base/SOURCES/policy-rhel-7.9-contrib.patch

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000..bea5755230
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+TAGS
diff --git a/abrt.fc b/abrt.fc
index 1a93dc5781..e948aef597 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,31 +1,47 @@
-/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 
-/usr/bin/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages	--	gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.*	--	gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-.* 	    --	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-retrace-worker	--  gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-watch-log         --  gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+/usr/bin/retrace-server-worker  --  gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages      --  gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+
+/usr/sbin/abrtd			        --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus		        --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.*	    --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-install-ccpp-hook --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch     --  gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
 
-/usr/libexec/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 /usr/libexec/abrt-handle-event	--	gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
-/usr/libexec/abrt-hook-python	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-hook-ccpp     --  gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+
+/var/cache/abrt(/.*)?			    gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)?            gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-retrace(/.*)?		gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/cache/retrace-server(/.*)?		gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+
+/var/log/abrt-logger.*		--	gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/lib/abrt(/.*)?               gen_context(system_u:object_r:abrt_var_lib_t,s0)
+
+/var/run/abrt\.pid		    --	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)?		    	gen_context(system_u:object_r:abrt_var_run_t,s0)
 
-/usr/sbin/abrtd	--	gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-dbus	--	gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-upload-watch	--	gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/var/spool/abrt(/.*)?			    gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/faf(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/rhsm/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
 
-/var/cache/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-di(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/tmp/abrt(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
 
-/var/log/abrt-logger.*	--	gen_context(system_u:object_r:abrt_var_log_t,s0)
 
-/var/run/abrt\.pid	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.lock	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.socket	-s	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_run_t,s0)
 
-/var/spool/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
index 058d908e49..1b643bfb5d 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
-## <summary>Automated bug-reporting tool.</summary>
+## <summary>ABRT - automated bug-reporting tool</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  ABRT daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`abrt_basic_types_template',`
+    gen_require(`
+        attribute abrt_domain;
+    ')
+
+    type $1_t, abrt_domain;
+    type $1_exec_t;
+
+	kernel_read_system_state($1_t)
+')
 
 ######################################
 ## <summary>
@@ -17,6 +39,26 @@ interface(`abrt_domtrans',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, abrt_exec_t, abrt_t)
+    allow $1 abrt_exec_t:file map;
+')
+
+######################################
+## <summary>
+##	Execute abrt_dump_oops in the abrt_dump_oops_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`abrt_dump_oops_domtrans',`
+	gen_require(`
+		type abrt_dump_oops_t, abrt_dump_oops_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
 ')
 
 ######################################
@@ -36,11 +78,12 @@ interface(`abrt_exec',`
 
 	corecmd_search_bin($1)
 	can_exec($1, abrt_exec_t)
+    allow $1 abrt_exec_t:file map;
 ')
 
 ########################################
 ## <summary>
-##	Send null signals to abrt.
+##	Send a null signal to abrt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58,7 +101,7 @@ interface(`abrt_signull',`
 
 ########################################
 ## <summary>
-##	Read process state of abrt.
+##	Allow the domain to read abrt state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -71,12 +114,13 @@ interface(`abrt_read_state',`
 		type abrt_t;
 	')
 
+	kernel_search_proc($1)
 	ps_process_pattern($1, abrt_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to abrt over an unix stream socket.
+##	Connect to abrt over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -116,8 +160,7 @@ interface(`abrt_dbus_chat',`
 
 #####################################
 ## <summary>
-##	Execute abrt-helper in the abrt
-##	helper domain.
+##	Execute abrt-helper in the abrt-helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -130,15 +173,13 @@ interface(`abrt_domtrans_helper',`
 		type abrt_helper_t, abrt_helper_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute abrt helper in the abrt
-##	helper domain, and allow the
-##	specified role the abrt helper domain.
+##	Execute abrt helper in the abrt_helper domain, and
+##	allow the specified role the abrt_helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -163,8 +204,45 @@ interface(`abrt_run_helper',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt cache files.
+##	Read abrt cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_read_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+	read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+## <summary>
+##	Append abrt cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_append_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	
+	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read/Write inherited abrt cache
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -172,15 +250,18 @@ interface(`abrt_run_helper',`
 ##	</summary>
 ## </param>
 #
-interface(`abrt_cache_manage',`
-	refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
-	abrt_manage_cache($1)
+interface(`abrt_rw_inherited_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	
+	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt cache content.
+##	Manage abrt cache
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -193,7 +274,6 @@ interface(`abrt_manage_cache',`
 		type abrt_var_cache_t;
 	')
 
-	files_search_var($1)
 	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
@@ -201,7 +281,7 @@ interface(`abrt_manage_cache',`
 
 ####################################
 ## <summary>
-##	Read abrt configuration files.
+##	Read abrt configuration file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -218,9 +298,29 @@ interface(`abrt_read_config',`
 	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
 ')
 
+####################################
+## <summary>
+##	Dontaudit read abrt configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_dontaudit_read_config',`
+	gen_require(`
+		type abrt_etc_t;
+	')
+
+	files_search_etc($1)
+    dontaudit $1 abrt_etc_t:dir list_dir_perms;
+    dontaudit $1 abrt_etc_t:file read_file_perms;
+')
+
 ######################################
 ## <summary>
-##	Read abrt log files.
+##	Read abrt logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -258,8 +358,7 @@ interface(`abrt_read_pid_files',`
 
 ######################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt PID files.
+##	Create, read, write, and delete abrt PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -276,10 +375,52 @@ interface(`abrt_manage_pid_files',`
 	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
 ')
 
+########################################
+## <summary>
+##	Read and write abrt fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_rw_fifo_file',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute abrt server in the abrt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`abrt_systemctl',`
+	gen_require(`
+		type abrt_t;
+		type abrt_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 abrt_unit_file_t:file manage_file_perms;
+	allow $1 abrt_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, abrt_t)
+')
+
 #####################################
 ## <summary>
-##	All of the rules required to
-##	administrate an abrt environment,
+##	All of the rules required to administrate
+##	an abrt environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -288,39 +429,174 @@ interface(`abrt_manage_pid_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the abrt domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`abrt_admin',`
 	gen_require(`
-		attribute abrt_domain;
-		type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
-		type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
-		type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
+		type abrt_t, abrt_etc_t;
+		type abrt_var_cache_t, abrt_var_log_t;
+		type abrt_var_run_t, abrt_tmp_t;
+		type abrt_initrc_exec_t;
+		type abrt_unit_file_t;
 	')
 
-	allow $1 abrt_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, abrt_domain)
+	allow $1 abrt_t:process { signal_perms };
+	ps_process_pattern($1, abrt_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 abrt_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, abrt_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 abrt_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, abrt_etc_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, abrt_var_log_t)
 
-	files_search_var($1)
-	admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+	files_list_var($1)
+	admin_pattern($1, abrt_var_cache_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, abrt_var_run_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, abrt_tmp_t)
+
+	abrt_systemctl($1)
+	admin_pattern($1, abrt_unit_file_t)
+	allow $1 abrt_unit_file_t:service all_service_perms;
+')
+
+####################################
+## <summary>
+##  Execute abrt-retrace in the abrt-retrace domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`abrt_domtrans_retrace_worker',`
+    gen_require(`
+        type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
+')
+
+######################################
+## <summary>
+##  Manage abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_manage_spool_retrace',`
+    gen_require(`
+        type abrt_retrace_spool_t;
+    ')
+
+	manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+	manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+	manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+#####################################
+## <summary>
+##  Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_read_spool_retrace',`
+    gen_require(`
+        type abrt_retrace_spool_t;
+    ')
+
+    list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 ')
+
+
+#####################################
+## <summary>
+##  Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_read_cache_retrace',`
+    gen_require(`
+        type abrt_retrace_cache_t;
+    ')
+
+    list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+    read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write abrt sock files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`abrt_dontaudit_write_sock_file',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	dontaudit $1 abrt_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Transition to abrt named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_filetrans_named_content',`
+	gen_require(`
+		type abrt_tmp_t;
+		type abrt_etc_t;
+		type abrt_var_cache_t;
+		type abrt_var_run_t;
+	')
+
+	files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
+	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
+	files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f070fe..a006449032 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether ABRT can modify
-##	public files used for public file
-##	transfer services.
-##	</p>
+## <p>
+## Allow ABRT to modify public files
+## used for public file transfer services.
+## </p>
 ## </desc>
 gen_tunable(abrt_anon_write, false)
 
@@ -37,87 +36,99 @@ attribute abrt_domain;
 attribute_role abrt_helper_roles;
 roleattribute system_r abrt_helper_roles;
 
-type abrt_t, abrt_domain;
-type abrt_exec_t;
+abrt_basic_types_template(abrt)
 init_daemon_domain(abrt_t, abrt_exec_t)
 
 type abrt_initrc_exec_t;
 init_script_file(abrt_initrc_exec_t)
 
+type abrt_unit_file_t;
+systemd_unit_file(abrt_unit_file_t)
+
 type abrt_etc_t;
 files_config_file(abrt_etc_t)
 
 type abrt_var_log_t;
 logging_log_file(abrt_var_log_t)
 
+type abrt_var_lib_t;
+files_type(abrt_var_lib_t)
+
 type abrt_tmp_t;
 files_tmp_file(abrt_tmp_t)
 
 type abrt_var_cache_t;
 files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
+userdom_user_tmp_content(abrt_var_cache_t)
 
 type abrt_var_run_t;
 files_pid_file(abrt_var_run_t)
 
-type abrt_dump_oops_t, abrt_domain;
-type abrt_dump_oops_exec_t;
+abrt_basic_types_template(abrt_dump_oops)
 init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+domain_obj_id_change_exemption(abrt_dump_oops_t)
 
-type abrt_handle_event_t, abrt_domain;
-type abrt_handle_event_exec_t;
-domain_type(abrt_handle_event_t)
-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+abrt_basic_types_template(abrt_handle_event)
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
 role system_r types abrt_handle_event_t;
 
-type abrt_helper_t, abrt_domain;
-type abrt_helper_exec_t;
+# type needed to allow all domains
+# to handle /var/cache/abrt
+# type needed to allow all domains
+# to handle /var/cache/abrt
+abrt_basic_types_template(abrt_helper)
 application_domain(abrt_helper_t, abrt_helper_exec_t)
 role abrt_helper_roles types abrt_helper_t;
 
-type abrt_retrace_coredump_t, abrt_domain;
-type abrt_retrace_coredump_exec_t;
-domain_type(abrt_retrace_coredump_t)
-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-role system_r types abrt_retrace_coredump_t;
-
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
 role system_r types abrt_retrace_worker_t;
 
+abrt_basic_types_template(abrt_retrace_coredump)
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
 type abrt_retrace_cache_t;
 files_type(abrt_retrace_cache_t)
 
 type abrt_retrace_spool_t;
-files_type(abrt_retrace_spool_t)
+files_spool_file(abrt_retrace_spool_t)
 
-type abrt_watch_log_t, abrt_domain;
-type abrt_watch_log_exec_t;
+abrt_basic_types_template(abrt_watch_log)
 init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
 
-type abrt_upload_watch_t, abrt_domain;
-type abrt_upload_watch_exec_t;
+abrt_basic_types_template(abrt_upload_watch)
 init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
 
+type abrt_upload_watch_tmp_t;
+files_tmp_file(abrt_upload_watch_tmp_t)
+
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
 ')
 
 ########################################
 #
-# Local policy
+# abrt local policy
 #
 
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
 allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
 allow abrt_t self:fifo_file rw_fifo_file_perms;
-allow abrt_t self:tcp_socket { accept listen };
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow abrt_t abrt_etc_t:dir list_dir_perms;
+# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
 
+# log file
 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
 logging_log_filetrans(abrt_t, abrt_var_log_t, file)
 
@@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
 
+# abrt var/cache files
 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
 files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
+allow abrt_t abrt_var_cache_t:file map;
 
+# abrt pid files
 manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
 
-can_exec(abrt_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 
+kernel_read_all_proc(abrt_t)
 kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
+kernel_read_software_raid_state(abrt_t)
 kernel_request_load_module(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
 kernel_rw_kernel_sysctl(abrt_t)
+# needed by docker BZ #1194280
+kernel_read_net_sysctls(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
 
 corecmd_exec_bin(abrt_t)
 corecmd_exec_shell(abrt_t)
 corecmd_read_all_executables(abrt_t)
 
 corenet_all_recvfrom_netlabel(abrt_t)
-corenet_all_recvfrom_unlabeled(abrt_t)
 corenet_tcp_sendrecv_generic_if(abrt_t)
 corenet_tcp_sendrecv_generic_node(abrt_t)
-corenet_tcp_sendrecv_all_ports(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
 corenet_tcp_bind_generic_node(abrt_t)
-
-corenet_sendrecv_all_client_packets(abrt_t)
 corenet_tcp_connect_http_port(abrt_t)
 corenet_tcp_connect_ftp_port(abrt_t)
 corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
 
 dev_getattr_all_chr_files(abrt_t)
 dev_getattr_all_blk_files(abrt_t)
 dev_read_rand(abrt_t)
 dev_read_urand(abrt_t)
 dev_rw_sysfs(abrt_t)
-dev_dontaudit_read_raw_memory(abrt_t)
+dev_read_raw_memory(abrt_t)
+dev_write_kmsg(abrt_t)
 
 domain_getattr_all_domains(abrt_t)
 domain_read_all_domains_state(abrt_t)
@@ -176,29 +199,45 @@ files_getattr_all_files(abrt_t)
 files_read_config_files(abrt_t)
 files_read_etc_runtime_files(abrt_t)
 files_read_var_symlinks(abrt_t)
-files_read_usr_files(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
 files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
 files_dontaudit_read_default_files(abrt_t)
 files_dontaudit_read_all_symlinks(abrt_t)
 files_dontaudit_getattr_all_sockets(abrt_t)
 files_list_mnt(abrt_t)
+fs_list_all(abrt_t)
 
+fs_list_inotifyfs(abrt_t)
 fs_getattr_all_fs(abrt_t)
 fs_getattr_all_dirs(abrt_t)
-fs_list_inotifyfs(abrt_t)
 fs_read_fusefs_files(abrt_t)
 fs_read_noxattr_fs_files(abrt_t)
 fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
 
-auth_use_nsswitch(abrt_t)
+storage_dontaudit_read_fixed_disk(abrt_t)
 
 logging_read_generic_logs(abrt_t)
+logging_mmap_journal(abrt_t)
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
 
+auth_use_nsswitch(abrt_t)
+auth_map_passwd(abrt_t)
+
+init_read_utmp(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
 miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
+miscfiles_dontaudit_write_generic_cert_files(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
 
 tunable_policy(`abrt_anon_write',`
 	miscfiles_manage_public_files(abrt_t)
@@ -206,15 +245,11 @@ tunable_policy(`abrt_anon_write',`
 
 optional_policy(`
 	apache_list_modules(abrt_t)
-	apache_read_module_files(abrt_t)
+	apache_read_modules(abrt_t)
 ')
 
 optional_policy(`
 	dbus_system_domain(abrt_t, abrt_exec_t)
-
-	optional_policy(`
-		policykit_dbus_chat(abrt_t)
-	')
 ')
 
 optional_policy(`
@@ -222,6 +257,28 @@ optional_policy(`
 ')
 
 optional_policy(`
+	container_stream_connect(abrt_t)
+')
+
+optional_policy(`
+	kdump_manage_crash(abrt_t)
+')
+
+optional_policy(`
+	mcelog_read_log(abrt_t)
+')
+
+optional_policy(`
+	mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+	mozilla_plugin_read_rw_files(abrt_t)
+')
+
+optional_policy(`
+    pcp_read_lib_files(abrt_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(abrt_t)
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
 	policykit_read_reload(abrt_t)
@@ -233,6 +290,11 @@ optional_policy(`
 	corecmd_exec_all_executables(abrt_t)
 ')
 
+optional_policy(`
+    puppet_read_lib(abrt_t)
+')
+
+# to install debuginfo packages
 optional_policy(`
 	rpm_exec(abrt_t)
 	rpm_dontaudit_manage_db(abrt_t)
@@ -243,6 +305,14 @@ optional_policy(`
 	rpm_signull(abrt_t)
 ')
 
+optional_policy(`
+    rhsmcertd_manage_pid_files(abrt_t)
+    rhsmcertd_read_log(abrt_t)
+    rhsmcertd_read_lib_files(abrt_t)
+
+')
+
+# to run mailx plugin
 optional_policy(`
 	sendmail_domtrans(abrt_t)
 ')
@@ -253,9 +323,21 @@ optional_policy(`
 	sosreport_delete_tmp_files(abrt_t)
 ')
 
+optional_policy(`
+	sssd_stream_connect(abrt_t)
+')
+
+optional_policy(`
+	xserver_read_log(abrt_t)
+')
+
+optional_policy(`
+	udev_read_db(abrt_t)
+')
+
 #######################################
 #
-# Handle-event local policy
+# abrt-handle-event local policy
 #
 
 allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +348,13 @@ tunable_policy(`abrt_handle_event',`
 	can_exec(abrt_t, abrt_handle_event_exec_t)
 ')
 
+optional_policy(`
+	unconfined_domain(abrt_handle_event_t)
+')
+
 ########################################
 #
-# Helper local policy
+# abrt--helper local policy
 #
 
 allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +367,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
 
 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +376,20 @@ corecmd_read_all_executables(abrt_helper_t)
 
 domain_read_all_domains_state(abrt_helper_t)
 
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
 fs_list_inotifyfs(abrt_helper_t)
 fs_getattr_all_fs(abrt_helper_t)
 
 auth_use_nsswitch(abrt_helper_t)
 
+logging_send_syslog_msg(abrt_helper_t)
+
 term_dontaudit_use_all_ttys(abrt_helper_t)
 term_dontaudit_use_all_ptys(abrt_helper_t)
 
 ifdef(`hide_broken_symptoms',`
+	domain_dontaudit_leaks(abrt_helper_t)
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +397,25 @@ ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+	optional_policy(`
+		rpm_dontaudit_leaks(abrt_helper_t)
+	')
+')
+
+ifdef(`hide_broken_symptoms',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow abrt_t self:capability sys_resource;
+	allow abrt_t domain:file write;
+	allow abrt_t domain:process setrlimit;
 ')
 
 #######################################
 #
-# Retrace coredump policy
+# abrt retrace coredump policy
 #
 
 allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +433,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
 
 dev_read_urand(abrt_retrace_coredump_t)
 
-files_read_usr_files(abrt_retrace_coredump_t)
+
+logging_send_syslog_msg(abrt_retrace_coredump_t)
 
 sysnet_dns_name_resolve(abrt_retrace_coredump_t)
 
+# to install debuginfo packages
 optional_policy(`
 	rpm_exec(abrt_retrace_coredump_t)
 	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +451,11 @@ optional_policy(`
 
 #######################################
 #
-# Retrace worker policy
+# abrt retrace worker policy
 #
 
-allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:capability { setuid };
+
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +474,83 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 
 dev_read_urand(abrt_retrace_worker_t)
 
-files_read_usr_files(abrt_retrace_worker_t)
+
+logging_send_syslog_msg(abrt_retrace_worker_t)
 
 sysnet_dns_name_resolve(abrt_retrace_worker_t)
 
+optional_policy(`
+	mock_domtrans(abrt_retrace_worker_t)
+	mock_manage_lib_files(abrt_t)
+')
+
 ########################################
 #
-# Dump oops local policy
+# abrt_dump_oops local policy
 #
 
-allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search dac_override setuid setgid };
+allow abrt_dump_oops_t self:process setfscreate;
 allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
 
 files_search_spool(abrt_dump_oops_t)
 manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
+
+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
+manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
 
 read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 
 read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
 
+kernel_read_debugfs(abrt_dump_oops_t)
 kernel_read_kernel_sysctls(abrt_dump_oops_t)
 kernel_read_ring_buffer(abrt_dump_oops_t)
+kernel_read_security_state(abrt_dump_oops_t)
+
+auth_read_passwd(abrt_dump_oops_t)
+
+corecmd_getattr_all_executables(abrt_dump_oops_t)
+
+dev_read_urand(abrt_dump_oops_t)
+dev_read_rand(abrt_dump_oops_t)
 
 domain_use_interactive_fds(abrt_dump_oops_t)
+domain_signull_all_domains(abrt_dump_oops_t)
+domain_read_all_domains_state(abrt_dump_oops_t)
+domain_getattr_all_domains(abrt_dump_oops_t)
+
+tunable_policy(`deny_ptrace',`',`
+    domain_ptrace_all_domains(abrt_dump_oops_t)
+')
+
+files_manage_non_security_dirs(abrt_dump_oops_t)
+files_manage_non_security_files(abrt_dump_oops_t)
+files_map_non_security_files(abrt_dump_oops_t)
 
+fs_getattr_all_fs(abrt_dump_oops_t)
 fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
+
+selinux_compute_create_context(abrt_dump_oops_t)
 
 logging_read_generic_logs(abrt_dump_oops_t)
+logging_read_syslog_pid(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
+logging_mmap_generic_logs(abrt_dump_oops_t)
+logging_mmap_journal(abrt_dump_oops_t)
+
+init_read_var_lib_files(abrt_dump_oops_t)
+
+optional_policy(`
+    nscd_dontaudit_write_sock_file(abrt_dump_oops_t)
+')
 
 #######################################
 #
@@ -404,25 +558,63 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
 
+auth_read_passwd(abrt_watch_log_t)
+auth_use_nsswitch(abrt_watch_log_t)
+
 domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+allow abrt_watch_log_t abrt_dump_oops_exec_t:file map;
 
 corecmd_exec_bin(abrt_watch_log_t)
 
 logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+optional_policy(`
+    gnome_list_home_config(abrt_watch_log_t)
+')
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+	miscfiles_manage_public_files(abrt_upload_watch_t)
+')
 
 #######################################
 #
 # Upload watch local policy
 #
 
+allow abrt_upload_watch_t self:capability { dac_read_search dac_override chown fsetid };
+
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
+
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
+
+abrt_dbus_chat(abrt_upload_watch_t)
+
 corecmd_exec_bin(abrt_upload_watch_t)
 
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
+
+auth_read_passwd(abrt_upload_watch_t)
+
+miscfiles_read_certs(abrt_upload_watch_t)
+
 tunable_policy(`abrt_upload_watch_anon_write',`
-	miscfiles_manage_public_files(abrt_upload_watch_t)
+    miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(abrt_upload_watch_t)
 ')
 
 #######################################
@@ -430,10 +622,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
 
-kernel_read_system_state(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
 
 files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
-miscfiles_read_localization(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a929..0682710306 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/accountsd.*  --              gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+
 /usr/libexec/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
 
 /usr/lib/accountsservice/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
diff --git a/accountsd.if b/accountsd.if
index bd5ec9ab08..554177cd29 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`accountsd_systemctl',`
+	gen_require(`
+		type accountsd_t;
+		type accountsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 accountsd_unit_file_t:file read_file_perms;
+	allow $1 accountsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, accountsd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an accountsd environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`accountsd_admin',`
 	gen_require(`
 		type accountsd_t;
+		type accountsd_unit_file_t;
 	')
 
-	allow $1 accountsd_t:process { ptrace signal_perms };
+	allow $1 accountsd_t:process signal_perms;
 	ps_process_pattern($1, accountsd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 accountsd_t:process ptrace;
+	')
+
 	accountsd_manage_lib_files($1)
+
+	accountsd_systemctl($1)
+	admin_pattern($1, accountsd_unit_file_t)
+	allow $1 accountsd_unit_file_t:service all_service_perms;
 ')
diff --git a/accountsd.te b/accountsd.te
index 3593510d8e..7c13845fd0 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
 	class passwd all_passwd_perms;
 ')
 
+gen_require(`
+	class passwd { passwd chfn chsh rootok crontab };
+')
+
 ########################################
 #
 # Declarations
@@ -11,17 +15,21 @@ gen_require(`
 
 type accountsd_t;
 type accountsd_exec_t;
-dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
 
 type accountsd_var_lib_t;
 files_type(accountsd_var_lib_t)
 
+type accountsd_unit_file_t;
+systemd_unit_file(accountsd_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
+allow accountsd_t self:capability { chown dac_read_search dac_override setuid setgid sys_ptrace };
 allow accountsd_t self:process signal;
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
 allow accountsd_t self:passwd { rootok passwd chfn chsh };
@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
 dev_read_sysfs(accountsd_t)
 
 files_read_mnt_files(accountsd_t)
-files_read_usr_files(accountsd_t)
 
 fs_getattr_xattr_fs(accountsd_t)
 fs_list_inotifyfs(accountsd_t)
@@ -48,12 +55,15 @@ auth_use_nsswitch(accountsd_t)
 auth_read_login_records(accountsd_t)
 auth_read_shadow(accountsd_t)
 
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
 
 logging_list_logs(accountsd_t)
 logging_send_syslog_msg(accountsd_t)
 logging_set_loginuid(accountsd_t)
 
+userdom_dontaudit_create_admin_dir(accountsd_t)
+userdom_dontaudit_manage_admin_dir(accountsd_t)
+
 userdom_read_user_tmp_files(accountsd_t)
 userdom_read_user_home_content_files(accountsd_t)
 
@@ -65,10 +75,17 @@ optional_policy(`
 	consolekit_read_log(accountsd_t)
 ')
 
+optional_policy(`
+	dbus_system_domain(accountsd_t, accountsd_exec_t)
+')
+
 optional_policy(`
 	policykit_dbus_chat(accountsd_t)
 ')
 
 optional_policy(`
 	xserver_read_xdm_tmp_files(accountsd_t)
+	xserver_read_state_xdm(accountsd_t)
+	xserver_dbus_chat_xdm(accountsd_t)
+	xserver_manage_xdm_etc_files(accountsd_t)
 ')
diff --git a/acct.if b/acct.if
index 81280d0086..bc4038b45e 100644
--- a/acct.if
+++ b/acct.if
@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
 
 ########################################
 ## <summary>
+##	Dontaudit Attempts to list acct_data directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`acct_dontaudit_list_data',`
+	gen_require(`
+		type acct_data_t;
+	')
+
+	dontaudit $1 acct_data_t:dir list_dir_perms;	
+')
+
+#######################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an acct environment.
 ## </summary>
@@ -103,9 +121,13 @@ interface(`acct_admin',`
 		type acct_t, acct_initrc_exec_t, acct_data_t;
 	')
 
-	allow $1 acct_t:process { ptrace signal_perms };
+	allow $1 acct_t:process { signal_perms };
 	ps_process_pattern($1, acct_t)
 
+    tunable_policy(`deny_ptrace',`',`
+		allow $1 acct_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, acct_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 acct_initrc_exec_t system_r;
diff --git a/acct.te b/acct.te
index 8b9ad83c5b..f4f24864b1 100644
--- a/acct.te
+++ b/acct.te
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
 dev_read_sysfs(acct_t)
 dev_read_urand(acct_t)
 
-domain_use_interactive_fds(acct_t)
-
 fs_search_auto_mountpoints(acct_t)
 fs_getattr_xattr_fs(acct_t)
 
@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
 term_dontaudit_use_generic_ptys(acct_t)
 
 files_read_etc_runtime_files(acct_t)
-files_list_usr(acct_t)
 
 auth_use_nsswitch(acct_t)
 
@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
 
 logging_send_syslog_msg(acct_t)
 
-miscfiles_read_localization(acct_t)
-
 userdom_dontaudit_search_user_home_dirs(acct_t)
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
 
diff --git a/ada.te b/ada.te
index 8d42c97ae9..2377f8f826 100644
--- a/ada.te
+++ b/ada.te
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
 
 allow ada_t self:process { execstack execmem };
 
-userdom_use_user_terminals(ada_t)
+userdom_use_inherited_user_terminals(ada_t)
 
 optional_policy(`
 	unconfined_domain(ada_t)
diff --git a/afs.fc b/afs.fc
index 8926c1696e..206ea16fd5 100644
--- a/afs.fc
+++ b/afs.fc
@@ -3,6 +3,8 @@
 /etc/rc\.d/init\.d/openafs-client	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/(open)?afs	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
 
+/usr/afs(/.*)?		gen_context(system_u:object_r:afs_files_t,s0)
+
 /usr/afs/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
 /usr/afs/bin/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
@@ -10,6 +12,10 @@
 /usr/afs/bin/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+/usr/afs/bin/dafileserver      --      gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver       --      gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver     --      gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager        --      gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 
 /usr/afs/db	-d	gen_context(system_u:object_r:afs_dbdir_t,s0)
 /usr/afs/db/pr.*	--	gen_context(system_u:object_r:afs_pt_db_t,s0)
diff --git a/afs.if b/afs.if
index 3b41be6994..97d99f979f 100644
--- a/afs.if
+++ b/afs.if
@@ -38,6 +38,24 @@ interface(`afs_rw_udp_sockets',`
 	allow $1 afs_t:udp_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Read AFS config data
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`afs_read_config',`
+	gen_require(`
+		type afs_config_t;
+	')
+
+	read_files_pattern($1, afs_config_t, afs_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write afs cache files.
@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
 interface(`afs_admin',`
 	gen_require(`
 		attribute afs_domain;
-		type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+		type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
 		type afs_ka_db_t, afs_vl_db_t, afs_config_t;
 		type afs_logfile_t, afs_cache_t, afs_files_t;
 	')
 
-	allow $1 afs_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, afs_domain)
+	allow $1 afs_t:process signal_perms;
+	ps_process_pattern($1, afs_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 afs_t:process ptrace;
+	')
 
 	afs_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
index 90ce63748d..8cf712d15b 100644
--- a/afs.te
+++ b/afs.te
@@ -72,7 +72,7 @@ role system_r types afs_vlserver_t;
 # afs client local policy
 #
 
-allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
+allow afs_t self:capability { dac_read_search dac_override sys_admin sys_nice sys_tty_config };
 allow afs_t self:process { setsched signal };
 allow afs_t self:fifo_file rw_file_perms;
 allow afs_t self:unix_stream_socket { accept listen };
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
 
 kernel_rw_afs_state(afs_t)
 
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_generic_node(afs_t)
+corenet_udp_sendrecv_generic_node(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_generic_node(afs_t)
+
 files_mounton_mnt(afs_t)
-files_read_usr_files(afs_t)
 files_rw_etc_runtime_files(afs_t)
 
 fs_getattr_xattr_fs(afs_t)
@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
 
 logging_send_syslog_msg(afs_t)
 
+sysnet_dns_name_resolve(afs_t)
+
+ifdef(`hide_broken_symptoms',`
+	kernel_rw_unlabeled_files(afs_t)
+')
+
 ########################################
 #
 # AFS bossserver local policy
@@ -105,8 +119,11 @@ can_exec(afs_bosserver_t, afs_bosserver_exec_t)
 
 manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
 manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_config_t, dir, "local")
 
-allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
+manage_files_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
+manage_dirs_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_dbdir_t, dir, "db")
 
 allow afs_bosserver_t afs_fsserver_t:process signal_perms;
 domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
@@ -125,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
 
 kernel_read_kernel_sysctls(afs_bosserver_t)
 
-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
 corenet_all_recvfrom_netlabel(afs_bosserver_t)
 corenet_udp_sendrecv_generic_if(afs_bosserver_t)
 corenet_udp_sendrecv_generic_node(afs_bosserver_t)
@@ -136,24 +152,24 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
 corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
 
 files_list_home(afs_bosserver_t)
-files_read_usr_files(afs_bosserver_t)
 
 seutil_read_config(afs_bosserver_t)
 
+optional_policy(`
+    kerberos_read_config(afs_bosserver_t)
+')
+
 ########################################
 #
 # fileserver local policy
 #
 
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:capability { kill dac_read_search dac_override chown fowner sys_nice };
 dontaudit afs_fsserver_t self:capability fsetid;
 allow afs_fsserver_t self:process { setsched signal_perms };
 allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
 allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
 manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
 
@@ -175,12 +191,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
 
 corenet_all_recvfrom_unlabeled(afs_fsserver_t)
 corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
 corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
 corenet_udp_sendrecv_generic_if(afs_fsserver_t)
 corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
 corenet_udp_sendrecv_generic_node(afs_fsserver_t)
-corenet_tcp_bind_generic_node(afs_fsserver_t)
-corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
 
 corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
 corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -190,7 +208,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
 
 files_read_etc_runtime_files(afs_fsserver_t)
 files_list_home(afs_fsserver_t)
-files_read_usr_files(afs_fsserver_t)
 files_list_pids(afs_fsserver_t)
 files_dontaudit_search_mnt(afs_fsserver_t)
 
@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
 
 kernel_read_kernel_sysctls(afs_kaserver_t)
 
-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
 corenet_all_recvfrom_netlabel(afs_kaserver_t)
 corenet_udp_sendrecv_generic_if(afs_kaserver_t)
 corenet_udp_sendrecv_generic_node(afs_kaserver_t)
@@ -239,7 +255,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
 corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
 
 files_list_home(afs_kaserver_t)
-files_read_usr_files(afs_kaserver_t)
 
 seutil_read_config(afs_kaserver_t)
 
@@ -253,16 +268,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
 allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
 allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
 manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
 
 manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
 filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
 
-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
 corenet_all_recvfrom_netlabel(afs_ptserver_t)
 corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
 corenet_udp_sendrecv_generic_if(afs_ptserver_t)
@@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
 corenet_udp_bind_afs_pt_port(afs_ptserver_t)
 corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
 
+sysnet_read_config(afs_ptserver_t)
+
 userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 
 ########################################
@@ -284,16 +297,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
 allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
 manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
 
 manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
 filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
 
-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
 corenet_all_recvfrom_netlabel(afs_vlserver_t)
 corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
 corenet_udp_sendrecv_generic_if(afs_vlserver_t)
@@ -314,8 +323,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
 
 allow afs_domain self:udp_socket create_socket_perms;
 
-files_read_etc_files(afs_domain)
-
-miscfiles_read_localization(afs_domain)
+read_files_pattern(afs_domain, afs_config_t, afs_config_t)
+allow afs_domain afs_config_t:dir list_dir_perms;
 
 sysnet_read_config(afs_domain)
+
diff --git a/aiccu.if b/aiccu.if
index 3b5dcb9470..fbe187fe1e 100644
--- a/aiccu.if
+++ b/aiccu.if
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
 		type aiccu_var_run_t;
 	')
 
-	allow $1 aiccu_t:process { ptrace signal_perms };
+	allow $1 aiccu_t:process signal_perms;
 	ps_process_pattern($1, aiccu_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aiccu_t:process ptrace;
+	')
+
 	aiccu_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
index 5d2b90e04c..7374df0b9c 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
 corenet_tcp_bind_generic_node(aiccu_t)
 corenet_tcp_sendrecv_generic_if(aiccu_t)
 corenet_tcp_sendrecv_generic_node(aiccu_t)
-
 corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
 corenet_tcp_connect_sixxsconfig_port(aiccu_t)
 corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
@@ -60,16 +59,23 @@ domain_use_interactive_fds(aiccu_t)
 dev_read_rand(aiccu_t)
 dev_read_urand(aiccu_t)
 
-files_read_etc_files(aiccu_t)
+
+auth_read_passwd(aiccu_t)
 
 logging_send_syslog_msg(aiccu_t)
 
-miscfiles_read_localization(aiccu_t)
+optional_policy(`
+    gnome_dontaudit_search_config(aiccu_t)
+')
 
 optional_policy(`
 	modutils_domtrans_insmod(aiccu_t)
 ')
 
+optional_policy(`
+    pcscd_stream_connect(aiccu_t)
+')
+
 optional_policy(`
 	sysnet_dns_name_resolve(aiccu_t)
 	sysnet_domtrans_ifconfig(aiccu_t)
diff --git a/aide.if b/aide.if
index 01cbb67df8..94a4a24062 100644
--- a/aide.if
+++ b/aide.if
@@ -67,9 +67,13 @@ interface(`aide_admin',`
 		type aide_t, aide_db_t, aide_log_t;
 	')
 
-	allow $1 aide_t:process { ptrace signal_perms };
+	allow $1 aide_t:process signal_perms;
 	ps_process_pattern($1, aide_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aide_t:process ptrace;
+	')
+
 	aide_run($1, $2)
 
 	files_list_etc($1)
diff --git a/aide.te b/aide.te
index 03831e6e52..e7d9dd97e6 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
 type aide_t;
 type aide_exec_t;
 application_domain(aide_t, aide_exec_t)
+cron_system_entry(aide_t, aide_exec_t)
 role aide_roles types aide_t;
 
 type aide_log_t;
@@ -23,22 +24,35 @@ files_type(aide_db_t)
 # Local policy
 #
 
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin };
+allow aide_t self:process signal;
 
 manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
 
-create_files_pattern(aide_t, aide_log_t, aide_log_t)
-append_files_pattern(aide_t, aide_log_t, aide_log_t)
-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
 logging_log_filetrans(aide_t, aide_log_t, file)
 
+dev_read_rand(aide_t)
+dev_read_urand(aide_t)
+
 files_read_all_files(aide_t)
 files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
+files_mmap_usr_files(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
 
 logging_send_audit_msgs(aide_t)
 logging_send_syslog_msg(aide_t)
 
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
+
+optional_policy(`
+	prelink_domtrans(aide_t)
+')
 
 optional_policy(`
 	seutil_use_newrole_fds(aide_t)
diff --git a/aisexec.if b/aisexec.if
index a2997fa57a..861cebdf90 100644
--- a/aisexec.if
+++ b/aisexec.if
@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
 		type aisexec_initrc_exec_t;
 	')
 
-	allow $1 aisexec_t:process { ptrace signal_perms };
+	allow $1 aisexec_t:process signal_perms;
 	ps_process_pattern($1, aisexec_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aisexec_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
index 4e4f063649..808e067e82 100644
--- a/aisexec.te
+++ b/aisexec.te
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
 kernel_read_system_state(aisexec_t)
 
 corecmd_exec_bin(aisexec_t)
+corecmd_exec_shell(aisexec_t)
 
 corenet_all_recvfrom_unlabeled(aisexec_t)
 corenet_all_recvfrom_netlabel(aisexec_t)
@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
 
 logging_send_syslog_msg(aisexec_t)
 
-miscfiles_read_localization(aisexec_t)
-
 userdom_rw_unpriv_user_semaphores(aisexec_t)
 userdom_rw_unpriv_user_shared_mem(aisexec_t)
 
@@ -105,6 +104,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	corosync_domtrans(aisexec_t)
+')
+
+optional_policy(`
+	# to communication with RHCS
 	rhcs_rw_dlm_controld_semaphores(aisexec_t)
 
 	rhcs_rw_fenced_semaphores(aisexec_t)
diff --git a/ajaxterm.fc b/ajaxterm.fc
new file mode 100644
index 0000000000..aeb1888a78
--- /dev/null
+++ b/ajaxterm.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm	--	gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py	--	gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid		--	gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/ajaxterm.if b/ajaxterm.if
new file mode 100644
index 0000000000..7abe946d42
--- /dev/null
+++ b/ajaxterm.if
@@ -0,0 +1,90 @@
+## <summary>policy for ajaxterm</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ajaxterm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ajaxterm_domtrans',`
+	gen_require(`
+		type ajaxterm_t, ajaxterm_exec_t;
+	')
+
+	domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+########################################
+## <summary>
+##	Execute ajaxterm server in the ajaxterm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ajaxterm_initrc_domtrans',`
+	gen_require(`
+		type ajaxterm_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##  Read and write the ajaxterm pty type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ajaxterm_rw_ptys',`
+    gen_require(`
+        type ajaxterm_devpts_t;
+    ')
+
+    allow $1 ajaxterm_devpts_t:chr_file	rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ajaxterm environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ajaxterm_admin',`
+	gen_require(`
+		type ajaxterm_t, ajaxterm_initrc_exec_t;
+	')
+
+	allow $1 ajaxterm_t:process signal_perms;
+	ps_process_pattern($1, ajaxterm_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ajaxterm_t:process ptrace;
+	')
+
+	ajaxterm_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 ajaxterm_initrc_exec_t system_r;
+	allow $2 system_r;
+')
diff --git a/ajaxterm.te b/ajaxterm.te
new file mode 100644
index 0000000000..a95a4adf3b
--- /dev/null
+++ b/ajaxterm.te
@@ -0,0 +1,60 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process { setpgid signal };
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_oa_system_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
+#######################################
+#
+# SSH component local policy
+#
+
+optional_policy(`
+	ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
diff --git a/alsa.fc b/alsa.fc
index 33d9d31116..58bf1829ac 100644
--- a/alsa.fc
+++ b/alsa.fc
@@ -23,4 +23,10 @@ ifdef(`distro_debian',`
 /usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 
-/var/lib/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/var/lock/asound\.state\.lock   --  gen_context(system_u:object_r:alsa_lock_t,s0)
+
+/usr/lib/systemd/system/alsa.*  --              gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid		--	gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
index ca8d8cf3b5..053a30ad41 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
 
 	userdom_search_user_home_dirs($1)
 	allow $1 alsa_home_t:file manage_file_perms;
+	alsa_filetrans_home_content($1)
 ')
 
 ########################################
@@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',`
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic alsa
-##	home type.
+##	Read Alsa lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
+#
+interface(`alsa_read_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Transition to alsa named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Class of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+#
+interface(`alsa_filetrans_home_content',`
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+')
+
+########################################
+## <summary>
+##	Transition to alsa named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`alsa_home_filetrans_alsa_home',`
+interface(`alsa_filetrans_named_content',`
 	gen_require(`
 		type alsa_home_t;
+		type alsa_etc_rw_t;
+		type alsa_var_lib_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+	files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
+	files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+	files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
+	files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
+	files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+	files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
 ')
 
 ########################################
 ## <summary>
-##	Read Alsa lib files.
+##	Execute alsa server in the alsa domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`alsa_read_lib',`
+interface(`alsa_systemctl',`
 	gen_require(`
-		type alsa_var_lib_t;
+		type alsa_t;
+		type alsa_unit_file_t;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 alsa_unit_file_t:file read_file_perms;
+	allow $1 alsa_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, alsa_t)
 ')
 
 #########################################
diff --git a/alsa.te b/alsa.te
index 4b153f1797..a799cd3947 100644
--- a/alsa.te
+++ b/alsa.te
@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
 type alsa_etc_rw_t;
 files_config_file(alsa_etc_rw_t)
 
+type alsa_lock_t;
+files_lock_file(alsa_lock_t)
+
 type alsa_tmp_t;
 files_tmp_file(alsa_tmp_t)
 
@@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t)
 type alsa_var_lib_t;
 files_type(alsa_var_lib_t)
 
+type alsa_var_run_t;
+files_pid_file(alsa_var_run_t)
+
 type alsa_home_t;
 userdom_user_home_content(alsa_home_t)
 
+type alsa_unit_file_t;
+systemd_unit_file(alsa_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms };
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket { accept listen };
@@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
 
 can_exec(alsa_t, alsa_exec_t)
 
+manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
+files_lock_filetrans(alsa_t, alsa_lock_t, file)
+
 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
@@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
 manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
+
 kernel_read_system_state(alsa_t)
+kernel_signal(alsa_t)
 
 corecmd_exec_bin(alsa_t)
 
@@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t)
 dev_read_urand(alsa_t)
 dev_write_sound(alsa_t)
 
-files_read_usr_files(alsa_t)
 files_search_var_lib(alsa_t)
 
 term_dontaudit_use_console(alsa_t)
@@ -80,8 +98,6 @@ init_use_fds(alsa_t)
 
 logging_send_syslog_msg(alsa_t)
 
-miscfiles_read_localization(alsa_t)
-
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
 userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.fc b/amanda.fc
index 7f4dfbca3c..e5c9f45b83 100644
--- a/amanda.fc
+++ b/amanda.fc
@@ -1,5 +1,6 @@
 /etc/amanda(/.*)?	gen_context(system_u:object_r:amanda_config_t,s0)
 /etc/amanda/.*/tapelist(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amanda/DailySet1(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates	gen_context(system_u:object_r:amanda_amandates_t,s0)
 /etc/dumpdates	gen_context(system_u:object_r:amanda_dumpdates_t,s0)
 # empty m4 string so the index macro is not invoked
@@ -13,6 +14,8 @@
 /usr/lib/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 
+/usr/lib/systemd/system/amanda.*    --  gen_context(system_u:object_r:amanda_unit_file_t,s0)
+
 /usr/sbin/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
diff --git a/amanda.te b/amanda.te
index 519051c7db..5f838c4dd9 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
 roleattribute system_r amanda_recover_roles;
 
 type amanda_t;
+type amanda_exec_t;
 type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+application_executable_file(amanda_exec_t)
+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
 
-type amanda_exec_t;
-domain_entry_file(amanda_t, amanda_exec_t)
+type amanda_unit_file_t;
+systemd_unit_file(amanda_unit_file_t)
 
 type amanda_log_t;
 logging_log_file(amanda_log_t)
@@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t)
 type amanda_tmp_t;
 files_tmp_file(amanda_tmp_t)
 
+type amanda_tmpfs_t;
+files_tmpfs_file(amanda_tmpfs_t)
+
 type amanda_amandates_t;
 files_type(amanda_amandates_t)
 
@@ -59,8 +65,8 @@ optional_policy(`
 # Local policy
 #
 
-allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
+allow amanda_t self:capability { chown dac_read_search dac_override setuid setgid kill sys_admin };
+allow amanda_t self:process { getsched setsched setpgid signal };
 allow amanda_t self:fifo_file rw_fifo_file_perms;
 allow amanda_t self:unix_stream_socket { accept listen };
 allow amanda_t self:tcp_socket { accept listen };
@@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
 
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
@@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
 
 manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
 manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)
 
 manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
 manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
@@ -90,23 +98,30 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
 manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
 files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
 
+manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
+manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
+fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir file })
+
 can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
 
 kernel_read_kernel_sysctls(amanda_t)
 kernel_read_system_state(amanda_t)
+kernel_read_network_state(amanda_t)
 kernel_dontaudit_getattr_unlabeled_files(amanda_t)
 kernel_dontaudit_read_proc_symlinks(amanda_t)
 
 corecmd_exec_shell(amanda_t)
 corecmd_exec_bin(amanda_t)
 
-corenet_all_recvfrom_unlabeled(amanda_t)
 corenet_all_recvfrom_netlabel(amanda_t)
 corenet_tcp_sendrecv_generic_if(amanda_t)
 corenet_tcp_sendrecv_generic_node(amanda_t)
 corenet_tcp_sendrecv_all_ports(amanda_t)
 corenet_tcp_bind_generic_node(amanda_t)
 
+corenet_tcp_bind_amanda_port(amanda_t)
+corenet_udp_bind_amanda_port(amanda_t)
+
 corenet_sendrecv_all_server_packets(amanda_t)
 corenet_tcp_bind_all_rpc_ports(amanda_t)
 corenet_tcp_bind_generic_port(amanda_t)
@@ -114,6 +129,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
 
 dev_getattr_all_blk_files(amanda_t)
 dev_getattr_all_chr_files(amanda_t)
+dev_read_urand(amanda_t)
 
 files_read_etc_runtime_files(amanda_t)
 files_list_all(amanda_t)
@@ -126,6 +142,7 @@ files_getattr_all_sockets(amanda_t)
 
 fs_getattr_xattr_fs(amanda_t)
 fs_list_all(amanda_t)
+fs_getattr_tmpfs(amanda_t)
 
 storage_raw_read_fixed_disk(amanda_t)
 storage_read_tape(amanda_t)
@@ -141,7 +158,7 @@ logging_send_syslog_msg(amanda_t)
 # Recover local policy
 #
 
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
 allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
 allow amanda_recover_t self:unix_stream_socket create_socket_perms;
@@ -170,7 +187,6 @@ kernel_read_system_state(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
 
-corenet_all_recvfrom_unlabeled(amanda_recover_t)
 corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_generic_if(amanda_recover_t)
 corenet_udp_sendrecv_generic_if(amanda_recover_t)
@@ -195,12 +211,16 @@ files_search_tmp(amanda_recover_t)
 
 auth_use_nsswitch(amanda_recover_t)
 
-fstools_domtrans(amanda_t)
-fstools_signal(amanda_t)
-
 logging_search_logs(amanda_recover_t)
 
-miscfiles_read_localization(amanda_recover_t)
-
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
 userdom_search_user_home_content(amanda_recover_t)
+
+optional_policy(`
+    inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+')
+
+optional_policy(`
+	fstools_domtrans(amanda_t)
+	fstools_signal(amanda_t)
+')
diff --git a/amavis.fc b/amavis.fc
index 17689a7071..8aa684917e 100644
--- a/amavis.fc
+++ b/amavis.fc
@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
 /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 ')
 
-/var/opt/f-secure(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
-
 /var/amavis(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
 
 /var/lib/amavis(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
diff --git a/amavis.if b/amavis.if
index 60d4f8c90c..18ef0772c3 100644
--- a/amavis.if
+++ b/amavis.if
@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
 
 	files_search_spool($1)
 	read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+	allow $1 amavis_spool_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -151,6 +152,26 @@ interface(`amavis_read_lib_files',`
 	files_search_var_lib($1)
 ')
 
+########################################
+## <summary>
+##	Read and write amavis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_rw_lib_files',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+	allow $1 amavis_var_lib_t:dir list_dir_perms;
+	files_search_var_lib($1)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -234,9 +255,13 @@ interface(`amavis_admin',`
 		type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
 	')
 
-	allow $1 amavis_t:process { ptrace signal_perms };
+	allow $1 amavis_t:process signal_perms;
 	ps_process_pattern($1, amavis_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 amavis_t:process ptrace;
+	')
+
 	amavis_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
index 91fa72ae12..be1f9677d8 100644
--- a/amavis.te
+++ b/amavis.te
@@ -16,6 +16,7 @@ gen_tunable(amavis_use_jit, false)
 type amavis_t;
 type amavis_exec_t;
 init_daemon_domain(amavis_t, amavis_exec_t)
+init_nnp_daemon_domain(amavis_t)
 
 type amavis_etc_t;
 files_config_file(amavis_etc_t)
@@ -39,14 +40,14 @@ type amavis_quarantine_t;
 files_type(amavis_quarantine_t)
 
 type amavis_spool_t;
-files_type(amavis_spool_t)
+files_spool_file(amavis_spool_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow amavis_t self:capability { kill chown dac_override setgid setuid };
+allow amavis_t self:capability { kill chown dac_read_search  dac_override setgid setuid };
 dontaudit amavis_t self:capability sys_tty_config;
 allow amavis_t self:process signal_perms;
 allow amavis_t self:fifo_file rw_fifo_file_perms;
@@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
 
+# tmp files
+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
 manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
 allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
 
 manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
 manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
@@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
 corecmd_exec_bin(amavis_t)
 corecmd_exec_shell(amavis_t)
 
-corenet_all_recvfrom_unlabeled(amavis_t)
 corenet_all_recvfrom_netlabel(amavis_t)
 corenet_tcp_sendrecv_generic_if(amavis_t)
 corenet_udp_sendrecv_generic_if(amavis_t)
@@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
 
 corenet_sendrecv_razor_client_packets(amavis_t)
 corenet_tcp_connect_razor_port(amavis_t)
+corenet_tcp_connect_agentx_port(amavis_t)
 
 dev_read_rand(amavis_t)
 dev_read_sysfs(amavis_t)
@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t)
 domain_dontaudit_read_all_domains_state(amavis_t)
 
 files_read_etc_runtime_files(amavis_t)
-files_read_usr_files(amavis_t)
 files_search_spool(amavis_t)
 
 fs_getattr_xattr_fs(amavis_t)
@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t)
 
 logging_send_syslog_msg(amavis_t)
 
-miscfiles_read_localization(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
+
+sysnet_use_ldap(amavis_t)
 
 userdom_dontaudit_search_user_home_dirs(amavis_t)
 
 tunable_policy(`amavis_use_jit',`
-	allow amavis_t self:process execmem;
+    allow amavis_t self:process execmem;
 ',`
-	dontaudit amavis_t self:process execmem;
+    dontaudit amavis_t self:process execmem;
+')
+
+optional_policy(`
+	antivirus_domain_template(amavis_t)
 ')
 
 optional_policy(`
@@ -172,6 +181,10 @@ optional_policy(`
 	mta_read_config(amavis_t)
 ')
 
+optional_policy(`
+	nslcd_stream_connect(amavis_t)
+')
+
 optional_policy(`
 	postfix_read_config(amavis_t)
 	postfix_list_spool(amavis_t)
diff --git a/amtu.te b/amtu.te
index 16d0d66eba..60abfd080e 100644
--- a/amtu.te
+++ b/amtu.te
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
 
 files_manage_boot_files(amtu_t)
 files_read_etc_runtime_files(amtu_t)
-files_read_etc_files(amtu_t)
 
 logging_send_audit_msgs(amtu_t)
 
-userdom_use_user_terminals(amtu_t)
+userdom_use_inherited_user_terminals(amtu_t)
 
 optional_policy(`
 	nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
index b098089d08..fe35bebfd2 100644
--- a/anaconda.fc
+++ b/anaconda.fc
@@ -1 +1,13 @@
 # No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum  --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/sbin/anaconda      --  gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/initial-setup  --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/ostree         --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/rpm-ostree     --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/libexec/rpm-ostreed --  gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/preupg.*   --  gen_context(system_u:object_r:preupgrade_exec_t,s0)
+/var/lib/preupgrade(/.*)?   gen_context(system_u:object_r:preupgrade_data_t,s0)
+/var/log/preupgrade(/.*)?   gen_context(system_u:object_r:preupgrade_data_t,s0)
diff --git a/anaconda.if b/anaconda.if
index 14a61b7e11..76d93294de 100644
--- a/anaconda.if
+++ b/anaconda.if
@@ -1 +1,132 @@
 ## <summary>Anaconda installer.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run install.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_domtrans_install',`
+	gen_require(`
+		type install_t, install_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, install_exec_t, install_t)
+')
+
+########################################
+## <summary>
+##	Execute install in the install
+##	domain, and allow the specified
+##	role the install domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_run_install',`
+	gen_require(`
+		type install_t;
+		type install_exec_t;
+		attribute_role install_roles;
+	')
+
+	anaconda_domtrans_install($1)
+	roleattribute $2 install_roles;
+	role_transition $2 install_exec_t system_r;
+
+	optional_policy(`
+		rpm_transition_script(install_t, $2)
+	')
+')
+
+########################################
+## <summary>
+##	Execute preupgrade in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_exec_preupgrade',`
+	gen_require(`
+		type preupgrade_exec_t;
+	')
+
+	corecmd_search_bin($1)
+    can_exec($1, preupgrade_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run preupgrade.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_domtrans_preupgrade',`
+	gen_require(`
+		type preupgrade_t, preupgrade_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
+')
+
+########################################
+## <summary>
+##	Read preupgrade lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_read_lib_files_preupgrade',`
+	gen_require(`
+		type preupgrade_data_t;
+	')
+
+	read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Manage preupgrade lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_manage_lib_files_preupgrade',`
+	gen_require(`
+		type preupgrade_data_t;
+	')
+
+	manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	files_search_var_lib($1)
+')
diff --git a/anaconda.te b/anaconda.te
index aa44abfe4d..9efa1f20b1 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
 	class passwd all_passwd_perms;
 ')
 
+gen_require(`
+	class passwd { passwd chfn chsh rootok crontab };
+')
+
 ########################################
 #
 # Declarations
@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
 domain_obj_id_change_exemption(anaconda_t)
 role system_r types anaconda_t;
 
+attribute_role install_roles;
+roleattribute system_r install_roles;
+
+type install_t;
+type install_exec_t;
+application_domain(install_t, install_exec_t)
+role install_roles types install_t;
+
+type preupgrade_t;
+type preupgrade_exec_t;
+application_domain(preupgrade_t, preupgrade_exec_t)
+role system_r types preupgrade_t;
+
+type preupgrade_data_t;
+files_type(preupgrade_data_t)
+
 ########################################
 #
 # Local policy
@@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t)
 modutils_domtrans_depmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
 
-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(anaconda_t)
 
 optional_policy(`
 	rpm_domtrans(anaconda_t)
@@ -53,3 +74,54 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain_noaudit(anaconda_t)
 ')
+
+########################################
+#
+# Local policy
+#
+
+allow install_t self:capability2 mac_admin;
+
+systemd_dbus_chat_localed(install_t)
+
+tunable_policy(`deny_ptrace',`',`
+	domain_ptrace_all_domains(install_t)
+')
+
+optional_policy(`
+    iscsid_run(install_t, install_roles)
+')
+
+optional_policy(`
+    mount_run(install_t, install_roles)
+')
+
+optional_policy(`
+    networkmanager_dbus_chat(install_t)
+')
+
+optional_policy(`
+    policykit_dbus_chat(install_t)
+')
+
+optional_policy(`
+	seutil_run_setfiles_mac(install_t, install_roles)
+')
+
+optional_policy(`
+	unconfined_domain_noaudit(install_t)
+')
+
+
+########################################
+#
+# Local policy
+#
+
+manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+
+optional_policy(`
+    unconfined_domain_noaudit(preupgrade_t)
+')
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 0000000000..219f32db00
--- /dev/null
+++ b/antivirus.fc
@@ -0,0 +1,44 @@
+/etc/amavis(d)?\.conf			--	gen_context(system_u:object_r:antivirus_conf_t,s0)
+/etc/amavisd(/.*)?					gen_context(system_u:object_r:antivirus_conf_t,s0)
+
+/etc/rc\.d/init\.d/amavis		--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/amavisd-snmp	--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/clamd.*		--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/clamd.*	--	gen_context(system_u:object_r:antivirus_unit_file_t,s0)
+
+/usr/lib/AntiVir/antivir		--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/amavi 				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/amavisd.*				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamdscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/freshclam				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/clamd					--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/clamav-milter			--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/var/clamav(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/amavis(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/amavis(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav-unofficial-sigs(/.*)?   gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamd.*					gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/opt/f-secure(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/spool/amavisd(/.*)?			gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/virusmails(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/log/amavisd\.log.* 		--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav.*   				gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/freshclam.*    		--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav/freshclam.* 	--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamd.*    				gen_context(system_u:object_r:antivirus_log_t,s0)
+
+/var/run/amavis(d)?(/.*)?			gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/amavisd-snmp-subagent\.pid	--	gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
+/var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamav.*					gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamd.*					gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
diff --git a/antivirus.if b/antivirus.if
new file mode 100644
index 0000000000..36251b9266
--- /dev/null
+++ b/antivirus.if
@@ -0,0 +1,325 @@
+## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  antivirus domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+interface(`antivirus_domain_template',`
+        gen_require(`
+                attribute antivirus_domain;
+        ')
+
+        typeattribute $1 antivirus_domain;
+
+        kernel_read_system_state($1)
+')
+
+#######################################
+## <summary>
+##  Execute a domain transition to run antivirus program.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`antivirus_domtrans',`
+    gen_require(`
+        type antivirus_t, antivirus_exec_t;
+    ')
+
+    domtrans_pattern($1, antivirus_exec_t, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  Execute antivirus program without a transition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_exec',`
+    gen_require(`
+        type antivirus_exec_t;
+    ')
+
+    can_exec($1, antivirus_exec_t)
+')
+
+#######################################
+## <summary>
+##  Connect to run antivirus program.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_stream_connect',`
+    gen_require(`
+        type antivirus_t, antivirus_db_t, antivirus_var_run_t;
+    ')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
+	stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to append
+##  to antivirus log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_append_log',`
+    gen_require(`
+        type antivirus_log_t;
+    ')
+
+    logging_search_logs($1)
+    allow $1 antivirus_log_t:dir list_dir_perms;
+    append_files_pattern($1, antivirus_log_t, antivirus_log_t)
+')
+
+#######################################
+## <summary>
+##  Read antivirus configuration files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_read_config',`
+    gen_require(`
+        type antivirus_conf_t;
+    ')
+
+    files_search_etc($1)
+    allow $1 antivirus_conf_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Search antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_search_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+	files_search_spool($1)
+    allow $1 antivirus_db_t:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+##  Read antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_read_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+	read_files_pattern($1, antivirus_db_t, antivirus_db_t)
+	read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#####################################
+## <summary>
+##  Read and write antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_rw_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+    write_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+####################################
+## <summary>
+##  Manage antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_manage_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+    manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
+	manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#######################################
+## <summary>
+##  Manage antivirus pid content.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_manage_pid',`
+    gen_require(`
+        type antivirus_var_run_t;
+    ')
+
+    manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+    manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+')
+
+######################################
+## <summary>
+##      Read antivirus state files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`antivirus_read_state_clamd',`
+        gen_require(`
+                type antivirus_t;
+        ')
+
+        kernel_search_proc($1)
+        ps_process_pattern($1, antivirus_t)
+')
+
+######################################
+## <summary>
+##      Execute antivirus server in the antivirus domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`antivirus_systemctl',`
+        gen_require(`
+                type antivirus_t;
+                type antivirus_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+        allow $1 antivirus_unit_file_t:file read_file_perms;
+        allow $1 antivirus_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  All of the rules required to administrate
+##  an antivirus programs environment
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed to manage the clamav domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`antivirus_admin',`
+    gen_require(`
+		attribute antivirus_domain;
+        type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
+        type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
+        type antivirus_initrc_exec_t, antivirus_unit_file_t;
+    ')
+
+	allow $1 antivirus_t:process signal_perms;
+    ps_process_pattern($1, antivirus_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 antivirus_t:process ptrace;
+    ')
+
+    init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
+    domain_system_change_exemption($1)
+    role_transition $2 antivirus_initrc_exec_t system_r;
+    allow $2 system_r;
+
+	antivirus_systemctl($1)
+    admin_pattern($1, antivirus_unit_file_t)
+    allow $1 antivirus_unit_file_t:service all_service_perms;
+
+    files_list_etc($1)
+    admin_pattern($1, antivirus_conf_t)
+
+    files_list_var_lib($1)
+	admin_pattern($1, antivirus_db_t)
+
+    logging_list_logs($1)
+    admin_pattern($1, antivirus_log_t)
+
+    files_list_pids($1)
+    admin_pattern($1, antivirus_var_run_t)
+
+    files_list_tmp($1)
+    admin_pattern($1, antivirus_tmp_t)
+
+    optional_policy(`
+        systemd_passwd_agent_exec($1)
+        systemd_read_fifo_file_passwd_run($1)
+    ')
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 0000000000..784eeb11a8
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,272 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##  Allow antivirus programs to read non security files on a system
+##  </p>
+## </desc>
+gen_tunable(antivirus_can_scan_system, false)
+
+## <desc>
+##  <p>
+##  Determine whether can antivirus programs use JIT compiler.
+##  </p>
+## </desc>
+gen_tunable(antivirus_use_jit, false)
+
+attribute antivirus_domain;
+
+type antivirus_t;
+type antivirus_exec_t;
+typeattribute antivirus_t antivirus_domain;
+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
+init_daemon_domain(antivirus_t, antivirus_exec_t)
+
+type antivirus_initrc_exec_t;
+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
+init_script_file(antivirus_initrc_exec_t)
+
+type antivirus_unit_file_t;
+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
+systemd_unit_file(antivirus_unit_file_t)
+
+type antivirus_conf_t;
+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
+files_config_file(antivirus_conf_t)
+
+type antivirus_var_run_t;
+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
+files_pid_file(antivirus_var_run_t)
+
+type antivirus_log_t;
+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
+logging_log_file(antivirus_log_t)
+
+type antivirus_db_t;
+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
+files_type(antivirus_db_t)
+
+type antivirus_home_t;
+userdom_user_home_content(antivirus_home_t)
+
+type antivirus_tmp_t;
+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
+files_tmp_file(antivirus_tmp_t)
+
+########################################
+#
+# antivirus domain local policy
+#
+
+allow antivirus_domain self:capability { dac_read_search dac_override chown kill fsetid setgid setuid sys_admin };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
+allow antivirus_domain self:tcp_socket { listen accept };
+
+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+allow antivirus_t antivirus_db_t:file map;
+
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
+
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
+
+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
+kernel_read_system_state(antivirus_t)
+kernel_read_network_state(antivirus_domain)
+kernel_read_all_sysctls(antivirus_domain)
+
+corecmd_exec_bin(antivirus_domain)
+corecmd_exec_shell(antivirus_domain)
+
+corenet_all_recvfrom_netlabel(antivirus_t)
+corenet_tcp_sendrecv_generic_if(antivirus_t)
+corenet_udp_sendrecv_generic_if(antivirus_t)
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
+corenet_udp_sendrecv_generic_node(antivirus_domain)
+corenet_tcp_sendrecv_all_ports(antivirus_domain)
+corenet_udp_sendrecv_all_ports(antivirus_domain)
+corenet_tcp_bind_generic_node(antivirus_domain)
+corenet_udp_bind_generic_node(antivirus_domain)
+
+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
+
+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
+
+corenet_sendrecv_generic_server_packets(antivirus_domain)
+corenet_udp_bind_generic_port(antivirus_domain)
+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
+
+corenet_sendrecv_razor_client_packets(antivirus_domain)
+corenet_tcp_connect_razor_port(antivirus_domain)
+corenet_tcp_connect_agentx_port(antivirus_domain)
+
+corenet_tcp_connect_clamd_port(antivirus_domain)
+
+corenet_sendrecv_clamd_server_packets(antivirus_domain)
+corenet_tcp_bind_clamd_port(antivirus_domain)
+
+corenet_sendrecv_http_client_packets(antivirus_domain)
+corenet_tcp_connect_http_port(antivirus_domain)
+corenet_tcp_sendrecv_http_port(antivirus_domain)
+
+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
+corenet_tcp_connect_http_cache_port(antivirus_domain)
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
+
+#support for MySQL/PostgreSQL
+corenet_tcp_connect_mysqld_port(antivirus_domain)
+corenet_tcp_connect_postgresql_port(antivirus_domain)
+
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
+corenet_sendrecv_squid_client_packets(antivirus_domain)
+corenet_tcp_connect_squid_port(antivirus_domain)
+corenet_tcp_sendrecv_squid_port(antivirus_domain)
+
+dev_read_rand(antivirus_domain)
+dev_read_sysfs(antivirus_domain)
+dev_read_urand(antivirus_domain)
+
+domain_read_all_domains_state(antivirus_domain)
+
+files_dontaudit_read_security_files(antivirus_domain)
+files_read_etc_runtime_files(antivirus_domain)
+files_search_spool(antivirus_domain)
+
+fs_getattr_xattr_fs(antivirus_domain)
+
+auth_use_nsswitch(antivirus_t)
+auth_dontaudit_read_shadow(antivirus_domain)
+
+init_read_state(antivirus_domain)
+init_read_utmp(antivirus_domain)
+init_stream_connect_script(antivirus_domain)
+init_dontaudit_write_utmp(antivirus_domain)
+
+logging_send_syslog_msg(antivirus_t)
+
+miscfiles_read_generic_certs(antivirus_domain)
+
+sysnet_use_ldap(antivirus_domain)
+
+userdom_stream_connect(antivirus_domain)
+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
+
+tunable_policy(`antivirus_can_scan_system',`
+	files_read_non_security_files(antivirus_domain)
+	files_getattr_all_pipes(antivirus_domain)
+	files_getattr_all_sockets(antivirus_domain)
+    dev_getattr_all_blk_files(antivirus_domain)
+    dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
+    allow antivirus_domain self:process execmem;
+    allow antivirus_domain self:process execmem;
+',`
+    dontaudit antivirus_domain self:process execmem;
+    dontaudit antivirus_domain self:process execmem;
+')
+
+optional_policy(`
+	apache_read_sys_content(antivirus_domain)
+')
+
+optional_policy(`
+	antivirus_systemctl(antivirus_domain)
+')
+
+optional_policy(`
+	cron_system_entry(antivirus_t, antivirus_exec_t)
+    cron_use_fds(antivirus_domain)
+    cron_use_system_job_fds(antivirus_domain)
+    cron_rw_pipes(antivirus_domain)
+')
+
+optional_policy(`
+    dcc_domtrans_client(antivirus_domain)
+    dcc_stream_connect_dccifd(antivirus_domain)
+')
+
+optional_policy(`
+    exim_read_spool_files(antivirus_domain)
+')
+
+optional_policy(`
+    mta_read_config(antivirus_domain)
+	mta_read_queue(antivirus_domain)
+	mta_send_mail(antivirus_domain)
+')
+
+optional_policy(`
+    nslcd_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+	mysql_stream_connect(antivirus_domain)
+	corenet_tcp_connect_mysqld_port(antivirus_domain)
+')
+
+optional_policy(`
+    postfix_read_config(antivirus_domain)
+    postfix_list_spool(antivirus_domain)
+')
+
+optional_policy(`
+    pyzor_domtrans(antivirus_domain)
+    pyzor_signal(antivirus_domain)
+')
+
+optional_policy(`
+    razor_domtrans(antivirus_domain)
+')
+
+optional_policy(`
+    snmp_manage_var_lib_dirs(antivirus_domain)
+    snmp_manage_var_lib_files(antivirus_domain)
+    snmp_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+	spamd_stream_connect(clamd_t)
+	spamassassin_exec(antivirus_domain)
+	spamassassin_exec_client(antivirus_domain)
+	spamassassin_read_lib_files(antivirus_domain)
+	spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
index 7caefc3538..1edf14e25c 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,162 +1,219 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
 HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
 
-/etc/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/horde(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab	--	gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs	gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules	gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nextcloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/opt/rh/rh-nginx18/nginx(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 
-/etc/vhosts	--	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/thttpd\.conf       -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/z-push(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/opt/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/usr/.*\.cgi			-- 	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi			-- 	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.*  --     gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/thttpd.*  --     gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* --      gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.*	--  gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.*     --  gen_context(system_u:object_r:httpd_unit_file_t,s0)
 
-/srv/([^/]*/)?www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog      --      gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
-/usr/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)?        gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2/smarty(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/usr/bin/htsslpass	--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 
-/usr/lib/apache-ssl/.+	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/share/jetty/bin/jetty.sh		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/share/joomla(/.*)?                 gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/usr/libexec/httpd-ssl-pass-dialog	--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+/usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 
-/usr/sbin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs	--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-ifdef(`distro_suse',`
-/usr/sbin/httpd2-.*	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/htcacheclean      --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx         --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm       --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 
-/usr/share/dirsrv(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/doc/ghc/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.*	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.*	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.*	gen_context(system_u:object_r:httpd_cache_t,s0)
+/usr/share/drupal.*			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/share/glpi(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/nginx/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php		--		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php	-- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php    --  gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/local/nagios/sbin(/.*)?      gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/z-push(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.*			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.*			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem	--	gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt(3|4)(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/ganglia(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/graphite-web(/.*)?     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/ipsilon(/.*)?          gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/moodle(/.*)?		    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/mod_security(/.*)?     gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/opt/rh/rh-nginx18/lib/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/php/wsdlcache(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+
 /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)?		  gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/nextcloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/roundcubemail(/.*)?    gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/graphite-web(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)?     gen_context(system_u:object_r:httpd_log_t,s0)
+/var/opt/rh/rh-nginx18/log(/.*)?     gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/thttpd\.log.*  -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php_errors\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/shibboleth-www(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+')
 
-/var/run/apache.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/cherokee\.pid	--	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/gcache_port	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/httpd.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/mod_.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/wsgi.*	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/user/apache(/.*)?	gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)?	gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/cherokee\.pid		--	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.*            gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/opt/rh/rh-nginx18/run/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/thttpd\.pid    -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)?		gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php	--	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/miq/vmdb/log(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html(/.*)?/sites/default/settings\.php	-- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html(/.*)?/sites/default/files(/.*)? 	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp_backups(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/owncloud/data(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/nextcloud/data(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/moodledata(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/moodle/data(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/openshift/console/tmp(/.*)?    gen_context(system_u:object_r:httpd_tmp_t,s0)
+/var/www/openshift/console/log(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/logs(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/console/httpd/logs(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/run(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/openshift/console/httpd/run(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/stickshift/[^/]*/log(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index f6eb4851f1..94c92bab0f 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
-## <summary>Various web servers.</summary>
+## <summary>Apache web server</summary>
 
 ########################################
 ## <summary>
-##	Create a set of derived types for
-##	httpd web content.
+##	Create a set of derived types for apache
+##	web content.
 ## </summary>
 ## <param name="prefix">
 ##	<summary>
@@ -11,120 +11,237 @@
 ##	</summary>
 ## </param>
 #
-template(`apache_content_template',`
+template(`apache_user_content_template',`
 	gen_require(`
-		attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
-		attribute httpd_script_domains, httpd_htaccess_type;
+		attribute httpd_exec_scripts, httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t;
+		attribute httpd_script_type, httpd_user_content_type;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	## <desc>
-	##	<p>
-	##	Determine whether the script domain can
-	##	modify public files used for public file
-	##	transfer services. Directories/Files must
-	##	be labeled public_content_rw_t.
-	##	</p>
-	## </desc>
-	gen_tunable(allow_httpd_$1_script_anon_write, false)
-
-	type httpd_$1_content_t, httpdcontent; # customizable
-	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
-	files_type(httpd_$1_content_t)
-
-	type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
-	files_type(httpd_$1_htaccess_t)
-
-	type httpd_$1_script_t, httpd_script_domains;
-	domain_type(httpd_$1_script_t)
-	role system_r types httpd_$1_script_t;
-
-	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-	corecmd_shell_entry_type(httpd_$1_script_t)
-	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-
-	type httpd_$1_rw_content_t, httpdcontent; # customizable
-	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
-	files_type(httpd_$1_rw_content_t)
+	#This type is for webpages
+	type $1_content_t; # customizable;
+	typeattribute $1_content_t httpd_user_content_type;
+	typealias $1_content_t alias { httpd_$1_content_t httpd_$1_script_ro_t };
+	files_type($1_content_t)
+
+	# This type is used for .htaccess files
+	type $1_htaccess_t, httpd_content_type; # customizable;
+	typeattribute $1_htaccess_t httpd_user_content_type;
+    typealias $1_htaccess_t alias {httpd_$1_htaccess_t };
+	files_type($1_htaccess_t)
+
+	# Type that CGI scripts run as
+	type $1_script_t,	httpd_script_type;
+	typealias $1_script_t alias { httpd_$1_script_t };
+	domain_type($1_script_t)
+	role system_r types $1_script_t;
+
+	kernel_read_system_state($1_script_t)
+
+	# This type is used for executable scripts files
+	type $1_script_exec_t, httpd_script_exec_type; # customizable;
+	typeattribute $1_script_exec_t httpd_user_content_type;
+	typealias $1_script_exec_t alias { httpd_$1_script_exec_t };
+	domain_entry_file($1_script_t, $1_script_exec_t)
+
+	type $1_rw_content_t; # customizable
+	typeattribute $1_rw_content_t httpd_user_content_type;
+	typealias $1_rw_content_t alias { httpd_$1_rw_content_t $1_script_rw_t $1_content_rw_t };
+	files_type($1_rw_content_t)
+
+	type $1_ra_content_t, httpd_content_type; # customizable
+	typeattribute $1_ra_content_t httpd_user_content_type;
+	typealias $1_ra_content_t alias { httpd_$1_ra_content_t $1_script_ra_t $1_content_ra_t };
+	files_type($1_ra_content_t)
+
+	# Allow the script process to search the cgi directory, and users directory
+	allow $1_script_t $1_content_t:dir search_dir_perms;
+
+	can_exec($1_script_t, $1_script_exec_t)
+	allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+	allow $1_script_t $1_content_t:dir list_dir_perms;
+	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+
+	# Allow the web server to run scripts and serve pages
+	tunable_policy(`httpd_builtin_scripting',`
+		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
 
-	type httpd_$1_ra_content_t, httpdcontent; # customizable
-	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
-	files_type(httpd_$1_ra_content_t)
+		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
 
-	########################################
-	#
-	# Policy
-	#
+	')
 
-	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+	tunable_policy(`httpd_enable_cgi',`
+		allow $1_script_t $1_script_exec_t:file entrypoint;
 
-	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-	allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-	allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
 
-	allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
-	allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
-	allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
+		# privileged users run the script:
+		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
 
-	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
 
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
-	allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
+		# apache runs the script:
+		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+		allow httpd_t $1_script_t:unix_dgram_socket sendto;
+	')
+')
 
-	tunable_policy(`allow_httpd_$1_script_anon_write',`
-		miscfiles_manage_public_files(httpd_$1_script_t)
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`apache_content_template',`
+	gen_require(`
+		attribute httpd_exec_scripts, httpd_script_exec_type;
+		type httpd_t, httpd_suexec_t;
+		attribute httpd_script_type, httpd_content_type;
 	')
 
+	#This type is for webpages
+	type $1_content_t; # customizable;
+	typeattribute $1_content_t httpd_content_type;
+	typealias $1_content_t alias httpd_$1_script_ro_t;
+	files_type($1_content_t)
+
+	# This type is used for .htaccess files
+	type $1_htaccess_t, httpd_content_type; # customizable;
+	typeattribute $1_htaccess_t httpd_content_type;
+	files_type($1_htaccess_t)
+
+	# Type that CGI scripts run as
+	type $1_script_t,	httpd_script_type;
+    typealias $1_script_t alias { httpd_$1_script_t };
+	domain_type($1_script_t)
+	role system_r types $1_script_t;
+
+	kernel_read_system_state($1_script_t)
+
+	# This type is used for executable scripts files
+	type $1_script_exec_t, httpd_script_exec_type; # customizable;
+	typeattribute $1_script_exec_t httpd_content_type;
+	domain_entry_file($1_script_t, $1_script_exec_t)
+
+	type $1_rw_content_t; # customizable
+	typeattribute $1_rw_content_t httpd_content_type;
+	typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
+	files_type($1_rw_content_t)
+
+	type $1_ra_content_t, httpd_content_type; # customizable
+	typeattribute $1_ra_content_t httpd_content_type;
+	typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
+	files_type($1_ra_content_t)
+
+	# Allow the script process to search the cgi directory, and users directory
+	allow $1_script_t $1_content_t:dir search_dir_perms;
+
+	can_exec($1_script_t, $1_script_exec_t)
+	allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+	allow $1_script_t $1_content_t:dir list_dir_perms;
+	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+
+	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
-		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
 
-		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-		allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-		allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-	')
+		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
 
-	tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
-		can_exec(httpd_t, httpd_$1_rw_content_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
-		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
-		domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
-	')
+		allow $1_script_t $1_script_exec_t:file entrypoint;
 
-	tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
-		can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
-	')
+		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
 
-	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
-	')
+		# privileged users run the script:
+		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
 
-	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
+
+		# apache runs the script:
+		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+		allow httpd_t $1_script_t:unix_dgram_socket sendto;
 	')
 ')
 
 ########################################
 ## <summary>
-##	Role access for apache.
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving new type names.
+##	</summary>
+## </param>
+## <param name="oldprefix">
+##	<summary>
+##	The prefix to be used for deriving old type names.
+##	</summary>
+## </param>
+#
+template(`apache_content_alias_template',`
+	typealias $1_htaccess_t alias httpd_$2_htaccess_t;
+	#typealias $1_script_t alias httpd_$2_script_t;
+	typealias $1_script_exec_t alias httpd_$2_script_exec_t;
+	typealias $1_content_t alias httpd_$2_content_t;
+	typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
+	typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
+')
+
+########################################
+## <summary>
+##	Role access for apache
 ## </summary>
 ## <param name="role">
 ##	<summary>
@@ -133,47 +250,61 @@ template(`apache_content_template',`
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
 interface(`apache_role',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_user_content_t, httpd_user_htaccess_t;
-		type httpd_user_script_t, httpd_user_script_exec_t;
-		type httpd_user_ra_content_t, httpd_user_rw_content_t;
+		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
 	')
 
 	role $1 types httpd_user_script_t;
 
-	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
-
-	allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
-
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
+	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+	apache_exec_modules($2)
+	apache_filetrans_home_content($2)
 
 	tunable_policy(`httpd_enable_cgi',`
+		# If a user starts a script by hand it gets the proper context
 		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
 	')
 
@@ -184,7 +315,7 @@ interface(`apache_role',`
 
 ########################################
 ## <summary>
-##	Read user httpd script executable files.
+##	Read httpd user scripts executables.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -204,7 +335,7 @@ interface(`apache_read_user_scripts',`
 
 ########################################
 ## <summary>
-##	Read user httpd content.
+##	Read user web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -224,7 +355,27 @@ interface(`apache_read_user_content',`
 
 ########################################
 ## <summary>
-##	Execute httpd with a domain transition.
+##	Manage user web content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_manage_user_content',`
+	gen_require(`
+		type httpd_user_content_t;
+	')
+
+	allow $1 httpd_user_content_t:dir manage_dir_perms;
+	manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+')
+
+########################################
+## <summary>
+##	Transition to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -241,27 +392,47 @@ interface(`apache_domtrans',`
 	domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Execute httpd server in the httpd domain.
+##	Allow the specified domain to execute apache
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`apache_initrc_domtrans',`
+interface(`apache_exec',`
 	gen_require(`
-		type httpd_initrc_exec_t;
+		type httpd_exec_t;
 	')
 
-	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+	can_exec($1, httpd_exec_t)
+')
+
+######################################
+## <summary>
+##	Allow the specified domain to execute apache suexec
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_exec_suexec',`
+	gen_require(`
+		type httpd_suexec_exec_t;
+	')
+
+	can_exec($1, httpd_suexec_exec_t)
 ')
 
 #######################################
 ## <summary>
-##	Send generic signals to httpd.
+##	Send a generic signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -279,7 +450,7 @@ interface(`apache_signal',`
 
 ########################################
 ## <summary>
-##	Send null signals to httpd.
+##	Send a null signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -297,7 +468,7 @@ interface(`apache_signull',`
 
 ########################################
 ## <summary>
-##	Send child terminated signals to httpd.
+##	Send a SIGCHLD signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -315,8 +486,7 @@ interface(`apache_sigchld',`
 
 ########################################
 ## <summary>
-##	Inherit and use file descriptors
-##	from httpd.
+##	Inherit and use file descriptors from Apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -334,8 +504,8 @@ interface(`apache_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd unnamed pipes.
+##	Do not audit attempts to read and write Apache
+##	unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -348,13 +518,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
 		type httpd_t;
 	')
 
-	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow attempts to read and write Apache
+##	unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd unix domain stream sockets.
+##	Do not audit attempts to read and write Apache
+##	unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -367,13 +556,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
 		type httpd_t;
 	')
 
-	dontaudit $1 httpd_t:unix_stream_socket { read write };
+	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd TCP sockets.
+##	Do not audit attempts to read and write Apache
+##	TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -391,8 +580,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	all httpd content.
+##	Create, read, write, and delete all web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -417,7 +605,8 @@ interface(`apache_manage_all_content',`
 
 ########################################
 ## <summary>
-##	Set attributes httpd cache directories.
+##	Allow domain to  set the attributes
+##	of the APACHE cache directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -435,7 +624,8 @@ interface(`apache_setattr_cache_dirs',`
 
 ########################################
 ## <summary>
-##	List httpd cache directories.
+##	Allow the specified domain to list
+##	Apache cache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -453,7 +643,8 @@ interface(`apache_list_cache',`
 
 ########################################
 ## <summary>
-##	Read and write httpd cache files.
+##	Allow the specified domain to read
+##	and write Apache cache files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -471,7 +662,8 @@ interface(`apache_rw_cache_files',`
 
 ########################################
 ## <summary>
-##	Delete httpd cache directories.
+##	Allow the specified domain to delete
+##	Apache cache dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -489,7 +681,8 @@ interface(`apache_delete_cache_dirs',`
 
 ########################################
 ## <summary>
-##	Delete httpd cache files.
+##	Allow the specified domain to delete
+##	Apache cache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -507,49 +700,51 @@ interface(`apache_delete_cache_files',`
 
 ########################################
 ## <summary>
-##	Read httpd configuration files.
+##	Allow the specified domain to search
+##	apache configuration dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`apache_read_config',`
+interface(`apache_search_config',`
 	gen_require(`
 		type httpd_config_t;
 	')
 
 	files_search_etc($1)
-	allow $1 httpd_config_t:dir list_dir_perms;
-	read_files_pattern($1, httpd_config_t, httpd_config_t)
-	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+	allow $1 httpd_config_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search httpd configuration directories.
+##	Allow the specified domain to read
+##	apache configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`apache_search_config',`
+interface(`apache_read_config',`
 	gen_require(`
 		type httpd_config_t;
 	')
 
 	files_search_etc($1)
-	allow $1 httpd_config_t:dir search_dir_perms;
+	allow $1 httpd_config_t:dir list_dir_perms;
+	read_files_pattern($1, httpd_config_t, httpd_config_t)
+	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd configuration files.
+##	Allow the specified domain to manage
+##	apache configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -570,8 +765,8 @@ interface(`apache_manage_config',`
 
 ########################################
 ## <summary>
-##	Execute the Apache helper program
-##	with a domain transition.
+##	Execute the Apache helper program with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -608,16 +803,38 @@ interface(`apache_domtrans_helper',`
 #
 interface(`apache_run_helper',`
 	gen_require(`
-		attribute_role httpd_helper_roles;
+		type httpd_helper_t;
 	')
 
 	apache_domtrans_helper($1)
-	roleattribute $2 httpd_helper_roles;
+	role $2 types httpd_helper_t;
+')
+
+########################################
+## <summary>
+##	dontaudit attempts to read
+##	apache log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_dontaudit_read_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	dontaudit $1 httpd_log_t:file read_file_perms;
+	dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read httpd log files.
+##	Allow the specified domain to read
+##	apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -639,7 +856,8 @@ interface(`apache_read_log',`
 
 ########################################
 ## <summary>
-##	Append httpd log files.
+##	Allow the specified domain to append
+##	to apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -657,10 +875,29 @@ interface(`apache_append_log',`
 	append_files_pattern($1, httpd_log_t, httpd_log_t)
 ')
 
+#######################################
+## <summary>
+##  Allow the specified domain to write
+##  to apache log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`apache_write_log',`
+    gen_require(`
+        type httpd_log_t;
+    ')
+
+	allow $1 httpd_log_t:file write;
+')
+
 ########################################
 ## <summary>
-##	Do not audit attempts to append
-##	httpd log files.
+##	Do not audit attempts to append to the
+##	Apache logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -678,8 +915,8 @@ interface(`apache_dontaudit_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd log files.
+##	Allow the specified domain to manage
+##	to apache var lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -687,20 +924,21 @@ interface(`apache_dontaudit_append_log',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_manage_log',`
+interface(`apache_manage_lib',`
 	gen_require(`
-		type httpd_log_t;
+		type httpd_var_lib_t;
 	')
 
-	logging_search_logs($1)
-	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
-	manage_files_pattern($1, httpd_log_t, httpd_log_t)
-	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+	manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+	read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Write apache log files.
+##	Allow the specified domain to manage
+##	to apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -708,19 +946,21 @@ interface(`apache_manage_log',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_write_log',`
+interface(`apache_manage_log',`
 	gen_require(`
 		type httpd_log_t;
 	')
 
 	logging_search_logs($1)
-	write_files_pattern($1, httpd_log_t, httpd_log_t)
+	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+	manage_files_pattern($1, httpd_log_t, httpd_log_t)
+	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search
-##	httpd module directories.
+##	Do not audit attempts to search Apache
+##	module directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -738,7 +978,8 @@ interface(`apache_dontaudit_search_modules',`
 
 ########################################
 ## <summary>
-##	List httpd module directories.
+##	Allow the specified domain to read
+##	the apache module directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -746,17 +987,19 @@ interface(`apache_dontaudit_search_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_list_modules',`
+interface(`apache_read_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
-	allow $1 httpd_modules_t:dir list_dir_perms;
+	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute httpd module files.
+##	Allow the specified domain to list
+##	the contents of the apache modules
+##	directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -764,19 +1007,19 @@ interface(`apache_list_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_exec_modules',`
+interface(`apache_list_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
-	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
-	can_exec($1, httpd_modules_t)
+	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Read httpd module files.
+##	Allow the specified domain to execute
+##	apache modules.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -784,19 +1027,19 @@ interface(`apache_exec_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_read_module_files',`
+interface(`apache_exec_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
-	libs_search_lib($1)
-	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+	allow $1 httpd_modules_t:dir list_dir_perms;
+	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+	can_exec($1, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run httpd_rotatelogs.
+##	Execute a domain transition to run httpd_rotatelogs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -809,13 +1052,50 @@ interface(`apache_domtrans_rotatelogs',`
 		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
 ')
 
+#######################################
+## <summary>
+##  Execute httpd_rotatelogs in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`apache_exec_rotatelogs',`
+    gen_require(`
+        type httpd_rotatelogs_exec_t;
+    ')
+
+	can_exec($1, httpd_rotatelogs_exec_t)
+')
+
+#######################################
+## <summary>
+##  Execute httpd system scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`apache_exec_sys_script',`
+	gen_require(`
+		type httpd_sys_script_exec_t;
+	')
+
+	allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+	can_exec($1, httpd_sys_script_exec_t)
+')
+
 ########################################
 ## <summary>
-##	List httpd system content directories.
+##	Allow the specified domain to list
+##	apache system content files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -829,13 +1109,14 @@ interface(`apache_list_sys_content',`
 	')
 
 	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 	files_search_var($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd system content files.
+##	Allow the specified domain to manage
+##	apache system content files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -844,6 +1125,7 @@ interface(`apache_list_sys_content',`
 ## </param>
 ## <rolecap/>
 #
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
 interface(`apache_manage_sys_content',`
 	gen_require(`
 		type httpd_sys_content_t;
@@ -855,32 +1137,98 @@ interface(`apache_manage_sys_content',`
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 ')
 
-########################################
+######################################
+## <summary>
+##	Allow the specified domain to read
+##	apache system content rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_files',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+##	Allow the specified domain to read
+##	apache system content rw dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_dirs',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd system rw content.
+##	Allow the specified domain to manage
+##	apache system content rw files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_manage_sys_content_rw',`
 	gen_require(`
 		type httpd_sys_rw_content_t;
 	')
 
-	apache_search_sys_content($1)
+	files_search_var($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute all httpd scripts in the
-##	system script domain.
+##	Allow the specified domain to delete
+##	apache system content rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_delete_sys_content_rw',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	files_search_tmp($1)
+	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+## <summary>
+##	Execute all web scripts in the system
+##	script domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -888,10 +1236,17 @@ interface(`apache_manage_sys_rw_content',`
 ##	</summary>
 ## </param>
 #
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
 interface(`apache_domtrans_sys_script',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_sys_script_t;
+		type httpd_sys_script_exec_t;
+		type httpd_sys_script_t, httpd_sys_content_t;
+	')
+
+	tunable_policy(`httpd_enable_cgi',`
+		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -901,9 +1256,8 @@ interface(`apache_domtrans_sys_script',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd system script unix
-##	domain stream sockets.
+##	Do not audit attempts to read and write Apache
+##	system script unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -916,7 +1270,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
 		type httpd_sys_script_t;
 	')
 
-	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+	dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
@@ -941,7 +1295,7 @@ interface(`apache_domtrans_all_scripts',`
 ########################################
 ## <summary>
 ##	Execute all user scripts in the user
-##	script domain. Add user script domains
+##	script domain.  Add user script domains
 ##	to the specified role.
 ## </summary>
 ## <param name="domain">
@@ -954,6 +1308,7 @@ interface(`apache_domtrans_all_scripts',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
@@ -966,7 +1321,8 @@ interface(`apache_run_all_scripts',`
 
 ########################################
 ## <summary>
-##	Read httpd squirrelmail data files.
+##	Allow the specified domain to read
+##	apache squirrelmail data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -979,12 +1335,13 @@ interface(`apache_read_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
 
-	allow $1 httpd_squirrelmail_t:file read_file_perms;
+	read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
 ')
 
 ########################################
 ## <summary>
-##	Append httpd squirrelmail data files.
+##	Allow the specified domain to append
+##	apache squirrelmail data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1002,7 +1359,7 @@ interface(`apache_append_squirrelmail_data',`
 
 ########################################
 ## <summary>
-##	Search httpd system content.
+##	Search apache system content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1015,13 +1372,12 @@ interface(`apache_search_sys_content',`
 		type httpd_sys_content_t;
 	')
 
-	files_search_var($1)
 	allow $1 httpd_sys_content_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read httpd system content.
+##	Read apache system content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1041,7 +1397,7 @@ interface(`apache_read_sys_content',`
 
 ########################################
 ## <summary>
-##	Search httpd system CGI directories.
+##	Search apache system CGI directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1059,8 +1415,7 @@ interface(`apache_search_sys_scripts',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete all
-##	user httpd content.
+##	Create, read, write, and delete all user web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1071,18 +1426,21 @@ interface(`apache_search_sys_scripts',`
 #
 interface(`apache_manage_all_user_content',`
 	gen_require(`
-		type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
-		type httpd_user_htaccess_t, httpd_user_script_exec_t;
+		attribute httpd_user_content_type, httpd_user_script_exec_type;
 	')
 
-	manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
-	manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
-	manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
 ')
 
 ########################################
 ## <summary>
-##	Search system script state directories.
+##	Search system script state directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1100,7 +1458,48 @@ interface(`apache_search_sys_script_state',`
 
 ########################################
 ## <summary>
-##	Read httpd tmp files.
+##	Allow the specified domain to read
+##	apache pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_pid_files',`
+	gen_require(`
+		type httpd_var_run_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_tmp_dirs',`
+	gen_require(`
+		type httpd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	list_dirs_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1119,8 +1518,47 @@ interface(`apache_read_tmp_files',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	httpd tmp files.
+##	Allow the specified domain to read
+##	apache tmp lnk files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_tmp_symlinks',`
+	gen_require(`
+		type httpd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	read_lnk_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+######################################
+## <summary>
+##	Dontaudit attempts to read and write
+##	apache tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+	gen_require(`
+		type httpd_tmp_t;
+	')
+
+	dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to write
+##	apache tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1133,7 +1571,7 @@ interface(`apache_dontaudit_write_tmp_files',`
 		type httpd_tmp_t;
 	')
 
-	dontaudit $1 httpd_tmp_t:file write_file_perms;
+	dontaudit $1 httpd_tmp_t:file write;
 ')
 
 ########################################
@@ -1142,6 +1580,9 @@ interface(`apache_dontaudit_write_tmp_files',`
 ## </summary>
 ##	<desc>
 ##	<p>
+##	Execute CGI in the specified domain.
+##	</p>
+##	<p>
 ##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
@@ -1171,8 +1612,31 @@ interface(`apache_cgi_domain',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an apache environment.
+##	Execute httpd server in the httpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apache_systemctl',`
+	gen_require(`
+		type httpd_t;
+		type httpd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 httpd_unit_file_t:file read_file_perms;
+	allow $1 httpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, httpd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an apache environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1189,18 +1653,19 @@ interface(`apache_cgi_domain',`
 interface(`apache_admin',`
 	gen_require(`
 		attribute httpdcontent, httpd_script_exec_type;
-		attribute httpd_script_domains, httpd_htaccess_type;
 		type httpd_t, httpd_config_t, httpd_log_t;
-		type httpd_modules_t, httpd_lock_t, httpd_helper_t;
-		type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
-		type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
-		type httpd_initrc_exec_t, httpd_keytab_t;
+		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+		type httpd_suexec_tmp_t, httpd_tmp_t;
+		type httpd_unit_file_t;
 	')
 
-	allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
-	allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
-	ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+	allow $1 httpd_t:process signal_perms;
+	ps_process_pattern($1, httpd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 httpd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -1210,10 +1675,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
 
-	files_search_etc($1)
-	admin_pattern($1, { httpd_keytab_t httpd_config_t })
+	files_list_etc($1)
+	admin_pattern($1, httpd_config_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
@@ -1224,9 +1689,165 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
-	admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
-	admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
+	admin_pattern($1, httpdcontent)
+	admin_pattern($1, httpd_script_exec_type)
+
+	seutil_domtrans_setfiles($1)
+
+	files_list_tmp($1)
+	admin_pattern($1, httpd_tmp_t)
+	admin_pattern($1, httpd_php_tmp_t)
+	admin_pattern($1, httpd_suexec_tmp_t)
+
+	apache_systemctl($1)
+	admin_pattern($1, httpd_unit_file_t)
+	allow $1 httpd_unit_file_t:service all_service_perms;
+
+	apache_filetrans_named_content($1)
+')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_leaks',`
+	gen_require(`
+		type httpd_t;
+		type httpd_tmp_t;
+	')
+
+	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+	dontaudit $1 httpd_t:tcp_socket { read write };
+	dontaudit $1 httpd_t:unix_dgram_socket { read write };
+	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
+	dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Transition to apache named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_filetrans_named_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+		type httpd_tmp_t;
+	')
+
+
+	apache_filetrans_home_content($1)
+	files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
+	files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
+	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
+	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+	userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
+## <summary>
+##	Allow any httpd_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_entrypoint',`
+	gen_require(`
+		type httpd_exec_t;
+	')
+	allow $1 httpd_exec_t:file entrypoint;
+')
+
+########################################
+## <summary>
+##	Execute a httpd_exec_t in the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`apache_exec_domtrans',`
+	gen_require(`
+		type httpd_exec_t;
+	')
+
+	domtrans_pattern($1, httpd_exec_t, $2)
+')
+
+########################################
+## <summary>
+##	Transition to apache home content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_filetrans_home_content',`
+	gen_require(`
+		type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+		type httpd_user_content_ra_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+	filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+	filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+')
+
 
-	apache_run_all_scripts($1, $2)
-	apache_run_helper($1, $2)
+########################################
+## <summary>
+##      Send and receive messages from
+##      httpd over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`apache_dbus_chat',`
+        gen_require(`
+                type httpd_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 httpd_t:dbus send_msg;
+        allow httpd_t $1:dbus send_msg;
+		ps_process_pattern(httpd_t, $1)
 ')
diff --git a/apache.te b/apache.te
index 6649962b6e..e51965af4b 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
 # Declarations
 #
 
+selinux_genbool(httpd_bool_t)
+
 ## <desc>
-##	<p>
-##	Determine whether httpd can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
 ## </desc>
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use mod_auth_pam.
-##	</p>
+## <p>
+## Dontaudit Apache to search dirs.
+## </p>
 ## </desc>
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_dontaudit_search_dirs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use built in scripting.
-##	</p>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
 ## </desc>
-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_pam, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can check spam.
-##	</p>
+## <p>
+## Allow Apache to use mod_auth_ntlm_winbind
+## </p>
 ## </desc>
-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and modules
-##	can connect to the network using TCP.
-##	</p>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## </p>
+## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow httpd processes to manage IPA content
+## </p>
+## </desc>
+gen_tunable(httpd_manage_ipa, false)
+
+## <desc>
+## <p>
+## Allow httpd processes to run IPA helper.
+## </p>
+## </desc>
+gen_tunable(httpd_run_ipa, false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and modules
-##	can connect to cobbler over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect_cobbler, false)
 
 ## <desc>
-##	<p>
-##	Determine whether scripts and modules can
-##	connect to databases over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to server cobbler files.
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_db, false)
+gen_tunable(httpd_serve_cobbler_files, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect to
-##	ldap over the network.
-##	</p>
+## <p>
+## Allow HTTPD to connect to port 80 for graceful shutdown
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_ldap, false)
+gen_tunable(httpd_graceful_shutdown, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect
-##	to memcache server over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to connect to memcache server
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_memcache, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can act as a relay.
-##	</p>
+## <p>
+## Allow httpd to act as a relay
+## </p>
 ## </desc>
 gen_tunable(httpd_can_network_relay, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd daemon can
-##	connect to zabbix over the network.
-##	</p>
+##  <p>
+##  Allow http daemon to connect to zabbix
+##  </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_zabbix, false)
+gen_tunable(httpd_can_connect_zabbix, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can send mail.
-##	</p>
+##  <p>
+##  Allow http daemon to connect to mythtv
+##  </p>
+## </desc>
+gen_tunable(httpd_can_connect_mythtv, false)
+
+## <desc>
+## <p>
+## Allow http daemon to check spam
+## </p>
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
+## <desc>
+## <p>
+## Allow http daemon to send mail
+## </p>
 ## </desc>
 gen_tunable(httpd_can_sendmail, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can communicate
-##	with avahi service via dbus.
-##	</p>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
 ## </desc>
 gen_tunable(httpd_dbus_avahi, false)
 
 ## <desc>
-##	<p>
-##	Determine wether httpd can use support.
-##	</p>
+## <p>
+## Allow Apache to communicate with sssd service via dbus
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_cgi, false)
+gen_tunable(httpd_dbus_sssd, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can act as a
-##	FTP server by listening on the ftp port.
-##	</p>
+## <p>
+## Allow httpd cgi support
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_ftp_server, false)
+gen_tunable(httpd_enable_cgi, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can traverse
-##	user home directories.
-##	</p>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_homedirs, false)
+gen_tunable(httpd_enable_ftp_server, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd gpg can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+## </p>
 ## </desc>
-gen_tunable(httpd_gpg_anon_write, false)
+gen_tunable(httpd_can_connect_ftp, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can execute
-##	its temporary content.
-##	</p>
+##  <p>
+##  Allow httpd to connect to the ldap port 
+##  </p>
 ## </desc>
-gen_tunable(httpd_tmp_exec, false)
+gen_tunable(httpd_can_connect_ldap, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and
-##	modules can use execmem and execstack.
-##	</p>
+## <p>
+## Allow httpd to read home directories
+## </p>
 ## </desc>
-gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_enable_homedirs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect
-##	to port 80 for graceful shutdown.
-##	</p>
+## <p>
+## Allow httpd to read user content 
+## </p>
 ## </desc>
-gen_tunable(httpd_graceful_shutdown, false)
+gen_tunable(httpd_read_user_content, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can
-##	manage IPA content files.
-##	</p>
+## <p>
+## Allow Apache to run in stickshift mode, not transition to passenger
+## </p>
 ## </desc>
-gen_tunable(httpd_manage_ipa, false)
+gen_tunable(httpd_run_stickshift, false)
+
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use mod_auth_ntlm_winbind.
-##	</p>
+## <p>
+## Allow Apache to run preupgrade
+## </p>
 ## </desc>
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+gen_tunable(httpd_run_preupgrade, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can read
-##	generic user home content files.
-##	</p>
+## <p>
+## Allow Apache to query NS records
+## </p>
 ## </desc>
-gen_tunable(httpd_read_user_content, false)
+gen_tunable(httpd_verify_dns, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can change
-##	its resource limits.
-##	</p>
+## <p>
+## Allow httpd daemon to change its resource limits
+## </p>
 ## </desc>
 gen_tunable(httpd_setrlimit, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can run
-##	SSI executables in the same domain
-##	as system CGI scripts.
-##	</p>
+## <p>
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+## </p>
 ## </desc>
 gen_tunable(httpd_ssi_exec, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can communicate
-##	with the terminal. Needed for entering the
-##	passphrase for certificates at the terminal.
-##	</p>
+## <p>
+## Allow Apache to execute tmp content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
+## <desc>
+## <p>
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+## </p>
 ## </desc>
 gen_tunable(httpd_tty_comm, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can have full access
-##	to its content types.
-##	</p>
+## <p>
+## Unify HTTPD handling of all content files.
+## </p>
 ## </desc>
 gen_tunable(httpd_unified, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use
-##	cifs file systems.
-##	</p>
+## <p>
+## Allow httpd to access openstack ports
+## </p>
+## </desc>
+gen_tunable(httpd_use_openstack, false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
 ## </desc>
 gen_tunable(httpd_use_cifs, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether httpd can
-##	use fuse file systems.
+##	Allow httpd to access FUSE file systems
 ##	</p>
 ## </desc>
 gen_tunable(httpd_use_fusefs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use gpg.
-##	</p>
+## <p>
+## Allow httpd to run gpg
+## </p>
 ## </desc>
 gen_tunable(httpd_use_gpg, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use
-##	nfs file systems.
-##	</p>
+## <p>
+## Allow httpd to connect to  sasl
+## </p>
+## </desc>
+gen_tunable(httpd_use_sasl, false)
+
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
 ## </desc>
 gen_tunable(httpd_use_nfs, false)
 
+## <desc>
+## <p>
+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
+## </p>
+## </desc>
+gen_tunable(httpd_sys_script_anon_write, false)
+
 attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
+attribute httpd_content_type;
 
-# domains that can exec all scripts
+# domains that can exec all users scripts
 attribute httpd_exec_scripts;
 
+attribute httpd_script_type;
 attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
 
-# all script domains
+# user script domains
 attribute httpd_script_domains;
 
-attribute_role httpd_helper_roles;
-roleattribute system_r httpd_helper_roles;
-
 type httpd_t;
 type httpd_exec_t;
+ifdef(`distro_redhat',`
+	typealias httpd_t alias phpfpm_t;
+	typealias httpd_exec_t alias phpfpm_exec_t;
+')
 init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
 
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
 type httpd_cache_t;
 files_type(httpd_cache_t)
 
+# httpd_config_t is the type given to the configuration files
 type httpd_config_t;
 files_config_file(httpd_config_t)
 
 type httpd_helper_t;
 type httpd_helper_exec_t;
-application_domain(httpd_helper_t, httpd_helper_exec_t)
-role httpd_helper_roles types httpd_helper_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
 
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
@@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t)
 type httpd_keytab_t;
 files_type(httpd_keytab_t)
 
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
+	typealias httpd_unit_file_t alias phpfpm_unit_file_t;
+')
+systemd_unit_file(httpd_unit_file_t)
+
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
 type httpd_log_t;
+ifdef(`distro_redhat',`
+	typealias httpd_log_t alias phpfpm_log_t;
+')
 logging_log_file(httpd_log_t)
 
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
 type httpd_modules_t;
 files_type(httpd_modules_t)
 
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
 type httpd_rotatelogs_t;
 type httpd_rotatelogs_exec_t;
 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
@@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
 type httpd_squirrelmail_t;
 files_type(httpd_squirrelmail_t)
 
-type squirrelmail_spool_t;
-files_tmp_file(squirrelmail_spool_t)
-
-type httpd_suexec_t;
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
 type httpd_suexec_exec_t;
 domain_type(httpd_suexec_t)
 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
@@ -314,9 +398,19 @@ role system_r types httpd_suexec_t;
 type httpd_suexec_tmp_t;
 files_tmp_file(httpd_suexec_tmp_t)
 
-apache_content_template(sys)
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+# setup the system domain for system CGI scripts
+apache_content_template(httpd_sys)
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
 
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
@@ -324,14 +418,16 @@ files_tmp_file(httpd_tmp_t)
 type httpd_tmpfs_t;
 files_tmpfs_file(httpd_tmpfs_t)
 
-apache_content_template(user)
+apache_user_content_template(httpd_user)
 ubac_constrained(httpd_user_script_t)
-userdom_user_home_content(httpd_user_content_t)
-userdom_user_home_content(httpd_user_htaccess_t)
-userdom_user_home_content(httpd_user_script_exec_t)
-userdom_user_home_content(httpd_user_ra_content_t)
-userdom_user_home_content(httpd_user_rw_content_t)
+
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
+typeattribute httpd_user_script_t httpd_script_domains;
 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -346,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
 
+# for apache2 memory mapped files
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
 
 type httpd_var_run_t;
+ifdef(`distro_redhat',`
+	typealias httpd_var_run_t alias phpfpm_var_run_t;
+')
 files_pid_file(httpd_var_run_t)
 
-type httpd_passwd_t;
-type httpd_passwd_exec_t;
-domain_type(httpd_passwd_t)
-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
-role system_r types httpd_passwd_t;
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
 
-type httpd_gpg_t;
-domain_type(httpd_gpg_t)
-role system_r types httpd_gpg_t;
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
 
 optional_policy(`
 	prelink_object_file(httpd_modules_t)
 ')
 
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
 ########################################
 #
-# Local policy
+# Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
+allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
 allow httpd_t self:sock_file read_sock_file_perms;
@@ -381,30 +484,41 @@ allow httpd_t self:shm create_shm_perms;
 allow httpd_t self:sem create_sem_perms;
 allow httpd_t self:msgq create_msgq_perms;
 allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket sendto;
-allow httpd_t self:unix_stream_socket { accept connectto listen };
-allow httpd_t self:tcp_socket { accept listen };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
 
+# Allow httpd_t to put files in /var/cache/httpd etc
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+allow httpd_t httpd_cache_t:file map;
 
+# Allow the httpd_t to read the web servers config files
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;
+
+can_exec(httpd_t, httpd_exec_t)
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
 allow httpd_t httpd_lock_t:file manage_file_perms;
 files_lock_filetrans(httpd_t, httpd_lock_t, file)
 
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
+allow httpd_t httpd_log_t:dir setattr;
 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
 allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,13 +526,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
 allow httpd_t httpd_rotatelogs_t:process signal_perms;
 
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
+
+allow httpd_t httpd_suexec_t:process { signal signull };
+allow httpd_t httpd_suexec_t:file read_file_perms;
 
-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_sys_content_t:file map;
 
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
 
@@ -428,6 +551,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
 userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
+allow httpd_t httpd_tmp_t:file map;
 
 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -435,9 +559,11 @@ manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow httpd_t httpd_tmpfs_t:file map;
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -450,140 +576,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
-can_exec(httpd_t, httpd_exec_t)
-
-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
 kernel_read_kernel_sysctls(httpd_t)
-kernel_read_network_state(httpd_t)
+# for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
 kernel_search_network_sysctl(httpd_t)
 
-corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
 corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
 corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_generic_node(httpd_t)
-
-corenet_sendrecv_http_server_packets(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
-corenet_tcp_sendrecv_http_port(httpd_t)
-
-corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_udp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_t)
-
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
+# Signal self for shutdown
+tunable_policy(`httpd_graceful_shutdown',`
+	corenet_tcp_connect_http_port(httpd_t)
+')
 
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
 dev_rw_crypto(httpd_t)
 
-domain_use_interactive_fds(httpd_t)
-
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
-
-fs_getattr_all_fs(httpd_t)
-fs_read_anon_inodefs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_rw_hugetlbfs_files(httpd_t)
+fs_exec_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
 
+files_dontaudit_search_all_pids(httpd_t)
 files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
 files_list_mnt(httpd_t)
+files_read_mnt_symlinks(httpd_t)
+files_search_all(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
 files_read_var_lib_files(httpd_t)
 files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
 files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+# for tomcat
 files_read_var_lib_symlinks(httpd_t)
 
-auth_use_nsswitch(httpd_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
 
 libs_read_lib_files(httpd_t)
 
+ifdef(`hide_broken_symptoms',`
+	libs_exec_lib_files(httpd_t)
+')
+
 logging_send_syslog_msg(httpd_t)
 
-miscfiles_read_localization(httpd_t)
+init_dontaudit_read_utmp(httpd_t)
+
 miscfiles_read_fonts(httpd_t)
 miscfiles_read_public_files(httpd_t)
 miscfiles_read_generic_certs(httpd_t)
+miscfiles_map_generic_certs(httpd_t)
 miscfiles_read_tetex_data(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
+miscfiles_dontaudit_access_check_cert(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
+userdom_rw_inherited_user_tmp_files(httpd_t)
+userdom_map_tmp_files(httpd_t)
 
-ifdef(`TODO',`
-	tunable_policy(`allow_httpd_mod_auth_pam',`
-		auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+	allow httpd_t self:process setrlimit;
+	allow httpd_t self:capability sys_resource;
+')
 
-		logging_send_audit_msgs(httpd_t)
-	')
+tunable_policy(`httpd_anon_write',`
+	miscfiles_manage_public_files(httpd_t)
 ')
 
-ifdef(`hide_broken_symptoms',`
-	libs_exec_lib_files(httpd_t)
+tunable_policy(`httpd_dontaudit_search_dirs',`
+    files_dontaudit_search_non_security_dirs(httpd_t)
 ')
 
-tunable_policy(`allow_httpd_anon_write',`
-	miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+	auth_domtrans_chkpwd(httpd_t)
+	logging_send_audit_msgs(httpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+		samba_domtrans_winbind_helper(httpd_t)
+	')
 ')
 
 tunable_policy(`httpd_can_network_connect',`
-	corenet_sendrecv_all_client_packets(httpd_t)
 	corenet_tcp_connect_all_ports(httpd_t)
-	corenet_tcp_sendrecv_all_ports(httpd_t)
 ')
 
 tunable_policy(`httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_t)
 	corenet_tcp_connect_gds_db_port(httpd_t)
-	corenet_tcp_sendrecv_gds_db_port(httpd_t)
-	corenet_sendrecv_mssql_client_packets(httpd_t)
 	corenet_tcp_connect_mssql_port(httpd_t)
-	corenet_tcp_sendrecv_mssql_port(httpd_t)
-	corenet_sendrecv_oracledb_client_packets(httpd_t)
-	corenet_tcp_connect_oracledb_port(httpd_t)
-	corenet_tcp_sendrecv_oracledb_port(httpd_t)
+	corenet_tcp_connect_mongod_port(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_t)
+	corenet_tcp_connect_oracle_port(httpd_t)
+	corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+	corenet_tcp_connect_memcache_port(httpd_t)
 ')
 
 tunable_policy(`httpd_can_network_relay',`
-	corenet_sendrecv_gopher_client_packets(httpd_t)
+	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
-	corenet_tcp_sendrecv_gopher_port(httpd_t)
-	corenet_sendrecv_ftp_client_packets(httpd_t)
 	corenet_tcp_connect_ftp_port(httpd_t)
-	corenet_tcp_sendrecv_ftp_port(httpd_t)
-	corenet_sendrecv_http_client_packets(httpd_t)
 	corenet_tcp_connect_http_port(httpd_t)
-	corenet_tcp_sendrecv_http_port(httpd_t)
-	corenet_sendrecv_http_cache_client_packets(httpd_t)
 	corenet_tcp_connect_http_cache_port(httpd_t)
-	corenet_tcp_sendrecv_http_cache_port(httpd_t)
-	corenet_sendrecv_squid_client_packets(httpd_t)
 	corenet_tcp_connect_squid_port(httpd_t)
-	corenet_tcp_sendrecv_squid_port(httpd_t)
+	corenet_tcp_connect_memcache_port(httpd_t)
+	corenet_sendrecv_gopher_client_packets(httpd_t)
+	corenet_sendrecv_ftp_client_packets(httpd_t)
+	corenet_sendrecv_http_client_packets(httpd_t)
+	corenet_sendrecv_http_cache_client_packets(httpd_t)
+	corenet_sendrecv_squid_client_packets(httpd_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 ')
 
-tunable_policy(`httpd_builtin_scripting',`
-	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+tunable_policy(`httpd_execmem',`
+	allow httpd_t self:process { execmem execstack };
+	allow httpd_sys_script_t self:process { execmem execstack };
+	allow httpd_suexec_t self:process { execmem execstack };
+')
 
-	allow httpd_t httpdcontent:dir list_dir_perms;
-	allow httpd_t httpdcontent:file read_file_perms;
-	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+	can_exec(httpd_sys_script_t, httpd_sys_content_t)
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-	allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
-	allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+tunable_policy(`httpd_sys_script_anon_write',`
+	miscfiles_manage_public_files(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +758,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
 
-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-#	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-# ')
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+	manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+	manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+	manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
-	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_can_connect_ftp',`
+	corenet_tcp_connect_ftp_port(httpd_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_ldap',`
+	corenet_tcp_connect_ldap_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_mythtv',`
+	corenet_tcp_connect_mythtv_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_zabbix',`
+	corenet_tcp_connect_zabbix_port(httpd_t)
 ')
 
 tunable_policy(`httpd_enable_ftp_server',`
-	corenet_sendrecv_ftp_server_packets(httpd_t)
 	corenet_tcp_bind_ftp_port(httpd_t)
-	corenet_tcp_sendrecv_ftp_port(httpd_t)
+	corenet_tcp_bind_all_ephemeral_ports(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+	can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+	can_exec(httpd_sys_script_t, httpd_tmp_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +810,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_t)
+tunable_policy(`httpd_use_nfs',`
+	fs_list_auto_mountpoints(httpd_t)
+	fs_manage_nfs_dirs(httpd_t)
+	fs_manage_nfs_files(httpd_t)
+	fs_manage_nfs_symlinks(httpd_t)
+')
+
+
+optional_policy(`
+    tunable_policy(`httpd_use_nfs',`
+	    automount_search_tmp_dirs(httpd_t)
+    ')
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_list_auto_mountpoints(httpd_t)
 	fs_read_cifs_files(httpd_t)
 	fs_read_cifs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_t)
+tunable_policy(`httpd_can_sendmail',`
+	# allow httpd to connect to mail servers
+	corenet_tcp_connect_smtp_port(httpd_t)
+	corenet_sendrecv_smtp_client_packets(httpd_t)
+	corenet_tcp_connect_pop_port(httpd_t)
+	corenet_sendrecv_pop_client_packets(httpd_t)
 ')
 
-tunable_policy(`httpd_execmem',`
-	allow httpd_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_t)
-	corenet_tcp_connect_smtp_port(httpd_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_t)
-	corenet_sendrecv_pop_client_packets(httpd_t)
-	corenet_tcp_connect_pop_port(httpd_t)
-	corenet_tcp_sendrecv_pop_port(httpd_t)
-
-	mta_send_mail(httpd_t)
-	mta_signal_system_mail(httpd_t)
+optional_policy(`
+    tunable_policy(`httpd_can_sendmail',`
+	    mta_send_mail(httpd_t)
+	    mta_signal_system_mail(httpd_t)
+    ')
 ')
 
 optional_policy(`
-	tunable_policy(`httpd_can_network_connect_zabbix',`
-		zabbix_tcp_connect(httpd_t)
-	')
+    tunable_policy(`httpd_can_sendmail',`
+    postfix_rw_spool_maildrop_files(httpd_t)
+    ')
 ')
 
-optional_policy(`
-	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-		spamassassin_domtrans_client(httpd_t)
-	')
-')
-
-tunable_policy(`httpd_graceful_shutdown',`
-	corenet_sendrecv_http_client_packets(httpd_t)
-	corenet_tcp_connect_http_port(httpd_t)
-	corenet_tcp_sendrecv_http_port(httpd_t)
-')
-
-optional_policy(`
-	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-		gpg_spec_domtrans(httpd_t, httpd_gpg_t)
-	')
-')
-
-optional_policy(`
-	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
-		samba_domtrans_winbind_helper(httpd_t)
-	')
+tunable_policy(`httpd_use_cifs',`
+	fs_manage_cifs_dirs(httpd_t)
+	fs_manage_cifs_files(httpd_t)
+	fs_manage_cifs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_read_user_content',`
-	userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
+	fs_manage_fusefs_dirs(httpd_t)
+	fs_manage_fusefs_files(httpd_t)
+	fs_manage_fusefs_symlinks(httpd_t)
 ')
 
 tunable_policy(`httpd_setrlimit',`
@@ -695,49 +869,48 @@ tunable_policy(`httpd_setrlimit',`
 
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+	allow httpd_sys_script_t httpd_t:fd use;
+	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_t:process sigchld;
 ')
 
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-	can_exec(httpd_t, httpd_tmp_t)
-')
-
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_t)
+	userdom_use_inherited_user_terminals(httpd_t)
+	userdom_use_inherited_user_terminals(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_cifs_dirs(httpd_t)
-	fs_manage_cifs_files(httpd_t)
-	fs_manage_cifs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_t)
-')
+optional_policy(`
+	cobbler_list_config(httpd_t)
+	cobbler_read_config(httpd_t)
 
-tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_fusefs_dirs(httpd_t)
-	fs_manage_fusefs_files(httpd_t)
-	fs_read_fusefs_symlinks(httpd_t)
-')
+    tunable_policy(`httpd_serve_cobbler_files',`
+        cobbler_manage_lib_files(httpd_t)
+',`
+	    cobbler_read_lib_files(httpd_t)
+	    cobbler_search_lib(httpd_t)
+    ')
 
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_t)
+    tunable_policy(`httpd_can_network_connect_cobbler',`
+        corenet_tcp_connect_cobbler_port(httpd_t)
+    ')
 ')
 
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_nfs_dirs(httpd_t)
-	fs_manage_nfs_files(httpd_t)
-	fs_manage_nfs_symlinks(httpd_t)
+optional_policy(`
+    tunable_policy(`httpd_use_sasl',`
+        sasl_connect(httpd_t)
+    ')
 ')
 
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_t)
+optional_policy(`
+	# Support for ABRT retrace server
+	# mod_wsgi
+	abrt_manage_spool_retrace(httpd_t)
+	abrt_domtrans_retrace_worker(httpd_t)
+	abrt_read_config(httpd_t)
 ')
 
 optional_policy(`
@@ -749,24 +922,32 @@ optional_policy(`
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(httpd_t)
+	cron_system_entry(httpd_t, httpd_exec_t)
 ')
 
 optional_policy(`
-	cobbler_read_config(httpd_t)
-	cobbler_read_lib_files(httpd_t)
+	cvs_read_data(httpd_t)
 ')
 
 optional_policy(`
-	cron_system_entry(httpd_t, httpd_exec_t)
+	daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
 
 optional_policy(`
-	cvs_read_data(httpd_t)
+	#needed by FreeIPA 
+	dirsrv_stream_connect(httpd_t)
 ')
 
 optional_policy(`
-	daemontools_service_domain(httpd_t, httpd_exec_t)
+	dirsrv_manage_config(httpd_t)
+	dirsrv_manage_log(httpd_t)
+	dirsrv_manage_var_run(httpd_t)
+	dirsrv_read_share(httpd_t)
+	dirsrv_signal(httpd_t)
+	dirsrv_signull(httpd_t)
+	dirsrvadmin_manage_config(httpd_t)
+	dirsrvadmin_manage_tmp(httpd_t)
+	dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
 ')
 
 optional_policy(`
@@ -775,6 +956,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
+
+    tunable_policy(`httpd_dbus_sssd',`
+        sssd_dbus_chat(httpd_t)
+    ')
 ')
 
 optional_policy(`
@@ -786,35 +971,62 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_manage_host_rcache(httpd_t)
-	kerberos_read_keytab(httpd_t)
-	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
-	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
-	kerberos_use(httpd_t)
+	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+		gpg_domtrans_web(httpd_t)
+	')
 ')
 
 optional_policy(`
-	ldap_stream_connect(httpd_t)
+	gssproxy_stream_connect(httpd_t)
+')
 
-	tunable_policy(`httpd_can_network_connect_ldap',`
-		ldap_tcp_connect(httpd_t)
-	')
+optional_policy(`
+    ipa_read_lib(httpd_t)
+    ipa_manage_pid_files(httpd_t)
+')
+
+optional_policy(`
+	mirrormanager_manage_pid_files(httpd_t)
+    mirrormanager_manage_pid_sock_files(httpd_t)
+	mirrormanager_read_lib_files(httpd_t)
+	mirrormanager_read_log(httpd_t)
+')
+
+optional_policy(`
+	jetty_admin(httpd_t)
+')
+
+optional_policy(`
+    kerberos_manage_host_rcache(httpd_t)
+    kerberos_read_keytab(httpd_t)
+    kerberos_read_kdc_config(httpd_t)
+    kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+    kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
+    kerberos_use(httpd_t)
+')
+
+optional_policy(`
+	# needed by FreeIPA
+	ldap_stream_connect(httpd_t)
+	ldap_read_certs(httpd_t)
 ')
 
 optional_policy(`
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
 	mailman_read_data_files(httpd_t)
+	# should have separate types for public and private archives
 	mailman_search_data(httpd_t)
 	mailman_read_archive(httpd_t)
 ')
 
 optional_policy(`
-	memcached_stream_connect(httpd_t)
+	mediawiki_read_tmp_files(httpd_t)
+	mediawiki_delete_tmp_files(httpd_t)
+')
 
-	tunable_policy(`httpd_can_network_connect_memcache',`
-		memcached_tcp_connect(httpd_t)
-	')
+optional_policy(`
+	memcached_stream_connect(httpd_t)
 
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
@@ -822,8 +1034,31 @@ optional_policy(`
 ')
 
 optional_policy(`
+    tunable_policy(`httpd_run_ipa',`
+        oddjob_dbus_chat(httpd_t)
+    ')
+')
+
+optional_policy(`
+    tunable_policy(`httpd_run_ipa',`
+        ipa_domtrans_helper(httpd_t)
+    ')
+    ipa_cert_filetrans_named_content(httpd_t)
+')
+
+optional_policy(`
+	munin_read_config(httpd_t)
+')
+
+optional_policy(`
+	# Allow httpd to work with mysql
 	mysql_read_config(httpd_t)
 	mysql_stream_connect(httpd_t)
+	mysql_rw_db_sockets(httpd_t)
+
+	optional_policy(`
+		postgresql_stream_connect(httpd_t)
+	')
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
@@ -832,6 +1067,8 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
+    nagios_read_lib(httpd_t)
+	nagios_read_log(httpd_t)
 ')
 
 optional_policy(`
@@ -841,38 +1078,77 @@ optional_policy(`
 	openca_kill(httpd_t)
 ')
 
+optional_policy(`
+	openshift_search_lib(httpd_t)
+	openshift_initrc_signull(httpd_t)
+	openshift_initrc_signal(httpd_t)
+')
+
+optional_policy(`
+	passenger_exec(httpd_t)
+	passenger_kill(httpd_t)
+	passenger_manage_pid_content(httpd_t)
+')
+
 optional_policy(`
 	pcscd_read_pid_files(httpd_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(httpd_t)
-	postgresql_unpriv_client(httpd_t)
+	pki_apache_domain_signal(httpd_t)
+	pki_manage_apache_config_files(httpd_t)
+	pki_manage_apache_lib(httpd_t)
+	pki_manage_apache_log_files(httpd_t)
+	pki_manage_apache_run(httpd_t)
+	pki_read_tomcat_cert(httpd_t)
+')
 
-	tunable_policy(`httpd_can_network_connect_db',`
-		postgresql_tcp_connect(httpd_t)
-	')
+optional_policy(`
+	puppet_read_lib(httpd_t)
 ')
 
 optional_policy(`
-	puppet_read_lib_files(httpd_t)
+	pwauth_domtrans(httpd_t)
+')
+
+optional_policy(`
+    realmd_read_var_lib(httpd_t)
+')
+
+optional_policy(`
+	rpm_dontaudit_read_db(httpd_t)
 ')
 
 optional_policy(`
 	rpc_search_nfs_state_data(httpd_t)
 ')
 
+optional_policy(`
+	# Allow httpd to work with postgresql
+	postgresql_stream_connect(httpd_t)
+	postgresql_unpriv_client(httpd_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_t)
+	')
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(httpd_t)
 ')
 
 optional_policy(`
 	smokeping_read_lib_files(httpd_t)
+    smokeping_read_pid_files(httpd_t)
+')
+
+optional_policy(`
+	files_dontaudit_rw_usr_dirs(httpd_t)
+    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
 ')
 
 optional_policy(`
-	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
-	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+    thin_stream_connect(httpd_t)
 ')
 
 optional_policy(`
@@ -883,65 +1159,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
+optional_policy(`
+	zarafa_manage_lib_files(httpd_t)
+	zarafa_stream_connect_server(httpd_t)
+	zarafa_search_config(httpd_t)
+')
+
+optional_policy(`
+    zoneminder_append_log(httpd_t)
+    zoneminder_manage_lib_dirs(httpd_t)
+    zoneminder_manage_lib_files(httpd_t)
+    zoneminder_stream_connect(httpd_t)
+    zoneminder_exec(httpd_t)
+')
+
 ########################################
 #
-# Helper local policy
+# Apache helper local policy
 #
 
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
 
-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+allow httpd_helper_t httpd_config_t:file read_file_perms;
 
-files_search_etc(httpd_helper_t)
+allow httpd_helper_t httpd_log_t:file append_file_perms;
 
-logging_search_logs(httpd_helper_t)
 logging_send_syslog_msg(httpd_helper_t)
 
+tunable_policy(`httpd_verify_dns',`
+	corenet_udp_bind_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_run_stickshift', `
+	allow httpd_t self:capability { fowner fsetid sys_resource };
+	dontaudit httpd_t self:capability sys_ptrace;
+	allow httpd_t self:process setexec;
+
+	files_dontaudit_getattr_all_files(httpd_t)
+	domain_getpgid_all_domains(httpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`httpd_run_stickshift', `
+		passenger_manage_lib_files(httpd_t)
+		passenger_getattr_log_files(httpd_t)
+	',`
+		passenger_domtrans(httpd_t)
+		passenger_read_lib_files(httpd_t)
+		passenger_stream_connect(httpd_t)
+		passenger_manage_tmp_files(httpd_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`httpd_run_stickshift', `
+		oddjob_dbus_chat(httpd_t)
+	')
+')
+
+optional_policy(`
+    tunable_policy(`httpd_run_preupgrade', `
+        anaconda_manage_lib_files_preupgrade(httpd_t)
+        anaconda_domtrans_preupgrade(httpd_t)
+    ',`
+        anaconda_read_lib_files_preupgrade(httpd_t)
+        anaconda_exec_preupgrade(httpd_t)
+    ')
+')
+
+optional_policy(`
+    tunable_policy(`httpd_run_preupgrade', `
+        corenet_tcp_bind_preupgrade_port(httpd_t)
+    ')
+') 
+
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_helper_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_helper_t)
+	userdom_use_inherited_user_terminals(httpd_helper_t)
 ')
 
 ########################################
 #
-# Suexec local policy
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_gds_db_port(httpd_php_t)
+	corenet_tcp_connect_mssql_port(httpd_php_t)
+	corenet_sendrecv_mssql_client_packets(httpd_php_t)
+	corenet_tcp_connect_oracle_port(httpd_php_t)
+	corenet_sendrecv_oracle_client_packets(httpd_php_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(httpd_php_t)
+	mysql_rw_db_sockets(httpd_php_t)
+	mysql_read_config(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_php_t)
+	')
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_php_t)
+	postgresql_unpriv_client(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_php_t)
+	')
+')
+
+########################################
+#
+# Apache suexec local policy
 #
 
 allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
-allow httpd_suexec_t self:tcp_socket { accept listen };
-allow httpd_suexec_t self:unix_stream_socket { accept listen };
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
 
 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
 
-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-corenet_all_recvfrom_netlabel(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
-
 dev_read_urand(httpd_suexec_t)
 
 fs_read_iso9660_files(httpd_suexec_t)
 fs_search_auto_mountpoints(httpd_suexec_t)
 
-files_read_usr_files(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
@@ -950,123 +1350,78 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
-miscfiles_read_localization(httpd_suexec_t)
 miscfiles_read_public_files(httpd_suexec_t)
 
-tunable_policy(`httpd_builtin_scripting',`
-	exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
-
-	allow httpd_suexec_t httpdcontent:dir list_dir_perms;
-	allow httpd_suexec_t httpdcontent:file read_file_perms;
-	allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
-')
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
 
 tunable_policy(`httpd_can_network_connect',`
+	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+	corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
 	corenet_tcp_connect_all_ports(httpd_suexec_t)
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
-	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
 	corenet_tcp_connect_gds_db_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
-	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 	corenet_tcp_connect_mssql_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
-	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+	corenet_tcp_connect_oracle_port(httpd_suexec_t)
+	corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
 ')
 
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
 tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_smtp_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
-	corenet_sendrecv_pop_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_pop_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
 	mta_send_mail(httpd_suexec_t)
-	mta_signal_system_mail(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpdcontent:file entrypoint;
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_read_cifs_files(httpd_suexec_t)
-	fs_read_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_suexec_t)
+	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
+        fs_list_auto_mountpoints(httpd_suexec_t)
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_execmem',`
-	allow httpd_suexec_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_tmp_exec',`
-	can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
-')
-
-tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_suexec_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_cifs_dirs(httpd_suexec_t)
-	fs_manage_cifs_files(httpd_suexec_t)
-	fs_manage_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_suexec_t)
+	fs_read_cifs_symlinks(httpd_suexec_t)
 	fs_exec_cifs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_fusefs_dirs(httpd_suexec_t)
-	fs_manage_fusefs_files(httpd_suexec_t)
-	fs_read_fusefs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_nfs_dirs(httpd_suexec_t)
-	fs_manage_nfs_files(httpd_suexec_t)
-	fs_manage_nfs_symlinks(httpd_suexec_t)
+optional_policy(`
+    	apache_rw_stream_sockets(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_suexec_t)
+optional_policy(`
+	mailman_domtrans_cgi(httpd_suexec_t)
 ')
 
 optional_policy(`
-	mailman_domtrans_cgi(httpd_suexec_t)
+	mta_stub(httpd_suexec_t)
+
+	# apache should set close-on-exec
+	# dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
 optional_policy(`
 	mysql_stream_connect(httpd_suexec_t)
+	mysql_rw_db_sockets(httpd_suexec_t)
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1438,108 @@ optional_policy(`
 	')
 ')
 
-tunable_policy(`httpd_read_user_content',`
-	userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_suexec_t)
-')
-
 ########################################
 #
-# Common script local policy
+# Apache system script local policy
 #
 
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+allow httpd_sys_script_t self:process getsched;
 
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
-dev_read_rand(httpd_script_domains)
-dev_read_urand(httpd_script_domains)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 
-files_exec_etc_files(httpd_script_domains)
-files_read_etc_files(httpd_script_domains)
-files_search_home(httpd_script_domains)
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
 
-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
 
-miscfiles_read_fonts(httpd_script_domains)
-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
 
-seutil_dontaudit_search_config(httpd_script_domains)
+logging_send_syslog_msg(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
 
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
-	allow httpd_script_domains httpdcontent:file entrypoint;
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
 
-	manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-	manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-	manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+auth_use_nsswitch(httpd_sys_script_t)
 
-	can_exec(httpd_script_domains, httpdcontent)
+ifdef(`distro_redhat',`
+	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-	allow httpd_script_domains self:process { setsched signal_perms };
-	allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
-
-	kernel_read_system_state(httpd_script_domains)
-
-	fs_getattr_all_fs(httpd_script_domains)
-
-	files_read_etc_runtime_files(httpd_script_domains)
-	files_read_usr_files(httpd_script_domains)
-
-	libs_read_lib_files(httpd_script_domains)
-
-	miscfiles_read_localization(httpd_script_domains)
+tunable_policy(`httpd_can_sendmail',`
+	mta_send_mail(httpd_sys_script_t)
 ')
 
 optional_policy(`
-	tunable_policy(`httpd_enable_cgi && allow_ypbind',`
-		nis_use_ypbind_uncond(httpd_script_domains)
+	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+		spamassassin_domtrans_client(httpd_t)
 	')
 ')
 
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
-	corenet_tcp_connect_gds_db_port(httpd_script_domains)
-	corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
-	corenet_sendrecv_mssql_client_packets(httpd_script_domains)
-	corenet_tcp_connect_mssql_port(httpd_script_domains)
-	corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
-	corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
-	corenet_tcp_connect_oracledb_port(httpd_script_domains)
-	corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
-')
-
-optional_policy(`
-	mysql_read_config(httpd_script_domains)
-	mysql_stream_connect(httpd_script_domains)
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		mysql_tcp_connect(httpd_script_domains)
-	')
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+	corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_mongod_port(httpd_sys_script_t)
 ')
 
-optional_policy(`
-	postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
 
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		postgresql_tcp_connect(httpd_script_domains)
-	')
-')
+tunable_policy(`httpd_use_nfs',`
+        fs_list_auto_mountpoints(httpd_sys_script_t)
+	fs_manage_nfs_dirs(httpd_sys_script_t)
+	fs_manage_nfs_files(httpd_sys_script_t)
+	fs_manage_nfs_symlinks(httpd_sys_script_t)
+	fs_exec_nfs_files(httpd_sys_script_t)
 
-optional_policy(`
-	nscd_use(httpd_script_domains)
+        fs_list_auto_mountpoints(httpd_suexec_t)
+	fs_manage_nfs_dirs(httpd_suexec_t)
+	fs_manage_nfs_files(httpd_suexec_t)
+	fs_manage_nfs_symlinks(httpd_suexec_t)
+	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
-########################################
-#
-# System script local policy
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-
-tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
-	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_pop_port(httpd_sys_script_t)
-	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
-	mta_send_mail(httpd_sys_script_t)
-	mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_bind_generic_node(httpd_sys_script_t)
+	corenet_udp_bind_generic_node(httpd_sys_script_t)
+	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_tcp_connect_all_ports(httpd_sys_script_t)
+	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_search_user_home_dirs(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
-	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_execmem',`
-	allow httpd_sys_script_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+        fs_list_auto_mountpoints(httpd_sys_script_t)
+	fs_read_nfs_files(httpd_sys_script_t)
+	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1547,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
 	fs_manage_cifs_dirs(httpd_sys_script_t)
 	fs_manage_cifs_files(httpd_sys_script_t)
 	fs_manage_cifs_symlinks(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_sys_script_t)
+	fs_manage_cifs_dirs(httpd_suexec_t)
+	fs_manage_cifs_files(httpd_suexec_t)
+	fs_manage_cifs_symlinks(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
 	fs_manage_fusefs_dirs(httpd_sys_script_t)
 	fs_manage_fusefs_files(httpd_sys_script_t)
-	fs_read_fusefs_symlinks(httpd_sys_script_t)
+	fs_manage_fusefs_symlinks(httpd_sys_script_t)
+	fs_manage_fusefs_dirs(httpd_suexec_t)
+	fs_manage_fusefs_files(httpd_suexec_t)
+	fs_manage_fusefs_symlinks(httpd_suexec_t)
+	fs_exec_fusefs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_sys_script_t)
+	fs_read_cifs_symlinks(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
-	fs_manage_nfs_dirs(httpd_sys_script_t)
-	fs_manage_nfs_files(httpd_sys_script_t)
-	fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+	clamav_domtrans_clamscan(httpd_sys_script_t)
+	clamav_domtrans_clamscan(httpd_t)
 ')
 
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_sys_script_t)
+optional_policy(`
+	mysql_stream_connect(httpd_sys_script_t)
+	mysql_rw_db_sockets(httpd_sys_script_t)
+	mysql_read_config(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(httpd_sys_script_t)
+	postgresql_stream_connect(httpd_sys_script_t)
+	postgresql_unpriv_client(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 optional_policy(`
-	postgresql_unpriv_client(httpd_sys_script_t)
+    snmp_read_snmp_var_lib_files(httpd_sys_script_t)
 ')
 
 ########################################
 #
-# Rotatelogs local policy
+# httpd_rotatelogs local policy
 #
 
-allow httpd_rotatelogs_t self:capability dac_override;
+allow httpd_rotatelogs_t self:capability { dac_read_search dac_override };
 
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
 
-files_read_etc_files(httpd_rotatelogs_t)
 
 logging_search_logs(httpd_rotatelogs_t)
 
-miscfiles_read_localization(httpd_rotatelogs_t)
 
 ########################################
 #
@@ -1321,8 +1622,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
-	apache_content_template(unconfined)
+	type httpd_unconfined_script_t;
+	type httpd_unconfined_script_exec_t;
+	domain_type(httpd_unconfined_script_t)
+	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 	unconfined_domain(httpd_unconfined_script_t)
+
+	role system_r types httpd_unconfined_script_t;
+	allow httpd_t httpd_unconfined_script_t:process signal_perms;
 ')
 
 ########################################
@@ -1330,49 +1638,43 @@ optional_policy(`
 # User content local policy
 #
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_list_auto_mountpoints(httpd_user_script_t)
-	fs_read_cifs_files(httpd_user_script_t)
-	fs_read_cifs_symlinks(httpd_user_script_t)
-')
+auth_use_nsswitch(httpd_user_script_t)
 
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_user_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_user_script_t httpdcontent:file entrypoint;
+	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+	manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_list_auto_mountpoints(httpd_user_script_t)
-	fs_read_nfs_files(httpd_user_script_t)
-	fs_read_nfs_symlinks(httpd_user_script_t)
-')
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+	userdom_search_user_home_content(httpd_t)
+	userdom_search_user_home_content(httpd_suexec_t)
+	userdom_search_user_home_content(httpd_user_script_t)
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_user_script_t)
+	read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+	read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+	list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
+    allow httpd_t httpd_user_content_type:file map;
 ')
 
 tunable_policy(`httpd_read_user_content',`
+	userdom_read_user_home_content_files(httpd_t)
+	userdom_read_user_home_content_files(httpd_suexec_t)
 	userdom_read_user_home_content_files(httpd_user_script_t)
 ')
 
-optional_policy(`
-	postgresql_unpriv_client(httpd_user_script_t)
-')
-
 ########################################
 #
-# Passwd local policy
+# httpd_passwd local policy
 #
 
 allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
 allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
 
-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
-
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1684,109 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
+
 auth_use_nsswitch(httpd_passwd_t)
 
-miscfiles_read_generic_certs(httpd_passwd_t)
-miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_certs(httpd_passwd_t)
 
-########################################
-#
-# GPG local policy
-#
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
+
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
 
-allow httpd_gpg_t self:process setrlimit;
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
 
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
+allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
 
-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
 
-miscfiles_read_localization(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
 
-tunable_policy(`httpd_gpg_anon_write',`
-	miscfiles_manage_public_files(httpd_gpg_t)
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
+	nis_use_ypbind_uncond(httpd_script_type)
 ')
 
 optional_policy(`
-	apache_manage_sys_rw_content(httpd_gpg_t)
+	nscd_socket_use(httpd_script_type)
+')
+
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+allow httpd_t httpd_content_type:file map;
+
+tunable_policy(`httpd_builtin_scripting',`
+	allow httpd_t httpd_content_type:dir search_dir_perms;
+	allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+	allow httpd_t httpd_content_type:dir list_dir_perms;
+	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+tunable_policy(`httpd_use_openstack',`
+	corenet_tcp_connect_keystone_port(httpd_sys_script_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+	corenet_tcp_connect_glance_port(httpd_sys_script_t)
+	corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+    corenet_tcp_connect_osapi_compute_port(httpd_t)
+    corenet_tcp_bind_commplex_main_port(httpd_t)
 ')
 
 optional_policy(`
-	gpg_entry_type(httpd_gpg_t)
-	gpg_exec(httpd_gpg_t)
+    tunable_policy(`httpd_use_openstack',`
+        keystone_read_log(httpd_t)
+    ')
 ')
diff --git a/apcupsd.fc b/apcupsd.fc
index 5ec0e13c87..97c204fe51 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
@@ -1,18 +1,23 @@
+/etc/apcupsd/powerfail	--	gen_context(system_u:object_r:apcupsd_power_t,s0)
+
 /etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/apcupsd.*  -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
 /sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /usr/sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /var/lock/subsys/apcupsd	--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
+/var/lock/LCK..			--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
 
 /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 
 /var/run/apcupsd\.pid	--	gen_context(system_u:object_r:apcupsd_var_run_t,s0)
 
-/var/www/apcupsd/multimon\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/multimon\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
index f3c0abac62..f6e25eda4c 100644
--- a/apcupsd.if
+++ b/apcupsd.if
@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
 ########################################
 ## <summary>
 ##	Execute a domain transition to
-##	run httpd_apcupsd_cgi_script.
+##	run apcupsd_cgi_script.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -112,17 +112,61 @@ interface(`apcupsd_append_log',`
 #
 interface(`apcupsd_cgi_script_domtrans',`
 	gen_require(`
-		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+		type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
 	')
 
 	files_search_var($1)
-	domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+	domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
 
 	optional_policy(`
 		apache_search_sys_content($1)
 	')
 ')
 
+########################################
+## <summary>
+##	Execute apcupsd server in the apcupsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_systemctl',`
+	gen_require(`
+		type apcupsd_t;
+		type apcupsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 apcupsd_unit_file_t:file read_file_perms;
+	allow $1 apcupsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, apcupsd_t)
+')
+
+########################################
+## <summary>
+##	Create configuration files in /var/lock 
+##	with a named file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_filetrans_named_content',`
+	gen_require(`
+		type apcupsd_lock_t;
+	')
+
+	files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
+	files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -144,11 +188,17 @@ interface(`apcupsd_admin',`
 	gen_require(`
 		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
 		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+		type apcupsd_unit_file_t;
+		type apcupsd_power_t;
 	')
 
-	allow $1 apcupsd_t:process { ptrace signal_perms };
+	allow $1 apcupsd_t:process signal_perms;
 	ps_process_pattern($1, apcupsd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 apcupsd_t:process ptrace;
+	')
+
 	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 apcupsd_initrc_exec_t system_r;
@@ -165,4 +215,11 @@ interface(`apcupsd_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, apcupsd_var_run_t)
+
+	apcupsd_systemctl($1)
+	admin_pattern($1, apcupsd_unit_file_t)
+	allow $1 apcupsd_unit_file_t:service all_service_perms;
+
+	manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
+	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
 ')
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4ddba..b295381b86 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t)
 type apcupsd_var_run_t;
 files_pid_file(apcupsd_var_run_t)
 
+type apcupsd_power_t;
+files_type(apcupsd_power_t)
+
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:capability { dac_read_search dac_override setgid sys_tty_config };
 allow apcupsd_t self:process signal;
 allow apcupsd_t self:fifo_file rw_file_perms;
 allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
 allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
 files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
 
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
+files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
+
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
 logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
 
 manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
 corecmd_exec_bin(apcupsd_t)
 corecmd_exec_shell(apcupsd_t)
 
-corenet_all_recvfrom_unlabeled(apcupsd_t)
 corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
 corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +73,38 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
 corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
 corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
 corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_apc_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
 
 corenet_udp_bind_snmp_port(apcupsd_t)
 corenet_sendrecv_snmp_server_packets(apcupsd_t)
 corenet_udp_sendrecv_snmp_port(apcupsd_t)
 
+fs_getattr_xattr_fs(apcupsd_t)
+
+dev_read_sysfs(apcupsd_t)
+
 dev_rw_generic_usb_dev(apcupsd_t)
 
-files_read_etc_files(apcupsd_t)
+domain_signull_all_domains(apcupsd_t)
+
 files_manage_etc_runtime_files(apcupsd_t)
 files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
 
-term_use_unallocated_ttys(apcupsd_t)
+term_use_all_terms(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
 
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+auth_use_nsswitch(apcupsd_t)
 
-miscfiles_read_localization(apcupsd_t)
+logging_send_syslog_msg(apcupsd_t)
 
 sysnet_dns_name_resolve(apcupsd_t)
 
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
 
 optional_policy(`
 	hostname_exec(apcupsd_t)
@@ -101,6 +119,11 @@ optional_policy(`
 	shutdown_domtrans(apcupsd_t)
 ')
 
+optional_policy(`
+	systemd_start_power_services(apcupsd_t)
+	systemd_status_power_services(apcupsd_t)
+')
+
 ########################################
 #
 # CGI local policy
@@ -108,20 +131,20 @@ optional_policy(`
 
 optional_policy(`
 	apache_content_template(apcupsd_cgi)
-
-	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
-	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
-
-	corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
-	corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
-	corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
-	corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
-	corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-	corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
-	corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
-	corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
-	corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
-	corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-
-	sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+	apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
+
+	allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+	allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+	corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
+	corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
+	corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
+
+	sysnet_dns_name_resolve(apcupsd_cgi_script_t)
 ')
diff --git a/apm.fc b/apm.fc
index ce27d2fb33..b2ba16a046 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.*  --              gen_context(system_u:object_r:apmd_unit_file_t,s0)
 /etc/rc\.d/init\.d/acpid	--	gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
 
 /usr/bin/apm	--	gen_context(system_u:object_r:apm_exec_t,s0)
@@ -7,6 +8,8 @@
 /usr/sbin/powersaved	--	gen_context(system_u:object_r:apmd_exec_t,s0)
 
 /var/lock/subsys/acpid	--	gen_context(system_u:object_r:apmd_lock_t,s0)
+/var/lock/subsys/lmt-req\.lock	--	gen_context(system_u:object_r:apmd_lock_t,s0)
+/var/lock/lmt-req\.lock	--	gen_context(system_u:object_r:apmd_lock_t,s0)
 
 /var/log/acpid.*	--	gen_context(system_u:object_r:apmd_log_t,s0)
 
diff --git a/apm.if b/apm.if
index 1a7a97e5c3..2c7252a391 100644
--- a/apm.if
+++ b/apm.if
@@ -139,6 +139,30 @@ interface(`apm_stream_connect',`
 	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
 ')
 
+########################################
+## <summary>
+##	Execute apmd server in the apmd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apmd_systemctl',`
+	gen_require(`
+		type apmd_t;
+		type apmd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 apmd_unit_file_t:file read_file_perms;
+	allow $1 apmd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, apmd_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -163,9 +187,13 @@ interface(`apm_admin',`
 		type apmd_tmp_t;
 	')
 
-	allow $1 apmd_t:process { ptrace signal_perms };
+	allow $1 apmd_t:process { signal_perms };
 	ps_process_pattern($1, apmd_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 apmd_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, apmd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
index 7fd431bcd7..f944eccf15 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
 type apmd_var_run_t;
 files_pid_file(apmd_var_run_t)
 
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
 ########################################
 #
 # Client local policy
 #
 
-allow apm_t self:capability { dac_override sys_admin };
+allow apm_t self:capability { dac_read_search dac_override sys_admin sys_resource };
 
 kernel_read_system_state(apm_t)
 
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
 
 fs_getattr_xattr_fs(apm_t)
 
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
 
 domain_use_interactive_fds(apm_t)
 
@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t)
 # Server local policy
 #
 
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
 allow apmd_t self:process { signal_perms getsession };
 allow apmd_t self:fifo_file rw_fifo_file_perms;
 allow apmd_t self:netlink_socket create_socket_perms;
+allow apmd_t self:netlink_generic_socket create_socket_perms;
 allow apmd_t self:unix_stream_socket { accept listen };
 
 allow apmd_t apmd_lock_t:file manage_file_perms;
@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t)
 kernel_rw_all_sysctls(apmd_t)
 kernel_read_system_state(apmd_t)
 kernel_write_proc_files(apmd_t)
+kernel_request_load_module(apmd_t)
 
 dev_read_input(apmd_t)
 dev_read_mouse(apmd_t)
@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
 fs_dontaudit_getattr_all_symlinks(apmd_t)
 fs_dontaudit_getattr_all_pipes(apmd_t)
 fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
+fs_read_cgroup_files(apmd_t)
 
 corecmd_exec_all_executables(apmd_t)
 
@@ -129,6 +133,9 @@ domain_dontaudit_list_all_domains_state(apmd_t)
 auth_use_nsswitch(apmd_t)
 
 init_domtrans_script(apmd_t)
+init_read_utmp(apmd_t)
+init_telinit(apmd_t)
+init_dbus_chat(apmd_t)
 
 libs_exec_ld_so(apmd_t)
 libs_exec_lib_files(apmd_t)
@@ -136,17 +143,16 @@ libs_exec_lib_files(apmd_t)
 logging_send_audit_msgs(apmd_t)
 logging_send_syslog_msg(apmd_t)
 
-miscfiles_read_localization(apmd_t)
 miscfiles_read_hwdata(apmd_t)
 
 modutils_domtrans_insmod(apmd_t)
 modutils_read_module_config(apmd_t)
 
-seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(apmd_t)
 userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
 
 optional_policy(`
 	automount_domtrans(apmd_t)
@@ -206,11 +212,20 @@ optional_policy(`
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(apmd_t)
+	shutdown_domtrans(apmd_t)
 ')
 
 optional_policy(`
-	shutdown_domtrans(apmd_t)
+	sssd_search_lib(apmd_t)
+')
+
+optional_policy(`
+	systemd_dbus_chat_logind(apmd_t)
+')
+
+optional_policy(`
+	systemd_start_power_services(apmd_t)
+	systemd_status_power_services(apmd_t)
 ')
 
 optional_policy(`
diff --git a/apt.if b/apt.if
index cde81d2486..2fe02018af 100644
--- a/apt.if
+++ b/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir list_dir_perms;
-	dontaudit $1 apt_var_cache_t:dir write_dir_perms;
+	dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
 	allow $1 apt_var_cache_t:file read_file_perms;
 ')
 
diff --git a/apt.te b/apt.te
index efa853059d..ae5d0c9f2a 100644
--- a/apt.te
+++ b/apt.te
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
 # Local policy
 #
 
-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid };
 allow apt_t self:process { signal setpgid fork };
 allow apt_t self:fd use;
 allow apt_t self:fifo_file rw_fifo_file_perms;
@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
 corecmd_exec_bin(apt_t)
 corecmd_exec_shell(apt_t)
 
-corenet_all_recvfrom_unlabeled(apt_t)
 corenet_all_recvfrom_netlabel(apt_t)
 corenet_tcp_sendrecv_generic_if(apt_t)
 corenet_tcp_sendrecv_generic_node(apt_t)
@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
 domain_use_interactive_fds(apt_t)
 
 files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
 files_read_etc_runtime_files(apt_t)
 
 fs_getattr_all_fs(apt_t)
 
 term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
 
 libs_exec_ld_so(apt_t)
 libs_exec_lib_files(apt_t)
 
 logging_send_syslog_msg(apt_t)
 
-miscfiles_read_localization(apt_t)
-
 seutil_use_newrole_fds(apt_t)
 
 sysnet_read_config(apt_t)
 
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
 
 optional_policy(`
 	backup_manage_store_files(apt_t)
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0fb8c..9a1a61f82f 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/arpwatch	--	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/arpwatch.* --	gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
 /usr/sbin/arpwatch	--	gen_context(system_u:object_r:arpwatch_exec_t,s0)
 
 /var/arpwatch(/.*)?	gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
index 50c9b9c87e..533a555a2a 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -117,6 +117,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
 	dontaudit $1 arpwatch_t:packet_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Execute arpwatch server in the arpwatch domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_systemctl',`
+	gen_require(`
+		type arpwatch_t;
+		type arpwatch_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 arpwatch_unit_file_t:file read_file_perms;
+	allow $1 arpwatch_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, arpwatch_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -138,11 +162,16 @@ interface(`arpwatch_admin',`
 	gen_require(`
 		type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
 		type arpwatch_data_t, arpwatch_var_run_t;
+		type arpwatch_unit_file_t;
 	')
 
-	allow $1 arpwatch_t:process { ptrace signal_perms };
+	allow $1 arpwatch_t:process signal_perms;
 	ps_process_pattern($1, arpwatch_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 arpwatch_t:process ptrace;
+	')
+
 	arpwatch_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 arpwatch_initrc_exec_t system_r;
@@ -156,4 +185,8 @@ interface(`arpwatch_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, arpwatch_var_run_t)
+
+	arpwatch_systemctl($1)
+	admin_pattern($1, arpwatch_unit_file_t)
+	allow $1 arpwatch_unit_file_t:service all_service_perms;
 ')
diff --git a/arpwatch.te b/arpwatch.te
index 2d7bf345b0..04d3ea1c85 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
 type arpwatch_var_run_t;
 files_pid_file(arpwatch_var_run_t)
 
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -31,8 +34,11 @@ dontaudit arpwatch_t self:capability sys_tty_config;
 allow arpwatch_t self:process signal_perms;
 allow arpwatch_t self:unix_stream_socket { accept listen };
 allow arpwatch_t self:tcp_socket { accept listen };
-allow arpwatch_t self:packet_socket create_socket_perms;
+allow arpwatch_t self:packet_socket { create_socket_perms map };
 allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
+allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
+allow arpwatch_t self:bluetooth_socket create_socket_perms;
 
 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
 manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,13 +51,26 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
 manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
 files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
 
-kernel_read_kernel_sysctls(arpwatch_t)
 kernel_read_network_state(arpwatch_t)
+# meminfo
 kernel_read_system_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
 kernel_request_load_module(arpwatch_t)
 
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
 dev_read_sysfs(arpwatch_t)
 dev_read_usbmon_dev(arpwatch_t)
+dev_map_usbmon_dev(arpwatch_t)
 dev_rw_generic_usb_dev(arpwatch_t)
 
 fs_getattr_all_fs(arpwatch_t)
@@ -59,15 +78,12 @@ fs_search_auto_mountpoints(arpwatch_t)
 
 domain_use_interactive_fds(arpwatch_t)
 
-files_read_usr_files(arpwatch_t)
 files_search_var_lib(arpwatch_t)
 
 auth_use_nsswitch(arpwatch_t)
 
 logging_send_syslog_msg(arpwatch_t)
 
-miscfiles_read_localization(arpwatch_t)
-
 userdom_dontaudit_search_user_home_dirs(arpwatch_t)
 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
 
diff --git a/asterisk.if b/asterisk.if
index 2077053eac..198a02ab43 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
 		type asterisk_var_lib_t, asterisk_initrc_exec_t;
 	')
 
-	allow $1 asterisk_t:process { ptrace signal_perms };
+	allow $1 asterisk_t:process signal_perms;
 	ps_process_pattern($1, asterisk_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 asterisk_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
index 7e41350229..1e0f4c49bc 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
 logging_log_file(asterisk_log_t)
 
 type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
 
 type asterisk_tmp_t;
 files_tmp_file(asterisk_tmp_t)
@@ -39,7 +39,7 @@ init_daemon_run_dir(asterisk_var_run_t, "asterisk")
 # Local policy
 #
 
-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+allow asterisk_t self:capability { dac_read_search dac_override chown setgid setuid sys_nice net_admin };
 dontaudit asterisk_t self:capability { sys_module sys_tty_config };
 allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
 allow asterisk_t self:fifo_file rw_fifo_file_perms;
@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
 
 manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
 
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
 can_exec(asterisk_t, asterisk_exec_t)
 
 kernel_read_kernel_sysctls(asterisk_t)
@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
 corecmd_exec_bin(asterisk_t)
 corecmd_exec_shell(asterisk_t)
 
-corenet_all_recvfrom_unlabeled(asterisk_t)
 corenet_all_recvfrom_netlabel(asterisk_t)
 corenet_tcp_sendrecv_generic_if(asterisk_t)
 corenet_udp_sendrecv_generic_if(asterisk_t)
@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
 
 corenet_sendrecv_sip_client_packets(asterisk_t)
 corenet_tcp_connect_sip_port(asterisk_t)
+corenet_tcp_connect_http_port(asterisk_t)
 
 dev_rw_generic_usb_dev(asterisk_t)
 dev_read_sysfs(asterisk_t)
@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t)
 
 domain_use_interactive_fds(asterisk_t)
 
-files_read_usr_files(asterisk_t)
 files_search_spool(asterisk_t)
 files_dontaudit_search_home(asterisk_t)
 
@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t)
 logging_search_logs(asterisk_t)
 logging_send_syslog_msg(asterisk_t)
 
-miscfiles_read_localization(asterisk_t)
-
 userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
 userdom_dontaudit_search_user_home_dirs(asterisk_t)
 
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 0000000000..4579cfe178
--- /dev/null
+++ b/authconfig.fc
@@ -0,0 +1,3 @@
+/usr/share/authconfig/authconfig\.py		--	gen_context(system_u:object_r:authconfig_exec_t,s0)
+
+/var/lib/authconfig(/.*)?		gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
new file mode 100644
index 0000000000..316c324f21
--- /dev/null
+++ b/authconfig.if
@@ -0,0 +1,127 @@
+
+## <summary>policy for authconfig</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the authconfig domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`authconfig_domtrans',`
+	gen_require(`
+		type authconfig_t, authconfig_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, authconfig_exec_t, authconfig_t)
+')
+
+########################################
+## <summary>
+##	Search authconfig lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_search_lib',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	allow $1 authconfig_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read authconfig lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_read_lib_files',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage authconfig lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_manage_lib_files',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage authconfig lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_manage_lib_dirs',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an authconfig environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_admin',`
+	gen_require(`
+		type authconfig_t;
+		type authconfig_var_lib_t;
+	')
+
+	allow $1 authconfig_t:process { ptrace signal_perms };
+	ps_process_pattern($1, authconfig_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, authconfig_var_lib_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
index 0000000000..dca8e7905b
--- /dev/null
+++ b/authconfig.te
@@ -0,0 +1,37 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authconfig_t;
+type authconfig_exec_t;
+application_domain(authconfig_t, authconfig_exec_t)
+role system_r types authconfig_t;
+
+type authconfig_var_lib_t;
+files_type(authconfig_var_lib_t)
+
+########################################
+#
+# authconfig local policy
+#
+allow authconfig_t self:fifo_file rw_fifo_file_perms;
+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
+domain_named_filetrans(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
+unconfined_domain_noaudit(authconfig_t)
+
+optional_policy(`
+    policykit_dbus_chat(authconfig_t)
+')
diff --git a/automount.fc b/automount.fc
index 92adb37e15..0a2ffc62dd 100644
--- a/automount.fc
+++ b/automount.fc
@@ -1,6 +1,8 @@
 /etc/apm/event\.d/autofs	--	gen_context(system_u:object_r:automount_exec_t,s0)
 /etc/rc\.d/init\.d/autofs	--	gen_context(system_u:object_r:automount_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/autofs.*	--	gen_context(system_u:object_r:automount_unit_file_t,s0)
+
 /usr/sbin/automount	--	gen_context(system_u:object_r:automount_exec_t,s0)
 
 /var/lock/subsys/autofs	--	gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
index f24e369606..4484a98da2 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`automount_signal',`
 	gen_require(`
 		type automount_t;
@@ -112,6 +111,25 @@ interface(`automount_dontaudit_write_pipes',`
 	dontaudit $1 automount_t:fifo_file write;
 ')
 
+########################################
+## <summary>
+##	Allow domain to search of automount temporary
+##	directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_search_tmp_dirs',`
+	gen_require(`
+		type automount_tmp_t;
+	')
+    
+    search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get
@@ -132,6 +150,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 	dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Execute automount server in the automount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`automount_systemctl',`
+	gen_require(`
+		type automount_t;
+		type automount_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 automount_unit_file_t:file read_file_perms;
+	allow $1 automount_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, automount_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -153,12 +195,16 @@ interface(`automount_admin',`
 	gen_require(`
 		type automount_t, automount_lock_t, automount_tmp_t;
 		type automount_var_run_t, automount_initrc_exec_t;
-		type automount_keytab_t;
+		type automount_unit_file_t, automount_keytab_t;
 	')
 
-	allow $1 automount_t:process { ptrace signal_perms };
+	allow $1 automount_t:process signal_perms;
 	ps_process_pattern($1, automount_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 automount_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, automount_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 automount_initrc_exec_t system_r;
@@ -175,4 +221,8 @@ interface(`automount_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, automount_var_run_t)
+
+	automount_systemctl($1)
+	admin_pattern($1, automount_unit_file_t)
+	allow $1 automount_unit_file_t:service all_service_perms;
 ')
diff --git a/automount.te b/automount.te
index 27d2f400b9..f74f75f1b6 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
 files_tmp_file(automount_tmp_t)
 files_mountpoint(automount_tmp_t)
 
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
 type automount_var_run_t;
 files_pid_file(automount_var_run_t)
 
@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
 # Local policy
 #
 
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability {  setgid setuid sys_nice sys_resource dac_read_search dac_override sys_admin };
+allow automount_t self:capability2 block_suspend;
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
 allow automount_t self:fifo_file rw_fifo_file_perms;
@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
 corecmd_exec_bin(automount_t)
 corecmd_exec_shell(automount_t)
 
-corenet_all_recvfrom_unlabeled(automount_t)
 corenet_all_recvfrom_netlabel(automount_t)
 corenet_tcp_sendrecv_generic_if(automount_t)
 corenet_udp_sendrecv_generic_if(automount_t)
@@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
 files_getattr_default_dirs(automount_t)
 files_getattr_home_dir(automount_t)
 files_getattr_isid_type_dirs(automount_t)
@@ -101,7 +105,6 @@ files_mount_all_file_type_fs(automount_t)
 files_mounton_all_mountpoints(automount_t)
 files_mounton_mnt(automount_t)
 files_read_etc_runtime_files(automount_t)
-files_read_usr_files(automount_t)
 files_search_boot(automount_t)
 files_search_all(automount_t)
 files_unmount_all_file_type_fs(automount_t)
@@ -113,6 +116,7 @@ fs_manage_autofs_symlinks(automount_t)
 fs_mount_all_fs(automount_t)
 fs_mount_autofs(automount_t)
 fs_read_nfs_files(automount_t)
+fs_read_nfs_symlinks(automount_t)
 fs_search_all(automount_t)
 fs_search_auto_mountpoints(automount_t)
 fs_unmount_all_fs(automount_t)
@@ -135,14 +139,18 @@ auth_use_nsswitch(automount_t)
 logging_send_syslog_msg(automount_t)
 logging_search_logs(automount_t)
 
-miscfiles_read_localization(automount_t)
 miscfiles_read_generic_certs(automount_t)
 
-mount_domtrans(automount_t)
-mount_signal(automount_t)
-
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
 
+optional_policy(`
+	# Run mount in the mount_t domain.
+	mount_domtrans(automount_t)
+	mount_domtrans_showmount(automount_t)
+	mount_signal(automount_t)
+    mount_rw_pid_files(automount_t)
+')
+
 optional_policy(`
 	fstools_domtrans(automount_t)
 ')
@@ -166,3 +174,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(automount_t)
 ')
+
+tunable_policy(`mount_anyfile',`
+	files_mounton_non_security(automount_t)
+')
+
diff --git a/avahi.fc b/avahi.fc
index e9fe2cac15..4c2d0769ef 100644
--- a/avahi.fc
+++ b/avahi.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/avahi.*    --  gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
 /usr/sbin/avahi-daemon	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-dnsconfd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-autoipd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
index 9078c3d852..2f6b2503e6 100644
--- a/avahi.if
+++ b/avahi.if
@@ -209,6 +209,30 @@ interface(`avahi_dontaudit_search_pid',`
 	dontaudit $1 avahi_var_run_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`avahi_systemctl',`
+	gen_require(`
+		type avahi_t;
+		type avahi_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 avahi_unit_file_t:file read_file_perms;
+	allow $1 avahi_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, avahi_t)
+')
+
 ########################################
 ## <summary>
 ##	Create specified objects in generic
@@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',`
 interface(`avahi_admin',`
 	gen_require(`
 		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+		type avahi_unit_file_t;
 		type avahi_var_lib_t;
 	')
 
-	allow $1 avahi_t:process { ptrace signal_perms };
+	allow $1 avahi_t:process signal_perms;
 	ps_process_pattern($1, avahi_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 avahi_t:process ptrace;
+	')
+
 	avahi_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 avahi_initrc_exec_t system_r;
@@ -274,4 +303,8 @@ interface(`avahi_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, avahi_var_lib_t)
+
+	avahi_systemctl($1)
+	admin_pattern($1, avahi_unit_file_t)
+	allow $1 avahi_unit_file_t:service all_service_perms;
 ')
diff --git a/avahi.te b/avahi.te
index b8355b32f6..51ce1b60fd 100644
--- a/avahi.te
+++ b/avahi.te
@@ -13,17 +13,21 @@ type avahi_initrc_exec_t;
 init_script_file(avahi_initrc_exec_t)
 
 type avahi_var_lib_t;
-files_pid_file(avahi_var_lib_t)
+files_type(avahi_var_lib_t)
 
 type avahi_var_run_t;
 files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
+
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
+allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
 allow avahi_t self:process { setrlimit signal_perms getcap setcap };
 allow avahi_t self:fifo_file rw_fifo_file_perms;
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
 corecmd_exec_bin(avahi_t)
 corecmd_exec_shell(avahi_t)
 
-corenet_all_recvfrom_unlabeled(avahi_t)
 corenet_all_recvfrom_netlabel(avahi_t)
 corenet_tcp_sendrecv_generic_if(avahi_t)
 corenet_udp_sendrecv_generic_if(avahi_t)
@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
 fs_list_inotifyfs(avahi_t)
 
 domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
 
 files_read_etc_runtime_files(avahi_t)
-files_read_usr_files(avahi_t)
 
 auth_use_nsswitch(avahi_t)
 
@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
 
 logging_send_syslog_msg(avahi_t)
 
-miscfiles_read_localization(avahi_t)
 miscfiles_read_generic_certs(avahi_t)
 
 sysnet_domtrans_ifconfig(avahi_t)
 sysnet_manage_config(avahi_t)
 sysnet_etc_filetrans_config(avahi_t)
 
+systemd_login_signull(avahi_t)
+
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_user_home_dirs(avahi_t)
 
diff --git a/awstats.fc b/awstats.fc
index 11e6d5ffe0..73b4ea47c8 100644
--- a/awstats.fc
+++ b/awstats.fc
@@ -1,5 +1,5 @@
 /usr/share/awstats/tools/.+\.pl	--	gen_context(system_u:object_r:awstats_exec_t,s0)
-/usr/share/awstats/wwwroot(/.*)?	gen_context(system_u:object_r:httpd_awstats_content_t,s0)
-/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)?	gen_context(system_u:object_r:awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:awstats_script_exec_t,s0)
 
 /var/lib/awstats(/.*)?	gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/awstats.te b/awstats.te
index c1b16c3929..ffbf2cb8fe 100644
--- a/awstats.te
+++ b/awstats.te
@@ -26,6 +26,7 @@ type awstats_var_lib_t;
 files_type(awstats_var_lib_t)
 
 apache_content_template(awstats)
+apache_content_alias_template(awstats, awstats)
 
 ########################################
 #
@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
 
 manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
 
-allow awstats_t { httpd_awstats_content_t  httpd_awstats_script_exec_t }:dir search_dir_perms;
+allow awstats_t { awstats_content_t  awstats_script_exec_t }:dir search_dir_perms;
 
-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
+can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
 
 kernel_dontaudit_read_system_state(awstats_t)
 
@@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t)
 dev_read_urand(awstats_t)
 
 files_dontaudit_search_all_mountpoints(awstats_t)
-files_read_etc_files(awstats_t)
-files_read_usr_files(awstats_t)
 
 fs_list_inotifyfs(awstats_t)
 
@@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t)
 
 logging_read_generic_logs(awstats_t)
 
-miscfiles_read_localization(awstats_t)
-
 sysnet_dns_name_resolve(awstats_t)
 
 tunable_policy(`awstats_purge_apache_log_files',`
@@ -90,9 +87,13 @@ optional_policy(`
 # CGI local policy
 #
 
-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+apache_read_log(awstats_script_t)
+
+manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
 
-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
-files_search_var_lib(httpd_awstats_script_t)
+allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
 
-apache_read_log(httpd_awstats_script_t)
+read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(awstats_script_t)
diff --git a/backup.te b/backup.te
index 7811450b6b..e787033406 100644
--- a/backup.te
+++ b/backup.te
@@ -21,7 +21,7 @@ files_type(backup_store_t)
 # Local policy
 #
 
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { dac_read_search  dac_override };
 allow backup_t self:process signal;
 allow backup_t self:fifo_file rw_fifo_file_perms;
 allow backup_t self:tcp_socket create_socket_perms;
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
 corecmd_exec_bin(backup_t)
 corecmd_exec_shell(backup_t)
 
-corenet_all_recvfrom_unlabeled(backup_t)
 corenet_all_recvfrom_netlabel(backup_t)
 corenet_tcp_sendrecv_generic_if(backup_t)
 corenet_tcp_sendrecv_generic_node(backup_t)
@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
 
 sysnet_read_config(backup_t)
 
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
 
 optional_policy(`
 	cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.fc b/bacula.fc
index 27ec3d5193..65aa71bf63 100644
--- a/bacula.fc
+++ b/bacula.fc
@@ -8,6 +8,8 @@
 /usr/sbin/bat	--	gen_context(system_u:object_r:bacula_admin_exec_t,s0)
 /usr/sbin/bconsole	--	gen_context(system_u:object_r:bacula_admin_exec_t,s0)
 
+/var/bacula(/.*)?   gen_context(system_u:object_r:bacula_store_t,s0)
+
 /var/lib/bacula.*	gen_context(system_u:object_r:bacula_var_lib_t,s0)
 
 /var/log/bacula.*	gen_context(system_u:object_r:bacula_log_t,s0)
diff --git a/bacula.if b/bacula.if
index dcd774ee4a..c240ffaf69 100644
--- a/bacula.if
+++ b/bacula.if
@@ -69,6 +69,7 @@ interface(`bacula_admin',`
 		type bacula_t, bacula_etc_t, bacula_log_t;
 		type bacula_spool_t, bacula_var_lib_t;
 		type bacula_var_run_t, bacula_initrc_exec_t;
+        attribute_role bacula_admin_roles;
 	')
 
 	allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
index f16b000086..1a7c80f01e 100644
--- a/bacula.te
+++ b/bacula.te
@@ -27,6 +27,9 @@ type bacula_store_t;
 files_type(bacula_store_t)
 files_mountpoint(bacula_store_t)
 
+type bacula_tmp_t;
+files_tmp_file(bacula_tmp_t)
+
 type bacula_var_lib_t;
 files_type(bacula_var_lib_t)
 
@@ -38,21 +41,30 @@ type bacula_admin_exec_t;
 application_domain(bacula_admin_t, bacula_admin_exec_t)
 role bacula_admin_roles types bacula_admin_t;
 
+type bacula_unconfined_script_exec_t;
+application_executable_file(bacula_unconfined_script_exec_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
 allow bacula_t self:process signal;
 allow bacula_t self:fifo_file rw_fifo_file_perms;
 allow bacula_t self:tcp_socket { accept listen };
 
 read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
 
+manage_files_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
+manage_dirs_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
+files_tmp_filetrans(bacula_t, bacula_tmp_t, { dir file })
+
+manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
 append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
 create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
 setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
 
 manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
 manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
@@ -88,6 +100,10 @@ corenet_udp_bind_generic_node(bacula_t)
 corenet_sendrecv_generic_server_packets(bacula_t)
 corenet_udp_bind_generic_port(bacula_t)
 
+
+#TODO: check port labels for hplip a bacula
+corenet_tcp_bind_bacula_port(bacula_t)
+
 corenet_sendrecv_hplip_server_packets(bacula_t)
 corenet_tcp_bind_hplip_port(bacula_t)
 corenet_udp_bind_hplip_port(bacula_t)
@@ -98,19 +114,30 @@ corenet_tcp_connect_all_ports(bacula_t)
 dev_getattr_all_blk_files(bacula_t)
 dev_getattr_all_chr_files(bacula_t)
 
+files_getattr_all_pipes(bacula_t)
+files_getattr_all_sockets(bacula_t)
+
 files_dontaudit_getattr_all_sockets(bacula_t)
+files_dontaudit_getattr_all_pipes(bacula_t)
 files_read_all_files(bacula_t)
 files_read_all_symlinks(bacula_t)
 
 fs_getattr_xattr_fs(bacula_t)
 fs_list_all(bacula_t)
 
+storage_raw_read_fixed_disk(bacula_t)
+storage_read_tape(bacula_t)
+storage_write_tape(bacula_t)
+
+auth_use_nsswitch(bacula_t)
 auth_read_shadow(bacula_t)
 
 logging_send_syslog_msg(bacula_t)
 
 sysnet_dns_name_resolve(bacula_t)
 
+userdom_home_manager(bacula_t)
+
 optional_policy(`
 	mysql_stream_connect(bacula_t)
 	mysql_tcp_connect(bacula_t)
@@ -125,6 +152,12 @@ optional_policy(`
 	ldap_stream_connect(bacula_t)
 ')
 
+optional_policy(`
+    postgresql_tcp_connect(bacula_t)
+    postgresql_stream_connect(bacula_t)
+')
+
+
 ########################################
 #
 # Client local policy
@@ -148,11 +181,32 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
 
 domain_use_interactive_fds(bacula_admin_t)
 
-files_read_etc_files(bacula_admin_t)
-
-miscfiles_read_localization(bacula_admin_t)
-
 sysnet_dns_name_resolve(bacula_admin_t)
 
 userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
 userdom_use_user_ptys(bacula_admin_t)
+
+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+         type bacula_unconfined_script_t;
+         domain_type(bacula_unconfined_script_t)
+
+         domain_entry_file(bacula_unconfined_script_t, bacula_unconfined_script_exec_t)
+         role system_r types bacula_unconfined_script_t;
+ 
+         allow bacula_t bacula_unconfined_script_t:process signal_perms;
+
+         domtrans_pattern(bacula_t, bacula_unconfined_script_exec_t, bacula_unconfined_script_t)
+
+         allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir search_dir_perms;
+         allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir read_file_perms;
+         allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:file ioctl;
+
+         optional_policy(`
+            unconfined_domain(bacula_unconfined_script_t)
+        ')
+')
diff --git a/bcfg2.fc b/bcfg2.fc
index fb42e352b3..8af0e14ced 100644
--- a/bcfg2.fc
+++ b/bcfg2.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/bcfg2-server.*		--	gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
 /usr/sbin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
 
 /var/lib/bcfg2(/.*)?	gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
index ec95d361ee..186271b74e 100644
--- a/bcfg2.if
+++ b/bcfg2.if
@@ -115,6 +115,32 @@ interface(`bcfg2_manage_lib_dirs',`
 	manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
 ')
 
+########################################
+## <summary>
+##	Execute bcfg2 server in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_systemctl',`
+	gen_require(`
+		type bcfg2_t;
+		type bcfg2_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 bcfg2_unit_file_t:file read_file_perms;
+	allow $1 bcfg2_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bcfg2_t)
+')
+
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -136,11 +162,16 @@ interface(`bcfg2_admin',`
 	gen_require(`
 		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
 		type bcfg2_var_run_t;
+		type bcfg2_unit_file_t;
 	')
 
-	allow $1 bcfg2_t:process { ptrace signal_perms };
+	allow $1 bcfg2_t:process { signal_perms };
 	ps_process_pattern($1, bcfg2_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 bcfg2_t:process ptrace;
+    ')
+
 	bcfg2_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 bcfg2_initrc_exec_t system_r;
@@ -151,4 +182,13 @@ interface(`bcfg2_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, bcfg2_var_lib_t)
+
+	bcfg2_systemctl($1)
+	admin_pattern($1, bcfg2_unit_file_t)
+	allow $1 bcfg2_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/bcfg2.te b/bcfg2.te
index c3fd7b1483..e18959384d 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
 type bcfg2_var_lib_t;
 files_type(bcfg2_var_lib_t)
 
+type bcfg2_unit_file_t;
+systemd_unit_file(bcfg2_unit_file_t)
+
 type bcfg2_var_run_t;
 files_pid_file(bcfg2_var_run_t)
 
@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
 
 domain_use_interactive_fds(bcfg2_t)
 
-files_read_usr_files(bcfg2_t)
 
 auth_use_nsswitch(bcfg2_t)
 
 logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
index 2b9a3a10d4..982ce9b718 100644
--- a/bind.fc
+++ b/bind.fc
@@ -1,54 +1,78 @@
-/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named-sdb --     gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 
-/etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.caching-nameserver\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/lib/systemd/system/unbound.* --  gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.*	--	gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named-sdb.* --	gen_context(system_u:object_r:named_unit_file_t,s0)
 
 /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named	--	gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf	--	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc	--	gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-sdb	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-pkcs11	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
 /usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor --	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-checkconf --	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-control   --  gen_context(system_u:object_r:named_exec_t,s0)
 
-/var/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 
-/var/cache/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/run/ndc		-s	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
 
-/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
+ifdef(`distro_debian',`
+/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local --	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)?			gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
+')
 
-/var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones --	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/lib/softhsm(/.*)? 		gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? 		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/var/named/chroot/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.caching-nameserver\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/proc(/.*)?	<<none>>
-/var/named/chroot/var/run/named.*	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/named/chroot/var/tmp(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/chroot/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/chroot/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
-/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-
-/var/run/ndc	-s	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/bind(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/named(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/unbound(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
index 531a8f244e..3fcf187225 100644
--- a/bind.if
+++ b/bind.if
@@ -18,6 +18,30 @@ interface(`bind_initrc_domtrans',`
 	init_labeled_script_domtrans($1, named_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bind_systemctl',`
+	gen_require(`
+		type named_unit_file_t;
+		type named_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 named_unit_file_t:file read_file_perms;
+	allow $1 named_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, named_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute ndc in the ndc domain.
@@ -169,6 +193,7 @@ interface(`bind_read_config',`
 		type named_conf_t;
 	')
 
+	allow $1 named_conf_t:dir  list_dir_perms;
 	read_files_pattern($1, named_conf_t, named_conf_t)
 ')
 
@@ -210,6 +235,25 @@ interface(`bind_manage_config_dirs',`
 	manage_dirs_pattern($1, named_conf_t, named_conf_t)
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	BIND configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_config',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	manage_files_pattern($1, named_conf_t, named_conf_t)
+')
+
 ########################################
 ## <summary>
 ##	Search bind cache directories.
@@ -308,6 +352,47 @@ interface(`bind_read_zone',`
 	read_files_pattern($1, named_zone_t, named_zone_t)
 ')
 
+########################################
+## <summary>
+##	Read BIND zone files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_log',`
+	gen_require(`
+		type named_zone_t;
+		type named_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_zone_t:dir search_dir_perms;
+	read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	bind zone files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_zone_dirs',`
+	gen_require(`
+		type named_zone_t;
+	')
+
+	files_search_var($1)
+	allow $1  named_zone_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -342,6 +427,25 @@ interface(`bind_udp_chat_named',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+########################################
+## <summary>
+##	Allow the domain to read bind state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_state',`
+	gen_require(`
+		type named_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, named_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -364,11 +468,17 @@ interface(`bind_admin',`
 		type named_t, named_tmp_t, named_log_t;
 		type named_cache_t, named_zone_t, named_initrc_exec_t;
 		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
-		type named_keytab_t;
+		type named_keytab_t, named_unit_file_t;
 	')
 
-	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { named_t ndc_t })
+	allow $1 named_t:process signal_perms;
+	ps_process_pattern($1, named_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 named_t:process ptrace;
+	')
+
+	bind_run_ndc($1, $2)
 
 	init_labeled_script_domtrans($1, named_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -384,11 +494,15 @@ interface(`bind_admin',`
 	files_list_etc($1)
 	admin_pattern($1, { named_keytab_t named_conf_t })
 
+	admin_pattern($1, named_keytab_t)
+
 	files_list_var($1)
 	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
 
 	files_list_pids($1)
 	admin_pattern($1, named_var_run_t)
 
-	bind_run_ndc($1, $2)
+	admin_pattern($1, named_unit_file_t)
+	bind_systemctl($1)
+	allow $1 named_unit_file_t:service all_service_perms;
 ')
diff --git a/bind.te b/bind.te
index 124112346e..710af00bc7 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
 init_system_domain(named_t, named_checkconf_exec_t)
 
 type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
 files_mountpoint(named_conf_t)
 
 # for secondary zone files
@@ -44,6 +44,9 @@ files_type(named_cache_t)
 type named_initrc_exec_t;
 init_script_file(named_initrc_exec_t)
 
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
 type named_keytab_t;
 files_type(named_keytab_t)
 
@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
 # Local policy
 #
 
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+allow named_t self:capability { chown dac_read_search dac_override fowner net_raw net_admin setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
+allow named_t self:capability2 block_suspend;
 allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms;
 read_files_pattern(named_t, named_conf_t, named_conf_t)
 read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
 
+manage_dirs_pattern(named_t, named_cache_t, named_cache_t)
 manage_files_pattern(named_t, named_cache_t, named_cache_t)
 manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
 
 allow named_t named_keytab_t:file read_file_perms;
 
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
-setattr_files_pattern(named_t, named_log_t, named_log_t)
+manage_files_pattern(named_t, named_log_t, named_log_t)
 logging_log_filetrans(named_t, named_log_t, file)
 
 manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
@@ -112,10 +115,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 kernel_read_kernel_sysctls(named_t)
 kernel_read_system_state(named_t)
 kernel_read_network_state(named_t)
+kernel_read_net_sysctls(named_t)
 
 corecmd_search_bin(named_t)
 
-corenet_all_recvfrom_unlabeled(named_t)
 corenet_all_recvfrom_netlabel(named_t)
 corenet_tcp_sendrecv_generic_if(named_t)
 corenet_udp_sendrecv_generic_if(named_t)
@@ -127,9 +130,15 @@ corenet_udp_bind_generic_node(named_t)
 corenet_sendrecv_all_server_packets(named_t)
 corenet_tcp_bind_dns_port(named_t)
 corenet_udp_bind_dns_port(named_t)
+corenet_udp_bind_ipp_port(named_t)
+corenet_udp_bind_rtsp_port(named_t)
+corenet_udp_bind_dhcpc_port(named_t)
+corenet_udp_bind_kerberos_port(named_t)
+corenet_udp_bind_flash_port(named_t)
+corenet_udp_bind_bgp_port(named_t)
 corenet_tcp_sendrecv_dns_port(named_t)
 corenet_udp_sendrecv_dns_port(named_t)
-
+corenet_udp_bind_whois_port(named_t)
 corenet_tcp_bind_rndc_port(named_t)
 corenet_tcp_sendrecv_rndc_port(named_t)
 
@@ -140,14 +149,18 @@ corenet_udp_sendrecv_all_ports(named_t)
 corenet_sendrecv_all_client_packets(named_t)
 corenet_tcp_connect_all_ports(named_t)
 corenet_tcp_sendrecv_all_ports(named_t)
+corenet_udp_bind_all_ephemeral_ports(named_t)
+corenet_tcp_bind_all_ephemeral_ports(named_t)
 
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
 dev_read_urand(named_t)
+dev_dontaudit_write_urand(named_t)
 
 domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
+files_mmap_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)
@@ -174,6 +187,19 @@ tunable_policy(`named_write_master_zones',`
 	manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 ')
 
+optional_policy(`
+	cron_system_entry(named_t, named_exec_t)
+')
+
+optional_policy(`
+	# needed by FreeIPA with DNS support
+	dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
+	dnssec_trigger_manage_pid_files(named_t)
+')
+
 optional_policy(`
 	dbus_system_domain(named_t, named_exec_t)
 
@@ -187,7 +213,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+    ipa_manage_lib(named_t)
+')
+
+optional_policy(`
+    ipsec_rw_inherited_pipes(named_t)
+')
+
+optional_policy(`
+    kerberos_filetrans_named_content(named_t)
 	kerberos_read_keytab(named_t)
+    kerberos_read_host_rcache(named_t)
 	kerberos_use(named_t)
 ')
 
@@ -214,8 +250,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process signal_perms;
+allow ndc_t self:capability { dac_read_search dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process { fork signal_perms };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
@@ -229,10 +266,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
 
 allow ndc_t named_zone_t:dir search_dir_perms;
 
-kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_kernel_sysctls(ndc_t)
 
-corenet_all_recvfrom_unlabeled(ndc_t)
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
 corenet_tcp_sendrecv_generic_node(ndc_t)
@@ -242,6 +278,9 @@ corenet_tcp_bind_generic_node(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
 corenet_sendrecv_rndc_client_packets(ndc_t)
 
+dev_read_rand(ndc_t)
+dev_read_urand(ndc_t)
+
 domain_use_interactive_fds(ndc_t)
 
 files_search_pids(ndc_t)
@@ -257,7 +296,7 @@ init_use_script_ptys(ndc_t)
 
 logging_send_syslog_msg(ndc_t)
 
-miscfiles_read_localization(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
 
 userdom_use_user_terminals(ndc_t)
 
diff --git a/bird.te b/bird.te
index 1d60c27304..f8bb70055b 100644
--- a/bird.te
+++ b/bird.te
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
 corenet_tcp_sendrecv_bgp_port(bird_t)
 
 # /etc/iproute2/rt_realms
-files_read_etc_files(bird_t)
 
 logging_send_syslog_msg(bird_t)
 
diff --git a/bitlbee.fc b/bitlbee.fc
index e9708d6cc5..61362d0887 100644
--- a/bitlbee.fc
+++ b/bitlbee.fc
@@ -7,7 +7,7 @@
 
 /var/lib/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_var_t,s0)
 
-/var/log/bip(/.*)?	gen_context(system_u:object_r:bitlbee_log_t,s0)
+/var/log/bip.*	gen_context(system_u:object_r:bitlbee_log_t,s0)
 
 /var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 /var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/bitlbee.if b/bitlbee.if
index e73fb799e8..2badfc0d9b 100644
--- a/bitlbee.if
+++ b/bitlbee.if
@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
 		type bitlbee_log_t, bitlbee_tmp_t;
 	')
 
-	allow $1 bitlbee_t:process { ptrace signal_perms };
+	allow $1 bitlbee_t:process signal_perms;
 	ps_process_pattern($1, bitlbee_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 bitlbee_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index f5c1a48b60..102fa8eae2 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t)
 # Local policy
 #
 
-allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
+allow bitlbee_t self:capability { dac_read_search dac_override kill setgid setuid sys_nice };
 allow bitlbee_t self:process { setsched signal };
+
 allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-allow bitlbee_t self:tcp_socket { accept listen };
-allow bitlbee_t self:unix_stream_socket { accept listen };
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
 allow bitlbee_t bitlbee_conf_t:file read_file_perms;
@@ -45,22 +48,25 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
 manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
 
 manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
 manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
 files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
 
 manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
-files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file})
 
 manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
 
-kernel_read_kernel_sysctls(bitlbee_t)
 kernel_read_system_state(bitlbee_t)
+kernel_read_kernel_sysctls(bitlbee_t)
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
@@ -98,7 +104,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
 
 corenet_sendrecv_ircd_server_packets(bitlbee_t)
 corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_tcp_bind_interwise_port(bitlbee_t)
 corenet_sendrecv_ircd_client_packets(bitlbee_t)
+corenet_tcp_connect_interwise_port(bitlbee_t)
 corenet_tcp_connect_ircd_port(bitlbee_t)
 corenet_tcp_sendrecv_ircd_port(bitlbee_t)
 
@@ -109,16 +117,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
 dev_read_rand(bitlbee_t)
 dev_read_urand(bitlbee_t)
 
-files_read_usr_files(bitlbee_t)
-
 libs_legacy_use_shared_libs(bitlbee_t)
 
 auth_use_nsswitch(bitlbee_t)
 
 logging_send_syslog_msg(bitlbee_t)
 
-miscfiles_read_localization(bitlbee_t)
+optional_policy(`
+    dbus_system_bus_client(bitlbee_t)
+')
 
 optional_policy(`
 	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
 ')
+
diff --git a/blkmapd.fc b/blkmapd.fc
new file mode 100644
index 0000000000..5e59fb4148
--- /dev/null
+++ b/blkmapd.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/blkmapd	--	gen_context(system_u:object_r:blkmapd_initrc_exec_t,s0)
+
+/usr/sbin/blkmapd		--	gen_context(system_u:object_r:blkmapd_exec_t,s0)
+
+/var/run/blkmapd\.pid		--	gen_context(system_u:object_r:blkmapd_var_run_t,s0)
diff --git a/blkmapd.if b/blkmapd.if
new file mode 100644
index 0000000000..76663796f7
--- /dev/null
+++ b/blkmapd.if
@@ -0,0 +1,121 @@
+
+## <summary>The blkmapd daemon performs device discovery and mapping for pNFS block layout client.</summary>
+
+########################################
+## <summary>
+##	Execute blkmapd_exec_t in the blkmapd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`blkmapd_domtrans',`
+	gen_require(`
+		type blkmapd_t, blkmapd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
+')
+
+######################################
+## <summary>
+##	Execute blkmapd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blkmapd_exec',`
+	gen_require(`
+		type blkmapd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, blkmapd_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute blkmapd server in the blkmapd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blkmapd_initrc_domtrans',`
+	gen_require(`
+		type blkmapd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
+')
+########################################
+## <summary>
+##	Read blkmapd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blkmapd_read_pid_files',`
+	gen_require(`
+		type blkmapd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an blkmapd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`blkmapd_admin',`
+	gen_require(`
+		type blkmapd_t;
+		type blkmapd_initrc_exec_t;
+		type blkmapd_var_run_t;
+	')
+
+	allow $1 blkmapd_t:process { signal_perms };
+	ps_process_pattern($1, blkmapd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 blkmapd_t:process ptrace;
+    ')
+
+	blkmapd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 blkmapd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_pids($1)
+	admin_pattern($1, blkmapd_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/blkmapd.te b/blkmapd.te
new file mode 100644
index 0000000000..6cfb35592d
--- /dev/null
+++ b/blkmapd.te
@@ -0,0 +1,44 @@
+policy_module(blkmapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type blkmapd_t;
+type blkmapd_exec_t;
+init_daemon_domain(blkmapd_t, blkmapd_exec_t)
+
+type blkmapd_initrc_exec_t;
+init_script_file(blkmapd_initrc_exec_t)
+
+type blkmapd_var_run_t;
+files_pid_file(blkmapd_var_run_t)
+
+
+########################################
+#
+# blkmapd local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+
+manage_files_pattern(blkmapd_t, blkmapd_var_run_t, blkmapd_var_run_t)
+files_pid_filetrans(blkmapd_t, blkmapd_var_run_t, file)
+
+kernel_read_system_state(blkmapd_t)
+
+dev_list_sysfs(blkmapd_t)
+
+fs_list_rpc(blkmapd_t)
+fs_rw_rpc_named_pipes(blkmapd_t)
+
+storage_raw_read_fixed_disk(blkmapd_t)
+storage_raw_read_removable_device(blkmapd_t)
+
+
+logging_send_syslog_msg(blkmapd_t)
+
+optional_policy(`
+   rpc_read_nfs_state_data(blkmapd_t)
+')
diff --git a/blueman.fc b/blueman.fc
index c295d2e018..4f84e9c141 100644
--- a/blueman.fc
+++ b/blueman.fc
@@ -1,3 +1,4 @@
+
 /usr/libexec/blueman-mechanism	--	gen_context(system_u:object_r:blueman_exec_t,s0)
 
 /var/lib/blueman(/.*)?	gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.if b/blueman.if
index 16ec52526a..1dd40595cf 100644
--- a/blueman.if
+++ b/blueman.if
@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
 
 	allow $1 blueman_t:dbus send_msg;
 	allow blueman_t $1:dbus send_msg;
+	ps_process_pattern(blueman_t, $1)
 ')
 
 ########################################
diff --git a/blueman.te b/blueman.te
index 3a5032e06d..7987a21b1b 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
 
 type blueman_t;
 type blueman_exec_t;
-dbus_system_domain(blueman_t, blueman_exec_t)
+init_daemon_domain(blueman_t, blueman_exec_t)
 
 type blueman_var_lib_t;
 files_type(blueman_var_lib_t)
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
 #
 
 allow blueman_t self:capability { net_admin sys_nice };
-allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:process { execmem signal_perms setsched };
+
 allow blueman_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
 manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
 files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
 
-kernel_read_net_sysctls(blueman_t)
+kernel_rw_net_sysctls(blueman_t)
 kernel_read_system_state(blueman_t)
 kernel_request_load_module(blueman_t)
 
@@ -41,29 +42,45 @@ corecmd_exec_bin(blueman_t)
 dev_read_rand(blueman_t)
 dev_read_urand(blueman_t)
 dev_rw_wireless(blueman_t)
+dev_rwx_zero(blueman_t)
 
 domain_use_interactive_fds(blueman_t)
 
 files_list_tmp(blueman_t)
-files_read_usr_files(blueman_t)
+files_dontaudit_write_all_mountpoints(blueman_t)
 
 auth_use_nsswitch(blueman_t)
 
 logging_send_syslog_msg(blueman_t)
 
-miscfiles_read_localization(blueman_t)
-
 sysnet_domtrans_ifconfig(blueman_t)
+sysnet_dns_name_resolve(blueman_t)
 
 optional_policy(`
 	avahi_domtrans(blueman_t)
 ')
 
+optional_policy(`
+    bluetooth_read_config(blueman_t)
+')
+
+optional_policy(`
+	dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
 optional_policy(`
 	dnsmasq_domtrans(blueman_t)
 	dnsmasq_read_pid_files(blueman_t)
 ')
 
+optional_policy(`
+	gnome_search_gconf(blueman_t)
+')
+
 optional_policy(`
 	iptables_domtrans(blueman_t)
 ')
+
+optional_policy(`
+	xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
index 2b9c7f3296..0086b95d12 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
@@ -5,10 +5,14 @@
 /etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/bluetooth.*  -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
 /usr/bin/blue.*pin	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
 /usr/bin/dund	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/bin/hidd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/bin/rfcomm	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/bluetoothd 	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 
 /usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
index c723a0ae05..d3611b6589 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
 	domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
 
 	ps_process_pattern($2, bluetooth_helper_t)
-	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+	allow $2 bluetooth_helper_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 bluetooth_helper_t:process ptrace;
+	')
 
 	allow $2 bluetooth_t:socket rw_socket_perms;
 
@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
 	allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 	allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
+	manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+	manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+	bluetooth_stream_connect($2)
 	stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
-	files_search_pids($2)
 ')
 
 #####################################
@@ -63,11 +70,14 @@ interface(`bluetooth_role',`
 interface(`bluetooth_stream_connect',`
 	gen_require(`
 		type bluetooth_t, bluetooth_var_run_t;
+		type bluetooth_tmp_t;
 	')
 
 	files_search_pids($1)
 	allow $1 bluetooth_t:socket rw_socket_perms;
+	allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
 	stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+	stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)
 ')
 
 ########################################
@@ -128,6 +138,27 @@ interface(`bluetooth_dbus_chat',`
 	allow bluetooth_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	dontaudit Send and receive messages from
+##	bluetooth over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+	gen_require(`
+		type bluetooth_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 bluetooth_t:dbus send_msg;
+	dontaudit bluetooth_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
@@ -188,6 +219,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 	dontaudit $1 bluetooth_helper_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Execute bluetooth server in the bluetooth domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_systemctl',`
+	gen_require(`
+		type bluetooth_t;
+		type bluetooth_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 bluetooth_unit_file_t:file read_file_perms;
+	allow $1 bluetooth_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bluetooth_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -210,12 +265,16 @@ interface(`bluetooth_admin',`
 		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
 		type bluetooth_var_lib_t, bluetooth_var_run_t;
 		type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
-		type bluetooth_initrc_exec_t;
+		type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
 	')
 
-	allow $1 bluetooth_t:process { ptrace signal_perms };
+	allow $1 bluetooth_t:process signal_perms;
 	ps_process_pattern($1, bluetooth_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 bluetooth_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 bluetooth_initrc_exec_t system_r;
@@ -235,4 +294,8 @@ interface(`bluetooth_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, bluetooth_var_run_t)
+
+	bluetooth_systemctl($1)
+	admin_pattern($1, bluetooth_unit_file_t)
+	allow $1 bluetooth_unit_file_t:service all_service_perms;
 ')
diff --git a/bluetooth.te b/bluetooth.te
index 851769e555..903bc0f9eb 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -10,6 +10,7 @@ attribute_role bluetooth_helper_roles;
 type bluetooth_t;
 type bluetooth_exec_t;
 init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+init_nnp_daemon_domain(bluetooth_t)
 
 type bluetooth_conf_t;
 files_config_file(bluetooth_conf_t)
@@ -49,12 +50,15 @@ files_type(bluetooth_var_lib_t)
 type bluetooth_var_run_t;
 files_pid_file(bluetooth_var_run_t)
 
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_read_search dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getcap setcap getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_fifo_file_perms;
@@ -62,6 +66,8 @@ allow bluetooth_t self:shm create_shm_perms;
 allow bluetooth_t self:socket create_stream_socket_perms;
 allow bluetooth_t self:unix_stream_socket { accept connectto listen };
 allow bluetooth_t self:tcp_socket { accept listen };
+allow bluetooth_t self:alg_socket create_stream_socket_perms;
+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
 allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
@@ -78,10 +84,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
 
 manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
 
 manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
 manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
+allow bluetooth_t bluetooth_var_lib_t:file map;
 files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
 
 manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
@@ -90,27 +98,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
 
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 kernel_read_network_state(bluetooth_t)
 kernel_request_load_module(bluetooth_t)
 kernel_search_debugfs(bluetooth_t)
 
-corecmd_exec_bin(bluetooth_t)
-corecmd_exec_shell(bluetooth_t)
-
-dev_read_sysfs(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_rw_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
 dev_rw_generic_usb_dev(bluetooth_t)
 dev_read_urand(bluetooth_t)
 dev_rw_input_dev(bluetooth_t)
 dev_rw_wireless(bluetooth_t)
+dev_rw_uhid_dev(bluetooth_t)
 
 domain_use_interactive_fds(bluetooth_t)
 domain_dontaudit_search_all_domains_state(bluetooth_t)
 
 files_read_etc_runtime_files(bluetooth_t)
-files_read_usr_files(bluetooth_t)
 
 fs_getattr_all_fs(bluetooth_t)
 fs_search_auto_mountpoints(bluetooth_t)
@@ -122,7 +140,6 @@ auth_use_nsswitch(bluetooth_t)
 
 logging_send_syslog_msg(bluetooth_t)
 
-miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
 
@@ -130,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
 
+# machine-info
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_dbus_chat_hostnamed(bluetooth_t)
+
 optional_policy(`
 	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
@@ -200,7 +221,6 @@ dev_read_urand(bluetooth_helper_t)
 domain_read_all_domains_state(bluetooth_helper_t)
 
 files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
 files_dontaudit_list_default(bluetooth_helper_t)
 
 term_dontaudit_use_all_ttys(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
index 6d3ccad60d..bda740a711 100644
--- a/boinc.fc
+++ b/boinc.fc
@@ -1,9 +1,12 @@
-/etc/rc\.d/init\.d/boinc-client	--	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 
-/usr/bin/boinc_client	--	gen_context(system_u:object_r:boinc_exec_t,s0)
+/etc/rc\.d/init\.d/boinc-client	-- 		gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 
-/var/lib/boinc(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
-/var/lib/boinc/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-/var/lib/boinc/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/usr/bin/boinc_client			--		gen_context(system_u:object_r:boinc_exec_t,s0)
 
-/var/log/boinc\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
+/usr/lib/systemd/system/boinc-client\.service        --  gen_context(system_u:object_r:boinc_unit_file_t,s0)
+
+/var/lib/boinc(/.*)?					gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)?			gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)?				gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.*				--		gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
index 02fefaaf76..308616e8dd 100644
--- a/boinc.if
+++ b/boinc.if
@@ -1,9 +1,166 @@
-## <summary>Platform for computing using volunteered resources.</summary>
+## <summary>policy for boinc</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an boinc environment.
+##	Execute a domain transition to run boinc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`boinc_domtrans',`
+	gen_require(`
+		type boinc_t, boinc_exec_t;
+	')
+
+	domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+## <summary>
+##	Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_initrc_domtrans',`
+	gen_require(`
+		type boinc_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##  Dontaudit getattr on boinc lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`boinc_dontaudit_getattr_lib',`
+    gen_require(`
+        type boinc_var_lib_t;
+    ')
+
+    dontaudit $1 boinc_var_lib_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Search boinc lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_search_lib',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	allow $1 boinc_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read boinc lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_read_lib_files',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	boinc lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_manage_lib_files',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage boinc var_lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_manage_var_lib',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`boinc_systemctl',`
+    gen_require(`
+        type boinc_t;
+        type boinc_unit_file_t;
+    ')
+
+    systemd_exec_systemctl($1)
+	init_reload_services($1)
+    allow $1 boinc_unit_file_t:file read_file_perms;
+    allow $1 boinc_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, boinc_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an boinc environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -19,26 +176,32 @@
 #
 interface(`boinc_admin',`
 	gen_require(`
-
-		type boinc_t, boinc_project_t, boinc_log_t;
-		type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
-		type boinc_project_var_lib_t, boinc_project_tmp_t;
+		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+		type boinc_unit_file_t;
 	')
 
-	allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { boinc_t boinc_project_t })
+	allow $1 boinc_t:process signal_perms;
+	ps_process_pattern($1, boinc_t)
 
-	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 boinc_t:process ptrace;
+	')
+
+	boinc_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 boinc_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	logging_search_logs($1)
-	admin_pattern($1, boinc_log_t)
+	files_list_var_lib($1)
+	admin_pattern($1, boinc_var_lib_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+	boinc_systemctl($1)
+	admin_pattern($1, boinc_unit_file_t)
 
-	files_search_var_lib($1)
-	admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+	allow $1 boinc_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/boinc.te b/boinc.te
index 687d4c48df..8ba0f8bdbd 100644
--- a/boinc.te
+++ b/boinc.te
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
 ## </desc>
 gen_tunable(boinc_execmem, true)
 
-type boinc_t;
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
 type boinc_exec_t;
 init_daemon_domain(boinc_t, boinc_exec_t)
 
@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
 type boinc_var_lib_t;
 files_type(boinc_var_lib_t)
 
-type boinc_project_var_lib_t;
-files_type(boinc_project_var_lib_t)
-
 type boinc_log_t;
 logging_log_file(boinc_log_t)
 
+type boinc_unit_file_t;
+systemd_unit_file(boinc_unit_file_t)
+
 type boinc_project_t;
 domain_type(boinc_project_t)
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
 role system_r types boinc_project_t;
 
 type boinc_project_tmp_t;
 files_tmp_file(boinc_project_tmp_t)
 
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+#######################################
+#
+# boinc domain local policy
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
+dev_rw_xserver_misc(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
+files_read_etc_runtime_files(boinc_domain)
+
+fs_getattr_all_fs(boinc_domain)
+
+miscfiles_read_fonts(boinc_domain)
+
+tunable_policy(`boinc_execmem',`
+    allow boinc_domain self:process { execstack execmem };
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(boinc_domain)
+')
+
 ########################################
 #
-# Local policy
+# boinc local policy
 #
 
 allow boinc_t self:process { setsched setpgid signull sigkill };
-allow boinc_t self:unix_stream_socket { accept listen };
-allow boinc_t self:tcp_socket { accept listen };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
 allow boinc_t self:shm create_shm_perms;
-allow boinc_t self:fifo_file rw_fifo_file_perms;
-allow boinc_t self:sem create_sem_perms;
 
 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
 manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -60,75 +100,51 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
 
 manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
 fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+allow boinc_t boinc_tmpfs_t:file map;
 
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-
-# entry files to the boinc_project_t domain
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+# this should be created by default by boinc
+# we need this label for transition to boinc_project_t
+# other boinc lib files will end up with boinc_var_lib_t
 filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
 filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
 
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
-
-can_exec(boinc_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+allow boinc_t boinc_project_var_lib_t:file map;
 
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
 
+# needs read /proc/interrupts
 kernel_read_system_state(boinc_t)
+kernel_read_network_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
 corenet_all_recvfrom_netlabel(boinc_t)
 corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
 corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
 corenet_tcp_bind_generic_node(boinc_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_t)
-corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
 corenet_tcp_bind_boinc_port(boinc_t)
-corenet_tcp_connect_boinc_port(boinc_t)
-corenet_tcp_sendrecv_boinc_port(boinc_t)
-
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
 corenet_tcp_bind_boinc_client_port(boinc_t)
-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
-
-corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
 corenet_tcp_connect_http_port(boinc_t)
-corenet_tcp_sendrecv_http_port(boinc_t)
-
-corenet_sendrecv_http_cache_client_packets(boinc_t)
 corenet_tcp_connect_http_cache_port(boinc_t)
-corenet_tcp_sendrecv_http_cache_port(boinc_t)
-
-corenet_sendrecv_squid_client_packets(boinc_t)
 corenet_tcp_connect_squid_port(boinc_t)
-corenet_tcp_sendrecv_squid_port(boinc_t)
-
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
 
 files_dontaudit_getattr_boot_dirs(boinc_t)
-files_getattr_all_dirs(boinc_t)
-files_getattr_all_files(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_etc_runtime_files(boinc_t)
-files_read_usr_files(boinc_t)
 
-fs_getattr_all_fs(boinc_t)
+auth_read_passwd(boinc_t)
 
 term_getattr_all_ptys(boinc_t)
 term_getattr_unallocated_ttys(boinc_t)
@@ -137,8 +153,9 @@ init_read_utmp(boinc_t)
 
 logging_send_syslog_msg(boinc_t)
 
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
+modutils_dontaudit_exec_insmod(boinc_t)
+
+xserver_stream_connect(boinc_t)
 
 tunable_policy(`boinc_execmem',`
 	allow boinc_t self:process { execstack execmem };
@@ -148,48 +165,61 @@ optional_policy(`
 	mta_send_mail(boinc_t)
 ')
 
-optional_policy(`
-	sysnet_dns_name_resolve(boinc_t)
-')
-
 ########################################
 #
-# Project local policy
+# boinc-projects local policy
 #
 
 allow boinc_project_t self:capability { setuid setgid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+allow boinc_t boinc_project_t:process noatsecure;
+
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
+tunable_policy(`deny_ptrace',`',`
+	allow boinc_project_t self:process ptrace;
+')
+
+allow boinc_project_t self:process { execstack };
 
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
 
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
 
 allow boinc_project_t boinc_project_var_lib_t:file execmod;
-can_exec(boinc_project_t, boinc_project_var_lib_t)
 
 allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
 
 kernel_read_kernel_sysctls(boinc_project_t)
-kernel_read_network_state(boinc_project_t)
 kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
 
-corenet_all_recvfrom_unlabeled(boinc_project_t)
-corenet_all_recvfrom_netlabel(boinc_project_t)
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
-corenet_tcp_bind_generic_node(boinc_project_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
 corenet_tcp_connect_boinc_port(boinc_project_t)
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
 
 files_dontaudit_search_home(boinc_project_t)
 
+# needed by java
+fs_read_hugetlbfs_files(boinc_project_t)
+
+optional_policy(`
+	gnome_read_gconf_config(boinc_project_t)	
+')
+
 optional_policy(`
 	java_exec(boinc_project_t)
 ')
+
+# until solution for VirtualBox, java ..
+optional_policy(`
+	unconfined_domain(boinc_project_t)
+')
diff --git a/boltd.fc b/boltd.fc
new file mode 100644
index 0000000000..e0bdf7663f
--- /dev/null
+++ b/boltd.fc
@@ -0,0 +1,5 @@
+/usr/libexec/boltd		--	gen_context(system_u:object_r:boltd_exec_t,s0)
+
+/var/lib/boltd(/.*)?		gen_context(system_u:object_r:boltd_var_lib_t,s0)
+
+/var/run/boltd(/.*)?		gen_context(system_u:object_r:boltd_var_run_t,s0)
diff --git a/boltd.if b/boltd.if
new file mode 100644
index 0000000000..cdec3f10d9
--- /dev/null
+++ b/boltd.if
@@ -0,0 +1,213 @@
+
+## <summary>policy for boltd</summary>
+
+########################################
+## <summary>
+##	Execute boltd_exec_t in the boltd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`boltd_domtrans',`
+	gen_require(`
+		type boltd_t, boltd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, boltd_exec_t, boltd_t)
+')
+
+######################################
+## <summary>
+##	Execute boltd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boltd_exec',`
+	gen_require(`
+		type boltd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, boltd_exec_t)
+')
+
+########################################
+## <summary>
+##	Search boltd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boltd_search_lib',`
+	gen_require(`
+		type boltd_var_lib_t;
+	')
+
+	allow $1 boltd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read boltd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boltd_read_lib_files',`
+	gen_require(`
+		type boltd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage boltd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boltd_manage_lib_files',`
+	gen_require(`
+		type boltd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage boltd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boltd_manage_lib_dirs',`
+	gen_require(`
+		type boltd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an boltd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`boltd_admin',`
+	gen_require(`
+		type boltd_t;
+		type boltd_var_lib_t;
+	')
+
+	allow $1 boltd_t:process { signal_perms };
+	ps_process_pattern($1, boltd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 boltd_t:process ptrace;
+    ')
+
+	files_search_var_lib($1)
+	admin_pattern($1, boltd_var_lib_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+
+########################################
+
+## <summary>
+##	Mounton boltd lib  directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boltd_mounton_var_lib',`
+	gen_require(`
+		type boltd_var_lib_t;
+	')
+
+	allow $1 boltd_var_lib_t:dir mounton;
+')
+
+########################################
+
+## <summary>
+##	Mounton boltd var_run  directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boltd_mounton_var_run',`
+	gen_require(`
+		type boltd_var_run_t;
+	')
+
+	allow $1 boltd_var_run_t:dir mounton;
+')
+
+######################################
+## <summary>
+##	Write to boltd named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boltd_write_var_run_pipes',`
+	gen_require(`
+		type boltd_var_run_t;
+	')
+
+	allow $1 boltd_var_run_t:fd use;
+	allow $1 boltd_var_run_t:fifo_file write;
+')
diff --git a/boltd.te b/boltd.te
new file mode 100644
index 0000000000..6106dddde7
--- /dev/null
+++ b/boltd.te
@@ -0,0 +1,74 @@
+policy_module(boltd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type boltd_t;
+type boltd_exec_t;
+init_daemon_domain(boltd_t, boltd_exec_t)
+
+type boltd_var_lib_t;
+files_type(boltd_var_lib_t)
+
+type boltd_var_run_t;
+files_pid_file(boltd_var_run_t)
+
+########################################
+#
+# boltd local policy
+#
+allow boltd_t self:capability dac_read_search;
+
+allow boltd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow boltd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(boltd_t, boltd_var_lib_t, boltd_var_lib_t)
+manage_files_pattern(boltd_t, boltd_var_lib_t, boltd_var_lib_t)
+manage_lnk_files_pattern(boltd_t, boltd_var_lib_t, boltd_var_lib_t)
+files_var_lib_filetrans(boltd_t, boltd_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(boltd_t, boltd_var_run_t, boltd_var_run_t)
+manage_files_pattern(boltd_t, boltd_var_run_t, boltd_var_run_t)
+manage_fifo_files_pattern(boltd_t, boltd_var_run_t, boltd_var_run_t)
+files_pid_filetrans(boltd_t, boltd_var_run_t, { dir file fifo_file })
+
+kernel_dgram_send(boltd_t)
+
+auth_use_nsswitch(boltd_t)
+
+dev_list_sysfs(boltd_t)
+dev_rw_sysfs(boltd_t)
+
+files_mmap_usr_files(boltd_t)
+fs_getattr_tmpfs(boltd_t)
+fs_getattr_xattr_fs(boltd_t)
+
+init_named_socket_activation(boltd_t, boltd_var_lib_t, "boltd")
+
+logging_send_syslog_msg(boltd_t)
+logging_stream_connect_syslog(boltd_t)
+
+optional_policy(`
+    dbus_acquire_svc_system_dbusd(boltd_t)
+    dbus_stream_connect_system_dbusd(boltd_t)
+    dbus_send_system_bus(boltd_t)
+    policykit_dbus_chat(boltd_t)
+')
+
+optional_policy(`
+    gnome_read_generic_cache_files(boltd_t)
+')
+
+optional_policy(`
+    udev_read_db(boltd_t)
+')
+
+optional_policy(`
+    xserver_dbus_chat_xdm(boltd_t)
+')
+
+optional_policy(`
+    unconfined_dbus_send(boltd_t)
+')
diff --git a/brctl.te b/brctl.te
index c5a91138c9..1919abdd88 100644
--- a/brctl.te
+++ b/brctl.te
@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms;
 allow brctl_t self:tcp_socket create_socket_perms;
 
 kernel_request_load_module(brctl_t)
+kernel_read_system_state(brctl_t)
 kernel_read_network_state(brctl_t)
 kernel_read_sysctl(brctl_t)
 
@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t)
 
 domain_use_interactive_fds(brctl_t)
 
-files_read_etc_files(brctl_t)
-
 term_dontaudit_use_console(brctl_t)
 
-miscfiles_read_localization(brctl_t)
-
 optional_policy(`
 	xen_append_log(brctl_t)
 	xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/brltty.fc b/brltty.fc
new file mode 100644
index 0000000000..05e3528979
--- /dev/null
+++ b/brltty.fc
@@ -0,0 +1,10 @@
+/tmp/brltty\.log.*	 			--	gen_context(system_u:object_r:brltty_log_t,s0)
+
+/usr/lib/systemd/system/brltty.*		--	gen_context(system_u:object_r:brltty_unit_file_t,s0)
+
+/usr/bin/brltty		--	gen_context(system_u:object_r:brltty_exec_t,s0)
+
+/var/lib/BrlAPI(/.*)?		gen_context(system_u:object_r:brltty_var_lib_t,s0)
+
+/var/run/brltty(/.*)?		gen_context(system_u:object_r:brltty_var_run_t,s0)
+
diff --git a/brltty.if b/brltty.if
new file mode 100644
index 0000000000..968c957aba
--- /dev/null
+++ b/brltty.if
@@ -0,0 +1,80 @@
+
+## <summary>brltty is refreshable braille display driver for Linux/Unix</summary>
+
+########################################
+## <summary>
+##	Execute brltty in the brltty domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brltty_domtrans',`
+	gen_require(`
+		type brltty_t, brltty_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, brltty_exec_t, brltty_t)
+')
+########################################
+## <summary>
+##	Execute brltty server in the brltty domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`brltty_systemctl',`
+	gen_require(`
+		type brltty_t;
+		type brltty_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 brltty_unit_file_t:file read_file_perms;
+	allow $1 brltty_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, brltty_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an brltty environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`brltty_admin',`
+	gen_require(`
+		type brltty_t;
+	type brltty_unit_file_t;
+	')
+
+	allow $1 brltty_t:process { signal_perms };
+	ps_process_pattern($1, brltty_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 brltty_t:process ptrace;
+    ')
+
+	brltty_systemctl($1)
+	admin_pattern($1, brltty_unit_file_t)
+	allow $1 brltty_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/brltty.te b/brltty.te
new file mode 100644
index 0000000000..a4265adc94
--- /dev/null
+++ b/brltty.te
@@ -0,0 +1,72 @@
+policy_module(brltty, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type brltty_t;
+type brltty_exec_t;
+init_daemon_domain(brltty_t, brltty_exec_t)
+
+type brltty_var_lib_t;
+files_type(brltty_var_lib_t)
+
+type brltty_var_run_t;
+files_pid_file(brltty_var_run_t)
+
+type brltty_log_t;
+logging_log_file(brltty_log_t)
+
+type brltty_unit_file_t;
+systemd_unit_file(brltty_unit_file_t)
+
+########################################
+#
+# brltty local policy
+#
+allow brltty_t self:capability { sys_admin  sys_tty_config mknod };
+allow brltty_t self:process { fork signal_perms };
+
+allow brltty_t self:fifo_file rw_fifo_file_perms;
+allow brltty_t self:unix_stream_socket create_stream_socket_perms;
+allow brltty_t self:tcp_socket listen;
+
+manage_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+manage_sock_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+manage_lnk_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })
+
+manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
+files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir})
+
+manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+manage_chr_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file chr_file })
+allow brltty_t brltty_var_run_t:dir mounton;
+
+kernel_read_system_state(brltty_t)
+kernel_read_usermodehelper_state(brltty_t)
+
+auth_use_nsswitch(brltty_t)
+
+corenet_tcp_bind_brlp_port(brltty_t)
+
+dev_read_sysfs(brltty_t)
+dev_rw_generic_usb_dev(brltty_t)
+dev_rw_input_dev(brltty_t)
+
+fs_getattr_all_fs(brltty_t)
+
+fs_getattr_all_fs(brltty_t)
+
+logging_send_syslog_msg(brltty_t)
+
+modutils_domtrans_insmod(brltty_t)
+
+sysnet_dns_name_resolve(brltty_t)
+
+term_use_unallocated_ttys(brltty_t)
diff --git a/bugzilla.fc b/bugzilla.fc
index fce0b6ebff..9efceac4ec 100644
--- a/bugzilla.fc
+++ b/bugzilla.fc
@@ -1,4 +1,4 @@
-/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/usr/share/bugzilla(/.*)?		gen_context(system_u:object_r:bugzilla_content_t,s0)
+/usr/share/bugzilla/.*\.cgi	--	gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
 
-/var/lib/bugzilla(/.*)?	gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+/var/lib/bugzilla(/.*)?	gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262d51..d9ea246a17 100644
--- a/bugzilla.if
+++ b/bugzilla.if
@@ -12,10 +12,10 @@
 #
 interface(`bugzilla_search_content',`
 	gen_require(`
-		type httpd_bugzilla_content_t;
+		type bugzilla_content_t;
 	')
 
-	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+	allow $1 bugzilla_content_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
 #
 interface(`bugzilla_dontaudit_rw_stream_sockets',`
 	gen_require(`
-		type httpd_bugzilla_script_t;
+		type bugzilla_script_t;
 	')
 
-	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+	dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
 ')
 
 ########################################
@@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
 interface(`bugzilla_admin',`
 	gen_require(`
-		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
-		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-		type httpd_bugzilla_htaccess_t;
+		type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
+		type bugzilla_rw_content_t, bugzilla_script_exec_t;
+		type bugzilla_htaccess_t, bugzilla_tmp_t;
+	')
+
+	allow $1 bugzilla_script_t:process signal_perms;
+	ps_process_pattern($1, bugzilla_script_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 bugzilla_script_t:process ptrace;
 	')
 
-	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
-	ps_process_pattern($1, httpd_bugzilla_script_t)
+	files_list_tmp($1)
+	admin_pattern($1, bugzilla_tmp_t)
 
-	files_search_usr($1)
-	admin_pattern($1, httpd_bugzilla_script_exec_t)
-	admin_pattern($1, httpd_bugzilla_script_t)
-	admin_pattern($1, httpd_bugzilla_content_t)
-	admin_pattern($1, httpd_bugzilla_htaccess_t)
-	admin_pattern($1, httpd_bugzilla_ra_content_t)
+	files_list_var_lib(bugzilla_script_t)
+
+	admin_pattern($1, bugzilla_script_exec_t)
+	admin_pattern($1, bugzilla_script_t)
+	admin_pattern($1, bugzilla_content_t)
+	admin_pattern($1, bugzilla_htaccess_t)
+	admin_pattern($1, bugzilla_ra_content_t)
 
 	files_search_tmp($1)
 	files_search_var_lib($1)
-	admin_pattern($1, httpd_bugzilla_rw_content_t)
+	admin_pattern($1, bugzilla_rw_content_t)
 
-	apache_list_sys_content($1)
+	optional_policy(`
+		apache_list_sys_content($1)
+	')
 ')
diff --git a/bugzilla.te b/bugzilla.te
index 18623e39ea..c62f617e15 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0)
 #
 
 apache_content_template(bugzilla)
+apache_content_alias_template(bugzilla, bugzilla)
+
+type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
+files_tmp_file(bugzilla_tmp_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
+allow bugzilla_script_t self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_netlabel(bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
+
+corenet_sendrecv_http_client_packets(bugzilla_script_t)
+corenet_tcp_connect_http_port(bugzilla_script_t)
+corenet_tcp_sendrecv_http_port(bugzilla_script_t)
+
+corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
+corenet_tcp_connect_smtp_port(bugzilla_script_t)
+corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
+
+manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
+manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
+files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
 
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+files_search_var_lib(bugzilla_script_t)
 
-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
+auth_read_passwd(bugzilla_script_t)
 
-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+dev_read_sysfs(bugzilla_script_t)
 
-files_search_var_lib(httpd_bugzilla_script_t)
+sysnet_read_config(bugzilla_script_t)
+sysnet_use_ldap(bugzilla_script_t)
 
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
-sysnet_use_ldap(httpd_bugzilla_script_t)
+miscfiles_read_certs(bugzilla_script_t)
 
 optional_policy(`
-	mta_send_mail(httpd_bugzilla_script_t)
+	mta_send_mail(bugzilla_script_t)
 ')
 
 optional_policy(`
-	mysql_stream_connect(httpd_bugzilla_script_t)
-	mysql_tcp_connect(httpd_bugzilla_script_t)
+	mysql_stream_connect(bugzilla_script_t)
+	mysql_tcp_connect(bugzilla_script_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(httpd_bugzilla_script_t)
-	postgresql_tcp_connect(httpd_bugzilla_script_t)
+	postgresql_stream_connect(bugzilla_script_t)
+	postgresql_tcp_connect(bugzilla_script_t)
 ')
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
index 0000000000..b5ee23be76
--- /dev/null
+++ b/bumblebee.fc
@@ -0,0 +1,7 @@
+/etc/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/lib/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/sbin/bumblebeed		--	gen_context(system_u:object_r:bumblebee_exec_t,s0)
+
+/var/run/bumblebee.*			gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
index 0000000000..2d2e60c199
--- /dev/null
+++ b/bumblebee.if
@@ -0,0 +1,122 @@
+## <summary>policy for bumblebee</summary>
+
+########################################
+## <summary>
+##	Execute bumblebee in the bumblebee domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bumblebee_domtrans',`
+	gen_require(`
+		type bumblebee_t, bumblebee_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	Read bumblebee PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_read_pid_files',`
+	gen_require(`
+		type bumblebee_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute bumblebee server in the bumblebee domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_systemctl',`
+	gen_require(`
+		type bumblebee_t;
+		type bumblebee_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 bumblebee_unit_file_t:file read_file_perms;
+	allow $1 bumblebee_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	Connect to bumblebee over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_stream_connect',`
+	gen_require(`
+		type bumblebee_t, bumblebee_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an bumblebee environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bumblebee_admin',`
+	gen_require(`
+		type bumblebee_t;
+		type bumblebee_var_run_t;
+		type bumblebee_unit_file_t;
+	')
+
+	allow $1 bumblebee_t:process { signal_perms };
+	ps_process_pattern($1, bumblebee_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 bumblebee_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, bumblebee_var_run_t)
+
+	bumblebee_systemctl($1)
+	admin_pattern($1, bumblebee_unit_file_t)
+	allow $1 bumblebee_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
index 0000000000..acaf51906e
--- /dev/null
+++ b/bumblebee.te
@@ -0,0 +1,62 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bumblebee_t;
+type bumblebee_exec_t;
+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
+
+type bumblebee_var_run_t;
+files_pid_file(bumblebee_var_run_t)
+
+type bumblebee_unit_file_t;
+systemd_unit_file(bumblebee_unit_file_t)
+
+########################################
+#
+# bumblebee local policy
+#
+
+allow bumblebee_t self:capability { setgid };
+allow bumblebee_t self:process { fork signal_perms };
+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
+allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(bumblebee_t)
+kernel_read_network_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
+kernel_dontaudit_write_proc_files(bumblebee_t)
+kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
+corecmd_exec_bin(bumblebee_t)
+
+dev_read_sysfs(bumblebee_t)
+
+auth_use_nsswitch(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
+modutils_signal_insmod(bumblebee_t)
+
+sysnet_dns_name_resolve(bumblebee_t)
+
+xserver_domtrans(bumblebee_t)
+xserver_signal(bumblebee_t)
+xserver_stream_connect(bumblebee_t)
+xserver_manage_xkb_libs(bumblebee_t)
+corenet_tcp_connect_xserver_port(bumblebee_t)
+
+optional_policy(`
+    apm_stream_connect(bumblebee_t)
+')
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c7902bb..aa03fc8ae5 100644
--- a/cachefilesd.fc
+++ b/cachefilesd.fc
@@ -1,9 +1,34 @@
-/etc/rc\.d/init\.d/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_dev_t,s0)
 
 /sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
 
 /usr/sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
 
-/var/cache/fscache(/.*)?	gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+/var/cache/fscache(/.*)?	gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/fscache(/.*)?		gen_context(system_u:object_r:cachefiles_var_t,s0)
 
-/var/run/cachefilesd\.pid	--	gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+/var/run/cachefilesd\.pid --	gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/cachefilesd.if b/cachefilesd.if
index 8de2ab9c52..3b419455f8 100644
--- a/cachefilesd.if
+++ b/cachefilesd.if
@@ -1,39 +1,35 @@
-## <summary>CacheFiles user-space management daemon.</summary>
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## <summary>policy for cachefilesd</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an cachefilesd environment.
+##	Execute a domain transition to run cachefilesd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
-interface(`cachefilesd_admin',`
+interface(`cachefilesd_domtrans',`
 	gen_require(`
-		type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
-		type cachefilesd_var_run_t;
+		type cachefilesd_t, cachefilesd_exec_t;
 	')
 
-	allow $1 cachefilesd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, cachefilesd_t)
-
-	init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cachefilesd_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_search_var($1)
-	admin_pattern($1, cachefilesd_cache_t)
-
-	files_search_pids($1)
-	admin_pattern($1, cachefilesd_var_run_t)
+	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
 ')
diff --git a/cachefilesd.te b/cachefilesd.te
index a3760bc924..22ed920b74 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,125 @@
 policy_module(cachefilesd, 1.1.0)
 
-########################################
+###############################################################################
 #
 # Declarations
 #
 
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
 type cachefilesd_t;
 type cachefilesd_exec_t;
 init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
 
-type cachefilesd_initrc_exec_t;
-init_script_file(cachefilesd_initrc_exec_t)
-
-type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
-
+#
+# The cachefilesd daemon pid file context
+#
 type cachefilesd_var_run_t;
 files_pid_file(cachefilesd_var_run_t)
 
-########################################
 #
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
 #
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+	rpm_use_script_fds(cachefilesd_t)
+')
 
-allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do.  This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache.  It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search dac_override };
+allow cachefilesd_t self:process signal_perms;
 
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
 manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
 files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
 
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
-dev_rw_cachefiles(cachefilesd_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
 
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
 
+# Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
 
+# Basic access
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
 term_dontaudit_use_generic_ptys(cachefilesd_t)
 term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
 
-logging_send_syslog_msg(cachefilesd_t)
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+#   (1) the security context used by the module to access files in the cache,
+#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
 
-miscfiles_read_localization(cachefilesd_t)
+#
+#   (2) the label that will be assigned to new files and directories created in
+#       the cache by the module, which will be the same as the label on the
+#       directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
 
-init_dontaudit_use_script_ptys(cachefilesd_t)
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
 
-optional_policy(`
-	rpm_use_script_fds(cachefilesd_t)
-')
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.if b/calamaris.if
index cd9c52871a..ba793b748a 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
 		attribute_role calamaris_roles;
 	')
 
-	lightsquid_domtrans($1)
+	calamaris_domtrans($1)
 	roleattribute $2 calamaris_roles;
 ')
 
diff --git a/calamaris.te b/calamaris.te
index 7e574604be..8d8cd78e54 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -23,7 +23,7 @@ files_type(calamaris_www_t)
 # Local policy
 #
 
-allow calamaris_t self:capability dac_override;
+allow calamaris_t self:capability { dac_read_search dac_override };
 allow calamaris_t self:process { signal_perms setsched };
 allow calamaris_t self:fifo_file rw_fifo_file_perms;
 allow calamaris_t self:unix_stream_socket { accept listen };
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
 
 corecmd_exec_bin(calamaris_t)
 
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
 dev_read_urand(calamaris_t)
 
-files_read_usr_files(calamaris_t)
+files_search_pids(calamaris_t)
 files_read_etc_runtime_files(calamaris_t)
 
-libs_read_lib_files(calamaris_t)
-
 auth_use_nsswitch(calamaris_t)
 
 logging_send_syslog_msg(calamaris_t)
 
-miscfiles_read_localization(calamaris_t)
-
 userdom_dontaudit_list_user_home_dirs(calamaris_t)
 
 optional_policy(`
diff --git a/callweaver.te b/callweaver.te
index 0e5be4cdfc..b9a407f900 100644
--- a/callweaver.te
+++ b/callweaver.te
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
 
 auth_use_nsswitch(callweaver_t)
 
-miscfiles_read_localization(callweaver_t)
diff --git a/canna.if b/canna.if
index 400db07a26..f416e22a7a 100644
--- a/canna.if
+++ b/canna.if
@@ -43,9 +43,13 @@ interface(`canna_admin',`
 		type canna_var_run_t, canna_initrc_exec_t;
 	')
 
-	allow $1 canna_t:process { ptrace signal_perms };
+	allow $1 canna_t:process signal_perms;
 	ps_process_pattern($1, canna_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 canna_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, canna_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
index 9fe61621f0..5c505e7ded 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
 kernel_read_kernel_sysctls(canna_t)
 kernel_read_system_state(canna_t)
 
-corenet_all_recvfrom_unlabeled(canna_t)
 corenet_all_recvfrom_netlabel(canna_t)
 corenet_tcp_sendrecv_generic_if(canna_t)
 corenet_tcp_sendrecv_generic_node(canna_t)
@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t)
 
 domain_use_interactive_fds(canna_t)
 
-files_read_etc_files(canna_t)
 files_read_etc_runtime_files(canna_t)
-files_read_usr_files(canna_t)
 files_search_tmp(canna_t)
 files_dontaudit_read_root_files(canna_t)
 
-logging_send_syslog_msg(canna_t)
+auth_use_nsswitch(canna_t)
 
-miscfiles_read_localization(canna_t)
+logging_send_syslog_msg(canna_t)
 
 sysnet_read_config(canna_t)
 
diff --git a/ccs.if b/ccs.if
index 5ded72d378..cb94e5ea7c 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
 interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t_t, ccs_var_log_t;
+		type ccs_var_lib_t, ccs_var_log_t;
 		type ccs_var_run_t, ccs_tmp_t;
 	')
 
-	allow $1 ccs_t:process { ptrace signal_perms };
+	allow $1 ccs_t:process { signal_perms };
 	ps_process_pattern($1, ccs_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ccs_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, ccs_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 ccs_initrc_exec_t system_r;
 	allow $2 system_r;
 
 	files_search_etc($1)
-	admin_pattern($1, ccs_conf_t)
+	admin_pattern($1, cluster_conf_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
index 658134d8ad..58deeceaab 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
 
 allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
 allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
+
 allow ccs_t self:fifo_file rw_fifo_file_perms;
 allow ccs_t self:unix_stream_socket { accept connectto listen };
 allow ccs_t self:tcp_socket { accept listen };
@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
 corecmd_list_bin(ccs_t)
 corecmd_exec_bin(ccs_t)
 
-corenet_all_recvfrom_unlabeled(ccs_t)
 corenet_all_recvfrom_netlabel(ccs_t)
 corenet_tcp_sendrecv_generic_if(ccs_t)
 corenet_udp_sendrecv_generic_if(ccs_t)
@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
 
 dev_read_urand(ccs_t)
 
-files_read_etc_files(ccs_t)
 files_read_etc_runtime_files(ccs_t)
 
 init_rw_script_tmp_files(ccs_t)
+init_signal(ccs_t)
 
 logging_send_syslog_msg(ccs_t)
 
-miscfiles_read_localization(ccs_t)
-
 sysnet_dns_name_resolve(ccs_t)
 
 userdom_manage_unpriv_user_shared_mem(ccs_t)
@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
-	aisexec_stream_connect(ccs_t)
-	corosync_stream_connect(ccs_t)
+	rhcs_stream_connect_cluster(ccs_t)
 ')
 
 optional_policy(`
diff --git a/cdrecord.if b/cdrecord.if
index fbc20f6945..4de4a005cc 100644
--- a/cdrecord.if
+++ b/cdrecord.if
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
 
 	allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
 
-	allow $2 cdrecord_t:process { ptrace signal_perms };
+	allow $2 cdrecord_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 cdrecord_t:process ptrace;
+	')
 	ps_process_pattern($2, cdrecord_t)
 ')
diff --git a/cdrecord.te b/cdrecord.te
index 16883c9c30..97e9a429eb 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
 # Local policy
 #
 
-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search dac_override sys_rawio };
 allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
 allow cdrecord_t self:unix_stream_socket { accept listen };
 
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
 domain_interactive_fd(cdrecord_t)
 domain_use_interactive_fds(cdrecord_t)
 
-files_read_etc_files(cdrecord_t)
-
 term_use_controlling_term(cdrecord_t)
 term_list_ptys(cdrecord_t)
 
@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
 
 logging_send_syslog_msg(cdrecord_t)
 
-miscfiles_read_localization(cdrecord_t)
-
-userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
 
 tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
 	fs_list_auto_mountpoints(cdrecord_t)
@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
 	userdom_dontaudit_read_user_home_content_files(cdrecord_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	files_search_mnt(cdrecord_t)
-	fs_read_nfs_files(cdrecord_t)
-	fs_read_nfs_symlinks(cdrecord_t)
-')
+userdom_home_manager(cdrecord_t)
 
 optional_policy(`
 	resmgr_stream_connect(cdrecord_t)
diff --git a/certmaster.if b/certmaster.if
index 0c53b189bd..ef29f6e6c3 100644
--- a/certmaster.if
+++ b/certmaster.if
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
 interface(`certmaster_admin',`
 	gen_require(`
 		type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
-		type certmaster_etc_rw_t, certmaster_var_log_t;
-		type certmaster_initrc_exec_t;
+		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
 	')
 
-	allow $1 certmaster_t:process { ptrace signal_perms };
+	allow $1 certmaster_t:process signal_perms;
 	ps_process_pattern($1, certmaster_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 certmaster_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
index 4a878730b6..113f3b32fd 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
 dev_read_urand(certmaster_t)
 
 files_list_var(certmaster_t)
-files_search_etc(certmaster_t)
-files_read_usr_files(certmaster_t)
 
 auth_use_nsswitch(certmaster_t)
 
-miscfiles_read_localization(certmaster_t)
 miscfiles_manage_generic_cert_dirs(certmaster_t)
 miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
index ed298d8b66..c887648384 100644
--- a/certmonger.fc
+++ b/certmonger.fc
@@ -1,7 +1,12 @@
+/etc/systemd/system/dirsrv.target.wants(/.*)?      gen_context(system_u:object_r:certmonger_unit_file_t,s0)
+/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0)
+
 /etc/rc\.d/init\.d/certmonger	--	gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
 
 /usr/sbin/certmonger	--	gen_context(system_u:object_r:certmonger_exec_t,s0)
 
+/usr/lib/ipa/certmonger(/.*)?		gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+
 /var/lib/certmonger(/.*)?	gen_context(system_u:object_r:certmonger_var_lib_t,s0)
 
 /var/run/certmonger.*	gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/certmonger.if b/certmonger.if
index 008f8ef262..144c0740a6 100644
--- a/certmonger.if
+++ b/certmonger.if
@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
 	')
 
 	ps_process_pattern($1, certmonger_t)
-	allow $1 certmonger_t:process { ptrace signal_perms };
+	allow $1 certmonger_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 certmonger_t:process ptrace;
+	')
 
 	certmonger_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 certmonger_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, certmonger_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, certmonger_var_run_t)
 ')
diff --git a/certmonger.te b/certmonger.te
index 550b287cec..d350a87329 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
 type certmonger_var_run_t;
 files_pid_file(certmonger_var_run_t)
 
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
+type certmonger_unit_file_t;
+systemd_unit_file(certmonger_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
 dontaudit certmonger_t self:capability sys_tty_config;
 allow certmonger_t self:capability2 block_suspend;
+
 allow certmonger_t self:process { getsched setsched sigkill signal };
-allow certmonger_t self:fifo_file rw_fifo_file_perms;
-allow certmonger_t self:unix_stream_socket { accept listen };
-allow certmonger_t self:tcp_socket { accept listen };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
 manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(certmonger_t)
 kernel_read_system_state(certmonger_t)
+kernel_read_network_state(certmonger_t)
 
 corenet_all_recvfrom_unlabeled(certmonger_t)
 corenet_all_recvfrom_netlabel(certmonger_t)
@@ -49,18 +58,27 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
 
 corenet_sendrecv_certmaster_client_packets(certmonger_t)
 corenet_tcp_connect_certmaster_port(certmonger_t)
+
+corenet_tcp_connect_http_port(certmonger_t)
+corenet_tcp_connect_http_cache_port(certmonger_t)
+
+corenet_tcp_connect_ldap_port(certmonger_t)
+
+corenet_tcp_connect_pki_ca_port(certmonger_t)
 corenet_tcp_sendrecv_certmaster_port(certmonger_t)
 
 corecmd_exec_bin(certmonger_t)
 corecmd_exec_shell(certmonger_t)
 
+dev_read_rand(certmonger_t)
 dev_read_urand(certmonger_t)
 
 domain_use_interactive_fds(certmonger_t)
 
-files_read_usr_files(certmonger_t)
 files_list_tmp(certmonger_t)
+files_list_home(certmonger_t)
 
+fs_getattr_xattr_fs(certmonger_t)
 fs_search_cgroup_dirs(certmonger_t)
 
 auth_use_nsswitch(certmonger_t)
@@ -68,18 +86,26 @@ auth_rw_cache(certmonger_t)
 
 init_getattr_all_script_files(certmonger_t)
 
+libs_exec_ldconfig(certmonger_t)
+
 logging_send_syslog_msg(certmonger_t)
 
-miscfiles_read_localization(certmonger_t)
-miscfiles_manage_generic_cert_files(certmonger_t)
+miscfiles_manage_all_certs(certmonger_t)
+
+systemd_exec_systemctl(certmonger_t)
+systemd_manage_all_unit_files(certmonger_t)
+systemd_start_systemd_services(certmonger_t)
+systemd_status_all_unit_files(certmonger_t)
+
 
 userdom_search_user_home_content(certmonger_t)
+userdom_write_user_tmp_dirs(certmonger_t)
 
 optional_policy(`
-	apache_initrc_domtrans(certmonger_t)
-	apache_search_config(certmonger_t)
+	apache_read_config(certmonger_t)
 	apache_signal(certmonger_t)
 	apache_signull(certmonger_t)
+	apache_systemctl(certmonger_t)
 ')
 
 optional_policy(`
@@ -92,11 +118,77 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_read_keytab(certmonger_t)
+	dirsrv_manage_config(certmonger_t)
+	dirsrv_signal(certmonger_t)
+	dirsrv_signull(certmonger_t)
+    dirsrv_stream_connect(certmonger_t)
+')
+
+optional_policy(`
+    ipa_manage_lib(certmonger_t)
+    ipa_manage_log(certmonger_t)
+    ipa_manage_pid_files(certmonger_t)
+	ipa_named_filetrans_log_dir(certmonger_t)
+')
+
+optional_policy(`
 	kerberos_use(certmonger_t)
+	kerberos_read_keytab(certmonger_t)
+	kerberos_manage_kdc_config(certmonger_t)
+    kerberos_filetrans_named_content(certmonger_t)
+')
+
+optional_policy(`
+    mta_send_mail(certmonger_t)
 ')
 
 optional_policy(`
 	pcscd_read_pid_files(certmonger_t)
 	pcscd_stream_connect(certmonger_t)
 ')
+
+optional_policy(`
+	pki_rw_tomcat_cert(certmonger_t)
+	pki_read_tomcat_lib_files(certmonger_t)
+    pki_tomcat_systemctl(certmonger_t)
+')
+
+optional_policy(`
+    rhcs_start_haproxy_services(certmonger_t)
+')
+
+optional_policy(`
+	sssd_delete_public_files(certmonger_t)
+')
+
+optional_policy(`
+    allow certmonger_t certmonger_unit_file_t:service manage_service_perms;
+    allow certmonger_t certmonger_unit_file_t:file manage_file_perms;
+    allow certmonger_t certmonger_unit_file_t:dir manage_dir_perms;
+    systemd_unit_file_filetrans(certmonger_t, certmonger_unit_file_t, dir)
+')
+
+########################################
+#
+# certmonger_unconfined_script_t local policy
+#
+
+optional_policy(`
+	type certmonger_unconfined_t;
+	domain_type(certmonger_unconfined_t)
+
+	domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
+	role system_r types certmonger_unconfined_t;
+
+	domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
+
+	allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
+	allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+	allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
+
+	init_domtrans_script(certmonger_unconfined_t)
+
+	optional_policy(`
+		unconfined_domain(certmonger_unconfined_t)
+	')
+')
diff --git a/certwatch.te b/certwatch.te
index 171fafb990..69d01f6fa0 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -18,34 +18,47 @@ role certwatch_roles types certwatch_t;
 # Local policy
 #
 
-allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:capability { dac_read_search dac_override sys_nice };
 allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
 
+kernel_read_system_state(certwatch_t)
+
+corecmd_exec_bin(certwatch_t)
+
+dev_read_rand(certwatch_t)
 dev_read_urand(certwatch_t)
 
-files_read_etc_files(certwatch_t)
-files_read_usr_files(certwatch_t)
 files_read_usr_symlinks(certwatch_t)
 files_list_tmp(certwatch_t)
 
 fs_list_inotifyfs(certwatch_t)
 
 auth_manage_cache(certwatch_t)
+auth_read_passwd(certwatch_t)
 auth_var_filetrans_cache(certwatch_t)
 
 logging_send_syslog_msg(certwatch_t)
 
 miscfiles_read_all_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
+miscfiles_manage_generic_cert_dirs(certwatch_t)
+miscfiles_map_generic_certs(certwatch_t)
+
+sysnet_read_config(certwatch_t)
 
-userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
 
 optional_policy(`
+	apache_domtrans(certwatch_t)
 	apache_exec_modules(certwatch_t)
 	apache_read_config(certwatch_t)
 ')
 
+optional_policy(`
+    mta_send_mail(certwatch_t)
+')
+
 optional_policy(`
 	cron_system_entry(certwatch_t, certwatch_exec_t)
 ')
diff --git a/cfengine.if b/cfengine.if
index a7311229f7..5279d4e3a5 100644
--- a/cfengine.if
+++ b/cfengine.if
@@ -13,7 +13,6 @@
 template(`cfengine_domain_template',`
 	gen_require(`
 		attribute cfengine_domain;
-		type cfengine_log_t, cfengine_var_lib_t;
 	')
 
 	########################################
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
 	# Policy
 	#
 
+	kernel_read_system_state(cfengine_$1_t)
+
 	auth_use_nsswitch(cfengine_$1_t)
+
+	logging_send_syslog_msg(cfengine_$1_t)
+')
+
+######################################
+## <summary>
+##  Search cfengine lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cfengine_search_lib_files',`
+	gen_require(`
+		type cfengine_var_lib_t;
+	')
+
+	allow $1 cfengine_var_lib_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
 	dontaudit $1 cfengine_var_log_t:file write_file_perms;
 ')
 
+#####################################
+## <summary>
+##      Allow the specified domain to append cfengine's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cfengine_append_inherited_log',`
+        gen_require(`
+                type cfengine_var_log_t;
+        ')
+
+        cfengine_search_lib_files($1)
+		allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
+')
+
+####################################
+## <summary>
+##      Dontaudit the specified domain to write cfengine's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cfengine_dontaudit_write_log',`
+        gen_require(`
+                type cfengine_var_log_t;
+        ')
+
+		dontaudit $1 cfengine_var_log_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
 		type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
 	')
 
-	allow $1 cfengine_domain:process { ptrace signal_perms };
+	allow $1 cfengine_domain:process { signal_perms };
 	ps_process_pattern($1, cfengine_domain)
 
 	init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
 ')
+
diff --git a/cfengine.te b/cfengine.te
index fbe3ad9555..21ab8e1767 100644
--- a/cfengine.te
+++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
 setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
 logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
 
-kernel_read_system_state(cfengine_domain)
-
 corecmd_exec_bin(cfengine_domain)
 corecmd_exec_shell(cfengine_domain)
 
 dev_read_urand(cfengine_domain)
 dev_read_sysfs(cfengine_domain)
 
-logging_send_syslog_msg(cfengine_domain)
-
-miscfiles_read_localization(cfengine_domain)
-
+sysnet_dns_name_resolve(cfengine_domain)
 sysnet_domtrans_ifconfig(cfengine_domain)
 
 ########################################
@@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t)
 # Monitord local policy
 #
 
-kernel_read_hotplug_sysctls(cfengine_monitord_t)
+kernel_read_usermodehelper_state(cfengine_monitord_t)
 kernel_read_network_state(cfengine_monitord_t)
 
 domain_read_all_domains_state(cfengine_monitord_t)
diff --git a/cgdcbxd.fc b/cgdcbxd.fc
new file mode 100644
index 0000000000..756703813d
--- /dev/null
+++ b/cgdcbxd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/cgdcbxd\.service		--	gen_context(system_u:object_r:cgdcbxd_unit_file_t,s0)
+
+/usr/sbin/cgdcbxd		--	gen_context(system_u:object_r:cgdcbxd_exec_t,s0)
+
+/var/run/cgdcbxd\.pid		--	gen_context(system_u:object_r:cgdcbxd_var_run_t,s0)
diff --git a/cgdcbxd.if b/cgdcbxd.if
new file mode 100644
index 0000000000..1efacf1d17
--- /dev/null
+++ b/cgdcbxd.if
@@ -0,0 +1,99 @@
+
+## <summary>policy for cgdcbxd</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cgdcbxd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgdcbxd_domtrans',`
+	gen_require(`
+		type cgdcbxd_t, cgdcbxd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cgdcbxd_exec_t, cgdcbxd_t)
+')
+########################################
+## <summary>
+##	Read cgdcbxd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cgdcbxd_read_pid_files',`
+	gen_require(`
+		type cgdcbxd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute cgdcbxd server in the cgdcbxd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cgdcbxd_systemctl',`
+	gen_require(`
+		type cgdcbxd_t;
+		type cgdcbxd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 cgdcbxd_unit_file_t:file read_file_perms;
+	allow $1 cgdcbxd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, cgdcbxd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an cgdcbxd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgdcbxd_admin',`
+	gen_require(`
+		type cgdcbxd_t;
+		type cgdcbxd_var_run_t;
+    	type cgdcbxd_unit_file_t;
+	')
+
+	allow $1 cgdcbxd_t:process { signal_perms };
+	ps_process_pattern($1, cgdcbxd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 cgdcbxd_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, cgdcbxd_var_run_t)
+
+	cgdcbxd_systemctl($1)
+	admin_pattern($1, cgdcbxd_unit_file_t)
+	allow $1 cgdcbxd_unit_file_t:service all_service_perms;
+
+')
diff --git a/cgdcbxd.te b/cgdcbxd.te
new file mode 100644
index 0000000000..32640a7b08
--- /dev/null
+++ b/cgdcbxd.te
@@ -0,0 +1,40 @@
+policy_module(cgdcbxd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgdcbxd_t;
+type cgdcbxd_exec_t;
+init_daemon_domain(cgdcbxd_t, cgdcbxd_exec_t)
+
+type cgdcbxd_var_run_t;
+files_pid_file(cgdcbxd_var_run_t)
+
+type cgdcbxd_unit_file_t;
+systemd_unit_file(cgdcbxd_unit_file_t)
+
+########################################
+#
+# cgdcbxd local policy
+#
+
+allow cgdcbxd_t self:fifo_file rw_fifo_file_perms;
+allow cgdcbxd_t self:unix_stream_socket create_stream_socket_perms;
+allow cgdcbxd_t self:udp_socket create_socket_perms;
+allow cgdcbxd_t self:unix_dgram_socket create_socket_perms;
+
+dontaudit cgdcbxd_t self:capability sys_ptrace;
+allow cgdcbxd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_files_pattern(cgdcbxd_t, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
+files_pid_filetrans(cgdcbxd_t, cgdcbxd_var_run_t, { file })
+
+kernel_read_system_state(cgdcbxd_t)
+kernel_read_network_state(cgdcbxd_t)
+kernel_search_network_sysctl(cgdcbxd_t)
+
+fs_manage_cgroup_files(cgdcbxd_t)
+
+domain_dontaudit_read_all_domains_state(cgdcbxd_t)
diff --git a/cgroup.if b/cgroup.if
index 85ca63f9a7..1d1c99c8fc 100644
--- a/cgroup.if
+++ b/cgroup.if
@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
 		type cgrules_etc_t, cgclear_t;
 	')
 
-	allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+	allow $1 cgclear_t:process signal_perms;
+	ps_process_pattern($1, cgclear_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgclear_t:process ptrace;
+	')
+
+	allow $1 cgconfig_t:process signal_perms;
+	ps_process_pattern($1, cgconfig_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgconfig_t:process ptrace;
+	')
+
+	allow $1 cgred_t:process signal_perms;
+	ps_process_pattern($1, cgred_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgred_t:process ptrace;
+	')
 
 	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
 	files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
index 80a88a27a8..514eb47f24 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
 type cgrules_etc_t;
 files_config_file(cgrules_etc_t)
 
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
 init_daemon_domain(cgconfig_t, cgconfig_exec_t)
 
 type cgconfig_initrc_exec_t;
@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
 
 allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
 
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
 
 kernel_read_system_state(cgclear_t)
 
+auth_use_nsswitch(cgclear_t)
+
 domain_setpriority_all_domains(cgclear_t)
 
 fs_manage_cgroup_dirs(cgclear_t)
@@ -57,30 +59,33 @@ fs_unmount_cgroup(cgclear_t)
 # cgconfig local policy
 #
 
-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
+allow cgconfig_t self:capability { dac_read_search dac_override fowner fsetid chown sys_admin sys_tty_config };
 
 allow cgconfig_t cgconfig_etc_t:file read_file_perms;
 
 kernel_list_unlabeled(cgconfig_t)
 kernel_read_system_state(cgconfig_t)
 
-files_read_etc_files(cgconfig_t)
-
 fs_manage_cgroup_dirs(cgconfig_t)
 fs_manage_cgroup_files(cgconfig_t)
 fs_mount_cgroup(cgconfig_t)
 fs_mounton_cgroup(cgconfig_t)
 fs_unmount_cgroup(cgconfig_t)
 
+auth_use_nsswitch(cgconfig_t)
+
 ########################################
 #
 # cgred local policy
 #
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search dac_override sys_ptrace };
+allow cgred_t self:process signal_perms;
 
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t self:netlink_connector_socket create_socket_perms;
 
+allow cgred_t cgconfig_etc_t:file read_file_perms;
 allow cgred_t cgrules_etc_t:file read_file_perms;
 
 allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t)
 files_getattr_all_files(cgred_t)
 files_getattr_all_sockets(cgred_t)
 files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
 
-fs_write_cgroup_files(cgred_t)
+fs_manage_cgroup_dirs(cgred_t)
+fs_manage_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
 
-logging_send_syslog_msg(cgred_t)
+auth_use_nsswitch(cgred_t)
 
-miscfiles_read_localization(cgred_t)
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
index 0000000000..5c6bdb68dd
--- /dev/null
+++ b/chrome.fc
@@ -0,0 +1,11 @@
+/opt/google/chrome[^/]*/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/opt/google/chrome[^/]*/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)?	gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/google-chrome-unstable(/.*)?	gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)?		gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
index 0000000000..aa308eba61
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,137 @@
+
+## <summary>policy for chrome</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run chrome_sandbox.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chrome_domtrans_sandbox',`
+	gen_require(`
+		type chrome_sandbox_t, chrome_sandbox_exec_t;
+	')
+
+	domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
+	ps_process_pattern(chrome_sandbox_t, $1)
+
+	allow $1 chrome_sandbox_t:fd use;
+
+	dontaudit chrome_sandbox_t $1:socket_class_set getattr;
+	allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
+
+	ifdef(`hide_broken_symptoms',`
+		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+	')
+')
+
+
+########################################
+## <summary>
+##	Execute chrome_sandbox in the chrome_sandbox domain, and
+##	allow the specified role the chrome_sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the chrome_sandbox domain.
+##	</summary>
+## </param>
+#
+interface(`chrome_run_sandbox',`
+	gen_require(`
+		type chrome_sandbox_t;
+		type chrome_sandbox_nacl_t;
+	')
+
+	chrome_domtrans_sandbox($1)
+	role $2 types chrome_sandbox_t;
+	role $2 types chrome_sandbox_nacl_t;
+')
+
+########################################
+## <summary>
+##	Role access for chrome sandbox
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`chrome_role_notrans',`
+	gen_require(`
+		type chrome_sandbox_t;
+		type chrome_sandbox_tmpfs_t;
+		type chrome_sandbox_nacl_t;
+	')
+
+	role $1 types chrome_sandbox_t;
+	role $1 types chrome_sandbox_nacl_t;
+
+	ps_process_pattern($2, chrome_sandbox_t)
+	allow $2 chrome_sandbox_t:process signal_perms;
+
+	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+	allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
+	allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
+	allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
+	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+	allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+	allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Role access for chrome sandbox
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`chrome_role',`
+	chrome_role_notrans($1, $2)
+	chrome_domtrans_sandbox($2)
+')
+
+########################################
+## <summary>
+##	Dontaudit read/write to a chrome_sandbox leaks
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`chrome_dontaudit_sandbox_leaks',`
+	gen_require(`
+		type chrome_sandbox_t;
+	')
+
+	dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
index 0000000000..5dce7aba49
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,257 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+ubac_constrained(chrome_sandbox_t)
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+type chrome_sandbox_nacl_t;
+type chrome_sandbox_nacl_exec_t;
+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
+role system_r types chrome_sandbox_nacl_t;
+ubac_constrained(chrome_sandbox_nacl_t)
+
+type chrome_sandbox_home_t;
+userdom_user_home_content(chrome_sandbox_home_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_read_search dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process { setcap setsched };
+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:sem create_sem_perms;
+allow chrome_sandbox_t self:msgq create_msgq_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+auth_dontaudit_read_passwd(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+fs_read_dos_files(chrome_sandbox_t)
+fs_read_hugetlbfs_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
+corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_connect_whois_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_t)
+
+term_dontaudit_use_console(chrome_sandbox_t)
+
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_execute_user_tmp_files(chrome_sandbox_t)
+userdom_map_tmp_files(chrome_sandbox_t)
+
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+userdom_search_user_home_content(chrome_sandbox_t)
+# This one we should figure a way to make it more secure
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
+	gnome_exec_config_home_files(chrome_sandbox_t)
+	gnome_read_generic_cache_files(chrome_sandbox_t)
+	gnome_rw_inherited_config(chrome_sandbox_t)
+	gnome_read_home_config(chrome_sandbox_t)
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
+')
+
+optional_policy(`
+	mozilla_write_user_home_files(chrome_sandbox_t)
+')
+
+optional_policy(`
+	xserver_use_user_fonts(chrome_sandbox_t)
+	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_search_nfs(chrome_sandbox_t)
+	fs_exec_nfs_files(chrome_sandbox_t)
+	fs_read_nfs_files(chrome_sandbox_t)
+	fs_rw_inherited_nfs_files(chrome_sandbox_t)
+	fs_read_nfs_symlinks(chrome_sandbox_t)
+	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_search_cifs(chrome_sandbox_t)
+	fs_exec_cifs_files(chrome_sandbox_t)
+	fs_rw_inherited_cifs_files(chrome_sandbox_t)
+	fs_read_cifs_files(chrome_sandbox_t)
+	fs_read_cifs_symlinks(chrome_sandbox_t)
+	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+    fs_search_fusefs(chrome_sandbox_t)
+    fs_read_fusefs_files(chrome_sandbox_t)
+    fs_exec_fusefs_files(chrome_sandbox_t)
+	fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+        fs_read_ecryptfs_files(chrome_sandbox_t)
+		fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
+		fs_read_ecryptfs_symlinks(chrome_sandbox_t)
+')
+
+optional_policy(`
+	bumblebee_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+	cups_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+	sandbox_use_ptys(chrome_sandbox_t)
+')
+
+optional_policy(`
+    unconfined_dontaudit_write_state(chrome_sandbox_t)
+')
+
+########################################
+#
+# chrome_sandbox_nacl local policy
+#
+
+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
+
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+dev_rwx_zero(chrome_sandbox_nacl_t)
+
+init_read_state(chrome_sandbox_nacl_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+
+optional_policy(`
+	gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
+	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143ed8f..940434abe7 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,13 +1,20 @@
-/etc/chrony\.keys	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys.*	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
 
 /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/chrony.*	--      gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
 /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/libexec/chrony-helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+/usr/bin/chronyc	--	gen_context(system_u:object_r:chronyc_exec_t,s0)
 
 /var/lib/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_lib_t,s0)
 
 /var/log/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_log_t,s0)
 
-/var/run/chronyd(/.*)	gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony(/.*)?   gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony-helper(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 /var/run/chronyd\.pid	--	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 /var/run/chronyd\.sock	-s	gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 32e8265c2e..ffebaf512b 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -57,6 +57,24 @@ interface(`chronyd_exec',`
 	can_exec($1, chronyd_exec_t)
 ')
 
+########################################
+## <summary>
+##	Send generic signals to chronyd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_signal',`
+	gen_require(`
+		type chronyd_t;
+	')
+
+	allow $1 chronyd_t:process signal;
+')
+
 #####################################
 ## <summary>
 ##	Read chronyd log files.
@@ -100,8 +118,7 @@ interface(`chronyd_rw_shm',`
 
 ########################################
 ## <summary>
-##	Connect to chronyd using a unix
-##	domain stream socket.
+##	Read chronyd keys files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -109,19 +126,17 @@ interface(`chronyd_rw_shm',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_stream_connect',`
+interface(`chronyd_read_keys',`
 	gen_require(`
-		type chronyd_t, chronyd_var_run_t;
+		type chronyd_keys_t;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
 ')
 
 ########################################
 ## <summary>
-##	Send to chronyd using a unix domain
-##	datagram socket.
+##	Append chronyd keys files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -129,18 +144,62 @@ interface(`chronyd_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_dgram_send',`
+interface(`chronyd_append_keys',`
+	gen_require(`
+		type chronyd_keys_t;
+	')
+
+	append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+##	Execute chronyd server in the chronyd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`chronyd_systemctl',`
+	gen_require(`
+		type chronyd_t;
+		type chronyd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 chronyd_unit_file_t:file read_file_perms;
+	allow $1 chronyd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, chronyd_t)
+')
+
+#######################################
+## <summary>
+##  Connect to chronyd using a unix
+##  domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`chronyd_stream_connect',`
 	gen_require(`
 		type chronyd_t, chronyd_var_run_t;
 	')
 
 	files_search_pids($1)
-	dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
 ')
 
 ########################################
 ## <summary>
-##	Read chronyd key files.
+##	Send to chronyd using a unix domain
+##	datagram socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -148,13 +207,13 @@ interface(`chronyd_dgram_send',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_read_key_files',`
+interface(`chronyd_dgram_send',`
 	gen_require(`
-		type chronyd_keys_t;
+		type chronyd_t, chronyd_var_run_t;
 	')
 
-	files_search_etc($1)
-	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+	files_search_pids($1)
+	dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
 ')
 
 ####################################
@@ -176,28 +235,81 @@ interface(`chronyd_read_key_files',`
 #
 interface(`chronyd_admin',`
 	gen_require(`
-		type chronyd_t, chronyd_var_log_t;
-		type chronyd_var_run_t, chronyd_var_lib_t;
-		type chronyd_initrc_exec_t, chronyd_keys_t;
+		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+		type chronyd_keys_t, chronyd_unit_file_t;
 	')
 
-	allow $1 chronyd_t:process { ptrace signal_perms };
+	allow $1 chronyd_t:process signal_perms;
 	ps_process_pattern($1, chronyd_t)
 
-	chronyd_initrc_domtrans($1)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 chronyd_t:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 chronyd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, chronyd_keys_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, chronyd_var_log_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, chronyd_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, chronyd_var_run_t)
+
+	admin_pattern($1, chronyd_tmpfs_t)
+
+	admin_pattern($1, chronyd_unit_file_t)
+	chronyd_systemctl($1)
+	allow $1 chronyd_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+##	Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chronyd_domtrans_chronyc',`
+	gen_require(`
+		type chronyc_t, chronyc_exec_t;
+	')
+
+	domtrans_pattern($1, chronyc_exec_t, chronyc_t)
+')
+
+########################################
+## <summary>
+##	Execute chronyc in the chronyc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_run_chronyc',`
+	gen_require(`
+		type chronyc_t;
+        attribute_role chronyc_roles;
+	')
+
+    chronyd_domtrans_chronyc($1)
+    roleattribute $2 chronyc_roles;
 ')
diff --git a/chronyd.te b/chronyd.te
index e5b621c29c..13fff22f47 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
 # Declarations
 #
 
+attribute_role chronyc_roles;
+roleattribute system_r chronyc_roles;
+
 type chronyd_t;
 type chronyd_exec_t;
 init_daemon_domain(chronyd_t, chronyd_exec_t)
@@ -18,6 +21,9 @@ files_type(chronyd_keys_t)
 type chronyd_tmpfs_t;
 files_tmpfs_file(chronyd_tmpfs_t)
 
+type chronyd_unit_file_t;
+systemd_unit_file(chronyd_unit_file_t)
+
 type chronyd_var_lib_t;
 files_type(chronyd_var_lib_t)
 
@@ -27,21 +33,40 @@ logging_log_file(chronyd_var_log_t)
 type chronyd_var_run_t;
 files_pid_file(chronyd_var_run_t)
 
+type chronyd_tmp_t;
+files_tmp_file(chronyd_tmp_t)
+
+type chronyc_t;
+type chronyc_exec_t;
+domain_type(chronyc_t, chronyc_exec_t)
+init_system_domain(chronyc_t, chronyc_exec_t)
+role chronyc_roles types chronyc_t;
+
 ########################################
 #
 # Local policy
 #
 
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin };
+allow chronyd_t self:capability2 block_suspend;
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
 
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 
+allow chronyd_t chronyc_t:unix_dgram_socket sendto;
+
+allow chronyd_t chronyc_exec_t:file mmap_file_perms;
+
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
 manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
 fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+allow chronyd_t chronyd_tmpfs_t:file map;
 
 manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
 manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
@@ -61,6 +86,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)
+kernel_request_load_module(chronyd_t)
+
+can_exec(chronyd_t,chronyc_exec_t)
+
+clock_read_adjtime(chronyd_t)
 
 corenet_all_recvfrom_unlabeled(chronyd_t)
 corenet_all_recvfrom_netlabel(chronyd_t)
@@ -76,18 +106,87 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
 
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
+
 dev_rw_realtime_clock(chronyd_t)
 
 auth_use_nsswitch(chronyd_t)
 
+corecmd_exec_bin(chronyd_t)
+corecmd_exec_shell(chronyd_t)
+
 logging_send_syslog_msg(chronyd_t)
 
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
+
+sysnet_read_dhcpc_state(chronyd_t)
+
+systemd_exec_systemctl(chronyd_t)
+
+userdom_dgram_send(chronyd_t)
 
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
 ')
 
 optional_policy(`
-	mta_send_mail(chronyd_t)
+    virt_read_lib_files(chronyd_t)
+')
+
+optional_policy(`
+    timemaster_stream_connect(chronyd_t)
+    timemaster_read_pid_files(chronyd_t)
+    timemaster_rw_shm(chronyd_t)
+')
+
+optional_policy(`
+    ptp4l_rw_shm(chronyd_t)
+    phc2sys_rw_shm(chronyd_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow chronyc_t self:capability { dac_read_search dac_override };
+allow chronyc_t self:udp_socket create_socket_perms;
+allow chronyc_t self:unix_dgram_socket create_socket_perms;
+allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
+
+allow chronyc_t chronyd_t:unix_dgram_socket sendto;
+
+allow chronyc_t chronyd_keys_t:file manage_file_perms;
+
+manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)
+
+manage_dirs_pattern(chronyc_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyc_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyc_t, chronyd_tmpfs_t, { dir file })
+
+manage_files_pattern(chronyc_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyc_t, chronyd_var_lib_t, file)
+
+manage_files_pattern(chronyc_t, chronyd_var_log_t, chronyd_var_log_t)
+logging_log_filetrans(chronyc_t, chronyd_var_log_t, file)
+
+manage_files_pattern(chronyc_t, chronyd_tmp_t, chronyd_tmp_t)
+files_tmp_filetrans(chronyc_t, chronyd_tmp_t, file)
+
+corecmd_exec_bin(chronyc_t)
+
+sysnet_read_config(chronyc_t)
+
+userdom_use_user_ptys(chronyc_t)
+userdom_use_inherited_user_ttys(chronyc_t)
+userdom_rw_stream(chronyc_t)
+
+optional_policy(`
+    nscd_shm_use(chronyc_t)
 ')
diff --git a/cinder.fc b/cinder.fc
new file mode 100644
index 0000000000..4b318b783e
--- /dev/null
+++ b/cinder.fc
@@ -0,0 +1,16 @@
+
+/usr/bin/cinder-api             --  gen_context(system_u:object_r:cinder_api_exec_t,s0)
+/usr/bin/cinder-backup          --  gen_context(system_u:object_r:cinder_backup_exec_t,s0)     
+/usr/bin/cinder-scheduler       --  gen_context(system_u:object_r:cinder_scheduler_exec_t,s0)
+/usr/bin/cinder-volume          --  gen_context(system_u:object_r:cinder_volume_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-cinder-api.*		--	gen_context(system_u:object_r:cinder_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-backup.*	--	gen_context(system_u:object_r:cinder_backup_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-scheduler.*	--	gen_context(system_u:object_r:cinder_scheduler_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-volume.*		--	gen_context(system_u:object_r:cinder_volume_unit_file_t,s0)
+
+/var/lib/cinder(/.*)?     gen_context(system_u:object_r:cinder_var_lib_t,s0)
+
+/var/log/cinder(/.*)?     gen_context(system_u:object_r:cinder_log_t,s0)
+
+/var/run/cinder(/.*)?     gen_context(system_u:object_r:cinder_var_run_t,s0)
diff --git a/cinder.if b/cinder.if
new file mode 100644
index 0000000000..fc9cae7c76
--- /dev/null
+++ b/cinder.if
@@ -0,0 +1,57 @@
+## <summary>openstack-cinder</summary>
+
+######################################
+## <summary>
+##  Manage cinder lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cinder_manage_lib_files',`
+    gen_require(`
+                type cinder_var_lib_t;
+                                ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  openstack-cinder systemd daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`cinder_domain_template',`
+	gen_require(`
+		attribute cinder_domain;
+	')
+
+	type cinder_$1_t, cinder_domain;
+	type cinder_$1_exec_t;
+	init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)
+
+	type cinder_$1_unit_file_t;
+	systemd_unit_file(cinder_$1_unit_file_t)
+
+	type cinder_$1_tmp_t;
+	files_tmp_file(cinder_$1_tmp_t)
+
+	manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
+	manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
+	files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
+	can_exec(cinder_$1_t, cinder_$1_tmp_t)
+
+	kernel_read_system_state(cinder_$1_t)
+
+    logging_send_syslog_msg(cinder_$1_t)
+
+')
diff --git a/cinder.te b/cinder.te
new file mode 100644
index 0000000000..a05691d8fc
--- /dev/null
+++ b/cinder.te
@@ -0,0 +1,171 @@
+policy_module(cinder, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# cinder-stack daemons contain security issue with using sudo in the code
+# we make this policy as unconfined until this issue is fixed
+#
+
+attribute cinder_domain;
+
+cinder_domain_template(api)
+cinder_domain_template(backup)
+cinder_domain_template(scheduler)
+cinder_domain_template(volume)
+
+type cinder_log_t;
+logging_log_file(cinder_log_t)
+
+type cinder_var_lib_t;
+files_type(cinder_var_lib_t)
+
+type cinder_var_run_t;
+files_pid_file(cinder_var_run_t)
+
+######################################
+#
+# cinder general domain local policy
+#
+
+allow cinder_domain self:process signal_perms;
+allow cinder_domain self:fifo_file rw_fifo_file_perms;
+allow cinder_domain self:tcp_socket create_stream_socket_perms;
+allow cinder_domain self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cinder_domain, cinder_log_t, cinder_log_t)
+manage_files_pattern(cinder_domain, cinder_log_t, cinder_log_t)
+
+manage_dirs_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
+manage_files_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
+
+manage_dirs_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
+manage_files_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
+
+corenet_tcp_connect_amqp_port(cinder_domain)
+corenet_tcp_connect_mysqld_port(cinder_domain)
+
+kernel_read_network_state(cinder_domain)
+
+corecmd_exec_bin(cinder_domain)
+corecmd_exec_shell(cinder_domain)
+corenet_tcp_connect_mysqld_port(cinder_domain)
+
+auth_read_passwd(cinder_domain)
+
+dev_read_sysfs(cinder_domain)
+dev_read_urand(cinder_domain)
+
+fs_getattr_xattr_fs(cinder_domain)
+
+init_read_utmp(cinder_domain)
+
+libs_exec_ldconfig(cinder_domain)
+
+optional_policy(`
+    mysql_stream_connect(cinder_domain)
+    mysql_read_db_lnk_files(cinder_domain)
+')
+
+optional_policy(`
+	sysnet_read_config(cinder_domain)
+	sysnet_exec_ifconfig(cinder_domain)
+')
+
+#######################################
+#
+# cinder api local policy
+#
+
+allow cinder_api_t self:process setfscreate;
+allow cinder_api_t self:key write;
+allow cinder_api_t self:netlink_route_socket r_netlink_socket_perms;
+allow cinder_api_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cinder_api_t)
+
+corenet_tcp_bind_generic_node(cinder_api_t)
+corenet_udp_bind_generic_node(cinder_api_t)
+# should be add to booleans
+corenet_tcp_connect_all_ports(cinder_api_t)
+corenet_tcp_bind_all_unreserved_ports(cinder_api_t)
+
+auth_read_passwd(cinder_api_t)
+
+logging_send_syslog_msg(cinder_api_t)
+
+miscfiles_read_certs(cinder_api_t)
+
+optional_policy(`
+	iptables_domtrans(cinder_api_t)
+')
+
+optional_policy(`
+	ssh_exec_keygen(cinder_api_t)
+')
+
+optional_policy(`
+    gnome_dontaudit_search_config(cinder_api_t)
+')
+
+optional_policy(`
+	unconfined_domain(cinder_api_t)
+')
+
+#######################################
+#
+# cinder backup local policy
+#
+
+allow cinder_backup_t self:udp_socket create_socket_perms;
+
+auth_use_nsswitch(cinder_backup_t)
+
+systemd_dbus_chat_logind(cinder_backup_t)
+
+optional_policy(`
+    unconfined_domain(cinder_backup_t)
+')
+
+#######################################
+#
+# cinder scheduler local policy
+#
+
+allow cinder_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
+allow cinder_scheduler_t self:udp_socket create_socket_perms;
+
+auth_read_passwd(cinder_scheduler_t)
+
+init_read_utmp(cinder_scheduler_t)
+
+optional_policy(`
+    unconfined_domain(cinder_scheduler_t)
+')
+
+#######################################
+#
+# cinder volume local policy
+#
+
+allow cinder_volume_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow cinder_volume_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cinder_volume_t)
+
+logging_send_syslog_msg(cinder_volume_t)
+
+systemd_dbus_chat_logind(cinder_volume_t)
+
+optional_policy(`
+	lvm_domtrans(cinder_volume_t)
+')
+
+optional_policy(`
+    unconfined_domain(cinder_volume_t)
+')
+
diff --git a/cipe.te b/cipe.te
index a0aa693d14..af571edbba 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
 corecmd_exec_shell(ciped_t)
 corecmd_exec_bin(ciped_t)
 
-corenet_all_recvfrom_unlabeled(ciped_t)
 corenet_all_recvfrom_netlabel(ciped_t)
 corenet_udp_sendrecv_generic_if(ciped_t)
 corenet_udp_sendrecv_generic_node(ciped_t)
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
 
 domain_use_interactive_fds(ciped_t)
 
-files_read_etc_files(ciped_t)
 files_read_etc_runtime_files(ciped_t)
 files_dontaudit_search_var(ciped_t)
 
@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
 
 logging_send_syslog_msg(ciped_t)
 
-miscfiles_read_localization(ciped_t)
-
 sysnet_read_config(ciped_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ciped_t)
diff --git a/clamav.fc b/clamav.fc
index d72afcc314..c53b80dcd2 100644
--- a/clamav.fc
+++ b/clamav.fc
@@ -6,6 +6,8 @@
 /usr/bin/clamdscan	--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/freshclam	--	gen_context(system_u:object_r:freshclam_exec_t,s0)
 
+/usr/lib/systemd/system/clamd.*  --  gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
 /usr/sbin/clamd	--	gen_context(system_u:object_r:clamd_exec_t,s0)
 /usr/sbin/clamav-milter	--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
diff --git a/clamav.if b/clamav.if
index 4cc4a5cd0e..a6c6322903 100644
--- a/clamav.if
+++ b/clamav.if
@@ -1,4 +1,4 @@
-## <summary>ClamAV Virus Scanner.</summary>
+## <summary>ClamAV Virus Scanner</summary>
 
 ########################################
 ## <summary>
@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
 		type clamd_t, clamd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, clamd_exec_t, clamd_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to clamd using a unix
-##	domain stream socket.
+##	Connect to run clamd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
 
 ########################################
 ## <summary>
-##	Append clamav log files.
+##	Allow the specified domain to append
+##	to clamav log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59,27 +58,6 @@ interface(`clamav_append_log',`
 	append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
 ')
 
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	clamav pid content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clamav_manage_pid_content',`
-	gen_require(`
-		type clamd_var_run_t;
-	')
-
-	files_search_pids($1)
-	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
-	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-')
-
 ########################################
 ## <summary>
 ##	Read clamav configuration files.
@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
 
 ########################################
 ## <summary>
-##	Search clamav library directories.
+##	Search clamav libraries directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
 		type clamscan_t, clamscan_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, clamscan_exec_t, clamscan_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute clamscan in the caller domain.
+##	Execute clamscan without a transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
 		type clamscan_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, clamscan_exec_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Read clamd process state files.
+##	Manage clamd pid content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -166,21 +142,63 @@ interface(`clamav_exec_clamscan',`
 ##	</summary>
 ## </param>
 #
-interface(`clamav_read_state_clamd',`
+interface(`clamav_manage_clamd_pid',`
 	gen_require(`
-		type clamd_t;
+		type clamd_var_run_t;
 	')
 
-	kernel_search_proc($1)
-	allow $1 clamd_t:dir list_dir_perms;
-	read_files_pattern($1, clamd_t, clamd_t)
-	read_lnk_files_pattern($1, clamd_t, clamd_t)
+	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+#######################################
+## <summary>
+##      Read clamd state files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`clamav_read_state_clamd',`
+        gen_require(`
+                type clamd_t;
+        ')
+
+        kernel_search_proc($1)
+        ps_process_pattern($1, clamd_t)
+')
+
+#######################################
+## <summary>
+##      Execute clamd server in the clamd domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`clamd_systemctl',`
+        gen_require(`
+                type clamd_t;
+                type clamd_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+        allow $1 clamd_unit_file_t:file read_file_perms;
+        allow $1 clamd_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, clamd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an clamav environment.
+##	All of the rules required to administrate
+##	an clamav environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -189,7 +207,7 @@ interface(`clamav_read_state_clamd',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the clamav domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',`
 interface(`clamav_admin',`
 	gen_require(`
 		type clamd_t, clamd_etc_t, clamd_tmp_t;
-		type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
-		type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+		type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+		type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
 		type freshclam_t, freshclam_var_log_t;
+		type clamd_unit_file_t;
 	')
 
-	allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
+	allow $1 clamd_t:process signal_perms;
+	ps_process_pattern($1, clamd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 clamd_t:process ptrace;
+		allow $1 clamscan_t:process ptrace;
+		allow $1 freshclam_t:process ptrace;
+	')
+
+	allow $1 clamscan_t:process signal_perms;
+	ps_process_pattern($1, clamscan_t)
+
+	allow $1 freshclam_t:process signal_perms;
+	ps_process_pattern($1, freshclam_t)
 
 	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 clamd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	clamd_systemctl($1)
+	admin_pattern($1, clamd_unit_file_t)
+	allow $1 clamd_unit_file_t:service all_service_perms;
+
 	files_list_etc($1)
 	admin_pattern($1, clamd_etc_t)
 
@@ -217,11 +252,21 @@ interface(`clamav_admin',`
 	admin_pattern($1, clamd_var_lib_t)
 
 	logging_list_logs($1)
-	admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
+	admin_pattern($1, clamd_var_log_t)
 
 	files_list_pids($1)
 	admin_pattern($1, clamd_var_run_t)
 
 	files_list_tmp($1)
-	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
+	admin_pattern($1, clamd_tmp_t)
+
+	admin_pattern($1, clamscan_tmp_t)
+
+	admin_pattern($1, freshclam_var_log_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+
 ')
diff --git a/clamav.te b/clamav.te
index ce3836acd0..0263671f79 100644
--- a/clamav.te
+++ b/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
 type clamd_initrc_exec_t;
 init_script_file(clamd_initrc_exec_t)
 
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
 type clamd_tmp_t;
 files_tmp_file(clamd_tmp_t)
 
@@ -70,9 +73,10 @@ logging_log_file(freshclam_var_log_t)
 # Clamd local policy
 #
 
-allow clamd_t self:capability { kill setgid setuid dac_override };
+allow clamd_t self:capability { kill setgid setuid dac_read_search dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:process signal;
+
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
 allow clamd_t self:tcp_socket { listen accept };
@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
 
 corecmd_exec_shell(clamd_t)
 
-corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
 corenet_tcp_sendrecv_generic_if(clamd_t)
 corenet_tcp_sendrecv_generic_node(clamd_t)
@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
 
 corenet_sendrecv_generic_client_packets(clamd_t)
 corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
 
 corenet_sendrecv_clamd_server_packets(clamd_t)
 corenet_tcp_bind_clamd_port(clamd_t)
@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
 
 logging_send_syslog_msg(clamd_t)
 
-miscfiles_read_localization(clamd_t)
-
-tunable_policy(`clamd_use_jit',`
-	allow clamd_t self:process execmem;
-',`
-	dontaudit clamd_t self:process execmem;
-')
-
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
 	amavis_read_spool_files(clamd_t)
-	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+	amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
 	amavis_create_pid_files(clamd_t)
 ')
 
@@ -165,12 +161,37 @@ optional_policy(`
 	mta_send_mail(clamd_t)
 ')
 
+optional_policy(`
+	spamd_stream_connect(clamd_t)
+	spamassassin_read_pid_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+	allow clamd_t self:process execmem;
+	allow clamscan_t self:process execmem;
+',`
+	dontaudit clamd_t self:process execmem;
+	dontaudit clamscan_t self:process execmem;
+')
+
+optional_policy(`
+    antivirus_domain_template(clamd_t)
+')
+
+optional_policy(`
+    antivirus_domain_template(clamscan_t)
+')
+
+optional_policy(`
+    antivirus_domain_template(freshclam_t)
+')
+
 ########################################
 #
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { setgid setuid dac_override };
+allow freshclam_t self:capability { setgid setuid dac_read_search dac_override };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
 
 logging_send_syslog_msg(freshclam_t)
 
-miscfiles_read_localization(freshclam_t)
 
 tunable_policy(`clamd_use_jit',`
 	allow freshclam_t self:process execmem;
@@ -240,6 +260,10 @@ optional_policy(`
 	amavis_manage_spool_files(freshclam_t)
 ')
 
+optional_policy(`
+	clamd_systemctl(freshclam_t)
+')
+
 optional_policy(`
 	cron_system_entry(freshclam_t, freshclam_exec_t)
 ')
@@ -249,7 +273,7 @@ optional_policy(`
 # Clamscam local policy
 #
 
-allow clamscan_t self:capability { setgid setuid dac_override };
+allow clamscan_t self:capability { setgid setuid dac_read_search dac_override };
 allow clamscan_t self:fifo_file rw_fifo_file_perms;
 allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
 allow clamscan_t self:unix_dgram_socket create_socket_perms;
@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
 kernel_read_kernel_sysctls(clamscan_t)
 kernel_read_system_state(clamscan_t)
 
-corenet_all_recvfrom_unlabeled(clamscan_t)
 corenet_all_recvfrom_netlabel(clamscan_t)
 corenet_tcp_sendrecv_generic_if(clamscan_t)
 corenet_tcp_sendrecv_generic_node(clamscan_t)
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
 
 corecmd_read_all_executables(clamscan_t)
 
-files_read_etc_files(clamscan_t)
 files_read_etc_runtime_files(clamscan_t)
 files_search_var_lib(clamscan_t)
 
 init_read_utmp(clamscan_t)
 init_dontaudit_write_utmp(clamscan_t)
 
-miscfiles_read_localization(clamscan_t)
 miscfiles_read_public_files(clamscan_t)
 
 sysnet_dns_name_resolve(clamscan_t)
@@ -309,10 +330,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
 	files_getattr_all_sockets(clamscan_t)
 ')
 
-optional_policy(`
-	amavis_read_spool_files(clamscan_t)
-')
-
 optional_policy(`
 	apache_read_sys_content(clamscan_t)
 ')
diff --git a/clockspeed.te b/clockspeed.te
index d3e2a67e53..f5b330c087 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
 
 read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 
-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
 corenet_all_recvfrom_netlabel(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
 
 files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
 
-miscfiles_read_localization(clockspeed_cli_t)
 
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
 
 ########################################
 #
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
 manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 
-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
 corenet_all_recvfrom_netlabel(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
 corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
 
 files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
 
-miscfiles_read_localization(clockspeed_srv_t)
 
 optional_policy(`
 	daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
index 4a5b3d1a59..cd146bd5a3 100644
--- a/clogd.te
+++ b/clogd.te
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
 
 logging_send_syslog_msg(clogd_t)
 
-miscfiles_read_localization(clogd_t)
-
 optional_policy(`
-	aisexec_stream_connect(clogd_t)
-	corosync_stream_connect(clogd_t)
+	rhcs_stream_connect_cluster(clogd_t)
 ')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 0000000000..3849f134a5
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+
+/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-metadata-service     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-cloud-agent    --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
+
+/usr/lib/systemd/system/cloud-config.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/usr/lib/systemd/system/cloud-init.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/lib/min-cloud-agent(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init.*\.log.*  --  gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+
+/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log.*		--		gen_context(system_u:object_r:iwhd_log_t,s0)
+
+/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
index 0000000000..55fe0d6686
--- /dev/null
+++ b/cloudform.if
@@ -0,0 +1,116 @@
+## <summary>cloudform policy</summary>
+
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  cloudform daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`cloudform_domain_template',`
+    gen_require(`
+        attribute cloudform_domain;
+    ')
+
+    type $1_t, cloudform_domain;
+    type $1_exec_t;
+    init_daemon_domain($1_t, $1_exec_t)
+
+    kernel_read_system_state($1_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run cloud_init.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudform_init_domtrans',`
+	gen_require(`
+		type cloud_init_t, cloud_init_exec_t;
+	')
+
+	domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
+')
+
+######################################
+## <summary>
+##	Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudform_exec_mongod',`
+    gen_require(`
+	type mongod_exec_t;
+    ')
+
+    can_exec($1, mongod_exec_t)
+')
+
+#######################################
+## <summary>
+##  Allow read to cloud lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cloudform_read_lib_files',`
+    gen_require(`
+        type cloud_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Allow read to cloud lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cloudform_read_lib_lnk_files',`
+    gen_require(`
+        type cloud_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
+')
+
+######################################
+## <summary>
+##	Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudform_dontaudit_write_cloud_log',`
+    gen_require(`
+	type cloud_log_t;
+    ')
+
+    dontaudit $1 cloud_log_t:file write_inherited_file_perms;
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 0000000000..44e5777093
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,253 @@
+policy_module(cloudform, 1.0)
+########################################
+#
+# Declarations
+#
+
+attribute cloudform_domain;
+
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
+type cloud_init_unit_file_t;
+systemd_unit_file(cloud_init_unit_file_t)
+
+type cloud_var_lib_t;
+files_type(cloud_var_lib_t)
+
+type cloud_log_t;
+logging_log_file(cloud_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
+
+type deltacloudd_var_run_t;
+files_pid_file(deltacloudd_var_run_t)
+
+type deltacloudd_tmp_t;
+files_tmp_file(deltacloudd_tmp_t)
+
+type iwhd_initrc_exec_t;
+init_script_file(iwhd_initrc_exec_t)
+
+type iwhd_var_lib_t;
+files_type(iwhd_var_lib_t)
+
+type iwhd_var_run_t;
+files_pid_file(iwhd_var_run_t)
+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
+########################################
+#
+# cloudform_domain local policy
+#
+
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
+dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
+dev_read_sysfs(cloudform_domain)
+
+auth_read_passwd(cloudform_domain)
+
+miscfiles_read_certs(cloudform_domain)
+
+#################################
+#
+# cloud-init local policy
+#
+
+allow cloud_init_t self:capability { fowner chown fsetid dac_read_search dac_override };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
+
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
+
+kernel_read_network_state(cloud_init_t)
+
+corenet_tcp_connect_http_port(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+domain_read_all_domains_state(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
+auth_use_nsswitch(cloud_init_t)
+
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_dbus_chat_timedated(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+    certmonger_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(cloud_init_t)
+')
+
+optional_policy(`
+	rhsmcertd_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+    networkmanager_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+    dmidecode_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    fstools_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    iptables_filetrans_named_content(cloud_init_t)
+')
+
+optional_policy(`
+    hostname_exec(cloud_init_t)
+')
+
+optional_policy(`
+    mount_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    # it check file context and run restorecon
+    seutil_read_file_contexts(cloud_init_t)
+    seutil_domtrans_setfiles(cloud_init_t)
+')
+
+optional_policy(`
+    ssh_exec_keygen(cloud_init_t)
+    ssh_read_user_home_files(cloud_init_t)
+')
+
+optional_policy(`
+    sysnet_domtrans_ifconfig(cloud_init_t)
+    sysnet_read_dhcpc_state(cloud_init_t)
+    sysnet_dns_name_resolve(cloud_init_t)
+')
+
+optional_policy(`
+    rpm_run(cloud_init_t, system_r)
+    rpm_transition_script(cloud_init_t, system_r)
+')
+
+optional_policy(`
+    unconfined_domain(cloud_init_t)
+')
+
+########################################
+#
+# deltacloudd local policy
+#
+
+allow deltacloudd_t self:capability { dac_read_search dac_override setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
+allow deltacloudd_t self:process signal;
+
+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
+kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+kernel_read_network_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
+
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+corenet_tcp_connect_http_port(deltacloudd_t)
+corenet_tcp_connect_keystone_port(deltacloudd_t)
+
+auth_use_nsswitch(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
+
+optional_policy(`
+	sysnet_read_config(deltacloudd_t)
+')
+
+########################################
+#
+# iwhd local policy
+#
+
+allow iwhd_t self:capability { chown kill };
+allow iwhd_t self:process { fork };
+
+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+
+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
+
+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
+
+kernel_read_system_state(iwhd_t)
+
+corenet_tcp_bind_generic_node(iwhd_t)
+corenet_tcp_bind_websm_port(iwhd_t)
+corenet_tcp_connect_all_ports(iwhd_t)
+
+dev_read_rand(iwhd_t)
+dev_read_urand(iwhd_t)
+
+userdom_home_manager(iwhd_t)
+
diff --git a/cmirrord.if b/cmirrord.if
index cc4e7cb969..f348d27465 100644
--- a/cmirrord.if
+++ b/cmirrord.if
@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
 		type cmirrord_t, cmirrord_tmpfs_t;
 	')
 
-	allow $1 cmirrord_t:shm rw_shm_perms;
+	allow $1 cmirrord_t:shm { rw_shm_perms destroy };
 
 	allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
 	rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+	delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 	read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 	fs_search_tmpfs($1)
 ')
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
 		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
 	')
 
-	allow $1 cmirrord_t:process { ptrace signal_perms };
+	allow $1 cmirrord_t:process signal_perms;
 	ps_process_pattern($1, cmirrord_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cmirrord_t:process ptrace;
+	')
+
 	cmirrord_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
index bbdd3960ef..28b1761820 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t)
 # Local policy
 #
 
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { sys_admin net_admin kill };
 dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process { setfscreate signal };
 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
 allow cmirrord_t self:sem create_sem_perms;
 allow cmirrord_t self:shm create_shm_perms;
 allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:netlink_connector_socket create_socket_perms;
 allow cmirrord_t self:unix_stream_socket { accept listen };
 
 manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
 domain_use_interactive_fds(cmirrord_t)
 domain_obj_id_change_exemption(cmirrord_t)
 
-files_read_etc_files(cmirrord_t)
-
 storage_create_fixed_disk_dev(cmirrord_t)
+storage_raw_read_fixed_disk(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
 
 seutil_read_file_contexts(cmirrord_t)
 
 logging_send_syslog_msg(cmirrord_t)
 
-miscfiles_read_localization(cmirrord_t)
-
 optional_policy(`
 	corosync_stream_connect(cmirrord_t)
 ')
+
+optional_policy(`
+    rhcs_rw_cluster_tmpfs(cmirrord_t)
+')
diff --git a/cobbler.fc b/cobbler.fc
index 973d208ff6..6ce88039ff 100644
--- a/cobbler.fc
+++ b/cobbler.fc
@@ -4,11 +4,15 @@
 
 /usr/bin/cobblerd	--	gen_context(system_u:object_r:cobblerd_exec_t,s0)
 
+/var/cache/cobbler(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/cobbler(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 
+/var/lib/tftpboot/aarch64(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/boot(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/etc(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/grub(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/images(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images2(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/memdisk	--	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/menu\.c32	--	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/ppc(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
index c223f81328..8b567c1911 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
 	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
 ')
 
+
+
+########################################
+## <summary>
+##	Read cobbler configuration dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cobbler_list_config',`
+	gen_require(`
+		type cobbler_etc_t;
+	')
+
+	list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+	files_search_etc($1)
+')
+
+
 ########################################
 ## <summary>
 ##	Read cobbler configuration files.
@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
 
 	files_search_var_lib($1)
 	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 ')
 
 ########################################
@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 ')
 
 ########################################
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
 interface(`cobbler_admin',`
 	gen_require(`
 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+		type cobbler_etc_t, cobblerd_initrc_exec_t;
+		type cobbler_tmp_t;
 	')
 
 	allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
 
 	logging_search_logs($1)
 	admin_pattern($1, cobbler_var_log_t)
-
-	apache_search_sys_content($1)
-	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
 ')
diff --git a/cobbler.te b/cobbler.te
index 5f306dd442..b6d1c0f703 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -62,7 +62,7 @@ files_tmp_file(cobbler_tmp_t)
 # Local policy
 #
 
-allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+allow cobblerd_t self:capability { chown dac_read_search dac_override fowner fsetid sys_nice };
 dontaudit cobblerd_t self:capability sys_tty_config;
 allow cobblerd_t self:process { getsched setsched signal };
 allow cobblerd_t self:fifo_file rw_fifo_file_perms;
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
 
 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
 
 kernel_read_system_state(cobblerd_t)
-kernel_dontaudit_search_network_state(cobblerd_t)
+kernel_read_network_state(cobblerd_t)
 
 corecmd_exec_bin(cobblerd_t)
 corecmd_exec_shell(cobblerd_t)
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
 corenet_tcp_connect_http_port(cobblerd_t)
 corenet_sendrecv_http_client_packets(cobblerd_t)
 
+dev_read_sysfs(cobblerd_t)
 dev_read_urand(cobblerd_t)
 
 files_list_boot(cobblerd_t)
 files_list_tmp(cobblerd_t)
 files_read_boot_files(cobblerd_t)
-files_read_etc_files(cobblerd_t)
 files_read_etc_runtime_files(cobblerd_t)
-files_read_usr_files(cobblerd_t)
 
 fs_getattr_all_fs(cobblerd_t)
 fs_read_iso9660_files(cobblerd_t)
@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
 
 term_use_console(cobblerd_t)
 
+auth_use_nsswitch(cobblerd_t)
+
 logging_send_syslog_msg(cobblerd_t)
 
 miscfiles_read_localization(cobblerd_t)
@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
 ')
 
 optional_policy(`
+	apache_domtrans(cobblerd_t)
 	apache_search_sys_content(cobblerd_t)
 ')
 
@@ -170,6 +173,7 @@ optional_policy(`
 	bind_domtrans(cobblerd_t)
 	bind_initrc_domtrans(cobblerd_t)
 	bind_manage_zone(cobblerd_t)
+	bind_systemctl(cobblerd_t)
 ')
 
 optional_policy(`
@@ -179,12 +183,22 @@ optional_policy(`
 optional_policy(`
 	dhcpd_domtrans(cobblerd_t)
 	dhcpd_initrc_domtrans(cobblerd_t)
+	dhcpd_systemctl(cobblerd_t)
 ')
 
 optional_policy(`
 	dnsmasq_domtrans(cobblerd_t)
 	dnsmasq_initrc_domtrans(cobblerd_t)
 	dnsmasq_write_config(cobblerd_t)
+	dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
+    libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
+    mysql_stream_connect(cobblerd_t)
 ')
 
 optional_policy(`
@@ -192,13 +206,13 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rsync_exec(cobblerd_t)
 	rsync_read_config(cobblerd_t)
-	rsync_manage_config_files(cobblerd_t)
+	rsync_manage_config(cobblerd_t)
 	rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
 ')
 
 optional_policy(`
-	tftp_manage_config_files(cobblerd_t)
-	tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+	tftp_manage_config(cobblerd_t)
 	tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
 ')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
index 0000000000..bf801737de
--- /dev/null
+++ b/cockpit.fc
@@ -0,0 +1,13 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.*		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+/etc/systemd/system/cockpit.*	--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpit-ws		--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/libexec/cockpit-ssh	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/var/lib/cockpit(/.*)?      gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+
+/var/run/cockpit-ws(/.*)?   gen_context(system_u:object_r:cockpit_var_run_t,s0)
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 0000000000..d5920c061c
--- /dev/null
+++ b/cockpit.if
@@ -0,0 +1,188 @@
+## <summary>policy for cockpit</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_ws_domtrans',`
+	gen_require(`
+		type cockpit_ws_t, cockpit_ws_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
+')
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_session_domtrans',`
+	gen_require(`
+		type cockpit_session_t, cockpit_session_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
+')
+
+########################################
+## <summary>
+##	Search cockpit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_search_lib',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	allow $1 cockpit_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read cockpit lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_read_lib_files',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_lib_files',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_lib_dirs',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute cockpit server in the cockpit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cockpit_systemctl',`
+	gen_require(`
+		type cockpit_ws_t;
+		type cockpit_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 cockpit_unit_file_t:file read_file_perms;
+	allow $1 cockpit_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, cockpit_ws_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an cockpit environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cockpit_admin',`
+	gen_require(`
+		type cockpit_ws_t;
+		type cockpit_session_t;
+		type cockpit_var_lib_t;
+		type cockpit_var_run_t;
+		type cockpit_unit_file_t;
+	')
+
+	allow $1 cockpit_ws_t:process { signal_perms };
+	ps_process_pattern($1, cockpit_ws_t)
+
+	allow $1 cockpit_session_t:process { signal_perms };
+	ps_process_pattern($1, cockpit_session_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cockpit_ws_t:process ptrace;
+		allow $1 cockpit_session_t:process ptrace;
+	')
+
+	files_search_var_lib($1)
+	admin_pattern($1, cockpit_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, cockpit_var_run_t)
+
+	cockpit_systemctl($1)
+	admin_pattern($1, cockpit_unit_file_t)
+	allow $1 cockpit_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 0000000000..6b84d6f0f4
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,123 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_ws_t;
+type cockpit_ws_exec_t;
+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
+
+type cockpit_tmp_t;
+files_tmp_file(cockpit_tmp_t)
+
+type cockpit_var_run_t;
+files_pid_file(cockpit_var_run_t)
+
+type cockpit_unit_file_t;
+systemd_unit_file(cockpit_unit_file_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_session_t;
+type cockpit_session_exec_t;
+domain_type(cockpit_session_t)
+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
+
+########################################
+#
+# cockpit_ws_t local policy
+#
+
+allow cockpit_ws_t self:capability net_admin;
+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
+
+# cockpit-ws can execute cockpit-session
+can_exec(cockpit_ws_t,cockpit_session_exec_t)
+
+# cockpit-ws can read from /dev/urandom
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t)  # for libssh
+
+corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
+
+# cockpit-ws can write to its temp files
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_lnk_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file })
+
+read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+auth_use_nsswitch(cockpit_ws_t)
+
+files_mmap_usr_files(cockpit_ws_t)
+
+init_stream_connect(cockpit_ws_t)
+
+logging_send_syslog_msg(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
+cockpit_session_domtrans(cockpit_ws_t)
+allow cockpit_ws_t cockpit_session_t:process signal_perms;
+
+# cockpit-session communicates back with cockpit-ws
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+optional_policy(`
+    kerberos_use(cockpit_ws_t)
+    kerberos_etc_filetrans_keytab(cockpit_ws_t)
+')
+
+optional_policy(`
+	ssh_read_user_home_files(cockpit_ws_t)
+')
+
+#########################################################
+#
+#  cockpit-session local policy
+#
+
+# cockpit-session changes to the actual logged in user
+allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource };
+allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
+
+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file })
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
+# cockpit-session resseting expired passwords
+auth_manage_passwd(cockpit_session_t)
+auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+corenet_tcp_bind_ssh_port(cockpit_session_t)
+corenet_tcp_connect_ssh_port(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
+usermanage_read_crack_db(cockpit_session_t)
+
+optional_policy(`
+    userdom_signal_all_users(cockpit_session_t)
+')
+
+optional_policy(`
+	unconfined_domtrans(cockpit_session_t)
+')
diff --git a/collectd.fc b/collectd.fc
index 79a3abe3ab..bc83ff9381 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -1,9 +1,16 @@
 /etc/rc\.d/init\.d/collectd	--	gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/collectd.*  -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+
 /usr/sbin/collectd	--	gen_context(system_u:object_r:collectd_exec_t,s0)
 
 /var/lib/collectd(/.*)?	gen_context(system_u:object_r:collectd_var_lib_t,s0)
 
+/var/log/collectd(/.*)?		gen_context(system_u:object_r:collectd_log_t,s0)
+/var/log/collectd.log   	--	gen_context(system_u:object_r:collectd_log_t,s0)
+/var/log/collectd.json.log  --  gen_context(system_u:object_r:collectd_log_t,s0)
+
 /var/run/collectd\.pid	--	gen_context(system_u:object_r:collectd_var_run_t,s0)
+/var/run/collectd-unixsock  -s  gen_context(system_u:object_r:collectd_var_run_t,s0)
 
-/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
+/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:collectd_script_exec_t,s0)
diff --git a/collectd.if b/collectd.if
index 954309e644..c4f158fd07 100644
--- a/collectd.if
+++ b/collectd.if
@@ -2,8 +2,165 @@
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an collectd environment.
+##	Transition to collectd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`collectd_domtrans',`
+	gen_require(`
+		type collectd_t, collectd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+########################################
+## <summary>
+##	Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_initrc_domtrans',`
+	gen_require(`
+		type collectd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Search collectd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_search_lib',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	allow $1 collectd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read collectd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_read_lib_files',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage collectd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_manage_lib_files',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage collectd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_manage_lib_dirs',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage collectd httpd rw content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_manage_rw_content',`
+	gen_require(`
+		type collectd_rw_content_t;
+	')
+
+	manage_dirs_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
+	manage_files_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
+	manage_lnk_files_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
+')
+
+########################################
+## <summary>
+##	Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`collectd_systemctl',`
+	gen_require(`
+		type collectd_t;
+		type collectd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 collectd_unit_file_t:file read_file_perms;
+	allow $1 collectd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, collectd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an collectd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -20,13 +177,17 @@
 interface(`collectd_admin',`
 	gen_require(`
 		type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
-		type collectd_var_lib_t;
+        type collectd_var_lib_t, collectd_unit_file_t;
 	')
 
-	allow $1 collectd_t:process { ptrace signal_perms };
+	allow $1 collectd_t:process signal_perms;
 	ps_process_pattern($1, collectd_t)
 
-	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 collectd_t:process ptrace;
+	')
+
+	collectd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 collectd_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -36,4 +197,9 @@ interface(`collectd_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, collectd_var_lib_t)
+
+	collectd_systemctl($1)
+	admin_pattern($1, collectd_unit_file_t)
+	allow $1 collectd_unit_file_t:service all_service_perms;
 ')
+
diff --git a/collectd.te b/collectd.te
index 6471fa8c42..73e2839bee 100644
--- a/collectd.te
+++ b/collectd.te
@@ -20,49 +20,72 @@ init_daemon_domain(collectd_t, collectd_exec_t)
 type collectd_initrc_exec_t;
 init_script_file(collectd_initrc_exec_t)
 
+type collectd_log_t;
+logging_log_file(collectd_log_t)
+
 type collectd_var_lib_t;
 files_type(collectd_var_lib_t)
 
 type collectd_var_run_t;
 files_pid_file(collectd_var_run_t)
 
+type collectd_unit_file_t;
+systemd_unit_file(collectd_unit_file_t)
+
 apache_content_template(collectd)
+apache_content_alias_template(collectd, collectd)
+
+type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
+files_tmp_file(collectd_script_tmp_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search dac_override setuid setgid };
 allow collectd_t self:process { getsched setsched signal };
 allow collectd_t self:fifo_file rw_fifo_file_perms;
 allow collectd_t self:packet_socket create_socket_perms;
-allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:unix_stream_socket { accept listen connectto };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
+
+manage_dirs_pattern(collectd_t, collectd_log_t, collectd_log_t)
+manage_files_pattern(collectd_t, collectd_log_t, collectd_log_t)
+logging_log_filetrans(collectd_t, collectd_log_t, { dir file })
 
 manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
 manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
 files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
 
 manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file })
 
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
+
+auth_use_nsswitch(collectd_t)
 
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
 
 dev_read_rand(collectd_t)
 dev_read_sysfs(collectd_t)
 dev_read_urand(collectd_t)
 
+domain_use_interactive_fds(collectd_t)
+domain_read_all_domains_state(collectd_t)
+
 files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
 
 fs_getattr_all_fs(collectd_t)
+fs_getattr_all_dirs(collectd_t)
 
-miscfiles_read_localization(collectd_t)
+init_read_utmp(collectd_t)
 
 logging_send_syslog_msg(collectd_t)
 
@@ -74,17 +97,40 @@ tunable_policy(`collectd_tcp_network_connect',`
 	corenet_tcp_sendrecv_all_ports(collectd_t)
 ')
 
+optional_policy(`
+	mysql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+    netutils_domtrans_ping(collectd_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+    snmp_read_snmp_var_lib_dirs(collectd_t)
+')
+
 optional_policy(`
 	virt_read_config(collectd_t)
+	virt_stream_connect(collectd_t)
 ')
 
 ########################################
 #
-# Web local policy
+# Web collectd local policy
 #
 
-optional_policy(`
-	read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-	list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-	miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
+
+files_search_var_lib(collectd_script_t)	
+read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
+
+manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
+manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
+files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })	
+
+auth_read_passwd(collectd_script_t)
diff --git a/colord.fc b/colord.fc
index 71639eb543..08ab891711 100644
--- a/colord.fc
+++ b/colord.fc
@@ -7,5 +7,7 @@
 /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
 
+/usr/lib/systemd/system/colord.*  -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
 /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
 /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
index 8e27a37c1b..c69be28b92 100644
--- a/colord.if
+++ b/colord.if
@@ -1,4 +1,4 @@
-## <summary>GNOME color manager.</summary>
+## <summary>GNOME color manager</summary>
 
 ########################################
 ## <summary>
@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
 		type colord_t, colord_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, colord_exec_t, colord_t)
 ')
 
@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
 
 	allow $1 colord_t:dbus send_msg;
 	allow colord_t $1:dbus send_msg;
+	ps_process_pattern(colord_t, $1)
 ')
 
 ######################################
@@ -58,3 +58,27 @@ interface(`colord_read_lib_files',`
 	files_search_var_lib($1)
 	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Execute colord server in the colord domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`colord_systemctl',`
+	gen_require(`
+		type colord_t;
+		type colord_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 colord_unit_file_t:file read_file_perms;
+	allow $1 colord_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
index 9f2dfb2330..ad8ae42281 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
 type colord_t;
 type colord_exec_t;
 dbus_system_domain(colord_t, colord_exec_t)
+init_daemon_domain(colord_t, colord_exec_t)
 
 type colord_tmp_t;
 files_tmp_file(colord_tmp_t)
@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
 type colord_var_lib_t;
 files_type(colord_var_lib_t)
 
+type colord_unit_file_t;
+systemd_unit_file(colord_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
 allow colord_t self:capability { dac_read_search dac_override };
 dontaudit colord_t self:capability sys_admin;
 allow colord_t self:process signal;
+
 allow colord_t self:fifo_file rw_fifo_file_perms;
 allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow colord_t self:tcp_socket { accept listen };
+allow colord_t self:tcp_socket create_stream_socket_perms;
 allow colord_t self:shm create_shm_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
 dev_write_video_dev(colord_t)
 dev_rw_printer(colord_t)
 dev_read_rand(colord_t)
-dev_read_sysfs(colord_t)
 dev_read_urand(colord_t)
-dev_list_sysfs(colord_t)
+dev_read_sysfs(colord_t)
 dev_rw_generic_usb_dev(colord_t)
 
 domain_use_interactive_fds(colord_t)
 
 files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
 
-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
+fs_getattr_all_fs(colord_t)
 fs_list_noxattr_fs(colord_t)
 fs_read_noxattr_fs_files(colord_t)
 fs_search_all(colord_t)
 fs_dontaudit_getattr_all_fs(colord_t)
+fs_getattr_tmpfs(colord_t)
+fs_read_cgroup_files(colord_t)
 
 storage_getattr_fixed_disk_dev(colord_t)
 storage_getattr_removable_dev(colord_t)
@@ -100,19 +106,17 @@ init_read_state(colord_t)
 
 auth_use_nsswitch(colord_t)
 
+init_read_state(colord_t)
+
 logging_send_syslog_msg(colord_t)
 
-miscfiles_read_localization(colord_t)
+systemd_read_logind_sessions_files(colord_t)
+systemd_hwdb_manage_config(colord_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_getattr_nfs(colord_t)
-	fs_read_nfs_files(colord_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_getattr_cifs(colord_t)
-	fs_read_cifs_files(colord_t)
-')
+userdom_rw_user_tmp_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
 
 optional_policy(`
 	cups_read_config(colord_t)
@@ -120,6 +124,13 @@ optional_policy(`
 	cups_read_state(colord_t)
 	cups_stream_connect(colord_t)
 	cups_dbus_chat(colord_t)
+	cups_read_state(colord_t)
+')
+
+optional_policy(`
+	gnome_read_home_icc_data_content(colord_t)
+	# Fixes lots of breakage in F16 on upgrade
+	gnome_read_generic_data_home_files(colord_t)
 ')
 
 optional_policy(`
@@ -137,3 +148,17 @@ optional_policy(`
 	udev_read_db(colord_t)
 	udev_read_pid_files(colord_t)
 ')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(colord_t)
+	xserver_read_xdm_state(colord_t)
+	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+	xserver_read_inherited_xdm_lib_files(colord_t)
+    # allow to read /run/initial-setup-$username
+    xserver_read_xdm_pid(colord_t)
+    xserver_map_xdm_pid(colord_t)
+')
+
+optional_policy(`
+	zoneminder_rw_tmpfs_files(colord_t)
+')
diff --git a/comsat.te b/comsat.te
index c63cf8556e..dc6998b60d 100644
--- a/comsat.te
+++ b/comsat.te
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
 kernel_read_network_state(comsat_t)
 kernel_read_system_state(comsat_t)
 
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
 dev_read_urand(comsat_t)
 
 fs_getattr_xattr_fs(comsat_t)
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
 
 logging_send_syslog_msg(comsat_t)
 
-miscfiles_read_localization(comsat_t)
-
 userdom_dontaudit_getattr_user_ttys(comsat_t)
 
 mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
index ad2b69606a..28d1af0202 100644
--- a/condor.fc
+++ b/condor.fc
@@ -1,6 +1,7 @@
 /etc/condor(/.*)?	gen_context(system_u:object_r:condor_conf_t,s0)
 
 /etc/rc\.d/init\.d/condor	--	gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.*        --  gen_context(system_u:object_r:condor_unit_file_t,s0)
 
 /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
 /usr/sbin/condor_master	--	gen_context(system_u:object_r:condor_master_exec_t,s0)
diff --git a/condor.if b/condor.if
index 881d92f35e..a2d588a51c 100644
--- a/condor.if
+++ b/condor.if
@@ -1,75 +1,391 @@
-## <summary>High-Throughput Computing System.</summary>
+
+## <summary>policy for condor</summary>
+
+#####################################
+## <summary>
+##  Creates types and rules for a basic
+##  condor init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`condor_domain_template',`
+    gen_require(`
+        type condor_master_t;
+        attribute condor_domain;
+    ')
+
+    #############################
+    #
+    # Declarations
+    #
+
+    type condor_$1_t, condor_domain;
+    type condor_$1_exec_t;
+    init_daemon_domain(condor_$1_t, condor_$1_exec_t)
+    role system_r types condor_$1_t;
+
+    domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+    allow condor_master_t condor_$1_exec_t:file ioctl;
+
+	kernel_read_system_state(condor_$1_t)
+
+	corenet_all_recvfrom_netlabel(condor_$1_t)
+	corenet_all_recvfrom_unlabeled(condor_$1_t)
+
+    auth_use_nsswitch(condor_$1_t)
+
+    logging_send_syslog_msg(condor_$1_t)
+')
+
+########################################
+## <summary>
+##	Transition to condor.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`condor_domtrans_master',`
+	gen_require(`
+		type condor_master_t, condor_master_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, condor_master_exec_t, condor_master_t)
+')
+
+#######################################
+## <summary>
+##  Allows to start userland processes
+##  by transitioning to the specified domain,
+##  with a range transition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The process type entered by condor_startd.
+##  </summary>
+## </param>
+## <param name="entrypoint">
+##  <summary>
+##  The executable type for the entrypoint.
+##  </summary>
+## </param>
+## <param name="range">
+##  <summary>
+##  Range for the domain.
+##  </summary>
+## </param>
+#
+interface(`condor_startd_ranged_domtrans_to',`
+    gen_require(`
+        type sshd_t;
+    ')
+    condor_startd_domtrans_to($1, $2)
+
+
+    ifdef(`enable_mcs',`
+        range_transition condor_startd_t $2:process $3;
+    ')
+
+')
 
 #######################################
 ## <summary>
-##	The template to define a condor domain.
+##  Allows to start userlandprocesses
+##  by transitioning to the specified domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="domain">
+##  <summary>
+##  The process type entered by condor_startd.
+##  </summary>
+## </param>
+## <param name="entrypoint">
+##  <summary>
+##  The executable type for the entrypoint.
+##  </summary>
+## </param>
+#
+interface(`condor_startd_domtrans_to',`
+    gen_require(`
+        type condor_startd_t;
+    ')
+
+    domtrans_pattern(condor_startd_t, $2, $1)
+')
+
+########################################
+## <summary>
+##	Read condor's log files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Domain prefix to be used.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-template(`condor_domain_template',`
+interface(`condor_read_log',`
 	gen_require(`
-		attribute condor_domain;
-		type condor_master_t;
+		type condor_log_t;
 	')
 
-	#############################
-	#
-	# Declarations
-	#
+	logging_search_logs($1)
+	read_files_pattern($1, condor_log_t, condor_log_t)
+')
 
-	type condor_$1_t, condor_domain;
-	type condor_$1_exec_t;
-	domain_type(condor_$1_t)
-	domain_entry_file(condor_$1_t, condor_$1_exec_t)
-	role system_r types condor_$1_t;
+########################################
+## <summary>
+##	Append to condor log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_append_log',`
+	gen_require(`
+		type condor_log_t;
+	')
 
-	#############################
-	#
-	# Policy
-	#
+	logging_search_logs($1)
+	append_files_pattern($1, condor_log_t, condor_log_t)
+')
 
-	domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
-	allow condor_master_t condor_$1_exec_t:file ioctl;
+########################################
+## <summary>
+##	Manage condor log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_log',`
+	gen_require(`
+		type condor_log_t;
+	')
 
-	auth_use_nsswitch(condor_$1_t)
+	logging_search_logs($1)
+	manage_dirs_pattern($1, condor_log_t, condor_log_t)
+	manage_files_pattern($1, condor_log_t, condor_log_t)
+	manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an condor environment.
+##	Search condor lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`condor_search_lib',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	allow $1 condor_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read condor lib files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+######################################
+## <summary>
+##  Read and write condor lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_lib_files',`
+    gen_require(`
+        type condor_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage condor lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_lib_files',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage condor lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_lib_dirs',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read condor PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_read_pid_files',`
 	gen_require(`
-		attribute condor_domain;
-		type condor_initrc_exec_config_t, condor_log_t;
-		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
+		type condor_var_run_t;
 	')
 
-	allow $1 condor_domain:process { ptrace signal_perms };
+	files_search_pids($1)
+	allow $1 condor_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute condor server in the condor domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`condor_systemctl',`
+	gen_require(`
+		type condor_domain;
+		type condor_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 condor_unit_file_t:file read_file_perms;
+	allow $1 condor_unit_file_t:service manage_service_perms;
+
 	ps_process_pattern($1, condor_domain)
+')
+
+#######################################
+## <summary>
+##  Read and write condor_startd server TCP sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_tcp_sockets_startd',`
+	gen_require(`
+		type condor_startd_t;
+	')
 
-	init_labeled_script_domtrans($1, condor_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 condor_initrc_exec_t system_r;
-	allow $2 system_r;
+	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
+######################################
+## <summary>
+##  Read and write condor_schedd server TCP sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_tcp_sockets_schedd',`
+    gen_require(`
+        type condor_schedd_t;
+    ')
+
+    allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an condor environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_admin',`
+    gen_require(`
+        attribute condor_domain;
+        type condor_initrc_exec_t, condor_log_t, condor_conf_t;
+        type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+        type condor_var_run_t, condor_startd_tmp_t;
+		type condor_unit_file_t;
+    ')
+
+	allow $1 condor_domain:process { signal_perms };
+	ps_process_pattern($1, condor_domain)
+
+    init_labeled_script_domtrans($1, condor_initrc_exec_t)
+    domain_system_change_exemption($1)
+    role_transition $2 condor_initrc_exec_t system_r;
+    allow $2 system_r;
 
 	files_search_etc($1)
 	admin_pattern($1, condor_conf_t)
@@ -77,8 +393,8 @@ interface(`condor_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, condor_log_t)
 
-	files_search_locks($1)
-	admin_pattern($1, condor_var_lock_t)
+    files_search_locks($1)
+    admin_pattern($1, condor_var_lock_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, condor_var_lib_t)
@@ -88,4 +404,13 @@ interface(`condor_admin',`
 
 	files_search_tmp($1)
 	admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+
+	condor_systemctl($1)
+	admin_pattern($1, condor_unit_file_t)
+	allow $1 condor_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/condor.te b/condor.te
index ce9f040e2f..990ada3adc 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
 type condor_startd_tmpfs_t;
 files_tmpfs_file(condor_startd_tmpfs_t)
 
-type condor_conf_t;
+type condor_conf_t alias condor_etc_rw_t;
 files_config_file(condor_conf_t)
 
 type condor_log_t;
@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
 type condor_var_run_t;
 files_pid_file(condor_var_run_t)
 
+type condor_unit_file_t;
+systemd_unit_file(condor_unit_file_t)
+
 condor_domain_template(collector)
 condor_domain_template(negotiator)
 condor_domain_template(procd)
@@ -60,10 +63,18 @@ condor_domain_template(startd)
 # Global local policy
 #
 
+allow condor_domain self:capability { dac_read_search dac_override };
+allow condor_domain self:capability2 block_suspend;
+
 allow condor_domain self:process signal_perms;
 allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
-allow condor_domain self:unix_stream_socket { accept listen };
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
 
 rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
 
@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
 
 allow condor_domain condor_master_t:process signull;
 allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
 
-kernel_read_kernel_sysctls(condor_domain)
 kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
+kernel_rw_kernel_sysctl(condor_domain)
+kernel_search_network_sysctl(condor_domain)
 
 corecmd_exec_bin(condor_domain)
 corecmd_exec_shell(condor_domain)
 
-corenet_all_recvfrom_netlabel(condor_domain)
-corenet_all_recvfrom_unlabeled(condor_domain)
 corenet_tcp_sendrecv_generic_if(condor_domain)
 corenet_tcp_sendrecv_generic_node(condor_domain)
 
@@ -109,9 +119,9 @@ dev_read_rand(condor_domain)
 dev_read_sysfs(condor_domain)
 dev_read_urand(condor_domain)
 
-logging_send_syslog_msg(condor_domain)
+auth_read_passwd(condor_domain)
 
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
 
 sysnet_dns_name_resolve(condor_domain)
 
@@ -130,7 +140,7 @@ optional_policy(`
 # Master local policy
 #
 
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin };
 
 allow condor_master_t condor_domain:process { sigkill signal };
 
@@ -138,6 +148,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
 
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
+kernel_read_fs_sysctls(condor_master_t)
+kernel_rw_net_sysctls(condor_master_t)
+
 corenet_udp_sendrecv_generic_if(condor_master_t)
 corenet_udp_sendrecv_generic_node(condor_master_t)
 corenet_tcp_bind_generic_node(condor_master_t)
@@ -157,6 +173,8 @@ domain_read_all_domains_state(condor_master_t)
 
 auth_use_nsswitch(condor_master_t)
 
+logging_send_syslog_msg(condor_master_t)
+
 optional_policy(`
 	mta_send_mail(condor_master_t)
 	mta_read_config(condor_master_t)
@@ -174,6 +192,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
 
 kernel_read_network_state(condor_collector_t)
 
+corenet_tcp_bind_http_port(condor_collector_t)
+
 #####################################
 #
 # Negotiator local policy
@@ -183,12 +203,14 @@ allow condor_negotiator_t self:capability { setuid setgid };
 allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
 allow condor_negotiator_t condor_master_t:udp_socket getattr;
 
+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
+
 ######################################
 #
 # Procd local policy
 #
 
-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
+allow condor_procd_t self:capability { fowner chown kill dac_read_search dac_override sys_ptrace };
 
 allow condor_procd_t condor_domain:process sigkill;
 
@@ -199,13 +221,15 @@ domain_read_all_domains_state(condor_procd_t)
 # Schedd local policy
 #
 
-allow condor_schedd_t self:capability { setuid chown setgid dac_override };
+allow condor_schedd_t self:capability { setuid chown setgid dac_read_search dac_override };
 
 allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
 allow condor_schedd_t condor_master_t:udp_socket getattr;
 
 allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
 
+allow condor_schedd_t condor_master_tmp_t:dir getattr;  
+
 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
 domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
 
@@ -214,12 +238,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
 
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
+optional_policy(`
+	mta_send_mail(condor_schedd_t)
+	mta_read_config(condor_schedd_t)
+')
+
 #####################################
 #
 # Startd local policy
 #
 
-allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
+allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search dac_override };
 allow condor_startd_t self:process execmem;
 
 manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
@@ -238,11 +269,10 @@ domain_read_all_domains_state(condor_startd_t)
 mcs_process_set_categories(condor_startd_t)
 
 init_domtrans_script(condor_startd_t)
+init_initrc_domain(condor_startd_t)
 
 libs_exec_lib_files(condor_startd_t)
 
-files_read_usr_files(condor_startd_t)
-
 optional_policy(`
 	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
 	ssh_domtrans(condor_startd_t)
@@ -254,3 +284,7 @@ optional_policy(`
 		kerberos_use(condor_startd_ssh_t)
 	')
 ')
+
+optional_policy(`
+    unconfined_domain(condor_startd_t)
+')
diff --git a/conman.fc b/conman.fc
new file mode 100644
index 0000000000..397da66fbc
--- /dev/null
+++ b/conman.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/conman.*		--	gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand		--	gen_context(system_u:object_r:conman_exec_t,s0)
+
+/usr/share/conman/exec(/.*)?		gen_context(system_u:object_r:conman_unconfined_script_exec_t,s0)
+
+/var/log/conman(/.*)?			gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.d(/.*)?			gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)?		gen_context(system_u:object_r:conman_log_t,s0)
+
+/var/run/conmand.*      --      gen_context(system_u:object_r:conman_var_run_t,s0)
diff --git a/conman.if b/conman.if
new file mode 100644
index 0000000000..1cc5fa4643
--- /dev/null
+++ b/conman.if
@@ -0,0 +1,143 @@
+## <summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
+
+########################################
+## <summary>
+##	Execute conman in the conman domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`conman_domtrans',`
+	gen_require(`
+		type conman_t, conman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, conman_exec_t, conman_t)
+')
+
+########################################
+## <summary>
+##	Read conman's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_read_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Append to conman log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_append_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Manage conman log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_manage_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, conman_log_t, conman_log_t)
+	manage_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Execute conman server in the conman domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`conman_systemctl',`
+	gen_require(`
+		type conman_t;
+		type conman_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 conman_unit_file_t:file read_file_perms;
+	allow $1 conman_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, conman_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an conman environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`conman_admin',`
+	gen_require(`
+		type conman_t;
+		type conman_log_t;
+	    type conman_unit_file_t;
+	')
+
+	allow $1 conman_t:process { signal_perms };
+	ps_process_pattern($1, conman_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 conman_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, conman_log_t)
+
+	conman_systemctl($1)
+	admin_pattern($1, conman_unit_file_t)
+	allow $1 conman_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 0000000000..8d5d884006
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,117 @@
+policy_module(conman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##	Determine whether conman can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(conman_can_network, false)
+
+## <desc>
+## <p>
+## Allow conman to manage nfs files
+## </p>
+## </desc>
+gen_tunable(conman_use_nfs, false)
+
+type conman_t;
+type conman_exec_t;
+init_daemon_domain(conman_t, conman_exec_t)
+
+type conman_log_t;
+logging_log_file(conman_log_t)
+
+type conman_tmp_t;
+files_tmp_file(conman_tmp_t)
+
+type conman_var_run_t;
+files_pid_file(conman_var_run_t)
+
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
+type conman_unconfined_script_t;
+type conman_unconfined_script_exec_t;
+application_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
+init_system_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
+
+########################################
+#
+# conman local policy
+#
+
+allow conman_t self:capability { sys_tty_config };
+allow conman_t self:process { setrlimit signal_perms };
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+allow conman_t conman_unconfined_script_t:process sigkill;
+allow conman_t conman_unconfined_script_exec_t:dir list_dir_perms;
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
+manage_files_pattern(conman_t, conman_tmp_t, conman_tmp_t)
+manage_dirs_pattern(conman_t, conman_tmp_t, conman_tmp_t)
+files_tmp_filetrans(conman_t, conman_tmp_t, { file dir })
+
+manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
+files_pid_filetrans(conman_t, conman_var_run_t, file)
+
+auth_use_nsswitch(conman_t)
+
+kernel_read_system_state(conman_t)
+
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corenet_tcp_connect_all_ephemeral_ports(conman_t)
+
+corecmd_exec_bin(conman_t)
+
+dev_read_urand(conman_t)
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
+term_use_ptmx(conman_t)
+term_use_usb_ttys(conman_t)
+term_getattr_pty_fs(conman_t)
+
+tunable_policy(`conman_can_network',`
+	corenet_sendrecv_all_client_packets(conman_t)
+	corenet_tcp_connect_all_ports(conman_t)
+	corenet_tcp_sendrecv_all_ports(conman_t)
+')
+
+tunable_policy(`conman_use_nfs',`
+	fs_manage_nfs_files(conman_t)
+	fs_read_nfs_symlinks(conman_t)
+')
+
+optional_policy(`
+    freeipmi_stream_connect(conman_t)
+')
+
+########################################
+#
+# conman script local policy
+#
+
+domtrans_pattern(conman_t, conman_unconfined_script_exec_t, conman_unconfined_script_t)
+
+optional_policy(`
+	unconfined_domain(conman_unconfined_script_t)
+')
diff --git a/consolekit.fc b/consolekit.fc
index 23c95582fa..29e5fd38df 100644
--- a/consolekit.fc
+++ b/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.*  -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
 /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
 
 /var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec9c4..78025c5e70 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -19,6 +19,27 @@ interface(`consolekit_domtrans',`
 	domtrans_pattern($1, consolekit_exec_t, consolekit_t)
 ')
 
+########################################
+## <summary>
+##	dontaudit Send and receive messages from
+##	consolekit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+	gen_require(`
+		type consolekit_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 consolekit_t:dbus send_msg;
+	dontaudit consolekit_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
@@ -40,6 +61,24 @@ interface(`consolekit_dbus_chat',`
 	allow consolekit_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to read consolekit log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_read_log',`
+	gen_require(`
+		type consolekit_log_t;
+	')
+
+	dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read consolekit log files.
@@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',`
 	allow $1 consolekit_var_run_t:dir list_dir_perms;
 	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 ')
+
+########################################
+## <summary>
+##	List consolekit PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_list_pid_files',`
+	gen_require(`
+		type consolekit_var_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+## <summary>
+##	Allow the domain to read consolekit state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_read_state',`
+	gen_require(`
+		type consolekit_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, consolekit_t)
+')
+
+########################################
+## <summary>
+##	Execute consolekit server in the consolekit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`consolekit_systemctl',`
+	gen_require(`
+		type consolekit_t;
+		type consolekit_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 consolekit_unit_file_t:file read_file_perms;
+	allow $1 consolekit_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
index bd18063f69..94407f8541 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
 
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search dac_override sys_nice sys_ptrace };
+
 allow consolekit_t self:process { getsched signal };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
 
-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
 
 manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
 
 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
 
-files_read_usr_files(consolekit_t)
+# needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
 files_search_all_mountpoints(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 
-mcs_ptrace_all(consolekit_t)
-
 term_use_all_terms(consolekit_t)
 
 auth_use_nsswitch(consolekit_t)
 auth_manage_pam_console_data(consolekit_t)
 auth_write_login_records(consolekit_t)
 auth_create_pam_console_data_dirs(consolekit_t)
-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+
+init_read_utmp(consolekit_t)
 
 logging_send_syslog_msg(consolekit_t)
 logging_send_audit_msgs(consolekit_t)
 
-miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+systemd_start_power_services(consolekit_t)
 
+userdom_read_all_users_state(consolekit_t)
 userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
 userdom_read_user_tmp_files(consolekit_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(consolekit_t)
-')
+userdom_home_reader(consolekit_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(consolekit_t)
+optional_policy(`
+	cron_read_system_job_lib_files(consolekit_t)
 ')
 
 optional_policy(`
@@ -109,13 +110,6 @@ optional_policy(`
 	')
 ')
 
-optional_policy(`
-	hal_ptrace(consolekit_t)
-')
-
-optional_policy(`
-	networkmanager_append_log_files(consolekit_t)
-')
 
 optional_policy(`
 	policykit_domtrans_auth(consolekit_t)
diff --git a/container.fc b/container.fc
new file mode 100644
index 0000000000..bad12f4214
--- /dev/null
+++ b/container.fc
@@ -0,0 +1,31 @@
+/root/\.docker	gen_context(system_u:object_r:container_home_t,s0)
+
+/usr/bin/docker			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/docker-novolume-plugin		--	gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/lib/docker/docker-novolume-plugin	--	gen_context(system_u:object_r:container_auth_exec_t,s0)
+
+/usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/docker-novolume-plugin.service	--	gen_context(system_u:object_r:container_unit_file_t,s0)
+
+/etc/docker(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+
+/var/lib/docker(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containers(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/overlay(/.*)?	gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/kublet(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+
+/var/run/docker(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.pid		--	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.sock		-s	gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker-client(/.*)?		gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+
+/var/lock/lxc(/.*)?		gen_context(system_u:object_r:container_lock_t,s0)
+
+/var/log/lxc(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
+
+/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:container_share_t,s0)
+/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:container_share_t,s0)
diff --git a/container.if b/container.if
new file mode 100644
index 0000000000..785affa3f5
--- /dev/null
+++ b/container.if
@@ -0,0 +1,542 @@
+
+## <summary>The open-source application container engine.</summary>
+
+########################################
+## <summary>
+##	Execute docker in the docker domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`container_runtime_domtrans',`
+	gen_require(`
+		type container_runtime_t, container_runtime_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
+')
+
+########################################
+## <summary>
+##	Execute docker in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`container_runtime_exec',`
+	gen_require(`
+		type container_runtime_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, container_runtime_exec_t)
+')
+
+########################################
+## <summary>
+##	Search docker lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_search_lib',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	allow $1 container_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Execute docker lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_exec_lib',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	allow $1 container_var_lib_t:dir search_dir_perms;
+	can_exec($1, container_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read docker lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_lib_files',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read docker share files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_share_files',`
+	gen_require(`
+		type container_share_t;
+	')
+
+	files_search_var_lib($1)
+	list_dirs_pattern($1, container_share_t, container_share_t)
+	read_files_pattern($1, container_share_t, container_share_t)
+	read_lnk_files_pattern($1, container_share_t, container_share_t)
+')
+
+######################################
+## <summary>
+##	Allow the specified domain to execute docker shared files
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_exec_share_files',`
+	gen_require(`
+		type container_share_t;
+	')
+
+	can_exec($1, container_share_t)
+')
+
+########################################
+## <summary>
+##	Manage docker lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_lib_files',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, container_var_lib_t, container_var_lib_t)
+	manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage docker lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_lib_dirs',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create objects in a docker var lib directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`container_lib_filetrans',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	filetrans_pattern($1, container_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Read docker PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_pid_files',`
+	gen_require(`
+		type container_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, container_var_run_t, container_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute docker server in the docker domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`container_systemctl',`
+	gen_require(`
+		type container_runtime_t;
+		type container_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 container_unit_file_t:file read_file_perms;
+	allow $1 container_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, container_runtime_t)
+')
+
+########################################
+## <summary>
+##	Read and write docker shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_rw_sem',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	allow $1 container_runtime_t:sem rw_sem_perms;
+')
+
+#######################################
+## <summary>
+##  Read and write the docker pty type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`container_use_ptys',`
+    gen_require(`
+        type container_devpts_t;
+    ')
+
+    allow $1 container_devpts_t:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow domain to create docker content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`container_filetrans_named_content',`
+
+    gen_require(`
+        type container_var_lib_t;
+        type container_share_t;
+    	type container_log_t;
+	    type container_var_run_t;
+        type container_home_t;
+    ')
+
+    files_pid_filetrans($1, container_var_run_t, file, "docker.pid")
+    files_pid_filetrans($1, container_var_run_t, sock_file, "docker.sock")
+    files_pid_filetrans($1, container_var_run_t, dir, "docker-client")
+    logging_log_filetrans($1, container_log_t, dir, "lxc")
+    files_var_lib_filetrans($1, container_var_lib_t, dir, "docker")
+    filetrans_pattern($1, container_var_lib_t, container_share_t, file, "config.env")
+    filetrans_pattern($1, container_var_lib_t, container_share_t, file, "hosts")
+    filetrans_pattern($1, container_var_lib_t, container_share_t, file, "hostname")
+    filetrans_pattern($1, container_var_lib_t, container_share_t, file, "resolv.conf")
+    filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "init")
+    userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".docker")
+')
+
+########################################
+## <summary>
+##	Connect to docker over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_stream_connect',`
+	gen_require(`
+		type container_runtime_t, container_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t)
+')
+
+########################################
+## <summary>
+##	Connect to SPC containers over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_spc_stream_connect',`
+	gen_require(`
+		type spc_t, spc_var_run_t;
+	')
+
+	files_search_pids($1)
+	files_write_all_pid_sockets($1)
+	allow $1 spc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an docker environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin',`
+	gen_require(`
+		type container_runtime_t;
+		type container_var_lib_t, container_var_run_t;
+		type container_unit_file_t;
+		type container_lock_t;
+		type container_log_t;
+		type container_config_t;
+	')
+
+	allow $1 container_runtime_t:process { ptrace signal_perms };
+	ps_process_pattern($1, container_runtime_t)
+
+	admin_pattern($1, container_config_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, container_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, container_var_run_t)
+
+	files_search_locks($1)
+	admin_pattern($1, container_lock_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, container_log_t)
+
+	container_systemctl($1)
+	admin_pattern($1, container_unit_file_t)
+	allow $1 container_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read the process state of spc containers
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_spc_read_state',`
+	gen_require(`
+		type spc_t;
+	')
+
+	ps_process_pattern($1, spc_t)
+')
+
+########################################
+## <summary>
+##	Execute container_auth_exec_t in the container_auth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`container_auth_domtrans',`
+	gen_require(`
+		type container_auth_t, container_auth_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, container_auth_exec_t, container_auth_t)
+')
+
+######################################
+## <summary>
+##	Execute container_auth in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_auth_exec',`
+	gen_require(`
+		type container_auth_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, container_auth_exec_t)
+')
+
+########################################
+## <summary>
+##	Connect to container_auth over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_auth_stream_connect',`
+	gen_require(`
+		type container_auth_t, container_plugin_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
+')
+
+########################################
+## <summary>
+##	docker domain typebounds calling domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain to be typebound.
+## </summary>
+## </param>
+#
+interface(`container_runtime_typebounds',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	typebounds container_runtime_t $1;
+')
+
+########################################
+## <summary>
+##	Allow any container_runtime_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`container_entrypoint',`
+	gen_require(`
+		type container_runtime_exec_t;
+	')
+	allow $1 container_runtime_exec_t:file entrypoint;
+')
+
+########################################
+## <summary>
+##	rw configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_rw_config',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	rw_files_pattern($1, container_config_t, container_config_t)
+	files_search_etc($1)
+')
+
diff --git a/container.te b/container.te
new file mode 100644
index 0000000000..5a929c4277
--- /dev/null
+++ b/container.te
@@ -0,0 +1,391 @@
+policy_module(container, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##  Determine whether docker can
+##  connect to all TCP ports.
+##  </p>
+## </desc>
+gen_tunable(container_connect_any, false)
+
+type container_runtime_t alias docker_t;
+type container_runtime_exec_t alias docker_exec_t;
+init_daemon_domain(container_runtime_t, container_runtime_exec_t)
+domain_subj_id_change_exemption(container_runtime_t)
+domain_role_change_exemption(container_runtime_t)
+
+type spc_t;
+domain_type(spc_t)
+role system_r types spc_t;
+
+type container_auth_t alias docker_auth_t;
+type container_auth_exec_t alias docker_auth_exec_t;
+init_daemon_domain(container_auth_t, container_auth_exec_t)
+
+type spc_var_run_t;
+files_pid_file(spc_var_run_t)
+
+type container_var_lib_t alias docker_var_lib_t;
+files_type(container_var_lib_t)
+
+type container_home_t alias docker_home_t;
+userdom_user_home_content(container_home_t)
+
+type container_config_t alias docker_config_t;
+files_config_file(container_config_t)
+
+type container_lock_t alias docker_lock_t;
+files_lock_file(container_lock_t)
+
+type container_log_t alias docker_log_t;
+logging_log_file(container_log_t)
+
+type container_runtime_tmp_t alias docker_tmp_t;
+files_tmp_file(container_runtime_tmp_t)
+
+type container_runtime_tmpfs_t alias docker_tmpfs_t;
+files_tmpfs_file(container_runtime_tmpfs_t)
+
+type container_var_run_t alias docker_var_run_t;
+files_pid_file(container_var_run_t)
+
+type container_plugin_var_run_t alias docker_plugin_var_run_t;
+files_pid_file(container_plugin_var_run_t)
+
+type container_unit_file_t alias docker_unit_file_t;
+systemd_unit_file(container_unit_file_t)
+
+type container_devpts_t alias docker_devpts_t;
+term_pty(container_devpts_t)
+
+type container_share_t alias docker_share_t;
+files_type(container_share_t)
+
+########################################
+#
+# docker local policy
+#
+allow container_runtime_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
+allow container_runtime_t self:tun_socket relabelto;
+allow container_runtime_t self:process { getattr signal_perms setrlimit setfscreate };
+allow container_runtime_t self:fifo_file rw_fifo_file_perms;
+allow container_runtime_t self:unix_stream_socket create_stream_socket_perms;
+allow container_runtime_t self:tcp_socket create_stream_socket_perms;
+allow container_runtime_t self:udp_socket create_socket_perms;
+allow container_runtime_t self:capability2 block_suspend;
+
+container_auth_stream_connect(container_runtime_t)
+
+manage_files_pattern(container_runtime_t, container_home_t, container_home_t)
+manage_dirs_pattern(container_runtime_t, container_home_t, container_home_t)
+manage_lnk_files_pattern(container_runtime_t, container_home_t, container_home_t)
+userdom_admin_home_dir_filetrans(container_runtime_t, container_home_t, dir, ".docker")
+
+manage_dirs_pattern(container_runtime_t, container_config_t, container_config_t)
+manage_files_pattern(container_runtime_t, container_config_t, container_config_t)
+files_etc_filetrans(container_runtime_t, container_config_t, dir, "docker")
+
+manage_dirs_pattern(container_runtime_t, container_lock_t, container_lock_t)
+manage_files_pattern(container_runtime_t, container_lock_t, container_lock_t)
+files_lock_filetrans(container_runtime_t, container_lock_t, { dir file }, "lxc")
+
+manage_dirs_pattern(container_runtime_t, container_log_t, container_log_t)
+manage_files_pattern(container_runtime_t, container_log_t, container_log_t)
+manage_lnk_files_pattern(container_runtime_t, container_log_t, container_log_t)
+logging_log_filetrans(container_runtime_t, container_log_t, { dir file lnk_file })
+allow container_runtime_t container_log_t:dir_file_class_set { relabelfrom relabelto };
+
+manage_dirs_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_files_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_lnk_files_pattern(container_runtime_t, container_runtime_tmp_t, container_runtime_tmp_t)
+files_tmp_filetrans(container_runtime_t, container_runtime_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_lnk_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_fifo_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_chr_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_blk_files_pattern(container_runtime_t, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+allow container_runtime_t container_runtime_tmpfs_t:dir relabelfrom;
+can_exec(container_runtime_t, container_runtime_tmpfs_t)
+fs_tmpfs_filetrans(container_runtime_t, container_runtime_tmpfs_t, { dir file })
+allow container_runtime_t container_runtime_tmpfs_t:chr_file mounton;
+
+manage_dirs_pattern(container_runtime_t, container_share_t, container_share_t)
+manage_files_pattern(container_runtime_t, container_share_t, container_share_t)
+manage_lnk_files_pattern(container_runtime_t, container_share_t, container_share_t)
+allow container_runtime_t container_share_t:dir_file_class_set { relabelfrom relabelto };
+
+can_exec(container_runtime_t, container_share_t)
+#container_filetrans_named_content(container_runtime_t)
+
+manage_dirs_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_t, container_var_lib_t, container_var_lib_t)
+allow container_runtime_t container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
+files_var_lib_filetrans(container_runtime_t, container_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
+manage_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
+manage_sock_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
+manage_lnk_files_pattern(container_runtime_t, container_var_run_t, container_var_run_t)
+files_pid_filetrans(container_runtime_t, container_var_run_t, { dir file lnk_file sock_file })
+
+allow container_runtime_t container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(container_runtime_t, container_devpts_t)
+
+kernel_read_system_state(container_runtime_t)
+kernel_read_network_state(container_runtime_t)
+kernel_read_all_sysctls(container_runtime_t)
+kernel_rw_net_sysctls(container_runtime_t)
+kernel_setsched(container_runtime_t)
+kernel_read_all_proc(container_runtime_t)
+
+domain_use_interactive_fds(container_runtime_t)
+domain_dontaudit_read_all_domains_state(container_runtime_t)
+
+corecmd_exec_bin(container_runtime_t)
+corecmd_exec_shell(container_runtime_t)
+
+corenet_tcp_bind_generic_node(container_runtime_t)
+corenet_tcp_sendrecv_generic_if(container_runtime_t)
+corenet_tcp_sendrecv_generic_node(container_runtime_t)
+corenet_tcp_sendrecv_generic_port(container_runtime_t)
+corenet_tcp_bind_all_ports(container_runtime_t)
+corenet_tcp_connect_http_port(container_runtime_t)
+corenet_tcp_connect_commplex_main_port(container_runtime_t)
+corenet_udp_sendrecv_generic_if(container_runtime_t)
+corenet_udp_sendrecv_generic_node(container_runtime_t)
+corenet_udp_sendrecv_all_ports(container_runtime_t)
+corenet_udp_bind_generic_node(container_runtime_t)
+corenet_udp_bind_all_ports(container_runtime_t)
+
+files_read_config_files(container_runtime_t)
+files_dontaudit_getattr_all_dirs(container_runtime_t)
+files_dontaudit_getattr_all_files(container_runtime_t)
+
+fs_read_cgroup_files(container_runtime_t)
+fs_read_tmpfs_symlinks(container_runtime_t)
+fs_search_all(container_runtime_t)
+fs_getattr_all_fs(container_runtime_t)
+
+storage_raw_rw_fixed_disk(container_runtime_t)
+
+auth_use_nsswitch(container_runtime_t)
+auth_dontaudit_getattr_shadow(container_runtime_t)
+
+init_read_state(container_runtime_t)
+init_status(container_runtime_t)
+
+logging_send_audit_msgs(container_runtime_t)
+logging_send_syslog_msg(container_runtime_t)
+
+miscfiles_read_localization(container_runtime_t)
+
+mount_domtrans(container_runtime_t)
+
+seutil_read_default_contexts(container_runtime_t)
+seutil_read_config(container_runtime_t)
+
+sysnet_dns_name_resolve(container_runtime_t)
+sysnet_exec_ifconfig(container_runtime_t)
+
+optional_policy(`
+	rpm_exec(container_runtime_t)
+	rpm_read_db(container_runtime_t)
+	rpm_exec(container_runtime_t)
+')
+
+optional_policy(`
+	fstools_domtrans(container_runtime_t)
+')
+
+optional_policy(`
+	iptables_domtrans(container_runtime_t)
+')
+
+optional_policy(`
+	openvswitch_stream_connect(container_runtime_t)
+')
+
+#
+# lxc rules
+#
+
+allow container_runtime_t self:capability { dac_read_search dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
+
+allow container_runtime_t self:process { getcap setcap setexec setpgid setsched signal_perms };
+
+allow container_runtime_t self:netlink_route_socket rw_netlink_socket_perms;;
+allow container_runtime_t self:netlink_audit_socket create_netlink_socket_perms;
+allow container_runtime_t self:unix_dgram_socket { create_socket_perms sendto };
+allow container_runtime_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow container_runtime_t container_var_lib_t:dir mounton;
+allow container_runtime_t container_var_lib_t:chr_file mounton;
+can_exec(container_runtime_t, container_var_lib_t)
+
+kernel_dontaudit_setsched(container_runtime_t)
+kernel_get_sysvipc_info(container_runtime_t)
+kernel_request_load_module(container_runtime_t)
+kernel_mounton_messages(container_runtime_t)
+kernel_mounton_all_proc(container_runtime_t)
+kernel_mounton_all_sysctls(container_runtime_t)
+kernel_unlabeled_entry_type(spc_t)
+kernel_unlabeled_domtrans(container_runtime_t, spc_t)
+
+dev_getattr_all(container_runtime_t)
+dev_getattr_sysfs_fs(container_runtime_t)
+dev_read_urand(container_runtime_t)
+dev_read_lvm_control(container_runtime_t)
+dev_rw_sysfs(container_runtime_t)
+dev_rw_loop_control(container_runtime_t)
+dev_rw_lvm_control(container_runtime_t)
+
+files_getattr_isid_type_dirs(container_runtime_t)
+files_manage_isid_type_dirs(container_runtime_t)
+files_manage_isid_type_files(container_runtime_t)
+files_manage_isid_type_symlinks(container_runtime_t)
+files_manage_isid_type_chr_files(container_runtime_t)
+files_manage_isid_type_blk_files(container_runtime_t)
+files_exec_isid_files(container_runtime_t)
+files_mounton_isid(container_runtime_t)
+files_mounton_non_security(container_runtime_t)
+files_mounton_isid_type_chr_file(container_runtime_t)
+
+fs_mount_all_fs(container_runtime_t)
+fs_unmount_all_fs(container_runtime_t)
+fs_remount_all_fs(container_runtime_t)
+files_mounton_isid(container_runtime_t)
+fs_manage_cgroup_dirs(container_runtime_t)
+fs_manage_cgroup_files(container_runtime_t)
+fs_relabelfrom_xattr_fs(container_runtime_t)
+fs_relabelfrom_tmpfs(container_runtime_t)
+fs_read_tmpfs_symlinks(container_runtime_t)
+fs_list_hugetlbfs(container_runtime_t)
+
+term_use_generic_ptys(container_runtime_t)
+term_use_ptmx(container_runtime_t)
+term_getattr_pty_fs(container_runtime_t)
+term_relabel_pty_fs(container_runtime_t)
+term_mounton_unallocated_ttys(container_runtime_t)
+
+modutils_domtrans_insmod(container_runtime_t)
+
+systemd_status_all_unit_files(container_runtime_t)
+systemd_start_systemd_services(container_runtime_t)
+
+userdom_stream_connect(container_runtime_t)
+userdom_search_user_home_content(container_runtime_t)
+userdom_read_all_users_state(container_runtime_t)
+userdom_relabel_user_home_files(container_runtime_t)
+userdom_relabel_user_tmp_files(container_runtime_t)
+userdom_relabel_user_tmp_dirs(container_runtime_t)
+
+optional_policy(`
+	gpm_getattr_gpmctl(container_runtime_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(container_runtime_t)
+	init_dbus_chat(container_runtime_t)
+	init_start_transient_unit(container_runtime_t)
+
+	optional_policy(`
+		systemd_dbus_chat_logind(container_runtime_t)
+	')
+
+	optional_policy(`
+		firewalld_dbus_chat(container_runtime_t)
+	')
+')
+
+optional_policy(`
+	udev_read_db(container_runtime_t)
+')
+
+optional_policy(`
+	virt_read_config(container_runtime_t)
+	virt_exec(container_runtime_t)
+	virt_stream_connect(container_runtime_t)
+	virt_stream_connect_sandbox(container_runtime_t)
+	virt_exec_sandbox_files(container_runtime_t)
+	virt_manage_sandbox_files(container_runtime_t)
+	virt_relabel_sandbox_filesystem(container_runtime_t)
+	# for lxc
+	virt_transition_svirt_sandbox(container_runtime_t, system_r)
+	virt_mounton_sandbox_file(container_runtime_t)
+#	virt_attach_sandbox_tun_iface(container_runtime_t)
+	allow container_runtime_t svirt_sandbox_domain:tun_socket relabelfrom;
+')
+
+tunable_policy(`container_connect_any',`
+    corenet_tcp_connect_all_ports(container_runtime_t)
+    corenet_sendrecv_all_packets(container_runtime_t)
+    corenet_tcp_sendrecv_all_ports(container_runtime_t)
+')
+
+########################################
+#
+# spc local policy
+#
+allow spc_t { container_var_lib_t container_share_t }:file entrypoint;
+role system_r types spc_t;
+
+domtrans_pattern(container_runtime_t, container_share_t, spc_t)
+domtrans_pattern(container_runtime_t, container_var_lib_t, spc_t)
+allow container_runtime_t spc_t:process { setsched signal_perms };
+ps_process_pattern(container_runtime_t, spc_t)
+allow container_runtime_t spc_t:socket_class_set { relabelto relabelfrom };
+filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, dir, "overlay")
+
+optional_policy(`
+	dbus_chat_system_bus(spc_t)
+')
+
+optional_policy(`
+	unconfined_domain_noaudit(spc_t)
+')
+
+optional_policy(`
+	unconfined_domain(container_runtime_t)
+')
+
+optional_policy(`
+	virt_transition_svirt_sandbox(spc_t, system_r)
+')
+
+########################################
+#
+# container_auth local policy
+#
+allow container_auth_t self:fifo_file rw_fifo_file_perms;
+allow container_auth_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit container_auth_t self:capability net_admin;
+
+container_stream_connect(container_auth_t)
+
+manage_dirs_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file })
+
+domain_use_interactive_fds(container_auth_t)
+
+kernel_read_net_sysctls(container_auth_t)
+
+auth_use_nsswitch(container_auth_t)
+
+files_read_etc_files(container_auth_t)
+
+miscfiles_read_localization(container_auth_t)
+
+sysnet_dns_name_resolve(container_auth_t)
diff --git a/corosync.fc b/corosync.fc
index da39f0fccc..b26d3e0a47 100644
--- a/corosync.fc
+++ b/corosync.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/corosync	--	gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/corosync.*  -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+
 /usr/sbin/corosync	--	gen_context(system_u:object_r:corosync_exec_t,s0)
 /usr/sbin/corosync-notifyd	--	gen_context(system_u:object_r:corosync_exec_t,s0)
 
@@ -10,3 +12,5 @@
 /var/run/cman_.*	-s	gen_context(system_u:object_r:corosync_var_run_t,s0)
 /var/run/corosync\.pid	--	gen_context(system_u:object_r:corosync_var_run_t,s0)
 /var/run/rsctmp(/.*)?	gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync-qdevice(/.*)?	gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync-qnetd(/.*)?	gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/corosync.if b/corosync.if
index 694a037dad..d8596812db 100644
--- a/corosync.if
+++ b/corosync.if
@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
 	read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
 ')
 
+#######################################
+## <summary>
+##	Setattr corosync log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corosync_setattr_log',`
+	gen_require(`
+		type corosync_var_log_t;
+	')
+
+	setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+
 #####################################
 ## <summary>
 ##	Connect to corosync over a unix
@@ -91,29 +110,55 @@ interface(`corosync_read_log',`
 interface(`corosync_stream_connect',`
 	gen_require(`
 		type corosync_t, corosync_var_run_t;
+		type corosync_var_lib_t;
 	')
 
 	files_search_pids($1)
+	stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
 	stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
 ')
 
 ######################################
 ## <summary>
-##	Read and write corosync tmpfs files.
+##  Allow the specified domain to read/write corosync's tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`corosync_rw_tmpfs',`
+    gen_require(`
+        type corosync_tmpfs_t;
+    ')
+
+	rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+
+')
+
+########################################
+## <summary>
+##	Execute corosync server in the corosync domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`corosync_rw_tmpfs',`
+interface(`corosync_systemctl',`
 	gen_require(`
-		type corosync_tmpfs_t;
+		type corosync_t;
+		type corosync_unit_file_t;
 	')
 
-	fs_search_tmpfs($1)
-	rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 corosync_unit_file_t:file read_file_perms;
+	allow $1 corosync_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, corosync_t)
 ')
 
 ######################################
@@ -160,12 +205,17 @@ interface(`corosync_admin',`
 		type corosync_t, corosync_var_lib_t, corosync_var_log_t;
 		type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
 		type corosync_initrc_exec_t;
+		type corosync_unit_file_t;
 	')
 
-	allow $1 corosync_t:process { ptrace signal_perms };
+	allow $1 corosync_t:process signal_perms;
 	ps_process_pattern($1, corosync_t)
 
-	corosync_initrc_domtrans($1)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 corosync_t:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, corosync_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 corosync_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -183,4 +233,8 @@ interface(`corosync_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, corosync_var_run_t)
+
+	corosync_systemctl($1)
+	admin_pattern($1, corosync_unit_file_t)
+	allow $1 corosync_unit_file_t:service all_service_perms;
 ')
diff --git a/corosync.te b/corosync.te
index d5aa1e446e..9a25701453 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t)
 type corosync_var_run_t;
 files_pid_file(corosync_var_run_t)
 
+type corosync_unit_file_t;
+systemd_unit_file(corosync_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
+allow corosync_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
 # for hearbeat
 allow corosync_t self:capability { net_raw chown };
 allow corosync_t self:process { setpgid setrlimit setsched signal signull };
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
 domain_read_all_domains_state(corosync_t)
 
 files_manage_mounttab(corosync_t)
-files_read_usr_files(corosync_t)
 
 auth_use_nsswitch(corosync_t)
 
@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
 miscfiles_read_localization(corosync_t)
 
 userdom_read_user_tmp_files(corosync_t)
-userdom_manage_user_tmpfs_files(corosync_t)
+userdom_delete_user_tmp_files(corosync_t)
+userdom_rw_user_tmp_files(corosync_t)
+
+optional_policy(`
+	fs_manage_tmpfs_files(corosync_t)
+	init_manage_script_status_files(corosync_t)
+')
 
 optional_policy(`
 	ccs_read_config(corosync_t)
@@ -128,21 +136,30 @@ optional_policy(`
 	drbd_domtrans(corosync_t)
 ')
 
+optional_policy(`
+	lvm_rw_clvmd_tmpfs_files(corosync_t)
+	lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
+
 optional_policy(`
 	qpidd_rw_shm(corosync_t)
 ')
 
 optional_policy(`
-	rhcs_getattr_fenced_exec_files(corosync_t)
+	rhcs_getattr_fenced(corosync_t)
+	# to communication with RHCS
 	rhcs_rw_cluster_shm(corosync_t)
 	rhcs_rw_cluster_semaphores(corosync_t)
 	rhcs_stream_connect_cluster(corosync_t)
+	rhcs_read_cluster_lib_files(corosync_t)
+	rhcs_manage_cluster_lib_files(corosync_t)
+	rhcs_relabel_cluster_lib_files(corosync_t)
 ')
 
 optional_policy(`
-	rgmanager_manage_tmpfs_files(corosync_t)
+	rpc_search_nfs_state_data(corosync_t)
 ')
 
 optional_policy(`
-	rpc_search_nfs_state_data(corosync_t)
-')
\ No newline at end of file
+    wdmd_rw_tmpfs(corosync_t)
+')
diff --git a/couchdb.fc b/couchdb.fc
index c0863022d1..5380ab6415 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,8 +1,10 @@
-/etc/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_conf_t,s0)
-
 /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 
-/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
+/usr/lib/systemd/system/couchdb.*		--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)
+
+/etc/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_conf_t,s0)
+
+/usr/libexec/couchdb    --  gen_context(system_u:object_r:couchdb_exec_t,s0)
 
 /var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
 
diff --git a/couchdb.if b/couchdb.if
index 715a826f15..a1cbdb29ef 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Read couchdb log files.
+##	Allow to read couchdb log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
 		type couchdb_log_t;
 	')
 
-	logging_search_logs($1)
+	files_search_var_lib($1)
 	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
 ')
 
 ########################################
 ## <summary>
-##	Read, write, and create couchdb lib files.
+##	Allow to read couchdb lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`couchdb_manage_lib_files',`
+interface(`couchdb_read_lib_files',`
 	gen_require(`
 		type couchdb_var_lib_t;
 	')
@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
 
 ########################################
 ## <summary>
-##	Read couchdb config files.
+##	All of the rules required to
+##	administrate an couchdb environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_manage_lib_files',`
+	gen_require(`
+		type couchdb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage couchdb lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_manage_lib_dirs',`
+	gen_require(`
+		type couchdb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow to read couchdb conf files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
 		type couchdb_conf_t;
 	')
 
-	files_search_etc($1)
+	files_search_var_lib($1)
 	read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
 ')
 
 ########################################
 ## <summary>
-##	Read couchdb pid files.
+##	Read couchdb PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',`
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+	allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##      Search couchdb PID dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`couchdb_search_pid_dirs',`
+        gen_require(`
+                type couchdb_var_run_t;
+        ')
+
+        files_search_pids($1)
+        allow $1 couchdb_var_run_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+##  Allow domain to manage couchdb content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`couchdb_manage_files',`
+        gen_require(`
+                type couchdb_var_run_t;
+                type couchdb_log_t;
+                type couchdb_var_lib_t;
+                type couchdb_conf_t;
+        ')
+
+    manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
+    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+    manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an couchdb environment.
+##	Execute couchdb server in the couchdb domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
+#
+interface(`couchdb_systemctl',`
+	gen_require(`
+		type couchdb_t;
+		type couchdb_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 couchdb_unit_file_t:file read_file_perms;
+	allow $1 couchdb_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, couchdb_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an couchdb environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## </summary>
+## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
@@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',`
 #
 interface(`couchdb_admin',`
 	gen_require(`
+		type couchdb_unit_file_t;
 		type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
 		type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
 		type couchdb_tmp_t;
 	')
 
-	allow $1 couchdb_t:process { ptrace signal_perms };
+	allow $1 couchdb_t:process { signal_perms };
 	ps_process_pattern($1, couchdb_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 couchdb_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 couchdb_initrc_exec_t system_r;
@@ -122,4 +235,13 @@ interface(`couchdb_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, couchdb_var_run_t)
+
+	admin_pattern($1, couchdb_unit_file_t)
+	couchdb_systemctl($1)
+	allow $1 couchdb_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/couchdb.te b/couchdb.te
index ae1c1b12a6..9b3a328c2c 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
 type couchdb_var_run_t;
 files_pid_file(couchdb_var_run_t)
 
+type couchdb_unit_file_t;
+systemd_unit_file(couchdb_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow couchdb_t self:process { setsched signal signull sigkill };
+allow couchdb_t self:process { execmem setsched signal signull sigkill };
 allow couchdb_t self:fifo_file rw_fifo_file_perms;
 allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
+allow couchdb_t self:unix_dgram_socket create_socket_perms;
 allow couchdb_t self:tcp_socket { accept listen };
 
-allow couchdb_t couchdb_conf_t:dir list_dir_perms;
-allow couchdb_t couchdb_conf_t:file read_file_perms;
+manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)
 
 manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
 append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
@@ -56,11 +59,14 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
 
 manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
 manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
+files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir })
 
 can_exec(couchdb_t, couchdb_exec_t)
 
+kernel_read_network_state(couchdb_t)
 kernel_read_system_state(couchdb_t)
+kernel_read_fs_sysctls(couchdb_t)
+kernel_dgram_send(couchdb_t)
 
 corecmd_exec_bin(couchdb_t)
 corecmd_exec_shell(couchdb_t)
@@ -75,14 +81,27 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
 corenet_tcp_bind_couchdb_port(couchdb_t)
 corenet_tcp_sendrecv_couchdb_port(couchdb_t)
 
+# disksup tries to monitor the local disks
+fs_getattr_all_files(couchdb_t)
+fs_getattr_all_dirs(couchdb_t)
+fs_getattr_all_fs(couchdb_t)
+files_getattr_all_mountpoints(couchdb_t)
+files_search_all_mountpoints(couchdb_t)
+files_getattr_lost_found_dirs(couchdb_t)
+files_dontaudit_list_var(couchdb_t)
+
 dev_list_sysfs(couchdb_t)
 dev_read_sysfs(couchdb_t)
 dev_read_urand(couchdb_t)
 
-files_read_usr_files(couchdb_t)
+auth_use_nsswitch(couchdb_t)
 
-fs_getattr_xattr_fs(couchdb_t)
+optional_policy(`
+    gnome_dontaudit_search_config(couchdb_t)
+')
+
+optional_policy(`
+    rpc_read_nfs_state_data(couchdb_t)
+')
 
-auth_use_nsswitch(couchdb_t)
 
-miscfiles_read_localization(couchdb_t)
diff --git a/courier.fc b/courier.fc
index 2f017a076b..defdc871e4 100644
--- a/courier.fc
+++ b/courier.fc
@@ -11,17 +11,18 @@
 /usr/sbin/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 
 /usr/lib/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
 /usr/lib/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib/courier/courier/courierpop.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/courier/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/rootcerts(/.*)?	gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib/courier/sqwebmail/cleancache\.pl	--	gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-/usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/lib/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
 
+ifdef(`distro_gentoo',`
+/usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
 
 /var/lib/courier(/.*)?	gen_context(system_u:object_r:courier_var_lib_t,s0)
 /var/lib/courier-imap(/.*)?	gen_context(system_u:object_r:courier_var_lib_t,s0)
diff --git a/courier.if b/courier.if
index 10f820fc74..acdb179e8d 100644
--- a/courier.if
+++ b/courier.if
@@ -1,12 +1,12 @@
-## <summary>Courier IMAP and POP3 email servers.</summary>
+## <summary>Courier IMAP and POP3 email servers</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a courier domain.
+##	Template for creating courier server processes.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix name of the server process.
 ##	</summary>
 ## </param>
 #
@@ -15,7 +15,7 @@ template(`courier_domain_template',`
 		attribute courier_domain;
 	')
 
-	########################################
+	##############################
 	#
 	# Declarations
 	#
@@ -24,18 +24,30 @@ template(`courier_domain_template',`
 	type courier_$1_exec_t;
 	init_daemon_domain(courier_$1_t, courier_$1_exec_t)
 
-	########################################
+	##############################
 	#
-	# Policy
+	# Declarations
 	#
 
 	can_exec(courier_$1_t, courier_$1_exec_t)
+
+	kernel_read_system_state(courier_$1_t)
+
+	corenet_all_recvfrom_netlabel(courier_$1_t)
+	corenet_tcp_sendrecv_generic_if(courier_$1_t)
+	corenet_udp_sendrecv_generic_if(courier_$1_t)
+	corenet_tcp_sendrecv_generic_node(courier_$1_t)
+	corenet_udp_sendrecv_generic_node(courier_$1_t)
+	corenet_tcp_sendrecv_all_ports(courier_$1_t)
+	corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+	logging_send_syslog_msg(courier_$1_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the courier authentication
-##	daemon with a domain transition.
+##	Execute the courier authentication daemon with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
 		type courier_authdaemon_t, courier_authdaemon_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
 ')
 
 #######################################
 ## <summary>
-##	Connect to courier-authdaemon over
-##	a unix stream socket.
+##  Connect to courier-authdaemon over a unix stream socket.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`courier_stream_connect_authdaemon',`
-	gen_require(`
-		type courier_authdaemon_t, courier_spool_t;
-	')
+    gen_require(`
+        type courier_authdaemon_t, courier_spool_t;
+    ')
 
 	files_search_spool($1)
-	stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+    stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the courier POP3 and IMAP
-##	server with a domain transition.
+##	Execute the courier POP3 and IMAP server with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
 		type courier_pop_t, courier_pop_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
 ')
 
 ########################################
 ## <summary>
-##	Read courier config files.
+##	Read courier config files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
 ##	Create, read, write, and delete courier
 ##	spool files.
 ## </summary>
-## <param name="domain">
+## <param name="domains">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	manage_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	read_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write courier spool pipes.
+##	Read and write to courier spool pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
 	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
 ')
diff --git a/courier.te b/courier.te
index ae3bc70e9a..d64452f774 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
 files_config_file(courier_etc_t)
 
 type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
 
 type courier_var_lib_t;
 files_type(courier_var_lib_t)
@@ -34,7 +34,7 @@ mta_agent_executable(courier_exec_t)
 # Common local policy
 #
 
-allow courier_domain self:capability dac_override;
+allow courier_domain self:capability { dac_read_search dac_override };
 dontaudit courier_domain self:capability sys_tty_config;
 allow courier_domain self:process { setpgid signal_perms };
 allow courier_domain self:fifo_file rw_fifo_file_perms;
@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
 files_pid_filetrans(courier_domain, courier_var_run_t, dir)
 
 kernel_read_kernel_sysctls(courier_domain)
-kernel_read_system_state(courier_domain)
 
 corecmd_exec_bin(courier_domain)
 
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
 
 domain_use_interactive_fds(courier_domain)
 
-files_read_etc_files(courier_domain)
 files_read_etc_runtime_files(courier_domain)
-files_read_usr_files(courier_domain)
 
 fs_getattr_xattr_fs(courier_domain)
 fs_search_auto_mountpoints(courier_domain)
 
-logging_send_syslog_msg(courier_domain)
-
 sysnet_read_config(courier_domain)
 
 userdom_dontaudit_use_unpriv_user_fds(courier_domain)
@@ -76,6 +71,10 @@ optional_policy(`
 	seutil_sigchld_newrole(courier_domain)
 ')
 
+optional_policy(`
+	mysql_stream_connect(courier_domain)
+')
+
 optional_policy(`
 	udev_read_db(courier_domain)
 ')
@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
 create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
 manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
 
+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
 manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
 
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
 
 libs_read_lib_files(courier_authdaemon_t)
 
-miscfiles_read_localization(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
 dev_read_rand(courier_tcpd_t)
 dev_read_urand(courier_tcpd_t)
 
-miscfiles_read_localization(courier_tcpd_t)
 
 ########################################
 #
diff --git a/cpucontrol.te b/cpucontrol.te
index af72c4e55c..afab0367f2 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
 init_use_fds(cpucontrol_domain)
 init_use_script_ptys(cpucontrol_domain)
 
-logging_send_syslog_msg(cpucontrol_domain)
-
 userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
 
 optional_policy(`
@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
 read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
 read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
 
-kernel_list_proc(cpucontrol_t)
 kernel_read_proc_symlinks(cpucontrol_t)
 
 dev_read_sysfs(cpucontrol_t)
 dev_rw_cpu_microcode(cpucontrol_t)
 
+logging_send_syslog_msg(cpucontrol_t)
+
 optional_policy(`
 	rhgb_use_ptys(cpucontrol_t)
 ')
@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
 
 domain_read_all_domains_state(cpuspeed_t)
 
-files_read_etc_files(cpuspeed_t)
 files_read_etc_runtime_files(cpuspeed_t)
 
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
index 6cedb87247..530e250e50 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
 # Local policy
 #
 
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:capability sys_nice;
 allow cpufreqselector_t self:process getsched;
 allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
 
 kernel_read_system_state(cpufreqselector_t)
 
-files_read_etc_files(cpufreqselector_t)
-files_read_usr_files(cpufreqselector_t)
-
 dev_rw_sysfs(cpufreqselector_t)
 
-miscfiles_read_localization(cpufreqselector_t)
-
 userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
 
 optional_policy(`
 	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -51,3 +47,7 @@ optional_policy(`
 	policykit_read_lib(cpufreqselector_t)
 	policykit_read_reload(cpufreqselector_t)
 ')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cpuplug.fc b/cpuplug.fc
new file mode 100644
index 0000000000..be203ff492
--- /dev/null
+++ b/cpuplug.fc
@@ -0,0 +1,3 @@
+/etc/rc.d/init.d/cpuplugd	--	gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)
+
+/usr/sbin/cpuplugd		--	gen_context(system_u:object_r:cpuplug_exec_t,s0)
diff --git a/cpuplug.if b/cpuplug.if
new file mode 100644
index 0000000000..c68d1d3cfb
--- /dev/null
+++ b/cpuplug.if
@@ -0,0 +1,20 @@
+## <summary>cpuplugd - Linux on System z CPU and memory hotplug daemon</summary>
+
+########################################
+## <summary>
+##	Execute cpuplug in the cpuplug domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cpuplug_domtrans',`
+	gen_require(`
+		type cpuplug_t, cpuplug_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
+')
diff --git a/cpuplug.te b/cpuplug.te
new file mode 100644
index 0000000000..074f3e04de
--- /dev/null
+++ b/cpuplug.te
@@ -0,0 +1,40 @@
+policy_module(cpuplug, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpuplug_t;
+type cpuplug_exec_t;
+init_daemon_domain(cpuplug_t, cpuplug_exec_t)
+
+type cpuplug_initrc_exec_t;
+init_script_file(cpuplug_initrc_exec_t)
+
+type cpuplug_lock_t;
+files_lock_file(cpuplug_lock_t)
+
+type cpuplug_var_run_t;
+files_pid_file(cpuplug_var_run_t)
+
+########################################
+#
+# cpuplug local policy
+#
+allow cpuplug_t self:fifo_file rw_fifo_file_perms;
+allow cpuplug_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(cpuplug_t, cpuplug_lock_t, cpuplug_lock_t)
+files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })
+
+manage_files_pattern(cpuplug_t, cpuplug_var_run_t, cpuplug_var_run_t)
+files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
+
+kernel_read_system_state(cpuplug_t)
+kernel_rw_vm_sysctls(cpuplug_t)
+
+dev_rw_sysfs(cpuplug_t)
+
+logging_send_syslog_msg(cpuplug_t)
+
diff --git a/cron.fc b/cron.fc
index ad0bae948b..18a4dd4156 100644
--- a/cron.fc
+++ b/cron.fc
@@ -1,66 +1,77 @@
-/etc/rc\.d/init\.d/(anacron|atd)	--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
 
-/etc/cron\.d(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 
-/usr/bin/at	--	gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/bin/(f)?crontab	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
 
-/usr/libexec/fcron	--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/libexec/fcronsighup	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/usr/sbin/anacron	--	gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/sbin/atd	--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/cron(d)?	--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron	--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcronsighup	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/libexec/fcron  --  gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcronsighup    --  gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/var/lib/glpi/files(/.*)?	gen_context(system_u:object_r:cron_var_lib_t,s0)
+/usr/sbin/anacron		--	gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd			--	gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)?		--	gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup		--	gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/var/log/cron.*	gen_context(system_u:object_r:cron_log_t,s0)
-/var/log/rpmpkgs.*	--	gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.*             gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 
-/var/run/anacron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/atd\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.reboot	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo	-s	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/.*cron.*	--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.*		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 
-/var/spool/anacron(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/at(/.*)?	gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/at/atspool(/.*)?	gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+/var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
 
-/var/spool/cron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
-#/var/spool/cron/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/[^/]*	--	<<none>>
+/var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
+#/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/USER   	--  gen_context(system_u:object_r:user_cron_spool_t,s0)
 
-/var/spool/cron/crontabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/crontabs/.*	--	<<none>>
 #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 
-/var/spool/fcron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.*	<<none>>
+/var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.*			<<none>>
 /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab\.tmp	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/rm\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+')
 
 ifdef(`distro_debian',`
-/var/spool/cron/atjobs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.*		--	gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/atjobs/[^/]*	--	<<none>>
-/var/spool/cron/atspool	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 ')
 
 ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun	-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 ')
 
-ifdef(`distro_suse',`
-/var/spool/cron/lastrun	-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
-/var/spool/cron/tabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 ')
diff --git a/cron.if b/cron.if
index 1303b3036b..f5bd4aee87 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
 
 #######################################
 ## <summary>
-##	The template to define a crontab domain.
+##	The common rules for a crontab domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="userdomain_prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
 ##	</summary>
 ## </param>
 #
@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
 	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
 
+	kernel_read_system_state($1_t)
+
 	auth_domtrans_chk_passwd($1_t)
 	auth_use_nsswitch($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	userdom_home_reader($1_t)
+
 ')
 
 ########################################
 ## <summary>
-##	Role access for cron.
+##	Role access for cron
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -60,56 +68,66 @@ interface(`cron_role',`
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
 		type user_cron_spool_t, crond_t;
-		bool cron_userdomain_transition;
+        bool cron_userdomain_transition;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
+    ##############################
+    #
+    # Declarations
+    #
 
 	role $1 types { cronjob_t crontab_t };
 
-	##############################
-	#
-	# Local policy
-	#
+    ##############################
+    #
+    # Local policy
+    #
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, crontab_t)
 
 	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
 	allow $2 crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+    allow $2 user_cron_spool_t:file { getattr read write ioctl };
 
-	allow $2 crontab_t:process { ptrace signal_perms };
+	# crontab shows up in user ps
+	allow $2 crontab_t:process signal_perms;
 	ps_process_pattern($2, crontab_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 crontab_t:process ptrace;
+	')
+
+	# Run helper programs as the user domain
+	#corecmd_bin_domtrans(crontab_t, $2)
+	#corecmd_shell_domtrans(crontab_t, $2)
 	corecmd_exec_bin(crontab_t)
 	corecmd_exec_shell(crontab_t)
 
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
 
-		allow $2 user_cron_spool_t:file entrypoint;
+	    # needs to be authorized SELinux context for cron
+	    allow $2 user_cron_spool_t:file entrypoint;
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+        allow $2 cronjob_t:process { signal_perms };
 
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+        ps_process_pattern($2, cronjob_t)
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
+        dontaudit $2 user_cron_spool_t:file entrypoint;
 
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
 
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
-	')
+        dontaudit $2 cronjob_t:process { signal_perms };
+    ')
 
 	optional_policy(`
 		gen_require(`
@@ -119,78 +137,75 @@ interface(`cron_role',`
 		dbus_stub(cronjob_t)
 
 		allow cronjob_t $2:dbus send_msg;
-	')
+	')		
 ')
 
 ########################################
 ## <summary>
-##	Role access for unconfined cron.
+##	Role access for unconfined cronjobs
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
 		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
-		type crond_t, user_cron_spool_t;
-		bool cron_userdomain_transition;
+        type crond_t, user_cron_spool_t;
+        bool cron_userdomain_transition;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
-
-	role $1 types { unconfined_cronjob_t crontab_t };
-
-	##############################
-	#
-	# Local policy
-	#
-
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
+    ##############################
+    #
+    # Declarations
+    #
+    
+    role $1 types unconfined_cronjob_t;
 
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
+    ##############################
+    #
+    # Local policy
+    #
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+    dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
 
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
+    allow $2 crond_t:process sigchld;
 
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
+    allow $2 user_cron_spool_t:file { getattr read write ioctl };
 
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
+	# cronjob shows up in user ps
+	ps_process_pattern($2, unconfined_cronjob_t)
+	allow $2 unconfined_cronjob_t:process signal_perms;
 
-		allow $2 user_cron_spool_t:file entrypoint;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 unconfined_cronjob_t:process ptrace;
+	')
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
 
-		allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, unconfined_cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+        allow $2 user_cron_spool_t:file entrypoint;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
 
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+        dontaudit $2 user_cron_spool_t:file entrypoint;
 
-		dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+    ')
 
 	optional_policy(`
 		gen_require(`
@@ -198,55 +213,60 @@ interface(`cron_unconfined_role',`
 		')
 
 		dbus_stub(unconfined_cronjob_t)
-
 		allow unconfined_cronjob_t $2:dbus send_msg;
 	')
 ')
 
 ########################################
 ## <summary>
-##	Role access for admin cron.
+##	Role access for cron
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_admin_role',`
 	gen_require(`
-		type cronjob_t, crontab_exec_t, admin_crontab_t;
+		type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+		type user_cron_spool_t, crond_t;
 		class passwd crontab;
-		type crond_t, user_cron_spool_t;
-		bool cron_userdomain_transition;
+        bool cron_userdomain_transition;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
+    ##############################
+    #
+    # Declarations
+    #
 
-	role $1 types { cronjob_t admin_crontab_t };
+	role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
 
-	##############################
-	#
-	# Local policy
-	#
+    ##############################
+    #
+    # Local policy
+    #
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
 
 	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	allow $2 crond_t:process sigchld;
 
-	allow $2 admin_crontab_t:process { ptrace signal_perms };
+	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
+	allow $2 admin_crontab_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 admin_crontab_t:process ptrace;
+	')
 
 	# Manipulate other users crontab.
 	allow $2 self:passwd crontab;
@@ -254,28 +274,26 @@ interface(`cron_admin_role',`
 	corecmd_exec_bin(admin_crontab_t)
 	corecmd_exec_shell(admin_crontab_t)
 
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
 
-		allow $2 user_cron_spool_t:file entrypoint;
+        allow $2 user_cron_spool_t:file entrypoint;
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
 
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+        allow $2 cronjob_t:process { signal_perms };
+        ps_process_pattern($2, cronjob_t)
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
-
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
-	')
+        dontaudit $2 user_cron_spool_t:file entrypoint;
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+        dontaudit $2 cronjob_t:process { signal_perms };
+    ')
 
 	optional_policy(`
 		gen_require(`
@@ -285,13 +303,13 @@ interface(`cron_admin_role',`
 		dbus_stub(admin_cronjob_t)
 
 		allow cronjob_t $2:dbus send_msg;
-	')
+	')		
 ')
 
 ########################################
 ## <summary>
-##	Make the specified program domain
-##	accessable from the system cron jobs.
+##	Make the specified program domain accessable
+##	from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -307,15 +325,15 @@ interface(`cron_admin_role',`
 interface(`cron_system_entry',`
 	gen_require(`
 		type crond_t, system_cronjob_t;
-		type user_cron_spool_log_t;
 	')
 
-	rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
-
 	domtrans_pattern(system_cronjob_t, $2, $1)
 	domtrans_pattern(crond_t, $2, $1)
 
 	role system_r types $1;
+
+	allow $1 crond_t:fifo_file rw_fifo_file_perms;
+	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -333,13 +351,12 @@ interface(`cron_domtrans',`
 		type system_cronjob_t, crond_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, crond_exec_t, system_cronjob_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute crond in the caller domain. 
+##	Execute crond_exec_t 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -352,7 +369,6 @@ interface(`cron_exec',`
 		type crond_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, crond_exec_t)
 ')
 
@@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	Use crond file descriptors.
+##	Execute crond server in the crond domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cron_systemctl',`
+	gen_require(`
+		type crond_unit_file_t;
+		type crond_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 crond_unit_file_t:file read_file_perms;
+	allow $1 crond_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, crond_t)
+')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor
+##	from the cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -394,7 +435,7 @@ interface(`cron_use_fds',`
 
 ########################################
 ## <summary>
-##	Send child terminated signals to crond.
+##	Send a SIGCHLD signal to the cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -412,7 +453,7 @@ interface(`cron_sigchld',`
 
 ########################################
 ## <summary>
-##	Set the attributes of cron log files.
+##	Send a generic signal to cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -420,17 +461,17 @@ interface(`cron_sigchld',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_setattr_log_files',`
+interface(`cron_signal',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	allow $1 cron_log_t:file setattr_file_perms;
+	allow $1 crond_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Create cron log files.
+##	Read a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -438,17 +479,17 @@ interface(`cron_setattr_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_create_log_files',`
+interface(`cron_read_pipes',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	create_files_pattern($1, cron_log_t, cron_log_t)
+	allow $1 crond_t:fifo_file read_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Write to cron log files.
+##	Read crond state files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -456,18 +497,20 @@ interface(`cron_create_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_write_log_files',`
+interface(`cron_read_state_crond',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	allow $1 cron_log_t:file write_file_perms;
+	kernel_search_proc($1)
+	ps_process_pattern($1, crond_t)
 ')
 
+
 ########################################
 ## <summary>
-##	Create, read, write and delete
-##	cron log files.
+##	Send and receive messages from
+##	crond over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -475,48 +518,37 @@ interface(`cron_write_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_manage_log_files',`
+interface(`cron_dbus_chat_crond',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
+		class dbus send_msg;
 	')
 
-	manage_files_pattern($1, cron_log_t, cron_log_t)
-
-	logging_search_logs($1)
+	allow $1 crond_t:dbus send_msg;
+	allow crond_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in generic
-##	log directories with the cron log file type.
+##	Do not audit attempts to write cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`cron_generic_log_filetrans_log',`
+interface(`cron_dontaudit_write_pipes',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	logging_log_filetrans($1, cron_log_t, $2, $3)
+	dontaudit $1 crond_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Read cron daemon unnamed pipes.
+##	Read and write a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -524,18 +556,17 @@ interface(`cron_generic_log_filetrans_log',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_read_pipes',`
+interface(`cron_rw_pipes',`
 	gen_require(`
 		type crond_t;
 	')
 
-	allow $1 crond_t:fifo_file read_fifo_file_perms;
+	allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	cron daemon unnamed pipes.
+##	Do not audit attempts to setattr cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -543,17 +574,17 @@ interface(`cron_read_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_dontaudit_write_pipes',`
+interface(`cron_dontaudit_setattr_pipes',`
 	gen_require(`
 		type crond_t;
 	')
 
-	dontaudit $1 crond_t:fifo_file write;
+	dontaudit $1 crond_t:fifo_file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Read and write crond unnamed pipes.
+##	Read and write inherited user spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -561,17 +592,35 @@ interface(`cron_dontaudit_write_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_rw_pipes',`
+interface(`cron_rw_inherited_user_spool_files',`
 	gen_require(`
-		type crond_t;
+		type user_cron_spool_t;
 	')
 
-	allow $1 crond_t:fifo_file rw_fifo_file_perms;
+	allow $1 user_cron_spool_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write crond TCP sockets.
+##	Read and write inherited spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_inherited_spool_files',`
+	gen_require(`
+		type cron_spool_t;
+	')
+
+	allow $1 cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write cron daemon TCP sockets.
+##	Dontaudit Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Search cron spool directories.
+##	Search the directory containing user cron tables.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -627,8 +675,7 @@ interface(`cron_search_spool',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	crond pid files.
+##	Search the directory containing user cron tables.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -636,37 +683,37 @@ interface(`cron_search_spool',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_manage_pid_files',`
+interface(`cron_manage_system_spool',`
 	gen_require(`
-		type crond_var_run_t;
+		type cron_system_spool_t;
 	')
 
-	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+	files_search_spool($1)
+	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute anacron in the cron
-##	system domain.
+##	Manage pid files used by cron
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`cron_anacron_domtrans_system_job',`
+interface(`cron_manage_pid_files',`
 	gen_require(`
-		type system_cronjob_t, anacron_exec_t;
+		type crond_var_run_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+	files_search_pids($1)
+	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Use system cron job file descriptors.
+##	Read pid files used by cron
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -674,37 +721,37 @@ interface(`cron_anacron_domtrans_system_job',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_use_system_job_fds',`
+interface(`cron_read_pid_files',`
 	gen_require(`
-		type system_cronjob_t;
+		type crond_var_run_t;
 	')
 
-	allow $1 system_cronjob_t:fd use;
+	files_search_pids($1)
+	read_files_pattern($1, crond_var_run_t, crond_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Read system cron job lib files.
+##	Execute anacron in the cron system domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`cron_read_system_job_lib_files',`
+interface(`cron_anacron_domtrans_system_job',`
 	gen_require(`
-		type system_cronjob_var_lib_t;
+		type system_cronjob_t, anacron_exec_t;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	system cron job lib files.
+##	Inherit and use a file descriptor
+##	from system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -712,18 +759,17 @@ interface(`cron_read_system_job_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_manage_system_job_lib_files',`
+interface(`cron_use_system_job_fds',`
 	gen_require(`
-		type system_cronjob_var_lib_t;
+		type system_cronjob_t;
 	')
 
-	files_search_var_lib($1)
-	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+	allow $1 system_cronjob_t:fd use;
 ')
 
 ########################################
 ## <summary>
-##	Write system cron job unnamed pipes.
+##	Write a system cron job unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',`
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:file write;
+	allow $1 system_cronjob_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Read and write system cron job
-##	unnamed pipes.
+##	Read and write a system cron job unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',`
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+	allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write inherited system cron
-##	job unix domain stream sockets.
+##	Allow read/write unix stream sockets from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',`
 
 ########################################
 ## <summary>
-##	Read system cron job temporary files.
+##	Read temporary files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',`
 #
 interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
-		type system_cronjob_tmp_t;
+		type system_cronjob_tmp_t, cron_var_run_t;
 	')
 
 	files_search_tmp($1)
 	allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+	files_search_pids($1)
+	allow $1 cron_var_run_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to append temporary
-##	system cron job files.
+##	files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -818,7 +865,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to write temporary
-##	system cron job files.
+##	files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 interface(`cron_dontaudit_write_system_job_tmp_files',`
 	gen_require(`
 		type system_cronjob_tmp_t;
+		type cron_var_run_t;
 	')
 
 	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+	dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+	gen_require(`
+		type system_cronjob_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+	gen_require(`
+		type system_cronjob_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Create, read, write and delete
+##  cron log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cron_manage_log_files',`
+    gen_require(`
+        type cron_log_t;
+    ')
+
+    manage_files_pattern($1, cron_log_t, cron_log_t)
+
+    logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##  Create specified objects in generic
+##  log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="object_class">
+##  <summary>
+##  Class of the object being created.
+##  </summary>
+## </param>
+## <param name="name" optional="true">
+##  <summary>
+##  The name of the object being created.
+##  </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+    gen_require(`
+        type cron_log_t;
+    ')
+
+    logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+#######################################
+## <summary>
+##  Create specified objects in generic
+##  log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="object_class">
+##  <summary>
+##  Class of the object being created.
+##  </summary>
+## </param>
+## <param name="name" optional="true">
+##  <summary>
+##  The name of the object being created.
+##  </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log_insights',`
+    gen_require(`
+        type var_log_t;
+    ')
+
+    logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
 ')
diff --git a/cron.te b/cron.te
index 7de385956a..b9b2c8f7f8 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
 
 ## <desc>
 ##	<p>
-##	Determine whether system cron jobs
-##	can relabel filesystem for
-##	restoring file contexts.
+##	Allow system cron jobs to relabel filesystem
+##	for restoring file contexts.
 ##	</p>
 ## </desc>
 gen_tunable(cron_can_relabel, false)
 
 ## <desc>
-##	<p>
-##	Determine whether crond can execute jobs
-##	in the user domain as opposed to the
-##	the generic cronjob domain.
-##	</p>
+##  <p>
+##  Determine whether crond can execute jobs
+##  in the user domain as opposed to the
+##  the generic cronjob domain.
+##  </p>
+## </desc>
+gen_tunable(cron_userdomain_transition, true)
+
+## <desc>
+##  <p>
+##  Allow system cronjob to be executed on
+##  on NFS, CIFS or FUSE filesystem.
+##  </p>
 ## </desc>
-gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_system_cronjob_use_shares, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether extra rules
-##	should be enabled to support fcron.
+##	Enable extra rules in the cron domain
+##	to support fcron.
 ##	</p>
 ## </desc>
 gen_tunable(fcron_crond, false)
 
-attribute cron_spool_type;
 attribute crontab_domain;
+attribute cron_spool_type;
 
 type anacron_exec_t;
 application_executable_file(anacron_exec_t)
 
 type cron_spool_t;
-files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+files_spool_file(cron_spool_t)
 
+# var/lib files
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
 
 type cron_var_run_t;
 files_pid_file(cron_var_run_t)
 
+# var/log files
 type cron_log_t;
 logging_log_file(cron_log_t)
 
@@ -71,6 +79,9 @@ domain_cron_exemption_source(crond_t)
 type crond_initrc_exec_t;
 init_script_file(crond_initrc_exec_t)
 
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 files_poly_parent(crond_tmp_t)
@@ -92,15 +103,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
 typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
 typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
 typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
 
 type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
 
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
+corecmd_bin_entry_type(system_cronjob_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
@@ -108,94 +121,34 @@ files_lock_file(system_cronjob_lock_t)
 type system_cronjob_tmp_t alias system_crond_tmp_t;
 files_tmp_file(system_cronjob_tmp_t)
 
-type system_cronjob_var_lib_t;
-files_type(system_cronjob_var_lib_t)
-
-type system_cronjob_var_run_t;
-files_pid_file(system_cronjob_var_run_t)
-
+# Type of user crontabs once moved to cron spool.
 type user_cron_spool_t, cron_spool_type;
 typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
 mta_system_content(user_cron_spool_t)
 
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
 ')
 
-##############################
-#
-# Common crontab local policy
-#
-
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-allow crontab_domain self:process { getcap setsched signal_perms };
-allow crontab_domain self:fifo_file rw_fifo_file_perms;
-
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-
-allow crontab_domain crond_t:process signal;
-allow crontab_domain crond_var_run_t:file read_file_perms;
-
-kernel_read_system_state(crontab_domain)
-
-selinux_dontaudit_search_fs(crontab_domain)
-
-files_list_spool(crontab_domain)
-files_read_etc_files(crontab_domain)
-files_read_usr_files(crontab_domain)
-files_search_pids(crontab_domain)
-
-fs_getattr_xattr_fs(crontab_domain)
-fs_manage_cgroup_dirs(crontab_domain)
-fs_rw_cgroup_files(crontab_domain)
-
-domain_use_interactive_fds(crontab_domain)
-
-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-
-auth_rw_var_auth(crontab_domain)
-
-logging_send_syslog_msg(crontab_domain)
-logging_send_audit_msgs(crontab_domain)
-logging_set_loginuid(crontab_domain)
-
-init_dontaudit_write_utmp(crontab_domain)
-init_read_utmp(crontab_domain)
-init_read_state(crontab_domain)
-
-miscfiles_read_localization(crontab_domain)
-
-seutil_read_config(crontab_domain)
-
-userdom_manage_user_tmp_dirs(crontab_domain)
-userdom_manage_user_tmp_files(crontab_domain)
-userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
-
-tunable_policy(`fcron_crond',`
-	dontaudit crontab_domain crond_t:process signal;
-')
-
 ########################################
 #
-# Admin local policy
+# Admin crontab local policy
 #
 
-allow admin_crontab_t self:capability fsetid;
-allow admin_crontab_t crond_t:process signal;
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
 
+# Manipulate other users crontab.
 selinux_get_fs_mount(admin_crontab_t)
 selinux_validate_context(admin_crontab_t)
 selinux_compute_access_vector(admin_crontab_t)
@@ -204,22 +157,26 @@ selinux_compute_relabel_context(admin_crontab_t)
 selinux_compute_user_contexts(admin_crontab_t)
 
 tunable_policy(`fcron_crond',`
+	# fcron wants an instant update of a crontab change for the administrator
+	# also crontab does a security check for crontab -u
 	allow admin_crontab_t self:process setfscreate;
 ')
 
 ########################################
 #
-# Daemon local policy
+# Cron daemon local policy
 #
 
 allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
 allow crond_t self:unix_dgram_socket sendto;
-allow crond_t self:unix_stream_socket { accept connectto listen };
+allow crond_t self:unix_stream_socket connectto;
 allow crond_t self:shm create_shm_perms;
 allow crond_t self:sem create_sem_perms;
 allow crond_t self:msgq create_msgq_perms;
@@ -227,7 +184,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 
-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
 logging_log_filetrans(crond_t, cron_log_t, file)
 
 manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
@@ -237,73 +194,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
 
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
 
 list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 
-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
 
-allow crond_t system_cronjob_t:process transition;
-allow crond_t system_cronjob_t:fd use;
-allow crond_t system_cronjob_t:key manage_key_perms;
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
 
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+dev_read_urand(crond_t)
 
-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
 
-kernel_read_kernel_sysctls(crond_t)
-kernel_read_fs_sysctls(crond_t)
-kernel_search_key(crond_t)
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
 
 corecmd_exec_shell(crond_t)
-corecmd_exec_bin(crond_t)
 corecmd_list_bin(crond_t)
-
-dev_read_sysfs(crond_t)
-dev_read_urand(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
 domain_subj_id_change_exemption(crond_t)
 domain_role_change_exemption(crond_t)
 
-fs_getattr_all_fs(crond_t)
-fs_list_inotifyfs(crond_t)
-fs_manage_cgroup_dirs(crond_t)
-fs_rw_cgroup_files(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
-files_read_usr_files(crond_t)
 files_read_etc_runtime_files(crond_t)
 files_read_generic_spool(crond_t)
 files_list_usr(crond_t)
+# Read from /var/spool/cron.
 files_search_var_lib(crond_t)
 files_search_default(crond_t)
 files_read_all_locks(crond_t)
 
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
+# needed by "crontab -e"
 mls_file_read_all_levels(crond_t)
 mls_file_write_all_levels(crond_t)
+
+# needed because of kernel check of transition
 mls_process_set_level(crond_t)
-mls_trusted_object(crond_t)
 
-selinux_get_fs_mount(crond_t)
-selinux_validate_context(crond_t)
-selinux_compute_access_vector(crond_t)
-selinux_compute_create_context(crond_t)
-selinux_compute_relabel_context(crond_t)
-selinux_compute_user_contexts(crond_t)
+# to make cronjob working
+mls_fd_share_all_levels(crond_t)
+mls_trusted_object(crond_t)
 
 init_read_state(crond_t)
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)
 
-auth_domtrans_chk_passwd(crond_t)
-auth_manage_var_auth(crond_t)
 auth_use_nsswitch(crond_t)
 
 logging_send_audit_msgs(crond_t)
@@ -312,41 +264,46 @@ logging_set_loginuid(crond_t)
 
 seutil_read_config(crond_t)
 seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
 
-miscfiles_read_localization(crond_t)
 
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
 userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
+userdom_manage_all_users_keys(crond_t)
 
-tunable_policy(`cron_userdomain_transition',`
-	dontaudit crond_t cronjob_t:process transition;
-	dontaudit crond_t cronjob_t:fd use;
-	dontaudit crond_t cronjob_t:key manage_key_perms;
-',`
-	allow crond_t cronjob_t:process transition;
-	allow crond_t cronjob_t:fd use;
-	allow crond_t cronjob_t:key manage_key_perms;
-')
+mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
 
 ifdef(`distro_debian',`
+	# pam_limits is used
 	allow crond_t self:process setrlimit;
 
-	optional_policy(`
-		logwatch_search_cache_dir(crond_t)
-	')
+')
+
+optional_policy(`
+	logwatch_search_cache_dir(crond_t)
+')
+
+optional_policy(`
+	bind_read_config(crond_t)
 ')
 
 ifdef(`distro_redhat',`
+	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(crond_t)
 	')
 ')
 
-tunable_policy(`allow_polyinstantiation',`
+tunable_policy(`polyinstantiation_enabled',`
 	files_polyinstantiate_all(crond_t)
 ')
 
-tunable_policy(`fcron_crond',`
-	allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+tunable_policy(`fcron_crond', `
+	allow crond_t system_cron_spool_t:file manage_file_perms;
 ')
 
 optional_policy(`
@@ -354,103 +311,141 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client(crond_t)
-
-	optional_policy(`
-		hal_dbus_chat(crond_t)
-	')
-
-	optional_policy(`
-		unconfined_dbus_send(crond_t)
-	')
+	djbdns_search_tinydns_keys(crond_t)
+	djbdns_link_tinydns_keys(crond_t)
 ')
 
 optional_policy(`
-	amanda_search_var_lib(crond_t)
+	locallogin_search_keys(crond_t)
+	locallogin_link_keys(crond_t)
 ')
 
 optional_policy(`
-	amavis_search_lib(crond_t)
+	# these should probably be unconfined_crond_t
+	dbus_system_bus_client(crond_t)
+	init_dbus_send_script(crond_t)
+	init_dbus_chat(crond_t)
 ')
 
 optional_policy(`
-	djbdns_search_tinydns_keys(crond_t)
-	djbdns_link_tinydns_keys(crond_t)
+	amanda_search_var_lib(crond_t)
 ')
 
 optional_policy(`
-	hal_write_log(crond_t)
+	antivirus_search_db(crond_t)
 ')
 
 optional_policy(`
-	locallogin_search_keys(crond_t)
-	locallogin_link_keys(crond_t)
+	hal_dbus_chat(crond_t)
+	hal_write_log(crond_t)
+	hal_dbus_chat(system_cronjob_t)
 ')
 
 optional_policy(`
-	mta_send_mail(crond_t)
+	# cjp: why?
+	munin_search_lib(crond_t)
 ')
 
 optional_policy(`
-	munin_search_lib(crond_t)
+	rpc_search_nfs_state_data(crond_t)
 ')
 
 optional_policy(`
-	postgresql_search_db(crond_t)
+	# Commonly used from postinst scripts
+	rpm_read_pipes(crond_t)
 ')
 
 optional_policy(`
-	rpc_search_nfs_state_data(crond_t)
+	# allow crond to find /usr/lib/postgresql/bin/do.maintenance
+	postgresql_search_db(crond_t)
 ')
 
 optional_policy(`
-	rpm_read_pipes(crond_t)
+	systemd_use_fds_logind(crond_t)
+	systemd_write_inherited_logind_sessions_pipes(crond_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(crond_t)
+	udev_read_db(crond_t)
 ')
 
 optional_policy(`
-	udev_read_db(crond_t)
+	vnstatd_search_lib(crond_t)
 ')
 
 ########################################
 #
-# System local policy
+# System cron process domain
 #
 
 allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+# This is to handle creation of files in /var/log directory.
+#  Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
+# This is to handle /var/lib/misc directory.  Used currently
+# by prelink var/lib files for cron 
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
 allow system_cronjob_t cron_var_run_t:file manage_file_perms;
 files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
 
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
 manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
 
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+tunable_policy(`cron_system_cronjob_use_shares',`
+    fs_fusefs_entrypoint(system_cronjob_t)
+    fs_nfs_entrypoint(system_cronjob_t)
+    fs_cifs_entrypoint(system_cronjob_t)
+')
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
+# Write /var/lock/makewhatis.lock.
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
 
+# write temporary files
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
 
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 
-allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-allow system_cronjob_t crond_t:process sigchld;
-
+# Read from /var/spool/cron.
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
@@ -461,11 +456,11 @@ kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
+# ps does not need to access /boot when run from cron
 files_dontaudit_search_boot(system_cronjob_t)
 
 corecmd_exec_all_executables(system_cronjob_t)
 
-corenet_all_recvfrom_unlabeled(system_cronjob_t)
 corenet_all_recvfrom_netlabel(system_cronjob_t)
 corenet_tcp_sendrecv_generic_if(system_cronjob_t)
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -485,6 +480,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
 fs_getattr_all_pipes(system_cronjob_t)
 fs_getattr_all_sockets(system_cronjob_t)
 
+# quiet other ps operations
 domain_dontaudit_read_all_domains_state(system_cronjob_t)
 
 files_exec_etc_files(system_cronjob_t)
@@ -495,17 +491,22 @@ files_getattr_all_files(system_cronjob_t)
 files_getattr_all_symlinks(system_cronjob_t)
 files_getattr_all_pipes(system_cronjob_t)
 files_getattr_all_sockets(system_cronjob_t)
-files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
+# for nscd:
 files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
 files_manage_generic_spool(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 
 mls_file_read_to_clearance(system_cronjob_t)
 
 init_domtrans_script(system_cronjob_t)
-init_read_utmp(system_cronjob_t)
 init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
 
 auth_use_nsswitch(system_cronjob_t)
 
@@ -516,20 +517,28 @@ logging_read_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
-miscfiles_read_localization(system_cronjob_t)
+miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)
 
 seutil_read_config(system_cronjob_t)
 
+userdom_manage_tmpfs_files(system_cronjob_t, file)
+userdom_tmpfs_filetrans(system_cronjob_t, file)
+
 ifdef(`distro_redhat',`
+	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+	allow crond_t system_cron_spool_t:file manage_file_perms;
+
+	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(system_cronjob_t)
 	')
 ')
 
+selinux_get_fs_mount(system_cronjob_t)
+
 tunable_policy(`cron_can_relabel',`
 	seutil_domtrans_setfiles(system_cronjob_t)
 ',`
-	selinux_get_fs_mount(system_cronjob_t)
 	selinux_validate_context(system_cronjob_t)
 	selinux_compute_access_vector(system_cronjob_t)
 	selinux_compute_create_context(system_cronjob_t)
@@ -539,10 +548,26 @@ tunable_policy(`cron_can_relabel',`
 ')
 
 optional_policy(`
+	# Needed for certwatch
 	apache_exec_modules(system_cronjob_t)
 	apache_read_config(system_cronjob_t)
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
+	apache_manage_lib(system_cronjob_t)
+	apache_delete_cache_dirs(system_cronjob_t)
+	apache_delete_cache_files(system_cronjob_t)
+')
+
+optional_policy(`
+	bind_read_config(system_cronjob_t)
+')
+
+optional_policy(`
+    cron_generic_log_filetrans_log_insights(system_cronjob_t)
+')
+
+optional_policy(`
+    chronyd_run_chronyc(system_cronjob_t,system_r)
 ')
 
 optional_policy(`
@@ -551,10 +576,6 @@ optional_policy(`
 
 optional_policy(`
 	dbus_system_bus_client(system_cronjob_t)
-
-	optional_policy(`
-		networkmanager_dbus_chat(system_cronjob_t)
-	')
 ')
 
 optional_policy(`
@@ -566,6 +587,10 @@ optional_policy(`
 	exim_read_spool_files(system_cronjob_t)
 ')
 
+optional_policy(`
+	firewalld_dbus_chat(system_cronjob_t)
+')
+
 optional_policy(`
 	ftp_read_log(system_cronjob_t)
 ')
@@ -591,14 +616,39 @@ optional_policy(`
 optional_policy(`
 	mta_read_config(system_cronjob_t)
 	mta_send_mail(system_cronjob_t)
+	mta_system_content(system_cron_spool_t)
 ')
 
 optional_policy(`
 	mysql_read_config(system_cronjob_t)
 ')
 
+optional_policy(`
+	networkmanager_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
+    pcp_filetrans_named_content(system_cronjob_t)
+')
+
 optional_policy(`
 	postfix_read_config(system_cronjob_t)
+')	
+
+optional_policy(`
+	prelink_delete_cache(system_cronjob_t)
+	prelink_manage_lib(system_cronjob_t)
+	prelink_manage_log(system_cronjob_t)
+	prelink_read_cache(system_cronjob_t)
+	prelink_relabel_lib(system_cronjob_t)
+')
+
+optional_policy(`
+    rkhunter_manage_lib_files(system_cronjob_t)
+')
+
+optional_policy(`
+    rhsmcertd_dbus_chat(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -606,8 +656,13 @@ optional_policy(`
 	samba_read_log(system_cronjob_t)
 ')
 
+optional_policy(`
+    snapper_dbus_chat(system_cronjob_t)
+')
+
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
+	spamassassin_manage_home_client(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -615,12 +670,27 @@ optional_policy(`
 ')
 
 optional_policy(`
-	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_dbus_chat_timedated(system_cronjob_t)
+	systemd_dbus_chat_hostnamed(system_cronjob_t)
+	systemd_dbus_chat_localed(system_cronjob_t)
+	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
+	unconfined_domain(crond_t)
+	unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+	unconfined_shell_domtrans(crond_t)
+	unconfined_dbus_send(crond_t)
+	userdom_filetrans_home_content(crond_t)
 ')
 
 ########################################
 #
-# Cronjob local policy
+# User cronjobs local policy
 #
 
 allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +698,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
 
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
 kernel_read_system_state(cronjob_t)
 kernel_read_kernel_sysctls(cronjob_t)
 
+# ps does not need to access /boot when run from cron
 files_dontaudit_search_boot(cronjob_t)
 
-corenet_all_recvfrom_unlabeled(cronjob_t)
 corenet_all_recvfrom_netlabel(cronjob_t)
 corenet_tcp_sendrecv_generic_if(cronjob_t)
 corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +731,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
 corenet_udp_sendrecv_generic_node(cronjob_t)
 corenet_tcp_sendrecv_all_ports(cronjob_t)
 corenet_udp_sendrecv_all_ports(cronjob_t)
-
-corenet_sendrecv_all_client_packets(cronjob_t)
 corenet_tcp_connect_all_ports(cronjob_t)
-
-corecmd_exec_all_executables(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
 
 dev_read_urand(cronjob_t)
 
 fs_getattr_all_fs(cronjob_t)
 
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
 domain_dontaudit_read_all_domains_state(cronjob_t)
 domain_dontaudit_getattr_all_domains(cronjob_t)
 
 files_exec_etc_files(cronjob_t)
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
-files_read_usr_files(cronjob_t)
-files_search_spool(cronjob_t)
+# for nscd:
 files_dontaudit_search_pids(cronjob_t)
 
 libs_exec_lib_files(cronjob_t)
 libs_exec_ld_so(cronjob_t)
 
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
 logging_search_logs(cronjob_t)
 
 seutil_read_config(cronjob_t)
 
-miscfiles_read_localization(cronjob_t)
 
 userdom_manage_user_tmp_files(cronjob_t)
 userdom_manage_user_tmp_symlinks(cronjob_t)
 userdom_manage_user_tmp_pipes(cronjob_t)
 userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
 userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
 userdom_manage_user_home_content_files(cronjob_t)
 userdom_manage_user_home_content_symlinks(cronjob_t)
 userdom_manage_user_home_content_pipes(cronjob_t)
 userdom_manage_user_home_content_sockets(cronjob_t)
 
-tunable_policy(`cron_userdomain_transition',`
-	dontaudit cronjob_t crond_t:fd use;
-	dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-	dontaudit cronjob_t crond_t:process sigchld;
-
-	dontaudit cronjob_t user_cron_spool_t:file entrypoint;
-',`
-	allow cronjob_t crond_t:fd use;
-	allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-	allow cronjob_t crond_t:process sigchld;
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
 
-	allow cronjob_t user_cron_spool_t:file entrypoint;
+tunable_policy(`fcron_crond',`
+	allow crond_t user_cron_spool_t:file manage_file_perms;
 ')
 
+# need a per-role version of this:
+#optional_policy(`
+#	mono_domtrans(cronjob_t)
+#')
+
 optional_policy(`
 	nis_use_ypbind(cronjob_t)
 ')
 
+##############################
+#
+# crontab common policy
+#
+
+# dac_override is to create the file in the directory under /tmp
+allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search  dac_override };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
+allow crontab_domain crond_t:process signal;
+allow crontab_domain crond_var_run_t:file read_file_perms;
+
+corecmd_exec_bin(crontab_domain)
+corecmd_exec_shell(crontab_domain)
+
+# create files in /var/spool/cron
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+files_list_spool(crontab_domain)
+
+# crontab signals crond by updating the mtime on the spooldir
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+
+# for the checks used by crontab -u
+selinux_dontaudit_search_fs(crontab_domain)
+
+fs_getattr_xattr_fs(crontab_domain)
+fs_manage_cgroup_dirs(crontab_domain)
+fs_manage_cgroup_files(crontab_domain)
+
+domain_use_interactive_fds(crontab_domain)
+
+files_dontaudit_search_pids(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+
+auth_rw_var_auth(crontab_domain)
+
+logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
+
+init_dontaudit_write_utmp(crontab_domain)
+init_read_utmp(crontab_domain)
+init_read_state(crontab_domain)
+
+
+seutil_read_config(crontab_domain)
+
+userdom_manage_user_tmp_dirs(crontab_domain)
+userdom_manage_user_tmp_files(crontab_domain)
+# Access terminals.
+userdom_use_inherited_user_terminals(crontab_domain)
+# Read user crontabs
+userdom_read_user_home_content_files(crontab_domain)
+userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`fcron_crond',`
+	# fcron wants an instant update of a crontab change for the administrator
+	# also crontab does a security check for crontab -u
+	dontaudit crontab_domain crond_t:process signal;
+')
+
+optional_policy(`
+	ssh_dontaudit_use_ptys(crontab_domain)
+')
+
+optional_policy(`
+	openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+	openshift_transition(system_cronjob_t)
+')
+
 ########################################
 #
-# Unconfined local policy
+# Unconfined cronjobs local policy
 #
 
 type unconfined_cronjob_t;
diff --git a/ctdb.fc b/ctdb.fc
index 8401fe6f3b..84ece3e4a7 100644
--- a/ctdb.fc
+++ b/ctdb.fc
@@ -1,12 +1,20 @@
 /etc/rc\.d/init\.d/ctdb	--	gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
 
+/etc/ctdb/events\.d/.*       --  gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
 /usr/sbin/ctdbd	--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
+/usr/sbin/ctdbd_wrapper --  gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
+/var/ctdb(/.*)?    gen_context(system_u:object_r:ctdbd_var_t,s0)
 
+/var/lib/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 /var/lib/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 
 /var/log/ctdb\.log.*	--	gen_context(system_u:object_r:ctdbd_log_t,s0)
 /var/log/log\.ctdb.*	--	gen_context(system_u:object_r:ctdbd_log_t,s0)
 
+
+/var/run/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_run_t,s0)
 /var/run/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_run_t,s0)
 
 /var/spool/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_spool_t,s0)
diff --git a/ctdb.if b/ctdb.if
index b25b01d12d..06895f39ae 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,178 @@
-## <summary>Clustered Database based on Samba Trivial Database.</summary>
+
+## <summary>policy for ctdbd</summary>
+
+########################################
+## <summary>
+##	Transition to ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ctdbd_domtrans',`
+	gen_require(`
+		type ctdbd_t, ctdbd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+## <summary>
+##	Execute ctdbd server in the ctdbd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_initrc_domtrans',`
+	gen_require(`
+		type ctdbd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##  Allow domain to signal ctdbd.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ctdbd_signal',`
+    gen_require(`
+        type ctdbd_t;
+    ')
+        allow $1 ctdbd_t:process signal;
+')
+
+#######################################
+## <summary>
+##  Allow domain to sigchld ctdbd.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ctdbd_sigchld',`
+    gen_require(`
+        type ctdbd_t;
+    ')
+        allow $1 ctdbd_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read ctdbd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ctdbd_read_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to ctdbd log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`ctdbd_append_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage ctdbd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_manage_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+        manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+        manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+##	Search ctdbd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_search_lib',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read ctdbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_read_lib_files',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	ctdbd lib files.
+##	Manage ctdbd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',`
 	')
 
 	files_search_var_lib($1)
-	manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+        manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Connect to ctdbd with a unix
-##	domain stream socket.
+##	Manage ctdbd lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`ctdbd_stream_connect',`
+interface(`ctdbd_manage_lib_dirs',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read ctdbd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_read_pid_files',`
 	gen_require(`
-		type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+		type ctdbd_var_run_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+	allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Connect to ctdbd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ctdbd_stream_connect',`
+    gen_require(`
+        type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+    ')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+    stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an ctdb environment.
+##	All of the rules required to administrate
+##	an ctdbd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
-interface(`ctdb_admin',`
+interface(`ctdbd_admin',`
 	gen_require(`
-		type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+		type ctdbd_t, ctdbd_initrc_exec_t;
 		type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
 	')
 
-	allow $1 ctdbd_t:process { ptrace signal_perms };
+	allow $1 ctdbd_t:process signal_perms;
 	ps_process_pattern($1, ctdbd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ctdbd_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+	ctdbd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 ctdbd_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -74,12 +284,10 @@ interface(`ctdb_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, ctdbd_log_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, ctdbd_tmp_t)
-
 	files_search_var_lib($1)
 	admin_pattern($1, ctdbd_var_lib_t)
 
 	files_search_pids($1)
 	admin_pattern($1, ctdbd_var_run_t)
 ')
+
diff --git a/ctdb.te b/ctdb.te
index 001b502e6f..1b73c4d799 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
 type ctdbd_var_lib_t;
 files_type(ctdbd_var_lib_t)
 
+type ctdbd_var_t;
+files_type(ctdbd_var_t)
+
 type ctdbd_var_run_t;
 files_pid_file(ctdbd_var_run_t)
 
@@ -32,13 +35,17 @@ files_pid_file(ctdbd_var_run_t)
 # Local policy
 #
 
-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-allow ctdbd_t self:process { setpgid signal_perms setsched };
+allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource };
+allow ctdbd_t self:capability2 block_suspend;
+allow ctdbd_t self:process { setpgid setrlimit signal_perms setsched };
 allow ctdbd_t self:fifo_file rw_fifo_file_perms;
 allow ctdbd_t self:unix_stream_socket { accept connectto listen };
 allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
 allow ctdbd_t self:packet_socket create_socket_perms;
 allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+allow ctdbd_t self:udp_socket create_socket_perms;
+allow ctdbd_t self:rawip_socket create_socket_perms;
+allow ctdbd_t self:netlink_tcpdiag_socket create_socket_perms;
 
 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
 create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
@@ -57,12 +64,24 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
 exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
 
 manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
 manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
 files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
 
+setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)
+write_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)
+
+can_exec(ctdbd_t, ctdbd_exec_t)
+
 kernel_read_network_state(ctdbd_t)
 kernel_read_system_state(ctdbd_t)
 kernel_rw_net_sysctls(ctdbd_t)
@@ -72,27 +91,41 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
 corenet_tcp_sendrecv_generic_if(ctdbd_t)
 corenet_tcp_sendrecv_generic_node(ctdbd_t)
 corenet_tcp_bind_generic_node(ctdbd_t)
+corenet_udp_bind_generic_node(ctdbd_t)
 
 corenet_sendrecv_ctdb_server_packets(ctdbd_t)
 corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_bind_smbd_port(ctdbd_t)
+corenet_tcp_bind_all_rpc_ports(ctdbd_t)
+corenet_udp_bind_all_rpc_ports(ctdbd_t)
+corenet_tcp_connect_ctdb_port(ctdbd_t)
 corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
+corenet_tcp_connect_gluster_port(ctdbd_t)
+corenet_tcp_connect_nfs_port(ctdbd_t)
+corenet_tcp_connect_portmap_port(ctdbd_t)
 
 corecmd_exec_bin(ctdbd_t)
 corecmd_exec_shell(ctdbd_t)
+corecmd_getattr_all_executables(ctdbd_t)
 
 dev_read_sysfs(ctdbd_t)
 dev_read_urand(ctdbd_t)
 
 domain_dontaudit_read_all_domains_state(ctdbd_t)
 
-files_read_etc_files(ctdbd_t)
 files_search_all_mountpoints(ctdbd_t)
 
+fs_getattr_all_fs(ctdbd_t)
+
+auth_use_nsswitch(ctdbd_t)
+
 logging_send_syslog_msg(ctdbd_t)
 
-miscfiles_read_localization(ctdbd_t)
 miscfiles_read_public_files(ctdbd_t)
 
+userdom_home_manager(ctdbd_t)
+
 optional_policy(`
 	consoletype_exec(ctdbd_t)
 ')
@@ -106,9 +139,23 @@ optional_policy(`
 ')
 
 optional_policy(`
+    rpc_domtrans_rpcd(ctdbd_t)
+    rpc_manage_nfs_state_data_dir(ctdbd_t)
+    rpc_read_nfs_state_data(ctdbd_t)
+')
+
+optional_policy(`
+    samba_signull_smbd(ctdbd_t)
 	samba_initrc_domtrans(ctdbd_t)
 	samba_domtrans_net(ctdbd_t)
-	samba_rw_var_files(ctdbd_t)
+	samba_manage_var_dirs(ctdbd_t)
+	samba_manage_var_files(ctdbd_t)
+	samba_systemctl(ctdbd_t)
+')
+
+optional_policy(`
+    samba_signull_winbind(ctdbd_t)
+    samba_signull_unconfined_net(ctdbd_t)
 ')
 
 optional_policy(`
diff --git a/cups.fc b/cups.fc
index 949011ec86..9437dbe018 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,91 @@
-/etc/alchemist/namespace/printconf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/etc/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
-/etc/cups/classes\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/cupsd\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/lpoptions.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/printers\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/subscriptions.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
 
 /etc/cups/interfaces(/.*)?	gen_context(system_u:object_r:cupsd_interface_t,s0)
 
-/etc/hp(/.*)?	gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/hp(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
 
-/lib/udev/udev-configure-printer	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/opt/brother/Printers(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/gutenprint/ppds(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/systemd/system/cups.*	--	gen_context(system_u:object_r:cupsd_unit_file_t,s0)
 
-/usr/bin/cups-config-daemon	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/hpijs	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
-/usr/Brother/fax/.*\.log.*	gen_context(system_u:object_r:cupsd_log_t,s0)
-/usr/Brother/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/Printer/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/lib/cups/daemon/cups-lpd	--	gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-/usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-/usr/lib/cups/backend/hp.*	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib/udev/udev-configure-printer	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/usr/libexec/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/libexec/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* --	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/usr/local/linuxprinter/ppd(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
-/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/cupsd	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cups-browsed 	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 
-/usr/share/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
-/usr/share/foomatic/db/oldprinterids	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/.*\.py	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py --	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/var/cache/alchemist/printconf.*	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/cups(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
 
 /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
 
-/var/lib/hp(/.*)?	gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/lib/hp(/.*)?		gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/var/log/cups(/.*)?	gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.*	gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 
-/var/ccpd(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/log/hp(/.*)?       gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+/var/run/hplip(/.*)		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.port	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
 /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/udev-configure-printer(/.*)?	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
-/var/turboprint(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+
+/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
index 3023be7f6d..27938e4b4e 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
 interface(`cups_read_config',`
 	gen_require(`
 		type cupsd_etc_t, cupsd_rw_etc_t;
+		type hplip_etc_t;
 	')
 
 	files_search_etc($1)
-	read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+	read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+	read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
 ')
 
 ########################################
@@ -304,6 +307,30 @@ interface(`cups_stream_connect_ptal',`
 	stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
 ')
 
+########################################
+## <summary>
+##	Execute cupsd server in the cupsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cupsd_systemctl',`
+	gen_require(`
+		type cupsd_t;
+		type cupsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 cupsd_unit_file_t:file read_file_perms;
+	allow $1 cupsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, cupsd_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of cupsd.
@@ -344,18 +371,23 @@ interface(`cups_read_state',`
 interface(`cups_admin',`
 	gen_require(`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-		type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+		type cupsd_etc_t, cupsd_log_t;
 		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
 		type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
 		type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
 		type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
-		type hplip_t, ptal_t;
+		type ptal_t;
+		type cupsd_unit_file_t;
 	')
 
-	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
-	allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
+	allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
 	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
-	ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+	ps_process_pattern($1, { cups_pdf_t ptal_t })
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -368,13 +400,48 @@ interface(`cups_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, cupsd_log_t)
 
-	files_list_spool($1)
-	admin_pattern($1, cupsd_spool_t)
-
 	files_list_tmp($1)
 	admin_pattern($1, { cupsd_tmp_t  cupsd_lpd_tmp_t })
-
-	files_list_pids($1)
 	admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
 	admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
+
+	cupsd_systemctl($1)
+	admin_pattern($1, cupsd_unit_file_t)
+	allow $1 cupsd_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+##	Transition to cups named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_filetrans_named_content',`
+	gen_require(`
+		type cupsd_rw_etc_t;
+		type cupsd_etc_t;
+	')
+
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
+	files_etc_filetrans($1, cupsd_rw_etc_t, file, "printcap")
+	files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
+	files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppd")
+	files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	files_etc_filetrans($1, cupsd_rw_etc_t, dir, "ppd")
+	files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
 ')
diff --git a/cups.te b/cups.te
index c91813ccbc..8d9b894e5e 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
 # Declarations
 #
 
-type cupsd_config_t;
+## <desc>
+## <p>
+## Allow cups execmem/execstack
+## </p>
+## </desc>
+gen_tunable(cups_execmem, false)
+
+attribute cups_domain;
+
+type cupsd_config_t, cups_domain;
 type cupsd_config_exec_t;
 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
 
 type cupsd_config_var_run_t;
 files_pid_file(cupsd_config_var_run_t)
 
-type cupsd_t;
+type cupsd_t, cups_domain;
 type cupsd_exec_t;
+typealias cupsd_t alias hplip_t;
+typealias cupsd_exec_t alias hplip_exec_t;
 init_daemon_domain(cupsd_t, cupsd_exec_t)
 mls_trusted_object(cupsd_t)
 
 type cupsd_etc_t;
+typealias cupsd_etc_t alias hplip_etc_t;
 files_config_file(cupsd_etc_t)
 
 type cupsd_initrc_exec_t;
@@ -33,13 +45,15 @@ type cupsd_lock_t;
 files_lock_file(cupsd_lock_t)
 
 type cupsd_log_t;
+typealias cupsd_log_t alias hplip_var_log_t;
 logging_log_file(cupsd_log_t)
 
-type cupsd_lpd_t;
+type cupsd_var_lib_t alias hplip_var_lib_t;
+files_type(cupsd_var_lib_t)
+
+type cupsd_lpd_t, cups_domain;
 type cupsd_lpd_exec_t;
-domain_type(cupsd_lpd_t)
-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-role system_r types cupsd_lpd_t;
+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 
 type cupsd_lpd_tmp_t;
 files_tmp_file(cupsd_lpd_tmp_t)
@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
 type cupsd_lpd_var_run_t;
 files_pid_file(cupsd_lpd_var_run_t)
 
-type cups_pdf_t;
+type cups_pdf_t, cups_domain;
 type cups_pdf_exec_t;
 cups_backend(cups_pdf_t, cups_pdf_exec_t)
 
@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
 files_tmp_file(cups_pdf_tmp_t)
 
 type cupsd_tmp_t;
+typealias cupsd_tmp_t alias hplip_tmp_t;
 files_tmp_file(cupsd_tmp_t)
 
 type cupsd_var_run_t;
+typealias cupsd_var_run_t alias hplip_var_run_t;
 files_pid_file(cupsd_var_run_t)
 init_daemon_run_dir(cupsd_var_run_t, "cups")
 mls_trusted_object(cupsd_var_run_t)
 
-type hplip_t;
-type hplip_exec_t;
-init_daemon_domain(hplip_t, hplip_exec_t)
-cups_backend(hplip_t, hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
-
-type hplip_tmp_t;
-files_tmp_file(hplip_tmp_t)
-
-type hplip_var_lib_t;
-files_type(hplip_var_lib_t)
-
-type hplip_var_run_t;
-files_pid_file(hplip_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
 
 type ptal_t;
 type ptal_exec_t;
@@ -97,34 +99,65 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
 ')
 
+#######################################
+#
+# Cups general local policy
+#
+
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
+
+corecmd_exec_bin(cups_domain)
+corecmd_exec_shell(cups_domain)
+
+dev_read_urand(cups_domain)
+dev_read_rand(cups_domain)
+dev_read_sysfs(cups_domain)
+
+fs_getattr_all_fs(cups_domain)
+
+miscfiles_read_fonts(cups_domain)
+miscfiles_setattr_fonts_cache_dirs(cups_domain)
+
+optional_policy(`
+    lpd_manage_spool(cups_domain)
+')
+
 ########################################
 #
 # Cups local policy
 #
 
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched };
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
 allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:sem create_sem_perms;
-allow cupsd_t self:tcp_socket { accept listen };
 allow cupsd_t self:appletalk_socket create_socket_perms;
 
-allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-allow cupsd_t cupsd_etc_t:file setattr_file_perms;
+allow cupsd_t cupsd_etc_t:dir manage_dir_perms;
+allow cupsd_t cupsd_etc_t:file { map setattr_file_perms };
 read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 
 manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
+can_exec(cupsd_t, cupsd_rw_etc_t)
 
 allow cupsd_t cupsd_exec_t:dir search_dir_perms;
 allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
@@ -136,22 +169,24 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
 
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+
 manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file })
 
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
 
-allow cupsd_t hplip_t:process { signal sigkill };
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
 
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-
-allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -159,11 +194,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
 
 kernel_read_system_state(cupsd_t)
-kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
 kernel_request_load_module(cupsd_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_t)
 corenet_all_recvfrom_netlabel(cupsd_t)
 corenet_tcp_sendrecv_generic_if(cupsd_t)
 corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -186,12 +219,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_bind_all_rpc_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
 
-corecmd_exec_bin(cupsd_t)
-corecmd_exec_shell(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_receive_hplip_server_packets(cupsd_t)
+corenet_tcp_bind_hplip_port(cupsd_t)
+corenet_tcp_connect_hplip_port(cupsd_t)
+corenet_tcp_bind_glance_port(cupsd_t)
+corenet_tcp_connect_glance_port(cupsd_t)
+
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_tcp_connect_ipp_port(cupsd_t)
+
+corenet_sendrecv_howl_server_packets(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
 
 dev_rw_printer(cupsd_t)
-dev_read_urand(cupsd_t)
-dev_read_sysfs(cupsd_t)
 dev_rw_input_dev(cupsd_t)
 dev_rw_generic_usb_dev(cupsd_t)
 dev_rw_usbfs(cupsd_t)
@@ -203,7 +244,6 @@ domain_use_interactive_fds(cupsd_t)
 files_getattr_boot_dirs(cupsd_t)
 files_list_spool(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
-files_read_usr_files(cupsd_t)
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
@@ -212,17 +252,19 @@ files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
 files_read_var_files(cupsd_t)
 files_read_var_symlinks(cupsd_t)
-files_write_generic_pid_pipes(cupsd_t)
 files_dontaudit_getattr_all_tmp_files(cupsd_t)
 files_dontaudit_list_home(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
+files_dontaudit_write_usr_dirs(cupsd_t)
 
-fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
 fs_search_fusefs(cupsd_t)
 fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
 
+mls_dbus_send_all_levels(cupsd_t)
 mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
 mls_file_write_all_levels(cupsd_t)
@@ -232,6 +274,8 @@ mls_socket_write_all_levels(cupsd_t)
 
 term_search_ptys(cupsd_t)
 term_use_unallocated_ttys(cupsd_t)
+term_use_ptmx(cupsd_t)
+term_use_usb_ttys(cupsd_t)
 
 selinux_compute_access_vector(cupsd_t)
 selinux_validate_context(cupsd_t)
@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
 auth_rw_faillog(cupsd_t)
 auth_use_nsswitch(cupsd_t)
 
-libs_read_lib_files(cupsd_t)
 libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
 
 logging_send_audit_msgs(cupsd_t)
 logging_send_syslog_msg(cupsd_t)
 
-miscfiles_read_localization(cupsd_t)
-miscfiles_read_fonts(cupsd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-
 seutil_read_config(cupsd_t)
 
 sysnet_exec_ifconfig(cupsd_t)
+sysnet_dns_name_resolve(cupsd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
 userdom_dontaudit_search_user_home_content(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+
+tunable_policy(`cups_execmem',`
+	allow cupsd_t self:process { execmem execstack };
+')
+
 
 optional_policy(`
 	apm_domtrans_client(cupsd_t)
@@ -272,18 +321,26 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(cupsd_t)
 
+	init_dbus_chat(cupsd_t)
+
 	userdom_dbus_send_all_users(cupsd_t)
 
 	optional_policy(`
 		avahi_dbus_chat(cupsd_t)
 	')
 
+	optional_policy(`
+		colord_read_lib_files(cupsd_t)
+	')
+
 	optional_policy(`
 		hal_dbus_chat(cupsd_t)
 	')
 
+	# talk to processes that do not have policy
 	optional_policy(`
 		unconfined_dbus_chat(cupsd_t)
+		files_write_generic_pid_pipes(cupsd_t)
 	')
 ')
 
@@ -296,8 +353,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
 	kerberos_manage_host_rcache(cupsd_t)
-	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
 
 optional_policy(`
@@ -306,7 +363,6 @@ optional_policy(`
 
 optional_policy(`
 	lpd_exec_lpr(cupsd_t)
-	lpd_manage_spool(cupsd_t)
 	lpd_read_config(cupsd_t)
 	lpd_relabel_spool(cupsd_t)
 ')
@@ -315,6 +371,10 @@ optional_policy(`
 	mta_send_mail(cupsd_t)
 ')
 
+optional_policy(`
+	networkmanager_dbus_chat(cupsd_t)
+')
+
 optional_policy(`
 	samba_read_config(cupsd_t)
 	samba_rw_var_files(cupsd_t)
@@ -334,7 +394,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	virt_rw_all_image_chr_files(cupsd_t)
+	virt_rw_chr_files(cupsd_t)
+')
+
+optional_policy(`
+    vmware_read_system_config(cupsd_t)
 ')
 
 ########################################
@@ -342,12 +406,11 @@ optional_policy(`
 # Configuration daemon local policy
 #
 
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_read_search dac_override sys_tty_config };
 dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched signal_perms };
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_config_t self:tcp_socket { accept listen };
+allow cupsd_config_t self:process { getsched };
 
+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
 allow cupsd_config_t cupsd_t:process signal;
 ps_process_pattern(cupsd_config_t, cupsd_t)
 
@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
 
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
 
 stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 
 can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+can_exec(cupsd_config_t, cupsd_exec_t)
 
 kernel_read_system_state(cupsd_config_t)
 kernel_read_all_sysctls(cupsd_config_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_config_t)
 corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_generic_if(cupsd_config_t)
 corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
 corenet_sendrecv_all_client_packets(cupsd_config_t)
 corenet_tcp_connect_all_ports(cupsd_config_t)
 
-corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_shell(cupsd_config_t)
-
-dev_read_sysfs(cupsd_config_t)
-dev_read_urand(cupsd_config_t)
-dev_read_rand(cupsd_config_t)
 dev_rw_generic_usb_dev(cupsd_config_t)
 
 files_read_etc_runtime_files(cupsd_config_t)
-files_read_usr_files(cupsd_config_t)
 files_read_var_symlinks(cupsd_config_t)
 files_search_all_mountpoints(cupsd_config_t)
 
-fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
 
 domain_use_interactive_fds(cupsd_config_t)
@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t)
 
 logging_send_syslog_msg(cupsd_config_t)
 
-miscfiles_read_localization(cupsd_config_t)
-miscfiles_read_hwdata(cupsd_config_t)
-
-seutil_dontaudit_search_config(cupsd_config_t)
-
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
@@ -448,10 +496,13 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+    gnome_dontaudit_read_config(cupsd_config_t)
+')
+
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
-	hal_dontaudit_use_fds(hplip_t)
 ')
 
 optional_policy(`
@@ -466,6 +517,10 @@ optional_policy(`
 	lpd_read_config(cupsd_config_t)
 ')
 
+optional_policy(`
+	libs_exec_ldconfig(cupsd_config_t)
+')
+
 optional_policy(`
 	rpm_read_db(cupsd_config_t)
 ')
@@ -487,10 +542,6 @@ optional_policy(`
 # Lpd local policy
 #
 
-allow cupsd_lpd_t self:capability { setuid setgid };
-allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_lpd_t self:tcp_socket { accept listen };
 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
 allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
-kernel_read_network_state(cupsd_lpd_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
 corenet_all_recvfrom_netlabel(cupsd_lpd_t)
 corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
 corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
 
 corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
 
 corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t)
 
 logging_send_syslog_msg(cupsd_lpd_t)
 
-miscfiles_read_localization(cupsd_lpd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 ')
@@ -549,8 +597,7 @@ optional_policy(`
 # Pdf local policy
 #
 
-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
+allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search dac_override };
 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 
 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
 
 kernel_read_system_state(cups_pdf_t)
 
-files_read_usr_files(cups_pdf_t)
-
-corecmd_exec_bin(cups_pdf_t)
-corecmd_exec_shell(cups_pdf_t)
-
 auth_use_nsswitch(cups_pdf_t)
 
-miscfiles_read_localization(cups_pdf_t)
-miscfiles_read_fonts(cups_pdf_t)
-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
 userdom_manage_user_home_content_dirs(cups_pdf_t)
 userdom_manage_user_home_content_files(cups_pdf_t)
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_filetrans_home_content(cups_pdf_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(cups_pdf_t)
 	fs_manage_nfs_files(cups_pdf_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(cups_pdf_t)
-	fs_manage_cifs_files(cups_pdf_t)
-')
+userdom_home_manager(cups_pdf_t)
 
 optional_policy(`
-	lpd_manage_spool(cups_pdf_t)
+	gnome_read_config(cups_pdf_t)
 ')
 
-########################################
-#
-# HPLIP local policy
-#
-
-allow hplip_t self:capability { dac_override dac_read_search net_raw };
-dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process signal_perms;
-allow hplip_t self:tcp_socket { accept listen };
-allow hplip_t self:rawip_socket create_socket_perms;
-
-allow hplip_t cupsd_etc_t:dir search_dir_perms;
-
-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-allow hplip_t hplip_etc_t:file read_file_perms;
-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-
-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-
-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
-kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctls(hplip_t)
-
-corenet_all_recvfrom_unlabeled(hplip_t)
-corenet_all_recvfrom_netlabel(hplip_t)
-corenet_tcp_sendrecv_generic_if(hplip_t)
-corenet_udp_sendrecv_generic_if(hplip_t)
-corenet_raw_sendrecv_generic_if(hplip_t)
-corenet_tcp_sendrecv_generic_node(hplip_t)
-corenet_udp_sendrecv_generic_node(hplip_t)
-corenet_raw_sendrecv_generic_node(hplip_t)
-corenet_tcp_sendrecv_all_ports(hplip_t)
-corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_tcp_bind_generic_node(hplip_t)
-corenet_udp_bind_generic_node(hplip_t)
-
-corenet_sendrecv_hplip_client_packets(hplip_t)
-corenet_receive_hplip_server_packets(hplip_t)
-corenet_tcp_bind_hplip_port(hplip_t)
-corenet_tcp_connect_hplip_port(hplip_t)
-
-corenet_sendrecv_ipp_client_packets(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
-
-corenet_sendrecv_howl_server_packets(hplip_t)
-corenet_udp_bind_howl_port(hplip_t)
-
-corecmd_exec_bin(hplip_t)
-
-dev_read_sysfs(hplip_t)
-dev_rw_printer(hplip_t)
-dev_read_urand(hplip_t)
-dev_read_rand(hplip_t)
-dev_rw_generic_usb_dev(hplip_t)
-dev_rw_usbfs(hplip_t)
-
-domain_use_interactive_fds(hplip_t)
-
-files_read_etc_files(hplip_t)
-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-
-fs_getattr_all_fs(hplip_t)
-fs_search_auto_mountpoints(hplip_t)
-fs_rw_anon_inodefs_files(hplip_t)
-
-logging_send_syslog_msg(hplip_t)
-
-miscfiles_read_localization(hplip_t)
-
-sysnet_dns_name_resolve(hplip_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
-
-optional_policy(`
-	dbus_system_bus_client(hplip_t)
-
-	optional_policy(`
-		userdom_dbus_send_all_users(hplip_t)
-	')
-')
-
-optional_policy(`
-	lpd_read_config(hplip_t)
-	lpd_manage_spool(hplip_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
-	snmp_read_snmp_var_lib_files(hplip_t)
-')
-
-optional_policy(`
-	udev_read_db(hplip_t)
-')
 
 ########################################
 #
@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
 
-corenet_all_recvfrom_unlabeled(ptal_t)
 corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_generic_if(ptal_t)
 corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)
 corenet_tcp_sendrecv_ptal_port(ptal_t)
 
-dev_read_sysfs(ptal_t)
 dev_read_usbfs(ptal_t)
 dev_rw_printer(ptal_t)
 
 domain_use_interactive_fds(ptal_t)
 
-files_read_etc_files(ptal_t)
 files_read_etc_runtime_files(ptal_t)
 
 fs_getattr_all_fs(ptal_t)
@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t)
 
 logging_send_syslog_msg(ptal_t)
 
-miscfiles_read_localization(ptal_t)
-
 sysnet_read_config(ptal_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +690,4 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
+
diff --git a/cvs.fc b/cvs.fc
index 75c8be90cd..4c1a965c03 100644
--- a/cvs.fc
+++ b/cvs.fc
@@ -1,13 +1,16 @@
+HOME_DIR/\.cvsignore		--	gen_context(system_u:object_r:cvs_home_t,s0)
+/root/\.cvsignore		--	gen_context(system_u:object_r:cvs_home_t,s0)
+
 /etc/rc\.d/init\.d/cvs	--	gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
 
 /opt/cvs(/.*)?	gen_context(system_u:object_r:cvs_data_t,s0)
 
 /usr/bin/cvs	--	gen_context(system_u:object_r:cvs_exec_t,s0)
 
-/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:cvs_script_exec_t,s0)
 
 /var/cvs(/.*)?	gen_context(system_u:object_r:cvs_data_t,s0)
 
 /var/run/cvs\.pid	--	gen_context(system_u:object_r:cvs_var_run_t,s0)
 
-/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:cvs_script_exec_t,s0)
diff --git a/cvs.if b/cvs.if
index 64775fd372..91a60569cd 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
 ## <summary>Concurrent versions system.</summary>
 
+######################################
+## <summary>
+##  Dontaudit Attempts to list the CVS data and metadata.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`cvs_dontaudit_list_data',`
+    gen_require(`
+        type cvs_data_t;
+    ')
+
+    dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read CVS data and metadata content.
@@ -39,6 +57,24 @@ interface(`cvs_exec',`
 	can_exec($1, cvs_exec_t)
 ')
 
+########################################
+## <summary>
+##	Transition to cvs named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cvs_filetrans_home_content',`
+	gen_require(`
+		type cvs_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -60,11 +96,17 @@ interface(`cvs_admin',`
 	gen_require(`
 		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
 		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+		type cvs_home_t;
 	')
 
-	allow $1 cvs_t:process { ptrace signal_perms };
+	allow $1 cvs_t:process signal_perms;
 	ps_process_pattern($1, cvs_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cvs_t:process ptrace;
+	')
+
+	# Allow cvs_t to restart the apache service
 	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 cvs_initrc_exec_t system_r;
@@ -81,4 +123,7 @@ interface(`cvs_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, cvs_var_run_t)
+
+	userdom_search_user_home_dirs($1)
+	admin_pattern($1, cvs_home_t)
 ')
diff --git a/cvs.te b/cvs.te
index 0f7755005f..36e4a38cfb 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
 ##	password files.
 ##	</p>
 ## </desc>
-gen_tunable(allow_cvs_read_shadow, false)
+gen_tunable(cvs_read_shadow, false)
 
 type cvs_t;
 type cvs_exec_t;
@@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t)
 type cvs_var_run_t;
 files_pid_file(cvs_var_run_t)
 
+type cvs_home_t;
+userdom_user_home_content(cvs_home_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow cvs_t self:tcp_socket { accept listen };
 
+userdom_search_user_home_dirs(cvs_t)
+allow cvs_t cvs_home_t:file read_file_perms;
+
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
@@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
 corecmd_exec_bin(cvs_t)
 corecmd_exec_shell(cvs_t)
 
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+
 dev_read_urand(cvs_t)
 
 files_read_etc_runtime_files(cvs_t)
@@ -86,19 +101,17 @@ auth_use_nsswitch(cvs_t)
 
 init_read_utmp(cvs_t)
 
+init_dontaudit_read_utmp(cvs_t)
+
 logging_send_syslog_msg(cvs_t)
 logging_send_audit_msgs(cvs_t)
 
-miscfiles_read_localization(cvs_t)
-
 mta_send_mail(cvs_t)
 
-userdom_dontaudit_search_user_home_dirs(cvs_t)
-
 # cjp: typeattribute doesnt work in conditionals yet
 auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
-	allow cvs_t self:capability dac_override;
+tunable_policy(`cvs_read_shadow',`
+	allow cvs_t self:capability { dac_read_search dac_override };
 	auth_tunable_read_shadow(cvs_t)
 ')
 
@@ -116,8 +129,10 @@ optional_policy(`
 
 optional_policy(`
 	apache_content_template(cvs)
+	apache_content_alias_template(cvs, cvs)
 
-	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
-	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
+	manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
 ')
diff --git a/cyphesis.te b/cyphesis.te
index 77ffc7355c..86e11f5e33 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
 corecmd_search_bin(cyphesis_t)
 corecmd_getattr_bin_files(cyphesis_t)
 
-corenet_all_recvfrom_unlabeled(cyphesis_t)
 corenet_tcp_sendrecv_generic_if(cyphesis_t)
 corenet_tcp_sendrecv_generic_node(cyphesis_t)
 corenet_tcp_bind_generic_node(cyphesis_t)
@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
 
 domain_use_interactive_fds(cyphesis_t)
 
-files_read_etc_files(cyphesis_t)
-files_read_usr_files(cyphesis_t)
 
 logging_send_syslog_msg(cyphesis_t)
 
-miscfiles_read_localization(cyphesis_t)
-
 sysnet_dns_name_resolve(cyphesis_t)
 
 optional_policy(`
diff --git a/cyrus.if b/cyrus.if
index 83bfda6edd..92d9fb2e74 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
 	manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
 ')
 
+#######################################
+## <summary>
+##  Allow write cyrus data files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cyrus_write_data',`
+    gen_require(`
+        type cyrus_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Connect to Cyrus using a unix
@@ -64,9 +83,13 @@ interface(`cyrus_admin',`
 		type cyrus_keytab_t;
 	')
 
-	allow $1 cyrus_t:process { ptrace signal_perms };
+	allow $1 cyrus_t:process signal_perms;
 	ps_process_pattern($1, cyrus_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cyrus_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
index 4283f2de23..21d93a737a 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
 # Local policy
 #
 
-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_read_search dac_override net_bind_service setgid setuid sys_resource };
 dontaudit cyrus_t self:capability sys_tty_config;
 allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow cyrus_t self:process setrlimit;
@@ -54,21 +54,24 @@ manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
 manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
 manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
 manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t)
+allow cyrus_t cyrus_var_lib_t:file map;
 
 manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
 manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t)
 files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
+allow cyrus_t cyrus_var_run_t:file map;
 
 kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)
+kernel_read_network_state(cyrus_t)
 
-corenet_all_recvfrom_unlabeled(cyrus_t)
 corenet_all_recvfrom_netlabel(cyrus_t)
 corenet_tcp_sendrecv_generic_if(cyrus_t)
 corenet_tcp_sendrecv_generic_node(cyrus_t)
 corenet_tcp_sendrecv_all_ports(cyrus_t)
 corenet_tcp_bind_generic_node(cyrus_t)
+corenet_tcp_bind_cyrus_imapd_port(cyrus_t)
 
 corenet_sendrecv_mail_server_packets(cyrus_t)
 corenet_tcp_bind_mail_port(cyrus_t)
@@ -76,6 +79,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
 corenet_sendrecv_lmtp_server_packets(cyrus_t)
 corenet_tcp_bind_lmtp_port(cyrus_t)
 
+corenet_sendrecv_innd_server_packets(cyrus_t)
+corenet_tcp_bind_innd_port(cyrus_t)
+
 corenet_sendrecv_pop_server_packets(cyrus_t)
 corenet_tcp_bind_pop_port(cyrus_t)
 
@@ -95,8 +101,6 @@ domain_use_interactive_fds(cyrus_t)
 
 files_list_var_lib(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
-files_read_usr_files(cyrus_t)
-files_dontaudit_write_usr_dirs(cyrus_t)
 
 fs_getattr_all_fs(cyrus_t)
 fs_search_auto_mountpoints(cyrus_t)
@@ -107,7 +111,6 @@ libs_exec_lib_files(cyrus_t)
 
 logging_send_syslog_msg(cyrus_t)
 
-miscfiles_read_localization(cyrus_t)
 miscfiles_read_generic_certs(cyrus_t)
 
 userdom_use_unpriv_users_fds(cyrus_t)
@@ -120,6 +123,14 @@ optional_policy(`
 	cron_system_entry(cyrus_t, cyrus_exec_t)
 ')
 
+optional_policy(`
+	dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
+    gssproxy_stream_connect(cyrus_t)
+')
+
 optional_policy(`
 	kerberos_read_keytab(cyrus_t)
 	kerberos_use(cyrus_t)
@@ -134,8 +145,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	snmp_read_snmp_var_lib_files(cyrus_t)
-	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+	files_dontaudit_write_usr_dirs(cyrus_t)
+    snmp_manage_var_lib_files(cyrus_t)
 	snmp_stream_connect(cyrus_t)
 ')
 
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0b7b..6c8106a871 100644
--- a/daemontools.if
+++ b/daemontools.if
@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',`
 	allow $1 svc_svc_t:file manage_file_perms;
 	allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
 ')
+
diff --git a/daemontools.te b/daemontools.te
index ee1b4aa8e0..2fd746e050 100644
--- a/daemontools.te
+++ b/daemontools.te
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
 allow svc_multilog_t svc_start_t:fd use;
 allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
 
+term_write_console(svc_multilog_t)
+
 init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
 
 logging_manage_generic_logs(svc_multilog_t)
 
@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t)
 corecmd_exec_bin(svc_run_t)
 corecmd_exec_shell(svc_run_t)
 
-files_read_etc_files(svc_run_t)
+term_write_console(svc_run_t)
+
 files_read_etc_runtime_files(svc_run_t)
 files_search_pids(svc_run_t)
 files_search_var_lib(svc_run_t)
@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
 
 can_exec(svc_start_t, svc_start_exec_t)
 
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
 domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
 
 kernel_read_kernel_sysctls(svc_start_t)
@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t)
 corecmd_exec_bin(svc_start_t)
 corecmd_exec_shell(svc_start_t)
 
-files_read_etc_files(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
 files_read_etc_runtime_files(svc_start_t)
 files_search_var(svc_start_t)
 files_search_pids(svc_start_t)
 
 logging_send_syslog_msg(svc_start_t)
-
-miscfiles_read_localization(svc_start_t)
diff --git a/dante.te b/dante.te
index 5a5e2902a3..6321a1d0a2 100644
--- a/dante.te
+++ b/dante.te
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
 
 domain_use_interactive_fds(dante_t)
 
-files_read_etc_files(dante_t)
 files_read_etc_runtime_files(dante_t)
 
 fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
index b60c464f1d..3a5246a9bb 100644
--- a/dbadm.te
+++ b/dbadm.te
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
 
 role dbadm_r;
 
-userdom_base_user_template(dbadm)
+userdom_confined_admin_template(dbadm)
 
 ########################################
 #
 # Local policy
 #
 
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_override dac_read_search };
 
 files_dontaudit_search_all_dirs(dbadm_t)
 files_delete_generic_locks(dbadm_t)
@@ -39,6 +39,7 @@ files_list_var(dbadm_t)
 selinux_get_enforce_mode(dbadm_t)
 
 logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
 
 userdom_dontaudit_search_user_home_dirs(dbadm_t)
 
@@ -60,3 +61,7 @@ optional_policy(`
 optional_policy(`
 	postgresql_admin(dbadm_t, dbadm_r)
 ')
+
+optional_policy(`
+	sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/dbskk.te b/dbskk.te
index f55c420821..e9d64ab5f2 100644
--- a/dbskk.te
+++ b/dbskk.te
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)
 kernel_read_network_state(dbskkd_t)
 
-corenet_all_recvfrom_unlabeled(dbskkd_t)
 corenet_all_recvfrom_netlabel(dbskkd_t)
 corenet_tcp_sendrecv_generic_if(dbskkd_t)
 corenet_udp_sendrecv_generic_if(dbskkd_t)
@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t)
 
 fs_getattr_xattr_fs(dbskkd_t)
 
-files_read_etc_files(dbskkd_t)
 
 auth_use_nsswitch(dbskkd_t)
 
 logging_send_syslog_msg(dbskkd_t)
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
index dda905b9c2..558729530c 100644
--- a/dbus.fc
+++ b/dbus.fc
@@ -1,20 +1,29 @@
-HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
 
-/etc/dbus-.*(/.*)?	gen_context(system_u:object_r:dbusd_etc_t,s0)
+/bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/bin/dbus-daemon	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/libexec/dbus-1/dbus-daemon-launch-helper   --  gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/usr/bin/dbus-daemon(-1)?	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/usr/lib/dbus-.*/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/usr/libexec/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/var/lib/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/cache/ibus(/.*)?     gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 
-/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/run/messagebus\.pid	--	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 
+ifdef(`distro_redhat',`
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
index 62d22cb460..3b6a2c833c 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
-## <summary>Desktop messaging bus.</summary>
+## <summary>Desktop messaging bus</summary>
 
 ########################################
 ## <summary>
@@ -19,7 +19,24 @@ interface(`dbus_stub',`
 
 ########################################
 ## <summary>
-##	Role access for dbus.
+##	Execute dbus-daemon in the caller domain.
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`dbus_exec_dbusd',`
+	gen_require(`
+        type dbusd_exec_t;
+	')
+    can_exec($1, dbusd_exec_t)
+')
+
+########################################
+## <summary>
+##	Role access for dbus
 ## </summary>
 ## <param name="role_prefix">
 ##	<summary>
@@ -41,59 +58,68 @@ interface(`dbus_stub',`
 template(`dbus_role_template',`
 	gen_require(`
 		class dbus { send_msg acquire_svc };
-		attribute session_bus_type;
-		type system_dbusd_t, dbusd_exec_t;
-		type session_dbusd_tmp_t, session_dbusd_home_t;
+		attribute dbusd_unconfined, session_bus_type;
+		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+		type $1_t;
 	')
 
 	##############################
 	#
-	# Declarations
+	# Delcarations
 	#
 
 	type $1_dbusd_t, session_bus_type;
-	domain_type($1_dbusd_t)
-	domain_entry_file($1_dbusd_t, dbusd_exec_t)
+	application_domain($1_dbusd_t, dbusd_exec_t)
 	ubac_constrained($1_dbusd_t)
-
 	role $2 types $1_dbusd_t;
 
+	kernel_read_system_state($1_dbusd_t)
+
+	selinux_get_fs_mount($1_dbusd_t)
+
+	userdom_home_manager($1_dbusd_t)
+
 	##############################
 	#
 	# Local policy
 	#
 
-	allow $3 $1_dbusd_t:unix_stream_socket connectto;
-	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
-	allow $3 $1_dbusd_t:fd use;
-	
-	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+	# For connecting to the bus
+	allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
 
-	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
-	userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+	# SE-DBus specific permissions
+	allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
 
 	ps_process_pattern($3, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { ptrace signal_perms };
+	allow $3 $1_dbusd_t:process signal_perms;
 
-	allow $1_dbusd_t $3:process sigkill;
+	tunable_policy(`deny_ptrace',`',`
+		allow $3 $1_dbusd_t:process ptrace;
+	')
 
-	corecmd_bin_domtrans($1_dbusd_t, $3)
-	corecmd_shell_domtrans($1_dbusd_t, $3)
+	# cjp: this seems very broken
+	corecmd_bin_domtrans($1_dbusd_t, $1_t)
+	corecmd_shell_domtrans($1_dbusd_t, $1_t)
+	allow $1_dbusd_t $3:process sigkill;
+	allow $3 $1_dbusd_t:fd use;
+	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
 
 	auth_use_nsswitch($1_dbusd_t)
 
-	ifdef(`hide_broken_symptoms',`
-		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+	logging_send_syslog_msg($1_dbusd_t)
+
+	optional_policy(`
+		mozilla_domtrans_spec($1_dbusd_t, $1_t)
 	')
 ')
 
 #######################################
 ## <summary>
 ##	Template for creating connections to
-##	the system bus.
+##	the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -103,91 +129,88 @@ template(`dbus_role_template',`
 #
 interface(`dbus_system_bus_client',`
 	gen_require(`
-		attribute dbusd_system_bus_client;
-		type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
+		type system_dbusd_t, system_dbusd_t;
+		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
+		attribute dbusd_unconfined;
 	')
 
-	typeattribute $1 dbusd_system_bus_client;
-
+	# SE-DBus specific permissions
 	allow $1 { system_dbusd_t self }:dbus send_msg;
-	allow system_dbusd_t $1:dbus send_msg;
+	allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
 
-	files_search_var_lib($1)
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	files_search_var_lib($1)
 
+	dev_read_urand($1)
+
+	# For connecting to the bus
 	files_search_pids($1)
 	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
-
 	dbus_read_config($1)
+
+    optional_policy(`
+        unconfined_server_dbus_chat($1)
+    ')
 ')
 
 #######################################
 ## <summary>
-##	Acquire service on DBUS
-##	session bus.
+##	Creating connections to specified
+##	DBUS sessions.
 ## </summary>
-## <param name="domain">
+## <param name="role_prefix">
 ##	<summary>
-##	Domain allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-#
-interface(`dbus_connect_session_bus',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
-	dbus_connect_all_session_bus($1)
-')
-
-#######################################
-## <summary>
-##	Acquire service on all DBUS
-##	session busses.
-## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_all_session_bus',`
+interface(`dbus_session_client',`
 	gen_require(`
-		attribute session_bus_type;
-		class dbus acquire_svc;
+		class dbus send_msg;
+		type $1_dbusd_t;
 	')
 
-	allow $1 session_bus_type:dbus acquire_svc;
+	allow $2 $1_dbusd_t:fd use;
+	allow $2 { $1_dbusd_t self }:dbus send_msg;
+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
 ')
 
 #######################################
 ## <summary>
-##	Acquire service on specified
-##	DBUS session bus.
+##	Template for creating connections to
+##	a user DBUS.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_spec_session_bus',`
+interface(`dbus_session_bus_client',`
 	gen_require(`
-		type $1_dbusd_t;
-		class dbus acquire_svc;
+		attribute session_bus_type;
+		class dbus send_msg;
 	')
 
-	allow $2 $1_dbusd_t:dbus acquire_svc;
+	# SE-DBus specific permissions
+	allow $1 { session_bus_type self }:dbus send_msg;
+
+	# For connecting to the bus
+	allow $1 session_bus_type:unix_stream_socket connectto;
+
+	allow session_bus_type $1:process sigkill;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to DBUS
-##	session bus.
+##	Send a message the session DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_session_bus_client',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
-	dbus_all_session_bus_client($1)
+interface(`dbus_send_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+		class dbus send_msg;
+	')
+
+	allow $1 session_bus_type:dbus send_msg;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to all
-##	DBUS session busses.
+##	Read dbus configuration.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_all_session_bus_client',`
+interface(`dbus_read_config',`
 	gen_require(`
-		attribute session_bus_type, dbusd_session_bus_client;
-		class dbus send_msg;
+		type dbusd_etc_t;
 	')
 
-	typeattribute $1 dbusd_session_bus_client;
-
-	allow $1 { session_bus_type self }:dbus send_msg;
-	allow session_bus_type $1:dbus send_msg;
-	
-	allow $1 session_bus_type:unix_stream_socket connectto;
-	allow $1 session_bus_type:fd use;
+	allow $1 dbusd_etc_t:dir list_dir_perms;
+	allow $1 dbusd_etc_t:file read_file_perms;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to specified
-##	DBUS session bus.
+##	Read system dbus lib files.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_spec_session_bus_client',`
+interface(`dbus_read_lib_files',`
 	gen_require(`
-		attribute dbusd_session_bus_client;
-		type $1_dbusd_t;
-		class dbus send_msg;
+		type system_dbusd_var_lib_t;
 	')
 
-	typeattribute $2 dbusd_session_bus_client;
-
-	allow $2 { $1_dbusd_t self }:dbus send_msg;
-	allow $1_dbusd_t $2:dbus send_msg;
-
-	allow $2 $1_dbusd_t:unix_stream_socket connectto;
-	allow $2 $1_dbusd_t:fd use;
+	files_search_var_lib($1)
+	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to DBUS session bus.
+##	Create, read, write, and delete
+##	system dbus lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_session_bus',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
-	dbus_send_all_session_bus($1)
+interface(`dbus_manage_lib_files',`
+	gen_require(`
+		type system_dbusd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to all DBUS
-##	session busses.
+##	Connect to the system DBUS
+##	for service (acquire_svc).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_all_session_bus',`
+interface(`dbus_connect_session_bus',`
 	gen_require(`
 		attribute session_bus_type;
-		class dbus send_msg;
+		class dbus acquire_svc;
 	')
 
-	allow $1 dbus_session_bus_type:dbus send_msg;
+	allow $1 session_bus_type:dbus acquire_svc;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to specified
-##	DBUS session busses.
+##	Allow a application domain to be started
+##	by the session dbus.
 ## </summary>
-## <param name="role_prefix">
+## <param name="domain_prefix">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	User domain prefix to be used.
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an
+##	entry point to this domain.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_spec_session_bus',`
+interface(`dbus_session_domain',`
 	gen_require(`
 		type $1_dbusd_t;
-		class dbus send_msg;
 	')
 
-	allow $2 $1_dbusd_t:dbus send_msg;
+	domtrans_pattern($1_dbusd_t, $2, $3)
+
+	dbus_session_bus_client($3)
+	dbus_connect_session_bus($3)
 ')
 
 ########################################
 ## <summary>
-##	Read dbus configuration content.
+##	Connect to the system DBUS
+##	for service (acquire_svc).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_read_config',`
+interface(`dbus_connect_system_bus',`
 	gen_require(`
-		type dbusd_etc_t;
+		type system_dbusd_t;
+		class dbus acquire_svc;
 	')
 
-	allow $1 dbusd_etc_t:dir list_dir_perms;
-	allow $1 dbusd_etc_t:file read_file_perms;
+	allow $1 system_dbusd_t:dbus acquire_svc;
 ')
 
 ########################################
 ## <summary>
-##	Read system dbus lib files.
+##	Send a message on the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -349,20 +369,18 @@ interface(`dbus_read_config',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_read_lib_files',`
+interface(`dbus_send_system_bus',`
 	gen_require(`
-		type system_dbusd_var_lib_t;
+		type system_dbusd_t;
+		class dbus send_msg;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	allow $1 system_dbusd_t:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	system dbus lib files.
+##	Allow unconfined access to the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_manage_lib_files',`
+interface(`dbus_system_bus_unconfined',`
 	gen_require(`
-		type system_dbusd_var_lib_t;
+		type system_dbusd_t;
+		class dbus all_dbus_perms;
 	')
 
-	files_search_var_lib($1)
-	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	allow $1 system_dbusd_t:dbus *;
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Create a domain for processes
+##	which can be started by the system dbus
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
@@ -397,199 +409,251 @@ interface(`dbus_manage_lib_files',`
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Type of the program to be used as an entry point to this domain.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_session_domain',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
-	dbus_all_session_domain($1, $2)
+interface(`dbus_system_domain',`
+	gen_require(`
+		attribute system_bus_type;
+		type system_dbusd_t;
+		role system_r;
+	')
+	typeattribute $1  system_bus_type;
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	domtrans_pattern(system_dbusd_t, $2, $1)
+    allow system_dbusd_t $2:file map;
+	init_system_domain($1, $2)
+
+	ps_process_pattern($1, system_dbusd_t)
+
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Use and inherit system DBUS file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="entry_point">
+#
+interface(`dbus_use_system_bus_fds',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+## <summary>
+##	Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_all_session_domain',`
+interface(`dbus_unconfined',`
 	gen_require(`
-		type session_bus_type;
+		attribute dbusd_unconfined;
 	')
 
-	domtrans_pattern(session_bus_type, $2, $1)
-
-	dbus_all_session_bus_client($1)
-	dbus_connect_all_session_bus($1)
+	typeattribute $1 dbusd_unconfined;
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Delete all dbus pid files
 ## </summary>
-## <param name="role_prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`dbus_delete_pid_files',`
+	gen_require(`
+		type system_dbusd_var_run_t;
+	')
+
+	files_search_pids($1)
+	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read all dbus pid files
+## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="entry_point">
+#
+interface(`dbus_read_pid_files',`
+	gen_require(`
+		type system_dbusd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to connect to
+##	session bus types with a unix
+##	stream socket.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_spec_session_domain',`
+interface(`dbus_dontaudit_stream_connect_session_bus',`
 	gen_require(`
-		type $1_dbusd_t;
+		attribute session_bus_type;
 	')
 
-	domtrans_pattern($1_dbusd_t, $2, $3)
-
-	dbus_spec_session_bus_client($1, $2)
-	dbus_connect_spec_session_bus($1, $2)
+	dontaudit $1 session_bus_type:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Acquire service on the DBUS system bus.
+##	Allow attempts to connect to
+##	session bus types with a unix
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_system_bus',`
+interface(`dbus_stream_connect_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
-		class dbus acquire_svc;
+		attribute session_bus_type;
 	')
 
-	allow $1 system_dbusd_t:dbus acquire_svc;
+	allow $1 session_bus_type:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Send messages to the DBUS system bus.
+##	Do not audit attempts to send dbus
+##	messages to session bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_system_bus',`
+interface(`dbus_chat_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
+		attribute session_bus_type;
 		class dbus send_msg;
 	')
 
-	allow $1 system_dbusd_t:dbus send_msg;
+	allow $1 session_bus_type:dbus send_msg;
+	allow session_bus_type $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Unconfined access to DBUS system bus.
+##	Do not audit attempts to send dbus
+##	messages to session bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_system_bus_unconfined',`
+interface(`dbus_dontaudit_chat_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
-		class dbus all_dbus_perms;
+		attribute session_bus_type;
+		class dbus send_msg;
 	')
 
-	allow $1 system_dbusd_t:dbus *;
+	dontaudit $1 session_bus_type:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Create a domain for processes which
-##	can be started by the DBUS system bus.
+##	Do not audit attempts to send dbus
+##	messages to system bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
-## <param name="entry_point">
+#
+interface(`dbus_dontaudit_chat_system_bus',`
+	gen_require(`
+		attribute system_bus_type;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 system_bus_type:dbus send_msg;
+	dontaudit system_bus_type $1:dbus send_msg;
+')
+
+
+########################################
+## <summary>
+##	Allow attempts to connect to
+##	session bus types with a unix
+##	stream socket.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Type of the program to be used as an entry point to this domain.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_system_domain',`
+interface(`dbus_stream_connect_system_dbusd',`
 	gen_require(`
 		type system_dbusd_t;
-		role system_r;
 	')
 
-	domain_type($1)
-	domain_entry_file($1, $2)
-
-	role system_r types $1;
-
-	domtrans_pattern(system_dbusd_t, $2, $1)
-
-	dbus_system_bus_client($1)
-	dbus_connect_system_bus($1)
-
-	ps_process_pattern(system_dbusd_t, $1)
-
-	userdom_read_all_users_state($1)
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-	')
+	allow $1 system_dbusd_t:unix_stream_socket connectto;
 ')
 
+
 ########################################
 ## <summary>
-##	Use and inherit DBUS system bus
-##	file descriptors.
+##	Do not audit attempts to connect to
+##	session bus types with a unix
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_use_system_bus_fds',`
+interface(`dbus_dontaudit_stream_connect_system_dbusd',`
 	gen_require(`
-		type system_dbusd_t;
+		attribute system_dbusd_t;
 	')
 
-	allow $1 system_dbusd_t:fd use;
+	dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write DBUS system bus TCP sockets.
+##	Allow attempts to send dbus
+##	messages to system bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -597,28 +661,50 @@ interface(`dbus_use_system_bus_fds',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+interface(`dbus_chat_system_bus',`
 	gen_require(`
-		type system_dbusd_t;
+		attribute system_bus_type;
+		class dbus send_msg;
 	')
 
-	dontaudit $1 system_dbusd_t:tcp_socket { read write };
+	allow $1 system_bus_type:dbus send_msg;
+	allow system_bus_type $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+##      Transition to dbus named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dbus_filetrans_named_content_system',`
+    gen_require(`
+        type system_dbusd_var_lib_t;
+    ')
+    files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
 ')
 
 ########################################
 ## <summary>
-##	Unconfined access to DBUS.
+##	Allow attempts to send dbus
+##	messages to system dbusd type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_unconfined',`
+interface(`dbus_acquire_svc_system_dbusd',`
 	gen_require(`
-		attribute dbusd_unconfined;
+		type system_dbusd_t;
+		class dbus acquire_svc;
 	')
 
-	typeattribute $1 dbusd_unconfined;
+	allow $1 system_dbusd_t:dbus acquire_svc;
+
 ')
diff --git a/dbus.te b/dbus.te
index c9998c80da..843dd09ec4 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
 	class dbus all_dbus_perms;
 ')
 
-########################################
+##############################
 #
-# Declarations
+# Delcarations
 #
 
 attribute dbusd_unconfined;
+attribute system_bus_type;
 attribute session_bus_type;
 
-attribute dbusd_system_bus_client;
-attribute dbusd_session_bus_client;
-
 type dbusd_etc_t;
 files_config_file(dbusd_etc_t)
 
@@ -22,9 +20,6 @@ type dbusd_exec_t;
 corecmd_executable_file(dbusd_exec_t)
 typealias dbusd_exec_t alias system_dbusd_exec_t;
 
-type session_dbusd_home_t;
-userdom_user_home_content(session_dbusd_home_t)
-
 type session_dbusd_tmp_t;
 typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
 typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
+init_sock_file(system_dbusd_var_run_t)
+mls_trusted_object(system_dbusd_var_run_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -51,59 +47,64 @@ ifdef(`enable_mls',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
 ')
 
-########################################
+##############################
 #
-# Local policy
+# System bus local policy
 #
 
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability2 block_suspend;
+allow system_dbusd_t self:capability { sys_resource dac_read_search dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
+can_exec(system_dbusd_t, dbusd_exec_t)
+
 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 
 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 
 manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
-
-can_exec(system_dbusd_t, dbusd_exec_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
 
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
-
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_shell(system_dbusd_t)
+kernel_stream_connect(system_dbusd_t)
 
 dev_read_urand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
 
-domain_use_interactive_fds(system_dbusd_t)
-domain_read_all_domains_state(system_dbusd_t)
+dev_rw_inherited_input_dev(system_dbusd_t)
+dev_rw_inherited_dri(system_dbusd_t)
 
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+dev_rw_nvme(system_dbusd_t)
+
+files_rw_inherited_non_security_files(system_dbusd_t)
 
 fs_getattr_all_fs(system_dbusd_t)
 fs_list_inotifyfs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
-fs_search_cgroup_dirs(system_dbusd_t)
 fs_dontaudit_list_nfs(system_dbusd_t)
 
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
+storage_rw_inherited_removable_device(system_dbusd_t)
+
+mls_trusted_object(system_dbusd_t)
 mls_fd_use_all_levels(system_dbusd_t)
 mls_rangetrans_target(system_dbusd_t)
 mls_file_read_all_levels(system_dbusd_t)
@@ -123,66 +124,174 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
+corecmd_exec_bin(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
+
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
-init_all_labeled_script_domtrans(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
 
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
-miscfiles_read_localization(system_dbusd_t)
 miscfiles_read_generic_certs(system_dbusd_t)
 
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 
+userdom_home_reader(system_dbusd_t)
+
+optional_policy(`
+	bind_domtrans(system_dbusd_t)
+')
+
 optional_policy(`
 	bluetooth_stream_connect(system_dbusd_t)
 ')
 
 optional_policy(`
-	policykit_read_lib(system_dbusd_t)
+    boltd_write_var_run_pipes(system_dbusd_t)
+')
+
+optional_policy(`
+	cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+	getty_start_services(system_dbusd_t)
+')
+
+optional_policy(`
+	gnome_exec_gconf(system_dbusd_t)
+	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
+
+optional_policy(`
+    nis_use_ypbind(system_dbusd_t)
+')
+
+optional_policy(`
+	networkmanager_initrc_domtrans(system_dbusd_t)
+	networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(system_dbusd_t)
+	policykit_domtrans_auth(system_dbusd_t)
+	policykit_search_lib(system_dbusd_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(system_dbusd_t)
+    snapper_read_inherited_pipe(system_dbusd_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_dhcpc(system_dbusd_t)
+')
+
+optional_policy(`
+	systemd_use_fds_logind(system_dbusd_t)
+	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+	systemd_write_inhibit_pipes(system_dbusd_t)
+# These are caused by broken systemd patch
+	systemd_start_power_services(system_dbusd_t)
+	systemd_config_all_services(system_dbusd_t)
+	files_config_all_files(system_dbusd_t)
 ')
 
 optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
 
+optional_policy(`
+	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+	xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
+
+optional_policy(`
+    unconfined_server_domtrans(system_dbusd_t)
+')
+
 ########################################
 #
-# Common session bus local policy
+# system_bus_type rules
 #
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
+
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
+init_status(system_bus_type)
+init_stream_connect(system_bus_type)
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
+	abrt_stream_connect(system_bus_type)
+')
+
+optional_policy(`
+	rpm_script_dbus_chat(system_bus_type)
+')
+
+optional_policy(`
+	unconfined_dbus_send(system_bus_type)
+')
+
+ifdef(`hide_broken_symptoms',`
+	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
 
+########################################
+#
+# session_bus_type rules
+#
+allow session_bus_type self:capability2 block_suspend;
 dontaudit session_bus_type self:capability sys_resource;
 allow session_bus_type self:process { getattr sigkill signal };
-dontaudit session_bus_type self:process { ptrace setrlimit };
+dontaudit session_bus_type self:process setrlimit;
 allow session_bus_type self:file { getattr read write };
 allow session_bus_type self:fifo_file rw_fifo_file_perms;
 allow session_bus_type self:dbus { send_msg acquire_svc };
-allow session_bus_type self:unix_stream_socket { accept listen };
-allow session_bus_type self:tcp_socket { accept listen };
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
 allow session_bus_type self:netlink_selinux_socket create_socket_perms;
 
 allow session_bus_type dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 
-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
-
 manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
 
-kernel_read_system_state(session_bus_type)
 kernel_read_kernel_sysctls(session_bus_type)
 
 corecmd_list_bin(session_bus_type)
@@ -191,23 +300,18 @@ corecmd_read_bin_files(session_bus_type)
 corecmd_read_bin_pipes(session_bus_type)
 corecmd_read_bin_sockets(session_bus_type)
 
-corenet_all_recvfrom_unlabeled(session_bus_type)
-corenet_all_recvfrom_netlabel(session_bus_type)
 corenet_tcp_sendrecv_generic_if(session_bus_type)
 corenet_tcp_sendrecv_generic_node(session_bus_type)
 corenet_tcp_sendrecv_all_ports(session_bus_type)
 corenet_tcp_bind_generic_node(session_bus_type)
-
-corenet_sendrecv_all_server_packets(session_bus_type)
 corenet_tcp_bind_reserved_port(session_bus_type)
 
 dev_read_urand(session_bus_type)
 
-domain_read_all_domains_state(session_bus_type)
 domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
 
 files_list_home(session_bus_type)
-files_read_usr_files(session_bus_type)
 files_dontaudit_search_var(session_bus_type)
 
 fs_getattr_romfs(session_bus_type)
@@ -215,7 +319,6 @@ fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
 
-selinux_get_fs_mount(session_bus_type)
 selinux_validate_context(session_bus_type)
 selinux_compute_access_vector(session_bus_type)
 selinux_compute_create_context(session_bus_type)
@@ -225,18 +328,36 @@ selinux_compute_user_contexts(session_bus_type)
 auth_read_pam_console_data(session_bus_type)
 
 logging_send_audit_msgs(session_bus_type)
-logging_send_syslog_msg(session_bus_type)
-
-miscfiles_read_localization(session_bus_type)
 
 seutil_read_config(session_bus_type)
 seutil_read_default_contexts(session_bus_type)
 
-term_use_all_terms(session_bus_type)
+term_use_all_inherited_terms(session_bus_type)
+
+userdom_dontaudit_search_admin_dir(session_bus_type)
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_manage_tmpfs_files(session_bus_type, file)
+userdom_tmpfs_filetrans(session_bus_type, file)
 
 optional_policy(`
-	xserver_use_xdm_fds(session_bus_type)
+	gnome_read_config(session_bus_type)
+	gnome_read_gconf_home_files(session_bus_type)
+')
+
+optional_policy(`
+	hal_dbus_chat(session_bus_type)
+')
+
+optional_policy(`
+	thumb_domtrans(session_bus_type)
+')
+
+optional_policy(`
+	xserver_search_xdm_lib(session_bus_type)
 	xserver_rw_xdm_pipes(session_bus_type)
+	xserver_use_xdm_fds(session_bus_type)
+	xserver_append_xdm_home_files(session_bus_type)
 ')
 
 ########################################
@@ -244,5 +365,9 @@ optional_policy(`
 # Unconfined access to this module
 #
 
-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+kernel_stream_connect(session_bus_type)
+systemd_login_read_pid_files(session_bus_type)
diff --git a/dcc.fc b/dcc.fc
index 62d3c4e666..cef59a7523 100644
--- a/dcc.fc
+++ b/dcc.fc
@@ -10,6 +10,8 @@
 /usr/libexec/dcc/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
 /usr/libexec/dcc/dccm	--	gen_context(system_u:object_r:dccm_exec_t,s0)
 
+/usr/libexec/dcc/start-dccifd   --  gen_context(system_u:object_r:dccifd_exec_t,s0)
+
 /usr/sbin/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
 /usr/sbin/dccd	--	gen_context(system_u:object_r:dccd_exec_t,s0)
 /usr/sbin/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
diff --git a/dcc.if b/dcc.if
index a5c21e0e87..46394219af 100644
--- a/dcc.if
+++ b/dcc.if
@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
 		type dcc_var_t, dccifd_var_run_t, dccifd_t;
 	')
 
-	files_search_var($1)
+	files_search_pids($1)
 	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
 ')
diff --git a/dcc.te b/dcc.te
index 353fa4a09f..a5e912fca2 100644
--- a/dcc.te
+++ b/dcc.te
@@ -45,7 +45,7 @@ type dcc_var_t;
 files_type(dcc_var_t)
 
 type dcc_var_run_t;
-files_type(dcc_var_run_t)
+files_pid_file(dcc_var_run_t)
 
 type dccd_t;
 type dccd_exec_t;
@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
 files_read_etc_runtime_files(cdcc_t)
 
 auth_use_nsswitch(cdcc_t)
 
 logging_send_syslog_msg(cdcc_t)
 
-miscfiles_read_localization(cdcc_t)
-
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
 
 ########################################
 #
@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
 
 allow dcc_client_t dcc_client_map_t:file rw_file_perms;
 
+domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
+
 manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
 files_read_etc_runtime_files(dcc_client_t)
 
 fs_getattr_all_fs(dcc_client_t)
@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
 
 logging_send_syslog_msg(dcc_client_t)
 
-miscfiles_read_localization(dcc_client_t)
-
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
 
 optional_policy(`
-	amavis_read_spool_files(dcc_client_t)
+	antivirus_read_db(dcc_client_t)
 ')
 
 optional_policy(`
@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_dbclean_t)
 
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
 files_read_etc_runtime_files(dcc_dbclean_t)
 
 auth_use_nsswitch(dcc_dbclean_t)
 
 logging_send_syslog_msg(dcc_dbclean_t)
 
-miscfiles_read_localization(dcc_dbclean_t)
-
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
 
 ########################################
 #
@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
 kernel_read_system_state(dccd_t)
 kernel_read_kernel_sysctls(dccd_t)
 
-corenet_all_recvfrom_unlabeled(dccd_t)
 corenet_all_recvfrom_netlabel(dccd_t)
 corenet_udp_sendrecv_generic_if(dccd_t)
 corenet_udp_sendrecv_generic_node(dccd_t)
@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
 
 logging_send_syslog_msg(dccd_t)
 
-miscfiles_read_localization(dccd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
 userdom_dontaudit_search_user_home_dirs(dccd_t)
 
@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
 kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)
 
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
 dev_read_sysfs(dccifd_t)
 
 domain_use_interactive_fds(dccifd_t)
@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
 
 logging_send_syslog_msg(dccifd_t)
 
-miscfiles_read_localization(dccifd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
 userdom_dontaudit_search_user_home_dirs(dccifd_t)
 
@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
 kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)
 
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
 dev_read_sysfs(dccm_t)
 
 domain_use_interactive_fds(dccm_t)
@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
 
 logging_send_syslog_msg(dccm_t)
 
-miscfiles_read_localization(dccm_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
 userdom_dontaudit_search_user_home_dirs(dccm_t)
 
diff --git a/ddclient.if b/ddclient.if
index 5606b40691..cd18cf2a70 100644
--- a/ddclient.if
+++ b/ddclient.if
@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
 		type ddclient_var_run_t, ddclient_initrc_exec_t;
 	')
 
-	allow $1 ddclient_t:process { ptrace signal_perms };
+	allow $1 ddclient_t:process signal_perms;
 	ps_process_pattern($1, ddclient_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ddclient_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
index a4caa1b5b5..42f30662dd 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
 # Declarations
 #
 
+
 dontaudit ddclient_t self:capability sys_tty_config;
 allow ddclient_t self:process signal_perms;
 allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
 
 read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
 setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
 
-corenet_all_recvfrom_unlabeled(ddclient_t)
 corenet_all_recvfrom_netlabel(ddclient_t)
 corenet_tcp_sendrecv_generic_if(ddclient_t)
 corenet_udp_sendrecv_generic_if(ddclient_t)
@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
 corenet_udp_sendrecv_generic_node(ddclient_t)
 corenet_tcp_sendrecv_all_ports(ddclient_t)
 corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
 
 corenet_sendrecv_all_client_packets(ddclient_t)
 corenet_tcp_connect_all_ports(ddclient_t)
@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
 
 domain_use_interactive_fds(ddclient_t)
 
-files_read_etc_files(ddclient_t)
 files_read_etc_runtime_files(ddclient_t)
-files_read_usr_files(ddclient_t)
 
 fs_getattr_all_fs(ddclient_t)
 fs_search_auto_mountpoints(ddclient_t)
 
+auth_read_passwd(ddclient_t)
+
 logging_send_syslog_msg(ddclient_t)
 
-miscfiles_read_localization(ddclient_t)
+mta_send_mail(ddclient_t)
 
 sysnet_exec_ifconfig(ddclient_t)
 sysnet_dns_name_resolve(ddclient_t)
diff --git a/ddcprobe.te b/ddcprobe.te
index 8fa4bb994b..8f5ffb00a3 100644
--- a/ddcprobe.te
+++ b/ddcprobe.te
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
 dev_read_raw_memory(ddcprobe_t)
 dev_wx_raw_memory(ddcprobe_t)
 
-files_read_etc_files(ddcprobe_t)
 files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
 
 term_use_all_ttys(ddcprobe_t)
 term_use_all_ptys(ddcprobe_t)
diff --git a/denyhosts.if b/denyhosts.if
index a7326da62d..c87b5b7c67 100644
--- a/denyhosts.if
+++ b/denyhosts.if
@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`denyhosts_admin',`
 	gen_require(`
@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
 		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
 	')
 
-	allow $1 denyhosts_t:process { ptrace signal_perms };
+	allow $1 denyhosts_t:process signal_perms;
 	ps_process_pattern($1, denyhosts_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 denyhosts_t:process ptrace;
+	')
+
 	denyhosts_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 denyhosts_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, denyhosts_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, denyhosts_var_log_t)
 
-	files_search_locks($1)
+	files_list_locks($1)
 	admin_pattern($1, denyhosts_var_lock_t)
 ')
diff --git a/denyhosts.te b/denyhosts.te
index 583a527266..91c4104c7f 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
 #
 # Local policy
 #
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
 
 allow denyhosts_t self:capability sys_tty_config;
 allow denyhosts_t self:fifo_file rw_fifo_file_perms;
@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
 corecmd_exec_bin(denyhosts_t)
 corecmd_exec_shell(denyhosts_t)
 
-corenet_all_recvfrom_unlabeled(denyhosts_t)
 corenet_all_recvfrom_netlabel(denyhosts_t)
 corenet_tcp_sendrecv_generic_if(denyhosts_t)
 corenet_tcp_sendrecv_generic_node(denyhosts_t)
@@ -57,13 +59,19 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
 corenet_tcp_connect_smtp_port(denyhosts_t)
 corenet_tcp_sendrecv_smtp_port(denyhosts_t)
 
+corenet_sendrecv_sype_transport_client_packets(denyhosts_t)
+corenet_tcp_connect_sype_transport_port(denyhosts_t)
+corenet_tcp_sendrecv_sype_transport_port(denyhosts_t)
+
 dev_read_urand(denyhosts_t)
 
+auth_use_nsswitch(denyhosts_t)
+
+iptables_domtrans(denyhosts_t)
+
 logging_read_generic_logs(denyhosts_t)
 logging_send_syslog_msg(denyhosts_t)
 
-miscfiles_read_localization(denyhosts_t)
-
 sysnet_dns_name_resolve(denyhosts_t)
 sysnet_manage_config(denyhosts_t)
 sysnet_etc_filetrans_config(denyhosts_t)
@@ -71,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
 optional_policy(`
 	cron_system_entry(denyhosts_t, denyhosts_exec_t)
 ')
+
+optional_policy(`
+	gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.fc b/devicekit.fc
index ae49c9d99f..b8479873e7 100644
--- a/devicekit.fc
+++ b/devicekit.fc
@@ -11,6 +11,7 @@
 /usr/libexec/devkit-power-daemon	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
 /usr/libexec/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 /usr/libexec/upowerd	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks2/udisksd		--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 
 /var/lib/DeviceKit-.*	gen_context(system_u:object_r:devicekit_var_lib_t,s0)
 /var/lib/upower(/.*)?	gen_context(system_u:object_r:devicekit_var_lib_t,s0)
diff --git a/devicekit.if b/devicekit.if
index 8ce99ff486..1bc5d3aea7 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
-## <summary>Devicekit modular hardware abstraction layer.</summary>
+## <summary>Devicekit modular hardware abstraction layer</summary>
 
 ########################################
 ## <summary>
@@ -15,10 +15,27 @@ interface(`devicekit_domtrans',`
 		type devicekit_t, devicekit_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, devicekit_exec_t, devicekit_t)
 ')
 
+########################################
+## <summary>
+##	Execute a domain transition to run devicekit_disk.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`devicekit_domtrans_disk',`
+	gen_require(`
+		type devicekit_disk_t, devicekit_disk_exec_t;
+	')
+
+	domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
+')
+
 ########################################
 ## <summary>
 ##	Send to devicekit over a unix domain
@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
 #
 interface(`devicekit_dgram_send',`
 	gen_require(`
-		type devicekit_t, devicekit_var_run_t;
+		type devicekit_t;
 	')
 
-	files_search_pids($1)
-	dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
+	allow $1 devicekit_t:unix_dgram_socket sendto;
 ')
 
 ########################################
@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
 
 ########################################
 ## <summary>
-##	Send generic signals to devicekit power.
+##	Use file descriptors for devicekit_disk.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_signal_power',`
+interface(`devicekit_use_fds_disk',`
 	gen_require(`
-		type devicekit_power_t;
+		type devicekit_disk_t;
 	')
 
-	allow $1 devicekit_power_t:process signal;
+	allow $1 devicekit_disk_t:fd use; 
 ')
 
 ########################################
 ## <summary>
-##	Send and receive messages from
-##	devicekit power over dbus.
+##	Dontaudit Send and receive messages from
+##	devicekit disk over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_dbus_chat_power',`
+interface(`devicekit_dontaudit_dbus_chat_disk',`
 	gen_require(`
-		type devicekit_power_t;
+		type devicekit_disk_t;
 		class dbus send_msg;
 	')
 
-	allow $1 devicekit_power_t:dbus send_msg;
-	allow devicekit_power_t $1:dbus send_msg;
+	dontaudit $1 devicekit_disk_t:dbus send_msg;
+	dontaudit devicekit_disk_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Use and inherit devicekit power
-##	file descriptors.
+##	Send signal devicekit power
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_use_fds_power',`
+interface(`devicekit_signal_power',`
 	gen_require(`
 		type devicekit_power_t;
 	')
 
-	allow $1 devicekit_power_t:fd use;
+	allow $1 devicekit_power_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Append inherited devicekit log files.
+##	Send and receive messages from
+##	devicekit power over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -149,40 +165,97 @@ interface(`devicekit_use_fds_power',`
 ##	</summary>
 ## </param>
 #
+interface(`devicekit_dbus_chat_power',`
+	gen_require(`
+		type devicekit_power_t;
+		class dbus send_msg;
+	')
+
+	allow $1 devicekit_power_t:dbus send_msg;
+	allow devicekit_power_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+##  Use and inherit devicekit power
+##  file descriptors.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`devicekit_use_fds_power',`
+    gen_require(`
+        type devicekit_power_t;
+    ')
+
+        allow $1 devicekit_power_t:fd use;
+')
+
+#######################################
+## <summary>
+##  Append inherited devicekit log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
 interface(`devicekit_append_inherited_log_files',`
 	gen_require(`
 		type devicekit_var_log_t;
 	')
 
 	logging_search_logs($1)
-	allow $1 devicekit_var_log_t:file { getattr_file_perms append };
+	allow $1 devicekit_var_log_t:file append_inherited_file_perms;
 
 	devicekit_use_fds_power($1)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Create, read, write, and delete
-##	devicekit log files.
+##  Allow read devicekit log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`devicekit_manage_log_files',`
+interface(`devicekit_read_log_files',`
 	gen_require(`
 		type devicekit_var_log_t;
 	')
 
 	logging_search_logs($1)
-	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	allow $1 devicekit_var_log_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to write the devicekit
+##  log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_rw_log',`
+	gen_require(`
+		type devicekit_var_log_t;
+	')
+
+	dontaudit $1 devicekit_var_log_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel devicekit log files.
+##	Allow the domain to read devicekit_power state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -190,13 +263,13 @@ interface(`devicekit_manage_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_relabel_log_files',`
+interface(`devicekit_read_state_power',`
 	gen_require(`
-		type devicekit_var_log_t;
+		type devicekit_power_t;
 	')
 
-	logging_search_logs($1)
-	relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	kernel_search_proc($1)
+	ps_process_pattern($1, devicekit_power_t)
 ')
 
 ########################################
@@ -220,11 +293,30 @@ interface(`devicekit_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+##	Do not audit attempts to read
 ##	devicekit PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`devicekit_dontaudit_read_pid_files',`
+	gen_require(` 
+		type devicekit_var_run_t;
+	')
+
+	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
+')
+
+
+########################################
+## <summary>
+##	Manage devicekit PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@@ -235,22 +327,59 @@ interface(`devicekit_manage_pid_files',`
 	')
 
 	files_search_pids($1)
+	manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
 	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
+## <summary>
+##  Relabel devicekit LOG files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`devicekit_relabel_log_files',`
+    gen_require(`
+        type devicekit_var_log_t;
+    ')
+
+    logging_search_logs($1)
+    relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an devicekit environment.
+##	Manage devicekit LOG files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`devicekit_manage_log_files',`
+	gen_require(`
+		type devicekit_var_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an devicekit environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -259,21 +388,48 @@ interface(`devicekit_admin',`
 	gen_require(`
 		type devicekit_t, devicekit_disk_t, devicekit_power_t;
 		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
-		type devicekit_var_log_t;
 	')
 
-	allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
+	allow $1 devicekit_t:process signal_perms;
+	ps_process_pattern($1, devicekit_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 devicekit_t:process ptrace;
+		allow $1 devicekit_disk_t:process ptrace;
+		allow $1 devicekit_power_t:process ptrace;
+	')
+
+	allow $1 devicekit_disk_t:process signal_perms;
+	ps_process_pattern($1, devicekit_disk_t)
+
+	allow $1 devicekit_power_t:process signal_perms;
+	ps_process_pattern($1, devicekit_power_t)
 
-	files_search_tmp($1)
 	admin_pattern($1, devicekit_tmp_t)
+	files_list_tmp($1)
 
-	files_search_var_lib($1)
 	admin_pattern($1, devicekit_var_lib_t)
+	files_list_var_lib($1)
 
-	logging_search_logs($1)
-	admin_pattern($1, devicekit_var_log_t)
-
-	files_search_pids($1)
 	admin_pattern($1, devicekit_var_run_t)
+	files_list_pids($1)
+')
+
+########################################
+## <summary>
+##	Transition to devicekit named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_filetrans_named_content',`
+	gen_require(`
+		type devicekit_var_run_t, devicekit_var_log_t;
+	')
+
+	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
diff --git a/devicekit.te b/devicekit.te
index 77a5003c0d..8d3dc77cbf 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
 
 type devicekit_t;
 type devicekit_exec_t;
-dbus_system_domain(devicekit_t, devicekit_exec_t)
+init_daemon_domain(devicekit_t, devicekit_exec_t)
 
 type devicekit_power_t;
 type devicekit_power_exec_t;
-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
 
 type devicekit_disk_t;
 type devicekit_disk_exec_t;
-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
 
 type devicekit_tmp_t;
 files_tmp_file(devicekit_tmp_t)
@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
 dev_read_sysfs(devicekit_t)
 dev_read_urand(devicekit_t)
 
-files_read_etc_files(devicekit_t)
-
-miscfiles_read_localization(devicekit_t)
-
 optional_policy(`
+	dbus_system_domain(devicekit_t, devicekit_exec_t)
 	dbus_system_bus_client(devicekit_t)
 
 	allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
@@ -64,7 +61,8 @@ optional_policy(`
 # Disk local policy
 #
 
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -81,17 +79,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
 manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+files_filetrans_named_content(devicekit_disk_t)
 
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
 kernel_getattr_message_if(devicekit_disk_t)
 kernel_list_unlabeled(devicekit_disk_t)
-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
 kernel_read_fs_sysctls(devicekit_disk_t)
 kernel_read_network_state(devicekit_disk_t)
 kernel_read_software_raid_state(devicekit_disk_t)
 kernel_read_system_state(devicekit_disk_t)
 kernel_read_vm_sysctls(devicekit_disk_t)
 kernel_request_load_module(devicekit_disk_t)
-kernel_setsched(devicekit_disk_t)
+kernel_dontaudit_setsched(devicekit_disk_t)
 
 corecmd_exec_bin(devicekit_disk_t)
 corecmd_exec_shell(devicekit_disk_t)
@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
 
 dev_getattr_all_chr_files(devicekit_disk_t)
 dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
+dev_rw_loop_control(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
+files_manage_etc_files(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
-files_read_usr_files(devicekit_disk_t)
 
 fs_getattr_all_fs(devicekit_disk_t)
 fs_list_inotifyfs(devicekit_disk_t)
@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
 storage_raw_read_removable_device(devicekit_disk_t)
 storage_raw_write_removable_device(devicekit_disk_t)
 
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
 
 auth_use_nsswitch(devicekit_disk_t)
 
 logging_send_syslog_msg(devicekit_disk_t)
 
-miscfiles_read_localization(devicekit_disk_t)
-
 userdom_read_all_users_state(devicekit_disk_t)
 userdom_search_user_home_dirs(devicekit_disk_t)
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
 
 optional_policy(`
+	dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
 	dbus_system_bus_client(devicekit_disk_t)
 
 	allow devicekit_disk_t devicekit_t:dbus send_msg;
@@ -170,6 +171,7 @@ optional_policy(`
 
 optional_policy(`
 	mount_domtrans(devicekit_disk_t)
+	mount_read_pid_files(devicekit_disk_t)
 ')
 
 optional_policy(`
@@ -182,6 +184,11 @@ optional_policy(`
 	raid_domtrans_mdadm(devicekit_disk_t)
 ')
 
+optional_policy(`
+	systemd_read_logind_sessions_files(devicekit_disk_t)
+	systemd_write_inhibit_pipes(devicekit_disk_t)
+')
+
 optional_policy(`
 	udev_domtrans(devicekit_disk_t)
 	udev_read_db(devicekit_disk_t)
@@ -192,12 +199,19 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
 
+optional_policy(`
+	unconfined_domain(devicekit_t)
+	unconfined_domain(devicekit_power_t)
+	unconfined_domain(devicekit_disk_t)
+')
+
 ########################################
 #
 # Power local policy
 #
 
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_read_search dac_override net_admin sys_admin sys_tty_config sys_nice };
+allow devicekit_power_t self:capability2 compromise_kernel;
 allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
 
-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
 
 manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
 kernel_read_fs_sysctls(devicekit_power_t)
 kernel_read_network_state(devicekit_power_t)
 kernel_read_system_state(devicekit_power_t)
-kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_usermodehelper_state(devicekit_power_t)
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_rw_vm_sysctls(devicekit_power_t)
 kernel_search_debugfs(devicekit_power_t)
 kernel_write_proc_files(devicekit_power_t)
-kernel_setsched(devicekit_power_t)
+kernel_dontaudit_setsched(devicekit_power_t)
 
 corecmd_exec_bin(devicekit_power_t)
 corecmd_exec_shell(devicekit_power_t)
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_runtime_files(devicekit_power_t)
-files_read_usr_files(devicekit_power_t)
 files_dontaudit_list_mnt(devicekit_power_t)
 
 fs_getattr_all_fs(devicekit_power_t)
 fs_list_inotifyfs(devicekit_power_t)
 
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
 
 auth_use_nsswitch(devicekit_power_t)
 
 init_all_labeled_script_domtrans(devicekit_power_t)
 init_read_utmp(devicekit_power_t)
 
-miscfiles_read_localization(devicekit_power_t)
-
 sysnet_domtrans_ifconfig(devicekit_power_t)
 sysnet_domtrans_dhcpc(devicekit_power_t)
 
@@ -277,6 +286,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_initrc_domtrans(devicekit_power_t)
+	cron_systemctl(devicekit_power_t)
+')
+
+optional_policy(`
+	dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
 	dbus_system_bus_client(devicekit_power_t)
 
 	allow devicekit_power_t devicekit_t:dbus send_msg;
@@ -306,9 +321,12 @@ optional_policy(`
 	fstools_domtrans(devicekit_power_t)
 ')
 
+optional_policy(`
+	gnome_manage_home_config(devicekit_power_t)
+')
+
 optional_policy(`
 	hal_domtrans_mac(devicekit_power_t)
-	hal_manage_log(devicekit_power_t)
 	hal_manage_pid_dirs(devicekit_power_t)
 	hal_manage_pid_files(devicekit_power_t)
 ')
@@ -347,3 +365,9 @@ optional_policy(`
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
+
+optional_policy(`
+	corenet_tcp_connect_xserver_port(devicekit_power_t)
+	xserver_stream_connect(devicekit_power_t)
+')
+
diff --git a/dhcp.fc b/dhcp.fc
index 8182c4806c..0b9bb9710b 100644
--- a/dhcp.fc
+++ b/dhcp.fc
@@ -1,6 +1,13 @@
 /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcrelay(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 
-/usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd6.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcrelay.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+
+/usr/sbin/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/sbin/dhcrelay(6)?	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
 /var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)
 /var/lib/dhcp(3)?/dhcpd\.leases.*	--	gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/dhcp.if b/dhcp.if
index c697edbcd0..954c090bd5 100644
--- a/dhcp.if
+++ b/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
 	')
 
 	sysnet_search_dhcp_state($1)
-	allow $1 dhcpd_state_t:file setattr;
+	allow $1 dhcpd_state_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -58,6 +58,31 @@ interface(`dhcpd_initrc_domtrans',`
 	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute dhcpd server in the dhcpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dhcpd_systemctl',`
+	gen_require(`
+		type dhcpd_unit_file_t;
+		type dhcpd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_search_unit_dirs($1)
+	allow $1 dhcpd_unit_file_t:file read_file_perms;
+	allow $1 dhcpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, dhcpd_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -79,11 +104,16 @@ interface(`dhcpd_admin',`
 	gen_require(`
 		type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
 		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+		type dhcpd_unit_file_t;
 	')
 
-	allow $1 dhcpd_t:process { ptrace signal_perms };
+	allow $1 dhcpd_t:process signal_perms;
 	ps_process_pattern($1, dhcpd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dhcpd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 dhcpd_initrc_exec_t system_r;
@@ -97,4 +127,8 @@ interface(`dhcpd_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, dhcpd_var_run_t)
+
+	dhcpd_systemctl($1)
+	admin_pattern($1, dhcpd_unit_file_t)
+	allow $1 dhcpd_unit_file_t:service all_service_perms;
 ')
diff --git a/dhcp.te b/dhcp.te
index 98a24b9897..3ca9fe61af 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
 type dhcpd_initrc_exec_t;
 init_script_file(dhcpd_initrc_exec_t)
 
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
 type dhcpd_state_t;
 files_type(dhcpd_state_t)
 
@@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
 # Local policy
 #
 
-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
+allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process { getcap setcap signal_perms };
 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
 kernel_read_network_state(dhcpd_t)
 
-corenet_all_recvfrom_unlabeled(dhcpd_t)
 corenet_all_recvfrom_netlabel(dhcpd_t)
 corenet_tcp_sendrecv_generic_if(dhcpd_t)
 corenet_udp_sendrecv_generic_if(dhcpd_t)
@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t)
 
 domain_use_interactive_fds(dhcpd_t)
 
-files_read_usr_files(dhcpd_t)
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
 
@@ -102,21 +103,41 @@ auth_use_nsswitch(dhcpd_t)
 
 logging_send_syslog_msg(dhcpd_t)
 
-miscfiles_read_localization(dhcpd_t)
-
+sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
 userdom_dontaudit_search_user_home_dirs(dhcpd_t)
 
 tunable_policy(`dhcpd_use_ldap',`
-	sysnet_use_ldap(dhcpd_t)
+    allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+    corenet_tcp_sendrecv_generic_if(dhcpd_t)
+    corenet_tcp_sendrecv_generic_node(dhcpd_t)
+    corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+    corenet_tcp_connect_ldap_port(dhcpd_t)
+    corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+	ldap_read_certs(dhcpd_t)
+')
+
+ifdef(`distro_gentoo',`
+	allow dhcpd_t self:capability { chown dac_read_search dac_override setgid setuid sys_chroot };
 ')
 
 optional_policy(`
+	# used for dynamic DNS
 	bind_read_dnssec_keys(dhcpd_t)
 ')
 
+optional_policy(`
+	cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(dhcpd_t)
 	dbus_connect_system_bus(dhcpd_t)
diff --git a/dictd.if b/dictd.if
index 3cc3494bd6..cb0a1f4bfa 100644
--- a/dictd.if
+++ b/dictd.if
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
 		type dictd_var_run_t, dictd_initrc_exec_t;
 	')
 
-	allow $1 dictd_t:process { ptrace signal_perms };
+	allow $1 dictd_t:process signal_perms;
 	ps_process_pattern($1, dictd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dictd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
index 433d3c5a0b..0dccebfd94 100644
--- a/dictd.te
+++ b/dictd.te
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
 
-corenet_all_recvfrom_unlabeled(dictd_t)
 corenet_all_recvfrom_netlabel(dictd_t)
 corenet_tcp_sendrecv_generic_if(dictd_t)
 corenet_tcp_sendrecv_generic_node(dictd_t)
@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t)
 domain_use_interactive_fds(dictd_t)
 
 files_read_etc_runtime_files(dictd_t)
-files_read_usr_files(dictd_t)
 files_search_var_lib(dictd_t)
 
 fs_getattr_xattr_fs(dictd_t)
@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t)
 
 logging_send_syslog_msg(dictd_t)
 
-miscfiles_read_localization(dictd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
 optional_policy(`
diff --git a/dirmngr.te b/dirmngr.te
index b3b218815a..5f917054c7 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
 
 kernel_read_crypto_sysctls(dirmngr_t)
 
-files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
index 0000000000..38b17f89f8
--- /dev/null
+++ b/dirsrv-admin.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/dirsrv-admin\.service	--	gen_context(system_u:object_r:dirsrvadmin_unit_file_t,s0)
+
+/etc/dirsrv/admin-serv(/.*)?		gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)?	gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/usr/sbin/restart-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/start-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin		--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin/ds_create    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
+/var/lock/subsys/dirsrv-admin      --  gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
index 0000000000..0d4e704926
--- /dev/null
+++ b/dirsrv-admin.if
@@ -0,0 +1,157 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
+## <summary>
+##	Exec dirsrv-admin programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_run_exec',`
+	gen_require(`
+		type dirsrvadmin_exec_t;
+	')
+
+	allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+	can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+## <summary>
+##	Exec cgi programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_run_script_exec',`
+	gen_require(`
+		type dirsrvadmin_script_exec_t;
+	')
+
+	allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
+	can_exec($1, dirsrvadmin_script_exec_t)
+')
+
+########################################
+## <summary>
+##	Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_read_config',`
+	gen_require(`
+		type dirsrvadmin_config_t;
+	')
+
+	read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+## <summary>
+##	Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_config',`
+	gen_require(`
+		type dirsrvadmin_config_t;
+	')
+
+	allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+	allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Read dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrvadmin_read_tmp',`
+        gen_require(`
+                type dirsrvadmin_tmp_t;
+        ')
+
+        read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+## <summary>
+##      Manage dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_tmp',`
+        gen_require(`
+                type dirsrvadmin_tmp_t;
+        ')
+
+	manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+## <summary>
+##	Execute dirsrv-admin server in the dirsrv-admin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_systemctl',`
+	gen_require(`
+		type dirsrvadmin_t;
+		type dirsrvadmin_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 dirsrvadmin_unit_file_t:file read_file_perms;
+	allow $1 dirsrvadmin_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, dirsrvadmin_t)
+')
+
+#######################################
+## <summary>
+##  Execute admin cgi programs in caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
+    gen_require(`
+       type dirsrvadmin_unconfined_script_t;
+        type dirsrvadmin_unconfined_script_exec_t;
+    ')
+
+   domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
+   allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
index 0000000000..51fb95d13e
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,173 @@
+policy_module(dirsrv-admin,1.0.0) 
+
+########################################
+#
+# Declarations for the daemon
+#
+
+type dirsrvadmin_t;
+type dirsrvadmin_exec_t;
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+type dirsrvadmin_lock_t;
+files_lock_file(dirsrvadmin_lock_t)
+
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+type dirsrvadmin_unit_file_t;
+systemd_unit_file(dirsrvadmin_unit_file_t)
+
+type dirsrvadmin_unconfined_script_t;
+type dirsrvadmin_unconfined_script_exec_t;
+domain_type(dirsrvadmin_unconfined_script_t)
+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
+role system_r types dirsrvadmin_unconfined_script_t;
+
+########################################
+#
+# Local policy for the daemon
+#
+
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrvadmin_t)
+
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+
+files_exec_etc_files(dirsrvadmin_t)
+
+libs_exec_ld_so(dirsrvadmin_t)
+
+logging_search_logs(dirsrvadmin_t)
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
+optional_policy(`
+	apache_domtrans(dirsrvadmin_t)
+	apache_signal(dirsrvadmin_t)
+')
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+
+optional_policy(`
+	apache_content_template(dirsrvadmin)
+	apache_content_alias_template(dirsrvadmin, dirsrvadmin)
+
+	allow dirsrvadmin_script_t self:process { getsched getpgid };
+	allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+	allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+	allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
+	allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+	allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+	allow dirsrvadmin_script_t self:sem create_sem_perms;
+
+
+	manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+	files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
+	kernel_read_kernel_sysctls(dirsrvadmin_script_t)
+
+    auth_read_passwd(dirsrvadmin_script_t)
+
+	corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
+	corenet_udp_bind_generic_node(dirsrvadmin_script_t)
+	corenet_all_recvfrom_netlabel(dirsrvadmin_script_t)
+
+	corenet_tcp_bind_http_port(dirsrvadmin_script_t)
+	corenet_tcp_connect_generic_port(dirsrvadmin_script_t)
+	corenet_tcp_connect_ldap_port(dirsrvadmin_script_t)
+	corenet_tcp_connect_http_port(dirsrvadmin_script_t)
+
+	files_search_var_lib(dirsrvadmin_script_t)
+
+	sysnet_read_config(dirsrvadmin_script_t)
+
+	manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	manage_lnk_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+    
+    miscfiles_read_certs(dirsrvadmin_script_t)
+
+    optional_policy(`
+        dirsrvadmin_systemctl(dirsrvadmin_script_t)
+    ')
+
+	optional_policy(`
+		apache_read_modules(dirsrvadmin_script_t)
+		apache_read_config(dirsrvadmin_script_t)
+        apache_read_pid_files(dirsrvadmin_script_t)
+        apache_read_tmp_symlinks(dirsrvadmin_script_t)
+        apache_read_tmp_files(dirsrvadmin_script_t)
+        apache_read_tmp_dirs(dirsrvadmin_script_t)
+		apache_signal(dirsrvadmin_script_t)
+		apache_signull(dirsrvadmin_script_t)
+	')
+
+	optional_policy(`
+		# The CGI scripts must be able to manage dirsrv-admin
+		dirsrvadmin_run_exec(dirsrvadmin_script_t)
+		dirsrvadmin_manage_config(dirsrvadmin_script_t)
+		dirsrv_domtrans(dirsrvadmin_script_t)
+		dirsrv_signal(dirsrvadmin_script_t)
+		dirsrv_signull(dirsrvadmin_script_t)
+		dirsrv_manage_log(dirsrvadmin_script_t)
+		dirsrv_manage_var_lib(dirsrvadmin_script_t)
+		dirsrv_pid_filetrans(dirsrvadmin_script_t)
+		dirsrv_manage_var_run(dirsrvadmin_script_t)
+		dirsrv_manage_config(dirsrvadmin_script_t)
+		dirsrv_read_share(dirsrvadmin_script_t)
+	')
+')
+
+#######################################
+#
+# Local policy for the admin CGIs
+#
+#
+
+
+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
+
+# needed because of filetrans rules
+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
+dirsrv_signal(dirsrvadmin_unconfined_script_t)
+dirsrv_signull(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
+
+optional_policy(`
+   unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
+
+
diff --git a/dirsrv.fc b/dirsrv.fc
new file mode 100644
index 0000000000..0c441124cf
--- /dev/null
+++ b/dirsrv.fc
@@ -0,0 +1,23 @@
+/etc/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd			--	gen_context(system_u:object_r:dirsrv_exec_t,s0)
+/usr/sbin/ldap-agent			--	gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/ldap-agent-bin		--	gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/start-dirsrv			--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/restart-dirsrv		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_share_t,s0)
+
+/var/run/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid	gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
+# BZ:
+/var/run/slapd.*    -s  gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+
+/var/lib/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+
+/var/log/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+
+/var/log/dirsrv/ldap-agent.log.*	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
diff --git a/dirsrv.if b/dirsrv.if
new file mode 100644
index 0000000000..943a99c98f
--- /dev/null
+++ b/dirsrv.if
@@ -0,0 +1,232 @@
+## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrv_domtrans',`
+	gen_require(`
+		type dirsrv_t, dirsrv_exec_t;
+	')
+
+	domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+')
+
+########################################
+## <summary>
+##	Execute dirsrv in the dirsrv domain, and
+##	allow the specified role the dirsrv domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrv_run',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	dirsrv_domtrans($1)
+	role $2 types dirsrv_t;
+')
+
+########################################
+## <summary>
+##  Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+##      Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+	gen_require(`
+		type dirsrv_var_log_t;
+	')
+
+	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_log_t:file manage_file_perms;
+	allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##		Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+        gen_require(`
+                type dirsrv_var_lib_t;
+        ')
+        allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+        allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to dirsrv over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrv_stream_connect',`
+	gen_require(`
+		type dirsrv_t, dirsrv_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+	gen_require(`
+		type dirsrv_var_run_t;
+	')
+	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_run_t:file manage_file_perms;
+	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
+######################################
+## <summary>
+##      Allow a domain to create dirsrv pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_pid_filetrans',`
+        gen_require(`
+                type dirsrv_var_run_t;
+        ')
+        # Allow creating a dir in /var/run with this type
+        files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#######################################
+## <summary>
+##      Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+        gen_require(`
+                type dirsrv_var_run_t;
+        ')
+        allow $1 dirsrv_var_run_t:dir list_dir_perms;
+        allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##      Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+	gen_require(`
+		type dirsrv_config_t;
+	')
+
+	allow $1 dirsrv_config_t:dir manage_dir_perms;
+	allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##      Read dirsrv share files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+	gen_require(`
+		type dirsrv_share_t;
+	')
+
+	allow $1 dirsrv_share_t:dir list_dir_perms;
+	allow $1 dirsrv_share_t:file { map read_file_perms };
+	allow $1 dirsrv_share_t:lnk_file read;
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 0000000000..dbddd4aafb
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,213 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+type dirsrv_snmp_t;
+type dirsrv_snmp_exec_t;
+domain_type(dirsrv_snmp_t)
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+type dirsrv_snmp_var_log_t;
+logging_log_file(dirsrv_snmp_var_log_t)
+
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+type dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_var_run_t)
+
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner };
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+allow dirsrv_t dirsrv_tmpfs_t:file map;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+allow dirsrv_t dirsrv_var_lib_t:file map;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+allow dirsrv_t dirsrv_var_run_t:file map;
+
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { dir file })
+files_setattr_lock_dirs(dirsrv_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir lnk_file })
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
+read_files_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
+list_dirs_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
+
+kernel_read_network_state(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+kernel_read_kernel_sysctls(dirsrv_t)
+
+corecmd_search_bin(dirsrv_t)
+
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_generic_node(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+
+dev_read_sysfs(dirsrv_t)
+dev_read_urand(dirsrv_t)
+
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
+fs_read_cgroup_files(dirsrv_t)
+
+auth_use_pam(dirsrv_t)
+
+logging_send_syslog_msg(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
+
+usermanage_read_crack_db(dirsrv_t)
+
+optional_policy(`
+	apache_dontaudit_leaks(dirsrv_t)
+')
+
+optional_policy(`
+	dirsrvadmin_read_tmp(dirsrv_t)
+')
+
+optional_policy(`
+	kerberos_use(dirsrv_t)
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
+# FIPS mode
+optional_policy(`
+	prelink_exec(dirsrv_t)
+')
+
+optional_policy(`
+	rpcbind_stream_connect(dirsrv_t)
+')
+
+optional_policy(`
+    uuidd_stream_connect_manager(dirsrv_t)
+')
+
+optional_policy(`
+	systemd_manage_passwd_run(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
+#
+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+kernel_read_system_state(dirsrv_snmp_t)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
+dev_read_urand(dirsrv_snmp_t)
+
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+userdom_use_inherited_user_ptys(dirsrv_snmp_t)
+
+optional_policy(`
+	snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+	snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+	snmp_manage_var_lib_dirs(dirsrv_snmp_t)
+	snmp_manage_var_lib_files(dirsrv_snmp_t)
+	snmp_stream_connect(dirsrv_snmp_t)
+')
diff --git a/distcc.if b/distcc.if
index 24d8c740c5..1790ec5dcb 100644
--- a/distcc.if
+++ b/distcc.if
@@ -19,7 +19,7 @@
 #
 interface(`distcc_admin',`
 	gen_require(`
-		type distccd_t, distccd_t, distccd_log_t;
+		type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
 		type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
 	')
 
diff --git a/distcc.te b/distcc.te
index 898b2f4339..8a1725b623 100644
--- a/distcc.te
+++ b/distcc.te
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
 
-corenet_all_recvfrom_unlabeled(distccd_t)
 corenet_all_recvfrom_netlabel(distccd_t)
 corenet_tcp_sendrecv_generic_if(distccd_t)
 corenet_tcp_sendrecv_generic_node(distccd_t)
@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t)
 
 logging_send_syslog_msg(distccd_t)
 
-miscfiles_read_localization(distccd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
 userdom_dontaudit_search_user_home_dirs(distccd_t)
 
diff --git a/djbdns.if b/djbdns.if
index 671d3c0a15..6d36c951a3 100644
--- a/djbdns.if
+++ b/djbdns.if
@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',`
 
 	allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
 	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+	corenet_all_recvfrom_netlabel(djbdns_$1_t)
+	corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+	corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+	corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+	corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+	corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_tcp_bind_generic_node(djbdns_$1_t)
+	corenet_udp_bind_generic_node(djbdns_$1_t)
+	corenet_tcp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_generic_port(djbdns_$1_t)
+	corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+	corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+	files_search_var(djbdns_$1_t)
 ')
 
 #####################################
diff --git a/djbdns.te b/djbdns.te
index 87ca536ae3..ebd327ad1a 100644
--- a/djbdns.te
+++ b/djbdns.te
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
 
 files_search_var(djbdns_domain)
 
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+
 ########################################
 #
 # axfrdns local policy
diff --git a/dkim.fc b/dkim.fc
index 5818418af7..674367b3a7 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -9,7 +9,6 @@
 
 /var/lib/dkim-milter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/var/run/dkim-filter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/dkim-milter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/dkim-milter\.pid	--	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
diff --git a/dmidecode.if b/dmidecode.if
index 41c3f67701..653a1ecbb5 100644
--- a/dmidecode.if
+++ b/dmidecode.if
@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',`
 	domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
 ')
 
+######################################
+## <summary>
+##	Execute dmidecode in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dmidecode_exec',`
+	gen_require(`
+		type dmidecode_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, dmidecode_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
index aa0ef6e944..d55bbd34c4 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -31,4 +31,9 @@ mls_file_read_all_levels(dmidecode_t)
 
 locallogin_use_fds(dmidecode_t)
 
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+    rhsmcertd_rw_lock_files(dmidecode_t)
+    rhsmcertd_read_log(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808d82..84735a8cb3 100644
--- a/dnsmasq.fc
+++ b/dnsmasq.fc
@@ -1,13 +1,16 @@
 /etc/dnsmasq\.conf	--	gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)?		gen_context(system_u:object_r:dnsmasq_etc_t,s0)
 
 /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
 /usr/sbin/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/lib/dnsmasq(/.*)?	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 
-/var/log/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
 
-/var/run/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 /var/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b80b9..a79982cd6e 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_domtrans',`
 	gen_require(`
 		type dnsmasq_exec_t, dnsmasq_t;
@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',`
 	domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
 ')
 
+#######################################
+## <summary>
+##  Execute dnsmasq server in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`dnsmasq_exec',`
+    gen_require(`
+        type dnsmasq_exec_t;
+    ')
+
+    can_exec($1, dnsmasq_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write dnsmasq pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnsmasq_rw_inherited_pipes',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+	allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute the dnsmasq init script in
@@ -40,6 +75,49 @@ interface(`dnsmasq_initrc_domtrans',`
 	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dnsmasq_systemctl',`
+	gen_require(`
+		type dnsmasq_unit_file_t;
+		type dnsmasq_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 dnsmasq_unit_file_t:file read_file_perms;
+	allow $1 dnsmasq_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
+##	Send sigchld to dnsmasq.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_sigchld',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+    allow $1 dnsmasq_t:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##	Send generic signals to dnsmasq.
@@ -145,15 +223,16 @@ interface(`dnsmasq_write_config',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_delete_pid_files',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -176,7 +255,7 @@ interface(`dnsmasq_manage_pid_files',`
 
 ########################################
 ## <summary>
-##	Read dnsmasq pid files.
+##	Read dnsmasq pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -184,12 +263,12 @@ interface(`dnsmasq_manage_pid_files',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_read_pid_files',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
@@ -214,37 +293,66 @@ interface(`dnsmasq_create_pid_dirs',`
 
 ########################################
 ## <summary>
-##	Create specified objects in specified
-##	directories with a type transition to
-##	the dnsmasq pid file type.
+##	Create dnsmasq pid directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	Directory to transition on.
-##	</summary>
-## </param>
-## <param name="object">
+#
+interface(`dnsmasq_read_state',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+    ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
+##	Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The object class of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+## <param name="private type">
 ##	<summary>
-##	The name of the object being created.
+##	The type of the directory for the object to be created.
 ##	</summary>
 ## </param>
 #
-interface(`dnsmasq_spec_filetrans_pid',`
+interface(`dnsmasq_filetrans_named_content_fromdir',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
-	filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
+	filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+	filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
+
+#######################################
+## <summary>
+##      Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dnsmasq_filetrans_named_content',`
+		gen_require(`
+            type dnsmasq_etc_t;
+			type dnsmasq_var_run_t;
+	')
+
+	files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+	files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+	virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+	files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
+	files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
 ')
 
 ########################################
@@ -267,12 +375,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
 interface(`dnsmasq_admin',`
 	gen_require(`
 		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
-		type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
+        type dnsmasq_var_log_t;
+		type dnsmasq_initrc_exec_t;
+		type dnsmasq_unit_file_t;
 	')
 
-	allow $1 dnsmasq_t:process { ptrace signal_perms };
+	allow $1 dnsmasq_t:process signal_perms;
 	ps_process_pattern($1, dnsmasq_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dnsmasq_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +395,36 @@ interface(`dnsmasq_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, dnsmasq_lease_t)
 
-	logging_seearch_logs($1)
+	logging_search_logs($1)
 	admin_pattern($1, dnsmasq_var_log_t)
 
 	files_list_pids($1)
 	admin_pattern($1, dnsmasq_var_run_t)
+
+	dnsmasq_systemctl($1)
+	admin_pattern($1, dnsmasq_unit_file_t)
+	allow $1 dnsmasq_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	dnsmasq over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnsmasq_dbus_chat',`
+	gen_require(`
+		type dnsmasq_t;
+		class dbus send_msg;
+	')
+
+	allow $1 dnsmasq_t:dbus send_msg;
+	allow dnsmasq_t $1:dbus send_msg;
 ')
+
+
diff --git a/dnsmasq.te b/dnsmasq.te
index 37a3b7b30e..3d07c22fa4 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,12 +24,18 @@ logging_log_file(dnsmasq_var_log_t)
 type dnsmasq_var_run_t;
 files_pid_file(dnsmasq_var_run_t)
 
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
+type dnsmasq_tmp_t;
+files_tmp_file(dnsmasq_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw };
+allow dnsmasq_t self:capability { chown dac_read_search dac_override net_admin setgid setuid net_raw };
 dontaudit dnsmasq_t self:capability sys_tty_config;
 allow dnsmasq_t self:process { getcap setcap signal_perms };
 allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
@@ -38,6 +44,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
 read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
 
 manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -51,12 +58,19 @@ manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
 manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
 files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
 
+manage_dirs_pattern(dnsmasq_t, dnsmasq_tmp_t, dnsmasq_tmp_t)
+manage_files_pattern(dnsmasq_t, dnsmasq_tmp_t, dnsmasq_tmp_t)
+files_tmp_filetrans(dnsmasq_t, dnsmasq_tmp_t, { file dir })
+
 kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
 kernel_read_network_state(dnsmasq_t)
 kernel_read_system_state(dnsmasq_t)
 kernel_request_load_module(dnsmasq_t)
 
-corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corecmd_exec_bin(dnsmasq_t)
+corecmd_exec_shell(dnsmasq_t)
+
 corenet_all_recvfrom_netlabel(dnsmasq_t)
 corenet_tcp_sendrecv_generic_if(dnsmasq_t)
 corenet_udp_sendrecv_generic_if(dnsmasq_t)
@@ -80,15 +94,16 @@ dev_read_urand(dnsmasq_t)
 domain_use_interactive_fds(dnsmasq_t)
 
 files_read_etc_runtime_files(dnsmasq_t)
+files_manage_mnt_files(dnsmasq_t)
 
 fs_getattr_all_fs(dnsmasq_t)
 fs_search_auto_mountpoints(dnsmasq_t)
 
 auth_use_nsswitch(dnsmasq_t)
 
-logging_send_syslog_msg(dnsmasq_t)
+libs_exec_ldconfig(dnsmasq_t)
 
-miscfiles_read_localization(dnsmasq_t)
+logging_send_syslog_msg(dnsmasq_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -97,13 +112,27 @@ optional_policy(`
 	cobbler_read_lib_files(dnsmasq_t)
 ')
 
+optional_policy(`
+	cron_manage_pid_files(dnsmasq_t)
+')
+
 optional_policy(`
 	dbus_connect_system_bus(dnsmasq_t)
 	dbus_system_bus_client(dnsmasq_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(dnsmasq_t)
+	')
 ')
 
 optional_policy(`
-	networkmanager_read_pid_files(dnsmasq_t)
+	dnsmasq_domtrans(dnsmasq_t)
+')
+
+optional_policy(`
+	networkmanager_read_conf(dnsmasq_t)
+	networkmanager_manage_pid_files(dnsmasq_t)
+    networkmanager_manage_lib(dnsmasq_t)
 ')
 
 optional_policy(`
@@ -124,6 +153,18 @@ optional_policy(`
 
 optional_policy(`
 	virt_manage_lib_files(dnsmasq_t)
+	virt_read_lib_files(dnsmasq_t)
 	virt_read_pid_files(dnsmasq_t)
 	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
 ')
+
+optional_policy(`
+    neutron_manage_lib_files(dnsmasq_t)
+    neutron_stream_connect(dnsmasq_t)
+    neutron_rw_fifo_file(dnsmasq_t)
+    neutron_sigchld(dnsmasq_t)
+')
+
+optional_policy(`
+    systemd_resolved_read_pid(dnsmasq_t)
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000000..1714fa6618
--- /dev/null
+++ b/dnssec.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/dnssec-triggerd.*    --  gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
+
+/usr/sbin/dnssec-triggerd	--	gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+/usr/libexec/dnssec-trigger-script  --  gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
+/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
new file mode 100644
index 0000000000..a846ce0308
--- /dev/null
+++ b/dnssec.if
@@ -0,0 +1,104 @@
+
+## <summary>policy for dnssec_trigger</summary>
+
+########################################
+## <summary>
+##	Transition to dnssec_trigger.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dnssec_trigger_domtrans',`
+	gen_require(`
+		type dnssec_trigger_t, dnssec_trigger_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
+')
+########################################
+## <summary>
+##	Read dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_read_pid_files',`
+	gen_require(`
+		type dnssec_trigger_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 dnssec_trigger_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_manage_pid_files',`
+	gen_require(`
+		type dnssec_trigger_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+	manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+	manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	Send signull to dnssec_trigger.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnssec_trigger_signull',`
+	gen_require(`
+		type dnssec_trigger_t;
+	')
+
+    allow $1 dnssec_trigger_t:process signull;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an dnssec_trigger environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_admin',`
+	gen_require(`
+		type dnssec_trigger_t;
+		type dnssec_trigger_var_run_t;
+	')
+
+	allow $1 dnssec_trigger_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dnssec_trigger_t)
+
+	files_search_pids($1)
+	admin_pattern($1, dnssec_trigger_var_run_t)
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 0000000000..bc3fac51c4
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,81 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnssec_trigger_t;
+type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+type dnssec_trigger_unit_file_t;
+systemd_unit_file(dnssec_trigger_unit_file_t)
+
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
+type dnssec_trigger_tmp_t;
+files_tmp_file(dnssec_trigger_tmp_t)
+
+########################################
+#
+# dnssec_trigger local policy
+#
+allow dnssec_trigger_t self:capability { net_admin linux_immutable };
+allow dnssec_trigger_t self:process signal;
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+allow dnssec_trigger_t dnssec_trigger_var_run_t:file  relabelfrom_file_perms;
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
+
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+files_tmp_filetrans(dnssec_trigger_t,dnssec_trigger_tmp_t,{ file dir })
+
+kernel_read_system_state(dnssec_trigger_t)
+
+corecmd_exec_bin(dnssec_trigger_t)
+corecmd_exec_shell(dnssec_trigger_t)
+
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
+corenet_tcp_connect_http_port(dnssec_trigger_t)
+
+dev_read_urand(dnssec_trigger_t)
+
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
+files_dontaudit_list_tmp(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
+auth_use_nsswitch(dnssec_trigger_t)
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+sysnet_filetrans_named_content(dnssec_trigger_t)
+
+optional_policy(`
+    dbus_system_bus_client(dnssec_trigger_t)
+')
+
+optional_policy(`
+    bind_domtrans(dnssec_trigger_t)
+	bind_read_config(dnssec_trigger_t)
+	bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
+optional_policy(`
+    networkmanager_stream_connect(dnssec_trigger_t)
+    networkmanager_sigchld(dnssec_trigger_t)
+    networkmanager_sigkill(dnssec_trigger_t)
+    networkmanager_signull(dnssec_trigger_t)
+')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e782f..e6fe2f402f 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
 
 logging_send_syslog_msg(dnssec_triggerd_t)
 
-miscfiles_read_localization(dnssec_triggerd_t)
-
 sysnet_dns_name_resolve(dnssec_triggerd_t)
 sysnet_manage_config(dnssec_triggerd_t)
 sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/dovecot.fc b/dovecot.fc
index c880070041..444805588a 100644
--- a/dovecot.fc
+++ b/dovecot.fc
@@ -1,36 +1,48 @@
-/etc/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot/passwd.*	gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
-/etc/dovecot\.conf.*	gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.passwd.*	gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-/etc/pki/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /etc
+#
+/etc/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.*			gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
+/etc/pki/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_cert_t,s0)
 /etc/rc\.d/init\.d/dovecot	--	gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
 
-/usr/sbin/dovecot	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian',`
+/etc/dovecot/passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
 
-/usr/share/ssl/certs/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /usr
+#
+/usr/sbin/dovecot		--	gen_context(system_u:object_r:dovecot_exec_t,s0)
 
-/etc/ssl/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/certs/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
 
-/usr/lib/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ifdef(`distro_debian', `
 /usr/lib/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/dovecot-lda	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+')
 
-/usr/libexec/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
 
-/var/run/dovecot(-login)?(/.*)?	gen_context(system_u:object_r:dovecot_var_run_t,s0)
-/var/run/dovecot/login/ssl-parameters.dat	--	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/lib/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/log/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/log/dovecot\.log.*	gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.*			gen_context(system_u:object_r:dovecot_var_log_t,s0)
 
-/var/spool/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
index d5badb7557..c2431fc731 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
-## <summary>POP and IMAP mail server.</summary>
+## <summary>Dovecot POP and IMAP mail server</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  dovecot daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`dovecot_basic_types_template',`
+	gen_require(`
+		attribute dovecot_domain;
+	')
+
+	type $1_t, dovecot_domain;
+	type $1_exec_t;
+
+	kernel_read_system_state($1_t)
+')
 
 #######################################
 ## <summary>
-##	Connect to dovecot using a unix
-##	domain stream socket.
+##  Connect to dovecot unix domain stream socket.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`dovecot_stream_connect',`
-	gen_require(`
-		type dovecot_t, dovecot_var_run_t;
-	')
+    gen_require(`
+        type dovecot_t, dovecot_var_run_t;
+    ')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+    files_search_pids($1)
+    stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to dovecot using a unix
-##	domain stream socket.
+##	Connect to dovecot auth unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',`
 
 ########################################
 ## <summary>
-##	Execute dovecot_deliver in the
-##	dovecot_deliver domain.
+##	Execute dovecot_deliver in the dovecot_deliver domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',`
 		type dovecot_deliver_t, dovecot_deliver_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	dovecot spool files.
+##	Create, read, write, and delete the dovecot spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',`
 	')
 
 	files_search_spool($1)
-	allow $1 dovecot_spool_t:dir manage_dir_perms;
-	allow $1 dovecot_spool_t:file manage_file_perms;
-	allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
+	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to delete
-##	dovecot lib files.
+##	Do not audit attempts to delete dovecot lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 		type dovecot_var_lib_t;
 	')
 
-	dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
+	dontaudit $1 dovecot_var_lib_t:file unlink;
 ')
 
 ######################################
 ## <summary>
-##	Write inherited dovecot tmp files.
+##	Allow attempts to write inherited
+##	dovecot tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
 	allow $1 dovecot_tmp_t:file write;
 ')
 
+####################################
+## <summary>
+##	Read dovecot configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dovecot_read_config',`
+	gen_require(`
+		type dovecot_etc_t;
+	')
+
+	files_search_etc($1)
+	list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
+	read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
+')
+
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an dovecot environment.
+##	All of the rules required to administrate
+##	an dovecot environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -132,7 +168,7 @@ interface(`dovecot_write_inherited_tmp_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the dovecot domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -146,9 +182,13 @@ interface(`dovecot_admin',`
 		type dovecot_keytab_t;
 	')
 
-	allow $1 dovecot_t:process { ptrace signal_perms };
+	allow $1 dovecot_t:process signal_perms;
 	ps_process_pattern($1, dovecot_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dovecot_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 dovecot_initrc_exec_t system_r;
@@ -157,20 +197,25 @@ interface(`dovecot_admin',`
 	files_list_etc($1)
 	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
 
-	logging_list_logs($1)
-	admin_pattern($1, dovecot_var_log_t)
+	files_list_tmp($1)
+	admin_pattern($1, dovecot_auth_tmp_t)
+	admin_pattern($1, dovecot_tmp_t)
+
+	admin_pattern($1, dovecot_keytab_t)
 
 	files_list_spool($1)
 	admin_pattern($1, dovecot_spool_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
-
 	files_list_var_lib($1)
 	admin_pattern($1, dovecot_var_lib_t)
 
+	logging_search_logs($1)
+	admin_pattern($1, dovecot_var_log_t)
+
 	files_list_pids($1)
 	admin_pattern($1, dovecot_var_run_t)
 
-	admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
+	admin_pattern($1, dovecot_cert_t)
+
+	admin_pattern($1, dovecot_passwd_t)
 ')
diff --git a/dovecot.te b/dovecot.te
index 0aabc7e663..641a03465a 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
 
 attribute dovecot_domain;
 
-type dovecot_t, dovecot_domain;
-type dovecot_exec_t;
+dovecot_basic_types_template(dovecot)
 init_daemon_domain(dovecot_t, dovecot_exec_t)
 
-type dovecot_auth_t, dovecot_domain;
-type dovecot_auth_exec_t;
+dovecot_basic_types_template(dovecot_auth)
 domain_type(dovecot_auth_t)
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t)
 type dovecot_cert_t;
 miscfiles_cert_type(dovecot_cert_t)
 
-type dovecot_deliver_t, dovecot_domain;
-type dovecot_deliver_exec_t;
+dovecot_basic_types_template(dovecot_deliver)
 domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
 role system_r types dovecot_deliver_t;
@@ -45,11 +42,12 @@ type dovecot_passwd_t;
 files_type(dovecot_passwd_t)
 
 type dovecot_spool_t;
-files_type(dovecot_spool_t)
+files_spool_file(dovecot_spool_t)
 
 type dovecot_tmp_t;
 files_tmp_file(dovecot_tmp_t)
 
+# /var/lib/dovecot holds SSL parameters file
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t)
 
@@ -59,20 +57,20 @@ logging_log_file(dovecot_var_log_t)
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
 
-########################################
+#######################################
 #
-# Common local policy
+# dovecot domain local policy
 #
 
-allow dovecot_domain self:capability2 block_suspend;
-allow dovecot_domain self:fifo_file rw_fifo_file_perms;
+allow dovecot_domain self:capability sys_resource;
+dontaudit dovecot_domain self:capability2 block_suspend;
+allow dovecot_domain self:process signal_perms;
 
-allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
-allow dovecot_domain dovecot_etc_t:file read_file_perms;
-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
 
 kernel_read_all_sysctls(dovecot_domain)
-kernel_read_system_state(dovecot_domain)
+kernel_read_network_state(dovecot_domain)
 
 corecmd_exec_bin(dovecot_domain)
 corecmd_exec_shell(dovecot_domain)
@@ -81,26 +79,34 @@ dev_read_sysfs(dovecot_domain)
 dev_read_rand(dovecot_domain)
 dev_read_urand(dovecot_domain)
 
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
 files_read_etc_runtime_files(dovecot_domain)
 
-logging_send_syslog_msg(dovecot_domain)
-
-miscfiles_read_localization(dovecot_domain)
-
 ########################################
 #
-# Local policy
+# dovecot local policy
 #
 
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot sys_resource };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
-allow dovecot_t self:tcp_socket { accept listen };
-allow dovecot_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
 
 allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-allow dovecot_t dovecot_cert_t:file read_file_perms;
-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
 
 allow dovecot_t dovecot_keytab_t:file read_file_perms;
 
@@ -108,12 +114,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
 
+# Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 
 manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
 
 manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -125,45 +132,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
 
-corenet_all_recvfrom_unlabeled(dovecot_t)
 corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_generic_if(dovecot_t)
 corenet_tcp_sendrecv_generic_node(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_generic_node(dovecot_t)
-
-corenet_sendrecv_mail_server_packets(dovecot_t)
 corenet_tcp_bind_mail_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
 corenet_tcp_bind_pop_port(dovecot_t)
-corenet_sendrecv_sieve_server_packets(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
 corenet_tcp_bind_sieve_port(dovecot_t)
-
-corenet_sendrecv_all_client_packets(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
 
 domain_use_interactive_fds(dovecot_t)
 
-files_read_var_lib_files(dovecot_t)
-files_read_var_symlinks(dovecot_t)
 files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
 files_dontaudit_search_all_dirs(dovecot_t)
 files_search_all_mountpoints(dovecot_t)
-
-fs_getattr_all_fs(dovecot_t)
-fs_getattr_all_dirs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
+files_read_var_lib_files(dovecot_t)
 
 init_getattr_utmp(dovecot_t)
 
@@ -171,45 +168,45 @@ auth_use_nsswitch(dovecot_t)
 
 miscfiles_read_generic_certs(dovecot_t)
 
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_use_user_terminals(dovecot_t)
+logging_send_syslog_msg(dovecot_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(dovecot_t)
-	fs_manage_nfs_files(dovecot_t)
-	fs_manage_nfs_symlinks(dovecot_t)
-')
+userdom_home_manager(dovecot_t)
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_filetrans_home_content(dovecot_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(dovecot_t)
-	fs_manage_cifs_files(dovecot_t)
-	fs_manage_cifs_symlinks(dovecot_t)
+optional_policy(`
+	mta_manage_home_rw(dovecot_t)
+    mta_mmap_home_rw(dovecot_t)
+	mta_manage_spool(dovecot_t)
 ')
 
 optional_policy(`
 	kerberos_manage_host_rcache(dovecot_t)
 	kerberos_read_keytab(dovecot_t)
-	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+	kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
 	kerberos_use(dovecot_t)
 ')
 
 optional_policy(`
-	mta_manage_spool(dovecot_t)
-	mta_manage_mail_home_rw_content(dovecot_t)
-	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
-	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+	gnome_manage_data(dovecot_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(dovecot_t)
+	postfix_manage_private_sockets(dovecot_t)
+	postfix_search_spool(dovecot_t)
 ')
 
 optional_policy(`
-	postfix_manage_private_sockets(dovecot_t)
-	postfix_search_spool(dovecot_t)
+	postgresql_stream_connect(dovecot_t)
 ')
 
 optional_policy(`
+	# Handle sieve scripts
 	sendmail_domtrans(dovecot_t)
 ')
 
@@ -227,103 +224,155 @@ optional_policy(`
 
 ########################################
 #
-# Auth local policy
+# dovecot auth local policy
 #
 
-allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
+allow dovecot_auth_t self:capability { chown dac_read_search dac_override ipc_lock setgid setuid sys_nice };
 allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
 read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
 
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
+manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+
 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
 
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+dovecot_stream_connect_auth(dovecot_auth_t)
 
-files_search_pids(dovecot_auth_t)
-files_read_usr_files(dovecot_auth_t)
-files_read_var_lib_files(dovecot_auth_t)
+corecmd_exec_bin(dovecot_auth_t)
+
+logging_send_audit_msgs(dovecot_auth_t)
 
 auth_domtrans_chk_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)
 
-init_rw_utmp(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
 
-logging_send_audit_msgs(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
 
-seutil_dontaudit_search_config(dovecot_auth_t)
+fs_getattr_xattr_fs(dovecot_auth_t)
+
+init_rw_utmp(dovecot_auth_t)
+init_stream_connect(dovecot_auth_t)
 
 sysnet_use_ldap(dovecot_auth_t)
 
+systemd_login_read_pid_files(dovecot_auth_t)
+systemd_dbus_chat_logind(dovecot_auth_t)
+systemd_write_inherited_logind_sessions_pipes(dovecot_auth_t)
+
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
 optional_policy(`
+	kerberos_use(dovecot_auth_t)
+
+	# for gssapi (kerberos)
 	userdom_list_user_tmp(dovecot_auth_t)
 	userdom_read_user_tmp_files(dovecot_auth_t)
 	userdom_read_user_tmp_symlinks(dovecot_auth_t)
 ')
 
 optional_policy(`
+	mysql_search_db(dovecot_auth_t)
 	mysql_stream_connect(dovecot_auth_t)
 	mysql_read_config(dovecot_auth_t)
 	mysql_tcp_connect(dovecot_auth_t)
+    mysql_rw_db_sockets(dovecot_auth_t)
 ')
 
 optional_policy(`
 	nis_authenticate(dovecot_auth_t)
 ')
 
+optional_policy(`
+	dbus_system_bus_client(dovecot_auth_t)
+	optional_policy(`
+		oddjob_dbus_chat(dovecot_auth_t)
+		oddjob_domtrans_mkhomedir(dovecot_auth_t)
+	')
+')
+
 optional_policy(`
 	postfix_manage_private_sockets(dovecot_auth_t)
+	postfix_rw_inherited_master_pipes(dovecot_deliver_t)
 	postfix_search_spool(dovecot_auth_t)
 ')
 
 ########################################
 #
-# Deliver local policy
+# dovecot deliver local policy
 #
 
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
 
-append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir })
 
 manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
 
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
-
-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
 
 can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 
-allow dovecot_deliver_t dovecot_t:process signull;
+auth_use_nsswitch(dovecot_deliver_t)
 
-fs_getattr_all_fs(dovecot_deliver_t)
+logging_append_all_logs(dovecot_deliver_t)
+logging_send_syslog_msg(dovecot_deliver_t)
 
-auth_use_nsswitch(dovecot_deliver_t)
+dovecot_stream_connect_auth(dovecot_deliver_t)
 
-logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+files_search_all_mountpoints(dovecot_deliver_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(dovecot_deliver_t)
-	fs_manage_nfs_files(dovecot_deliver_t)
-	fs_manage_nfs_symlinks(dovecot_deliver_t)
-')
+fs_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_filetrans_home_content(dovecot_deliver_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(dovecot_deliver_t)
-	fs_manage_cifs_files(dovecot_deliver_t)
-	fs_manage_cifs_symlinks(dovecot_deliver_t)
+userdom_home_manager(dovecot_deliver_t)
+
+optional_policy(`
+	gnome_manage_data(dovecot_deliver_t)
 ')
 
 optional_policy(`
 	mta_mailserver_delivery(dovecot_deliver_t)
+    mta_mmap_home_rw(dovecot_deliver_t)
+	mta_manage_spool(dovecot_deliver_t)
 	mta_read_queue(dovecot_deliver_t)
 ')
 
@@ -332,5 +381,6 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# Handle sieve scripts
 	sendmail_domtrans(dovecot_deliver_t)
 ')
diff --git a/dpkg.te b/dpkg.te
index 50af48c896..5ab49010f4 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
 # Local policy
 #
 
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
 allow dpkg_t self:process { setpgid fork getsched setfscreate };
 allow dpkg_t self:fd use;
 allow dpkg_t self:fifo_file rw_fifo_file_perms;
diff --git a/drbd.fc b/drbd.fc
index 671a3fb6f4..47b4958d08 100644
--- a/drbd.fc
+++ b/drbd.fc
@@ -3,7 +3,7 @@
 /sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
-/usr/lib/ocf/resource.\d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/lib/ocf/resource\.d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
 /usr/sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /usr/sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
@@ -11,3 +11,5 @@
 /var/lib/drbd(/.*)?	gen_context(system_u:object_r:drbd_var_lib_t,s0)
 
 /var/lock/subsys/drbd	--	gen_context(system_u:object_r:drbd_lock_t,s0)
+
+/var/run/drbd(/.*)?		gen_context(system_u:object_r:drbd_var_run_t,s0)
diff --git a/drbd.if b/drbd.if
index 9a21639361..26c59868b4 100644
--- a/drbd.if
+++ b/drbd.if
@@ -2,12 +2,11 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run drbd.
+##	Execute a domain transition to run drbd.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ## </summary>
 ## </param>
 #
@@ -16,14 +15,91 @@ interface(`drbd_domtrans',`
 		type drbd_t, drbd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, drbd_exec_t, drbd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an drbd environment.
+##	Search drbd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_search_lib',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	allow $1 drbd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read drbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_read_lib_files',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	drbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_manage_lib_files',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage drbd lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_manage_lib_dirs',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an drbd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -35,7 +111,6 @@ interface(`drbd_domtrans',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`drbd_admin',`
 	gen_require(`
@@ -43,9 +118,13 @@ interface(`drbd_admin',`
 		type drbd_var_lib_t;
 	')
 
-	allow $1 drbd_t:process { ptrace signal_perms };
+	allow $1 drbd_t:process signal_perms;
 	ps_process_pattern($1, drbd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 drbd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, drbd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 drbd_initrc_exec_t system_r;
@@ -57,3 +136,4 @@ interface(`drbd_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, drbd_var_lib_t)
 ')
+
diff --git a/drbd.te b/drbd.te
index f2516cc073..af2c2ad81d 100644
--- a/drbd.te
+++ b/drbd.te
@@ -18,38 +18,72 @@ files_type(drbd_var_lib_t)
 type drbd_lock_t;
 files_lock_file(drbd_lock_t)
 
+type drbd_var_run_t;
+files_pid_file(drbd_var_run_t)
+
+type drbd_tmp_t;
+files_tmp_file(drbd_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow drbd_t self:capability { kill net_admin };
+allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin };
 dontaudit drbd_t self:capability sys_tty_config;
 allow drbd_t self:fifo_file rw_fifo_file_perms;
 allow drbd_t self:unix_stream_socket create_stream_socket_perms;
 allow drbd_t self:netlink_socket create_socket_perms;
-allow drbd_t self:netlink_route_socket nlmsg_write;
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
 
 manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
 manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
 manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
 files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
 
+manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir })
+
 manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
 files_lock_filetrans(drbd_t, drbd_lock_t, file)
 
-can_exec(drbd_t, drbd_exec_t)
+manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
+manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
+files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir})
 
 kernel_read_system_state(drbd_t)
+kernel_load_module(drbd_t)
+
+auth_use_nsswitch(drbd_t)
+
+can_exec(drbd_t, drbd_exec_t)
+
+corecmd_exec_bin(drbd_t)
+
+corenet_tcp_connect_http_port(drbd_t)
 
 dev_read_rand(drbd_t)
 dev_read_sysfs(drbd_t)
 dev_read_urand(drbd_t)
 
-files_read_etc_files(drbd_t)
+files_read_kernel_modules(drbd_t)
 
-storage_raw_read_fixed_disk(drbd_t)
+logging_send_syslog_msg(drbd_t)
+
+fs_getattr_xattr_fs(drbd_t)
 
-miscfiles_read_localization(drbd_t)
+modutils_read_module_config(drbd_t)
+modutils_exec_insmod(drbd_t)
+
+storage_raw_read_fixed_disk(drbd_t)
+storage_raw_write_fixed_disk(drbd_t)
 
 sysnet_dns_name_resolve(drbd_t)
+
+optional_policy(`
+    rhcs_read_log_cluster(drbd_t)
+    rhcs_rw_cluster_tmpfs(drbd_t)
+    rhcs_manage_cluster_lib_files(drbd_t)
+')
diff --git a/dspam.fc b/dspam.fc
index 5eddac51c8..b5fcb77608 100644
--- a/dspam.fc
+++ b/dspam.fc
@@ -2,11 +2,16 @@
 
 /usr/bin/dspam	--	gen_context(system_u:object_r:dspam_exec_t,s0)
 
-/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:dspam_script_exec_t,s0)
 
 /var/lib/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)?	gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
 
 /var/log/dspam(/.*)?	gen_context(system_u:object_r:dspam_log_t,s0)
 
 /var/run/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+# web
+/var/www/dspam/.*\.cgi 	--	gen_context(system_u:object_r:dspam_script_exec_t,s0)
+/var/www/dspam(/.*?)		gen_context(system_u:object_r:dspam_content_t,s0)
+
+/var/lib/dspam/data(/.*)?			gen_context(system_u:object_r:dspam_rw_content_t,s0)
diff --git a/dspam.if b/dspam.if
index 18f2452509..a446210f0d 100644
--- a/dspam.if
+++ b/dspam.if
@@ -1,13 +1,15 @@
-## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
+
+## <summary>policy for dspam</summary>
+
 
 ########################################
 ## <summary>
 ##	Execute a domain transition to run dspam.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`dspam_domtrans',`
@@ -15,35 +17,211 @@ interface(`dspam_domtrans',`
 		type dspam_t, dspam_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, dspam_exec_t, dspam_t)
 ')
 
-#######################################
+
+########################################
 ## <summary>
-##	Connect to dspam using a unix
-##	domain stream socket.
+##	Execute dspam server in the dspam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dspam_initrc_domtrans',`
+	gen_require(`
+		type dspam_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read dspam's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`dspam_stream_connect',`
+interface(`dspam_read_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        read_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	dspam log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`dspam_append_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        append_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage dspam log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
+        manage_files_pattern($1, dspam_log_t, dspam_log_t)
+        manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Search dspam lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_search_lib',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	allow $1 dspam_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read dspam lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_read_lib_files',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	dspam lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_lib_files',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage dspam lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_lib_dirs',`
 	gen_require(`
-		type dspam_t, dspam_var_run_t, dspam_tmp_t;
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	Read dspam PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_read_pid_files',`
+	gen_require(`
+		type dspam_var_run_t;
 	')
 
 	files_search_pids($1)
+	allow $1 dspam_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Connect to DSPAM using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dspam_stream_connect',`
+    gen_require(`
+        type dspam_t, dspam_var_run_t, dspam_tmp_t;
+    ')
+
+    files_search_pids($1)
 	files_search_tmp($1)
-	stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
+    stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
+    stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an dspam environment.
+##	All of the rules required to administrate
+##	an dspam environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',`
 #
 interface(`dspam_admin',`
 	gen_require(`
-		type dspam_t, dspam_initrc_exec_t, dspam_log_t;
-		type dspam_var_lib_t, dspam_var_run_t;
+		type dspam_t;
+		type dspam_initrc_exec_t;
+		type dspam_log_t;
+		type dspam_var_lib_t;
+		type dspam_var_run_t;
 	')
 
-	allow $1 dspam_t:process { ptrace signal_perms };
+	allow $1 dspam_t:process signal_perms;
 	ps_process_pattern($1, dspam_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dspam_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+	dspam_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 dspam_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -79,4 +263,5 @@ interface(`dspam_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, dspam_var_run_t)
+
 ')
diff --git a/dspam.te b/dspam.te
index ef6236335e..6b0dc19d12 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
 
 allow dspam_t self:capability net_admin;
 allow dspam_t self:process signal;
+
+allow dspam_t self:tcp_socket { listen accept };
+
 allow dspam_t self:fifo_file rw_fifo_file_perms;
 allow dspam_t self:unix_stream_socket { accept listen };
 
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
 corenet_tcp_bind_spamd_port(dspam_t)
 corenet_tcp_connect_spamd_port(dspam_t)
 corenet_tcp_sendrecv_spamd_port(dspam_t)
+corenet_tcp_bind_lmtp_port(dspam_t)
+corenet_tcp_connect_lmtp_port(dspam_t)
+
+kernel_read_system_state(dspam_t)
+
+corecmd_exec_shell(dspam_t)
 
 files_search_spool(dspam_t)
 
@@ -64,14 +73,33 @@ auth_use_nsswitch(dspam_t)
 
 logging_send_syslog_msg(dspam_t)
 
-miscfiles_read_localization(dspam_t)
-
 optional_policy(`
 	apache_content_template(dspam)
+	apache_content_alias_template(dspam, dspam)
+
+    allow dspam_t dspam_rw_content_t:file map;
+	read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
+	auth_read_passwd(dspam_script_t)
+
+	files_search_var_lib(dspam_script_t)
+
+	domain_dontaudit_read_all_domains_state(dspam_script_t)
+
+	term_dontaudit_search_ptys(dspam_script_t)
+	term_dontaudit_getattr_all_ttys(dspam_script_t)
+	term_dontaudit_getattr_all_ptys(dspam_script_t)
 
-	list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
-	manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-	manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+	init_read_utmp(dspam_script_t)
+
+	logging_send_syslog_msg(dspam_script_t)
+
+	mta_send_mail(dspam_script_t)
+
+	optional_policy(`
+	    mysql_tcp_connect(dspam_script_t)
+	    mysql_stream_connect(dspam_script_t)
+	')
 ')
 
 optional_policy(`
@@ -87,3 +115,12 @@ optional_policy(`
 
 	postgresql_tcp_connect(dspam_t)
 ')
+
+optional_policy(`
+    postfix_rw_inherited_master_pipes(dspam_t)
+    postfix_list_spool(dspam_t)
+')
+
+optional_policy(`
+    procmail_domtrans(dspam_t)
+')
diff --git a/entropyd.te b/entropyd.te
index b8b8328c07..e3dc7c72c8 100644
--- a/entropyd.te
+++ b/entropyd.te
@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
 ##	the entropy feeds.
 ##	</p>
 ## </desc>
-gen_tunable(entropyd_use_audio, false)
+gen_tunable(entropyd_use_audio, true)
 
 type entropyd_t;
 type entropyd_exec_t;
@@ -29,7 +29,7 @@ files_pid_file(entropyd_var_run_t)
 # Local policy
 #
 
-allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
+allow entropyd_t self:capability { dac_read_search dac_override ipc_lock sys_admin };
 dontaudit entropyd_t self:capability sys_tty_config;
 allow entropyd_t self:process signal_perms;
 
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
 
-files_read_etc_files(entropyd_t)
-files_read_usr_files(entropyd_t)
-
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
 
@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t)
 
 logging_send_syslog_msg(entropyd_t)
 
-miscfiles_read_localization(entropyd_t)
+auth_use_nsswitch(entropyd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)
diff --git a/etcd.fc b/etcd.fc
new file mode 100644
index 0000000000..eac30a338e
--- /dev/null
+++ b/etcd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/etcd.*  --  gen_context(system_u:object_r:etcd_unit_file_t,s0)
+
+/usr/bin/etcd                   --  gen_context(system_u:object_r:etcd_exec_t,s0)
+
+/var/lib/etcd(/.*)?                 gen_context(system_u:object_r:etcd_var_lib_t,s0)
diff --git a/etcd.if b/etcd.if
new file mode 100644
index 0000000000..d1a05a6507
--- /dev/null
+++ b/etcd.if
@@ -0,0 +1,161 @@
+## <summary>A highly-available key value store for shared configuration.</summary>
+
+########################################
+## <summary>
+##	Execute etcd in the etcd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`etcd_domtrans',`
+	gen_require(`
+		type etcd_t, etcd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, etcd_exec_t, etcd_t)
+')
+
+########################################
+## <summary>
+##	Search etcd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`etcd_search_lib',`
+	gen_require(`
+		type etcd_var_lib_t;
+	')
+
+	allow $1 etcd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read etcd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`etcd_read_lib_files',`
+	gen_require(`
+		type etcd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage etcd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`etcd_manage_lib_files',`
+	gen_require(`
+		type etcd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage etcd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`etcd_manage_lib_dirs',`
+	gen_require(`
+		type etcd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute etcd server in the etcd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`etcd_systemctl',`
+	gen_require(`
+		type etcd_t;
+		type etcd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 etcd_unit_file_t:file read_file_perms;
+	allow $1 etcd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, etcd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an etcd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`etcd_admin',`
+	gen_require(`
+		type etcd_t;
+		type etcd_var_lib_t;
+	    type etcd_unit_file_t;
+	')
+
+	allow $1 etcd_t:process { signal_perms };
+	ps_process_pattern($1, etcd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 etcd_t:process ptrace;
+    ')
+
+	files_search_var_lib($1)
+	admin_pattern($1, etcd_var_lib_t)
+
+	etcd_systemctl($1)
+	admin_pattern($1, etcd_unit_file_t)
+	allow $1 etcd_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/etcd.te b/etcd.te
new file mode 100644
index 0000000000..7cee445f6a
--- /dev/null
+++ b/etcd.te
@@ -0,0 +1,42 @@
+policy_module(etcd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type etcd_t;
+type etcd_exec_t;
+init_daemon_domain(etcd_t,etcd_exec_t)
+
+permissive etcd_t;
+
+type etcd_unit_file_t;
+systemd_unit_file(etcd_unit_file_t)
+
+type etcd_var_lib_t;
+files_type(etcd_var_lib_t)
+
+########################################
+#
+# ectd local policy
+#
+
+allow etcd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+manage_files_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+manage_lnk_files_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+files_var_lib_filetrans(etcd_t, etcd_var_lib_t, dir)
+
+kernel_read_unix_sysctls(etcd_t)
+kernel_read_net_sysctls(etcd_t)
+
+corenet_tcp_bind_generic_node(etcd_t)
+
+corenet_tcp_bind_kubernetes_port(etcd_t)
+corenet_tcp_bind_afs3_callback_port(etcd_t)
+
+fs_getattr_xattr_fs(etcd_t)
+
+logging_send_syslog_msg(etcd_t)
diff --git a/evolution.fc b/evolution.fc
index 597f305dae..85206539cc 100644
--- a/evolution.fc
+++ b/evolution.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.camel_certs(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
 HOME_DIR/\.evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.cache/evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
 
 /tmp/\.exchange-USER(/.*)?	gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
 
diff --git a/evolution.te b/evolution.te
index c99e07c483..ab9dd9f90f 100644
--- a/evolution.te
+++ b/evolution.te
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
 
 domain_dontaudit_read_all_domains_state(evolution_t)
 
-files_read_usr_files(evolution_t)
 
 fs_search_auto_mountpoints(evolution_t)
 
@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
 
 userdom_manage_user_home_content_dirs(evolution_t)
 userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_filetrans_home_content(evolution_t)
 
 userdom_write_user_tmp_sockets(evolution_t)
 
@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
 
 dev_read_urand(evolution_alarm_t)
 
-files_read_usr_files(evolution_alarm_t)
 
 fs_search_auto_mountpoints(evolution_alarm_t)
 
@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t)
 
 dev_read_urand(evolution_exchange_t)
 
-files_read_usr_files(evolution_exchange_t)
 
 fs_search_auto_mountpoints(evolution_exchange_t)
 
@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t)
 
 dev_read_urand(evolution_server_t)
 
-files_read_usr_files(evolution_server_t)
 
 fs_search_auto_mountpoints(evolution_server_t)
 
diff --git a/exim.if b/exim.if
index 9bbc6907a9..4a8d0536b4 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute exim in the exim domain,
-##	and allow the specified role
-##	the exim domain.
+##     Execute the mailman program in the mailman domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
 ## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##     <summary>
+##     The role to allow the mailman domain.
+##     </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`exim_run',`
+       gen_require(`
+               type exim_t;
+       ')
+
+       exim_domtrans($1)
+       role $2 types exim_t;
+')
+
+########################################
+## <summary>
+##	Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`exim_initrc_domtrans',`
 	gen_require(`
-		attribute_role exim_roles;
+		type exim_initrc_exec_t;
 	')
 
-	exim_domtrans($1)
-	roleattribute $2 exim_roles;
+	init_labeled_script_domtrans($1, exim_initrc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read exim
-##	temporary tmp files.
+##	Do not audit attempts to read, 
+##	exim tmp files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read exim temporary files.
+##	Allow domain to read, exim tmp files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read exim pid files.
+##	Read exim PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Read exim log files.
+##	Allow the specified domain to read exim's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -125,7 +141,8 @@ interface(`exim_read_log',`
 
 ########################################
 ## <summary>
-##	Append exim log files.
+##	Allow the specified domain to append
+##	exim log files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -144,8 +161,7 @@ interface(`exim_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	exim log files.
+##	Allow the specified domain to manage exim's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -166,7 +182,7 @@ interface(`exim_manage_log',`
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	exim spool directories.
+##	exim spool dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`exim_admin',`
 	gen_require(`
@@ -285,10 +300,14 @@ interface(`exim_admin',`
 		type exim_keytab_t;
 	')
 
-	allow $1 exim_t:process { ptrace signal_perms };
+	allow $1 exim_t:process signal_perms;
 	ps_process_pattern($1, exim_t)
 
-	init_labeled_script_domtrans($1, exim_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 exim_t:process ptrace;
+	')
+
+	exim_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 exim_initrc_exec_t system_r;
 	allow $2 system_r;
diff --git a/exim.te b/exim.te
index 4086c51b90..3e7a99099c 100644
--- a/exim.te
+++ b/exim.te
@@ -55,7 +55,7 @@ type exim_log_t;
 logging_log_file(exim_log_t)
 
 type exim_spool_t;
-files_type(exim_spool_t)
+files_spool_file(exim_spool_t)
 
 type exim_tmp_t;
 files_tmp_file(exim_tmp_t)
@@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t)
 kernel_read_crypto_sysctls(exim_t)
 kernel_read_kernel_sysctls(exim_t)
 kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
+kernel_read_system_state(exim_t)
 
 corecmd_search_bin(exim_t)
 
-corenet_all_recvfrom_unlabeled(exim_t)
 corenet_all_recvfrom_netlabel(exim_t)
 corenet_tcp_sendrecv_generic_if(exim_t)
 corenet_udp_sendrecv_generic_if(exim_t)
@@ -151,10 +150,10 @@ fs_getattr_xattr_fs(exim_t)
 fs_list_inotifyfs(exim_t)
 
 auth_use_nsswitch(exim_t)
+auth_domtrans_chk_passwd(exim_t)
 
 logging_send_syslog_msg(exim_t)
 
-miscfiles_read_localization(exim_t)
 miscfiles_read_generic_certs(exim_t)
 
 userdom_dontaudit_search_user_home_dirs(exim_t)
@@ -170,9 +169,9 @@ tunable_policy(`exim_can_connect_db',`
 	corenet_sendrecv_mssql_client_packets(exim_t)
 	corenet_tcp_connect_mssql_port(exim_t)
 	corenet_tcp_sendrecv_mssql_port(exim_t)
-	corenet_sendrecv_oracledb_client_packets(exim_t)
-	corenet_tcp_connect_oracledb_port(exim_t)
-	corenet_tcp_sendrecv_oracledb_port(exim_t)
+	corenet_sendrecv_oracle_client_packets(exim_t)
+	corenet_tcp_connect_oracle_port(exim_t)
+	corenet_tcp_sendrecv_oracle_port(exim_t)
 ')
 
 tunable_policy(`exim_read_user_files',`
@@ -186,8 +185,8 @@ tunable_policy(`exim_manage_user_files',`
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(exim_t)
-	clamav_stream_connect(exim_t)
+	antivirus_domtrans(exim_t)
+	antivirus_stream_connect(exim_t)
 ')
 
 optional_policy(`
@@ -209,11 +208,6 @@ optional_policy(`
 	kerberos_use(exim_t)
 ')
 
-optional_policy(`
-	mailman_read_data_files(exim_t)
-	mailman_domtrans(exim_t)
-')
-
 optional_policy(`
 	nagios_search_spool(exim_t)
 ')
@@ -236,6 +230,7 @@ optional_policy(`
 
 optional_policy(`
 	procmail_domtrans(exim_t)
+	procmail_read_home_files(exim_t)
 ')
 
 optional_policy(`
diff --git a/fail2ban.if b/fail2ban.if
index 50d0084d42..94e1936060 100644
--- a/fail2ban.if
+++ b/fail2ban.if
@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
 	domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute the fail2ban client in
-##	the fail2ban client domain.
+##  Execute the fail2ban client in
+##  the fail2ban client domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 #
 interface(`fail2ban_domtrans_client',`
-	gen_require(`
-		type fail2ban_client_t, fail2ban_client_exec_t;
-	')
+    gen_require(`
+        type fail2ban_client_t, fail2ban_client_exec_t;
+    ')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+    corecmd_search_bin($1)
+    domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute fail2ban client in the
-##	fail2ban client domain, and allow
-##	the specified role the fail2ban
-##	client domain.
+##  Execute fail2ban client in the
+##  fail2ban client domain, and allow
+##  the specified role the fail2ban
+##  client domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access.
+##  </summary>
 ## </param>
 #
 interface(`fail2ban_run_client',`
-	gen_require(`
-		attribute_role fail2ban_client_roles;
-	')
+    gen_require(`
+        attribute_role fail2ban_client_roles;
+    ')
 
-	fail2ban_domtrans_client($1)
-	roleattribute $2 fail2ban_client_roles;
+    fail2ban_domtrans_client($1)
+    roleattribute $2 fail2ban_client_roles;
 ')
 
 #####################################
 ## <summary>
-##	Connect to fail2ban over a
-##	unix domain stream socket.
+##	Connect to fail2ban over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -102,64 +102,63 @@ interface(`fail2ban_rw_inherited_tmp_files',`
 	')
 
 	files_search_tmp($1)
-	allow $1 fail2ban_tmp_t:file { read write };
+	allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to use
-##	fail2ban file descriptors.
+##	Read and write to an fail2ba unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fail2ban_dontaudit_use_fds',`
+interface(`fail2ban_rw_stream_sockets',`
 	gen_require(`
 		type fail2ban_t;
 	')
 
-	dontaudit $1 fail2ban_t:fd use;
+	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write fail2ban unix stream sockets
+##  Do not audit attempts to use
+##  fail2ban file descriptors.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
+##  <summary>
+##  Domain to not audit.
+##  </summary>
 ## </param>
 #
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
-	gen_require(`
-		type fail2ban_t;
-	')
+interface(`fail2ban_dontaudit_use_fds',`
+    gen_require(`
+        type fail2ban_t;
+    ')
 
-	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+    dontaudit $1 fail2ban_t:fd use;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Read and write fail2ban unix
-##	stream sockets.
+##  Do not audit attempts to read and
+##  write fail2ban unix stream sockets
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain to not audit.
+##  </summary>
 ## </param>
 #
-interface(`fail2ban_rw_stream_sockets',`
-	gen_require(`
-		type fail2ban_t;
-	')
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+    gen_require(`
+        type fail2ban_t;
+    ')
 
-	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+    dontaudit $1 fail2ban_t:unix_stream_socket { read write };
 ')
 
 ########################################
@@ -178,12 +177,12 @@ interface(`fail2ban_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
-	allow $1 fail2ban_var_lib_t:file read_file_perms;
+	read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Read fail2ban log files.
+##	Allow the specified domain to read fail2ban's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -198,12 +197,14 @@ interface(`fail2ban_read_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
 	allow $1 fail2ban_log_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Append fail2ban log files.
+##	Allow the specified domain to append
+##	fail2ban log files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -217,12 +218,13 @@ interface(`fail2ban_append_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
 	allow $1 fail2ban_log_t:file append_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read fail2ban pid files.
+##	Read fail2ban PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -241,8 +243,28 @@ interface(`fail2ban_read_pid_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an fail2ban environment.
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+	gen_require(`
+		type fail2ban_t;
+	')
+
+ 	dontaudit $1 fail2ban_t:tcp_socket { read write };
+	dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an fail2ban environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -251,21 +273,25 @@ interface(`fail2ban_read_pid_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the fail2ban domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`fail2ban_admin',`
 	gen_require(`
-		type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
-		type fail2ban_var_run_t, fail2ban_initrc_exec_t;
-		type fail2ban_var_lib_t, fail2ban_client_t;
+		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+		type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+		type fail2ban_client_t;
 	')
 
-	allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
 	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 fail2ban_initrc_exec_t system_r;
@@ -277,10 +303,10 @@ interface(`fail2ban_admin',`
 	files_list_pids($1)
 	admin_pattern($1, fail2ban_var_run_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, fail2ban_var_lib_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, fail2ban_tmp_t)
 
 	fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
index cf0e567725..62fb6587ae 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
 #
 
 allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
-allow fail2ban_t self:process signal;
+allow fail2ban_t self:process { setsched signal };
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { accept connectto listen };
 allow fail2ban_t self:tcp_socket { accept listen };
@@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t)
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
 
-corenet_all_recvfrom_unlabeled(fail2ban_t)
 corenet_all_recvfrom_netlabel(fail2ban_t)
 corenet_tcp_sendrecv_generic_if(fail2ban_t)
 corenet_tcp_sendrecv_generic_node(fail2ban_t)
@@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t)
 domain_dontaudit_read_all_domains_state(fail2ban_t)
 
 files_read_etc_runtime_files(fail2ban_t)
-files_read_usr_files(fail2ban_t)
 files_list_var(fail2ban_t)
 files_dontaudit_list_tmp(fail2ban_t)
 
@@ -92,23 +90,37 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
+logging_mmap_generic_logs(fail2ban_t)
 
-miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t)
 
 sysnet_manage_config(fail2ban_t)
-sysnet_etc_filetrans_config(fail2ban_t)
-
-mta_send_mail(fail2ban_t)
 
 optional_policy(`
 	apache_read_log(fail2ban_t)
 ')
 
+optional_policy(`
+	dbus_system_bus_client(fail2ban_t)
+	dbus_connect_system_bus(fail2ban_t)
+
+	optional_policy(`
+		firewalld_dbus_chat(fail2ban_t)
+	')
+')
+
 optional_policy(`
 	ftp_read_log(fail2ban_t)
 ')
 
+optional_policy(`
+	gnome_dontaudit_search_config(fail2ban_t)
+')
+
 optional_policy(`
 	iptables_domtrans(fail2ban_t)
 ')
@@ -117,6 +129,10 @@ optional_policy(`
 	libs_exec_ldconfig(fail2ban_t)
 ')
 
+optional_policy(`
+	rpm_exec(fail2ban_t)
+')
+
 optional_policy(`
 	shorewall_domtrans(fail2ban_t)
 ')
@@ -126,27 +142,37 @@ optional_policy(`
 # Client Local policy
 #
 
-allow fail2ban_client_t self:capability dac_read_search;
+allow fail2ban_client_t self:capability { dac_read_search dac_override };
 allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
+allow fail2ban_client_t fail2ban_t:process { rlimitinh };
+
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
 stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
 
 kernel_read_system_state(fail2ban_client_t)
 
 corecmd_exec_bin(fail2ban_client_t)
 
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
 domain_use_interactive_fds(fail2ban_client_t)
 
-files_read_etc_files(fail2ban_client_t)
-files_read_usr_files(fail2ban_client_t)
 files_search_pids(fail2ban_client_t)
 
+auth_use_nsswitch(fail2ban_client_t)
+
 logging_getattr_all_logs(fail2ban_client_t)
 logging_search_all_logs(fail2ban_client_t)
-
-miscfiles_read_localization(fail2ban_client_t)
+logging_read_audit_log(fail2ban_client_t)
 
 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
 userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+    apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
index ce358fb3f6..cdc11a7f9b 100644
--- a/fcoe.te
+++ b/fcoe.te
@@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t)
 # Local policy
 #
 
-allow fcoemon_t self:capability { dac_override kill net_admin };
+allow fcoemon_t self:capability { net_admin net_raw dac_read_search dac_override };
 allow fcoemon_t self:fifo_file rw_fifo_file_perms;
 allow fcoemon_t self:unix_stream_socket { accept listen };
 allow fcoemon_t self:netlink_socket create_socket_perms;
 allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
+allow fcoemon_t self:netlink_scsitransport_socket create_socket_perms;
+allow fcoemon_t self:packet_socket create_socket_perms;
+allow fcoemon_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
 
-files_read_etc_files(fcoemon_t)
-
-dev_read_sysfs(fcoemon_t)
+dev_rw_sysfs(fcoemon_t)
 
 logging_send_syslog_msg(fcoemon_t)
 
 miscfiles_read_localization(fcoemon_t)
 
+userdom_dgram_send(fcoemon_t)
+
 optional_policy(`
 	lldpad_dgram_send(fcoemon_t)
 ')
+
+optional_policy(`
+    networkmanager_dgram_send(fcoemon_t)
+')
diff --git a/fetchmail.fc b/fetchmail.fc
index 133b8ee67d..a47a12fe77 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
 HOME_DIR/\.fetchmailrc	--	gen_context(system_u:object_r:fetchmail_home_t,s0)
+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
 
 /etc/fetchmailrc	--	gen_context(system_u:object_r:fetchmail_etc_t,s0)
 
diff --git a/fetchmail.if b/fetchmail.if
index c3f7916602..cab3954f3d 100644
--- a/fetchmail.if
+++ b/fetchmail.if
@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
 		type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
 	')
 
+	ps_process_pattern($1, fetchmail_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 fetchmail_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 fetchmail_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	allow $1 fetchmail_t:process { ptrace signal_perms };
-	ps_process_pattern($1, fetchmail_t)
-
 	files_list_etc($1)
 	admin_pattern($1, fetchmail_etc_t)
 
diff --git a/fetchmail.te b/fetchmail.te
index 742559a54d..fa51d09dd0 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t)
 #
 # Local policy
 #
-
+allow fetchmail_t self:capability setuid;
 dontaudit fetchmail_t self:capability sys_tty_config;
 allow fetchmail_t self:process { signal_perms setrlimit };
 allow fetchmail_t self:unix_stream_socket { accept listen };
+allow fetchmail_t self:key manage_key_perms;
 
 allow fetchmail_t fetchmail_etc_t:file read_file_perms;
 
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
 read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
 
 manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
@@ -63,7 +67,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
 corecmd_exec_bin(fetchmail_t)
 corecmd_exec_shell(fetchmail_t)
 
-corenet_all_recvfrom_unlabeled(fetchmail_t)
 corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
 corenet_tcp_sendrecv_generic_node(fetchmail_t)
@@ -84,15 +87,24 @@ fs_search_auto_mountpoints(fetchmail_t)
 
 domain_use_interactive_fds(fetchmail_t)
 
-auth_use_nsswitch(fetchmail_t)
+auth_read_passwd(fetchmail_t)
 
 logging_send_syslog_msg(fetchmail_t)
 
-miscfiles_read_localization(fetchmail_t)
 miscfiles_read_generic_certs(fetchmail_t)
 
+sysnet_dns_name_resolve(fetchmail_t)
+
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+    mta_send_mail(fetchmail_t)
+    mta_read_spool(fetchmail_t)
+')
+
+optional_policy(`
+	kerberos_use(fetchmail_t)
+')
 
 optional_policy(`
 	procmail_domtrans(fetchmail_t)
diff --git a/finger.te b/finger.te
index 35da09d97a..85f1e03d41 100644
--- a/finger.te
+++ b/finger.te
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
 
-corenet_all_recvfrom_unlabeled(fingerd_t)
 corenet_all_recvfrom_netlabel(fingerd_t)
 corenet_tcp_sendrecv_generic_if(fingerd_t)
 corenet_tcp_sendrecv_generic_node(fingerd_t)
@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t)
 domain_use_interactive_fds(fingerd_t)
 
 files_read_etc_runtime_files(fingerd_t)
+files_search_home(fingerd_t)
 
 fs_getattr_all_fs(fingerd_t)
 fs_search_auto_mountpoints(fingerd_t)
@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t)
 term_getattr_all_ptys(fingerd_t)
 
 auth_read_lastlog(fingerd_t)
+auth_use_nsswitch(fingerd_t)
 
 init_read_utmp(fingerd_t)
 init_dontaudit_write_utmp(fingerd_t)
@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t)
 
 mta_getattr_spool(fingerd_t)
 
-miscfiles_read_localization(fingerd_t)
+sysnet_read_config(fingerd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
 
diff --git a/firewalld.fc b/firewalld.fc
index 21d7b84422..0e272bd0e3 100644
--- a/firewalld.fc
+++ b/firewalld.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/firewalld.*  -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+
 /etc/rc\.d/init\.d/firewalld	--	gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
 
 /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
index c62c5670a3..2d9e254b43 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Read firewalld configuration files.
+##	Read firewalld config
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -10,7 +10,7 @@
 ## </summary>
 ## </param>
 #
-interface(`firewalld_read_config_files',`
+interface(`firewalld_read_config',`
 	gen_require(`
 		type firewalld_etc_rw_t;
 	')
@@ -19,6 +19,48 @@ interface(`firewalld_read_config_files',`
 	read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
 ')
 
+########################################
+## <summary>
+##	Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`firewalld_initrc_domtrans',`
+	gen_require(`
+		type firewalld_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`firewalld_systemctl',`
+	gen_require(`
+		type firewalld_t;
+		type firewalld_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 firewalld_unit_file_t:file read_file_perms;
+	allow $1 firewalld_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, firewalld_t)
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
@@ -42,8 +84,8 @@ interface(`firewalld_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read, snd
-##	write firewalld temporary files.
+##	Dontaudit attempts to write
+##	firewalld tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -51,18 +93,37 @@ interface(`firewalld_dbus_chat',`
 ##	</summary>
 ## </param>
 #
-interface(`firewalld_dontaudit_rw_tmp_files',`
+interface(`firewalld_dontaudit_write_tmp_files',`
 	gen_require(`
 		type firewalld_tmp_t;
 	')
 
-	dontaudit $1 firewalld_tmp_t:file { read write };
+	dontaudit $1 firewalld_tmp_t:file write;
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an firewalld environment.
+##	Read firewalld PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`firewalld_read_pid_files',`
+	gen_require(`
+		type firewalld_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 firewalld_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an firewalld environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -79,14 +140,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
 interface(`firewalld_admin',`
 	gen_require(`
 		type firewalld_t, firewalld_initrc_exec_t;
-		type firewall_etc_rw_t, firewalld_var_run_t;
+		type firewalld_etc_rw_t, firewalld_var_run_t;
 		type firewalld_var_log_t;
 	')
 
-	allow $1 firewalld_t:process { ptrace signal_perms };
+	allow $1 firewalld_t:process signal_perms;
 	ps_process_pattern($1, firewalld_t)
 
-	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 firewalld_t:process ptrace;
+	')
+
+	firewalld_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 firewalld_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -97,6 +162,9 @@ interface(`firewalld_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, firewalld_var_log_t)
 
-	files_search_etc($1)
-	admin_pattern($1, firewall_etc_rw_t)
+	admin_pattern($1, firewalld_etc_rw_t)
+
+	admin_pattern($1, firewalld_unit_file_t)
+	firewalld_systemctl($1)
+	allow $1 firewalld_unit_file_t:service all_service_perms;
 ')
diff --git a/firewalld.te b/firewalld.te
index 98072a3a13..5fd0906be6 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t)
 type firewalld_tmp_t;
 files_tmp_file(firewalld_tmp_t)
 
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
 type firewalld_var_run_t;
 files_pid_file(firewalld_var_run_t)
 
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow firewalld_t self:capability { dac_override net_admin };
+allow firewalld_t self:capability { dac_read_search dac_override net_admin };
 dontaudit firewalld_t self:capability sys_tty_config;
 allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
@@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
 files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
 allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
 
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
+allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
+
 manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file dir })
+can_exec(firewalld_t, firewalld_var_run_t)
 
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
 kernel_rw_net_sysctls(firewalld_t)
 
+files_list_kernel_modules(firewalld_t)
+
 corecmd_exec_bin(firewalld_t)
 corecmd_exec_shell(firewalld_t)
 
@@ -63,20 +79,24 @@ dev_search_sysfs(firewalld_t)
 
 domain_use_interactive_fds(firewalld_t)
 
-files_read_etc_files(firewalld_t)
-files_read_usr_files(firewalld_t)
+files_dontaudit_access_check_tmp(firewalld_t)
 files_dontaudit_list_tmp(firewalld_t)
 
 fs_getattr_xattr_fs(firewalld_t)
+fs_dontaudit_all_access_check(firewalld_t)
 
-logging_send_syslog_msg(firewalld_t)
+auth_use_nsswitch(firewalld_t)
 
-miscfiles_read_localization(firewalld_t)
+libs_exec_ldconfig(firewalld_t)
 
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
+logging_send_syslog_msg(firewalld_t)
+
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
+sysnet_manage_config(firewalld_t)
 
-sysnet_read_config(firewalld_t)
+userdom_dontaudit_create_admin_dir(firewalld_t)
+userdom_dontaudit_manage_admin_dir(firewalld_t)
 
 optional_policy(`
 	dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -94,6 +114,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	gnome_read_generic_data_home_dirs(firewalld_t)
+')
+
 optional_policy(`
 	iptables_domtrans(firewalld_t)
 ')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1fd0..941f4ef733 100644
--- a/firewallgui.if
+++ b/firewallgui.if
@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
 		type firewallgui_t;
 	')
 
-	dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
 ')
diff --git a/firewallgui.te b/firewallgui.te
index 2094546645..2481a97049 100644
--- a/firewallgui.te
+++ b/firewallgui.te
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
 dev_read_sysfs(firewallgui_t)
 dev_read_urand(firewallgui_t)
 
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
 files_list_kernel_modules(firewallgui_t)
-files_read_usr_files(firewallgui_t)
 
 auth_use_nsswitch(firewallgui_t)
 
@@ -60,12 +62,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_read_generic_gconf_home_content(firewallgui_t)
+	gnome_read_gconf_home_files(firewallgui_t)
 ')
 
 optional_policy(`
 	iptables_domtrans(firewallgui_t)
 	iptables_initrc_domtrans(firewallgui_t)
+	iptables_systemctl(firewallgui_t)
 ')
 
 optional_policy(`
diff --git a/firstboot.fc b/firstboot.fc
index 12c782c891..ba614e457b 100644
--- a/firstboot.fc
+++ b/firstboot.fc
@@ -1,5 +1,3 @@
-/etc/rc\.d/init\.d/firstboot.*	--	gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/sbin/firstboot		--	gen_context(system_u:object_r:firstboot_exec_t,s0)
 
-/usr/sbin/firstboot	--	gen_context(system_u:object_r:firstboot_exec_t,s0)
-
-/usr/share/firstboot/firstboot\.py	--	gen_context(system_u:object_r:firstboot_exec_t,s0)
+/usr/share/firstboot/firstboot\.py --	gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/firstboot.if b/firstboot.if
index 280f875f0b..f3a67c911b 100644
--- a/firstboot.if
+++ b/firstboot.if
@@ -1,4 +1,7 @@
-## <summary>Initial system configuration utility.</summary>
+## <summary>
+##	Final system configuration run during the first boot
+##	after installation of Red Hat/Fedora systems.
+## </summary>
 
 ########################################
 ## <summary>
@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',`
 		type firstboot_t, firstboot_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, firstboot_exec_t, firstboot_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute firstboot in the firstboot
-##	domain, and allow the specified role
-##	the firstboot domain.
+##	Execute firstboot in the firstboot domain, and
+##	allow the specified role the firstboot domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',`
 #
 interface(`firstboot_run',`
 	gen_require(`
-		attribute_role firstboot_roles;
+		type firstboot_t;
 	')
 
 	firstboot_domtrans($1)
-	roleattribute $2 firstboot_roles;
+	role $2 types firstboot_t;
 ')
 
 ########################################
 ## <summary>
-##	Inherit and use firstboot file descriptors.
+##	Inherit and use a file descriptor from firstboot.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to inherit
-##	firstboot file descriptors.
+##	Do not audit attempts to inherit a
+##	file descriptor from firstboot.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Write firstboot unnamed pipes.
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`firstboot_dontaudit_leaks',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	dontaudit $1 firstboot_t:socket_class_set { read write };
+	dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',`
 		type firstboot_t;
 	')
 
+	allow $1 firstboot_t:fd use;
 	allow $1 firstboot_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Read and Write firstboot unnamed pipes.
+##	Read and Write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',`
 
 ########################################
 ## <summary>
-## 	Do not audit attemps to read and
-##	write firstboot unnamed pipes.
+## 	Do not audit attemps to read and write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',`
 
 ########################################
 ## <summary>
-## 	Do not audit attemps to read and
-##	write firstboot unix domain
-##	stream sockets.
+## 	Do not audit attemps to read and write to a firstboot
+##	unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/firstboot.te b/firstboot.te
index 5010f04e1b..0341ae121b 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
 policy_module(firstboot, 1.13.0)
 
 gen_require(`
-	class passwd { passwd chfn chsh rootok };
+	class passwd { passwd chfn chsh rootok crontab };
 ')
 
 ########################################
@@ -9,17 +9,12 @@ gen_require(`
 # Declarations
 #
 
-attribute_role firstboot_roles;
-
 type firstboot_t;
 type firstboot_exec_t;
 init_system_domain(firstboot_t, firstboot_exec_t)
 domain_obj_id_change_exemption(firstboot_t)
 domain_subj_id_change_exemption(firstboot_t)
-role firstboot_roles types firstboot_t;
-
-type firstboot_initrc_exec_t;
-init_script_file(firstboot_initrc_exec_t)
+role system_r types firstboot_t;
 
 type firstboot_etc_t;
 files_config_file(firstboot_etc_t)
@@ -29,31 +24,28 @@ files_config_file(firstboot_etc_t)
 # Local policy
 #
 
-allow firstboot_t self:capability { dac_override setgid };
+allow firstboot_t self:capability { dac_read_search dac_override setgid };
 allow firstboot_t self:process setfscreate;
 allow firstboot_t self:fifo_file rw_fifo_file_perms;
-allow firstboot_t self:tcp_socket { accept listen };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
 allow firstboot_t self:passwd { rootok passwd chfn chsh };
 
 allow firstboot_t firstboot_etc_t:file read_file_perms;
 
+files_manage_generic_tmp_dirs(firstboot_t)
+files_manage_generic_tmp_files(firstboot_t)
+
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
 
-corecmd_exec_all_executables(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
 
 dev_read_urand(firstboot_t)
 
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_manage_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-files_create_boot_flag(firstboot_t)
-files_delete_boot_flag(firstboot_t)
-
 selinux_get_fs_mount(firstboot_t)
 selinux_validate_context(firstboot_t)
 selinux_compute_access_vector(firstboot_t)
@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t)
 
 auth_dontaudit_getattr_shadow(firstboot_t)
 
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
 init_domtrans_script(firstboot_t)
 init_rw_utmp(firstboot_t)
 
@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
 
 logging_send_syslog_msg(firstboot_t)
 
-miscfiles_read_localization(firstboot_t)
-
 sysnet_dns_name_resolve(firstboot_t)
 
-userdom_use_user_terminals(firstboot_t)
+userdom_use_inherited_user_terminals(firstboot_t)
+
+# Add/remove user home directories
 userdom_manage_user_home_content_dirs(firstboot_t)
 userdom_manage_user_home_content_files(firstboot_t)
 userdom_manage_user_home_content_symlinks(firstboot_t)
 userdom_manage_user_home_content_pipes(firstboot_t)
 userdom_manage_user_home_content_sockets(firstboot_t)
 userdom_home_filetrans_user_home_dir(firstboot_t)
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(firstboot_t)
 
 optional_policy(`
 	dbus_system_bus_client(firstboot_t)
@@ -101,21 +104,18 @@ optional_policy(`
 	modutils_read_module_deps(firstboot_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(firstboot_t)
-')
-
 optional_policy(`
 	samba_rw_config(firstboot_t)
 ')
 
 optional_policy(`
-	unconfined_domtrans(firstboot_t)
-	unconfined_domain(firstboot_t)
+	# The big hammer
+	unconfined_domain_noaudit(firstboot_t)
 ')
 
 optional_policy(`
-	gnome_manage_generic_home_content(firstboot_t)
+	gnome_admin_home_gconf_filetrans(firstboot_t, dir)
+	gnome_manage_config(firstboot_t)
 ')
 
 optional_policy(`
diff --git a/fprintd.te b/fprintd.te
index 92a6479a28..66f574fc97 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -8,6 +8,7 @@ policy_module(fprintd, 1.2.0)
 type fprintd_t;
 type fprintd_exec_t;
 init_daemon_domain(fprintd_t, fprintd_exec_t)
+init_nnp_daemon_domain(fprintd_t)
 
 type fprintd_var_lib_t;
 files_type(fprintd_var_lib_t)
@@ -18,25 +19,29 @@ files_type(fprintd_var_lib_t)
 #
 
 allow fprintd_t self:capability sys_nice;
+allow fprintd_t self:capability2 wake_alarm;
 allow fprintd_t self:process { getsched setsched signal sigkill };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };
 
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 
 kernel_read_system_state(fprintd_t)
 
+corecmd_exec_bin(fprintd_t)
+
 dev_list_usbfs(fprintd_t)
 dev_read_sysfs(fprintd_t)
+dev_read_urand(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 
-files_read_usr_files(fprintd_t)
-
 fs_getattr_all_fs(fprintd_t)
 
 auth_use_nsswitch(fprintd_t)
 
-miscfiles_read_localization(fprintd_t)
+logging_send_syslog_msg(fprintd_t)
 
 userdom_use_user_ptys(fprintd_t)
 userdom_read_all_users_state(fprintd_t)
@@ -54,8 +59,17 @@ optional_policy(`
 	')
 ')
 
+
 optional_policy(`
-	policykit_domtrans_auth(fprintd_t)
 	policykit_read_reload(fprintd_t)
 	policykit_read_lib(fprintd_t)
+	policykit_domtrans_auth(fprintd_t)
+')
+
+optional_policy(`
+	udev_read_db(fprintd_t)
+')
+
+optional_policy(`
+	xserver_read_state_xdm(fprintd_t)
 ')
diff --git a/freeipmi.fc b/freeipmi.fc
new file mode 100644
index 0000000000..0942a2e397
--- /dev/null
+++ b/freeipmi.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/bmc-watchdog.*		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
+/usr/lib/systemd/system/ipmidetectd.*		--	gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
+/usr/lib/systemd/system/ipmiseld.*        --  gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
+
+/usr/sbin/bmc-watchdog		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
+/usr/sbin/ipmidetectd			--	gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
+/usr/sbin/ipmiseld		--	gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
+
+/var/cache/ipmiseld(/.*)?       			gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+/var/cache/ipmimonitoringsdrcache(/.*)?		gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+
+/var/lib/freeipmi(/.*)?     gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
+
+
+/var/run/ipmidetectd\.pid	--	gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
+/var/run/ipmiseld\.pid	--	gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
+/var/run/bmc-watchdog\.pid	--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
diff --git a/freeipmi.if b/freeipmi.if
new file mode 100644
index 0000000000..dc94853095
--- /dev/null
+++ b/freeipmi.if
@@ -0,0 +1,71 @@
+## <summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
+
+#####################################
+## <summary>
+##  Creates types and rules for a basic
+##  freeipmi init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`freeipmi_domain_template',`
+    gen_require(`
+        attribute freeipmi_domain, freeipmi_pid;
+    ')
+
+    #############################
+    #
+    # Declarations
+    #
+
+    type freeipmi_$1_t, freeipmi_domain;
+    type freeipmi_$1_exec_t;
+    init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
+    role system_r types freeipmi_$1_t;
+
+	type freeipmi_$1_unit_file_t;
+	systemd_unit_file(freeipmi_$1_unit_file_t)
+
+	type freeipmi_$1_var_run_t, freeipmi_pid;
+	files_pid_file(freeipmi_$1_var_run_t)
+
+    #############################
+    #
+    # Local policy
+    #
+
+	manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
+
+	kernel_read_system_state(freeipmi_$1_t)
+
+	corenet_all_recvfrom_netlabel(freeipmi_$1_t)
+	corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
+
+    auth_use_nsswitch(freeipmi_$1_t)
+
+    logging_send_syslog_msg(freeipmi_$1_t)
+')
+
+####################################
+## <summary>
+##	Connect to cluster domains over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`freeipmi_stream_connect',`
+	gen_require(`
+		attribute freeipmi_domain, freeipmi_pid;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
+')
+
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
index 0000000000..b7f52674ca
--- /dev/null
+++ b/freeipmi.te
@@ -0,0 +1,81 @@
+policy_module(freeipmi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute freeipmi_domain;
+attribute freeipmi_pid;
+
+freeipmi_domain_template(ipmidetectd)
+freeipmi_domain_template(ipmiseld)
+freeipmi_domain_template(bmc_watchdog)
+
+type freeipmi_var_lib_t;
+files_type(freeipmi_var_lib_t)
+
+type freeipmi_var_cache_t;
+files_type(freeipmi_var_cache_t)
+
+########################################
+#
+# freeipmi_domain local policy
+#
+
+allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
+allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
+allow freeipmi_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
+
+dev_read_rand(freeipmi_domain)
+dev_read_urand(freeipmi_domain)
+dev_rw_ipmi_dev(freeipmi_domain)
+dev_read_sysfs(freeipmi_domain)
+dev_map_sysfs(freeipmi_domain)
+
+sysnet_dns_name_resolve(freeipmi_domain)
+
+#######################################
+#
+# bmc-watchdog local policy
+#
+
+allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
+
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
+dev_read_raw_memory(freeipmi_bmc_watchdog_t)
+
+#######################################
+#
+# ipmidetectd local policy
+#
+
+allow freeipmi_ipmidetectd_t self:tcp_socket listen;
+
+files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
+
+corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
+
+#######################################
+#
+# ipmiseld local policy
+#
+
+allow freeipmi_ipmiseld_t self:capability sys_rawio;
+
+allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
+
+dev_read_raw_memory(freeipmi_ipmiseld_t)
+
+files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
diff --git a/freqset.fc b/freqset.fc
new file mode 100644
index 0000000000..3cd9c38fd0
--- /dev/null
+++ b/freqset.fc
@@ -0,0 +1 @@
+/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset		--	gen_context(system_u:object_r:freqset_exec_t,s0)
diff --git a/freqset.if b/freqset.if
new file mode 100644
index 0000000000..190ccc0358
--- /dev/null
+++ b/freqset.if
@@ -0,0 +1,76 @@
+
+## <summary>policy for freqset</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the freqset domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`freqset_domtrans',`
+	gen_require(`
+		type freqset_t, freqset_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, freqset_exec_t, freqset_t)
+')
+
+########################################
+## <summary>
+##	Execute freqset in the freqset domain, and
+##	allow the specified role the freqset domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the freqset domain.
+##	</summary>
+## </param>
+#
+interface(`freqset_run',`
+	gen_require(`
+		type freqset_t;
+		attribute_role freqset_roles;
+	')
+
+	freqset_domtrans($1)
+	roleattribute $2 freqset_roles;
+')
+
+########################################
+## <summary>
+##	Role access for freqset
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`freqset_role',`
+	gen_require(`
+		type freqset_t;
+		attribute_role freqset_roles;
+	')
+
+	roleattribute $1 freqset_roles;
+
+	freqset_domtrans($2)
+
+	ps_process_pattern($2, freqset_t)
+	allow $2 freqset_t:process { signull signal sigkill };
+')
diff --git a/freqset.te b/freqset.te
new file mode 100644
index 0000000000..0d09fbd62a
--- /dev/null
+++ b/freqset.te
@@ -0,0 +1,34 @@
+policy_module(freqset, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role freqset_roles;
+roleattribute system_r freqset_roles;
+
+type freqset_t;
+type freqset_exec_t;
+application_domain(freqset_t, freqset_exec_t)
+
+role freqset_roles types freqset_t;
+
+########################################
+#
+# freqset local policy
+#
+allow freqset_t self:capability { setuid };
+
+allow freqset_t self:fifo_file manage_fifo_file_perms;
+allow freqset_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_rw_sysfs(freqset_t)
+
+domain_use_interactive_fds(freqset_t)
+
+files_read_etc_files(freqset_t)
+
+miscfiles_read_localization(freqset_t)
+
+userdom_use_inherited_user_terminals(freqset_t)
diff --git a/ftp.fc b/ftp.fc
index ddb75c12c8..44f74e62fe 100644
--- a/ftp.fc
+++ b/ftp.fc
@@ -1,5 +1,8 @@
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
 
+/usr/lib/systemd/system/vsftpd.* 	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/proftpd.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
 /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
 /etc/rc\.d/init\.d/vsftpd	--	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
diff --git a/ftp.if b/ftp.if
index 44981434b9..84a4858b6f 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,67 @@
 ## <summary>File transfer protocol service.</summary>
 
+######################################
+## <summary>
+##      Execute a domain transition to run ftpd.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_domtrans',`
+        gen_require(`
+                type ftpd_t, ftpd_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1,ftpd_exec_t, ftpd_t)
+
+')
+
+#######################################
+## <summary>
+##  Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The type of the process performing this action.
+##  </summary>
+## </param>
+#
+interface(`ftp_initrc_domtrans',`
+    gen_require(`
+        type ftpd_initrc_exec_t;
+    ')
+
+    init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ftp_systemctl',`
+	gen_require(`
+		type ftpd_unit_file_t;
+		type ftpd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 ftpd_unit_file_t:file read_file_perms;
+	allow $1 ftpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ftpd_t)
+')
+
 #######################################
 ## <summary>
 ##	Execute a dyntransition to run anon sftpd.
@@ -179,8 +241,11 @@ interface(`ftp_admin',`
 		type ftpd_keytab_t;
 	')
 
-	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+	allow $1 ftpd_t:process signal_perms;
 	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -204,5 +269,9 @@ interface(`ftp_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, xferlog_t)
 
+	ftp_systemctl($1)
+	admin_pattern($1, ftpd_unit_file_t)
+	allow $1 ftpd_unit_file_t:service all_service_perms;
+
 	ftp_run_ftpdctl($1, $2)
 ')
diff --git a/ftp.te b/ftp.te
index 36838c2027..d8066fbd48 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
 ##	be labeled public_content_rw_t.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_anon_write, false)
+gen_tunable(ftpd_anon_write, false)
 
 ## <desc>
 ##	<p>
@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false)
 ##	all files on the system, governed by DAC.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_full_access, false)
+gen_tunable(ftpd_full_access, false)
 
 ## <desc>
 ##	<p>
@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
 ##	used for public file transfer services.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow ftpd to use ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(ftpd_use_fusefs, false)
 
 ## <desc>
 ##	<p>
@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
 ##	used for public file transfer services.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_use_nfs, false)
+gen_tunable(ftpd_use_nfs, false)
 
 ## <desc>
 ##	<p>
@@ -49,11 +56,11 @@ gen_tunable(allow_ftpd_use_nfs, false)
 gen_tunable(ftpd_connect_db, false)
 
 ## <desc>
-##	<p>
-##	Determine whether ftpd can bind to all
-##	unreserved ports for passive mode.
-##	</p>
-##	</desc>
+##  <p>
+##  Determine whether ftpd can bind to all
+##  unreserved ports for passive mode.
+##  </p>
+##  </desc>
 gen_tunable(ftpd_use_passive_mode, false)
 
 ## <desc>
@@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false)
 ## </desc>
 gen_tunable(ftpd_connect_all_unreserved, false)
 
-## <desc>
-##	<p>
-##	Determine whether ftpd can read and write
-##	files in user home directories.
-##	</p>
-## </desc>
-gen_tunable(ftp_home_dir, false)
-
-## <desc>
-##	<p>
-##	Determine whether sftpd can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
-## </desc>
-gen_tunable(sftpd_anon_write, false)
-
-## <desc>
-##	<p>
-##	Determine whether sftpd-can read and write
-##	files in user home directories.
-##	</p>
-## </desc>
-gen_tunable(sftpd_enable_homedirs, false)
-
-## <desc>
-##	<p>
-##	Determine whether sftpd-can login to
-##	local users and read and write all
-##	files on the system, governed by DAC.
-##	</p>
-## </desc>
-gen_tunable(sftpd_full_access, false)
-
-## <desc>
-##	<p>
-##	Determine whether sftpd can read and write
-##	files in user ssh home directories.
-##	</p>
-## </desc>
-gen_tunable(sftpd_write_ssh_home, false)
-
 attribute_role ftpdctl_roles;
 
 type anon_sftpd_t;
@@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t)
 type ftpd_initrc_exec_t;
 init_script_file(ftpd_initrc_exec_t)
 
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
 type ftpd_keytab_t;
 files_type(ftpd_keytab_t)
 
@@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
 allow ftpd_t ftpd_lock_t:file manage_file_perms;
 files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
 
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+
 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
 
 allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 
-allow ftpd_t xferlog_t:dir setattr_dir_perms;
-append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-logging_log_filetrans(ftpd_t, xferlog_t, file)
+manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+logging_log_filetrans(ftpd_t, xferlog_t, { dir file })
 
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
-kernel_search_network_state(ftpd_t)
+kernel_read_network_state(ftpd_t)
 
 dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
 
 corecmd_exec_bin(ftpd_t)
 
-corenet_all_recvfrom_unlabeled(ftpd_t)
 corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_generic_if(ftpd_t)
 corenet_udp_sendrecv_generic_if(ftpd_t)
@@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
 corenet_sendrecv_ftp_data_server_packets(ftpd_t)
 corenet_tcp_bind_ftp_data_port(ftpd_t)
 
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
+
 domain_use_interactive_fds(ftpd_t)
 
-files_read_etc_files(ftpd_t)
 files_read_etc_runtime_files(ftpd_t)
 files_search_var_lib(ftpd_t)
 
@@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
 logging_set_loginuid(ftpd_t)
 
-miscfiles_read_localization(ftpd_t)
 miscfiles_read_public_files(ftpd_t)
 
 seutil_dontaudit_search_config(ftpd_t)
@@ -259,37 +228,60 @@ sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 userdom_dontaudit_search_user_home_dirs(ftpd_t)
+userdom_filetrans_home_content(ftpd_t)
+userdom_manage_user_home_content_dirs(ftpd_t)
+userdom_manage_user_home_content_files(ftpd_t)
+userdom_manage_user_tmp_dirs(ftpd_t)
+userdom_manage_user_tmp_files(ftpd_t)
+
 
-tunable_policy(`allow_ftpd_anon_write',`
+tunable_policy(`ftpd_anon_write',`
 	miscfiles_manage_public_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_cifs',`
+tunable_policy(`ftpd_use_cifs',`
 	fs_read_cifs_files(ftpd_t)
 	fs_read_cifs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
 	fs_manage_cifs_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_nfs',`
+tunable_policy(`ftpd_use_fusefs',`
+        fs_manage_fusefs_dirs(ftpd_t)
+        fs_manage_fusefs_files(ftpd_t)
+        fs_manage_fusefs_symlinks(ftpd_t)
+',`
+        fs_search_fusefs(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_nfs',`
 	fs_read_nfs_files(ftpd_t)
 	fs_read_nfs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
 	fs_manage_nfs_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_full_access',`
+tunable_policy(`ftpd_full_access',`
 	allow ftpd_t self:capability { dac_override dac_read_search };
-	files_manage_non_auth_files(ftpd_t)
+	files_manage_non_security_dirs(ftpd_t)
+	files_manage_non_security_files(ftpd_t)
 ')
 
 tunable_policy(`ftpd_use_passive_mode',`
-	corenet_sendrecv_all_server_packets(ftpd_t)
-	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+    corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_connect_all_unreserved',`
+	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_passive_mode',`
+    corenet_sendrecv_all_server_packets(ftpd_t)
+    corenet_tcp_bind_all_unreserved_ports(ftpd_t)
 ')
 
 tunable_policy(`ftpd_connect_all_unreserved',`
@@ -304,43 +296,23 @@ tunable_policy(`ftpd_connect_db',`
 	corenet_sendrecv_mssql_client_packets(ftpd_t)
 	corenet_tcp_connect_mssql_port(ftpd_t)
 	corenet_tcp_sendrecv_mssql_port(ftpd_t)
-	corenet_sendrecv_oracledb_client_packets(ftpd_t)
-	corenet_tcp_connect_oracledb_port(ftpd_t)
-	corenet_tcp_sendrecv_oracledb_port(ftpd_t)
+	corenet_sendrecv_oracle_client_packets(ftpd_t)
+	corenet_tcp_connect_oracle_port(ftpd_t)
+	corenet_tcp_sendrecv_oracle_port(ftpd_t)
 ')
 
-tunable_policy(`ftp_home_dir',`
-	allow ftpd_t self:capability { dac_override dac_read_search };
-
-	userdom_manage_user_home_content_dirs(ftpd_t)
-	userdom_manage_user_home_content_files(ftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
-	userdom_manage_user_tmp_dirs(ftpd_t)
-	userdom_manage_user_tmp_files(ftpd_t)
-	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-',`
-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
-	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-')
-
-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(ftpd_t)
 	fs_manage_nfs_files(ftpd_t)
 	fs_manage_nfs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
+tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_dirs(ftpd_t)
 	fs_manage_cifs_files(ftpd_t)
 	fs_manage_cifs_symlinks(ftpd_t)
 ')
 
-optional_policy(`
-	tunable_policy(`ftp_home_dir',`
-		apache_search_sys_content(ftpd_t)
-	')
-')
-
 optional_policy(`
 	corecmd_exec_shell(ftpd_t)
 
@@ -363,9 +335,8 @@ optional_policy(`
 
 optional_policy(`
 	selinux_validate_context(ftpd_t)
-
 	kerberos_read_keytab(ftpd_t)
-	kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+	kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
 	kerberos_use(ftpd_t)
 ')
 
@@ -410,92 +381,49 @@ optional_policy(`
 	udev_read_db(ftpd_t)
 ')
 
+optional_policy(`
+	apache_manage_user_content(ftpd_t)
+')
+
 ########################################
 #
 # Ctl local policy
 #
 
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
 
 allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 
-files_read_etc_files(ftpdctl_t)
 files_search_pids(ftpdctl_t)
 
-userdom_use_user_terminals(ftpdctl_t)
+userdom_use_inherited_user_terminals(ftpdctl_t)
 
 ########################################
 #
 # Anon sftpd local policy
 #
 
-files_read_etc_files(anon_sftpd_t)
-
 miscfiles_read_public_files(anon_sftpd_t)
 
-tunable_policy(`sftpd_anon_write',`
-	miscfiles_manage_public_files(anon_sftpd_t)
-')
-
 ########################################
 #
 # Sftpd local policy
 #
 
-files_read_etc_files(sftpd_t)
 
 userdom_read_user_home_content_files(sftpd_t)
 userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
 
-tunable_policy(`sftpd_enable_homedirs',`
-	allow sftpd_t self:capability { dac_override dac_read_search };
+userdom_filetrans_home_content(sftpd_t)
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
 
 	userdom_manage_user_home_content_dirs(sftpd_t)
 	userdom_manage_user_home_content_files(sftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
 	userdom_manage_user_tmp_dirs(sftpd_t)
 	userdom_manage_user_tmp_files(sftpd_t)
-	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-',`
-	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
-	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-')
-
-tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(sftpd_t)
-	fs_manage_nfs_files(sftpd_t)
-	fs_manage_nfs_symlinks(sftpd_t)
-')
-
-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
-	fs_manage_cifs_dirs(sftpd_t)
-	fs_manage_cifs_files(sftpd_t)
-	fs_manage_cifs_symlinks(sftpd_t)
-')
-
-tunable_policy(`sftpd_anon_write',`
-	miscfiles_manage_public_files(sftpd_t)
-')
-
-tunable_policy(`sftpd_full_access',`
-	allow sftpd_t self:capability { dac_override dac_read_search };
-	fs_read_noxattr_fs_files(sftpd_t)
-	files_manage_non_auth_files(sftpd_t)
-')
-
-tunable_policy(`sftpd_write_ssh_home',`
-	ssh_manage_home_files(sftpd_t)
-')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_list_cifs(sftpd_t)
-	fs_read_cifs_files(sftpd_t)
-	fs_read_cifs_symlinks(sftpd_t)
-')
+userdom_home_reader(sftpd_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_list_nfs(sftpd_t)
-	fs_read_nfs_files(sftpd_t)
-	fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/games.if b/games.if
index e2a3e0dbaa..50ebd4080b 100644
--- a/games.if
+++ b/games.if
@@ -58,3 +58,23 @@ interface(`games_rw_data',`
 	files_search_var_lib($1)
 	rw_files_pattern($1, games_data_t, games_data_t)
 ')
+
+########################################
+## <summary>
+##	Manage games data files.
+##	games data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`games_manage_data_files',`
+	gen_require(`
+		type games_data_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, games_data_t, games_data_t)
+')
diff --git a/games.te b/games.te
index e5b15fb7ef..220622e848 100644
--- a/games.te
+++ b/games.te
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
 
 logging_send_syslog_msg(games_srv_t)
 
-miscfiles_read_localization(games_srv_t)
-
 userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
 
 userdom_dontaudit_search_user_home_dirs(games_srv_t)
@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
 
-corenet_all_recvfrom_unlabeled(games_t)
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
 corenet_tcp_sendrecv_generic_node(games_t)
@@ -142,8 +139,6 @@ dev_write_sound(games_t)
 files_list_var(games_t)
 files_search_var_lib(games_t)
 files_dontaudit_search_var(games_t)
-files_read_etc_files(games_t)
-files_read_usr_files(games_t)
 files_read_var_files(games_t)
 
 init_dontaudit_rw_utmp(games_t)
@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t)
 logging_dontaudit_search_logs(games_t)
 
 miscfiles_read_man_pages(games_t)
-miscfiles_read_localization(games_t)
 
 sysnet_dns_name_resolve(games_t)
 
@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
 userdom_dontaudit_read_user_home_content_files(games_t)
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`', `
 	allow games_t self:process execmem;
 ')
 
diff --git a/ganesha.fc b/ganesha.fc
new file mode 100644
index 0000000000..6105051204
--- /dev/null
+++ b/ganesha.fc
@@ -0,0 +1,14 @@
+/usr/bin/ganesha.nfsd		--	gen_context(system_u:object_r:ganesha_exec_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
+
+/var/log/ganesha(/.*)?		gen_context(system_u:object_r:ganesha_var_log_t,s0)
+/var/log/ganesha.log	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
+/var/log/ganesha.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
+/var/log/ganesha-gfapi.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
+
+/var/run/ganesha(/.*)?		gen_context(system_u:object_r:ganesha_var_run_t,s0)
diff --git a/ganesha.if b/ganesha.if
new file mode 100644
index 0000000000..d9ba5fa271
--- /dev/null
+++ b/ganesha.if
@@ -0,0 +1,147 @@
+
+## <summary>policy for ganesha</summary>
+
+########################################
+## <summary>
+##	Execute ganesha_exec_t in the ganesha domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ganesha_domtrans',`
+	gen_require(`
+		type ganesha_t, ganesha_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ganesha_exec_t, ganesha_t)
+')
+
+######################################
+## <summary>
+##	Execute ganesha in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_exec',`
+	gen_require(`
+		type ganesha_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ganesha_exec_t)
+')
+########################################
+## <summary>
+##	Read ganesha PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_read_pid_files',`
+	gen_require(`
+		type ganesha_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute ganesha server in the ganesha domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ganesha_systemctl',`
+	gen_require(`
+		type ganesha_t;
+		type ganesha_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 ganesha_unit_file_t:file read_file_perms;
+	allow $1 ganesha_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ganesha_t)
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	ganesha over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ganesha_dbus_chat',`
+	gen_require(`
+		type ganesha_t;
+		class dbus send_msg;
+	')
+
+	allow $1 ganesha_t:dbus send_msg;
+	allow ganesha_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ganesha environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ganesha_admin',`
+	gen_require(`
+		type ganesha_t;
+		type ganesha_var_run_t;
+	type ganesha_unit_file_t;
+	')
+
+	allow $1 ganesha_t:process { signal_perms };
+	ps_process_pattern($1, ganesha_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ganesha_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, ganesha_var_run_t)
+
+	ganesha_systemctl($1)
+	admin_pattern($1, ganesha_unit_file_t)
+	allow $1 ganesha_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/ganesha.te b/ganesha.te
new file mode 100644
index 0000000000..591cb272b7
--- /dev/null
+++ b/ganesha.te
@@ -0,0 +1,114 @@
+policy_module(ganesha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow ganesha to read/write fuse files
+## </p>
+## </desc>
+gen_tunable(ganesha_use_fusefs, false)
+
+type ganesha_t;
+type ganesha_exec_t;
+init_daemon_domain(ganesha_t, ganesha_exec_t)
+
+type ganesha_var_log_t;
+logging_log_file(ganesha_var_log_t)
+
+type ganesha_var_run_t;
+files_pid_file(ganesha_var_run_t)
+
+type ganesha_tmp_t;
+files_tmp_file(ganesha_tmp_t)
+
+type ganesha_unit_file_t;
+systemd_unit_file(ganesha_unit_file_t)
+
+########################################
+#
+# ganesha local policy
+#
+dontaudit ganesha_t self:capability net_admin;
+
+allow ganesha_t self:capability { dac_read_search dac_override };
+allow ganesha_t self:capability2 block_suspend;
+allow ganesha_t self:process { setcap setrlimit };
+allow ganesha_t self:fifo_file rw_fifo_file_perms;
+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
+allow ganesha_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
+
+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
+
+kernel_read_system_state(ganesha_t)
+kernel_read_network_state(ganesha_t)
+kernel_search_network_sysctl(ganesha_t)
+kernel_read_net_sysctls(ganesha_t)
+
+auth_use_nsswitch(ganesha_t)
+
+corenet_tcp_bind_nfs_port(ganesha_t)
+corenet_tcp_connect_generic_port(ganesha_t)
+corenet_tcp_connect_gluster_port(ganesha_t)
+corenet_udp_bind_dey_keyneg_port(ganesha_t)
+corenet_tcp_bind_dey_keyneg_port(ganesha_t)
+corenet_udp_bind_nfs_port(ganesha_t)
+corenet_udp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_all_rpc_ports(ganesha_t)
+corenet_tcp_bind_mountd_port(ganesha_t)
+corenet_udp_bind_mountd_port(ganesha_t)
+corenet_tcp_connect_virt_migration_port(ganesha_t)
+corenet_tcp_connect_all_rpc_ports(ganesha_t)
+corenet_tcp_connect_portmap_port(ganesha_t)
+corenet_tcp_connect_cyphesis_port(ganesha_t)
+
+dev_rw_infiniband_dev(ganesha_t)
+dev_read_gpfs(ganesha_t)
+dev_read_rand(ganesha_t)
+
+logging_send_syslog_msg(ganesha_t)
+
+sysnet_dns_name_resolve(ganesha_t)
+
+optional_policy(`
+	dbus_system_bus_client(ganesha_t)
+	dbus_connect_system_bus(ganesha_t)
+    unconfined_dbus_chat(ganesha_t)
+')
+
+optional_policy(`
+    glusterd_read_conf(ganesha_t)
+    glusterd_read_lib_files(ganesha_t)
+    glusterd_manage_pid(ganesha_t)
+')
+
+optional_policy(`
+    kerberos_read_keytab(ganesha_t)
+')
+
+optional_policy(`
+	rpc_manage_nfs_state_data_dir(ganesha_t)
+    rpc_read_nfs_state_data(ganesha_t)
+	rpcbind_stream_connect(ganesha_t)
+')
+
+tunable_policy(`ganesha_use_fusefs',`
+    fs_manage_fusefs_dirs(ganesha_t)
+    fs_manage_fusefs_files(ganesha_t)
+    fs_read_fusefs_symlinks(ganesha_t)
+    fs_getattr_fusefs(ganesha_t)
+')
diff --git a/gatekeeper.te b/gatekeeper.te
index 28203689c8..88c98f4818 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
 
 corecmd_list_bin(gatekeeper_t)
 
-corenet_all_recvfrom_unlabeled(gatekeeper_t)
 corenet_all_recvfrom_netlabel(gatekeeper_t)
 corenet_tcp_sendrecv_generic_if(gatekeeper_t)
 corenet_udp_sendrecv_generic_if(gatekeeper_t)
@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t)
 
 domain_use_interactive_fds(gatekeeper_t)
 
-files_read_etc_files(gatekeeper_t)
-
 fs_getattr_all_fs(gatekeeper_t)
 fs_search_auto_mountpoints(gatekeeper_t)
 
 logging_send_syslog_msg(gatekeeper_t)
 
-miscfiles_read_localization(gatekeeper_t)
-
 sysnet_read_config(gatekeeper_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
diff --git a/gdomap.te b/gdomap.te
index db7b56c2d3..3c23579653 100644
--- a/gdomap.te
+++ b/gdomap.te
@@ -32,6 +32,7 @@ files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
 corenet_sendrecv_gdomap_server_packets(gdomap_t)
 corenet_tcp_bind_generic_node(gdomap_t)
 corenet_tcp_bind_gdomap_port(gdomap_t)
+corenet_tcp_connect_gdomap_port(gdomap_t)
 corenet_tcp_sendrecv_gdomap_port(gdomap_t)
 corenet_udp_bind_generic_node(gdomap_t)
 corenet_udp_bind_gdomap_port(gdomap_t)
diff --git a/gear.fc b/gear.fc
new file mode 100644
index 0000000000..4d7dc99912
--- /dev/null
+++ b/gear.fc
@@ -0,0 +1,6 @@
+/usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)
+
+/usr/lib/systemd/system/gear.service	--	gen_context(system_u:object_r:gear_unit_file_t,s0)
+
+/var/lib/containers/units(/.*)?			gen_context(system_u:object_r:gear_unit_file_t,s0)
+/var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
diff --git a/gear.if b/gear.if
new file mode 100644
index 0000000000..2c08004bfe
--- /dev/null
+++ b/gear.if
@@ -0,0 +1,288 @@
+
+## <summary>The open-source application container engine.</summary>
+
+########################################
+## <summary>
+##	Execute gear in the gear domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gear_domtrans',`
+	gen_require(`
+		type gear_t, gear_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, gear_exec_t, gear_t)
+')
+
+########################################
+## <summary>
+##	Search gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_search_lib',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	allow $1 gear_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Execute gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_exec_lib',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	allow $1 gear_var_lib_t:dir search_dir_perms;
+	can_exec($1, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read gear lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_read_lib_files',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gear lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_manage_lib_files',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+	manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_manage_lib_dirs',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create objects in a gear var lib directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`gear_lib_filetrans',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Read gear PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_read_pid_files',`
+	gen_require(`
+		type gear_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, gear_var_run_t, gear_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute gear server in the gear domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`gear_systemctl',`
+	gen_require(`
+		type gear_t;
+		type gear_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 gear_unit_file_t:file read_file_perms;
+	allow $1 gear_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, gear_t)
+')
+
+########################################
+## <summary>
+##	Read and write gear shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_rw_sem',`
+	gen_require(`
+		type gear_t;
+	')
+
+	allow $1 gear_t:sem rw_sem_perms;
+')
+
+#######################################
+## <summary>
+##  Read and write the gear pty type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gear_use_ptys',`
+    gen_require(`
+        type gear_devpts_t;
+    ')
+
+    allow $1 gear_devpts_t:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow domain to create gear content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gear_filetrans_named_content',`
+    gen_require(`
+            type gear_var_lib_t;
+	    type gear_var_run_t;
+    ')
+
+    files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
+    files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an gear environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_admin',`
+	gen_require(`
+		type gear_t;
+		type gear_var_lib_t, gear_var_run_t;
+		type gear_unit_file_t;
+		type gear_log_t;
+	')
+
+	allow $1 gear_t:process { ptrace signal_perms };
+	ps_process_pattern($1, gear_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, gear_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, gear_var_run_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, gear_log_t)
+
+	gear_systemctl($1)
+	admin_pattern($1, gear_unit_file_t)
+	allow $1 gear_unit_file_t:service all_service_perms;
+')
diff --git a/gear.te b/gear.te
new file mode 100644
index 0000000000..33dbdf7ece
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,136 @@
+policy_module(gear, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gear_t;
+type gear_exec_t;
+init_daemon_domain(gear_t, gear_exec_t)
+
+type gear_var_lib_t;
+files_type(gear_var_lib_t)
+
+type gear_log_t;
+logging_log_file(gear_log_t)
+
+type gear_var_run_t;
+files_pid_file(gear_var_run_t)
+
+type gear_unit_file_t;
+systemd_unit_file(gear_unit_file_t)
+
+########################################
+#
+# gear local policy
+#
+allow gear_t self:capability { chown net_admin fowner dac_read_search dac_override };
+dontaudit gear_t self:capability sys_ptrace;
+allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
+allow gear_t self:fifo_file rw_fifo_file_perms;
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
+allow gear_t self:tcp_socket create_stream_socket_perms;
+
+allow gear_t gear_unit_file_t:file read_file_perms;
+allow gear_t gear_unit_file_t:service manage_service_perms;
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)
+
+manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
+manage_files_pattern(gear_t, gear_log_t, gear_log_t)
+manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
+logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
+
+gear_filetrans_named_content(gear_t)
+
+manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
+
+manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+init_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(gear_t)
+kernel_read_network_state(gear_t)
+kernel_read_all_sysctls(gear_t)
+kernel_rw_net_sysctls(gear_t)
+
+domain_use_interactive_fds(gear_t)
+domain_read_all_domains_state(gear_t)
+
+corecmd_exec_bin(gear_t)
+corecmd_exec_shell(gear_t)
+
+corenet_tcp_bind_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_if(gear_t)
+corenet_tcp_sendrecv_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_port(gear_t)
+corenet_tcp_bind_gear_port(gear_t)
+
+dev_mounton_sysfs(gear_t)
+dev_mount_sysfs_fs(gear_t)
+dev_unmount_sysfs_fs(gear_t)
+
+files_mounton_rootfs(gear_t)
+files_read_etc_files(gear_t)
+
+fs_list_cgroup_dirs(gear_t)
+fs_read_cgroup_files(gear_t)
+fs_read_tmpfs_symlinks(gear_t)
+fs_getattr_all_fs(gear_t)
+
+auth_use_nsswitch(gear_t)
+
+init_read_state(gear_t)
+init_dbus_chat(gear_t)
+init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
+
+logging_send_audit_msgs(gear_t)
+logging_send_syslog_msg(gear_t)
+logging_read_generic_logs(gear_t)
+
+miscfiles_read_localization(gear_t)
+
+mount_domtrans(gear_t)
+
+selinux_validate_context(gear_t)
+
+seutil_read_default_contexts(gear_t)
+seutil_read_config(gear_t)
+
+sysnet_dns_name_resolve(gear_t)
+
+sysnet_exec_ifconfig(gear_t)
+sysnet_manage_ifconfig_run(gear_t)
+
+systemd_manage_all_unit_files(gear_t)
+systemd_exec_systemctl(gear_t)
+
+usermanage_domtrans_useradd(gear_t)
+usermanage_domtrans_passwd(gear_t)
+
+optional_policy(`
+	hostname_exec(gear_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(gear_t)
+')
+
+optional_policy(`
+	openshift_manage_lib_dirs(gear_t)
+	openshift_manage_lib_files(gear_t)
+	openshift_relabelfrom_lib(gear_t)
+')
diff --git a/geoclue.fc b/geoclue.fc
new file mode 100644
index 0000000000..a97f14fd90
--- /dev/null
+++ b/geoclue.fc
@@ -0,0 +1,4 @@
+
+/usr/libexec/geoclue		--	gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/var/lib/geoclue(/.*)?		gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/geoclue.if b/geoclue.if
new file mode 100644
index 0000000000..cf9f7bfca9
--- /dev/null
+++ b/geoclue.if
@@ -0,0 +1,153 @@
+
+## <summary>Geoclue is a D-Bus service that provides location information</summary>
+
+########################################
+## <summary>
+##	Execute geoclue in the geoclue domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`geoclue_domtrans',`
+	gen_require(`
+		type geoclue_t, geoclue_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, geoclue_exec_t, geoclue_t)
+')
+
+########################################
+## <summary>
+##	Search geoclue lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`geoclue_search_lib',`
+	gen_require(`
+		type geoclue_var_lib_t;
+	')
+
+	allow $1 geoclue_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read geoclue lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`geoclue_read_lib_files',`
+	gen_require(`
+		type geoclue_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage geoclue lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`geoclue_manage_lib_files',`
+	gen_require(`
+		type geoclue_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage geoclue lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`geoclue_manage_lib_dirs',`
+	gen_require(`
+		type geoclue_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+##  Send and receive messages from
+##  geoclue over dbus.
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`geoclue_dbus_chat',`
+        gen_require(`
+                type geoclue_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 geoclue_t:dbus send_msg;
+        allow geoclue_t $1:dbus send_msg;
+	    ps_process_pattern(geoclue_t, $1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an geoclue environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`geoclue_admin',`
+	gen_require(`
+		type geoclue_t;
+		type geoclue_var_lib_t;
+	')
+
+	allow $1 geoclue_t:process { signal_perms };
+	ps_process_pattern($1, geoclue_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 geoclue_t:process ptrace;
+    ')
+
+	files_search_var_lib($1)
+	admin_pattern($1, geoclue_var_lib_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
index 0000000000..efd838f74d
--- /dev/null
+++ b/geoclue.te
@@ -0,0 +1,71 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type geoclue_t;
+type geoclue_exec_t;
+application_domain(geoclue_t, geoclue_exec_t)
+role system_r types geoclue_t;
+
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+type geoclue_tmp_t;
+files_tmp_file(geoclue_tmp_t)
+
+########################################
+#
+# geoclue local policy
+#
+allow geoclue_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
+
+manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
+
+kernel_read_network_state(geoclue_t)
+
+auth_read_passwd(geoclue_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
+corenet_tcp_connect_http_cache_port(geoclue_t)
+
+corecmd_exec_bin(geoclue_t)
+
+dev_read_urand(geoclue_t)
+
+logging_send_syslog_msg(geoclue_t)
+
+miscfiles_read_certs(geoclue_t)
+
+sysnet_dns_name_resolve(geoclue_t)
+
+optional_policy(`
+	kerberos_use(geoclue_t)
+')
+
+optional_policy(`
+	dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+	optional_policy(`
+		avahi_dbus_chat(geoclue_t)
+	')
+	optional_policy(`
+		modemmanager_dbus_chat(geoclue_t)
+	')
+	optional_policy(`
+		networkmanager_dbus_chat(geoclue_t)
+	')
+')
+
+optional_policy(`
+	pcscd_stream_connect(geoclue_t)
+')
diff --git a/gift.te b/gift.te
index 8a820face3..996b30c161 100644
--- a/gift.te
+++ b/gift.te
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
 
 userdom_dontaudit_read_user_home_content_files(gift_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gift_t)
-	fs_manage_nfs_files(gift_t)
-	fs_manage_nfs_symlinks(gift_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gift_t)
-	fs_manage_cifs_files(gift_t)
-	fs_manage_cifs_symlinks(gift_t)
-')
+userdom_home_manager(gift_t)
 
 optional_policy(`
 	xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t)
 corenet_tcp_connect_all_ports(giftd_t)
 
 files_read_etc_runtime_files(giftd_t)
-files_read_usr_files(giftd_t)
-
-miscfiles_read_localization(giftd_t)
 
 sysnet_dns_name_resolve(giftd_t)
 
-userdom_use_user_terminals(giftd_t)
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(giftd_t)
-	fs_manage_nfs_files(giftd_t)
-	fs_manage_nfs_symlinks(giftd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(giftd_t)
-	fs_manage_cifs_files(giftd_t)
-	fs_manage_cifs_symlinks(giftd_t)
-')
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
diff --git a/git.fc b/git.fc
index 24700f84ba..6561d568ed 100644
--- a/git.fc
+++ b/git.fc
@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
 
 /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
 
-/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/cache/gitweb-caching(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)?	gen_context(system_u:object_r:git_rw_content_t,s0)
+/var/cache/gitweb-caching(/.*)?	gen_context(system_u:object_r:git_rw_content_t,s0)
 
 /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
 
-/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/gitweb-caching/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:git_script_exec_t,s0)
+/var/www/git(/.*)?	gen_context(system_u:object_r:git_content_t,s0)
+/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi	--	gen_context(system_u:object_r:git_script_exec_t,s0)
diff --git a/git.if b/git.if
index 1e29af1968..6c64f55c36 100644
--- a/git.if
+++ b/git.if
@@ -37,7 +37,10 @@ template(`git_role',`
 	allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 	userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
 
-	allow $2 git_session_t:process { ptrace signal_perms };
+	allow $2 git_session_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 git_session_t:process ptrace;
+	')
 	ps_process_pattern($2, git_session_t)
 
 	tunable_policy(`git_session_users',`
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
 
 	list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
 	read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+    read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
 
 	files_search_var_lib($1)
 
@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
 		fs_read_nfs_files($1)
 	')
 ')
+
+#######################################
+## <summary>
+##      Create Git user content with a
+##      named file transition.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`git_filetrans_user_content',`
+		gen_require(`
+			type git_user_content_t;
+		')
+		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
index dc49c715ed..43f79d6de9 100644
--- a/git.te
+++ b/git.te
@@ -47,14 +47,6 @@ gen_tunable(git_session_bind_all_unreserved_ports, false)
 ## </desc>
 gen_tunable(git_session_users, false)
 
-## <desc>
-##	<p>
-##	Determine whether Git session daemons
-##	can send syslog messages.
-##	</p>
-## </desc>
-gen_tunable(git_session_send_syslog_msg, false)
-
 ## <desc>
 ##	<p>
 ##	Determine whether Git system daemon
@@ -83,6 +75,7 @@ attribute git_daemon;
 attribute_role git_session_roles;
 
 apache_content_template(git)
+apache_content_alias_template(git, git)
 
 type git_system_t, git_daemon;
 type gitd_exec_t;
@@ -93,12 +86,15 @@ type git_session_t, git_daemon;
 userdom_user_application_domain(git_session_t, gitd_exec_t)
 role git_session_roles types git_session_t;
 
-type git_sys_content_t;
+type git_sys_content_t alias git_system_content_t;
 files_type(git_sys_content_t)
 
-type git_user_content_t;
+type git_user_content_t alias git_session_content_t;
 userdom_user_home_content(git_user_content_t)
 
+type git_script_tmp_t;
+files_tmp_file(git_script_tmp_t)
+
 ########################################
 #
 # Session policy
@@ -110,6 +106,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
 read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
 userdom_search_user_home_dirs(git_session_t)
 
+kernel_read_system_state(git_session_t)
+
 corenet_all_recvfrom_netlabel(git_session_t)
 corenet_all_recvfrom_unlabeled(git_session_t)
 corenet_tcp_bind_generic_node(git_session_t)
@@ -130,9 +128,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
 	corenet_tcp_sendrecv_all_ports(git_session_t)
 ')
 
-tunable_policy(`git_session_send_syslog_msg',`
-	logging_send_syslog_msg(git_session_t)
-')
+logging_send_syslog_msg(git_session_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_getattr_nfs(git_session_t)
@@ -158,6 +154,9 @@ tunable_policy(`use_samba_home_dirs',`
 list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
 read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
 
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
 corenet_all_recvfrom_unlabeled(git_system_t)
 corenet_all_recvfrom_netlabel(git_system_t)
 corenet_tcp_sendrecv_generic_if(git_system_t)
@@ -176,6 +175,10 @@ logging_send_syslog_msg(git_system_t)
 
 tunable_policy(`git_system_enable_homedirs',`
 	userdom_search_user_home_dirs(git_system_t)
+	list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t)
+	list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
+	read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
 ')
 
 tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
@@ -215,48 +218,54 @@ tunable_policy(`git_system_use_nfs',`
 # CGI policy
 #
 
-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-files_search_var_lib(httpd_git_script_t)
+manage_dirs_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir })
 
-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(git_script_t)
+allow git_script_t git_sys_content_t:file map;
+allow git_script_t git_user_content_t:file map;
 
-auth_use_nsswitch(httpd_git_script_t)
+auth_use_nsswitch(git_script_t)
 
 tunable_policy(`git_cgi_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_git_script_t)
+	userdom_search_user_home_dirs(git_script_t)
 ')
 
+fs_getattr_tmpfs(git_script_t)
 tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
-	fs_getattr_nfs(httpd_git_script_t)
-	fs_list_nfs(httpd_git_script_t)
-	fs_read_nfs_files(httpd_git_script_t)
+	fs_getattr_nfs(git_script_t)
+	fs_list_nfs(git_script_t)
+	fs_read_nfs_files(git_script_t)
 ',`
-	fs_dontaudit_read_nfs_files(httpd_git_script_t)
+	fs_dontaudit_read_nfs_files(git_script_t)
 ')
 
 tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
-	fs_getattr_cifs(httpd_git_script_t)
-	fs_list_cifs(httpd_git_script_t)
-	fs_read_cifs_files(httpd_git_script_t)
+	fs_getattr_cifs(git_script_t)
+	fs_list_cifs(git_script_t)
+	fs_read_cifs_files(git_script_t)
 ',`
-	fs_dontaudit_read_cifs_files(httpd_git_script_t)
+	fs_dontaudit_read_cifs_files(git_script_t)
 ')
 
 tunable_policy(`git_cgi_use_cifs',`
-	fs_getattr_cifs(httpd_git_script_t)
-	fs_list_cifs(httpd_git_script_t)
-	fs_read_cifs_files(httpd_git_script_t)
+	fs_getattr_cifs(git_script_t)
+	fs_list_cifs(git_script_t)
+	fs_read_cifs_files(git_script_t)
 ',`
-	fs_dontaudit_read_cifs_files(httpd_git_script_t)
+	fs_dontaudit_read_cifs_files(git_script_t)
 ')
 
 tunable_policy(`git_cgi_use_nfs',`
-	fs_getattr_nfs(httpd_git_script_t)
-	fs_list_nfs(httpd_git_script_t)
-	fs_read_nfs_files(httpd_git_script_t)
+	fs_getattr_nfs(git_script_t)
+	fs_list_nfs(git_script_t)
+	fs_read_nfs_files(git_script_t)
 ',`
-	fs_dontaudit_read_nfs_files(httpd_git_script_t)
+	fs_dontaudit_read_nfs_files(git_script_t)
 ')
 
 ########################################
@@ -266,12 +275,9 @@ tunable_policy(`git_cgi_use_nfs',`
 
 allow git_daemon self:fifo_file rw_fifo_file_perms;
 
-kernel_read_system_state(git_daemon)
+#kernel_read_system_state(git_daemon)
 
 corecmd_exec_bin(git_daemon)
 
-files_read_usr_files(git_daemon)
-
 fs_search_auto_mountpoints(git_daemon)
 
-miscfiles_read_localization(git_daemon)
diff --git a/gitosis.te b/gitosis.te
index 582db0a2e4..d77a1a5492 100644
--- a/gitosis.te
+++ b/gitosis.te
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
 
 dev_read_urand(gitosis_t)
 
-files_read_etc_files(gitosis_t)
-files_read_usr_files(gitosis_t)
 files_search_var_lib(gitosis_t)
 
-miscfiles_read_localization(gitosis_t)
-
 sysnet_read_config(gitosis_t)
 
 tunable_policy(`gitosis_can_sendmail',`
diff --git a/glance.fc b/glance.fc
index c21a528b58..a746a2b16e 100644
--- a/glance.fc
+++ b/glance.fc
@@ -1,8 +1,14 @@
 /etc/rc\.d/init\.d/openstack-glance-api	--	gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/openstack-glance-registry	--	gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openstack-glance-scrubber	--	gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0)
 
-/usr/bin/glance-api	--	gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/lib/systemd/system/openstack-glance-api.*              --  gen_context(system_u:object_r:glance_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-registry.*         --  gen_context(system_u:object_r:glance_registry_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-scrubber.*         --  gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0)
+
+/usr/bin/glance-api	        --	gen_context(system_u:object_r:glance_api_exec_t,s0)
 /usr/bin/glance-registry	--	gen_context(system_u:object_r:glance_registry_exec_t,s0)
+/usr/bin/glance-scrubber    --  gen_context(system_u:object_r:glance_scrubber_exec_t,s0)
 
 /var/lib/glance(/.*)?	gen_context(system_u:object_r:glance_var_lib_t,s0)
 
diff --git a/glance.if b/glance.if
index 9eacb2c9c5..7b19ad2db2 100644
--- a/glance.if
+++ b/glance.if
@@ -1,5 +1,38 @@
 ## <summary>OpenStack image registry and delivery service.</summary>
 
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  glance daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`glance_basic_types_template',`
+    gen_require(`
+		attribute glance_domain;
+    ')
+
+	type $1_t, glance_domain;
+	type $1_exec_t;
+
+    type $1_unit_file_t;
+    systemd_unit_file($1_unit_file_t)
+
+	kernel_read_system_state($1_t)
+
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_all_recvfrom_netlabel($1_t)
+
+    logging_send_syslog_msg($1_t)
+
+    auth_use_nsswitch($1_t)
+
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to
@@ -26,9 +59,9 @@ interface(`glance_domtrans_registry',`
 ##	run glance api.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`glance_domtrans_api',`
@@ -242,8 +275,13 @@ interface(`glance_admin',`
 		type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
 	')
 
-	allow $1 { glance_api_t glance_registry_t }:process signal_perms;
-	ps_process_pattern($1, { glance_api_t glance_registry_t })
+	allow $1 glance_registry_t:process signal_perms;
+	ps_process_pattern($1, glance_registry_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 glance_registry_t:process ptrace;
+		allow $1 glance_api_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
 	domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
index 5cd09096a8..bd3c3d21be 100644
--- a/glance.te
+++ b/glance.te
@@ -5,10 +5,31 @@ policy_module(glance, 1.1.0)
 # Declarations
 #
 
+## <desc>
+##  <p>
+##	Determine whether glance-api can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(glance_api_can_network, false)
+
+## <desc>
+## <p>
+## Allow glance domain to manage fuse files
+## </p>
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow glance domain to use executable memory and executable stack
+## </p>
+## </desc>
+gen_tunable(glance_use_execmem, false)
+
 attribute glance_domain;
 
-type glance_registry_t, glance_domain;
-type glance_registry_exec_t;
+glance_basic_types_template(glance_registry)
 init_daemon_domain(glance_registry_t, glance_registry_exec_t)
 
 type glance_registry_initrc_exec_t;
@@ -17,13 +38,21 @@ init_script_file(glance_registry_initrc_exec_t)
 type glance_registry_tmp_t;
 files_tmp_file(glance_registry_tmp_t)
 
-type glance_api_t, glance_domain;
-type glance_api_exec_t;
+type glance_registry_tmpfs_t;
+files_tmpfs_file(glance_registry_tmpfs_t)
+
+glance_basic_types_template(glance_api)
 init_daemon_domain(glance_api_t, glance_api_exec_t)
 
 type glance_api_initrc_exec_t;
 init_script_file(glance_api_initrc_exec_t)
 
+glance_basic_types_template(glance_scrubber)
+init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)
+
+type glance_scrubber_initrc_exec_t;
+init_script_file(glance_scrubber_initrc_exec_t)
+
 type glance_log_t;
 logging_log_file(glance_log_t)
 
@@ -41,6 +70,7 @@ files_pid_file(glance_var_run_t)
 # Common local policy
 #
 
+allow glance_domain self:process signal_perms;
 allow glance_domain self:fifo_file rw_fifo_file_perms;
 allow glance_domain self:unix_stream_socket create_stream_socket_perms;
 allow glance_domain self:tcp_socket { accept listen };
@@ -56,29 +86,40 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
 manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 
-kernel_read_system_state(glance_domain)
-
-corenet_all_recvfrom_unlabeled(glance_domain)
-corenet_all_recvfrom_netlabel(glance_domain)
 corenet_tcp_sendrecv_generic_if(glance_domain)
 corenet_tcp_sendrecv_generic_node(glance_domain)
 corenet_tcp_sendrecv_all_ports(glance_domain)
 corenet_tcp_bind_generic_node(glance_domain)
+corenet_tcp_connect_mysqld_port(glance_domain)
+corenet_tcp_connect_http_port(glance_domain)
 
 corecmd_exec_bin(glance_domain)
 corecmd_exec_shell(glance_domain)
 
 dev_read_urand(glance_domain)
+dev_read_sysfs(glance_domain)
 
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
+auth_read_passwd(glance_domain)
 
 libs_exec_ldconfig(glance_domain)
 
-miscfiles_read_localization(glance_domain)
-
 sysnet_dns_name_resolve(glance_domain)
 
+tunable_policy(`glance_use_fusefs',`
+	fs_manage_fusefs_dirs(glance_domain)
+	fs_manage_fusefs_files(glance_domain)
+	fs_read_fusefs_symlinks(glance_domain)
+	fs_getattr_fusefs(glance_domain)
+')
+
+tunable_policy(`glance_use_execmem',`
+    allow glance_domain self:process { execmem execstack };
+')
+
+optional_policy(`
+    mysql_read_db_lnk_files(glance_domain)
+')
+
 ########################################
 #
 # Registry local policy
@@ -88,8 +129,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
 manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
 files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
 
+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
+
+corenet_tcp_bind_generic_node(glance_registry_t)
 corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
 corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
+
+corenet_tcp_connect_keystone_port(glance_registry_t)
 
 logging_send_syslog_msg(glance_registry_t)
 
@@ -108,13 +157,38 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
 files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
 can_exec(glance_api_t, glance_tmp_t)
 
-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
-
-corenet_sendrecv_hplip_server_packets(glance_api_t)
-corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_bind_generic_node(glance_api_t)
 
+corenet_tcp_bind_glance_port(glance_api_t)
 corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+corenet_tcp_connect_amqp_port(glance_api_t)
 corenet_tcp_connect_glance_registry_port(glance_api_t)
+corenet_tcp_connect_mysqld_port(glance_api_t)
+corenet_tcp_connect_http_port(glance_api_t)
+
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+corenet_tcp_connect_commplex_main_port(glance_api_t)
+corenet_tcp_connect_http_cache_port(glance_api_t)
+
+corenet_sendrecv_hplip_server_packets(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
 
 fs_getattr_xattr_fs(glance_api_t)
+
+tunable_policy(`glance_api_can_network',`
+	corenet_sendrecv_all_client_packets(glance_api_t)
+	corenet_tcp_connect_all_ports(glance_api_t)
+	corenet_tcp_sendrecv_all_ports(glance_api_t)
+')
+
+optional_policy(`
+    mysql_stream_connect(glance_api_t)
+')
+
+########################################
+#
+# Scrubber local policy
+#
+
+corenet_tcp_connect_commplex_main_port(glance_scrubber_t)
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
index 0000000000..9806f50ae1
--- /dev/null
+++ b/glusterd.fc
@@ -0,0 +1,25 @@
+/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/usr/sbin/glustereventsd   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
+/usr/sbin/gluster-eventsapi   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+
+/usr/libexec/glusterfs/peer_eventsapi.py    -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
+/usr/libexec/glusterfs/events/glustereventsd.py   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/gluster(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 0000000000..4501460189
--- /dev/null
+++ b/glusterd.if
@@ -0,0 +1,302 @@
+
+## <summary>policy for glusterd</summary>
+
+
+########################################
+## <summary>
+##	Transition to glusterd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glusterd_domtrans',`
+	gen_require(`
+		type glusterd_t, glusterd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute glusterd server in the glusterd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_initrc_domtrans',`
+	gen_require(`
+		type glusterd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read glusterd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_read_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to glusterd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_append_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+#######################################
+## <summary>
+##  Transition content labels to glusterd named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`glusterd_filetrans_named_pid',`
+    gen_require(`
+        type glusterd_var_run_t;
+    ')
+    files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
+')
+
+########################################
+## <summary>
+##	Manage glusterd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_manage_pid',`
+	gen_require(`
+		type glusterd_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
+	manage_files_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage glusterd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_manage_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+	manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+######################################
+## <summary>
+##  Allow the specified domain to execute gluster's lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gluster_execute_lib',`
+    gen_require(`
+        type glusterd_var_lib_t;
+    ')
+
+    files_list_var_lib($1)
+    allow $1 glusterd_var_lib_t:dir search_dir_perms;
+    can_exec($1, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+##  Read glusterd's config files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`glusterd_read_conf',`
+       gen_require(`
+               type glusterd_conf_t;
+       ')
+
+    files_search_etc($1)
+    read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)
+')
+
+######################################
+## <summary>
+##  Dontaudit Read  /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`glusterd_dontaudit_read_lib_dirs',`
+       gen_require(`
+               type glusterd_var_lib_t;
+       ')
+
+    dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;
+')
+
+######################################
+## <summary>
+##  Read and write /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`glusterd_rw_lib',`
+       gen_require(`
+               type glusterd_var_lib_t;
+       ')
+
+    files_search_var_lib($1)
+    rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+## Read /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`glusterd_read_lib_files',`
+       gen_require(`
+               type glusterd_var_lib_t;
+       ')
+
+    files_search_var_lib($1)
+	allow $1 glusterd_var_lib_t:dir search_dir_perms;
+    read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+## Read and write /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`glusterd_manage_lib_files',`
+       gen_require(`
+               type glusterd_var_lib_t;
+       ')
+
+    files_search_var_lib($1)
+	allow $1 glusterd_var_lib_t:dir search_dir_perms;
+    manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+##	All of the rules required to administrate
+##	an glusterd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_admin',`
+	gen_require(`
+		type glusterd_t;
+		type glusterd_initrc_exec_t;
+		type glusterd_log_t;
+		type glusterd_tmp_t;
+		type glusterd_conf_t; 
+	')
+
+	allow $1 glusterd_t:process { signal_perms };
+	ps_process_pattern($1, glusterd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 glusterd_t:process ptrace;
+    ')
+
+	glusterd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 glusterd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_search_logs($1)
+	admin_pattern($1, glusterd_log_t)
+
+	admin_pattern($1, glusterd_tmp_t)
+
+	admin_pattern($1, glusterd_conf_t)
+
+')
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 0000000000..382d67a996
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,333 @@
+policy_module(glusterd, 1.1.2)
+
+## <desc>
+## <p>
+## Allow glusterfsd to modify public files used for public file
+## transfer services.  Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(gluster_anon_write, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read only.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read/write.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_rw, true)
+
+## <desc>
+## <p>
+## Allow glusterd_t domain to use executable memory 
+## </p>
+## </desc>
+gen_tunable(gluster_use_execmem, false)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+domain_obj_id_change_exemption(glusterd_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_tmpfs_t;
+files_tmpfs_file(glusterd_tmpfs_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t)
+
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
+
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setpgid setrlimit signal_perms setsched getsched setfscreate};
+allow glusterd_t self:sem create_sem_perms;
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
+allow glusterd_t self:rawip_socket create_socket_perms;
+allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_sock_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+kernel_read_network_state(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_request_load_module(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+corenet_raw_bind_generic_node(glusterd_t)
+
+corenet_tcp_connect_gluster_port(glusterd_t)
+corenet_tcp_bind_gluster_port(glusterd_t)
+corenet_udp_bind_gluster_port(glusterd_t)
+
+# replacement for rpc.mountd
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_mountd_port(glusterd_t)
+corenet_tcp_bind_mountd_port(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_ephemeral_ports(glusterd_t)
+corenet_tcp_connect_ssh_port(glusterd_t)
+corenet_tcp_connect_all_rpc_ports(glusterd_t)
+corenet_tcp_connect_all_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+dev_read_rand(glusterd_t)
+dev_rw_infiniband_dev(glusterd_t)
+
+domain_read_all_domains_state(glusterd_t)
+domain_getattr_all_sockets(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
+fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+fs_getattr_all_dirs(glusterd_t)
+
+files_mounton_non_security(glusterd_t)
+
+files_dontaudit_read_security_files(glusterd_t)
+files_dontaudit_list_security_dirs(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
+#needed by /usr/sbin/xfs_db
+storage_raw_read_fixed_disk(glusterd_t)
+storage_raw_write_fixed_disk(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+fs_getattr_all_fs(glusterd_t)
+
+init_domtrans_script(glusterd_t)
+init_initrc_domain(glusterd_t)
+init_read_script_state(glusterd_t)
+init_rw_script_tmp_files(glusterd_t)
+init_manage_script_status_files(glusterd_t)
+init_status(glusterd_t)
+init_stop_transient_unit(glusterd_t)
+
+systemd_config_systemd_services(glusterd_t)
+systemd_signal_passwd_agent(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+logging_dontaudit_search_audit_logs(glusterd_t)
+
+libs_exec_ldconfig(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
+miscfiles_read_public_files(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
+userdom_filetrans_home_content(glusterd_t)
+userdom_read_user_tmp_files(glusterd_t)
+userdom_delete_user_tmp_files(glusterd_t)
+userdom_rw_user_tmp_files(glusterd_t)
+userdom_map_tmp_files(glusterd_t)
+userdom_kill_all_users(glusterd_t)
+userdom_signal_unpriv_users(glusterd_t)
+
+mount_domtrans(glusterd_t)
+
+fstools_domtrans(glusterd_t)
+
+tunable_policy(`gluster_anon_write',`
+	miscfiles_manage_public_files(glusterd_t)
+') 
+
+tunable_policy(`gluster_export_all_ro',`
+	fs_read_noxattr_fs_files(glusterd_t) 
+	files_read_non_security_files(glusterd_t) 
+    files_getattr_all_pipes(glusterd_t)
+    files_getattr_all_sockets(glusterd_t)
+')
+
+tunable_policy(`gluster_export_all_rw',`
+	fs_manage_noxattr_fs_files(glusterd_t) 
+	files_manage_non_security_dirs(glusterd_t)
+	files_manage_non_security_files(glusterd_t)
+    files_relabel_base_file_types(glusterd_t)
+    files_getattr_all_pipes(glusterd_t)
+    files_getattr_all_sockets(glusterd_t)
+    files_map_non_security_files(glusterd_t)
+')
+
+tunable_policy(`gluster_use_execmem',`
+	allow glusterd_t self:process { execmem };
+')
+
+optional_policy(`
+    ctdbd_domtrans(glusterd_t)
+    ctdbd_signal(glusterd_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(glusterd_t)
+    dbus_connect_system_bus(glusterd_t)
+	unconfined_dbus_chat(glusterd_t)
+
+    optional_policy(`
+        policykit_dbus_chat(glusterd_t)
+    ')
+')
+
+optional_policy(`
+    ganesha_systemctl(glusterd_t)
+    ganesha_dbus_chat(glusterd_t)
+')
+
+optional_policy(`
+    hostname_exec(glusterd_t)
+')
+
+
+optional_policy(`
+    kerberos_read_keytab(glusterd_t)
+')
+
+optional_policy(`
+    lvm_domtrans(glusterd_t)
+')
+
+optional_policy(`
+    mount_domtrans_showmount(glusterd_t)
+')
+
+optional_policy(`
+    samba_domtrans_smbd(glusterd_t)
+    samba_systemctl(glusterd_t)
+    samba_signal_smbd(glusterd_t)
+    samba_manage_config(glusterd_t)
+')
+
+optional_policy(`
+    ssh_exec_keygen(glusterd_t)
+')
+
+optional_policy(`
+    rpc_domtrans_rpcd(glusterd_t)
+    rpc_kill_rpcd(glusterd_t)
+')
+
+optional_policy(`
+	rsync_exec(glusterd_t)
+')
+
+optional_policy(`
+    rpc_systemctl_nfsd(glusterd_t)
+    rpc_systemctl_rpcd(glusterd_t)
+
+    rpc_domtrans_nfsd(glusterd_t)
+    rpc_domtrans_rpcd(glusterd_t)
+    rpc_manage_nfs_state_data(glusterd_t)
+	rpc_manage_nfs_state_data_dir(glusterd_t)
+	rpcbind_stream_connect(glusterd_t)
+')
+
+optional_policy(`
+    rhcs_dbus_chat_cluster(glusterd_t)
+    rhcs_domtrans_cluster(glusterd_t)
+    rhcs_systemctl_cluster(glusterd_t)
+    rhcs_stream_connect_cluster(glusterd_t)
+')
+
+optional_policy(`
+	ssh_exec(glusterd_t)
+')
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
index 4bd6ade465..0000000000
--- a/glusterfs.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-
-/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
-
-/usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/var/lib/gluster.*	gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-
-/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
-
-/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/var/run/glusterd\.pid	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterfs.if b/glusterfs.if
deleted file mode 100644
index 05233c86ed..0000000000
--- a/glusterfs.if
+++ /dev/null
@@ -1,71 +0,0 @@
-## <summary>Cluster File System binary, daemon and command line.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterd_admin',`
-	refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
-	glusterfs_admin($1, $2)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterfs_admin',`
-	gen_require(`
-		type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
-		type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
-		type glusterd_var_run_t;
-	')
-
-	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 glusterd_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	allow $1 glusterd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, glusterd_t)
-
-	files_search_etc($1)
-	admin_pattern($1, glusterd_conf_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, glusterd_log_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, glusterd_tmp_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, glusterd_var_lib_t)
-
-	files_search_pids($1)
-	admin_pattern($1, glusterd_var_run_t)
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
index 4e95c7e2f4..0000000000
--- a/glusterfs.te
+++ /dev/null
@@ -1,105 +0,0 @@
-policy_module(glusterfs, 1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type glusterd_t;
-type glusterd_exec_t;
-init_daemon_domain(glusterd_t, glusterd_exec_t)
-
-type glusterd_conf_t;
-files_type(glusterd_conf_t)
-
-type glusterd_initrc_exec_t;
-init_script_file(glusterd_initrc_exec_t)
-
-type glusterd_tmp_t;
-files_tmp_file(glusterd_tmp_t)
-
-type glusterd_log_t;
-logging_log_file(glusterd_log_t)
-
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
-allow glusterd_t self:process { setrlimit signal };
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
-
-can_exec(glusterd_t, glusterd_exec_t)
-
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
-corenet_all_recvfrom_unlabeled(glusterd_t)
-corenet_all_recvfrom_netlabel(glusterd_t)
-corenet_tcp_sendrecv_generic_if(glusterd_t)
-corenet_udp_sendrecv_generic_if(glusterd_t)
-corenet_tcp_sendrecv_generic_node(glusterd_t)
-corenet_udp_sendrecv_generic_node(glusterd_t)
-corenet_tcp_sendrecv_all_ports(glusterd_t)
-corenet_udp_sendrecv_all_ports(glusterd_t)
-corenet_tcp_bind_generic_node(glusterd_t)
-corenet_udp_bind_generic_node(glusterd_t)
-
-# Too coarse?
-corenet_sendrecv_all_server_packets(glusterd_t)
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
-corenet_udp_bind_all_rpc_ports(glusterd_t)
-corenet_udp_bind_ipp_port(glusterd_t)
-
-corenet_sendrecv_all_client_packets(glusterd_t)
-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
-
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
-domain_read_all_domains_state(glusterd_t)
-
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
-
-auth_use_nsswitch(glusterd_t)
-
-logging_send_syslog_msg(glusterd_t)
-
-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
index e39de436a2..5edcb8330a 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,15 +1,60 @@
-HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gnome_keyring_home_t,s0)
-HOME_DIR/\.gnome2_private(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.cache/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)?  gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.nv/GLCache(/.*)?	gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.grl-metadata-store		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/GLCache(/.*)?	gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 
-/etc/gconf(/.*)?	gen_context(system_u:object_r:gconf_etc_t,s0)
+/var/run/user/[^/]*/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
+/var/run/user/[^/]*/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+/var/run/user/[^/]*/keyring.*	gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
+
+/root/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
+/root/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.config(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
+/root/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
+/root/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+/root/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.cache/gstreamer-.*        gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.*			gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
+/root/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
+
+/etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
 
 /tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:gconf_tmp_t,s0)
 
+/usr/share/config(/.*)? 	gen_context(system_u:object_r:config_usr_t,s0)
+
 /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 --	gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
 
-/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
index ab09d61950..898f4262a2 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
-## <summary>GNU network object model environment.</summary>
+## <summary>GNU network object model environment (GNOME)</summary>
 
-########################################
+#######################################
 ## <summary>
-##	Role access for gnome.  (Deprecated)
+##  Role access for gnome.  (Deprecated)
 ## </summary>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access.
+##  </summary>
 ## </param>
 ## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
+##  <summary>
+##  User domain for the role.
+##  </summary>
 ## </param>
 #
 interface(`gnome_role',`
-	refpolicywarn(`$0($*) has been deprecated')
+    refpolicywarn(`$0($*) has been deprecated')
+    ')
+
+######################################
+## <summary>
+##      The role template for the gnome-keyring-daemon.
+## </summary>
+## <param name="user_prefix">
+##      <summary>
+##      The user prefix.
+##      </summary>
+## </param>
+## <param name="user_role">
+##      <summary>
+##      The user role.
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##      The user domain associated with the role.
+##      </summary>
+## </param>
+#
+interface(`gnome_role_gkeyringd',`
+    refpolicywarn(`$0($*) has been deprecated')
 ')
 
-#######################################
+######################################
 ## <summary>
-##	The role template for gnome.
+##  The role template for gnome.
 ## </summary>
 ## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
+##  <summary>
+##  The prefix of the user domain (e.g., user
+##  is the prefix for user_t).
+##  </summary>
 ## </param>
 ## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
+##  <summary>
+##  The role associated with the user domain.
+##  </summary>
 ## </param>
 ## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
+##  <summary>
+##  The type of the user domain.
+##  </summary>
 ## </param>
 #
 template(`gnome_role_template',`
-	gen_require(`
-		attribute gnomedomain, gkeyringd_domain;
+    gen_require(`
+		attribute gnomedomain, gkeyringd_domain, gnome_home_type;
 		attribute_role gconfd_roles;
-		type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+		type gkeyringd_exec_t, gkeyringd_tmp_t;
 		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
-		type gconf_home_t;
+		class dbus all_dbus_perms;
 	')
 
 	########################################
@@ -74,52 +98,112 @@ template(`gnome_role_template',`
 
 	domtrans_pattern($3, gconfd_exec_t, gconfd_t)
 
-	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
-	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
-	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-
-	allow $3 gconfd_t:process { ptrace signal_perms };
+	allow $3 gconfd_t:process { signal_perms };
+	allow $3 gconfd_t:unix_stream_socket connectto;
 	ps_process_pattern($3, gconfd_t)
 
+
 	########################################
 	#
 	# Gkeyringd policy
 	#
 
+    allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms };
+
 	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 
-	allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
-	allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
 
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
-	
-	gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+	userdom_home_manager($1_gkeyringd_t)
 
-	allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
 
 	ps_process_pattern($3, $1_gkeyringd_t)
-	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+	allow $3 $1_gkeyringd_t:process signal_perms;
+	dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
+	allow $1_gkeyringd_t $3:process sigkill;
+	allow $3 $1_gkeyringd_t:fd use;
+	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
+	dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
+
+	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
+	kernel_read_system_state($1_gkeyringd_t)
 
 	corecmd_bin_domtrans($1_gkeyringd_t, $3)
 	corecmd_shell_domtrans($1_gkeyringd_t, $3)
 
-	gnome_stream_connect_gkeyringd($1, $3)
+	gnome_stream_connect_gkeyringd($3)
+
+	ps_process_pattern($1_gkeyringd_t, $3)
+
+	auth_use_nsswitch($1_gkeyringd_t)
+
+	logging_send_syslog_msg($1_gkeyringd_t)
+
+    userdom_rw_user_tmp_sock_files($1_gkeyringd_t)
+
+	allow $1_gkeyringd_t $3:dbus { acquire_svc send_msg };
+	allow $3 $1_gkeyringd_t:dbus send_msg;
+	allow $3 $3:dbus acquire_svc;
+
+    optional_policy(`
+        systemd_dbus_chat_logind($1_gkeyringd_t)
+    ')
+
+    optional_policy(`
+        dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+        dbus_stream_connect_system_dbusd($1_gkeyringd_t)
+        dbus_send_system_bus($1_gkeyringd_t)
+    ')
+
+	optional_policy(`
+		gnome_manage_generic_home_dirs($1_gkeyringd_t)
+		gnome_read_generic_data_home_files($1_gkeyringd_t)
+		gnome_read_generic_data_home_dirs($1_gkeyringd_t)
+	')
 
 	optional_policy(`
-		dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+		telepathy_mission_control_read_state($1_gkeyringd_t)
+        telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
+	')
+')
 
-		optional_policy(`
-			gnome_dbus_chat_gkeyringd($1, $3)
-		')
+#######################################
+## <summary>
+##  Allow domain to run gkeyring in the $1_gkeyringd_t domain.
+## </summary>
+## <param name="user_prefix">
+##      <summary>
+##      The user prefix.
+##      </summary>
+## </param>
+## <param name="user_role">
+##      <summary>
+##      The user role.
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##	Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_run_gkeyringd',`
+    gen_require(`
+		type $1_gkeyringd_t;
+		type gkeyringd_exec_t;
 	')
+	role $2 types $1_gkeyringd_t;
+	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute gconf in the caller domain.
+##	gconf connection template.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -127,18 +211,18 @@ template(`gnome_role_template',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_exec_gconf',`
+interface(`gnome_stream_connect_gconf',`
 	gen_require(`
-		type gconfd_exec_t;
+		type gconfd_t, gconf_tmp_t;
 	')
 
-	corecmd_search_bin($1)
-	can_exec($1, gconfd_exec_t)
+	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+	allow $1 gconfd_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Read gconf configuration content.
+##	Connect to gkeyringd with a unix stream socket. 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -146,119 +230,114 @@ interface(`gnome_exec_gconf',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gkeyringd',`
 	gen_require(`
-		type gconf_etc_t;
+			attribute gkeyringd_domain;
+			type gkeyringd_tmp_t;
+			type gconf_tmp_t;
+			type cache_home_t;
 	')
 
-	files_search_etc($1)
-	allow $1 gconf_etc_t:dir list_dir_perms;
-	allow $1 gconf_etc_t:file read_file_perms;
-	allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+	allow $1 gconf_tmp_t:dir search_dir_perms;
+	userdom_search_user_tmp_dirs($1)
+	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+	stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read
-##	inherited gconf configuration files.
+##	Run gconfd in gconfd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+interface(`gnome_domtrans_gconfd',`
 	gen_require(`
-		type gconf_etc_t;
+		type gconfd_t, gconfd_exec_t;
 	')
 
-	dontaudit $1 gconf_etc_t:file read;
+	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Create, read, write, and delete
-##	gconf configuration content.
+##	Dontaudit read gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_dontaudit_read_config',`
 	gen_require(`
-		type gconf_etc_t;
+		attribute gnome_home_type;
 	')
 
-	files_search_etc($1)
-	allow $1 gconf_etc_t:dir manage_dir_perms;
-	allow $1 gconf_etc_t:file manage_file_perms;
-	allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Connect to gconf using a unix
-##	domain stream socket.
+##	Dontaudit search gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_dontaudit_search_config',`
 	gen_require(`
-		type gconfd_t, gconf_tmp_t;
+		attribute gnome_home_type;
 	')
 
-	files_search_tmp($1)
-	stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+	dontaudit $1 gnome_home_type:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Run gconfd in gconfd domain.
+##	Dontaudit write gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_dontaudit_append_config_files',`
 	gen_require(`
-		type gconfd_t, gconfd_exec_t;
+		attribute gnome_home_type;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+	dontaudit $1 gnome_home_type:file append;
 ')
 
+
 ########################################
 ## <summary>
-##	Create generic gnome home directories.
+##	Dontaudit write gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_create_generic_home_dirs',`
+interface(`gnome_dontaudit_write_config_files',`
 	gen_require(`
-		type gnome_home_t;
+		attribute gnome_home_type;
 	')
 
-	allow $1 gnome_home_t:dir create_dir_perms;
+	dontaudit $1 gnome_home_type:file write;
 ')
 
 ########################################
 ## <summary>
-##	Set attributes of generic gnome
-##	user home directories.  (Deprecated)
+##	manage gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -266,15 +345,21 @@ interface(`gnome_create_generic_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_setattr_config_dirs',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
-	gnome_setattr_generic_home_dirs($1)
+interface(`gnome_manage_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	allow $1 gnome_home_type:dir manage_dir_perms;
+	allow $1 gnome_home_type:file { manage_file_perms map };
+	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+	allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Set attributes of generic gnome
-##	user home directories.
+##	Send general signals to all gconf domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -282,57 +367,89 @@ interface(`gnome_setattr_config_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_setattr_generic_home_dirs',`
+interface(`gnome_signal_all',`
 	gen_require(`
-		type gnome_home_t;
+		attribute gnomedomain;
 	')
 
-	userdom_search_user_home_dirs($1)
-	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	allow $1 gnomedomain:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Read generic gnome user home content.  (Deprecated)
+##	Create objects in a Gnome cache home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`gnome_read_config',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
-	gnome_read_generic_home_content($1)
+interface(`gnome_cache_filetrans',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	filetrans_pattern($1, cache_home_t, $2, $3, $4)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Read generic gnome home content.
+##	Create objects in a Gnome cache home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`gnome_read_generic_home_content',`
+interface(`gnome_config_filetrans',`
 	gen_require(`
-		type gnome_home_t;
+		type config_home_t;
 	')
 
+	filetrans_pattern($1, config_home_t, $2, $3, $4)
 	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir list_dir_perms;
-	allow $1 gnome_home_t:file read_file_perms;
-	allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
-	allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
-	allow $1 gnome_home_t:sock_file read_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gnome user home content.  (Deprecated)
+##	Read generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -340,15 +457,18 @@ interface(`gnome_read_generic_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_config',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
-	gnome_manage_generic_home_content($1)
+interface(`gnome_read_generic_cache_files',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	read_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gnome home content.
+##	Create generic cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -356,22 +476,18 @@ interface(`gnome_manage_config',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_generic_home_content',`
+interface(`gnome_create_generic_cache_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir manage_dir_perms;
-	allow $1 gnome_home_t:file manage_file_perms;
-	allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+	allow $1 cache_home_t:dir create_dir_perms;
+	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
 ')
 
 ########################################
 ## <summary>
-##	Search generic gnome home directories.
+##	Set attributes of cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -379,53 +495,37 @@ interface(`gnome_manage_generic_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_search_generic_home',`
+interface(`gnome_setattr_cache_home_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
+	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in gnome user home
-##	directories with a private type.
+##	Manage cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private_type">
-##	<summary>
-##	Private file type.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`gnome_home_filetrans',`
+interface(`gnome_manage_cache_home_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
+	manage_dirs_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	filetrans_pattern($1, gnome_home_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	Create generic gconf home directories.
+##	append to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -433,17 +533,18 @@ interface(`gnome_home_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_append_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
-	allow $1 gconf_home_t:dir create_dir_perms;
+	append_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Read generic gconf home content.
+##	write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -451,23 +552,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_write_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
+	write_files_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir list_dir_perms;
-	allow $1 gconf_home_t:file read_file_perms;
-	allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
-	allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
-	allow $1 gconf_home_t:sock_file read_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gconf home content.
+##	write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -475,22 +571,18 @@ interface(`gnome_read_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
+	manage_files_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir manage_dir_perms;
-	allow $1 gconf_home_t:file manage_file_perms;
-	allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 gconf_home_t:sock_file manage_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search generic gconf home directories.
+##	Manage a sock_file in the generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -498,79 +590,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_manage_generic_cache_sockets',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir search_dir_perms;
+	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic gconf
-##	home type.
+##	Dontaudit read/write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic gnome
-##	home type.
+##	read gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_read_config',`
 	gen_require(`
-		type gnome_home_t;
+		attribute gnome_home_type;
 	')
 
-	userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+	read_files_pattern($1, gnome_home_type, gnome_home_type)
+	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+	gnome_read_usr_config($1)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in gnome gconf home
-##	directories with a private type.
+##	Create objects in a Gnome gconf home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -579,12 +651,12 @@ interface(`gnome_home_filetrans_gnome_home',`
 ## </param>
 ## <param name="private_type">
 ##	<summary>
-##	Private file type.
+##	The type of the object to create.
 ##	</summary>
 ## </param>
 ## <param name="object_class">
 ##	<summary>
-##	Class of the object being created.
+##	The class of the object to be created.
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
@@ -593,18 +665,18 @@ interface(`gnome_home_filetrans_gnome_home',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_data_filetrans',`
 	gen_require(`
-		type gconf_home_t;
+		type data_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+	filetrans_pattern($1, data_home_t, $2, $3, $4)
+	gnome_search_gconf($1)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Read generic gnome keyring home files.
+##	Read generic data home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -612,46 +684,58 @@ interface(`gnome_gconf_home_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_generic_data_home_files',`
 	gen_require(`
-		type gnome_home_t, gnome_keyring_home_t;
+		type data_home_t, gconf_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+	read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+	read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Send and receive messages from
-##	gnome keyring daemon over dbus.
+##  Read generic data home dirs.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
+#
+interface(`gnome_read_generic_data_home_dirs',`
+    gen_require(`
+        type data_home_t, gconf_home_t;
+    ')
+
+    list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+#######################################
+## <summary>
+##	Manage gconf data home files
+## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_manage_data',`
 	gen_require(`
-		type $1_gkeyringd_t;
-		class dbus send_msg;
+		type data_home_t;
+		type gconf_home_t;
 	')
 
-	allow $2 $1_gkeyringd_t:dbus send_msg;
-	allow $1_gkeyringd_t $2:dbus send_msg;
+	allow $1 gconf_home_t:dir search_dir_perms;
+	manage_dirs_pattern($1, data_home_t, data_home_t)
+	manage_files_pattern($1, data_home_t, data_home_t)
+	manage_lnk_files_pattern($1, data_home_t, data_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Send and receive messages from all
-##	gnome keyring daemon over dbus.
+##	Read icc data home content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -659,59 +743,1073 @@ interface(`gnome_dbus_chat_gkeyringd',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_read_home_icc_data_content',`
 	gen_require(`
-		attribute gkeyringd_domain;
-		class dbus send_msg;
+		type icc_data_home_t, gconf_home_t, data_home_t;
 	')
 
-	allow $1 gkeyringd_domain:dbus send_msg;
-	allow gkeyringd_domain $1:dbus send_msg;
+	userdom_search_user_home_dirs($1)
+	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+	allow $1 icc_data_home_t:file map;
+	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to gnome keyring daemon
-##	with a unix stream socket.
+##	Read inherited icc data home files.
 ## </summary>
-## <param name="role_prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`gnome_read_inherited_home_icc_data_files',`
+	gen_require(`
+		type icc_data_home_t;
+	')
+
+	allow $1 icc_data_home_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Create gconf_home_t objects in the /root directory
+## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_admin_home_gconf_filetrans',`
 	gen_require(`
-		type $1_gkeyringd_t, gnome_keyring_tmp_t;
+		type gconf_home_t;
 	')
 
-	files_search_tmp($2)
-	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
 ')
 
 ########################################
 ## <summary>
-##	Connect to all gnome keyring daemon
-##	with a unix stream socket.
+##	Do not audit attempts to read
+##	inherited gconf config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
 	gen_require(`
-		attribute gkeyringd_domain;
-		type gnome_keyring_tmp_t;
+		type gconf_etc_t;
 	')
 
-	files_search_tmp($1)
-	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	read gconf config files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_read_gconf_config',`
+	gen_require(`
+		type gconf_etc_t;
+	')
+
+	allow $1 gconf_etc_t:dir list_dir_perms;
+	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+	files_search_etc($1)
+')
+
+#######################################
+## <summary>
+##      Manage gconf config files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+        gen_require(`
+                type gconf_etc_t;
+        ')
+
+        allow $1 gconf_etc_t:dir list_dir_perms;
+        manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+########################################
+## <summary>
+##	Execute gconf programs in 
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+	gen_require(`
+		type gconfd_exec_t;
+	')
+
+	can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute gnome keyringd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_exec_keyringd',`
+	gen_require(`
+		type gkeyringd_exec_t;
+	')
+
+	can_exec($1, gkeyringd_exec_t)
+	corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+##	Search gconf home data dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_search_gconf_data_dir',`
+	gen_require(`
+		type gconf_home_t;
+		type data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 gconf_home_t:dir list_dir_perms;
+	allow $1 data_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read gconf home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_read_gconf_home_files',`
+	gen_require(`
+		type gconf_home_t;
+		type data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 gconf_home_t:dir list_dir_perms;
+	allow $1 data_home_t:dir list_dir_perms;
+	read_files_pattern($1, gconf_home_t, gconf_home_t)
+	read_files_pattern($1, data_home_t, data_home_t)
+	read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
+	read_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+##	Search gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+	gen_require(`
+		type gkeyringd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+	gen_require(`
+		type gkeyringd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+##  Delete gkeyringd temporary
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_delete_gkeyringd_tmp_content',`
+    gen_require(`
+        type gkeyringd_tmp_t;
+    ')
+
+    files_search_tmp($1)
+    delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+    delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+    delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+#######################################
+## <summary>
+##  Manage gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_manage_gkeyringd_tmp_dirs',`
+    gen_require(`
+        type gkeyringd_tmp_t;
+    ')
+
+    files_search_tmp($1)
+    manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+########################################
+## <summary>
+##	search gconf homedir (.local)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_search_gconf',`
+	gen_require(`
+		type gconf_home_t;
+	')
+
+	allow $1 gconf_home_t:dir search_dir_perms;
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
+##	Manage generic gnome home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_files',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+##	Manage generic gnome home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_dirs',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 gnome_home_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Append gconf home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_append_gconf_home_files',`
+	gen_require(`
+		type gconf_home_t;
+	')
+
+	append_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+##	manage gconf home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_gconf_home_files',`
+	gen_require(`
+		type gconf_home_t;
+	')
+
+	allow $1 gconf_home_t:dir list_dir_perms;
+	manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+##	Connect to gnome over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`gnome_stream_connect',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	# Connect to pulseaudit server
+	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+########################################
+## <summary>
+##	list gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_list_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	allow $1 config_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Set attributes of gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_setattr_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	setattr_dirs_pattern($1, config_home_t, config_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_read_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	list_dirs_pattern($1, config_home_t, config_home_t)
+	read_files_pattern($1, config_home_t, config_home_t)
+	read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+#######################################
+## <summary>
+##  append gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_append_home_config',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    append_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+##  delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_delete_home_config',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    delete_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##	Create gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_create_home_config_dirs',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	allow $1 config_home_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
+##  setattr gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_setattr_home_config_dirs',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    setattr_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##	manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	manage_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+##  delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_delete_home_config_dirs',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    delete_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##	manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_home_config_dirs',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	manage_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##	manage gstreamer home content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_home_files',`
+	gen_require(`
+		type gstreamer_home_t;
+	')
+
+	manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+	manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
+	gnome_filetrans_gstreamer_home_content($1)
+')
+
+######################################
+## <summary>
+##      Allow to execute gstreamer home content files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_exec_gstreamer_home_files',`
+        gen_require(`
+                type gstreamer_home_t;
+        ')
+
+        can_exec($1, gstreamer_home_t)
+')
+
+######################################
+## <summary>
+##      Allow to execute config home content files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_exec_config_home_files',`
+        gen_require(`
+                type config_home_t;
+        ')
+
+        can_exec($1, config_home_t)
+')
+
+#######################################
+## <summary>
+##  file name transition gstreamer home content files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_filetrans_gstreamer_home_content',`
+    gen_require(`
+        type gstreamer_home_t;
+    ')
+
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+    userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
+')
+
+#######################################
+## <summary>
+##  manage gstreamer home content files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_home_dirs',`
+    gen_require(`
+        type gstreamer_home_t;
+    ')
+
+    manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+')
+
+########################################
+## <summary>
+##	Read/Write all inherited gnome home config 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_rw_inherited_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit Read/Write all inherited gnome home config 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`gnome_dontaudit_rw_inherited_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	gconf system service over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfdefault',`
+	gen_require(`
+		type gconfdefaultsm_t;
+		class dbus send_msg;
+	')
+
+	allow $1 gconfdefaultsm_t:dbus send_msg;
+	allow gconfdefaultsm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	gkeyringd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+	gen_require(`
+		attribute gkeyringd_domain;
+		class dbus send_msg;
+	')
+
+	allow $1 gkeyringd_domain:dbus send_msg;
+	allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send signull signal to gkeyringd processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_signull_gkeyringd',`
+	gen_require(`
+		attribute gkeyringd_domain;
+	')
+
+	allow $1 gkeyringd_domain:process signull;
+')
+
+########################################
+## <summary>
+##	Allow the domain to read gkeyringd state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_read_gkeyringd_state',`
+	gen_require(`
+		attribute gkeyringd_domain;
+	')
+
+	ps_process_pattern($1, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+##	Create directories in user home directories
+##	with the gnome home file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_home_dir_filetrans',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Check whether sendmail executable
+##	files are executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_access_check_usr_config',`
+	gen_require(`
+		type config_usr_t;
+	')
+
+	allow $1 config_usr_t:dir_file_class_set audit_access;;
+')
+
+######################################
+## <summary>
+##      Allow read kde config content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_read_usr_config',`
+        gen_require(`
+                type config_usr_t;
+        ')
+
+        files_search_usr($1)
+		list_dirs_pattern($1, config_usr_t, config_usr_t)
+		read_files_pattern($1, config_usr_t, config_usr_t)
+		read_lnk_files_pattern($1, config_usr_t, config_usr_t)	
+')
+
+#######################################
+## <summary>
+##      Allow manage kde config content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_manage_usr_config',`
+        gen_require(`
+                type config_usr_t;
+        ')
+
+        files_search_usr($1)
+		manage_dirs_pattern($1, config_usr_t, config_usr_t)
+		manage_files_pattern($1, config_usr_t, config_usr_t)
+		manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+########################################
+## <summary>
+##	Execute gnome-keyring in the user gkeyring domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`gnome_transition_gkeyringd',`
+	gen_require(`
+		attribute gkeyringd_domain;
+	')
+
+	allow $1 gkeyringd_domain:process transition;
+	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
+	allow gkeyringd_domain $1:process { sigchld signull };
+	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Create gnome content in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_filetrans_home_content',`
+
+gen_require(`
+	type config_home_t;
+	type cache_home_t;
+	type dbus_home_t;
+	type gconf_home_t;
+	type gnome_home_t;
+	type data_home_t, icc_data_home_t;
+	type gkeyringd_gnome_home_t;
+')
+
+	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
+	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+	userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
+	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+
+	# ~/.color/icc: legacy
+	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
+	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+	filetrans_pattern($1, data_home_t,  gkeyringd_gnome_home_t, dir, "keyrings")
+	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+	filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
+	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+	gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+	gnome_filetrans_gstreamer_home_content($1)
+')
+
+########################################
+## <summary>
+##	Create gnome dconf dir in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_filetrans_config_home_content',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+')
+
+########################################
+## <summary>
+##	Create gnome directory in the /root directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_filetrans_admin_home_content',`
+
+gen_require(`
+	type config_home_t;
+	type cache_home_t;
+	type dbus_home_t;
+	type gstreamer_home_t;
+	type gconf_home_t;
+	type gnome_home_t;
+	type icc_data_home_t;
+')
+
+	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
+	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
+	userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+	userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
+	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+	gnome_filetrans_gstreamer_home_content($1)
+	# /root/.color/icc: legacy
+	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
+')
+
+#####################################
+## <summary>
+##  Execute gnome-keyring executable
+##  in the specified domain.
+## </summary>
+## <desc>
+##  <p>
+##  Execute a telepathy executable
+##  in the specified domain.  This allows
+##  the specified domain to execute any file
+##  on these filesystems in the specified
+##  domain. 
+##  </p>
+##  <p>
+##  No interprocess communication (signals, pipes,
+##  etc.) is provided by this interface since
+##  the domains are not owned by this module.
+##  </p>
+##  <p>
+##  This interface was added to handle
+##  the ssh-agent policy.
+##  </p>
+## </desc>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+## <param name="target_domain">
+##  <summary>
+##  The type of the new process.
+##  </summary>
+## </param>
+#
+interface(`gnome_command_domtrans_gkeyringd', `
+    gen_require(`
+        type gkeyringd_exec_t;
+    ')
+
+    allow $2 gkeyringd_exec_t:file entrypoint;
+    domain_transition_pattern($1, gkeyringd_exec_t, $2)
+    type_transition $1 gkeyringd_exec_t:process $2;
 ')
diff --git a/gnome.te b/gnome.te
index 63893eb2d0..61dd9e336d 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
 # Declarations
 #
 
-attribute gkeyringd_domain;
 attribute gnomedomain;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
 attribute_role gconfd_roles;
 
 type gconf_etc_t;
 files_config_file(gconf_etc_t)
 
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gstreamer_home_t, gnome_home_type;
+userdom_user_home_content(gstreamer_home_t)
+
+type dbus_home_t, gnome_home_type;
+userdom_user_home_content(dbus_home_t)
+
+type icc_data_home_t, gnome_home_type;
+userdom_user_home_content(icc_data_home_t)
+
+type gconf_home_t, gnome_home_type;
 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
 typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
 typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
 userdom_user_application_domain(gconfd_t, gconfd_exec_t)
 role gconfd_roles types gconfd_t;
 
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
 typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
 typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
 typealias gnome_home_t alias unconfined_gnome_home_t;
 userdom_user_home_content(gnome_home_t)
 
+# type KDE /usr/share/config files
+type config_usr_t;
+files_type(config_usr_t)
+
 type gkeyringd_exec_t;
-application_executable_file(gkeyringd_exec_t)
+corecmd_executable_file(gkeyringd_exec_t)
 
-type gnome_keyring_home_t;
-userdom_user_home_content(gnome_keyring_home_t)
+type gkeyringd_gnome_home_t, gnome_home_type;
+userdom_user_home_content(gkeyringd_gnome_home_t)
 
-type gnome_keyring_tmp_t;
-userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gkeyringd_tmp_t;
+userdom_user_tmp_content(gkeyringd_tmp_t)
+
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
 
 ##############################
 #
-# Common local Policy
+# Local Policy
 #
 
-allow gnomedomain self:process { getsched signal };
-allow gnomedomain self:fifo_file rw_fifo_file_perms;
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
 
-dev_read_urand(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
 
-domain_use_interactive_fds(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
 
-files_read_etc_files(gnomedomain)
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
 
-miscfiles_read_localization(gnomedomain)
 
-logging_send_syslog_msg(gnomedomain)
 
-userdom_use_user_terminals(gnomedomain)
+logging_send_syslog_msg(gconfd_t)
+
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
 
 optional_policy(`
-	xserver_rw_xdm_pipes(gnomedomain)
-	xserver_use_xdm_fds(gnomedomain)
+	nscd_dontaudit_search_pid(gconfd_t)
 ')
 
-##############################
+optional_policy(`
+	xserver_use_xdm_fds(gconfd_t)
+	xserver_rw_xdm_pipes(gconfd_t)
+')
+
+#######################################
 #
-# Conf daemon local Policy
+# gconf-defaults-mechanisms local policy
 #
 
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+allow gconfdefaultsm_t self:capability { dac_read_search dac_override sys_nice };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
 
-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+corecmd_search_bin(gconfdefaultsm_t)
 
-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+auth_read_passwd(gconfdefaultsm_t)
 
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
+
+userdom_read_all_users_state(gconfdefaultsm_t)
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
 
 optional_policy(`
-	nscd_dontaudit_search_pid(gconfd_t)
+	consolekit_dbus_chat(gconfdefaultsm_t)
 ')
 
-##############################
+optional_policy(`
+	dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+')
+
+optional_policy(`
+	nscd_dontaudit_search_pid(gconfdefaultsm_t)
+')
+
+optional_policy(`
+	policykit_domtrans_auth(gconfdefaultsm_t)
+	policykit_dbus_chat(gconfdefaultsm_t)
+	policykit_read_lib(gconfdefaultsm_t)
+	policykit_read_reload(gconfdefaultsm_t)
+')
+
+userdom_home_manager(gconfdefaultsm_t)
+
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
+#
+
+allow gnomesystemmm_t self:capability { sys_admin sys_nice };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
+
+kernel_read_system_state(gnomesystemmm_t)
+
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
+domain_search_all_domains_state(gnomesystemmm_t)
+domain_setpriority_all_domains(gnomesystemmm_t)
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
+auth_read_passwd(gnomesystemmm_t)
+
+logging_send_syslog_msg(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
+
+optional_policy(`
+	consolekit_dbus_chat(gnomesystemmm_t)
+')
+
+optional_policy(`
+	dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
+')
+
+optional_policy(`
+ 	gnome_manage_home_config(gnomesystemmm_t)
+')
+
+optional_policy(`
+	nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(gnomesystemmm_t)
+	policykit_domtrans_auth(gnomesystemmm_t)
+	policykit_read_lib(gnomesystemmm_t)
+	policykit_read_reload(gnomesystemmm_t)
+')
+
+######################################
 #
-# Keyring-daemon local policy
+# gnome-keyring-daemon local policy
 #
 
 allow gkeyringd_domain self:capability ipc_lock;
-allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:process { getcap getsched setcap signal };
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
 allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
 
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
+manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
 
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+allow gkeyringd_domain data_home_t:dir create_dir_perms;
+allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
 
-kernel_read_system_state(gkeyringd_domain)
 kernel_read_crypto_sysctls(gkeyringd_domain)
 
+corecmd_search_bin(gkeyringd_domain)
+
 dev_read_rand(gkeyringd_domain)
+dev_read_urand(gkeyringd_domain)
 dev_read_sysfs(gkeyringd_domain)
 
-files_read_usr_files(gkeyringd_domain)
+# for nscd?
+files_search_pids(gkeyringd_domain)
 
-fs_getattr_all_fs(gkeyringd_domain)
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
 
-selinux_getattr_fs(gkeyringd_domain)
+userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local")
 
 optional_policy(`
-	ssh_read_user_home_files(gkeyringd_domain)
+	xserver_append_xdm_home_files(gkeyringd_domain)
+	xserver_read_xdm_home_files(gkeyringd_domain)
+	xserver_use_xdm_fds(gkeyringd_domain)
 ')
 
 optional_policy(`
-	telepathy_mission_control_read_state(gkeyringd_domain)
+    gnome_create_home_config_dirs(gkeyringd_domain)
+	gnome_read_home_config(gkeyringd_domain)
+    gnome_manage_generic_cache_files(gkeyringd_domain)
+	gnome_manage_cache_home_dir(gkeyringd_domain)
+	gnome_manage_generic_cache_sockets(gkeyringd_domain)
 ')
+
+optional_policy(`
+	ssh_read_user_home_files(gkeyringd_domain)
+')
+
+domain_use_interactive_fds(gnomedomain)
+
+userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc
index f9ba8cd993..690630113f 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
@@ -1,7 +1,10 @@
+/usr/lib/systemd/systemd-timedated		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
 /usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 
-/usr/libexec/gsd-datetime-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 
-/usr/libexec/kde(3|4)/kcmdatetimehelper	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde3/kcmdatetimehelper		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde4/kcmdatetimehelper     --  gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 
 /usr/lib/gnome-settings-daemon/gsd-datetime-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702fb6..25c7ab82cd 100644
--- a/gnomeclock.if
+++ b/gnomeclock.if
@@ -2,8 +2,7 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run gnomeclock.
+##	Execute a domain transition to run gnomeclock.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',`
 		type gnomeclock_t, gnomeclock_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute gnomeclock in the gnomeclock
-##	domain, and allow the specified
-##	role the gnomeclock domain.
+##	Execute gnomeclock in the gnomeclock domain, and
+##	allow the specified role the gnomeclock domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',`
 #
 interface(`gnomeclock_run',`
 	gen_require(`
-		attribute_role gnomeclock_roles;
+		type gnomeclock_t;
 	')
 
 	gnomeclock_domtrans($1)
-	roleattribute $2 gnomeclock_roles;
+	role $2 types gnomeclock_t;
 ')
 
 ########################################
@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and
-##	receive messages from gnomeclock
-##	over dbus.
+##	Do not audit send and receive messages from
+##	gnomeclock over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/gnomeclock.te b/gnomeclock.te
index 7cd7435e65..8f26e9862c 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0)
 # Declarations
 #
 
-attribute_role gnomeclock_roles;
-
 type gnomeclock_t;
 type gnomeclock_exec_t;
-init_system_domain(gnomeclock_t, gnomeclock_exec_t)
-role gnomeclock_roles types gnomeclock_t;
+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+
+type gnomeclock_tmp_t;
+files_tmp_file(gnomeclock_tmp_t)
 
 ########################################
 #
-# Local policy
+# gnomeclock local policy
 #
 
-allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search dac_override };
 allow gnomeclock_t self:process { getattr getsched signal };
 allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
-allow gnomeclock_t self:unix_stream_socket { accept listen };
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir })
 
 kernel_read_system_state(gnomeclock_t)
 
 corecmd_exec_bin(gnomeclock_t)
 corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
 
-corenet_all_recvfrom_unlabeled(gnomeclock_t)
-corenet_all_recvfrom_netlabel(gnomeclock_t)
-corenet_tcp_sendrecv_generic_if(gnomeclock_t)
-corenet_tcp_sendrecv_generic_node(gnomeclock_t)
+corenet_tcp_connect_time_port(gnomeclock_t)
 
-# tcp:37 (time)
-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
-corenet_tcp_connect_inetd_child_port(gnomeclock_t)
-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
-
-dev_read_sysfs(gnomeclock_t)
-dev_read_urand(gnomeclock_t)
 dev_rw_realtime_clock(gnomeclock_t)
+dev_read_urand(gnomeclock_t)
+dev_write_kmsg(gnomeclock_t)
+dev_read_sysfs(gnomeclock_t)
 
-files_read_usr_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
 
 fs_getattr_xattr_fs(gnomeclock_t)
 
 auth_use_nsswitch(gnomeclock_t)
 
+init_dbus_chat(gnomeclock_t)
+
+logging_stream_connect_syslog(gnomeclock_t)
 logging_send_syslog_msg(gnomeclock_t)
 
-miscfiles_etc_filetrans_localization(gnomeclock_t)
 miscfiles_manage_localization(gnomeclock_t)
-miscfiles_read_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
 
 userdom_read_all_users_state(gnomeclock_t)
 
 optional_policy(`
-	chronyd_initrc_domtrans(gnomeclock_t)
+	chronyd_systemctl(gnomeclock_t)
 ')
 
 optional_policy(`
+	clock_read_adjtime(gnomeclock_t)
 	clock_domtrans(gnomeclock_t)
 ')
 
 optional_policy(`
-	dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+	consolekit_dbus_chat(gnomeclock_t)
+')
 
-	optional_policy(`
-		consolekit_dbus_chat(gnomeclock_t)
-	')
+optional_policy(`
+    consoletype_exec(gnomeclock_t)
+')
 
-	optional_policy(`
-		policykit_dbus_chat(gnomeclock_t)
-	')
+optional_policy(`
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+')
+
+optional_policy(`
+	gnome_manage_usr_config(gnomeclock_t)
+	gnome_manage_home_config(gnomeclock_t)
+	gnome_filetrans_admin_home_content(gnomeclock_t)
 ')
 
 optional_policy(`
 	ntp_domtrans_ntpdate(gnomeclock_t)
 	ntp_initrc_domtrans(gnomeclock_t)
+	init_dontaudit_getattr_all_script_files(gnomeclock_t)
+	init_dontaudit_getattr_exec(gnomeclock_t)
+	ntp_systemctl(gnomeclock_t)
 ')
 
 optional_policy(`
+	policykit_dbus_chat(gnomeclock_t)
 	policykit_domtrans_auth(gnomeclock_t)
 	policykit_read_lib(gnomeclock_t)
 	policykit_read_reload(gnomeclock_t)
diff --git a/gpg.fc b/gpg.fc
index 888cd2c68b..c02fa56941 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,10 +1,14 @@
-HOME_DIR/\.gnupg(/.+)?	gen_context(system_u:object_r:gpg_secret_t,s0)
-HOME_DIR/\.gnupg/log-socket	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/etc/mail/spamassassin/sa-update-keys(/.*)?	gen_context(system_u:object_r:gpg_secret_t,s0)
+
+/root/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
 
 /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm		--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 /usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
 
 /usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.*	--	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/gpg.if b/gpg.if
index 180f1b7cc7..60be406a9f 100644
--- a/gpg.if
+++ b/gpg.if
@@ -2,57 +2,79 @@
 
 ############################################################
 ## <summary>
-##	Role access for gpg.
+##	Role access for gpg
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
 interface(`gpg_role',`
 	gen_require(`
-		attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
-		type gpg_t, gpg_exec_t, gpg_agent_t;
-		type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
-		type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+        attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+		type gpg_t, gpg_exec_t;
+		type gpg_agent_t, gpg_agent_exec_t;
+		type gpg_agent_tmp_t;
+		type gpg_helper_t, gpg_pinentry_t;
+		type gpg_pinentry_tmp_t;
 	')
 
-	roleattribute $1 gpg_roles;
-	roleattribute $1 gpg_agent_roles;
-	roleattribute $1 gpg_helper_roles;
-	roleattribute $1 gpg_pinentry_roles;
+    roleattribute $1 gpg_roles;
+    roleattribute $1 gpg_agent_roles;
+    roleattribute $1 gpg_helper_roles;
+    roleattribute $1 gpg_pinentry_roles;
 
+	# transition from the userdomain to the derived domain
 	domtrans_pattern($2, gpg_exec_t, gpg_t)
-	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
 
-	allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
-	ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+	# allow ps to show gpg
+	ps_process_pattern($2, gpg_t)
+	allow $2 gpg_t:process { signull sigstop signal sigkill };
 
-	allow gpg_pinentry_t $2:process signull;
+	# communicate with the user
 	allow gpg_helper_t $2:fd use;
-	allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+	allow gpg_helper_t $2:fifo_file write;
+
+	# allow ps to show gpg-agent
+	ps_process_pattern($2, gpg_agent_t)
+
+	# Allow the user shell to signal the gpg-agent program.
+	allow $2 gpg_agent_t:process { signal sigkill };
+
+	manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+	# Transition from the user domain to the agent domain.
+	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 
-	allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-	userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
+	allow gpg_pinentry_t $2:fifo_file { read write };
 
 	optional_policy(`
 		gpg_pinentry_dbus_chat($2)
 	')
+
+	allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
+	ifdef(`hide_broken_symptoms',`
+		#Leaked File Descriptors
+		dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+		dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+	')
 ')
 
 ########################################
 ## <summary>
-##	Execute the gpg in the gpg domain.
+##	Transition to a user gpg domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -65,13 +87,12 @@ interface(`gpg_domtrans',`
 		type gpg_t, gpg_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, gpg_exec_t, gpg_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Execute the gpg in the caller domain.
+##	Execute gpg in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,76 +109,46 @@ interface(`gpg_exec',`
 	can_exec($1, gpg_exec_t)
 ')
 
-########################################
-## <summary>
-##	Execute gpg in a specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute gpg in a specified domain.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-## </desc>
-## <param name="source_domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-#
-interface(`gpg_spec_domtrans',`
-	gen_require(`
-		type gpg_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1, gpg_exec_t, $2)
-')
-
 ######################################
 ## <summary>
-##	Execute gpg in the gpg web domain.  (Deprecated)
+##  Transition to a gpg web domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`gpg_domtrans_web',`
-	refpolicywarn(`$0($*) has been deprecated.')
+    gen_require(`
+        type gpg_web_t, gpg_exec_t;
+    ')
+
+    domtrans_pattern($1, gpg_exec_t, gpg_web_t)
 ')
 
 ######################################
 ## <summary>
-##	Make gpg executable files an
-##	entrypoint for the specified domain.
+##  Make gpg an entrypoint for
+##  the specified domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	The domain for which gpg_exec_t is an entrypoint.
-##	</summary>
+##  <summary>
+##  The domain for which cifs_t is an entrypoint.
+##  </summary>
 ## </param>
 #
 interface(`gpg_entry_type',`
-	gen_require(`
-		type gpg_exec_t;
-	')
+    gen_require(`
+        type gpg_exec_t;
+    ')
 
-	domain_entry_file($1, gpg_exec_t)
+    domain_entry_file($1, gpg_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Send generic signals to gpg.
+##	Send generic signals to user gpg processes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -175,7 +166,7 @@ interface(`gpg_signal',`
 
 ########################################
 ## <summary>
-##	Read and write gpg agent pipes.
+##	Read and write GPG agent pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -184,6 +175,7 @@ interface(`gpg_signal',`
 ## </param>
 #
 interface(`gpg_rw_agent_pipes',`
+	# Just wants read/write could this be a leak?
 	gen_require(`
 		type gpg_agent_t;
 	')
@@ -193,8 +185,8 @@ interface(`gpg_rw_agent_pipes',`
 
 ########################################
 ## <summary>
-##	Send messages to and from gpg
-##	pinentry over DBUS.
+##	Send messages to and from GPG
+##	Pinentry over DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -214,7 +206,7 @@ interface(`gpg_pinentry_dbus_chat',`
 
 ########################################
 ## <summary>
-##	List gpg user secrets.
+##	List Gnu Privacy Guard user secrets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -230,3 +222,75 @@ interface(`gpg_list_user_secrets',`
 	list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
 	userdom_search_user_home_dirs($1)
 ')
+###########################
+## <summary>
+##	Allow to manage gpg named home content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_manage_home_content',`
+	gen_require(`
+		type gpg_secret_t;
+	')
+
+	manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
+	manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
+########################################
+## <summary>
+##	Transition to gpg named home content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_filetrans_home_content',`
+	gen_require(`
+		type gpg_secret_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
+
+########################################
+## <summary>
+##	Connected to gpg_agent_t unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_agent_stream_connect',`
+	gen_require(`
+		type gpg_agent_t;
+	')
+
+	allow $1 gpg_agent_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Connected to gpg_agent_t unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_noatsecure',`
+	gen_require(`
+		type gpg_t;
+	')
+
+    allow $1 gpg_t:process { noatsecure rlimitinh siginh };
+')
diff --git a/gpg.te b/gpg.te
index 0e97e82f14..0e6cf4a073 100644
--- a/gpg.te
+++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
 #
 # Declarations
 #
-
-## <desc>
-##	<p>
-##	Determine whether GPG agent can manage
-##	generic user home content files. This is
-##	required by the --write-env-file option.
-##	</p>
-## </desc>
-gen_tunable(gpg_agent_env_file, false)
+attribute gpgdomain;
 
 attribute_role gpg_roles;
 roleattribute system_r gpg_roles;
@@ -24,7 +16,15 @@ roleattribute system_r gpg_helper_roles;
 
 attribute_role gpg_pinentry_roles;
 
-type gpg_t;
+## <desc>
+## <p>
+## Allow gpg web domain to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(gpg_web_anon_write, false)
+
+type gpg_t, gpgdomain;
 type gpg_exec_t;
 typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
 typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
@@ -69,95 +69,109 @@ type gpg_pinentry_tmpfs_t;
 userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
 
 optional_policy(`
-	pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
+    pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
 ')
 
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
+role system_r types gpg_web_t;
+
+type gpg_tmpfs_t;
+files_tmpfs_file(gpg_tmpfs_t)
+
 ########################################
 #
-# Local policy
+# GPG local policy
 #
 
-allow gpg_t self:capability { ipc_lock setuid };
-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
-allow gpg_t self:fifo_file rw_fifo_file_perms;
-allow gpg_t self:tcp_socket { accept listen };
+allow gpgdomain self:capability { ipc_lock setuid };
+allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+dontaudit gpgdomain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow gpgdomain self:netlink_kobject_uevent_socket create_socket_perms;
+allow gpgdomain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
 
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+allow gpg_t gpg_secret_t:dir create_dir_perms;
 manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
-
-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-
-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
 
 kernel_read_sysctl(gpg_t)
+kernel_read_system_state(gpg_t)
+kernel_getattr_core_if(gpg_t)
 
 corecmd_exec_shell(gpg_t)
 corecmd_exec_bin(gpg_t)
 
-corenet_all_recvfrom_unlabeled(gpg_t)
 corenet_all_recvfrom_netlabel(gpg_t)
 corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_udp_sendrecv_generic_if(gpg_t)
 corenet_tcp_sendrecv_generic_node(gpg_t)
-
-corenet_sendrecv_all_client_packets(gpg_t)
-corenet_tcp_connect_all_ports(gpg_t)
+corenet_udp_sendrecv_generic_node(gpg_t)
 corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
 
-dev_read_generic_usb_dev(gpg_t)
 dev_read_rand(gpg_t)
 dev_read_urand(gpg_t)
-
-files_read_usr_files(gpg_t)
-files_dontaudit_search_var(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
+dev_dontaudit_getattr_all(gpg_t)
+dev_list_sysfs(gpg_t)
+dev_read_sysfs(gpg_t)
+dev_rw_generic_usb_dev(gpg_t)
 
 fs_getattr_xattr_fs(gpg_t)
 fs_list_inotifyfs(gpg_t)
 
 domain_use_interactive_fds(gpg_t)
 
+files_dontaudit_search_var(gpg_t)
+
 auth_use_nsswitch(gpg_t)
 
-logging_send_syslog_msg(gpg_t)
+init_dontaudit_getattr_initctl(gpg_t)
 
-miscfiles_read_localization(gpg_t)
+logging_send_syslog_msg(gpg_t)
 
-userdom_use_user_terminals(gpg_t)
+term_search_ptys(gpg_t)
 
-userdom_manage_user_tmp_files(gpg_t)
+userdom_use_inherited_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_all_user_tmp_content(gpg_t)
+#userdom_manage_user_home_content(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_manage_user_home_content_dirs(gpg_t)
+userdom_filetrans_home_content(gpg_t)
+userdom_stream_connect(gpg_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gpg_t)
-	fs_manage_nfs_files(gpg_t)
-')
+mta_manage_config(gpg_t)
+mta_read_spool(gpg_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gpg_t)
-	fs_manage_cifs_files(gpg_t)
-')
+userdom_home_manager(gpg_t)
 
 optional_policy(`
-	gnome_read_generic_home_content(gpg_t)
-	gnome_stream_connect_all_gkeyringd(gpg_t)
+	gpm_dontaudit_getattr_gpmctl(gpg_t)
 ')
 
 optional_policy(`
-	mozilla_dontaudit_rw_user_home_files(gpg_t)
+	gnome_manage_config(gpg_t)
+	gnome_stream_connect_gkeyringd(gpg_t)
 ')
 
 optional_policy(`
-	mta_read_spool_files(gpg_t)
-	mta_write_config(gpg_t)
+	mozilla_read_user_home_files(gpg_t)
+	mozilla_write_user_home_files(gpg_t)
 ')
 
 optional_policy(`
@@ -165,37 +179,55 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cron_system_entry(gpg_t, gpg_exec_t)
-	cron_read_system_job_tmp_files(gpg_t)
+	xserver_use_xdm_fds(gpg_t)
+	xserver_rw_xdm_pipes(gpg_t)
 ')
 
 optional_policy(`
-	xserver_use_xdm_fds(gpg_t)
-	xserver_rw_xdm_pipes(gpg_t)
+    udev_read_db(gpg_t)
 ')
 
+#optional_policy(`
+#	cron_system_entry(gpg_t, gpg_exec_t)
+#	cron_read_system_job_tmp_files(gpg_t)
+#')
+
 ########################################
 #
-# Helper local policy
+# GPG helper local policy
 #
 
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
 allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
 allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
 
-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
+dontaudit gpg_helper_t gpg_secret_t:file read;
 
-corenet_all_recvfrom_unlabeled(gpg_helper_t)
 corenet_all_recvfrom_netlabel(gpg_helper_t)
 corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
 corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
 corenet_tcp_sendrecv_all_ports(gpg_helper_t)
-
-corenet_sendrecv_all_client_packets(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_generic_node(gpg_helper_t)
+corenet_udp_bind_generic_node(gpg_helper_t)
 corenet_tcp_connect_all_ports(gpg_helper_t)
 
+
 auth_use_nsswitch(gpg_helper_t)
 
-userdom_use_user_terminals(gpg_helper_t)
+userdom_use_inherited_user_terminals(gpg_helper_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_dontaudit_rw_nfs_files(gpg_helper_t)
@@ -207,67 +239,97 @@ tunable_policy(`use_samba_home_dirs',`
 
 ########################################
 #
-# Agent local policy
+# GPG agent local policy
 #
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process { setrlimit signal_perms };
 
-allow gpg_agent_t self:process setrlimit;
-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
 allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+allow gpg_agent_t self:netlink_kobject_uevent_socket create_socket_perms;
 
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 
+# Allow the gpg-agent to manage its tmp files (socket)
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+manage_dirs_pattern(gpg_t, gpg_tmpfs_t, gpg_tmpfs_t)
+manage_files_pattern(gpg_t, gpg_tmpfs_t, gpg_tmpfs_t)
+manage_sock_files_pattern(gpg_t, gpg_tmpfs_t, gpg_tmpfs_t)
+fs_tmpfs_filetrans(gpg_t, gpg_tmpfs_t, { dir file sock_file })
 
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
 
-kernel_dontaudit_search_sysctl(gpg_agent_t)
+kernel_read_system_state(gpg_agent_t)
+kernel_read_core_if(gpg_agent_t)
 
+corecmd_read_bin_symlinks(gpg_agent_t)
+corecmd_exec_bin(gpg_agent_t)
 corecmd_exec_shell(gpg_agent_t)
 
 dev_read_rand(gpg_agent_t)
 dev_read_urand(gpg_agent_t)
+dev_rw_generic_usb_dev(gpg_agent_t)
+dev_list_sysfs(gpg_agent_t)
+dev_read_sysfs(gpg_agent_t)
+dev_dontaudit_getattr_all_chr_files(gpg_agent_t)
+dev_dontaudit_getattr_all_blk_files(gpg_agent_t)
 
 domain_use_interactive_fds(gpg_agent_t)
 
 fs_dontaudit_list_inotifyfs(gpg_agent_t)
 
-miscfiles_read_localization(gpg_agent_t)
+init_getattr_initctl(gpg_agent_t)
+
+logging_send_syslog_msg(gpg_agent_t)
 
-userdom_use_user_terminals(gpg_agent_t)
+miscfiles_read_certs(gpg_agent_t)
+
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 userdom_search_user_home_dirs(gpg_agent_t)
+userdom_filetrans_home_content(gpg_agent_t)
+
+userdom_manage_user_home_content_dirs(gpg_agent_t)
+userdom_manage_user_home_content_files(gpg_agent_t)
+userdom_manage_all_user_tmp_content(gpg_agent_t)
 
 ifdef(`hide_broken_symptoms',`
 	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+	userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
 ')
 
-tunable_policy(`gpg_agent_env_file',`
-	userdom_manage_user_home_content_dirs(gpg_agent_t)
-	userdom_manage_user_home_content_files(gpg_agent_t)
-	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+userdom_home_manager(gpg_agent_t)
+
+optional_policy(`
+	gnome_manage_config(gpg_agent_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gpg_agent_t)
-	fs_manage_nfs_files(gpg_agent_t)
-	fs_manage_nfs_symlinks(gpg_agent_t)
+optional_policy(`
+	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gpg_agent_t)
-	fs_manage_cifs_files(gpg_agent_t)
-	fs_manage_cifs_symlinks(gpg_agent_t)
+optional_policy(`
+	pcscd_stream_connect(gpg_agent_t)
 ')
 
 optional_policy(`
-	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+    gpm_getattr_gpmctl(gpg_agent_t)
+')
+
+optional_policy(`
+    udev_read_db(gpg_agent_t)
 ')
 
 ##############################
@@ -277,63 +339,121 @@ optional_policy(`
 
 allow gpg_pinentry_t self:process { getcap getsched setsched signal };
 allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
 allow gpg_pinentry_t self:shm create_shm_perms;
-allow gpg_pinentry_t self:tcp_socket { accept listen };
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+allow gpg_agent_t gpg_pinentry_t:process { siginh noatsecure rlimitinh };
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
 
 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
 
+manage_dirs_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_pinentry_t, gpg_agent_tmp_t, { dir sock_file file })
+
 manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
 
-can_exec(gpg_pinentry_t, pinentry_exec_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t)
+manage_sock_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t)
 
+# read /proc/meminfo
 kernel_read_system_state(gpg_pinentry_t)
 
 corecmd_exec_shell(gpg_pinentry_t)
 corecmd_exec_bin(gpg_pinentry_t)
 
 corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
 corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
 corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
 
 dev_read_urand(gpg_pinentry_t)
 dev_read_rand(gpg_pinentry_t)
 
-domain_use_interactive_fds(gpg_pinentry_t)
-
-files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
 
 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_all_fs(gpg_pinentry_t)
 
 auth_use_nsswitch(gpg_pinentry_t)
 
 logging_send_syslog_msg(gpg_pinentry_t)
 
 miscfiles_read_fonts(gpg_pinentry_t)
-miscfiles_read_localization(gpg_pinentry_t)
 
+term_search_ptys(gpg_pinentry_t)
+
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmp_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmp_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
 userdom_use_user_terminals(gpg_pinentry_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(gpg_pinentry_t)
-')
+userdom_home_reader(gpg_pinentry_t)
+userdom_stream_connect(gpg_pinentry_t)
+userdom_map_tmp_files(gpg_pinentry_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(gpg_pinentry_t)
+optional_policy(`
+	gnome_manage_home_config(gpg_pinentry_t)
 ')
 
 optional_policy(`
-	dbus_all_session_bus_client(gpg_pinentry_t)
+	dbus_session_bus_client(gpg_pinentry_t)
 	dbus_system_bus_client(gpg_pinentry_t)
 ')
 
 optional_policy(`
-	pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+	gnome_write_generic_cache_files(gpg_pinentry_t)
+	gnome_read_generic_cache_files(gpg_pinentry_t)
+	gnome_read_gconf_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+    pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+	pulseaudio_stream_connect(gpg_pinentry_t)
 ')
 
 optional_policy(`
 	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
+')
+
+#############################
+#
+# gpg web local policy
+#
+
+allow gpg_web_t self:process setrlimit;
+
+dev_read_rand(gpg_web_t)
+dev_read_urand(gpg_web_t)
+
+can_exec(gpg_web_t, gpg_exec_t)
+
+
+
+apache_dontaudit_rw_tmp_files(gpg_web_t)
+apache_manage_sys_content_rw(gpg_web_t)
+
+tunable_policy(`gpg_web_anon_write',`
+    miscfiles_manage_public_files(gpg_web_t)
 ')
diff --git a/gpm.te b/gpm.te
index 69734fd157..a659808d09 100644
--- a/gpm.te
+++ b/gpm.te
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
 init_script_file(gpm_initrc_exec_t)
 
 type gpm_conf_t;
-files_type(gpm_conf_t)
+files_config_file(gpm_conf_t)
 
 type gpm_tmp_t;
 files_tmp_file(gpm_tmp_t)
@@ -29,7 +29,7 @@ files_type(gpmctl_t)
 # Local policy
 #
 
-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
+allow gpm_t self:capability { setpcap setuid dac_read_search dac_override sys_admin sys_tty_config };
 allow gpm_t self:process { signal signull getcap setcap };
 allow gpm_t self:unix_stream_socket { accept listen };
 
@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t)
 dev_rw_input_dev(gpm_t)
 dev_rw_mouse(gpm_t)
 
-files_read_etc_files(gpm_t)
 
 fs_getattr_all_fs(gpm_t)
 fs_search_auto_mountpoints(gpm_t)
@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t)
 
 logging_send_syslog_msg(gpm_t)
 
-miscfiles_read_localization(gpm_t)
-
-userdom_use_user_terminals(gpm_t)
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
 userdom_dontaudit_search_user_home_dirs(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.if b/gpsd.if
index 92eb564186..8aa8f66986 100644
--- a/gpsd.if
+++ b/gpsd.if
@@ -63,6 +63,7 @@ interface(`gpsd_rw_shm',`
 	allow $1 gpsd_tmpfs_t:dir list_dir_perms;
 	rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
 	read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+	allow $1 gpsd_tmpfs_t:file map;
 	fs_search_tmpfs($1)
 ')
 
diff --git a/gpsd.te b/gpsd.te
index fe3895ece7..ce48f6c496 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -28,15 +28,17 @@ files_pid_file(gpsd_var_run_t)
 #
 
 allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
-allow gpsd_t self:process { setsched signal_perms };
+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
+allow gpsd_t self:process { setsched signal_perms getsession };
 allow gpsd_t self:shm create_shm_perms;
 allow gpsd_t self:unix_dgram_socket sendto;
 allow gpsd_t self:tcp_socket { accept listen };
+allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
+allow gpsd_t gpsd_tmpfs_t:file map;
 
 manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
 manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
@@ -62,13 +64,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
 
 term_use_unallocated_ttys(gpsd_t)
 term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
+term_setattr_usb_ttys(gpsd_t)
 
 auth_use_nsswitch(gpsd_t)
 
 logging_send_syslog_msg(gpsd_t)
 
-miscfiles_read_localization(gpsd_t)
-
 optional_policy(`
 	chronyd_rw_shm(gpsd_t)
 	chronyd_stream_connect(gpsd_t)
diff --git a/gssproxy.fc b/gssproxy.fc
new file mode 100644
index 0000000000..f4659d1252
--- /dev/null
+++ b/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service		--	gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
+
+/usr/sbin/gssproxy		--	gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)?		gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/var/run/gssproxy\.pid		--	gen_context(system_u:object_r:gssproxy_var_run_t,s0)
+/var/run/gssproxy\.sock		-s	gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
index 0000000000..8a2013af9b
--- /dev/null
+++ b/gssproxy.if
@@ -0,0 +1,217 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+	gen_require(`
+		type gssproxy_t, gssproxy_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+##	Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+	gen_require(`
+		type gssproxy_var_lib_t;
+	')
+
+	allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+	gen_require(`
+		type gssproxy_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+	gen_require(`
+		type gssproxy_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+	gen_require(`
+		type gssproxy_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+	gen_require(`
+		type gssproxy_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+	gen_require(`
+		type gssproxy_t;
+		type gssproxy_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 gssproxy_unit_file_t:file read_file_perms;
+	allow $1 gssproxy_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+##	Connect to gssproxy over an unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+	gen_require(`
+		type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
+	stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an gssproxy environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+	gen_require(`
+		type gssproxy_t;
+		type gssproxy_var_lib_t;
+		type gssproxy_var_run_t;
+		type gssproxy_unit_file_t;
+	')
+
+	allow $1 gssproxy_t:process { ptrace signal_perms };
+	ps_process_pattern($1, gssproxy_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, gssproxy_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, gssproxy_var_run_t)
+
+	gssproxy_systemctl($1)
+	admin_pattern($1, gssproxy_unit_file_t)
+	allow $1 gssproxy_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_noatsecure',`
+	gen_require(`
+		type gssproxy_t;
+	')
+
+    allow $1 gssproxy_t:process { noatsecure rlimitinh };
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 0000000000..79e22c58a6
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,74 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_var_run_t;
+files_pid_file(gssproxy_var_run_t)
+
+type gssproxy_unit_file_t;
+systemd_unit_file(gssproxy_unit_file_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid dac_read_search dac_override };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+    ipa_read_lib(gssproxy_t)
+')
+
+optional_policy(`
+	kerberos_use(gssproxy_t)
+	kerberos_filetrans_named_content(gssproxy_t)
+')
+
+optional_policy(`
+	kerberos_keytab_template(gssproxy, gssproxy_t)
+	kerberos_manage_host_rcache(gssproxy_t)
+')
diff --git a/guest.if b/guest.if
index ad1653f9ad..ff424b8e7f 100644
--- a/guest.if
+++ b/guest.if
@@ -1,4 +1,4 @@
-## <summary>Least privledge terminal user role.</summary>
+## <summary>Least privileged terminal user role.</summary>
 
 ########################################
 ## <summary>
diff --git a/guest.te b/guest.te
index 19cdbe1d74..0605776333 100644
--- a/guest.te
+++ b/guest.te
@@ -20,4 +20,4 @@ optional_policy(`
 	apache_role(guest_r, guest_t)
 ')
 
-#gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/hadoop.te b/hadoop.te
index e151378405..04d173d1d0 100644
--- a/hadoop.te
+++ b/hadoop.te
@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
 domain_use_interactive_fds(hadoop_t)
 
 files_dontaudit_search_spool(hadoop_t)
-files_read_usr_files(hadoop_t)
 
 fs_getattr_xattr_fs(hadoop_t)
 
@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain)
 corecmd_exec_bin(hadoop_initrc_domain)
 corecmd_exec_shell(hadoop_initrc_domain)
 
-files_read_etc_files(hadoop_initrc_domain)
-files_read_usr_files(hadoop_initrc_domain)
 files_search_locks(hadoop_initrc_domain)
 files_search_pids(hadoop_initrc_domain)
 
@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t)
 
 domain_use_interactive_fds(zookeeper_t)
 
-files_read_usr_files(zookeeper_t)
 
 auth_use_nsswitch(zookeeper_t)
 
@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t)
 dev_read_sysfs(zookeeper_server_t)
 dev_read_urand(zookeeper_server_t)
 
-files_read_usr_files(zookeeper_server_t)
 
 fs_getattr_xattr_fs(zookeeper_server_t)
 
diff --git a/hal.te b/hal.te
index bbccc79f16..b02720214b 100644
--- a/hal.te
+++ b/hal.te
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
 # Common local policy
 #
 
-files_read_usr_files(hald_domain)
 
 miscfiles_read_localization(hald_domain)
 
@@ -116,7 +115,7 @@ kernel_rw_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 kernel_rw_net_sysctls(hald_t)
-kernel_setsched(hald_t)
+kernel_dontaudit_setsched(hald_t)
 kernel_request_load_module(hald_t)
 
 corecmd_exec_all_executables(hald_t)
@@ -339,7 +338,7 @@ optional_policy(`
 # ACL local policy
 #
 
-allow hald_acl_t self:capability { dac_override fowner sys_resource };
+allow hald_acl_t self:capability { dac_read_search dac_override fowner sys_resource };
 allow hald_acl_t self:process { getattr signal };
 allow hald_acl_t self:fifo_file rw_fifo_file_perms;
 
@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
 
 dev_rw_input_dev(hald_keymap_t)
 
-files_read_etc_files(hald_keymap_t)
 
 logging_search_logs(hald_keymap_t)
 
diff --git a/hddtemp.if b/hddtemp.if
index 1728071d0e..6e2d333d9b 100644
--- a/hddtemp.if
+++ b/hddtemp.if
@@ -19,6 +19,32 @@ interface(`hddtemp_domtrans',`
 	domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
 ')
 
+########################################
+## <summary>
+##	Execute hddtemp in the hddtemp domain, and
+##	allow the specified role the hddtemp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`hddtemp_run',`
+	gen_require(`
+		type hddtemp_t;
+		attribute_role hddtemp_roles;
+	')
+
+    hddtemp_domtrans($1)
+    roleattribute $2 hddtemp_roles;
+')
+
 ######################################
 ## <summary>
 ##	Execute hddtemp in the caller domain.
@@ -60,9 +86,13 @@ interface(`hddtemp_admin',`
 		type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
 	')
 
-	allow $1 hddtemp_t:process { ptrace signal_perms };
+	allow $1 hddtemp_t:process signal_perms;
 	ps_process_pattern($1, hddtemp_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 hddtemp_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
index 9e11b98222..6338ea7611 100644
--- a/hddtemp.te
+++ b/hddtemp.te
@@ -4,10 +4,12 @@ policy_module(hddtemp, 1.2.0)
 #
 # Declarations
 #
+attribute_role hddtemp_roles;
 
 type hddtemp_t;
 type hddtemp_exec_t;
 init_daemon_domain(hddtemp_t, hddtemp_exec_t)
+role hddtemp_roles types hddtemp_t;
 
 type hddtemp_initrc_exec_t;
 init_script_file(hddtemp_initrc_exec_t)
@@ -26,7 +28,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
 
 allow hddtemp_t hddtemp_etc_t:file read_file_perms;
 
-corenet_all_recvfrom_unlabeled(hddtemp_t)
 corenet_all_recvfrom_netlabel(hddtemp_t)
 corenet_tcp_sendrecv_generic_if(hddtemp_t)
 corenet_tcp_sendrecv_generic_node(hddtemp_t)
@@ -36,9 +37,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
 corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
 corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
 
-files_search_etc(hddtemp_t)
-files_read_usr_files(hddtemp_t)
-
 storage_raw_read_fixed_disk(hddtemp_t)
 storage_raw_read_removable_device(hddtemp_t)
 
@@ -46,4 +44,3 @@ auth_use_nsswitch(hddtemp_t)
 
 logging_send_syslog_msg(hddtemp_t)
 
-miscfiles_read_localization(hddtemp_t)
diff --git a/hostapd.fc b/hostapd.fc
new file mode 100644
index 0000000000..0ca97b84b1
--- /dev/null
+++ b/hostapd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/hostapd.service		--	gen_context(system_u:object_r:hostapd_unit_file_t,s0)
+
+/usr/sbin/hostapd		--	gen_context(system_u:object_r:hostapd_exec_t,s0)
+
+/var/run/hostapd(/.*)?		gen_context(system_u:object_r:hostapd_var_run_t,s0)
\ No newline at end of file
diff --git a/hostapd.if b/hostapd.if
new file mode 100644
index 0000000000..d0016da914
--- /dev/null
+++ b/hostapd.if
@@ -0,0 +1,101 @@
+
+## <summary>policy for hostapd</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the hostapd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hostapd_domtrans',`
+	gen_require(`
+		type hostapd_t, hostapd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, hostapd_exec_t, hostapd_t)
+')
+########################################
+## <summary>
+##	Execute hostapd server in the hostapd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`hostapd_systemctl',`
+	gen_require(`
+		type hostapd_t;
+		type hostapd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 hostapd_unit_file_t:file read_file_perms;
+	allow $1 hostapd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, hostapd_t)
+')
+
+
+########################################
+## <summary>
+##	Read hostapd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hostapd_read_pid_files',`
+	gen_require(`
+		type hostapd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, hostapd_var_run_t, hostapd_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an hostapd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hostapd_admin',`
+	gen_require(`
+		type hostapd_t;
+		type hostapd_unit_file_t;
+		type hostapd_var_run_t;
+	')
+
+	allow $1 hostapd_t:process { signal_perms };
+	ps_process_pattern($1, hostapd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 hostapd_t:process ptrace;
+	')
+
+	hostapd_systemctl($1)
+	admin_pattern($1, hostapd_unit_file_t)
+	allow $1 hostapd_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+
+	admin_pattern($1, hostapd_var_run_t)
+')
diff --git a/hostapd.te b/hostapd.te
new file mode 100644
index 0000000000..ef3f6a9390
--- /dev/null
+++ b/hostapd.te
@@ -0,0 +1,51 @@
+policy_module(hostapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostapd_t;
+type hostapd_exec_t;
+init_daemon_domain(hostapd_t, hostapd_exec_t)
+
+type hostapd_var_run_t;
+files_pid_file(hostapd_var_run_t)
+
+type hostapd_unit_file_t;
+systemd_unit_file(hostapd_unit_file_t)
+
+########################################
+#
+# hostapd local policy
+#
+allow hostapd_t self:capability { chown net_admin };
+allow hostapd_t self:fifo_file rw_fifo_file_perms;
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
+allow hostapd_t self:netlink_socket create_socket_perms;
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
+allow hostapd_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file })
+
+kernel_read_system_state(hostapd_t)
+kernel_read_network_state(hostapd_t)
+kernel_request_load_module(hostapd_t)
+
+dev_read_rand(hostapd_t)
+dev_read_urand(hostapd_t)
+dev_read_sysfs(hostapd_t)
+dev_rw_wireless(hostapd_t)
+
+domain_use_interactive_fds(hostapd_t)
+
+files_read_etc_files(hostapd_t)
+
+auth_use_nsswitch(hostapd_t)
+
+logging_send_syslog_msg(hostapd_t)
+
+miscfiles_read_localization(hostapd_t)
diff --git a/howl.te b/howl.te
index b9e60ecfbd..0477728a06 100644
--- a/howl.te
+++ b/howl.te
@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
 kernel_list_proc(howl_t)
 kernel_read_proc_symlinks(howl_t)
 
-corenet_all_recvfrom_unlabeled(howl_t)
 corenet_all_recvfrom_netlabel(howl_t)
 corenet_tcp_sendrecv_generic_if(howl_t)
 corenet_udp_sendrecv_generic_if(howl_t)
@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t)
 
 logging_send_syslog_msg(howl_t)
 
-miscfiles_read_localization(howl_t)
-
 userdom_dontaudit_use_unpriv_user_fds(howl_t)
 userdom_dontaudit_search_user_home_dirs(howl_t)
 
diff --git a/hsqldb.fc b/hsqldb.fc
new file mode 100644
index 0000000000..aa92d7118e
--- /dev/null
+++ b/hsqldb.fc
@@ -0,0 +1,7 @@
+/usr/lib/hsqldb/hsqldb-post		--	gen_context(system_u:object_r:hsqldb_exec_t,s0)
+/usr/lib/hsqldb/hsqldb-stop		--	gen_context(system_u:object_r:hsqldb_exec_t,s0)
+/usr/lib/hsqldb/hsqldb-wrapper		--	gen_context(system_u:object_r:hsqldb_exec_t,s0)
+
+/usr/lib/systemd/system/hsqldb.*	--	gen_context(system_u:object_r:hsqldb_unit_file_t,s0)
+
+/var/lib/hsqldb(/.*)?				gen_context(system_u:object_r:hsqldb_var_lib_t,s0)
diff --git a/hsqldb.if b/hsqldb.if
new file mode 100644
index 0000000000..f43f7489f6
--- /dev/null
+++ b/hsqldb.if
@@ -0,0 +1,241 @@
+
+## <summary>Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.</summary>
+
+########################################
+## <summary>
+##	Execute hsqldb_exec_t in the hsqldb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hsqldb_domtrans',`
+	gen_require(`
+		type hsqldb_t, hsqldb_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, hsqldb_exec_t, hsqldb_t)
+')
+
+######################################
+## <summary>
+##	Execute hsqldb in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_exec',`
+	gen_require(`
+		type hsqldb_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, hsqldb_exec_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read,
+##	hsqldb tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_dontaudit_read_tmp_files',`
+	gen_require(`
+		type hsqldb_tmp_t;
+	')
+
+	dontaudit $1 hsqldb_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read hsqldb tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_read_tmp_files',`
+	gen_require(`
+		type hsqldb_tmp_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+')
+
+########################################
+## <summary>
+##	Manage hsqldb tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_manage_tmp',`
+	gen_require(`
+		type hsqldb_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_dirs_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+	manage_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+	manage_lnk_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
+')
+
+########################################
+## <summary>
+##	Search hsqldb lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_search_lib',`
+	gen_require(`
+		type hsqldb_var_lib_t;
+	')
+
+	allow $1 hsqldb_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read hsqldb lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_read_lib_files',`
+	gen_require(`
+		type hsqldb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage hsqldb lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_manage_lib_files',`
+	gen_require(`
+		type hsqldb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage hsqldb lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_manage_lib_dirs',`
+	gen_require(`
+		type hsqldb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute hsqldb server in the hsqldb domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_systemctl',`
+	gen_require(`
+		type hsqldb_t;
+		type hsqldb_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 hsqldb_unit_file_t:file read_file_perms;
+	allow $1 hsqldb_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, hsqldb_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an hsqldb environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hsqldb_admin',`
+	gen_require(`
+		type hsqldb_t;
+		type hsqldb_tmp_t;
+		type hsqldb_var_lib_t;
+	type hsqldb_unit_file_t;
+	')
+
+	allow $1 hsqldb_t:process { signal_perms };
+	ps_process_pattern($1, hsqldb_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 hsqldb_t:process ptrace;
+    ')
+
+	files_search_tmp($1)
+	admin_pattern($1, hsqldb_tmp_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, hsqldb_var_lib_t)
+
+	hsqldb_systemctl($1)
+	admin_pattern($1, hsqldb_unit_file_t)
+	allow $1 hsqldb_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/hsqldb.te b/hsqldb.te
new file mode 100644
index 0000000000..8035eaf537
--- /dev/null
+++ b/hsqldb.te
@@ -0,0 +1,61 @@
+policy_module(hsqldb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hsqldb_t;
+type hsqldb_exec_t;
+init_daemon_domain(hsqldb_t, hsqldb_exec_t)
+
+type hsqldb_tmp_t;
+files_tmp_file(hsqldb_tmp_t)
+
+type hsqldb_var_lib_t;
+files_type(hsqldb_var_lib_t)
+
+type hsqldb_unit_file_t;
+systemd_unit_file(hsqldb_unit_file_t)
+
+########################################
+#
+# hsqldb local policy 
+# 
+
+allow hsqldb_t self:process execmem;
+
+allow hsqldb_t self:fifo_file rw_fifo_file_perms;
+allow hsqldb_t self:stream_socket_class_set create_stream_socket_perms;
+
+manage_dirs_pattern(hsqldb_t, hsqldb_tmp_t, hsqldb_tmp_t)
+manage_files_pattern(hsqldb_t, hsqldb_tmp_t, hsqldb_tmp_t)
+files_tmp_filetrans(hsqldb_t, hsqldb_tmp_t, { dir file })
+allow hsqldb_t hsqldb_tmp_t:file map;
+
+manage_dirs_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_lnk_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+manage_sock_files_pattern(hsqldb_t, hsqldb_var_lib_t, hsqldb_var_lib_t)
+files_var_lib_filetrans(hsqldb_t, hsqldb_var_lib_t, { dir })
+
+kernel_read_system_state(hsqldb_t)
+kernel_read_network_state(hsqldb_t)
+
+corecmd_exec_bin(hsqldb_t)
+
+corenet_tcp_bind_generic_node(hsqldb_t)
+corenet_tcp_bind_tor_port(hsqldb_t)
+corenet_tcp_connect_tor_port(hsqldb_t)
+
+dev_list_sysfs(hsqldb_t)
+
+dev_read_urand(hsqldb_t)
+dev_read_rand(hsqldb_t)
+
+fs_read_cgroup_files(hsqldb_t)
+fs_search_cgroup_dirs(hsqldb_t)
+
+auth_use_nsswitch(hsqldb_t)
+
+sysnet_read_config(hsqldb_t)
diff --git a/hwloc.fc b/hwloc.fc
new file mode 100644
index 0000000000..d0c5a15020
--- /dev/null
+++ b/hwloc.fc
@@ -0,0 +1,5 @@
+/usr/sbin/hwloc-dump-hwdata	--	gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/usr/lib/systemd/system/hwloc-dump-hwdata.*	--	gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+
+/var/run/hwloc(/.*)?	gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/hwloc.if b/hwloc.if
new file mode 100644
index 0000000000..f98e166126
--- /dev/null
+++ b/hwloc.if
@@ -0,0 +1,110 @@
+## <summary>Dump topology and locality information from hardware tables.</summary>
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`hwloc_domtrans_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+	')
+
+	domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain, and
+##	allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_dhwd',`
+	gen_require(`
+		attribute_role hwloc_dhwd_roles;
+	')
+
+	hwloc_domtrans_dhwd($1)
+	roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_exec_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_exec_t;
+	')
+
+	can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+##	Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+	gen_require(`
+		type hwloc_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an hwloc environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_admin',`
+	gen_require(`
+		type hwloc_dhwd_t, hwloc_var_run_t;
+	')
+
+	allow $1 hwloc_dhwd_t:process { signal_perms };
+	ps_process_pattern($1, hwloc_dhwd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 hwloc_dhwd_t:process ptrace;
+	')
+
+	admin_pattern($1, hwloc_var_run_t)
+	files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+')
diff --git a/hwloc.te b/hwloc.te
new file mode 100644
index 0000000000..0f45fd50e3
--- /dev/null
+++ b/hwloc.te
@@ -0,0 +1,31 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+type hwloc_dhwd_unit_t;
+systemd_unit_file(hwloc_dhwd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
index b46130ef50..e2ae3b22b8 100644
--- a/hypervkvp.fc
+++ b/hypervkvp.fc
@@ -1,3 +1,10 @@
-/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
 
-/usr/sbin/hv_kvp_daemon	--	gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervvssd.*      --  gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
+
+/usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hypervkvpd		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+
+/usr/sbin/hypervvssd        --  gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
index 6517fadbb3..f1837481b0 100644
--- a/hypervkvp.if
+++ b/hypervkvp.if
@@ -1,32 +1,135 @@
-## <summary>HyperV key value pair (KVP).</summary>
+
+## <summary>policy for hypervkvp</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the hypervkvp domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hypervkvp_domtrans',`
+	gen_require(`
+		type hypervkvp_t, hypervkvp_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+')
+
+########################################
+## <summary>
+##	Search hypervkvp lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hypervkvp_search_lib',`
+	gen_require(`
+		type hypervkvp_var_lib_t;
+	')
+
+	allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read hypervkvp lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hypervkvp_read_lib_files',`
+	gen_require(`
+		type hypervkvp_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
+	read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an hypervkvp environment.
+##	Create, read, write, and delete
+##	hypervkvp lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`hypervkvp_manage_lib_files',`
+	gen_require(`
+		type hypervkvp_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Execute hypervkvp server in the hypervkvp domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`hypervkvp_systemctl',`
+    gen_require(`
+        type hypervkvp_t;
+        type hypervkvp_unit_file_t;
+    ')
+
+    systemd_exec_systemctl($1)
+	init_reload_services($1)
+    allow $1 hypervkvp_unit_file_t:file read_file_perms;
+    allow $1 hypervkvp_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, hypervkvp_t)
+    ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an hypervkvp environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`hypervkvp_admin',`
 	gen_require(`
-		type hypervkvpd_t, hypervkvpd_initrc_exec_t;
+		type hypervkvp_t;
+		type hypervkvp_unit_file_t;
+	')
+
+	allow $1 hypervkvp_t:process signal_perms;
+	ps_process_pattern($1, hypervkvp_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 hypervkvp_t:process ptrace;
 	')
 
-	allow $1 hypervkvpd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, hypervkvpd_t)
+	hypervkvp_manage_lib_files($1)
 
-	init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 hypervkvpd_initrc_exec_t system_r;
-	allow $2 system_r;
+	hypervkvp_systemctl($1)
+	admin_pattern($1, hypervkvp_unit_file_t)
+	allow $1 hypervkvp_unit_file_t:service all_service_perms;
 ')
diff --git a/hypervkvp.te b/hypervkvp.te
index 4eb7041ef3..bce3f60a92 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
@@ -5,24 +5,161 @@ policy_module(hypervkvp, 1.0.0)
 # Declarations
 #
 
-type hypervkvpd_t;
-type hypervkvpd_exec_t;
-init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+attribute hyperv_domain;
 
-type hypervkvpd_initrc_exec_t;
-init_script_file(hypervkvpd_initrc_exec_t)
+type hypervkvp_t, hyperv_domain;
+type hypervkvp_exec_t;
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
+
+type hypervkvp_initrc_exec_t;
+init_script_file(hypervkvp_initrc_exec_t)
+
+type hypervkvp_unit_file_t;
+systemd_unit_file(hypervkvp_unit_file_t)
+
+type hypervkvp_var_lib_t;
+files_type(hypervkvp_var_lib_t)
+
+type hypervkvp_tmp_t;
+files_tmpfs_file(hypervkvp_tmp_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_file_t;
+systemd_unit_file(hypervvssd_unit_file_t)
 
 ########################################
 #
-# Local policy
+# hyperv domain local policy
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
+
+########################################
 #
+# hypervkvp local policy
 #
 
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvp_t self:capability sys_ptrace;
+allow hypervkvp_t self:process setfscreate;
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
+
+manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
+manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
+files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir })
+
+kernel_read_system_state(hypervkvp_t)
+kernel_read_network_state(hypervkvp_t)
+kernel_rw_net_sysctls(hypervkvp_t)
+
+corecmd_getattr_all_executables(hypervkvp_t)
+
+dev_rw_hypervkvp(hypervkvp_t)
+
+domain_read_all_domains_state(hypervkvp_t)
+
+seutil_exec_setfiles(hypervkvp_t)
+seutil_read_file_contexts(hypervkvp_t)
+
+domain_read_all_domains_state(hypervkvp_t)
+
+dev_read_urand(hypervkvp_t)
+
+files_dontaudit_search_home(hypervkvp_t)
+files_dontaudit_getattr_non_security_files(hypervkvp_t)
+
+fs_getattr_all_fs(hypervkvp_t)
+fs_read_hugetlbfs_files(hypervkvp_t)
+fs_list_hugetlbfs(hypervkvp_t)
+
+auth_use_nsswitch(hypervkvp_t)
+
+logging_send_syslog_msg(hypervkvp_t)
+logging_read_syslog_config(hypervkvp_t)
+
+libs_exec_ldconfig(hypervkvp_t)
+
+modutils_domtrans_insmod(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
+sysnet_domtrans_dhcpc(hypervkvp_t)
+sysnet_domtrans_ifconfig(hypervkvp_t)
+
+sysnet_manage_dhcpc_pid(hypervkvp_t)
+sysnet_signal_dhcpc(hypervkvp_t)
+
+sysnet_manage_config(hypervkvp_t)
+sysnet_read_dhcpc_state(hypervkvp_t)
+sysnet_read_dhcp_config(hypervkvp_t)
+sysnet_etc_filetrans_config(hypervkvp_t)
+
+systemd_exec_systemctl(hypervkvp_t)
+
+userdom_dontaudit_search_admin_dir(hypervkvp_t)
+
+optional_policy(`
+    dbus_read_pid_files(hypervkvp_t)
+    dbus_system_bus_client(hypervkvp_t)
+')
+
+optional_policy(`
+    brctl_domtrans(hypervkvp_t)
+')
+
+optional_policy(`
+    hostname_exec(hypervkvp_t)
+')
+
+optional_policy(`
+    firewalld_dbus_chat(hypervkvp_t)
+')
+
+optional_policy(`
+    netutils_domtrans_ping(hypervkvp_t)
+    netutils_domtrans(hypervkvp_t)
+')
+
+optional_policy(`
+    networkmanager_read_pid_files(hypervkvp_t)
+    networkmanager_dbus_chat(hypervkvp_t)
+')
+
+optional_policy(`
+    sysnet_exec_ifconfig(hypervkvp_t)
+')
+
+optional_policy(`
+    rpm_exec(hypervkvp_t)
+')
+
+########################################
+#
+# hypervvssd local policy
+#
+
+allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
+
+dev_rw_hypervvssd(hypervvssd_t)
 
-logging_send_syslog_msg(hypervkvpd_t)
+files_list_all_mountpoints(hypervvssd_t)
+files_list_boot(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
 
-miscfiles_read_localization(hypervkvpd_t)
+logging_send_syslog_msg(hypervvssd_t)
 
-sysnet_dns_name_resolve(hypervkvpd_t)
+storage_raw_read_fixed_disk(hypervvssd_t)
diff --git a/i18n_input.te b/i18n_input.te
index 369a0566b0..65fde93d9e 100644
--- a/i18n_input.te
+++ b/i18n_input.te
@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
 kernel_read_kernel_sysctls(i18n_input_t)
 kernel_read_system_state(i18n_input_t)
 
-corenet_all_recvfrom_unlabeled(i18n_input_t)
 corenet_all_recvfrom_netlabel(i18n_input_t)
 corenet_tcp_sendrecv_generic_if(i18n_input_t)
 corenet_tcp_sendrecv_generic_node(i18n_input_t)
@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t)
 fs_search_auto_mountpoints(i18n_input_t)
 
 files_read_etc_runtime_files(i18n_input_t)
-files_read_usr_files(i18n_input_t)
 
 auth_use_nsswitch(i18n_input_t)
 
@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t)
 
 logging_send_syslog_msg(i18n_input_t)
 
-miscfiles_read_localization(i18n_input_t)
-
 userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
 userdom_read_user_home_content_files(i18n_input_t)
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(i18n_input_t)
-	fs_read_nfs_symlinks(i18n_input_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(i18n_input_t)
-	fs_read_cifs_symlinks(i18n_input_t)
-')
+userdom_home_reader(i18n_input_t)
 
 optional_policy(`
 	canna_stream_connect(i18n_input_t)
diff --git a/icecast.if b/icecast.if
index 580b533ce7..c267cea588 100644
--- a/icecast.if
+++ b/icecast.if
@@ -176,6 +176,14 @@ interface(`icecast_admin',`
 		type icecast_var_run_t;
 	')
 
+	allow $1 icecast_t:process signal_perms;
+	ps_process_pattern($1, icecast_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 icecast_t:process ptrace;
+	')
+
+	# Allow icecast_t to restart the apache service
 	icecast_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
index a9e573a501..9a9245f49a 100644
--- a/icecast.te
+++ b/icecast.te
@@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t)
 # Local policy
 #
 
-allow icecast_t self:capability { dac_override setgid setuid sys_nice };
+allow icecast_t self:capability { dac_read_search dac_override setgid setuid sys_nice };
 allow icecast_t self:process { getsched setsched signal };
 allow icecast_t self:fifo_file rw_fifo_file_perms;
 allow icecast_t self:unix_stream_socket create_stream_socket_perms;
@@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t)
 dev_read_urand(icecast_t)
 dev_read_rand(icecast_t)
 
-domain_use_interactive_fds(icecast_t)
-
 auth_use_nsswitch(icecast_t)
 
-miscfiles_read_localization(icecast_t)
+files_dontaudit_list_tmp(icecast_t)
 
 tunable_policy(`icecast_use_any_tcp_ports',`
 	corenet_tcp_connect_all_ports(icecast_t)
diff --git a/ifplugd.if b/ifplugd.if
index 8999899962..96909ae6ae 100644
--- a/ifplugd.if
+++ b/ifplugd.if
@@ -119,7 +119,7 @@ interface(`ifplugd_admin',`
 		type ifplugd_initrc_exec_t;
 	')
 
-	allow $1 ifplugd_t:process { ptrace signal_perms };
+	allow $1 ifplugd_t:process signal_perms;
 	ps_process_pattern($1, ifplugd_t)
 
 	init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff --git a/ifplugd.te b/ifplugd.te
index b0546b43b1..98d7326a8f 100644
--- a/ifplugd.te
+++ b/ifplugd.te
@@ -10,7 +10,7 @@ type ifplugd_exec_t;
 init_daemon_domain(ifplugd_t, ifplugd_exec_t)
 
 type ifplugd_etc_t;
-files_type(ifplugd_etc_t)
+files_config_file(ifplugd_etc_t)
 
 type ifplugd_initrc_exec_t;
 init_script_file(ifplugd_initrc_exec_t)
@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t)
 dev_read_sysfs(ifplugd_t)
 
 domain_read_confined_domains_state(ifplugd_t)
-domain_dontaudit_read_all_domains_state(ifplugd_t)
 
 auth_use_nsswitch(ifplugd_t)
 
 logging_send_syslog_msg(ifplugd_t)
 
-miscfiles_read_localization(ifplugd_t)
-
 netutils_domtrans(ifplugd_t)
 
 sysnet_domtrans_ifconfig(ifplugd_t)
diff --git a/imaze.te b/imaze.te
index 1eb24d8c89..b320d51ae4 100644
--- a/imaze.te
+++ b/imaze.te
@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
 kernel_read_kernel_sysctls(imazesrv_t)
 kernel_read_proc_symlinks(imazesrv_t)
 
-corenet_all_recvfrom_unlabeled(imazesrv_t)
 corenet_all_recvfrom_netlabel(imazesrv_t)
 corenet_tcp_sendrecv_generic_if(imazesrv_t)
 corenet_udp_sendrecv_generic_if(imazesrv_t)
@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t)
 
 logging_send_syslog_msg(imazesrv_t)
 
-miscfiles_read_localization(imazesrv_t)
-
 userdom_use_unpriv_users_fds(imazesrv_t)
 userdom_dontaudit_search_user_home_dirs(imazesrv_t)
 
diff --git a/inetd.if b/inetd.if
index fbb54e7d8d..05c3777686 100644
--- a/inetd.if
+++ b/inetd.if
@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',`
 
 	domtrans_pattern(inetd_t, $2, $1)
 	allow inetd_t $1:process { siginh sigkill };
+
+    init_domain($1, $2)
+
+	optional_policy(`
+		abrt_stream_connect($1)
+	')
 ')
 
 ########################################
diff --git a/inetd.te b/inetd.te
index c6450df8ae..0c88e1cf70 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
 # Local policy
 #
 
-allow inetd_t self:capability { setuid setgid sys_resource };
+allow inetd_t self:capability { setuid setgid };
 dontaudit inetd_t self:capability sys_tty_config;
-allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:process { setsched setexec };
 allow inetd_t self:fifo_file rw_fifo_file_perms;
 allow inetd_t self:tcp_socket { accept listen };
 allow inetd_t self:fd use;
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
 kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 corecmd_bin_domtrans(inetd_t, inetd_child_t)
+corecmd_exec_shell(inetd_t)
 
 corenet_all_recvfrom_unlabeled(inetd_t)
 corenet_all_recvfrom_netlabel(inetd_t)
@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_inetd_child_port(inetd_t)
 
+corenet_tcp_bind_echo_port(inetd_t)
+corenet_udp_bind_echo_port(inetd_t)
+corenet_tcp_bind_time_port(inetd_t)
+corenet_udp_bind_time_port(inetd_t)
+
 corenet_sendrecv_ircd_server_packets(inetd_t)
 corenet_tcp_bind_ircd_port(inetd_t)
 
@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t)
 corenet_tcp_bind_git_port(inetd_t)
 corenet_udp_bind_git_port(inetd_t)
 
+dev_read_urand(inetd_t)
+dev_read_rand(inetd_t)
+
 dev_read_sysfs(inetd_t)
 
 domain_use_interactive_fds(inetd_t)
@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t)
 
 logging_send_syslog_msg(inetd_t)
 
-miscfiles_read_localization(inetd_t)
-
 mls_fd_share_all_levels(inetd_t)
 mls_socket_read_to_clearance(inetd_t)
 mls_socket_write_to_clearance(inetd_t)
@@ -188,17 +195,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	tftp_read_config_files(inetd_t)
+	tftp_read_config(inetd_t)
 ')
 
 optional_policy(`
 	udev_read_db(inetd_t)
 ')
 
-optional_policy(`
-	unconfined_domtrans(inetd_t)
-')
-
 ########################################
 #
 # Child local policy
@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t)
 kernel_read_network_state(inetd_child_t)
 kernel_read_system_state(inetd_child_t)
 
+corenet_all_recvfrom_netlabel(inetd_child_t)
+corenet_tcp_sendrecv_generic_if(inetd_child_t)
+corenet_udp_sendrecv_generic_if(inetd_child_t)
+corenet_tcp_sendrecv_generic_node(inetd_child_t)
+corenet_udp_sendrecv_generic_node(inetd_child_t)
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
+corenet_udp_sendrecv_all_ports(inetd_child_t)
+
+corecmd_bin_entry_type(inetd_child_t)
+
 dev_read_urand(inetd_child_t)
 
 fs_getattr_xattr_fs(inetd_child_t)
@@ -230,7 +243,23 @@ auth_use_nsswitch(inetd_child_t)
 
 logging_send_syslog_msg(inetd_child_t)
 
-miscfiles_read_localization(inetd_child_t)
+sysnet_read_config(inetd_child_t)
+
+optional_policy(`
+    abrt_dbus_chat(inetd_child_t)
+')
+
+optional_policy(`
+    chronyd_run_chronyc(inetd_child_t,system_r)
+')
+
+optional_policy(`
+	kerberos_use(inetd_child_t)
+')
+
+optional_policy(`
+        systemd_dbus_chat_logind(inetd_child_t)
+')
 
 optional_policy(`
 	unconfined_domain(inetd_child_t)
diff --git a/inn.fc b/inn.fc
index 8c0a48b1d1..b9eabf1455 100644
--- a/inn.fc
+++ b/inn.fc
@@ -3,6 +3,8 @@
 
 /etc/rc\.d/init\.d/innd	--	gen_context(system_u:object_r:innd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/innd.*	--	gen_context(system_u:object_r:innd_unit_file_t,s0)
+
 /usr/bin/inews	--	gen_context(system_u:object_r:innd_exec_t,s0)
 /usr/bin/rnews	--	gen_context(system_u:object_r:innd_exec_t,s0)
 /usr/bin/rpost	--	gen_context(system_u:object_r:innd_exec_t,s0)
@@ -13,42 +15,43 @@
 
 /var/lib/news(/.*)?	gen_context(system_u:object_r:innd_var_lib_t,s0)
 
-/usr/lib/news/bin/actsync	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/archive	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/batcher	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/buffchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/convdate	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/ctlinnd	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/cvtbatch	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/expire	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/expireover	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/fastrm	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/filechan	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/getlist	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/grephistory	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inews	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innconfval	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innd	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inndf	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/inndstart	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innfeed	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innxbatch	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/innxmit	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/makedbz	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/makehistory	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/newsrequeue	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/nnrpd	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/nntpget	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/ovdb_recover	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/overchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/prunehistory	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/rnews	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/shlock	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/shrinkfile	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/sm	--	gen_context(system_u:object_r:innd_exec_t,s0)
-/usr/lib/news/bin/startinnfeed	--	gen_context(system_u:object_r:innd_exec_t,s0)
-
-/var/log/news.*	--	gen_context(system_u:object_r:innd_log_t,s0)
+/usr/libexec/news/actsync	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/archive	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/batcher	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/buffchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/convdate	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/ctlinnd	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/cvtbatch	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/expire	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/expireover	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/fastrm	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/filechan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/getlist	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/grephistory	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inews	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/newsinnconfval	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innd	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inndf	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/inndstart	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innfeed	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innxbatch	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/innxmit	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/makedbz	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/makehistory	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/newsrequeue	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/nnrpd	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/nntpget	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/ovdb_recover	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/overchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/prunehistory	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/rnews	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/shlock	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/shrinkfile	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/sm	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/startinnfeed	--	gen_context(system_u:object_r:innd_exec_t,s0)
+/usr/libexec/news/rc.news	--	gen_context(system_u:object_r:innd_exec_t,s0)
+
+/var/log/news(/.*)?		gen_context(system_u:object_r:innd_log_t,s0)
 
 /var/run/innd(/.*)?	gen_context(system_u:object_r:innd_var_run_t,s0)
 /var/run/innd\.pid	--	gen_context(system_u:object_r:innd_var_run_t,s0)
diff --git a/inn.if b/inn.if
index eb87f23416..d3d32c3ad7 100644
--- a/inn.if
+++ b/inn.if
@@ -124,6 +124,7 @@ interface(`inn_read_config',`
 		type innd_etc_t;
 	')
 
+	files_search_etc($1)
 	allow $1 innd_etc_t:dir list_dir_perms;
 	allow $1 innd_etc_t:file read_file_perms;
 	allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
@@ -144,10 +145,29 @@ interface(`inn_read_news_lib',`
 		type innd_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 innd_var_lib_t:dir list_dir_perms;
 	allow $1 innd_var_lib_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Write innd inherited news library content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`inn_write_inherited_news_lib',`
+	gen_require(`
+		type innd_var_lib_t;
+	')
+
+	allow $1 innd_var_lib_t:file write_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read innd news spool content.
@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',`
 		type news_spool_t;
 	')
 
+	files_search_spool($1)
 	allow $1 news_spool_t:dir list_dir_perms;
 	allow $1 news_spool_t:file read_file_perms;
 	allow $1 news_spool_t:lnk_file read_lnk_file_perms;
@@ -226,8 +247,15 @@ interface(`inn_domtrans',`
 interface(`inn_admin',`
 	gen_require(`
 		type innd_t, innd_etc_t, innd_log_t;
-		type news_spool_t, innd_var_lib_t;
-		type innd_var_run_t, innd_initrc_exec_t;
+		type news_spool_t, innd_var_lib_t, innd_var_run_t;
+		type innd_initrc_exec_t;
+	')
+
+	allow $1 innd_t:process signal_perms;
+	ps_process_pattern($1, innd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 innd_t:process ptrace;
 	')
 
 	init_labeled_script_domtrans($1, innd_initrc_exec_t)
diff --git a/inn.te b/inn.te
index d39f0cc51e..fc0bd082b3 100644
--- a/inn.te
+++ b/inn.te
@@ -15,6 +15,9 @@ files_config_file(innd_etc_t)
 type innd_initrc_exec_t;
 init_script_file(innd_initrc_exec_t)
 
+type innd_unit_file_t;
+systemd_unit_file(innd_unit_file_t)
+
 type innd_log_t;
 logging_log_file(innd_log_t)
 
@@ -26,13 +29,14 @@ files_pid_file(innd_var_run_t)
 
 type news_spool_t;
 files_mountpoint(news_spool_t)
+files_spool_file(news_spool_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow innd_t self:capability { dac_override kill setgid setuid };
+allow innd_t self:capability { dac_read_search dac_override kill setgid setuid };
 dontaudit innd_t self:capability sys_tty_config;
 allow innd_t self:process { setsched signal_perms };
 allow innd_t self:fifo_file rw_fifo_file_perms;
@@ -43,29 +47,29 @@ allow innd_t self:tcp_socket { accept listen };
 read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
 read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
 
-allow innd_t innd_log_t:dir setattr_dir_perms;
-append_files_pattern(innd_t, innd_log_t, innd_log_t)
-create_files_pattern(innd_t, innd_log_t, innd_log_t)
-setattr_files_pattern(innd_t, innd_log_t, innd_log_t)
+manage_files_pattern(innd_t, innd_log_t, innd_log_t)
+manage_dirs_pattern(innd_t, innd_log_t, innd_log_t)
+logging_log_filetrans(innd_t, innd_log_t, { dir file })
 
 manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
 manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+allow innd_t innd_var_lib_t:file map;
 
 manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
 manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
 manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-files_pid_filetrans(innd_t, innd_var_run_t, file)
+files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
 
 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
 manage_files_pattern(innd_t, news_spool_t, news_spool_t)
 manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t)
+allow innd_t news_spool_t:file map;
 
 can_exec(innd_t, innd_exec_t)
 
 kernel_read_kernel_sysctls(innd_t)
 kernel_read_system_state(innd_t)
 
-corenet_all_recvfrom_unlabeled(innd_t)
 corenet_all_recvfrom_netlabel(innd_t)
 corenet_tcp_sendrecv_generic_if(innd_t)
 corenet_tcp_sendrecv_generic_node(innd_t)
@@ -91,18 +95,18 @@ fs_search_auto_mountpoints(innd_t)
 
 files_list_spool(innd_t)
 files_read_etc_runtime_files(innd_t)
-files_read_usr_files(innd_t)
+
+inn_exec_config(innd_t)
 
 auth_use_nsswitch(innd_t)
 
 logging_send_syslog_msg(innd_t)
 
-miscfiles_read_localization(innd_t)
-
 seutil_dontaudit_search_config(innd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(innd_t)
 userdom_dontaudit_search_user_home_dirs(innd_t)
+userdom_dgram_send(innd_t)
 
 mta_send_mail(innd_t)
 
diff --git a/iodine.fc b/iodine.fc
index ca07a8744e..6ea129cf63 100644
--- a/iodine.fc
+++ b/iodine.fc
@@ -1,3 +1,5 @@
 /etc/rc\.d/init\.d/((iodined)|(iodine-server))	--	gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/iodine-server.*     --  gen_context(system_u:object_r:iodined_unit_file_t,s0)
+
 /usr/sbin/iodined	--	gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/iodine.if b/iodine.if
index a0bfbd04f1..8dc7c3e31e 100644
--- a/iodine.if
+++ b/iodine.if
@@ -1,5 +1,49 @@
 ## <summary>IP over DNS tunneling daemon.</summary>
 
+########################################
+## <summary>
+##	Execute NetworkManager with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`iodined_domtrans',`
+	gen_require(`
+		type iodined_t, iodined_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, iodined_exec_t, iodined_t)
+')
+
+########################################
+## <summary>
+##  Execute iodined server in the iodined domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`iodined_systemctl',`
+    gen_require(`
+        type iodined_t;
+        type iodined_unit_file_t;
+    ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+        allow $1 iodined_unit_file_t:file read_file_perms;
+        allow $1 iodined_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, iodined_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
diff --git a/iodine.te b/iodine.te
index d443feee45..6cbbf7d847 100644
--- a/iodine.te
+++ b/iodine.te
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
 type iodined_initrc_exec_t;
 init_script_file(iodined_initrc_exec_t)
 
+type iodined_unit_file_t;
+systemd_unit_file(iodined_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -43,7 +46,7 @@ corenet_udp_sendrecv_dns_port(iodined_t)
 
 corecmd_exec_shell(iodined_t)
 
-files_read_etc_files(iodined_t)
+auth_use_nsswitch(iodined_t)
 
 logging_send_syslog_msg(iodined_t)
 
diff --git a/iotop.fc b/iotop.fc
new file mode 100644
index 0000000000..c8d2deac26
--- /dev/null
+++ b/iotop.fc
@@ -0,0 +1 @@
+/usr/sbin/iotop		--	gen_context(system_u:object_r:iotop_exec_t,s0)
diff --git a/iotop.if b/iotop.if
new file mode 100644
index 0000000000..7fc3464e60
--- /dev/null
+++ b/iotop.if
@@ -0,0 +1,46 @@
+## <summary>Simple top-like I/O monitor</summary>
+
+########################################
+## <summary>
+##	Allow execution of iotop in the iotop domain from the target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition to iotop.
+## </summary>
+## </param>
+#
+interface(`iotop_domtrans',`
+	gen_require(`
+		type iotop_t, iotop_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, iotop_exec_t, iotop_t)
+')
+
+########################################
+## <summary>
+##	Execute iotop in the iotop domain, and
+##	allow the specified role to access the iotop domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed into the iotop domain.
+##	</summary>
+## </param>
+#
+interface(`iotop_run',`
+	gen_require(`
+		type iotop_t;
+		attribute_role iotop_roles;
+	')
+
+	iotop_domtrans($1)
+	roleattribute $2 iotop_roles;
+')
diff --git a/iotop.te b/iotop.te
new file mode 100644
index 0000000000..61f2003c8e
--- /dev/null
+++ b/iotop.te
@@ -0,0 +1,39 @@
+policy_module(iotop, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role iotop_roles;
+roleattribute system_r iotop_roles;
+
+type iotop_t;
+type iotop_exec_t;
+application_domain(iotop_t, iotop_exec_t)
+
+role iotop_roles types iotop_t;
+
+########################################
+#
+# iotop local policy
+#
+
+allow iotop_t self:capability net_admin;
+allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
+allow iotop_t self:netlink_socket create_socket_perms;
+
+kernel_read_system_state(iotop_t)
+
+auth_use_nsswitch(iotop_t)
+
+dev_read_urand(iotop_t)
+
+domain_getsched_all_domains(iotop_t)
+domain_read_all_domains_state(iotop_t)
+
+corecmd_exec_bin(iotop_t)
+
+miscfiles_read_localization(iotop_t)
+
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000000..4cd9ef1324
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,25 @@
+/etc/httpd/alias/ipasession.key     --     gen_context(system_u:object_r:ipa_cert_t,s0)
+
+/usr/lib/systemd/system/ipa-otpd.*		--	gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/lib/systemd/system/ipa-dnskeysyncd.*		--	gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+/usr/libexec/ipa/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+
+/usr/libexec/ipa/ipa-dnskeysyncd		--	gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+/usr/libexec/ipa/ipa-dnskeysync-replica		--	gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
+
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains --   gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/org\.freeipa\.server\.trust-enable-agent  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
+/var/log/ipa(/.*)?              gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/log/ipareplica-conncheck.log.*	--	gen_context(system_u:object_r:ipa_log_t,s0)
+
+/var/run/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_run_t,s0)
diff --git a/ipa.if b/ipa.if
new file mode 100644
index 0000000000..c54d3d4922
--- /dev/null
+++ b/ipa.if
@@ -0,0 +1,293 @@
+## <summary>Policy for IPA services.</summary>
+
+########################################
+## <summary>
+##	Execute rtas_errd in the rtas_errd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipa_domtrans_otpd',`
+	gen_require(`
+		type ipa_otpd_t, ipa_otpd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
+')
+
+########################################
+## <summary>
+##	Connect to ipa-otpd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_stream_connect_otpd',`
+	gen_require(`
+		type ipa_otpd_t;
+	')
+    allow $1 ipa_otpd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Execute ipa-helper in the ipa_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipa_domtrans_helper',`
+	gen_require(`
+		type ipa_helper_t, ipa_helper_exec_t;
+	')
+
+	domtrans_pattern($1, ipa_helper_exec_t, ipa_helper_t)
+')
+
+########################################
+## <summary>
+##	Execute ipa-helper in the ipa_helper domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_run_helper',`
+	gen_require(`
+		type ipa_helper_t;
+        attribute_role ipa_helper_roles;
+	')
+
+    ipa_domtrans_helper($1)
+    roleattribute $2 ipa_helper_roles;
+')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_search_lib',`
+	gen_require(`
+		type ipa_var_lib_t;
+	')
+
+    search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_manage_lib',`
+	gen_require(`
+		type ipa_var_lib_t;
+	')
+
+    manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+    manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa log files/dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_manage_log',`
+	gen_require(`
+		type ipa_log_t;
+	')
+
+    manage_files_pattern($1, ipa_log_t, ipa_log_t)
+    manage_dirs_pattern($1, ipa_log_t, ipa_log_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa lib files/dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_read_lib',`
+	gen_require(`
+		type ipa_var_lib_t;
+	')
+
+    read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+    list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa run files/dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_manage_pid_files',`
+	gen_require(`
+		type ipa_var_run_t;
+	')
+    manage_files_pattern($1, ipa_var_run_t, ipa_var_run_t)
+    manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
+')
+
+########################################
+## <summary>
+##	Create specified objects in generic
+##	pid directories with the ipa pid file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`ipa_filetrans_pid',`
+	gen_require(`
+		type ipa_var_run_t;
+	')
+
+	files_pid_filetrans($1, ipa_var_run_t, file, $2)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_delete_tmp',`
+	gen_require(`
+		type ipa_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 ipa_tmp_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Create log files with a named file
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_named_filetrans_log_dir',`
+	gen_require(`
+		type ipa_log_t;
+	')
+
+	logging_log_named_filetrans($1, ipa_log_t, dir, "ipa")
+')
+
+#######################################
+## <summary>
+##      Allow domain to create /tmp/ca.p12
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ipa_filetrans_named_content',`
+
+    gen_require(`
+        type ipa_tmp_t;
+    ')
+    
+    files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12")
+')
+
+########################################
+## <summary>
+##	Create file ipasession.key in cert_t dir
+##  with ipa_cert_t type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_cert_filetrans_named_content',`
+	gen_require(`
+		type ipa_cert_t;
+        type cert_t;
+	')
+
+	filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key")
+    manage_files_pattern($1, ipa_cert_t, ipa_cert_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to read ipa tmp files/dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_read_tmp',`
+	gen_require(`
+		type ipa_tmp_t;
+	')
+
+    read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000000..c2b0e4438d
--- /dev/null
+++ b/ipa.te
@@ -0,0 +1,230 @@
+policy_module(ipa, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute ipa_domain;
+
+attribute_role ipa_helper_roles;
+roleattribute system_r ipa_helper_roles;
+
+type ipa_otpd_t, ipa_domain;
+type ipa_otpd_exec_t;
+init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
+
+type ipa_dnskey_t, ipa_domain;
+type ipa_dnskey_exec_t;
+init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t)
+
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
+type ipa_dnskey_unit_file_t;
+systemd_unit_file(ipa_dnskey_unit_file_t)
+
+type ipa_log_t;
+logging_log_file(ipa_log_t)
+
+type ipa_var_lib_t;
+files_type(ipa_var_lib_t)
+
+type ipa_var_run_t;
+files_pid_file(ipa_var_run_t)
+
+type ipa_helper_t;
+type ipa_helper_exec_t;
+domain_type(ipa_helper_t)
+domain_obj_id_change_exemption(ipa_helper_t)
+init_system_domain(ipa_helper_t, ipa_helper_exec_t)
+role ipa_helper_roles types ipa_helper_t;
+
+type ipa_cert_t;
+miscfiles_cert_type(ipa_cert_t)
+
+type ipa_tmp_t;
+files_tmp_file(ipa_tmp_t)
+
+########################################
+#
+# ipa_otpd local policy
+#
+
+allow ipa_otpd_t self:capability2 block_suspend;
+
+allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
+allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
+read_lnk_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
+
+manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
+files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file)
+
+corenet_tcp_connect_radius_port(ipa_otpd_t)
+
+dev_read_urand(ipa_otpd_t)
+dev_read_rand(ipa_otpd_t)
+
+sysnet_dns_name_resolve(ipa_otpd_t)
+
+optional_policy(`
+    dirsrv_stream_connect(ipa_otpd_t)
+')
+
+optional_policy(`
+	kerberos_use(ipa_otpd_t)
+')
+
+########################################
+#
+# ipa-helper local policy
+#
+
+
+allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
+
+#kernel bug
+dontaudit ipa_helper_t self:capability2  block_suspend;
+
+allow ipa_helper_t self:process setfscreate;
+allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
+allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)
+logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
+
+manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
+manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
+files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file })
+
+kernel_read_system_state(ipa_helper_t)
+kernel_read_network_state(ipa_helper_t)
+
+corenet_tcp_connect_ldap_port(ipa_helper_t)
+corenet_tcp_connect_smbd_port(ipa_helper_t)
+corenet_tcp_connect_http_port(ipa_helper_t)
+corenet_tcp_connect_kerberos_password_port(ipa_helper_t)
+
+corecmd_exec_bin(ipa_helper_t)
+corecmd_exec_shell(ipa_helper_t)
+
+dev_read_urand(ipa_helper_t)
+
+auth_use_nsswitch(ipa_helper_t)
+
+files_list_tmp(ipa_helper_t)
+
+init_read_state(ipa_helper_t)
+init_stream_connect(ipa_helper_t)
+
+ipa_manage_pid_files(ipa_helper_t)
+ipa_read_lib(ipa_helper_t)
+
+logging_send_syslog_msg(ipa_helper_t)
+
+optional_policy(`
+    dirsrv_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+    ldap_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+    libs_exec_ldconfig(ipa_helper_t)
+')
+
+optional_policy(`
+    memcached_stream_connect(ipa_helper_t)
+')
+
+optional_policy(`
+    oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)
+')
+
+optional_policy(`
+    rpm_read_db(ipa_helper_t)
+')
+
+optional_policy(`
+    samba_read_config(ipa_helper_t)
+')
+
+optional_policy(`
+    sssd_manage_lib_files(ipa_helper_t)
+    sssd_systemctl(ipa_helper_t)
+')
+
+optional_policy(`
+    systemd_config_generic_services(ipa_helper_t)
+')
+
+########################################
+#
+# ipa-dnskey local policy
+#
+allow ipa_dnskey_t self:tcp_socket create_stream_socket_perms;
+allow ipa_dnskey_t self:udp_socket create_socket_perms;
+allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms;
+allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read };
+
+read_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
+read_lnk_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
+
+manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
+
+manage_files_pattern(ipa_dnskey_t, ipa_tmp_t, ipa_tmp_t)
+files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file })
+
+kernel_dgram_send(ipa_dnskey_t)
+kernel_read_system_state(ipa_dnskey_t)
+kernel_read_network_state(ipa_dnskey_t)
+
+auth_use_nsswitch(ipa_dnskey_t)
+
+corecmd_exec_bin(ipa_dnskey_t)
+corecmd_exec_shell(ipa_dnskey_t)
+
+corenet_tcp_bind_generic_node(ipa_dnskey_t)
+corenet_tcp_connect_kerberos_port(ipa_dnskey_t)
+corenet_tcp_connect_rndc_port(ipa_dnskey_t)
+
+dev_read_rand(ipa_dnskey_t)
+
+can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)
+
+libs_exec_ldconfig(ipa_dnskey_t)
+
+logging_send_syslog_msg(ipa_dnskey_t)
+
+miscfiles_read_certs(ipa_dnskey_t)
+
+sysnet_read_config(ipa_dnskey_t)
+
+optional_policy(`
+    apache_search_config(ipa_dnskey_t)
+')
+
+optional_policy(`
+	bind_domtrans_ndc(ipa_dnskey_t)
+	bind_read_dnssec_keys(ipa_dnskey_t)
+	bind_manage_zone(ipa_dnskey_t)
+	bind_manage_zone_dirs(ipa_dnskey_t)
+	bind_search_cache(ipa_dnskey_t)
+')
+
+optional_policy(`
+	dirsrv_stream_connect(ipa_dnskey_t)
+')
+
+optional_policy(`
+	opendnssec_domtrans(ipa_dnskey_t)
+	opendnssec_manage_config(ipa_dnskey_t)
+	opendnssec_manage_var_files(ipa_dnskey_t)
+	opendnssec_filetrans_etc_content(ipa_dnskey_t)
+')
diff --git a/ipmievd.fc b/ipmievd.fc
new file mode 100644
index 0000000000..0f598ca9fb
--- /dev/null
+++ b/ipmievd.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/ipmievd\.service	--	gen_context(system_u:object_r:ipmievd_unit_file_t,s0)
+
+/usr/sbin/ipmievd				--	gen_context(system_u:object_r:ipmievd_exec_t,s0)
+
+/usr/libexec/openipmi-helper	--	gen_context(system_u:object_r:ipmievd_exec_t,s0)
+
+/var/run/ipmievd\.pid				--	gen_context(system_u:object_r:ipmievd_var_run_t,s0)
+
+/var/lock/subsys/ipmi	--	gen_context(system_u:object_r:ipmievd_lock_t,s0)
diff --git a/ipmievd.if b/ipmievd.if
new file mode 100644
index 0000000000..e86db54188
--- /dev/null
+++ b/ipmievd.if
@@ -0,0 +1,120 @@
+## <summary>IPMI event daemon for sending events to syslog.</summary>
+
+########################################
+## <summary>
+##	Execute ipmievd_exec_t in the ipmievd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ipmievd_domtrans',`
+	gen_require(`
+		type ipmievd_t, ipmievd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ipmievd_exec_t, ipmievd_t)
+')
+
+######################################
+## <summary>
+##	Execute ipmievd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipmievd_exec',`
+	gen_require(`
+		type ipmievd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ipmievd_exec_t)
+')
+
+########################################
+## <summary>
+##	Read ipmievd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipmievd_read_pid_files',`
+	gen_require(`
+		type ipmievd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, ipmievd_var_run_t, ipmievd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute ipmievd server in the ipmievd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ipmievd_systemctl',`
+	gen_require(`
+		type ipmievd_t;
+		type ipmievd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 ipmievd_unit_file_t:file read_file_perms;
+	allow $1 ipmievd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ipmievd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ipmievd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipmievd_admin',`
+	gen_require(`
+		type ipmievd_t;
+		type ipmievd_var_run_t;
+	type ipmievd_unit_file_t;
+	')
+
+	allow $1 ipmievd_t:process { signal_perms };
+	ps_process_pattern($1, ipmievd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ipmievd_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, ipmievd_var_run_t)
+
+	ipmievd_systemctl($1)
+	admin_pattern($1, ipmievd_unit_file_t)
+	allow $1 ipmievd_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/ipmievd.te b/ipmievd.te
new file mode 100644
index 0000000000..272487e096
--- /dev/null
+++ b/ipmievd.te
@@ -0,0 +1,55 @@
+policy_module(ipmievd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ipmievd_t;
+type ipmievd_exec_t;
+init_daemon_domain(ipmievd_t, ipmievd_exec_t)
+
+type ipmievd_var_run_t;
+files_pid_file(ipmievd_var_run_t)
+
+type ipmievd_lock_t;
+files_lock_file(ipmievd_lock_t)
+
+type ipmievd_unit_file_t;
+systemd_unit_file(ipmievd_unit_file_t)
+
+########################################
+#
+# ipmievd local policy
+#
+
+allow ipmievd_t self:process { fork setpgid };
+allow ipmievd_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t)
+files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })
+
+manage_files_pattern(ipmievd_t, ipmievd_lock_t, ipmievd_lock_t)
+files_lock_filetrans(ipmievd_t, ipmievd_lock_t, file)
+
+kernel_read_system_state(ipmievd_t)
+kernel_load_module(ipmievd_t)
+
+auth_use_nsswitch(ipmievd_t)
+
+corecmd_exec_bin(ipmievd_t)
+
+dev_manage_ipmi_dev(ipmievd_t)
+dev_filetrans_ipmi(ipmievd_t)
+dev_read_sysfs(ipmievd_t)
+dev_rw_watchdog(ipmievd_t)
+
+files_read_kernel_modules(ipmievd_t)
+files_map_kernel_modules(ipmievd_t)
+
+logging_send_syslog_msg(ipmievd_t)
+
+miscfiles_read_certs(ipmievd_t)
+
+modutils_exec_insmod(ipmievd_t)
+modutils_read_module_config(ipmievd_t)
diff --git a/irc.fc b/irc.fc
index 48e7739f94..1bf0326cdc 100644
--- a/irc.fc
+++ b/irc.fc
@@ -1,6 +1,6 @@
 HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:irc_home_t,s0)
 HOME_DIR/\.irssi(/.*)?	gen_context(system_u:object_r:irc_home_t,s0)
-HOME_DIR/irclogs(/.*)?	gen_context(system_u:object_r:irc_log_home_t,s0)
+HOME_DIR/irclog(/.*)?	gen_context(system_u:object_r:irc_home_t,s0)
 
 /etc/irssi\.conf	--	gen_context(system_u:object_r:irc_conf_t,s0)
 
diff --git a/irc.if b/irc.if
index ac00fb0fbc..36ef2e59cb 100644
--- a/irc.if
+++ b/irc.if
@@ -20,6 +20,7 @@ interface(`irc_role',`
 		attribute_role irc_roles;
 		type irc_t, irc_exec_t, irc_home_t;
 		type irc_tmp_t, irc_log_home_t;
+		type irssi_t, irssi_exec_t, irssi_home_t;
 	')
 
 	########################################
@@ -37,12 +38,42 @@ interface(`irc_role',`
 	domtrans_pattern($2, irc_exec_t, irc_t)
 
 	ps_process_pattern($2, irc_t)
-	allow $2 irc_t:process { ptrace signal_perms };
-
-	allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
-	userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
-	userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
+	allow $2 irc_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 irc_t:process ptrace;
+	')
+
+	domtrans_pattern($2, irssi_exec_t, irssi_t)
+
+	allow $2 irssi_t:process signal_perms;
+	ps_process_pattern($2, irssi_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 irssi_t:process ptrace;
+	')
+
+	allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
+	allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+	irc_filetrans_home_content($2)
+')
+
+#######################################
+## <summary>
+##      Transition to alsa named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`irc_filetrans_home_content',`
+		gen_require(`
+			type irc_home_t;
+			type irssi_home_t;
+		')
+		userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
+		userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
+		userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
 ')
diff --git a/irc.te b/irc.te
index 2636503679..5910c59315 100644
--- a/irc.te
+++ b/irc.te
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
 typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
 userdom_user_home_content(irc_home_t)
 
-type irc_log_home_t;
-userdom_user_home_content(irc_log_home_t)
-
 type irc_tmp_t;
 typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
 typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_tmp_file(irc_tmp_t)
+userdom_user_home_content(irc_tmp_t)
+
+########################################
+#
+# Irssi personal declarations.
+#
+
+## <desc>
+## <p>
+## Allow the Irssi IRC Client to connect to any port,
+## and to bind to any unreserved port.
+## </p>
+## </desc>
+gen_tunable(irssi_use_full_network, false)
+
+type irssi_t;
+type irssi_exec_t;
+application_domain(irssi_t, irssi_exec_t)
+ubac_constrained(irssi_t)
+role irc_roles types irssi_t;
+
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
+
+type irssi_home_t alias irc_log_home_t;
+userdom_user_home_content(irssi_home_t)
 
 ########################################
 #
@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms;
 manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
 manage_files_pattern(irc_t, irc_home_t, irc_home_t)
 manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
-
-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
+irc_filetrans_home_content(irc_t)
 
 manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
 manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
 
 kernel_read_system_state(irc_t)
 
-corenet_all_recvfrom_unlabeled(irc_t)
+corecmd_exec_shell(irc_t)
+corecmd_exec_bin(irc_t)
+
 corenet_all_recvfrom_netlabel(irc_t)
 corenet_tcp_sendrecv_generic_if(irc_t)
 corenet_tcp_sendrecv_generic_node(irc_t)
@@ -93,8 +111,6 @@ dev_read_rand(irc_t)
 
 domain_use_interactive_fds(irc_t)
 
-files_read_usr_files(irc_t)
-
 fs_getattr_all_fs(irc_t)
 fs_search_auto_mountpoints(irc_t)
 
@@ -106,14 +122,16 @@ auth_use_nsswitch(irc_t)
 init_read_utmp(irc_t)
 init_dontaudit_lock_utmp(irc_t)
 
-miscfiles_read_generic_certs(irc_t)
-miscfiles_read_localization(irc_t)
-
-userdom_use_user_terminals(irc_t)
+userdom_use_inherited_user_terminals(irc_t)
 
 userdom_manage_user_home_content_dirs(irc_t)
 userdom_manage_user_home_content_files(irc_t)
-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
+userdom_filetrans_home_content(irc_t)
+
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(irc_t)
+
+userdom_home_manager(irc_t)
 
 tunable_policy(`irc_use_any_tcp_ports',`
 	allow irc_t self:tcp_socket { accept listen };
@@ -124,18 +142,69 @@ tunable_policy(`irc_use_any_tcp_ports',`
 	corenet_tcp_sendrecv_all_ports(irc_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(irc_t)
-	fs_manage_nfs_files(irc_t)
-	fs_manage_nfs_symlinks(irc_t)
+optional_policy(`
+	nis_use_ypbind(irc_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(irc_t)
-	fs_manage_cifs_files(irc_t)
-	fs_manage_cifs_symlinks(irc_t)
+########################################
+#
+# Irssi personal declarations.
+#
+
+allow irssi_t self:process { signal sigkill };
+allow irssi_t self:fifo_file rw_fifo_file_perms;
+allow irssi_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
+
+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+irc_filetrans_home_content(irssi_t)
+userdom_search_user_home_dirs(irssi_t)
+
+kernel_read_system_state(irssi_t)
+
+corecmd_exec_shell(irssi_t)
+corecmd_read_bin_symlinks(irssi_t)
+
+corenet_tcp_connect_ircd_port(irssi_t)
+corenet_tcp_sendrecv_ircd_port(irssi_t)
+corenet_sendrecv_ircd_client_packets(irssi_t)
+
+# tcp:7000 is often used for SSL irc
+corenet_tcp_connect_gatekeeper_port(irssi_t)
+corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
+corenet_sendrecv_gatekeeper_client_packets(irssi_t)
+
+# Privoxy
+corenet_tcp_connect_http_cache_port(irssi_t)
+corenet_tcp_sendrecv_http_cache_port(irssi_t)
+corenet_sendrecv_http_cache_client_packets(irssi_t)
+
+corenet_tcp_bind_generic_node(irssi_t)
+
+dev_read_urand(irssi_t)
+# irssi-otr genkey.
+dev_read_rand(irssi_t)
+
+
+fs_search_auto_mountpoints(irssi_t)
+
+auth_use_nsswitch(irssi_t)
+
+
+userdom_use_inherited_user_terminals(irssi_t)
+
+tunable_policy(`irssi_use_full_network', `
+	corenet_tcp_bind_all_unreserved_ports(irssi_t)
+	corenet_tcp_connect_all_ports(irssi_t)
+	corenet_sendrecv_generic_server_packets(irssi_t)
+	corenet_sendrecv_all_client_packets(irssi_t)
 ')
 
+userdom_home_manager(irssi_t)
+
 optional_policy(`
 	seutil_use_newrole_fds(irc_t)
 ')
diff --git a/ircd.if b/ircd.if
index ade9803231..3620c9a674 100644
--- a/ircd.if
+++ b/ircd.if
@@ -33,8 +33,8 @@ interface(`ircd_admin',`
 
 	files_search_etc($1)
 	admin_pattern($1, ircd_etc_t)
-
-	logging_search_log($1)
+ 
+	logging_search_logs($1)
 	admin_pattern($1, ircd_log_t)
 
 	files_search_var_lib($1)
diff --git a/ircd.te b/ircd.te
index efaf4b10ad..bd1a132acd 100644
--- a/ircd.te
+++ b/ircd.te
@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
 
 corecmd_exec_bin(ircd_t)
 
-corenet_all_recvfrom_unlabeled(ircd_t)
 corenet_all_recvfrom_netlabel(ircd_t)
 corenet_tcp_sendrecv_generic_if(ircd_t)
 corenet_tcp_sendrecv_generic_node(ircd_t)
@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t)
 
 logging_send_syslog_msg(ircd_t)
 
-miscfiles_read_localization(ircd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(ircd_t)
 userdom_dontaudit_search_user_home_dirs(ircd_t)
 
diff --git a/irqbalance.te b/irqbalance.te
index e1f302ddb6..1e5418a2e0 100644
--- a/irqbalance.te
+++ b/irqbalance.te
@@ -35,7 +35,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
 
 dev_read_sysfs(irqbalance_t)
 
-files_read_etc_files(irqbalance_t)
 files_read_etc_runtime_files(irqbalance_t)
 
 fs_getattr_all_fs(irqbalance_t)
@@ -45,8 +44,6 @@ domain_use_interactive_fds(irqbalance_t)
 
 logging_send_syslog_msg(irqbalance_t)
 
-miscfiles_read_localization(irqbalance_t)
-
 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
 userdom_dontaudit_search_user_home_dirs(irqbalance_t)
 
diff --git a/iscsi.fc b/iscsi.fc
index 08b7560479..417e630049 100644
--- a/iscsi.fc
+++ b/iscsi.fc
@@ -1,19 +1,18 @@
-/etc/rc\.d/init\.d/((iscsi)|(iscsid))	--	gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
-
 /sbin/iscsid	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
-/sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 /sbin/iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 
 /usr/sbin/iscsid	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
-/usr/sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 /usr/sbin/iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/sbin/iscsiadm  --  gen_context(system_u:object_r:iscsid_exec_t,s0)
 
 /var/lib/iscsi(/.*)?	gen_context(system_u:object_r:iscsi_var_lib_t,s0)
 
 /var/lock/iscsi(/.*)?	gen_context(system_u:object_r:iscsi_lock_t,s0)
 
-/var/log/brcm-iscsi\.log.*	--	gen_context(system_u:object_r:iscsi_log_t,s0)
 /var/log/iscsiuio\.log.*	--	gen_context(system_u:object_r:iscsi_log_t,s0)
 
 /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
 /var/run/iscsiuio\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
+
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
diff --git a/iscsi.if b/iscsi.if
index 1a354203e8..77004ecad1 100644
--- a/iscsi.if
+++ b/iscsi.if
@@ -17,6 +17,53 @@ interface(`iscsid_domtrans',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, iscsid_exec_t, iscsid_t)
+    allow $1 iscsid_exec_t:file map;
+')
+
+########################################
+## <summary>
+##	Execute iscsid programs in the iscsid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to allow the iscsid domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`iscsid_run',`
+	gen_require(`
+		attribute_role iscsid_roles;
+	')
+
+    iscsid_domtrans($1)
+    roleattribute $2 iscsid_roles;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	iscsid lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iscsi_manage_lock',`
+	gen_require(`
+		type iscsi_lock_t;
+	')
+
+    files_search_locks($1)
+    manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
+    manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
 ')
 
 ########################################
@@ -80,17 +127,54 @@ interface(`iscsi_read_lib_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an iscsi environment.
+##	Transition to iscsi named content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`iscsi_filetrans_named_content',`
+    gen_require(`
+        type iscsi_lock_t;
+    ')
+
+    files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
+')
+
+########################################
+## <summary>
+##     Execute iscsi server in the iscsi domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`iscsi_systemctl',`
+       gen_require(`
+               type iscsid_t;
+               type iscsi_unit_file_t;
+       ')
+
+       systemd_exec_systemctl($1)
+	init_reload_services($1)
+       allow $1 iscsi_unit_file_t:file read_file_perms;
+       allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+       ps_process_pattern($1, iscsid_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an iscsi environment.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -99,16 +183,16 @@ interface(`iscsi_admin',`
 	gen_require(`
 		type iscsid_t, iscsi_lock_t, iscsi_log_t;
 		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
-		type iscsi_initrc_exec_t;
+		type iscsi_unit_file_t;
 	')
 
 	allow $1 iscsid_t:process { ptrace signal_perms };
 	ps_process_pattern($1, iscsid_t)
 
-	init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 iscsi_initrc_exec_t system_r;
-	allow $2 system_r;
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 iscsi_unit_file_t:file manage_file_perms;
+	allow $1 iscsi_unit_file_t:service manage_service_perms;
 
 	logging_search_logs($1)
 	admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
index ca020faa98..5b3ff1668c 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
 # Declarations
 #
 
+attribute_role iscsid_roles;
+
 type iscsid_t;
 type iscsid_exec_t;
 init_daemon_domain(iscsid_t, iscsid_exec_t)
+role iscsid_roles types iscsid_t;
 
-type iscsi_initrc_exec_t;
-init_script_file(iscsi_initrc_exec_t)
+type iscsi_unit_file_t;
+systemd_unit_file(iscsi_unit_file_t)
 
 type iscsi_lock_t;
 files_lock_file(iscsi_lock_t)
@@ -32,17 +35,18 @@ files_pid_file(iscsi_var_run_t)
 # Local policy
 #
 
-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
-dontaudit iscsid_t self:capability sys_ptrace;
+allow iscsid_t self:capability { dac_read_search dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
 allow iscsid_t self:process { setrlimit setsched signal };
 allow iscsid_t self:fifo_file rw_fifo_file_perms;
 allow iscsid_t self:unix_stream_socket { accept connectto listen };
 allow iscsid_t self:sem create_sem_perms;
 allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_iscsi_socket create_socket_perms;
 allow iscsid_t self:netlink_socket create_socket_perms;
 allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow iscsid_t self:netlink_route_socket nlmsg_write;
 allow iscsid_t self:tcp_socket { listen accept };
+allow iscsid_t self:system module_load;
 
 manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
 manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
@@ -54,21 +58,24 @@ logging_log_filetrans(iscsid_t, iscsi_log_t, file)
 manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
 manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
 fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
+allow iscsid_t iscsi_tmp_t:file map;
 
-allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
-read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
-read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)
 
 manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
 files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
 
 can_exec(iscsid_t, iscsid_exec_t)
 
+kernel_load_module(iscsid_t)
 kernel_read_network_state(iscsid_t)
 kernel_read_system_state(iscsid_t)
-kernel_setsched(iscsid_t)
+kernel_dontaudit_setsched(iscsid_t)
+kernel_request_load_module(iscsid_t)
 
-corenet_all_recvfrom_unlabeled(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
 corenet_tcp_sendrecv_generic_if(iscsid_t)
 corenet_tcp_sendrecv_generic_node(iscsid_t)
@@ -85,22 +92,43 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
 corenet_tcp_connect_isns_port(iscsid_t)
 corenet_tcp_sendrecv_isns_port(iscsid_t)
 
-dev_read_raw_memory(iscsid_t)
+corenet_sendrecv_winshadow_client_packets(iscsid_t)
+corenet_tcp_connect_winshadow_port(iscsid_t)
+corenet_tcp_sendrecv_winshadow_port(iscsid_t)
+
+corecmd_exec_bin(iscsid_t)
+corecmd_exec_shell(iscsid_t)
+
+dev_read_urand(iscsid_t)
 dev_rw_sysfs(iscsid_t)
+dev_map_sysfs(iscsid_t)
 dev_rw_userio_dev(iscsid_t)
-dev_write_raw_memory(iscsid_t)
+dev_map_userio_dev(iscsid_t)
 
 domain_use_interactive_fds(iscsid_t)
 domain_dontaudit_read_all_domains_state(iscsid_t)
 
+files_read_kernel_modules(iscsid_t)
+files_map_kernel_modules(iscsid_t)
+
 auth_use_nsswitch(iscsid_t)
 
 init_stream_connect_script(iscsid_t)
 
 logging_send_syslog_msg(iscsid_t)
 
-miscfiles_read_localization(iscsid_t)
+modutils_read_module_config(iscsid_t)
+
+mount_read_pid_files(iscsid_t)
+
+optional_policy(`
+    iscsi_systemctl(iscsid_t)
+')
 
 optional_policy(`
 	tgtd_manage_semaphores(iscsid_t)
 ')
+
+optional_policy(`
+	kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
+')
diff --git a/isns.te b/isns.te
index bc11034932..5a8ae798fa 100644
--- a/isns.te
+++ b/isns.te
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
 allow isnsd_t self:capability kill;
 allow isnsd_t self:process signal;
 allow isnsd_t self:fifo_file rw_fifo_file_perms;
+allow isnsd_t self:tcp_socket { listen accept };
 allow isnsd_t self:udp_socket { accept listen };
 allow isnsd_t self:unix_stream_socket { accept listen };
 
@@ -37,6 +38,9 @@ manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
 manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
 files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file })
 
+kernel_read_system_state(isnsd_t)
+kernel_read_network_state(isnsd_t)
+
 corenet_all_recvfrom_unlabeled(isnsd_t)
 corenet_all_recvfrom_netlabel(isnsd_t)
 corenet_tcp_sendrecv_generic_if(isnsd_t)
@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
 corenet_sendrecv_isns_server_packets(isnsd_t)
 corenet_tcp_bind_isns_port(isnsd_t)
 
-files_read_etc_files(isnsd_t)
+auth_use_nsswitch(isnsd_t)
 
 logging_send_syslog_msg(isnsd_t)
-
-miscfiles_read_localization(isnsd_t)
-
-sysnet_dns_name_resolve(isnsd_t)
diff --git a/jabber.fc b/jabber.fc
index 59ad3b3c4d..bd02cc87d8 100644
--- a/jabber.fc
+++ b/jabber.fc
@@ -1,25 +1,18 @@
-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd))	--	gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/jabberd --	gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
 
-/usr/bin/router	--	gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/c2s	--	gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-/usr/bin/s2s	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/bin/sm	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router         --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm             --      gen_context(system_u:object_r:jabberd_exec_t,s0)
 
-/usr/sbin/ejabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/ejabberdctl	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
-/usr/sbin/jabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
+/var/lib/jabberd(/.*)?           gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 
-/var/lock/ejabberdctl(/.*)	gen_context(system_u:object_r:jabberd_lock_t,s0)
+# pyicq-t
 
-/var/log/ejabberd(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/log/jabber(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
+/usr/share/pyicq-t/PyICQt\.py	--	gen_context(system_u:object_r:pyicqt_exec_t,s0)
 
-/var/lib/ejabberd(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/ejabberd/spool(/.*)?	gen_context(system_u:object_r:jabberd_spool_t,s0)
-/var/lib/jabber(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd(/.*)?	gen_context(system_u:object_r:jabberd_var_lib_t,s0)
-/var/lib/jabberd/log(/.*)?	gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/lib/jabberd/pid(/.*)?	gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/log/pyicq-t\.log.*				gen_context(system_u:object_r:pyicqt_log_t,s0)
 
-/var/run/ejabber\.pid	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
-/var/run/jabber\.pid	--	gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/run/pyicq-t(/.*)?				gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/jabber.if b/jabber.if
index 7eb3811219..8075ba5f00 100644
--- a/jabber.if
+++ b/jabber.if
@@ -1,29 +1,76 @@
-## <summary>Jabber instant messaging servers.</summary>
+## <summary>Jabber instant messaging server</summary>
+
+#####################################
+## <summary>
+##  Creates types and rules for a basic
+##  jabber init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`jabber_domain_template',`
+    gen_require(`
+        attribute jabberd_domain;
+    ')
+
+    ##############################
+    #   
+    #  $1_t declarations
+    # 
+
+    type $1_t, jabberd_domain;
+    type $1_exec_t;
+    init_daemon_domain($1_t, $1_exec_t)
+
+	kernel_read_system_state($1_t)
+
+    corenet_all_recvfrom_netlabel($1_t)
+
+    logging_send_syslog_msg($1_t)
+')
 
 #######################################
 ## <summary>
-##	The template to define a jabber domain.
+##	Execute a domain transition to run jabberd services
 ## </summary>
-## <param name="domain_prefix">
+## <param name="domain">
 ##	<summary>
-##	Domain prefix to be used.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-template(`jabber_domain_template',`
+interface(`jabber_domtrans_jabberd',`
 	gen_require(`
-		attribute jabberd_domain;
+		type jabberd_t, jabberd_exec_t;
 	')
 
-	type $1_t, jabberd_domain;
-	type $1_exec_t;
-	init_daemon_domain($1_t, $1_exec_t)
+	domtrans_pattern($1, jabberd_exec_t, jabberd_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Create, read, write, and delete
-##	jabber lib files.
+##	Execute a domain transition to run jabberd router service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`jabber_domtrans_jabberd_router',`
+	gen_require(`
+		type jabberd_router_t, jabberd_router_exec_t;
+	')
+
+	domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
+')
+
+#######################################
+## <summary>
+##	Read jabberd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -31,18 +78,37 @@ template(`jabber_domain_template',`
 ##	</summary>
 ## </param>
 #
-interface(`jabber_manage_lib_files',`
+interface(`jabberd_read_lib_files',`
 	gen_require(`
 		type jabberd_var_lib_t;
 	')
 
 	files_search_var_lib($1)
-	manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+	read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
 ')
 
-########################################
+#######################################
+## <summary>
+##	Dontaudit inherited read jabberd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`jabberd_dontaudit_read_lib_files',`
+	gen_require(`
+		type jabberd_var_lib_t;
+	')
+
+	dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
+')
+
+#######################################
 ## <summary>
-##	Connect to jabber over a TCP socket  (Deprecated)
+##	Create, read, write, and delete
+##	jabberd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`jabber_tcp_connect',`
-	refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabberd_manage_lib_files',`
+	gen_require(`
+		type jabberd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an jabber environment.
+##	All of the rules required to administrate 
+##	an jabber environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -66,20 +137,28 @@ interface(`jabber_tcp_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the jabber domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`jabber_admin',`
 	gen_require(`
-		attribute jabberd_domain;
-		type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
-		type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
+		type jabberd_t, jabberd_var_lib_t;
+		type jabberd_initrc_exec_t, jabberd_router_t;
+        type jabberd_lock_t;
+		type jabberd_var_spool_t;
 	')
 
-	allow $1 jabberd_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, jabberd_domain)
+	allow $1 jabberd_t:process signal_perms;
+	ps_process_pattern($1, jabberd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 jabberd_t:process ptrace;
+		allow $1 jabberd_router_t:process ptrace;
+	')
+
+	allow $1 jabberd_router_t:process signal_perms;
+	ps_process_pattern($1, jabberd_router_t)
 
 	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -89,15 +168,9 @@ interface(`jabber_admin',`
 	files_search_locks($1)
 	admin_pattern($1, jabberd_lock_t)
 
-	logging_search_logs($1)
-	admin_pattern($1, jabberd_log_t)
-
 	files_search_spool($1)
-	admin_pattern($1, jabberd_spool_t)
+	admin_pattern($1, jabberd_var_spool_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, jabberd_var_lib_t)
-
-	files_search_pids($1)
-	admin_pattern($1, jabberd_var_run_t)
 ')
diff --git a/jabber.te b/jabber.te
index af67c36ee9..4755e0af81 100644
--- a/jabber.te
+++ b/jabber.te
@@ -9,129 +9,137 @@ attribute jabberd_domain;
 
 jabber_domain_template(jabberd)
 jabber_domain_template(jabberd_router)
+jabber_domain_template(pyicqt)
 
 type jabberd_initrc_exec_t;
 init_script_file(jabberd_initrc_exec_t)
 
-type jabberd_lock_t;
-files_lock_file(jabberd_lock_t)
-
-type jabberd_log_t;
-logging_log_file(jabberd_log_t)
-
-type jabberd_spool_t;
-files_type(jabberd_spool_t)
-
+# type which includes log/pid files pro jabberd components
 type jabberd_var_lib_t;
 files_type(jabberd_var_lib_t)
 
-type jabberd_var_run_t;
-files_pid_file(jabberd_var_run_t)
+# pyicq-t types
+type pyicqt_log_t;
+logging_log_file(pyicqt_log_t);
 
-########################################
-#
-# Common local policy
-#
+type pyicqt_var_spool_t;
+files_spool_file(pyicqt_var_spool_t)
 
-allow jabberd_domain self:process signal_perms;
-allow jabberd_domain self:fifo_file rw_fifo_file_perms;
-allow jabberd_domain self:tcp_socket { accept listen };
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
 
-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+######################################
+#
+# Local policy for jabberd-router and c2s components
+#
 
-kernel_read_system_state(jabberd_domain)
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
 
-corenet_all_recvfrom_unlabeled(jabberd_domain)
-corenet_all_recvfrom_netlabel(jabberd_domain)
-corenet_tcp_sendrecv_generic_if(jabberd_domain)
-corenet_tcp_sendrecv_generic_node(jabberd_domain)
-corenet_tcp_bind_generic_node(jabberd_domain)
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
 
-dev_read_urand(jabberd_domain)
-dev_read_sysfs(jabberd_domain)
+kernel_read_network_state(jabberd_router_t)
 
-fs_getattr_all_fs(jabberd_domain)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+corenet_tcp_connect_postgresql_port(jabberd_router_t)
 
-logging_send_syslog_msg(jabberd_domain)
+fs_getattr_all_fs(jabberd_router_t)
 
-miscfiles_read_localization(jabberd_domain)
+miscfiles_read_generic_certs(jabberd_router_t)
 
 optional_policy(`
-	nis_use_ypbind(jabberd_domain)
+	kerberos_use(jabberd_router_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(jabberd_domain)
+	nis_use_ypbind(jabberd_router_t)
 ')
 
-########################################
+#####################################
 #
-# Local policy
+# Local policy for other jabberd components
 #
 
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:tcp_socket create_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
+corenet_tcp_connect_postgresql_port(jabberd_t)
 
-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
 
-allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+miscfiles_read_certs(jabberd_t)
 
-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
+optional_policy(`
+	seutil_sigchld_newrole(jabberd_t)
+')
 
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+optional_policy(`
+	udev_read_db(jabberd_t)
+')
 
-kernel_read_kernel_sysctls(jabberd_t)
+######################################
+#
+# Local policy for pyicq-t
+#
 
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_client_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
+# need for /var/log/pyicq-t.log
+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
 
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
 
-dev_read_rand(jabberd_t)
+files_search_spool(pyicqt_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
 
-domain_use_interactive_fds(jabberd_t)
+corenet_tcp_bind_jabber_router_port(pyicqt_t)
+corenet_tcp_connect_jabber_router_port(pyicqt_t)
 
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
+corecmd_exec_bin(pyicqt_t)
 
-fs_search_auto_mountpoints(jabberd_t)
+dev_read_urand(pyicqt_t)
 
-sysnet_read_config(jabberd_t)
+auth_use_nsswitch(pyicqt_t)
 
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_user_home_dirs(jabberd_t)
+# needed for pyicq-t-mysql
+optional_policy(`
+	corenet_tcp_connect_mysqld_port(pyicqt_t)
+')
 
 optional_policy(`
-	udev_read_db(jabberd_t)
+	sysnet_use_ldap(pyicqt_t)
 ')
 
-########################################
+#######################################
 #
-# Router local policy
+# Local policy for jabberd domains
 #
 
-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
+allow jabberd_domain self:udp_socket create_socket_perms;
 
-kernel_read_network_state(jabberd_router_t)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_udp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
+corenet_udp_sendrecv_generic_node(jabberd_domain)
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
 
-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-corenet_tcp_bind_jabber_client_port(jabberd_router_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
+dev_read_sysfs(jabberd_domain)
+dev_read_urand(jabberd_domain)
 
-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
-# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
+files_read_etc_runtime_files(jabberd_domain)
 
-auth_use_nsswitch(jabberd_router_t)
+sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
index a7ae1531b3..6341e31199 100644
--- a/java.te
+++ b/java.te
@@ -11,7 +11,7 @@ policy_module(java, 2.7.0)
 ##	its stack executable.
 ##	</p>
 ## </desc>
-gen_tunable(allow_java_execstack, false)
+gen_tunable(java_execstack, false)
 
 attribute java_domain;
 
@@ -90,7 +90,6 @@ dev_read_urand(java_domain)
 dev_read_rand(java_domain)
 dev_dontaudit_append_rand(java_domain)
 
-files_read_usr_files(java_domain)
 files_read_etc_runtime_files(java_domain)
 
 fs_getattr_all_fs(java_domain)
@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain)
 userdom_manage_user_home_content_symlinks(java_domain)
 userdom_manage_user_home_content_pipes(java_domain)
 userdom_manage_user_home_content_sockets(java_domain)
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+userdom_filetrans_home_content(java_domain_t)
 
 userdom_write_user_tmp_sockets(java_domain)
 
-tunable_policy(`allow_java_execstack',`
+tunable_policy(`java_execstack',`
 	allow java_domain self:process { execmem execstack };
 
 	libs_legacy_use_shared_libs(java_domain)
diff --git a/jetty.fc b/jetty.fc
new file mode 100644
index 0000000000..1725b7e692
--- /dev/null
+++ b/jetty.fc
@@ -0,0 +1,9 @@
+
+/var/cache/jetty(/.*)?		gen_context(system_u:object_r:jetty_cache_t,s0)
+
+/var/lib/jetty(/.*)?		gen_context(system_u:object_r:jetty_var_lib_t,s0)
+
+/var/log/jetty(/.*)?		gen_context(system_u:object_r:jetty_log_t,s0)
+
+/var/run/jetty(/.*)?		gen_context(system_u:object_r:jetty_var_run_t,s0)
+
diff --git a/jetty.if b/jetty.if
new file mode 100644
index 0000000000..2abc285a75
--- /dev/null
+++ b/jetty.if
@@ -0,0 +1,268 @@
+
+## <summary>policy for jetty</summary>
+
+########################################
+## <summary>
+##	Search jetty cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_search_cache',`
+	gen_require(`
+		type jetty_cache_t;
+	')
+
+	allow $1 jetty_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read jetty cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_read_cache_files',`
+	gen_require(`
+		type jetty_cache_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	jetty cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_manage_cache_files',`
+	gen_require(`
+		type jetty_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage jetty cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_manage_cache_dirs',`
+	gen_require(`
+		type jetty_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
+')
+
+########################################
+## <summary>
+##	Read jetty's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`jetty_read_log',`
+	gen_require(`
+		type jetty_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+## <summary>
+##	Append to jetty log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_append_log',`
+	gen_require(`
+		type jetty_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+## <summary>
+##	Manage jetty log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_manage_log',`
+	gen_require(`
+		type jetty_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
+	manage_files_pattern($1, jetty_log_t, jetty_log_t)
+	manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
+')
+
+########################################
+## <summary>
+##	Search jetty lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_search_lib',`
+	gen_require(`
+		type jetty_var_lib_t;
+	')
+
+	allow $1 jetty_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read jetty lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_read_lib_files',`
+	gen_require(`
+		type jetty_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage jetty lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_manage_lib_files',`
+	gen_require(`
+		type jetty_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage jetty lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_manage_lib_dirs',`
+	gen_require(`
+		type jetty_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read jetty PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jetty_read_pid_files',`
+	gen_require(`
+		type jetty_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 jetty_var_run_t:file read_file_perms;
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an jetty environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`jetty_admin',`
+	gen_require(`
+		type jetty_cache_t;
+		type jetty_log_t;
+		type jetty_var_lib_t;
+		type jetty_var_run_t;
+	')
+
+	files_search_var($1)
+	admin_pattern($1, jetty_cache_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, jetty_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, jetty_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, jetty_var_run_t)
+')
diff --git a/jetty.te b/jetty.te
new file mode 100644
index 0000000000..af510eac64
--- /dev/null
+++ b/jetty.te
@@ -0,0 +1,25 @@
+policy_module(jetty, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type jetty_cache_t;
+files_type(jetty_cache_t)
+
+type jetty_log_t;
+logging_log_file(jetty_log_t)
+
+type jetty_var_lib_t;
+files_type(jetty_var_lib_t)
+
+type jetty_var_run_t;
+files_pid_file(jetty_var_run_t)
+
+########################################
+#
+# jetty local policy
+#
+
+# No local policy. This module just contains type definitions
diff --git a/jockey.if b/jockey.if
index 2fb7a20fad..c6ba007988 100644
--- a/jockey.if
+++ b/jockey.if
@@ -1 +1,131 @@
-## <summary>Jockey driver manager.</summary>
+
+## <summary>policy for jockey</summary>
+
+########################################
+## <summary>
+##	Transition to jockey.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jockey_domtrans',`
+	gen_require(`
+		type jockey_t, jockey_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, jockey_exec_t, jockey_t)
+')
+
+########################################
+## <summary>
+##	Search jockey cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jockey_search_cache',`
+	gen_require(`
+		type jockey_cache_t;
+	')
+
+	allow $1 jockey_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read jockey cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jockey_read_cache_files',`
+	gen_require(`
+		type jockey_cache_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	jockey cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jockey_manage_cache_files',`
+	gen_require(`
+		type jockey_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage jockey cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jockey_manage_cache_dirs',`
+	gen_require(`
+		type jockey_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an jockey environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`jockey_admin',`
+	gen_require(`
+		type jockey_t;
+		type jockey_cache_t;
+		type jockey_var_log_t;
+	')
+
+	allow $1 jockey_t:process { ptrace signal_perms };
+	ps_process_pattern($1, jockey_t)
+
+	files_search_var($1)
+	admin_pattern($1, jockey_cache_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, jockey_var_log_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/jockey.te b/jockey.te
index d59ec10a21..a46018d042 100644
--- a/jockey.te
+++ b/jockey.te
@@ -15,6 +15,9 @@ files_type(jockey_cache_t)
 type jockey_var_log_t;
 logging_log_file(jockey_var_log_t)
 
+type jockey_tmpfs_t;
+files_tmpfs_file(jockey_tmpfs_t)
+
 ########################################
 #
 # Local policy
@@ -33,6 +36,10 @@ create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
 setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
 logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
 
+manage_dirs_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t)
+manage_files_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t)
+fs_tmpfs_filetrans(jockey_t, jockey_tmpfs_t, { dir file })
+
 kernel_read_system_state(jockey_t)
 
 corecmd_exec_bin(jockey_t)
@@ -44,16 +51,19 @@ dev_read_urand(jockey_t)
 
 domain_use_interactive_fds(jockey_t)
 
-files_read_etc_files(jockey_t)
-files_read_usr_files(jockey_t)
 
-miscfiles_read_localization(jockey_t)
+auth_read_passwd(jockey_t)
 
 optional_policy(`
 	dbus_system_domain(jockey_t, jockey_exec_t)
 ')
 
+optional_policy(`
+	gnome_dontaudit_search_config(jockey_t)
+')
+
 optional_policy(`
 	modutils_domtrans_insmod(jockey_t)
 	modutils_read_module_config(jockey_t)
+	modutils_list_module_config(jockey_t)
 ')
diff --git a/journalctl.fc b/journalctl.fc
new file mode 100644
index 0000000000..f270652865
--- /dev/null
+++ b/journalctl.fc
@@ -0,0 +1 @@
+/usr/bin/journalctl		--	gen_context(system_u:object_r:journalctl_exec_t,s0)
diff --git a/journalctl.if b/journalctl.if
new file mode 100644
index 0000000000..17126b64c0
--- /dev/null
+++ b/journalctl.if
@@ -0,0 +1,95 @@
+
+## <summary>policy for journalctl</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the journalctl domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`journalctl_domtrans',`
+	gen_require(`
+		type journalctl_t, journalctl_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, journalctl_exec_t, journalctl_t)
+')
+
+######################################
+## <summary>
+##	Execute journalctl in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`journalctl_exec',`
+	gen_require(`
+		type journalctl_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, journalctl_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute journalctl in the journalctl domain, and
+##	allow the specified role the journalctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the journalctl domain.
+##	</summary>
+## </param>
+#
+interface(`journalctl_run',`
+	gen_require(`
+		type journalctl_t;
+		attribute_role journalctl_roles;
+	')
+
+	journalctl_domtrans($1)
+	roleattribute $2 journalctl_roles;
+')
+
+########################################
+## <summary>
+##	Role access for journalctl
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`journalctl_role',`
+	gen_require(`
+		type journalctl_t;
+		attribute_role journalctl_roles;
+	')
+
+	roleattribute $1 journalctl_roles;
+
+	journalctl_domtrans($2)
+
+	ps_process_pattern($2, journalctl_t)
+	allow $2 journalctl_t:process { signull signal sigkill };
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
index 0000000000..68dd2b7d6f
--- /dev/null
+++ b/journalctl.te
@@ -0,0 +1,47 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role journalctl_roles;
+roleattribute system_r journalctl_roles;
+
+type journalctl_t;
+type journalctl_exec_t;
+application_domain(journalctl_t, journalctl_exec_t)
+
+role journalctl_roles types journalctl_t;
+
+########################################
+#
+# journalctl local policy
+#
+allow journalctl_t self:process { fork signal_perms };
+
+allow journalctl_t self:fifo_file manage_fifo_file_perms;
+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(journalctl_t)
+
+corecmd_exec_bin(journalctl_t)
+
+domain_use_interactive_fds(journalctl_t)
+
+files_read_etc_files(journalctl_t)
+
+fs_getattr_all_fs(journalctl_t)
+
+auth_use_nsswitch(journalctl_t)
+
+miscfiles_read_localization(journalctl_t)
+
+logging_read_generic_logs(journalctl_t)
+logging_read_syslog_pid(journalctl_t)
+
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
+userdom_rw_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
diff --git a/kde.fc b/kde.fc
new file mode 100644
index 0000000000..25e4b6817e
--- /dev/null
+++ b/kde.fc
@@ -0,0 +1 @@
+#/usr/libexec/kde(3|4)/backlighthelper	--	gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
diff --git a/kde.if b/kde.if
new file mode 100644
index 0000000000..cf6557769d
--- /dev/null
+++ b/kde.if
@@ -0,0 +1,22 @@
+## <summary> Policy for KDE components </summary>
+
+#######################################
+## <summary>
+##      Send and receive messages from
+##      firewallgui over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kde_dbus_chat_backlighthelper',`
+        gen_require(`
+                type kdebacklighthelper_t;
+                class dbus send_msg;
+        ')
+
+	allow $1 kdebacklighthelper_t:dbus send_msg;
+        allow kdebacklighthelper_t $1:dbus send_msg;
+')
diff --git a/kde.te b/kde.te
new file mode 100644
index 0000000000..dbe3f038d5
--- /dev/null
+++ b/kde.te
@@ -0,0 +1,41 @@
+policy_module(kde,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kdebacklighthelper_t;
+type kdebacklighthelper_exec_t;
+init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+
+########################################
+#
+# backlighthelper local policy
+#
+
+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(kdebacklighthelper_t)
+
+# r/w brightness values
+dev_rw_sysfs(kdebacklighthelper_t)
+
+files_read_etc_runtime_files(kdebacklighthelper_t)
+
+fs_getattr_all_fs(kdebacklighthelper_t)
+
+logging_send_syslog_msg(kdebacklighthelper_t)
+
+optional_policy(`
+	dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+')
+
+optional_policy(`
+	consolekit_dbus_chat(kdebacklighthelper_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(kdebacklighthelper_t)
+')
+
diff --git a/kdump.fc b/kdump.fc
index a49ae4e918..0c0e987a8b 100644
--- a/kdump.fc
+++ b/kdump.fc
@@ -1,13 +1,16 @@
 /etc/kdump\.conf	--	gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump --	gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
 
-/etc/rc\.d/init\.d/kdump	--	gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+/sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
+/sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 
-/bin/kdumpctl	--	gen_context(system_u:object_r:kdumpctl_exec_t,s0)
 
-/usr/bin/kdumpctl	--	gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/lib/systemd/system/kdump\.service           --      gen_context(system_u:object_r:kdump_unit_file_t,s0)
 
-/sbin/kdump	--	gen_context(system_u:object_r:kdump_exec_t,s0)
-/sbin/kexec	--	gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/bin/kdumpctl               --      gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 
-/usr/sbin/kdump	--	gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kexec	--	gen_context(system_u:object_r:kdump_exec_t,s0)
+/var/crash(/.*)?		gen_context(system_u:object_r:kdump_crash_t,s0)
+
+/var/lock/kdump(/.*)?   gen_context(system_u:object_r:kdump_lock_t,s0)
diff --git a/kdump.if b/kdump.if
index 3a00b3a138..15c709f08b 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
-## <summary>Kernel crash dumping mechanism.</summary>
+## <summary>Kernel crash dumping mechanism</summary>
 
 ######################################
 ## <summary>
@@ -19,6 +19,26 @@ interface(`kdump_domtrans',`
 	domtrans_pattern($1, kdump_exec_t, kdump_t)
 ')
 
+######################################
+## <summary>
+##	Execute kdumpctl in the kdumpctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`kdumpctl_domtrans',`
+	gen_require(`
+		type kdumpctl_t, kdumpctl_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
+')
+
+
 #######################################
 ## <summary>
 ##	Execute kdump in the kdump domain.
@@ -37,9 +57,34 @@ interface(`kdump_initrc_domtrans',`
 	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute kdump server in the kdump domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`kdump_systemctl',`
+	gen_require(`
+		type kdump_unit_file_t;
+		type kdump_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_search_unit_dirs($1)
+	allow $1 kdump_unit_file_t:file read_file_perms;
+	allow $1 kdump_unit_file_t:service all_service_perms;
+
+	ps_process_pattern($1, kdump_t)
+')
+
 #####################################
 ## <summary>
-##	Read kdump configuration files.
+##	Read kdump configuration file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -56,10 +101,67 @@ interface(`kdump_read_config',`
 	allow $1 kdump_etc_t:file read_file_perms;
 ')
 
+#####################################
+## <summary>
+##	Read kdump crash files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kdump_read_crash',`
+	gen_require(`
+		type kdump_crash_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, kdump_crash_t, kdump_crash_t)
+	list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
+## <summary>
+##	Read kdump crash files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kdump_manage_crash',`
+	gen_require(`
+		type kdump_crash_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
+	manage_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+#####################################
+## <summary>
+##	Dontaudit read kdump configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kdump_dontaudit_read_config',`
+	gen_require(`
+		type kdump_etc_t;
+	')
+
+	dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
+')
+
 ####################################
 ## <summary>
-##	Create, read, write, and delete
-##	kdmup configuration files.
+##	Manage kdump configuration file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -76,10 +178,89 @@ interface(`kdump_manage_config',`
 	allow $1 kdump_etc_t:file manage_file_perms;
 ')
 
+#####################################
+## <summary>
+##	Read and write kdump lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kdump_rw_lock',`
+	gen_require(`
+		type kdump_lock_t;
+	')
+
+	files_search_locks($1)
+    rw_files_pattern($1, kdump_lock_t, kdump_lock_t)
+')
+
+###################################
+## <summary>
+##      Read/write inherited kdump /var/tmp named pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kdump_rw_inherited_kdumpctl_tmp_pipes',`
+        gen_require(`
+                type kdumpctl_tmp_t;
+        ')
+
+    files_search_tmp($1)
+    allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+###################################
+## <summary>
+##      Manage kdump /var/tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kdump_manage_kdumpctl_tmp_files',`
+        gen_require(`
+                type kdumpctl_tmp_t;
+        ')
+
+        files_search_tmp($1)
+        manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+	manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+	manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+	manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+    allow $1 kdumpctl_tmp_t:file map;
+')
+
+#######################################
+## <summary>
+##  Transition content labels to kdump named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`kdump_filetrans_named_content',`
+    gen_require(`
+        type kdump_lock_t;
+    ')
+
+    files_lock_filetrans($1, kdump_lock_t, file, "kdump")
+')
+
 ######################################
 ## <summary>
-##	All of the rules required to
-##	administrate an kdump environment.
+##	All of the rules required to administrate 
+##	an kdump environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,19 +269,24 @@ interface(`kdump_manage_config',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the kdump domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`kdump_admin',`
 	gen_require(`
-		type kdump_t, kdump_etc_t, kdumpctl_tmp_t;
-		type kdump_initrc_exec_t, kdumpctl_t;
+		type kdump_t, kdump_etc_t;
+		type kdump_initrc_exec_t;
+		type kdump_unit_file_t;
+		type kdump_crash_t;
 	')
 
-	allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { kdump_t kdumpctl_t })
+	allow $1 kdump_t:process signal_perms;
+	ps_process_pattern($1, kdump_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kdump_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -110,6 +296,29 @@ interface(`kdump_admin',`
 	files_search_etc($1)
 	admin_pattern($1, kdump_etc_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, kdumpctl_tmp_t)
+	files_search_var($1)
+	admin_pattern($1, kdump_crash_t)
+
+	kdump_systemctl($1)
+	admin_pattern($1, kdump_unit_file_t)
+	allow $1 kdump_unit_file_t:service all_service_perms;
 ')
+
+###################################
+## <summary>
+##     Dontaudit Read/write inherited kdump /var/tmp named pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit
+##      </summary>
+## </param>
+#
+interface(`kdump_dontaudit_inherited_kdumpctl_tmp_pipes',`
+        gen_require(`
+                type kdumpctl_tmp_t;
+        ')
+
+        dontaudit $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
diff --git a/kdump.te b/kdump.te
index 715fc211cc..41e1154aea 100644
--- a/kdump.te
+++ b/kdump.te
@@ -12,34 +12,59 @@ init_system_domain(kdump_t, kdump_exec_t)
 type kdump_etc_t;
 files_config_file(kdump_etc_t)
 
+type kdump_crash_t;
+files_type(kdump_crash_t)
+
 type kdump_initrc_exec_t;
 init_script_file(kdump_initrc_exec_t)
 
+type kdump_unit_file_t alias kdumpctl_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
+type kdump_lock_t;
+files_lock_file(kdump_lock_t)
+
 type kdumpctl_t;
 type kdumpctl_exec_t;
 init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
-application_executable_file(kdumpctl_exec_t)
+init_initrc_domain(kdumpctl_t)
 
 type kdumpctl_tmp_t;
 files_tmp_file(kdumpctl_tmp_t)
 
 #####################################
 #
-# Local policy
+# kdump local policy
 #
 
-allow kdump_t self:capability { sys_boot dac_override };
+allow kdump_t self:capability { sys_admin sys_boot dac_read_search dac_override };
+allow kdump_t self:capability2 compromise_kernel;
 
-allow kdump_t kdump_etc_t:file read_file_perms;
+manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
+
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+
+manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })
 
-files_read_etc_files(kdump_t)
 files_read_etc_runtime_files(kdump_t)
+files_read_kernel_symbol_table(kdump_t)
+files_read_kernel_modules(kdump_t)
 files_read_kernel_img(kdump_t)
+files_map_boot_files(kdump_t)
 
+kernel_read_system_state(kdump_t)
 kernel_read_core_if(kdump_t)
 kernel_read_debugfs(kdump_t)
-kernel_read_system_state(kdump_t)
 kernel_request_load_module(kdump_t)
+kernel_read_ring_buffer(kdump_t)
+
+mls_file_read_all_levels(kdump_t)
 
 dev_read_framebuffer(kdump_t)
 dev_read_sysfs(kdump_t)
@@ -48,69 +73,105 @@ term_use_console(kdump_t)
 
 #######################################
 #
-# Ctl local policy
+# kdumpctl local policy
 #
 
-allow kdumpctl_t self:capability { dac_override sys_chroot };
+#cjp:almost all rules are needed by dracut
+
+kdump_domtrans(kdumpctl_t)
+
+allow kdumpctl_t self:capability { dac_read_search dac_override sys_chroot };
 allow kdumpctl_t self:process setfscreate;
+
 allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-allow kdumpctl_t self:unix_stream_socket { accept listen };
+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
 
-allow kdumpctl_t kdump_etc_t:file read_file_perms;
+manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t)
+files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump")
 
 manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
 manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
 manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_fifo_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
 files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
+can_exec(kdumpctl_t, kdumpctl_tmp_t)
 
-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
+manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash")
+
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
 
 kernel_read_system_state(kdumpctl_t)
+kernel_stream_connect(kdumpctl_t)
+
+mls_file_read_all_levels(kdumpctl_t)
 
 corecmd_exec_bin(kdumpctl_t)
 corecmd_exec_shell(kdumpctl_t)
 
 dev_read_sysfs(kdumpctl_t)
+# dracut
 dev_manage_all_dev_nodes(kdumpctl_t)
 
 domain_use_interactive_fds(kdumpctl_t)
 
 files_create_kernel_img(kdumpctl_t)
-files_read_etc_files(kdumpctl_t)
 files_read_etc_runtime_files(kdumpctl_t)
-files_read_usr_files(kdumpctl_t)
 files_read_kernel_modules(kdumpctl_t)
 files_getattr_all_dirs(kdumpctl_t)
+files_delete_kernel(kdumpctl_t)
 
 fs_getattr_all_fs(kdumpctl_t)
 fs_search_all(kdumpctl_t)
 
-init_domtrans_script(kdumpctl_t)
+application_executable_ioctl(kdumpctl_t)
+
+auth_read_passwd(kdumpctl_t)
+
 init_exec(kdumpctl_t)
+systemd_exec_systemctl(kdumpctl_t)
+systemd_read_unit_files(kdumpctl_t)
 
 libs_exec_ld_so(kdumpctl_t)
 
 logging_send_syslog_msg(kdumpctl_t)
+# Need log file from /var/log/dracut.log
+logging_write_generic_logs(kdumpctl_t)
+
+selinux_get_enforce_mode(kdumpctl_t)
+
+storage_raw_read_fixed_disk(kdumpctl_t)
+storage_getattr_fixed_disk_dev(kdumpctl_t)
 
-miscfiles_read_localization(kdumpctl_t)
+optional_policy(`
+	networkmanager_dbus_chat(kdumpctl_t)
+')
+
+optional_policy(`
+        gpg_exec(kdumpctl_t)
+')
 
 optional_policy(`
-	gpg_exec(kdumpctl_t)
+        lvm_read_config(kdumpctl_t)
 ')
 
 optional_policy(`
-	lvm_read_config(kdumpctl_t)
+        modutils_domtrans_insmod(kdumpctl_t)
+        modutils_list_module_config(kdumpctl_t)
+        modutils_read_module_config(kdumpctl_t)
 ')
 
 optional_policy(`
-	modutils_domtrans_insmod(kdumpctl_t)
-	modutils_read_module_config(kdumpctl_t)
+        plymouthd_domtrans_plymouth(kdumpctl_t)
 ')
 
 optional_policy(`
-	plymouthd_domtrans_plymouth(kdumpctl_t)
+        ssh_exec(kdumpctl_t)
 ')
 
 optional_policy(`
-	ssh_exec(kdumpctl_t)
+	unconfined_domain(kdumpctl_t)
 ')
diff --git a/kdumpgui.if b/kdumpgui.if
index 182ab8b585..8b1d9c23cb 100644
--- a/kdumpgui.if
+++ b/kdumpgui.if
@@ -1 +1,23 @@
-## <summary>System-config-kdump GUI.</summary>
+## <summary>system-config-kdump GUI</summary>
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	kdumpgui over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kdumpgui_dbus_chat',`
+	gen_require(`
+		type kdumpgui_t;
+		class dbus send_msg;
+	')
+
+	allow $1 kdumpgui_t:dbus send_msg;
+	allow kdumpgui_t $1:dbus send_msg;
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
index 2990962b6a..abd217f1d6 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow s-c-kdump to run bootloader in bootloader_t.
+## </p>
+## </desc>
+gen_tunable(kdumpgui_run_bootloader, false)
+
 type kdumpgui_t;
 type kdumpgui_exec_t;
-init_system_domain(kdumpgui_t, kdumpgui_exec_t)
+init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
 
 type kdumpgui_tmp_t;
 files_tmp_file(kdumpgui_tmp_t)
 
 ######################################
 #
-# Local policy
+# system-config-kdump local policy
 #
 
 allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
-allow kdumpgui_t self:process { setsched sigkill };
 allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
 allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow kdumpgui_t self:process { setsched sigkill };
 
 manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
 manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
 files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
 
-kernel_getattr_core_if(kdumpgui_t)
 kernel_read_system_state(kdumpgui_t)
 kernel_read_network_state(kdumpgui_t)
+kernel_getattr_core_if(kdumpgui_t)
 
 corecmd_exec_bin(kdumpgui_t)
 corecmd_exec_shell(kdumpgui_t)
 
-dev_getattr_all_blk_files(kdumpgui_t)
 dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
 dev_read_sysfs(kdumpgui_t)
+dev_read_urand(kdumpgui_t)
+dev_getattr_all_blk_files(kdumpgui_t)
+dev_read_nvme(kdumpgui_t)
 
 files_manage_boot_files(kdumpgui_t)
 files_manage_boot_symlinks(kdumpgui_t)
+# Needed for running chkconfig
 files_manage_etc_symlinks(kdumpgui_t)
+# for blkid.tab
 files_manage_etc_runtime_files(kdumpgui_t)
 files_etc_filetrans_etc_runtime(kdumpgui_t, file)
-files_read_usr_files(kdumpgui_t)
 
+fs_manage_dos_files(kdumpgui_t)
 fs_getattr_all_fs(kdumpgui_t)
 fs_list_hugetlbfs(kdumpgui_t)
-fs_read_dos_files(kdumpgui_t)
 
 storage_raw_read_fixed_disk(kdumpgui_t)
 storage_raw_write_fixed_disk(kdumpgui_t)
+storage_getattr_removable_dev(kdumpgui_t)
 
 auth_use_nsswitch(kdumpgui_t)
 
+logging_send_syslog_msg(kdumpgui_t)
 logging_list_logs(kdumpgui_t)
 logging_read_generic_logs(kdumpgui_t)
-logging_send_syslog_msg(kdumpgui_t)
-
-miscfiles_read_localization(kdumpgui_t)
 
 mount_exec(kdumpgui_t)
 
 init_dontaudit_read_all_script_files(kdumpgui_t)
+init_access_check(kdumpgui_t)
 
-optional_policy(`
-	bootloader_exec(kdumpgui_t)
-	bootloader_rw_config(kdumpgui_t)
-')
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
 
 optional_policy(`
-	consoletype_exec(kdumpgui_t)
+    tunable_policy(`kdumpgui_run_bootloader',`
+        bootloader_domtrans(kdumpgui_t)
+        #if s-c-kdump is involved
+        bootloader_manage_config(kdumpgui_t)
+    ',`
+        bootloader_exec(kdumpgui_t)
+        bootloader_manage_config(kdumpgui_t)
+    ')
 ')
 
 optional_policy(`
 	dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-
-	optional_policy(`
-		policykit_dbus_chat(kdumpgui_t)
-	')
 ')
 
 optional_policy(`
@@ -87,4 +97,10 @@ optional_policy(`
 optional_policy(`
 	kdump_manage_config(kdumpgui_t)
 	kdump_initrc_domtrans(kdumpgui_t)
+	kdump_systemctl(kdumpgui_t)
+	kdumpctl_domtrans(kdumpgui_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(kdumpgui_t)
 ')
diff --git a/keepalived.fc b/keepalived.fc
new file mode 100644
index 0000000000..9a19f91f3a
--- /dev/null
+++ b/keepalived.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/keepalived.*		--	gen_context(system_u:object_r:keepalived_unit_file_t,s0)
+
+/usr/sbin/keepalived		--	gen_context(system_u:object_r:keepalived_exec_t,s0)
+
+/usr/libexec/keepalived(/.*)?   gen_context(system_u:object_r:keepalived_unconfined_script_exec_t,s0)
+
+/var/run/keepalived.*		--	gen_context(system_u:object_r:keepalived_var_run_t,s0)
diff --git a/keepalived.if b/keepalived.if
new file mode 100644
index 0000000000..bd7e7fa17d
--- /dev/null
+++ b/keepalived.if
@@ -0,0 +1,80 @@
+
+## <summary> keepalived - load-balancing and high-availability service</summary>
+
+########################################
+## <summary>
+##	Execute keepalived in the keepalived domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`keepalived_domtrans',`
+	gen_require(`
+		type keepalived_t, keepalived_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, keepalived_exec_t, keepalived_t)
+')
+########################################
+## <summary>
+##	Execute keepalived server in the keepalived domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`keepalived_systemctl',`
+	gen_require(`
+		type keepalived_t;
+		type keepalived_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 keepalived_unit_file_t:file read_file_perms;
+	allow $1 keepalived_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, keepalived_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an keepalived environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`keepalived_admin',`
+	gen_require(`
+		type keepalived_t;
+	    type keepalived_unit_file_t;
+	')
+
+	allow $1 keepalived_t:process { signal_perms };
+	ps_process_pattern($1, keepalived_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 keepalived_t:process ptrace;
+    ')
+
+	keepalived_systemctl($1)
+	admin_pattern($1, keepalived_unit_file_t)
+	allow $1 keepalived_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
index 0000000000..eb1bb07eb8
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,119 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether keepalived can
+##	connect to all TCP ports.
+##	</p>
+## </desc>
+gen_tunable(keepalived_connect_any, false)
+
+type keepalived_t;
+type keepalived_exec_t;
+init_daemon_domain(keepalived_t, keepalived_exec_t)
+
+type keepalived_unit_file_t;
+systemd_unit_file(keepalived_unit_file_t)
+
+type keepalived_var_run_t;
+files_pid_file(keepalived_var_run_t)
+
+type keepalived_unconfined_script_exec_t;
+application_executable_file(keepalived_unconfined_script_exec_t)
+
+########################################
+#
+# keepalived local policy
+#
+
+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace };
+allow keepalived_t self:process { signal_perms setpgid };
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;
+allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
+allow keepalived_t self:netlink_route_socket nlmsg_write;
+allow keepalived_t self:packet_socket create_socket_perms;
+allow keepalived_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t)
+files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
+
+kernel_read_system_state(keepalived_t)
+kernel_read_network_state(keepalived_t)
+kernel_request_load_module(keepalived_t)
+kernel_read_usermodehelper_state(keepalived_t)
+kernel_search_network_sysctl(keepalived_t)
+kernel_read_net_sysctls(keepalived_t)
+kernel_getattr_proc(keepalived_t)
+
+auth_use_nsswitch(keepalived_t)
+
+corecmd_exec_bin(keepalived_t)
+corecmd_exec_shell(keepalived_t)
+
+corenet_tcp_connect_connlcli_port(keepalived_t)
+corenet_tcp_connect_http_port(keepalived_t)
+corenet_tcp_connect_mysqld_port(keepalived_t)
+corenet_tcp_connect_smtp_port(keepalived_t)
+corenet_tcp_connect_snmp_port(keepalived_t)
+corenet_tcp_connect_agentx_port(keepalived_t)
+corenet_tcp_connect_squid_port(keepalived_t)
+
+domain_read_all_domains_state(keepalived_t)
+domain_getattr_all_domains(keepalived_t)
+
+dev_read_urand(keepalived_t)
+
+modutils_domtrans_insmod(keepalived_t)
+
+logging_send_syslog_msg(keepalived_t)
+
+optional_policy(`
+    iptables_domtrans(keepalived_t)
+')
+
+optional_policy(`
+    rhcs_signull_haproxy(keepalived_t)
+')
+
+optional_policy(`
+    snmp_manage_var_lib_files(keepalived_t)
+    snmp_manage_var_lib_sock_files(keepalived_t)
+    snmp_manage_var_lib_dirs(keepalived_t)
+    snmp_stream_connect(keepalived_t)
+')
+
+tunable_policy(`keepalived_connect_any',`
+	corenet_tcp_connect_all_ports(keepalived_t)
+	corenet_tcp_bind_all_ports(keepalived_t)
+	corenet_sendrecv_all_packets(keepalived_t)
+	corenet_tcp_sendrecv_all_ports(keepalived_t)
+')
+
+########################################
+#
+# keepalived_unconfined_script_script_t local policy
+#
+
+optional_policy(`
+	type keepalived_unconfined_script_t;
+	domain_type(keepalived_unconfined_script_t)
+
+	domain_entry_file(keepalived_unconfined_script_t, keepalived_unconfined_script_exec_t)
+	role system_r types keepalived_unconfined_script_t;
+
+	domtrans_pattern(keepalived_t, keepalived_unconfined_script_exec_t, keepalived_unconfined_script_t)
+
+	allow keepalived_t keepalived_unconfined_script_exec_t:dir search_dir_perms;
+	allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms;
+	allow keepalived_t keepalived_unconfined_script_exec_t:file ioctl;
+
+	optional_policy(`
+		unconfined_domain(keepalived_unconfined_script_t)
+	')
+')
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd63e..3504a9bf74 100644
--- a/kerberos.fc
+++ b/kerberos.fc
@@ -1,52 +1,54 @@
-HOME_DIR/\.k5login	--	gen_context(system_u:object_r:krb5_home_t,s0)
-/root/\.k5login	--	gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+HOME_DIR/\.k5users		--	gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5login			--	gen_context(system_u:object_r:krb5_home_t,s0)
+/root/\.k5users			--	gen_context(system_u:object_r:krb5_home_t,s0)
 
-/etc/krb5\.conf	--	gen_context(system_u:object_r:krb5_conf_t,s0)
-/etc/krb5\.keytab	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5\.conf			--	gen_context(system_u:object_r:krb5_conf_t,s0)
+/etc/krb5\.keytab			gen_context(system_u:object_r:krb5_keytab_t,s0)
 
-/etc/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/etc/krb5kdc/kadm5\.keytab	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
-/etc/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/etc/krb5kdc(/.*)?			gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5\.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
 /etc/rc\.d/init\.d/kadmind	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 
-/usr/kerberos/sbin/krb5kdc	--	gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/kerberos/sbin/kadmind	--	gen_context(system_u:object_r:kadmind_exec_t,s0)
-/usr/kerberos/sbin/kadmin\.local	--	gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/\_kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/kerberos/sbin/kadmin\.local --	gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kpropd	--	gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/kpropd	--	gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/\_kpropd	--	gen_context(system_u:object_r:kpropd_exec_t,s0)
 
-/usr/local/kerberos/sbin/krb5kdc	--	gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/local/kerberos/sbin/kadmind	--	gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
-/usr/sbin/krb5kdc	--	gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/sbin/kadmind	--	gen_context(system_u:object_r:kadmind_exec_t,s0)
+/var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
+/var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 
-/usr/local/var/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/lib/kdcproxy(/.*)?         gen_context(system_u:object_r:krb5kdc_var_lib_t,s0)
 
-/usr/var/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/log/krb5kdc\.log.*			gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.*		gen_context(system_u:object_r:kadmind_log_t,s0)
 
-/var/cache/krb5rcache(/.*)?	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/cache/krb5rcache(/.*)?	 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 
-/var/kerberos/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-/var/kerberos/krb5kdc/kadm5\.keytab	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
-/var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/var/kerberos/krb5kdc/principal.*\.ok	--	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
-/var/log/krb5kdc\.log.*	--	gen_context(system_u:object_r:krb5kdc_log_t,s0)
-/var/log/kadmin\.log.*	--	gen_context(system_u:object_r:kadmind_log_t,s0)
-/var/log/kadmind\.log.*	--	gen_context(system_u:object_r:kadmind_log_t,s0)
-
-/var/tmp/host_0	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/HTTP_23	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/HTTP_48	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/imap_0	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/nfs_0	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldapmap1_0	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_487	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-/var/tmp/ldap_55	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/run/krb5kdc(/.*)?          gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+
+/var/tmp/DNS_25			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/kadmin_0       --  gen_context(system_u:object_r:kadmind_tmp_t,s0)
+/var/tmp/kiprop_0       --  gen_context(system_u:object_r:kadmind_tmp_t,s0)
+/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_48		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/imap_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/nfs_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
index f6c00d8e60..79ea4d8d28 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
-## <summary>MIT Kerberos admin and KDC.</summary>
+## <summary>MIT Kerberos admin and KDC</summary>
+## <desc>
+##	<p>
+##	This policy supports:
+##	</p>
+##	<p>
+##	Servers:
+##	<ul>
+##		<li>kadmind</li>
+##		<li>krb5kdc</li>
+##	</ul>
+##	</p>
+##	<p>
+##	Clients:
+##	<ul>
+##		<li>kinit</li>
+##		<li>kdestroy</li>
+##		<li>klist</li>
+##		<li>ksu (incomplete)</li>
+##	</ul>
+##	</p>
+## </desc>
 
 ########################################
 ## <summary>
-##	Role access for kerberos.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-template(`kerberos_role',`
-	refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-##	Execute kadmind in the caller domain.
+##	Execute kadmind in the current domain
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',`
 		type kadmind_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, kadmind_exec_t)
 ')
 
@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',`
 		type kpropd_t, kpropd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, kpropd_exec_t, kpropd_t)
 ')
 
 ########################################
 ## <summary>
-##	Support kerberos services.
+##	Use kerberos services
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -69,45 +69,45 @@ interface(`kerberos_domtrans_kpropd',`
 #
 interface(`kerberos_use',`
 	gen_require(`
-		type krb5kdc_conf_t, krb5_host_rcache_t;
+		type krb5_conf_t, krb5kdc_conf_t;
+		type krb5_host_rcache_t;
 	')
 
-	kerberos_read_config($1)
-
-	dontaudit $1 krb5_conf_t:file write_file_perms;
+	files_search_etc($1)
+	read_files_pattern($1, krb5_conf_t, krb5_conf_t)
+	list_dirs_pattern($1, krb5_conf_t, krb5_conf_t)
+	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
 
+	#kerberos libraries are attempting to set the correct file context
 	dontaudit $1 self:process setfscreate;
-
 	selinux_dontaudit_validate_context($1)
-	seutil_dontaudit_read_file_contexts($1)
+	seutil_read_file_contexts($1)
 
-	tunable_policy(`allow_kerberos',`
+	tunable_policy(`kerberos_enabled',`
 		allow $1 self:tcp_socket create_socket_perms;
 		allow $1 self:udp_socket create_socket_perms;
 
-		corenet_all_recvfrom_unlabeled($1)
-		corenet_all_recvfrom_netlabel($1)
 		corenet_tcp_sendrecv_generic_if($1)
 		corenet_udp_sendrecv_generic_if($1)
 		corenet_tcp_sendrecv_generic_node($1)
 		corenet_udp_sendrecv_generic_node($1)
-
-		corenet_sendrecv_kerberos_client_packets($1)
-		corenet_tcp_connect_kerberos_port($1)
 		corenet_tcp_sendrecv_kerberos_port($1)
 		corenet_udp_sendrecv_kerberos_port($1)
-
-		corenet_sendrecv_ocsp_client_packets($1)
+		corenet_tcp_bind_generic_node($1)
+		corenet_udp_bind_generic_node($1)
+		corenet_tcp_connect_kerberos_port($1)
 		corenet_tcp_connect_ocsp_port($1)
-		corenet_tcp_sendrecv_ocsp_port($1)
+		corenet_sendrecv_kerberos_client_packets($1)
+		corenet_sendrecv_ocsp_client_packets($1)
 
+		allow $1 krb5_host_rcache_t:dir search_dir_perms;
 		allow $1 krb5_host_rcache_t:file getattr_file_perms;
 	')
 
 	optional_policy(`
-		tunable_policy(`allow_kerberos',`
+		tunable_policy(`kerberos_enabled',`
 			pcscd_stream_connect($1)
 		')
 	')
@@ -119,7 +119,7 @@ interface(`kerberos_use',`
 
 ########################################
 ## <summary>
-##	Read kerberos configuration files.
+##	Read the kerberos configuration file (/etc/krb5.conf).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -135,15 +135,13 @@ interface(`kerberos_read_config',`
 
 	files_search_etc($1)
 	allow $1 krb5_conf_t:file read_file_perms;
-
-	userdom_search_user_home_dirs($1)
 	allow $1 krb5_home_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	kerberos configuration files.
+##	Do not audit attempts to write the kerberos
+##	configuration file (/etc/krb5.conf).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -156,13 +154,12 @@ interface(`kerberos_dontaudit_write_config',`
 		type krb5_conf_t;
 	')
 
-	dontaudit $1 krb5_conf_t:file write_file_perms;
+	dontaudit $1 krb5_conf_t:file write;
 ')
 
 ########################################
 ## <summary>
-##	Read and write kerberos
-##	configuration files.
+##	Read and write the kerberos configuration file (/etc/krb5.conf).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -182,27 +179,27 @@ interface(`kerberos_rw_config',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	kerberos home files.
+##	Read the kerberos key table.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`kerberos_manage_krb5_home_files',`
+interface(`kerberos_read_keytab',`
 	gen_require(`
-		type krb5_home_t;
+		type krb5_keytab_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 krb5_home_t:file manage_file_perms;
+	files_search_etc($1)
+	allow $1 krb5_keytab_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel kerberos home files.
+##	Read/Write the kerberos key table.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -210,220 +207,252 @@ interface(`kerberos_manage_krb5_home_files',`
 ##	</summary>
 ## </param>
 #
-interface(`kerberos_relabel_krb5_home_files',`
+interface(`kerberos_rw_keytab',`
 	gen_require(`
-		type krb5_home_t;
+		type krb5_keytab_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 krb5_home_t:file relabel_file_perms;
+	files_search_etc($1)
+	allow $1 krb5_keytab_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the krb5 home type.
+##	Create keytab file in /etc
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
 ## <param name="name" optional="true">
 ##	<summary>
 ##	The name of the object being created.
 ##	</summary>
 ## </param>
 #
-interface(`kerberos_home_filetrans_krb5_home',`
+interface(`kerberos_etc_filetrans_keytab',`
 	gen_require(`
-		type krb5_home_t;
+		type krb5_keytab_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+	allow $1 krb5_keytab_t:file manage_file_perms;
+	files_etc_filetrans($1, krb5_keytab_t, file, $2)
 ')
 
 ########################################
 ## <summary>
-##	Read kerberos key table files.
+##	Create a derived type for kerberos keytab
 ## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`kerberos_read_keytab',`
-	gen_require(`
-		type krb5_keytab_t;
-	')
-
-	files_search_etc($1)
-	allow $1 krb5_keytab_t:file read_file_perms;
+template(`kerberos_keytab_template',`
+	refpolicywarn(`$0($*) has been deprecated.')
+	kerberos_read_keytab($2)
+	kerberos_use($2)
 ')
 
 ########################################
 ## <summary>
-##	Read and write kerberos key table files.
+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`kerberos_rw_keytab',`
+interface(`kerberos_read_kdc_config',`
 	gen_require(`
-		type krb5_keytab_t;
+		type krb5kdc_conf_t;
 	')
 
 	files_search_etc($1)
-	allow $1 krb5_keytab_t:file rw_file_perms;
+	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	kerberos key table files.
+##	Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`kerberos_manage_keytab_files',`
+interface(`kerberos_manage_kdc_config',`
 	gen_require(`
-		type krb5_keytab_t;
+		type krb5kdc_conf_t;
 	')
 
 	files_search_etc($1)
-	allow $1 krb5_keytab_t:file manage_file_perms;
+	manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+	manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in generic
-##	etc directories with the kerberos
-##	keytab file type.
+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`kerberos_etc_filetrans_keytab',`
+interface(`kerberos_read_host_rcache',`
 	gen_require(`
-		type krb5_keytab_t;
+		type krb5_host_rcache_t;
 	')
-
-	files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+    read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
 ')
 
 ########################################
 ## <summary>
-##	Create a derived type for kerberos
-##	keytab files.
+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
 ## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix to be used for deriving type names.
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-template(`kerberos_keytab_template',`
-	refpolicywarn(`$0($*) has been deprecated.')
-	kerberos_read_keytab($2)
-	kerberos_use($2)
+interface(`kerberos_manage_host_rcache',`
+	gen_require(`
+		type krb5_host_rcache_t;
+	')
+
+	# creates files as system_u no matter what the selinux user
+	# cjp: should be in the below tunable but typeattribute
+	# does not work in conditionals
+	domain_obj_id_change_exemption($1)
+
+	tunable_policy(`kerberos_enabled',`
+		allow $1 self:process setfscreate;
+
+		selinux_validate_context($1)
+
+		seutil_read_file_contexts($1)
+
+		files_rw_generic_tmp_dir($1)
+		manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+		files_search_tmp($1)
+	')
 ')
 
 ########################################
 ## <summary>
-##	Read kerberos kdc configuration files.
+##	All of the rules required to administrate 
+##	an kerberos environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the kerberos domain.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
-interface(`kerberos_read_kdc_config',`
+interface(`kerberos_admin',`
 	gen_require(`
-		type krb5kdc_conf_t;
+		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+		type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+		type krb5kdc_var_run_t, krb5_host_rcache_t;
 	')
 
-	files_search_etc($1)
-	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+	allow $1 kadmind_t:process signal_perms;
+	ps_process_pattern($1, kadmind_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kadmind_t:process ptrace;
+		allow $1 krb5kdc_t:process ptrace;
+		allow $1 kpropd_t:process ptrace;
+	')
+
+	allow $1 krb5kdc_t:process signal_perms;
+	ps_process_pattern($1, krb5kdc_t)
+
+	allow $1 kpropd_t:process signal_perms;
+	ps_process_pattern($1, kpropd_t)
+
+	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 kerberos_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_list_logs($1)
+	admin_pattern($1, kadmind_log_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, kadmind_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, kadmind_var_run_t)
+
+	admin_pattern($1, krb5_conf_t)
+
+	admin_pattern($1, krb5_host_rcache_t)
+
+	admin_pattern($1, krb5_keytab_t)
+
+	admin_pattern($1, krb5kdc_principal_t)
+
+	admin_pattern($1, krb5kdc_tmp_t)
+
+	admin_pattern($1, krb5kdc_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	kerberos host rcache files.
+##	Type transition files created in /tmp
+##	to the krb5_host_rcache type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`kerberos_manage_host_rcache',`
+interface(`kerberos_tmp_filetrans_host_rcache',`
 	gen_require(`
 		type krb5_host_rcache_t;
 	')
 
-	domain_obj_id_change_exemption($1)
-
-	tunable_policy(`allow_kerberos',`
-		allow $1 self:process setfscreate;
-
-		selinux_validate_context($1)
-
-		seutil_read_file_contexts($1)
-
-		files_search_tmp($1)
-		allow $1 krb5_host_rcache_t:file manage_file_perms;
-	')
+	manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+	files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in generic temporary
-##	directories with the kerberos host
-##	rcache type.
+##	Type transition files created in /tmp
+##	to the kadmind_tmp type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
@@ -432,17 +461,18 @@ interface(`kerberos_manage_host_rcache',`
 ##	</summary>
 ## </param>
 #
-interface(`kerberos_tmp_filetrans_host_rcache',`
+interface(`kerberos_tmp_filetrans_kadmin',`
 	gen_require(`
-		type krb5_host_rcache_t;
+		type kadmind_tmp_t;
 	')
 
-	files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
+	manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
+	files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
 ')
 
 ########################################
 ## <summary>
-##	Connect to krb524 service.
+##	read kerberos homedir content (.k5login)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -450,82 +480,109 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
 ##	</summary>
 ## </param>
 #
-interface(`kerberos_connect_524',`
-	tunable_policy(`allow_kerberos',`
-		allow $1 self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled($1)
-		corenet_all_recvfrom_netlabel($1)
-		corenet_udp_sendrecv_generic_if($1)
-		corenet_udp_sendrecv_generic_node($1)
-
-		corenet_sendrecv_kerberos_master_client_packets($1)
-		corenet_udp_sendrecv_kerberos_master_port($1)
+interface(`kerberos_read_home_content',`
+	gen_require(`
+		type krb5_home_t;
 	')
+
+	userdom_search_user_home_dirs($1)
+	read_files_pattern($1, krb5_home_t, krb5_home_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an kerberos environment.
+##	Manage the kerberos kdc /var/lib files
+##  and directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
-interface(`kerberos_admin',`
+interface(`kerberos_manage_kdc_var_lib',`
 	gen_require(`
-		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
-		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
-		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-		type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
-		type krb5kdc_var_run_t, krb5_host_rcache_t;
+		type krb5kdc_var_lib_t;
 	')
 
-	allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
-	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
-
-	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 kerberos_initrc_exec_t system_r;
-	allow $2 system_r;
+	files_search_etc($1)
+	manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+    manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+')
 
-	logging_list_logs($1)
-	admin_pattern($1, kadmind_log_t)
+########################################
+## <summary>
+##	create kerberos content in the  in the /root directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_filetrans_admin_home_content',`
+	gen_require(`
+		type krb5_home_t;
+	')
 
-	files_list_tmp($1)
-	admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
+	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
+')
 
-	kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
-	kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
-	kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
-	kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
-	kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
-	kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
-	kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
-	kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+########################################
+## <summary>
+##	Transition to kerberos named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_filetrans_home_content',`
+	gen_require(`
+		type krb5_home_t;
+	')
 
-	files_list_pids($1)
-	admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
+	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
+')
 
-	files_list_etc($1)
-	admin_pattern($1, krb5_conf_t)
+########################################
+## <summary>
+##	Transition to kerberos named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+	gen_require(`
+		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+		type krb5kdc_principal_t;
+	')
 
 	files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-
-	admin_pattern($1, { krb5_keytab_t  krb5kdc_principal_t })
-
+	filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
 	filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
 	filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
 	filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
-
-	kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab")
+	#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+	kerberos_etc_filetrans_keytab($1, "krb5.keytab")
+	kerberos_filetrans_admin_home_content($1)
+
+	kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
+	kerberos_tmp_filetrans_host_rcache($1, "host_0")
+	kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
+	kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
+	kerberos_tmp_filetrans_host_rcache($1, "imap_0")
+	kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
+	kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
+	kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
+	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
 ')
diff --git a/kerberos.te b/kerberos.te
index 8833d596d0..3519d8b7b8 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether kerberos is supported.
-##	</p>
+## <p>
+## Allow confined applications to run with kerberos.
+## </p>
 ## </desc>
-gen_tunable(allow_kerberos, false)
+gen_tunable(kerberos_enabled, false)
 
 type kadmind_t;
 type kadmind_exec_t;
@@ -35,23 +35,29 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
 domain_obj_id_change_exemption(kpropd_t)
 
 type krb5_conf_t;
-files_type(krb5_conf_t)
+files_config_file(krb5_conf_t)
 
 type krb5_home_t;
 userdom_user_home_content(krb5_home_t)
 
-type krb5_host_rcache_t;
+type krb5_host_rcache_t alias saslauthd_tmp_t;
 files_tmp_file(krb5_host_rcache_t)
 
+# types for general configuration files in /etc
 type krb5_keytab_t;
 files_security_file(krb5_keytab_t)
 
+# types for KDC configs and principal file(s)
 type krb5kdc_conf_t;
-files_type(krb5kdc_conf_t)
+files_config_file(krb5kdc_conf_t)
 
 type krb5kdc_lock_t;
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
 
+type krb5kdc_var_lib_t;
+files_type(krb5kdc_var_lib_t)
+
+# types for KDC principal file(s)
 type krb5kdc_principal_t;
 files_type(krb5kdc_principal_t)
 
@@ -74,28 +80,33 @@ files_pid_file(krb5kdc_var_run_t)
 # kadmind local policy
 #
 
-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
-dontaudit kadmind_t self:capability sys_tty_config;
+# Use capabilities. Surplus capabilities may be allowed.
+allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search dac_override sys_nice };
 allow kadmind_t self:capability2 block_suspend;
+dontaudit kadmind_t self:capability sys_tty_config;
 allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
 allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:tcp_socket { accept listen };
+allow kadmind_t self:unix_dgram_socket { connect create write };
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
 allow kadmind_t self:udp_socket create_socket_perms;
 
-allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow kadmind_t kadmind_log_t:file manage_file_perms;
 logging_log_filetrans(kadmind_t, kadmind_log_t, file)
 
 allow kadmind_t krb5_conf_t:file read_file_perms;
-dontaudit kadmind_t krb5_conf_t:file write_file_perms;
+dontaudit kadmind_t krb5_conf_t:file write;
 
-read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
 
 allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
 
-allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
+allow kadmind_t krb5kdc_principal_t:file { manage_file_perms map };
 filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
 
+allow kadmind_t krb5_keytab_t:file read_file_perms;
+
+can_exec(kadmind_t, kadmind_exec_t)
+
 manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
 manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
 files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
@@ -103,13 +114,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
 manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
 files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
 
-can_exec(kadmind_t, kadmind_exec_t)
-
 kernel_read_kernel_sysctls(kadmind_t)
+kernel_list_proc(kadmind_t)
 kernel_read_network_state(kadmind_t)
+kernel_read_proc_symlinks(kadmind_t)
 kernel_read_system_state(kadmind_t)
 
-corenet_all_recvfrom_unlabeled(kadmind_t)
+corecmd_exec_bin(kadmind_t)
+corecmd_exec_shell(kadmind_t)
+
 corenet_all_recvfrom_netlabel(kadmind_t)
 corenet_tcp_sendrecv_generic_if(kadmind_t)
 corenet_udp_sendrecv_generic_if(kadmind_t)
@@ -119,31 +132,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
 corenet_udp_sendrecv_all_ports(kadmind_t)
 corenet_tcp_bind_generic_node(kadmind_t)
 corenet_udp_bind_generic_node(kadmind_t)
-
-corenet_sendrecv_all_server_packets(kadmind_t)
 corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_kerberos_password_port(kadmind_t)
 corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_password_port(kadmind_t)
 corenet_tcp_bind_reserved_port(kadmind_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
+corenet_tcp_bind_kprop_port(kadmind_t)
+corenet_tcp_connect_kprop_port(kadmind_t)
 
 dev_read_sysfs(kadmind_t)
+dev_read_rand(kadmind_t)
+dev_read_urand(kadmind_t)
 
 fs_getattr_all_fs(kadmind_t)
 fs_search_auto_mountpoints(kadmind_t)
+fs_rw_anon_inodefs_files(kadmind_t)
 
 domain_use_interactive_fds(kadmind_t)
 
 files_read_etc_files(kadmind_t)
-files_read_usr_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
 files_read_var_files(kadmind_t)
 
 selinux_validate_context(kadmind_t)
 
+auth_read_passwd(kadmind_t)
+
 logging_send_syslog_msg(kadmind_t)
 
+miscfiles_read_generic_certs(kadmind_t)
 miscfiles_read_localization(kadmind_t)
 
+seutil_read_config(kadmind_t)
 seutil_read_file_contexts(kadmind_t)
 
+sysnet_read_config(kadmind_t)
 sysnet_use_ldap(kadmind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
@@ -153,12 +179,17 @@ optional_policy(`
 	ldap_stream_connect(kadmind_t)
 ')
 
+optional_policy(`
+	dirsrv_stream_connect(kadmind_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(kadmind_t)
 ')
 
 optional_policy(`
 	sssd_read_public_files(kadmind_t)
+    sssd_stream_connect(kadmind_t)
 ')
 
 optional_policy(`
@@ -174,24 +205,28 @@ optional_policy(`
 # Krb5kdc local policy
 #
 
-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
-dontaudit krb5kdc_t self:capability sys_tty_config;
+# Use capabilities. Surplus capabilities may be allowed.
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search dac_override sys_nice };
 allow krb5kdc_t self:capability2 block_suspend;
+dontaudit krb5kdc_t self:capability sys_tty_config;
 allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t self:tcp_socket { accept listen };
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
 allow krb5kdc_t self:udp_socket create_socket_perms;
 allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
 
 allow krb5kdc_t krb5_conf_t:file read_file_perms;
 dontaudit krb5kdc_t krb5_conf_t:file write;
 
+can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+list_dirs_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
 read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
 
 allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
 
-allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
 
 allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
@@ -201,77 +236,93 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
 files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
 
 manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
 
-can_exec(krb5kdc_t, krb5kdc_exec_t)
+manage_files_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
+manage_dirs_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
 
 kernel_read_system_state(krb5kdc_t)
 kernel_read_kernel_sysctls(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
+kernel_read_proc_symlinks(krb5kdc_t)
 kernel_read_network_state(krb5kdc_t)
 kernel_search_network_sysctl(krb5kdc_t)
 
 corecmd_exec_bin(krb5kdc_t)
 
-corenet_all_recvfrom_unlabeled(krb5kdc_t)
 corenet_all_recvfrom_netlabel(krb5kdc_t)
 corenet_tcp_sendrecv_generic_if(krb5kdc_t)
 corenet_udp_sendrecv_generic_if(krb5kdc_t)
 corenet_tcp_sendrecv_generic_node(krb5kdc_t)
 corenet_udp_sendrecv_generic_node(krb5kdc_t)
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
 corenet_tcp_bind_generic_node(krb5kdc_t)
 corenet_udp_bind_generic_node(krb5kdc_t)
-
-corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
 corenet_tcp_bind_kerberos_port(krb5kdc_t)
 corenet_udp_bind_kerberos_port(krb5kdc_t)
-corenet_tcp_sendrecv_kerberos_port(krb5kdc_t)
-corenet_udp_sendrecv_kerberos_port(krb5kdc_t)
-
-corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
 corenet_tcp_connect_ocsp_port(krb5kdc_t)
-corenet_tcp_sendrecv_ocsp_port(krb5kdc_t)
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
 
 dev_read_sysfs(krb5kdc_t)
+dev_read_urand(krb5kdc_t)
 
 fs_getattr_all_fs(krb5kdc_t)
 fs_search_auto_mountpoints(krb5kdc_t)
+fs_rw_anon_inodefs_files(krb5kdc_t)
 
 domain_use_interactive_fds(krb5kdc_t)
 
-files_read_etc_files(krb5kdc_t)
 files_read_usr_symlinks(krb5kdc_t)
 files_read_var_files(krb5kdc_t)
 
 selinux_validate_context(krb5kdc_t)
 
+auth_use_nsswitch(krb5kdc_t)
+
 logging_send_syslog_msg(krb5kdc_t)
 
 miscfiles_read_generic_certs(krb5kdc_t)
-miscfiles_read_localization(krb5kdc_t)
 
 seutil_read_file_contexts(krb5kdc_t)
 
+sysnet_read_config(krb5kdc_t)
 sysnet_use_ldap(krb5kdc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
 userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
 
+optional_policy(`
+    ipa_stream_connect_otpd(krb5kdc_t)
+')
+
 optional_policy(`
 	ldap_stream_connect(krb5kdc_t)
 ')
 
+optional_policy(`
+	dirsrv_stream_connect(krb5kdc_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(krb5kdc_t)
 ')
 
 optional_policy(`
-	sssd_read_public_files(krb5kdc_t)
+	realmd_read_var_lib(krb5kdc_t)
 ')
 
 optional_policy(`
 	seutil_sigchld_newrole(krb5kdc_t)
 ')
 
+optional_policy(`
+	sssd_read_public_files(krb5kdc_t)
+')
+
 optional_policy(`
 	udev_read_db(krb5kdc_t)
 ')
@@ -281,10 +332,12 @@ optional_policy(`
 # kpropd local policy
 #
 
+allow kpropd_t self:capability net_bind_service;
 allow kpropd_t self:process setfscreate;
-allow kpropd_t self:fifo_file rw_fifo_file_perms;
-allow kpropd_t self:unix_stream_socket { accept listen };
-allow kpropd_t self:tcp_socket { accept listen };
+
+allow kpropd_t self:fifo_file rw_file_perms;
+allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
+allow kpropd_t self:tcp_socket create_stream_socket_perms;
 
 allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
 
@@ -296,32 +349,35 @@ manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
 filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
 
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+allow kpropd_t krb5kdc_principal_t:file map;
 
 manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
 manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
 files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
 
+kernel_read_system_state(kpropd_t)
+kernel_read_network_state(kpropd_t)
+
+can_exec(kpropd_t,kpropd_exec_t)
+
 corecmd_exec_bin(kpropd_t)
 
-corenet_all_recvfrom_unlabeled(kpropd_t)
 corenet_tcp_sendrecv_generic_if(kpropd_t)
 corenet_tcp_sendrecv_generic_node(kpropd_t)
+corenet_tcp_sendrecv_all_ports(kpropd_t)
 corenet_tcp_bind_generic_node(kpropd_t)
-
-corenet_sendrecv_kprop_server_packets(kpropd_t)
 corenet_tcp_bind_kprop_port(kpropd_t)
-corenet_tcp_sendrecv_kprop_port(kpropd_t)
+corenet_tcp_connect_kprop_port(kpropd_t)
 
 dev_read_urand(kpropd_t)
 
-files_read_etc_files(kpropd_t)
 files_search_tmp(kpropd_t)
 
 selinux_validate_context(kpropd_t)
 
-logging_send_syslog_msg(kpropd_t)
+auth_use_nsswitch(kpropd_t)
 
-miscfiles_read_localization(kpropd_t)
+logging_send_syslog_msg(kpropd_t)
 
 seutil_read_file_contexts(kpropd_t)
 
diff --git a/kerneloops.if b/kerneloops.if
index 714448f8d9..fa0c994e50 100644
--- a/kerneloops.if
+++ b/kerneloops.if
@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',`
 #
 interface(`kerneloops_admin',`
 	gen_require(`
-		type kerneloops_t, kerneloops_initrc_exec_t;
-		type kerneloops_tmp_t;
+		type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
 	')
 
-	allow $1 kerneloops_t:process { ptrace signal_perms };
+	allow $1 kerneloops_t:process signal_perms;
 	ps_process_pattern($1, kerneloops_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kerneloops_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 kerneloops_initrc_exec_t system_r;
diff --git a/kerneloops.te b/kerneloops.te
index bcdb29599b..f6e3736dd3 100644
--- a/kerneloops.te
+++ b/kerneloops.te
@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
 
 domain_use_interactive_fds(kerneloops_t)
 
-corenet_all_recvfrom_unlabeled(kerneloops_t)
 corenet_all_recvfrom_netlabel(kerneloops_t)
 corenet_tcp_sendrecv_generic_if(kerneloops_t)
 corenet_tcp_sendrecv_generic_node(kerneloops_t)
@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t)
 logging_send_syslog_msg(kerneloops_t)
 logging_read_generic_logs(kerneloops_t)
 
-miscfiles_read_localization(kerneloops_t)
-
 optional_policy(`
 	dbus_system_domain(kerneloops_t, kerneloops_exec_t)
 ')
diff --git a/keyboardd.if b/keyboardd.if
index 8982b9106c..6134ef2584 100644
--- a/keyboardd.if
+++ b/keyboardd.if
@@ -1,19 +1,39 @@
-## <summary>Xorg.conf keyboard layout callout.</summary>
 
-######################################
+## <summary>policy for system-setup-keyboard daemon</summary>
+
+########################################
 ## <summary>
-##	Read keyboardd unnamed pipes.
+##	Execute a domain transition to run keyboard setup daemon.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
-interface(`keyboardd_read_pipes',`
+interface(`keyboardd_domtrans',`
 	gen_require(`
-		type keyboardd_t;
+		type keyboardd_t, keyboardd_exec_t;
+	')
+
+	domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
+')
+
+######################################
+## <summary>
+##  Allow attempts to read  to
+##  keyboardd unnamed pipes.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`keyboardd_read_pipes',`
+    gen_require(`
+            type keyboardd_t;
 	')
 
-	allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
+    allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
 ')
diff --git a/keyboardd.te b/keyboardd.te
index 628b78b4b8..fe656175e2 100644
--- a/keyboardd.te
+++ b/keyboardd.te
@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
 
 files_manage_etc_runtime_files(keyboardd_t)
 files_etc_filetrans_etc_runtime(keyboardd_t, file)
-files_read_etc_files(keyboardd_t)
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
index b273d803c2..6b2b50d699 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,7 +1,13 @@
+/usr/lib/systemd/system/openstack-keystone.*		--	gen_context(system_u:object_r:keystone_unit_file_t,s0)
+
 /etc/rc\.d/init\.d/openstack-keystone	--	gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
 
 /usr/bin/keystone-all	--	gen_context(system_u:object_r:keystone_exec_t,s0)
 
+/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
+
 /var/lib/keystone(/.*)?	gen_context(system_u:object_r:keystone_var_lib_t,s0)
 
 /var/log/keystone(/.*)?	gen_context(system_u:object_r:keystone_log_t,s0)
+
+/var/run/keystone(/.*)?	gen_context(system_u:object_r:keystone_var_run_t,s0)
diff --git a/keystone.if b/keystone.if
index e88fb16e06..ec6121a5c8 100644
--- a/keystone.if
+++ b/keystone.if
@@ -1,42 +1,219 @@
-## <summary>Python implementation of the OpenStack identity service API.</summary>
+
+## <summary>policy for keystone</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an keystone environment.
+##	Transition to keystone.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`keystone_domtrans',`
+	gen_require(`
+		type keystone_t, keystone_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, keystone_exec_t, keystone_t)
+')
+########################################
+## <summary>
+##	Read keystone's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+## <rolecap/>
+#
+interface(`keystone_read_log',`
+	gen_require(`
+		type keystone_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+## <summary>
+##	Append to keystone log files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`keystone_append_log',`
+	gen_require(`
+		type keystone_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+## <summary>
+##	Manage keystone log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`keystone_manage_log',`
+	gen_require(`
+		type keystone_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
+	manage_files_pattern($1, keystone_log_t, keystone_log_t)
+	manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
+')
+
+########################################
+## <summary>
+##	Search keystone lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`keystone_search_lib',`
+	gen_require(`
+		type keystone_var_lib_t;
+	')
+
+	allow $1 keystone_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read keystone lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`keystone_read_lib_files',`
+	gen_require(`
+		type keystone_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage keystone lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`keystone_manage_lib_files',`
+	gen_require(`
+		type keystone_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage keystone lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`keystone_manage_lib_dirs',`
+	gen_require(`
+		type keystone_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute keystone server in the keystone domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`keystone_systemctl',`
+	gen_require(`
+		type keystone_t;
+		type keystone_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 keystone_unit_file_t:file read_file_perms;
+	allow $1 keystone_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, keystone_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an keystone environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`keystone_admin',`
 	gen_require(`
-		type keystone_t, keystone_initrc_exec_t, keystone_log_t;
-		type keystone_var_lib_t, keystone_tmp_t;
+		type keystone_t;
+		type keystone_log_t;
+		type keystone_var_lib_t;
+		type keystone_unit_file_t;
 	')
 
 	allow $1 keystone_t:process { ptrace signal_perms };
 	ps_process_pattern($1, keystone_t)
 
-	init_labeled_script_domtrans($1, keystone_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 keystone_initrc_exec_t system_r;
-	allow $2 system_r;
-
 	logging_search_logs($1)
 	admin_pattern($1, keystone_log_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, keystone_var_lib_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, keystone_tmp_t)
+	keystone_systemctl($1)
+	admin_pattern($1, keystone_unit_file_t)
+	allow $1 keystone_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/keystone.te b/keystone.te
index 9929647749..c573d0ed53 100644
--- a/keystone.te
+++ b/keystone.te
@@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
 type keystone_var_lib_t;
 files_type(keystone_var_lib_t)
 
+type keystone_var_run_t;
+files_pid_file(keystone_var_run_t)
+
 type keystone_tmp_t;
 files_tmp_file(keystone_tmp_t)
 
+type keystone_unit_file_t;
+systemd_unit_file(keystone_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
+allow keystone_t self:process { getsched setsched signal };
 
 allow keystone_t self:fifo_file rw_fifo_file_perms;
 allow keystone_t self:unix_stream_socket { accept listen };
@@ -45,6 +52,10 @@ manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
 manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
 files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)
 
+manage_dirs_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
+manage_files_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t)
+files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })
+
 can_exec(keystone_t, keystone_tmp_t)
 
 kernel_read_system_state(keystone_t)
@@ -57,20 +68,53 @@ corenet_all_recvfrom_netlabel(keystone_t)
 corenet_tcp_sendrecv_generic_if(keystone_t)
 corenet_tcp_sendrecv_generic_node(keystone_t)
 corenet_tcp_bind_generic_node(keystone_t)
+corenet_tcp_connect_mysqld_port(keystone_t)
+corenet_tcp_connect_ldap_port(keystone_t)
+corenet_tcp_connect_keystone_port(keystone_t)
+corenet_tcp_connect_amqp_port(keystone_t)
+corenet_tcp_connect_osapi_compute_port(keystone_t)
 
 corenet_sendrecv_commplex_main_server_packets(keystone_t)
 corenet_tcp_bind_commplex_main_port(keystone_t)
 corenet_tcp_sendrecv_commplex_main_port(keystone_t)
 
-files_read_usr_files(keystone_t)
+corenet_tcp_bind_keystone_port(keystone_t)
 
 auth_use_pam(keystone_t)
 
 libs_exec_ldconfig(keystone_t)
 
-miscfiles_read_localization(keystone_t)
+optional_policy(`
+	ldap_stream_connect(keystone_t)
+')
 
 optional_policy(`
 	mysql_stream_connect(keystone_t)
 	mysql_tcp_connect(keystone_t)
+	mysql_read_db_lnk_files(keystone_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(keystone_t)
+')
+
+optional_policy(`
+    rpm_exec(keystone_t)
+')
+
+#######################################
+#
+# Cgi local policy
+#
+
+optional_policy(`
+	apache_content_template(keystone_cgi)
+	apache_content_alias_template(keystone_cgi, keystone_cgi)
+
+	getattr_dirs_pattern(keystone_cgi_script_t, keystone_var_lib_t, keystone_var_lib_t)
+
+	read_files_pattern(keystone_cgi_script_t, keystone_log_t, keystone_log_t)
+
+    corenet_tcp_bind_commplex_main_port(keystone_cgi_script_t)
+    corenet_tcp_sendrecv_commplex_main_port(keystone_cgi_script_t)
 ')
diff --git a/kismet.if b/kismet.if
index aa2a3379be..7ff229f325 100644
--- a/kismet.if
+++ b/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
 interface(`kismet_admin',`
 	gen_require(`
 		type kismet_t, kismet_var_lib_t, kismet_var_run_t;
-		type kismet_log_t, kismet_tmp_t;
+		type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
 	')
 
 	init_labeled_script_domtrans($1, kismet_initrc_exec_t)
@@ -292,7 +292,11 @@ interface(`kismet_admin',`
 	allow $2 system_r;
 
 	ps_process_pattern($1, kismet_t)
-	allow $1 kismet_t:process { ptrace signal_perms };
+	allow $1 kismet_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kismet_t:process ptrace;
+	')
 
 	files_search_var_lib($1)
 	admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
index 8ad0d4d507..01e5037909 100644
--- a/kismet.te
+++ b/kismet.te
@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t)
 # Local policy
 #
 
-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
+allow kismet_t self:capability { dac_read_search dac_override kill net_admin net_raw setuid setgid };
 allow kismet_t self:process signal_perms;
 allow kismet_t self:fifo_file rw_fifo_file_perms;
 allow kismet_t self:packet_socket create_socket_perms;
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
 
 corecmd_exec_bin(kismet_t)
 
-corenet_all_recvfrom_unlabeled(kismet_t)
 corenet_all_recvfrom_netlabel(kismet_t)
 corenet_tcp_sendrecv_generic_if(kismet_t)
 corenet_tcp_sendrecv_generic_node(kismet_t)
 corenet_tcp_bind_generic_node(kismet_t)
 
-corenet_sendrecv_kismet_server_packets(kismet_t)
-corenet_tcp_bind_kismet_port(kismet_t)
-corenet_sendrecv_kismet_client_packets(kismet_t)
-corenet_tcp_connect_kismet_port(kismet_t)
-corenet_tcp_sendrecv_kismet_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
 
-auth_use_nsswitch(kismet_t)
-
-files_read_usr_files(kismet_t)
+corenet_sendrecv_rtsclient_server_packets(kismet_t)
+corenet_tcp_bind_rtsclient_port(kismet_t)
+corenet_sendrecv_rtsclient_client_packets(kismet_t)
+corenet_tcp_connect_rtsclient_port(kismet_t)
 
-miscfiles_read_localization(kismet_t)
+auth_use_nsswitch(kismet_t)
 
-userdom_use_user_terminals(kismet_t)
+userdom_use_inherited_user_terminals(kismet_t)
+userdom_read_user_tmp_files(kismet_t)
 
 optional_policy(`
 	dbus_system_bus_client(kismet_t)
diff --git a/kmscon.fc b/kmscon.fc
new file mode 100644
index 0000000000..ccd29c0791
--- /dev/null
+++ b/kmscon.fc
@@ -0,0 +1,3 @@
+/usr/bin/kmscon              --      gen_context(system_u:object_r:kmscon_exec_t,s0)
+/usr/lib/systemd/system/kmscon.*\.*      --      gen_context(system_u:object_r:kmscon_unit_file_t,s0)
+/etc/kmscon(/.*)?                                      gen_context(system_u:object_r:kmscon_conf_t,s0)
diff --git a/kmscon.if b/kmscon.if
new file mode 100644
index 0000000000..b9347faa95
--- /dev/null
+++ b/kmscon.if
@@ -0,0 +1,25 @@
+## <summary>Terminal emulator for Linux graphical console</summary>
+
+########################################
+## <summary>
+##     Execute kmscon in the kmscon domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`kmscon_systemctl',`
+       gen_require(`
+               type kmscon_unit_file_t;
+               type kmscon_t;
+       ')
+
+       systemd_exec_systemctl($1)
+	init_reload_services($1)
+       allow $1 kmscon_unit_file_t:file read_file_perms;
+       allow $1 kmscon_unit_file_t:service manage_service_perms;
+
+       ps_process_pattern($1, kmscon_t)
+')
diff --git a/kmscon.te b/kmscon.te
new file mode 100644
index 0000000000..32a9e13562
--- /dev/null
+++ b/kmscon.te
@@ -0,0 +1,88 @@
+# KMSCon SELinux policy module
+# Contributed by Lubomir Rintel <lkundrak@v3.sk>
+
+########################################
+#
+# Declarations
+#
+policy_module(kmscon, 1.0)
+
+type kmscon_t;
+type kmscon_exec_t;
+init_daemon_domain(kmscon_t, kmscon_exec_t)
+
+type kmscon_conf_t;
+files_config_file(kmscon_conf_t)
+
+type kmscon_unit_file_t;
+systemd_unit_file(kmscon_unit_file_t)
+
+type kmscon_devpts_t;
+term_pty(kmscon_devpts_t)
+# Label this as t, so that login_t can read our terminal with use_all_ttys()
+term_tty(kmscon_devpts_t)
+
+########################################
+#
+# zoneminder local policy
+#
+
+# Switch the VT into a graphics mode ; Set DRM master
+allow kmscon_t self:capability {sys_admin sys_tty_config};
+
+dontaudit kmscon_t self:capability2 block_suspend;
+
+# Create an udev monitor
+allow kmscon_t self:netlink_kobject_uevent_socket { bind create setopt getattr };
+
+allow kmscon_t kmscon_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(kmscon_t, kmscon_devpts_t)
+
+list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+
+kernel_read_system_state(kmscon_t)
+
+auth_read_passwd(kmscon_t)
+
+dev_rw_dri(kmscon_t)
+dev_read_sysfs(kmscon_t)
+dev_read_framebuffer(kmscon_t)
+dev_write_framebuffer(kmscon_t)
+dev_rw_input_dev(kmscon_t)
+
+# Get allowed path length for directory with modules
+fs_getattr_xattr_fs(kmscon_t)
+
+locallogin_domtrans(kmscon_t)
+
+miscfiles_read_fonts(kmscon_t)
+miscfiles_manage_fonts_cache(kmscon_t)
+
+# Open the tty, so that it can be handed over to the seat manager
+term_use_unallocated_ttys(kmscon_t)
+
+optional_policy(`
+    # Learn about the input devices
+    udev_read_db(kmscon_t)
+')
+
+optional_policy(`
+    # Fontconfig and Pango configuration
+    gnome_read_home_config(kmscon_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(kmscon_t)
+    init_dbus_chat(kmscon_t)
+
+    optional_policy(`
+        systemd_dbus_chat_logind(kmscon_t)
+
+        # List seats
+        systemd_login_list_pid_dirs(kmscon_t)
+        systemd_login_read_pid_files(kmscon_t)
+
+        kmscon_systemctl(systemd_logind_t)
+    ')
+')
diff --git a/kpatch.fc b/kpatch.fc
new file mode 100644
index 0000000000..43aaa8a789
--- /dev/null
+++ b/kpatch.fc
@@ -0,0 +1,3 @@
+/usr/sbin/kpatch		--	gen_context(system_u:object_r:kpatch_exec_t,s0)
+
+/var/lib/kpatch(/.*)?			gen_context(system_u:object_r:kpatch_var_lib_t,s0)
diff --git a/kpatch.if b/kpatch.if
new file mode 100644
index 0000000000..7ca0e4c87a
--- /dev/null
+++ b/kpatch.if
@@ -0,0 +1,75 @@
+## <summary>Policy for kpatch</summary>
+
+########################################
+## <summary>
+##	Transition to kpatch.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kpatch_domtrans',`
+	gen_require(`
+		type kpatch_t, kpatch_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, kpatch_exec_t, kpatch_t)
+	dontaudit kpatch_t $1:unix_stream_socket { getattr read write };
+')
+
+########################################
+## <summary>
+##	NNP Transition to kpatch.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kpatch_nnp_domtrans',`
+	gen_require(`
+		type kpatch_t;
+	')
+
+	allow $1 kpatch_t:process2 { nnp_transition nosuid_transition };
+
+')
+
+########################################
+## <summary>
+##	Execute kpatch in the kpatch domain, and
+##	allow the specified role the kpatch domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the kpatch domain.
+##	</summary>
+## </param>
+#
+interface(`kpatch_run',`
+	gen_require(`
+		type kpatch_t;
+	')
+
+	kpatch_domtrans($1)
+	kpatch_nnp_domtrans($1)
+	role $2 types kpatch_t;
+
+	allow $1 kpatch_t:process signal_perms;
+
+	dontaudit kpatch_t $1:dir list_dir_perms;
+	dontaudit kpatch_t $1:file read_file_perms;
+	dontaudit kpatch_t $1:unix_stream_socket rw_socket_perms;
+    
+    allow kpatch_t $1:shm create_shm_perms;
+	allow kpatch_t $1:sem create_sem_perms;
+')
diff --git a/kpatch.te b/kpatch.te
new file mode 100644
index 0000000000..9209849272
--- /dev/null
+++ b/kpatch.te
@@ -0,0 +1,40 @@
+policy_module(kpatch, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kpatch_t;
+type kpatch_exec_t;
+application_domain(kpatch_t, kpatch_exec_t)
+init_daemon_domain(kpatch_t, kpatch_exec_t)
+
+type kpatch_var_lib_t;
+files_type(kpatch_var_lib_t)
+
+########################################
+#
+# kpatch local policy
+#
+
+manage_dirs_pattern(kpatch_t, kpatch_var_lib_t, kpatch_var_lib_t)
+manage_files_pattern(kpatch_t, kpatch_var_lib_t, kpatch_var_lib_t)
+files_var_lib_filetrans(kpatch_t, kpatch_var_lib_t, { dir file })
+allow kpatch_t kpatch_var_lib_t:system module_load;
+
+auth_use_nsswitch(kpatch_t)
+
+corecmd_exec_bin(kpatch_t)
+corecmd_mmap_bin_files(kpatch_t)
+
+dev_list_sysfs(kpatch_t)
+
+optional_policy(`
+    policykit_dbus_chat(kpatch_t)
+')
+
+optional_policy(`
+    unconfined_domain(kpatch_t)
+')
+
diff --git a/ksmtuned.fc b/ksmtuned.fc
index e736c450c0..4b1e1e4536 100644
--- a/ksmtuned.fc
+++ b/ksmtuned.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/ksmtuned.*  --     gen_context(system_u:object_r:ksmtuned_unit_file_t,s0)
+
 /usr/sbin/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_exec_t,s0)
 
 /var/log/ksmtuned.*	gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
index 93a64bc506..af6d741d6b 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
@@ -38,6 +38,30 @@ interface(`ksmtuned_initrc_domtrans',`
 	init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
 ')
 
+#######################################
+## <summary>
+##  Execute ksmtuned server in the ksmtunedd domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`ksmtuned_systemctl',`
+    gen_require(`
+        type ksmtuned_unit_file_t;
+        type ksmtuned_t;
+    ')
+
+    systemd_exec_systemctl($1)
+	init_reload_services($1)
+    allow $1 ksmtuned_unit_file_t:file read_file_perms;
+    allow $1 ksmtuned_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, ksmtuned_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -48,30 +72,28 @@ interface(`ksmtuned_initrc_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ksmtuned_admin',`
 	gen_require(`
-		type ksmtuned_t, ksmtuned_var_run_t;
-		type ksmtuned_initrc_exec_t, ksmtuned_log_t;
+		type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
+		type ksmtuned_log_t;
 	')
 
-	ksmtuned_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 ksmtuned_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	allow $1 ksmtuned_t:process { ptrace signal_perms };
+	allow $1 ksmtuned_t:process signal_perms;
 	ps_process_pattern($1, ksmtuned_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ksmtuned_t:process ptrace;
+	')
+
 	files_list_pids($1)
 	admin_pattern($1, ksmtuned_var_run_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, ksmtuned_log_t)
+
+	ksmtuned_systemctl($1)
+	admin_pattern($1, ksmtuned_unit_file_t)
+	allow $1 ksmtuned_unit_file_t:service all_service_perms;
 ')
diff --git a/ksmtuned.te b/ksmtuned.te
index 8eef134acd..9636a5343c 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow ksmtuned to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(ksmtuned_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow ksmtuned to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(ksmtuned_use_cifs, false)
+
 type ksmtuned_t;
 type ksmtuned_exec_t;
 init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
 
+type ksmtuned_unit_file_t;
+systemd_unit_file(ksmtuned_unit_file_t)
+
 type ksmtuned_initrc_exec_t;
 init_script_file(ksmtuned_initrc_exec_t)
 
@@ -40,9 +57,10 @@ kernel_read_system_state(ksmtuned_t)
 corecmd_exec_bin(ksmtuned_t)
 corecmd_exec_shell(ksmtuned_t)
 
-dev_rw_sysfs(ksmtuned_t)
+dev_manage_sysfs(ksmtuned_t)
 
 domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
 
 mls_file_read_to_clearance(ksmtuned_t)
 
@@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t)
 
 logging_send_syslog_msg(ksmtuned_t)
 
-miscfiles_read_localization(ksmtuned_t)
+tunable_policy(`ksmtuned_use_nfs',`
+    fs_read_nfs_files(ksmtuned_t)
+')
+
+tunable_policy(`ksmtuned_use_cifs',`
+    fs_read_cifs_files(ksmtuned_t)
+	samba_read_share_files(ksmtuned_t)
+')
diff --git a/ktalk.fc b/ktalk.fc
index 38ecb07d15..451067ebdf 100644
--- a/ktalk.fc
+++ b/ktalk.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/ntalk.*  --  gen_context(system_u:object_r:ktalkd_unit_file_t,s0)
+
 /usr/bin/ktalkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
 
 /usr/sbin/in\.talkd	--	gen_context(system_u:object_r:ktalkd_exec_t,s0)
diff --git a/ktalk.if b/ktalk.if
index 19777b8062..cd721fd6b6 100644
--- a/ktalk.if
+++ b/ktalk.if
@@ -1 +1,77 @@
-## <summary>KDE Talk daemon.</summary>
+
+## <summary>talk-server - daemon programs for the Internet talk </summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the ktalkd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ktalk_domtrans',`
+	gen_require(`
+		type ktalkd_t, ktalkd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
+')
+########################################
+## <summary>
+##	Execute ktalkd server in the ktalkd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ktalk_systemctl',`
+	gen_require(`
+		type ktalkd_t;
+		type ktalkd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 ktalkd_unit_file_t:file read_file_perms;
+	allow $1 ktalkd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ktalkd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ktalkd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ktalk_admin',`
+	gen_require(`
+		type ktalkd_t;
+	    type ktalkd_unit_file_t;
+	')
+
+	allow $1 ktalkd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ktalkd_t)
+
+	ktalk_systemctl($1)
+	admin_pattern($1, ktalkd_unit_file_t)
+	allow $1 ktalkd_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/ktalk.te b/ktalk.te
index c5548c5edc..1356fcbd27 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
 type ktalkd_log_t;
 logging_log_file(ktalkd_log_t)
 
+type ktalkd_unit_file_t;
+systemd_unit_file(ktalkd_unit_file_t)
+
 type ktalkd_tmp_t;
 files_tmp_file(ktalkd_tmp_t)
 
@@ -50,7 +53,8 @@ dev_read_urand(ktalkd_t)
 
 fs_getattr_xattr_fs(ktalkd_t)
 
-term_use_all_terms(ktalkd_t)
+term_search_ptys(ktalkd_t)
+term_use_all_inherited_terms(ktalkd_t)
 
 auth_use_nsswitch(ktalkd_t)
 
@@ -58,4 +62,5 @@ init_read_utmp(ktalkd_t)
 
 logging_send_syslog_msg(ktalkd_t)
 
-miscfiles_read_localization(ktalkd_t)
+userdom_use_user_ptys(ktalkd_t)
+userdom_use_user_ttys(ktalkd_t)
diff --git a/kubernetes.fc b/kubernetes.fc
new file mode 100644
index 0000000000..6ab641c51e
--- /dev/null
+++ b/kubernetes.fc
@@ -0,0 +1,13 @@
+/usr/lib/systemd/system/kubelet.*                   --  gen_context(system_u:object_r:kubelet_unit_file_t,s0)
+/usr/lib/systemd/system/kube-apiserver.*            --  gen_context(system_u:object_r:kube_apiserver_unit_file_t,s0)
+/usr/lib/systemd/system/kube-controller-manager.*   --  gen_context(system_u:object_r:kube_controller_manager_unit_file_t,s0)
+/usr/lib/systemd/system/kube-proxy.*                --  gen_context(system_u:object_r:kube_proxy_unit_file_t,s0)
+
+/usr/bin/kubelet	                --	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/bin/kube-apiserver		        --	gen_context(system_u:object_r:kube_apiserver_exec_t,s0)
+/usr/bin/kube-controller-manager	--	gen_context(system_u:object_r:kube_controller_manager_exec_t,s0)
+/usr/bin/kube-proxy		            --	gen_context(system_u:object_r:kube_proxy_exec_t,s0)
+
+/var/lib/kubelet(/.*)?                  gen_context(system_u:object_r:kubelet_var_lib_t,s0)
+
+
diff --git a/kubernetes.if b/kubernetes.if
new file mode 100644
index 0000000000..b2841e526f
--- /dev/null
+++ b/kubernetes.if
@@ -0,0 +1,87 @@
+## <summary>SELinux policy for Kubernetes container management</summary>
+
+######################################
+## <summary>
+##	Creates types and rules for a basic
+##	kube init daemon domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
+## </param>
+#
+template(`kubernetes_domain_template',`
+    gen_require(`
+	    attribute kubernetes_domain;
+    ')
+
+    ##############################
+    #
+    # $1_t declarations
+    #
+
+    type $1_t, kubernetes_domain;
+    type $1_exec_t;
+    init_daemon_domain($1_t, $1_exec_t)
+
+    type $1_unit_file_t;
+    systemd_unit_file($1_unit_file_t)
+')
+
+########################################
+## <summary>
+##	Search kubernetes lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_search_lib_kubelet',`
+	gen_require(`
+		type kubelet_var_lib_t;
+	')
+
+	allow $1 kubelet_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read kubernetes lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_read_lib_files_kubelet',`
+	gen_require(`
+		type kubelet_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, kubelet_var_lib_t, kubelet_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage kubernetes lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_manage_lib_files_kubelet',`
+	gen_require(`
+		type kubelet_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, kubelet_var_lib_t, kubelet_var_lib_t)
+')
diff --git a/kubernetes.te b/kubernetes.te
new file mode 100644
index 0000000000..b625b5343a
--- /dev/null
+++ b/kubernetes.te
@@ -0,0 +1,76 @@
+policy_module(kubernetes, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute kubernetes_domain;
+
+kubernetes_domain_template(kube_apiserver)
+kubernetes_domain_template(kube_controller_manager)
+kubernetes_domain_template(kube_proxy)
+kubernetes_domain_template(kubelet)
+
+permissive kube_apiserver_t;
+permissive kube_controller_manager_t;
+permissive kube_proxy_t;
+permissive kubelet_t;
+
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+########################################
+#
+# kubernetes domain local policy
+#
+
+# this is kernel bug which is going to be fixed
+# needs to be removed then
+dontaudit kubernetes_domain self:capability2 block_suspend;
+
+allow kubernetes_domain self:tcp_socket create_stream_socket_perms;
+
+kernel_read_unix_sysctls(kubernetes_domain)
+kernel_read_net_sysctls(kubernetes_domain)
+
+auth_read_passwd(kubernetes_domain)
+
+corenet_tcp_bind_generic_node(kubernetes_domain)
+
+corenet_tcp_connect_http_cache_port(kubernetes_domain)
+corenet_tcp_connect_kubernetes_port(kubernetes_domain)
+
+########################################
+#
+# kubelet local policy
+#
+
+allow kubelet_t self:capability net_admin;
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir)
+
+corenet_tcp_bind_kubernetes_port(kubelet_t)
+
+########################################
+#
+# kube_controller local policy
+#
+
+
+########################################
+#
+# kube_apiserver local policy
+#
+
+corenet_tcp_bind_http_cache_port(kube_apiserver_t)
+
+########################################
+#
+# kube_proxy local policy
+#
+
+allow kube_proxy_t self:capability net_admin;
diff --git a/kudzu.if b/kudzu.if
index 52970645ff..6ba8108342 100644
--- a/kudzu.if
+++ b/kudzu.if
@@ -86,9 +86,13 @@ interface(`kudzu_admin',`
 		type kudzu_tmp_t;
 	')
 
-	allow $1 kudzu_t:process { ptrace signal_perms };
+	allow $1 kudzu_t:process { signal_perms };
 	ps_process_pattern($1, kudzu_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kudzu_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
index 16640364be..ee7a9a1d55 100644
--- a/kudzu.te
+++ b/kudzu.te
@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t)
 # Local policy
 #
 
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_read_search dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;
@@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t)
 kernel_read_kernel_sysctls(kudzu_t)
 kernel_read_network_state(kudzu_t)
 kernel_read_system_state(kudzu_t)
-kernel_rw_hotplug_sysctls(kudzu_t)
+kernel_rw_usermodehelper_state(kudzu_t)
 kernel_rw_kernel_sysctl(kudzu_t)
 
 corecmd_exec_all_executables(kudzu_t)
@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
 domain_use_interactive_fds(kudzu_t)
 
 files_read_kernel_modules(kudzu_t)
-files_read_usr_files(kudzu_t)
 files_search_locks(kudzu_t)
 files_manage_etc_files(kudzu_t)
 files_manage_etc_runtime_files(kudzu_t)
@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t)
 logging_send_syslog_msg(kudzu_t)
 
 miscfiles_read_hwdata(kudzu_t)
-miscfiles_read_localization(kudzu_t)
 
 sysnet_read_config(kudzu_t)
 
-userdom_use_user_terminals(kudzu_t)
+userdom_use_inherited_user_terminals(kudzu_t)
 userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
 userdom_search_user_home_dirs(kudzu_t)
 
@@ -121,10 +119,6 @@ optional_policy(`
 	modutils_domtrans_insmod(kudzu_t)
 ')
 
-optional_policy(`
-	nscd_use(kudzu_t)
-')
-
 optional_policy(`
 	seutil_sigchld_newrole(kudzu_t)
 ')
@@ -132,7 +126,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(kudzu_t)
 ')
-
-optional_policy(`
-	unconfined_domtrans(kudzu_t)
-')
diff --git a/l2tp.fc b/l2tp.fc
index d5d1572b1c..ddc6ef210e 100644
--- a/l2tp.fc
+++ b/l2tp.fc
@@ -5,7 +5,9 @@
 /etc/sysconfig/.*l2tpd	--	gen_context(system_u:object_r:l2tp_conf_t,s0)
 
 /usr/sbin/.*l2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
+/usr/libexec/nm-l2tp-service    --  gen_context(system_u:object_r:l2tpd_exec_t,s0)
 
 /var/run/.*l2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 /var/run/prol2tpd\.ctl	-s	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 /var/run/.*l2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+/var/run/*.xl2tpd.*	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tp.if b/l2tp.if
index 73e2803eef..34ca3aa22b 100644
--- a/l2tp.if
+++ b/l2tp.if
@@ -1,9 +1,45 @@
-## <summary>Layer 2 Tunneling Protocol.</summary>
+## <summary>Layer 2 Tunneling Protocol daemons.</summary>
 
 ########################################
 ## <summary>
-##	Send to l2tpd with a unix
-##	domain dgram socket.
+##	Transition to l2tpd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`l2tpd_domtrans',`
+	gen_require(`
+		type l2tpd_t, l2tpd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
+')
+
+########################################
+## <summary>
+##	Execute l2tpd server in the l2tpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`l2tpd_initrc_domtrans',`
+	gen_require(`
+		type l2tpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Send to l2tpd via a unix dgram socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',`
 		type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
 	')
 
-	files_search_pids($1)
 	files_search_tmp($1)
 	dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
 ')
@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',`
 	allow $1 l2tpd_t:socket rw_socket_perms;
 ')
 
+########################################
+## <summary>
+##	Read l2tpd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`l2tpd_read_pid_files',`
+	gen_require(`
+		type l2tpd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
 #####################################
 ## <summary>
-##	Connect to l2tpd with a unix
-##	domain stream socket.
+##	Connect to l2tpd over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',`
 	')
 
 	files_search_pids($1)
-	files_search_tmp($1)
-	stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+	stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
+	stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an l2tp environment.
+##	Read and write l2tpd unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`l2tpd_rw_pipes',`
+	gen_require(`
+		type l2tpd_t;
+	')
+
+	allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow send a signal to l2tpd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`l2tpd_signal',`
+	gen_require(`
+		type l2tpd_t;
+	')
+
+	allow $1 l2tpd_t:process signal;
+')
+
+########################################
+## <summary>
+##	Allow send signull to l2tpd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`l2tpd_signull',`
+	gen_require(`
+		type l2tpd_t;
+	')
+
+	allow $1 l2tpd_t:process signull;
+')
+
+########################################
+## <summary>
+##	Allow send sigkill to l2tpd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`l2tpd_sigkill',`
+	gen_require(`
+		type l2tpd_t;
+	')
+
+	allow $1 l2tpd_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	l2tpd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`l2tpd_dbus_chat',`
+	gen_require(`
+		type l2tpd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 l2tpd_t:dbus send_msg;
+	allow l2tpd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an l2tpd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -77,16 +224,20 @@ interface(`l2tpd_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
-interface(`l2tp_admin',`
+interface(`l2tpd_admin',`
 	gen_require(`
 		type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
 		type l2tp_conf_t, l2tpd_tmp_t;
 	')
 
-	allow $1 l2tpd_t:process { ptrace signal_perms };
+	allow $1 l2tpd_t:process signal_perms;
 	ps_process_pattern($1, l2tpd_t)
 
-	init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 l2tpd_t:process ptrace;
+	')
+
+	l2tpd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 l2tpd_initrc_exec_t system_r;
 	allow $2 system_r;
diff --git a/l2tp.te b/l2tp.te
index bb06a7fee9..01e784bf59 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
 #
 
 allow l2tpd_t self:capability net_admin;
-allow l2tpd_t self:process signal;
+allow l2tpd_t self:process signal_perms;
 allow l2tpd_t self:fifo_file rw_fifo_file_perms;
 allow l2tpd_t self:netlink_socket create_socket_perms;
 allow l2tpd_t self:rawip_socket create_socket_perms;
@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
 manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
 manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
 manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
 
 manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
 files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
 
+can_exec(l2tpd_t, l2tpd_exec_t)
+
 corenet_all_recvfrom_unlabeled(l2tpd_t)
 corenet_all_recvfrom_netlabel(l2tpd_t)
 corenet_raw_sendrecv_generic_if(l2tpd_t)
@@ -75,18 +77,36 @@ corecmd_exec_bin(l2tpd_t)
 
 dev_read_urand(l2tpd_t)
 
-files_read_etc_files(l2tpd_t)
-
 term_setattr_generic_ptys(l2tpd_t)
 term_use_generic_ptys(l2tpd_t)
 term_use_ptmx(l2tpd_t)
 
-logging_send_syslog_msg(l2tpd_t)
+auth_read_passwd(l2tpd_t)
 
-miscfiles_read_localization(l2tpd_t)
+logging_send_syslog_msg(l2tpd_t)
 
 sysnet_dns_name_resolve(l2tpd_t)
 
+optional_policy(`
+    dbus_system_bus_client(l2tpd_t)
+    dbus_connect_system_bus(l2tpd_t)
+    
+    optional_policy(`
+        networkmanager_dbus_chat(l2tpd_t)
+    ')
+')
+
+optional_policy(`
+    ipsec_domtrans_mgmt(l2tpd_t)
+    ipsec_mgmt_read_pid(l2tpd_t)
+    ipsec_filetrans_key_file(l2tpd_t)
+    ipsec_manage_key_file(l2tpd_t)
+')
+
+optional_policy(`
+	networkmanager_manage_pid_files(l2tpd_t)
+')
+
 optional_policy(`
 	ppp_domtrans(l2tpd_t)
 	ppp_signal(l2tpd_t)
diff --git a/ldap.fc b/ldap.fc
index b7e5679167..c93db3316a 100644
--- a/ldap.fc
+++ b/ldap.fc
@@ -1,8 +1,11 @@
 /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/openldap/certs(/.*)?	gen_context(system_u:object_r:slapd_cert_t,s0)
+
+/etc/openldap/certs(/.*)?   gen_context(system_u:object_r:slapd_cert_t,s0)
 /etc/openldap/slapd\.d(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
 
-/etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/slapd	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/slapd.*	--	gen_context(system_u:object_r:slapd_unit_file_t,s0)
 
 /usr/sbin/slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
 
@@ -22,8 +25,7 @@
 /var/log/ldap.*	gen_context(system_u:object_r:slapd_log_t,s0)
 /var/log/slapd.*	gen_context(system_u:object_r:slapd_log_t,s0)
 
-/var/run/ldapi	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/openldap(/.*)?	gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
-/var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/ldapi          -s      gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/openldap(/.*)?         gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.args    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid     --      gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
index 3602712d06..af83a5b6b9 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,69 @@
-## <summary>OpenLDAP directory server.</summary>
+## <summary>OpenLDAP directory server</summary>
+
+#######################################
+## <summary>
+##	Execute OpenLDAP in the ldap domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ldap_domtrans',`
+	gen_require(`
+		type slapd_t, slapd_exec_t;
+	')
+
+	domtrans_pattern($1, slapd_exec_t, slapd_t)
+')
+
+#######################################
+## <summary>
+##	Execute OpenLDAP server in the ldap domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ldap_initrc_domtrans',`
+	gen_require(`
+		type slapd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute slapd server in the slapd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ldap_systemctl',`
+	gen_require(`
+		type slapd_unit_file_t;
+		type slapd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 slapd_unit_file_t:file read_file_perms;
+	allow $1 slapd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, slapd_t)
+')
 
 ########################################
 ## <summary>
-##	List ldap database directories.
+##	Read the contents of the OpenLDAP
+##	database directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -15,13 +76,31 @@ interface(`ldap_list_db',`
 		type slapd_db_t;
 	')
 
-	files_search_etc($1)
 	allow $1 slapd_db_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read ldap configuration files.
+##	Read the contents of the OpenLDAP
+##	database files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ldap_read_db_files',`
+	gen_require(`
+		type slapd_db_t;
+	')
+
+	read_files_pattern($1, slapd_db_t, slapd_db_t)
+')
+
+########################################
+## <summary>
+##	Read the OpenLDAP configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -41,22 +120,29 @@ interface(`ldap_read_config',`
 
 ########################################
 ## <summary>
-##	Use LDAP over TCP connection.  (Deprecated)
+##	Read the OpenLDAP cert files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`ldap_use',`
-	refpolicywarn(`$0($*) has been deprecated.')
+interface(`ldap_read_certs',`
+	gen_require(`
+		type slapd_cert_t;
+	')
+
+	files_search_etc($1)
+    allow $1 slapd_cert_t:dir list_dir_perms;
+    read_files_pattern($1, slapd_cert_t, slapd_cert_t)
+    read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to slapd over an unix
-##	stream socket.
+##	Use LDAP over TCP connection.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -64,18 +150,13 @@ interface(`ldap_use',`
 ##	</summary>
 ## </param>
 #
-interface(`ldap_stream_connect',`
-	gen_require(`
-		type slapd_t, slapd_var_run_t;
-	')
-
-	files_search_pids($1)
-	stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+interface(`ldap_use',`
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-## 	Connect to ldap over the network.
+##	Connect to slapd over an unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -83,21 +164,19 @@ interface(`ldap_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`ldap_tcp_connect',`
+interface(`ldap_stream_connect',`
 	gen_require(`
-		type slapd_t;
+		type slapd_t, slapd_var_run_t;
 	')
 
-	corenet_sendrecv_ldap_client_packets($1)
-	corenet_tcp_connect_ldap_port($1)
-	corenet_tcp_recvfrom_labeled($1, slapd_t)
-	corenet_tcp_sendrecv_ldap_port($1)
+	files_search_pids($1)
+	stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an ldap environment.
+##	All of the rules required to administrate
+##	an ldap environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -106,7 +185,7 @@ interface(`ldap_tcp_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the ldap domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -117,11 +196,16 @@ interface(`ldap_admin',`
 		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
 		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
 		type slapd_db_t, slapd_keytab_t;
+		type slapd_unit_file_t;
 	')
 
-	allow $1 slapd_t:process { ptrace signal_perms };
+	allow $1 slapd_t:process signal_perms;
 	ps_process_pattern($1, slapd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 slapd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 slapd_initrc_exec_t system_r;
@@ -130,13 +214,9 @@ interface(`ldap_admin',`
 	files_list_etc($1)
 	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
 
-	files_list_locks($1)
 	admin_pattern($1, slapd_lock_t)
 
-	logging_list_logs($1)
-	admin_pattern($1, slapd_log_t)
-
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, slapd_replog_t)
 
 	files_list_tmp($1)
@@ -144,4 +224,8 @@ interface(`ldap_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, slapd_var_run_t)
+
+	ldap_systemctl($1)
+	admin_pattern($1, slapd_unit_file_t)
+	allow $1 slapd_unit_file_t:service all_service_perms;
 ')
diff --git a/ldap.te b/ldap.te
index 4c2b1110ed..1c922b3402 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
 type slapd_initrc_exec_t;
 init_script_file(slapd_initrc_exec_t)
 
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
+
 type slapd_keytab_t;
 files_type(slapd_keytab_t)
 
@@ -49,7 +52,8 @@ files_pid_file(slapd_var_run_t)
 
 allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
 dontaudit slapd_t self:capability sys_tty_config;
-allow slapd_t self:process setsched;
+dontaudit slapd_t self:capability2 block_suspend;
+allow slapd_t self:process { setsched signal } ;
 allow slapd_t self:fifo_file rw_fifo_file_perms;
 allow slapd_t self:tcp_socket { accept listen };
 
@@ -60,6 +64,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
 manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
 manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
 manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+allow slapd_t slapd_db_t:file map;
 
 allow slapd_t slapd_etc_t:file read_file_perms;
 
@@ -69,9 +74,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms;
 files_lock_filetrans(slapd_t, slapd_lock_t, file)
 
 manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
 logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
 
 manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -80,7 +83,8 @@ manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
 
 manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
 manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
-files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+manage_lnk_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
+files_tmp_filetrans(slapd_t, slapd_tmp_t, { file lnk_file dir })
 
 manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
 fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
@@ -89,11 +93,11 @@ manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
 manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
 manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
 files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+allow slapd_t slapd_var_run_t:file map;
 
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
 
-corenet_all_recvfrom_unlabeled(slapd_t)
 corenet_all_recvfrom_netlabel(slapd_t)
 corenet_tcp_sendrecv_generic_if(slapd_t)
 corenet_tcp_sendrecv_generic_node(slapd_t)
@@ -115,25 +119,27 @@ fs_getattr_all_fs(slapd_t)
 fs_search_auto_mountpoints(slapd_t)
 
 files_read_etc_runtime_files(slapd_t)
-files_read_usr_files(slapd_t)
 files_list_var_lib(slapd_t)
 
 auth_use_nsswitch(slapd_t)
+auth_rw_cache(slapd_t)
 
 logging_send_syslog_msg(slapd_t)
 
 miscfiles_read_generic_certs(slapd_t)
-miscfiles_read_localization(slapd_t)
+miscfiles_map_generic_certs(slapd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)
 userdom_dontaudit_search_user_home_dirs(slapd_t)
 
+usermanage_read_crack_db(slapd_t)
+
 optional_policy(`
 	kerberos_manage_host_rcache(slapd_t)
 	kerberos_read_keytab(slapd_t)
-	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
-	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
-	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
+	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
+	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
 	kerberos_use(slapd_t)
 ')
 
diff --git a/lightsquid.fc b/lightsquid.fc
index 044390c6e2..63e205863c 100644
--- a/lightsquid.fc
+++ b/lightsquid.fc
@@ -1,11 +1,11 @@
 /etc/cron\.daily/lightsquid	--	gen_context(system_u:object_r:lightsquid_exec_t,s0)
 
-/usr/lib/cgi-bin/lightsquid/.*\.cfg	--	gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
-/usr/lib/cgi-bin/lightsquid/.*\.cgi	--	gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+/usr/lib/cgi-bin/lightsquid/.*\.cfg	--	gen_context(system_u:object_r:lightsquid_content_t,s0)
+/usr/lib/cgi-bin/lightsquid/.*\.cgi	--	gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
 
-/usr/share/lightsquid/cgi/.*\.cgi	--	gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+/usr/share/lightsquid/cgi/.*\.cgi	--	gen_context(system_u:object_r:lightsquid_script_exec_t,s0)
 
 /var/lightsquid(/.*)?	gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
 
-/var/www/html/lightsquid(/.*)?	gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
-/var/www/html/lightsquid/report(/.*)?	gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
+/var/www/html/lightsquid(/.*)?	gen_context(system_u:object_r:lightsquid_content_t,s0)
+/var/www/html/lightsquid/report(/.*)?	gen_context(system_u:object_r:lightsquid_report_content_t,s0)
diff --git a/lightsquid.if b/lightsquid.if
index 33a28b9ad6..33ffe2484b 100644
--- a/lightsquid.if
+++ b/lightsquid.if
@@ -76,5 +76,7 @@ interface(`lightsquid_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, lightsquid_rw_content_t)
 
-	apache_list_sys_content($1)
+	optional_policy(`
+		apache_list_sys_content($1)
+	')
 ')
diff --git a/lightsquid.te b/lightsquid.te
index 09c4f27bad..6c7855e4e1 100644
--- a/lightsquid.te
+++ b/lightsquid.te
@@ -13,38 +13,34 @@ type lightsquid_exec_t;
 application_domain(lightsquid_t, lightsquid_exec_t)
 role lightsquid_roles types lightsquid_t;
 
-type lightsquid_rw_content_t;
-files_type(lightsquid_rw_content_t)
+type lightsquid_report_content_t;
+files_type(lightsquid_report_content_t)
 
 ########################################
 #
 # Local policy
 #
 
-manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
+manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t)
+files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir)
 
 corecmd_exec_bin(lightsquid_t)
 corecmd_exec_shell(lightsquid_t)
 
 dev_read_urand(lightsquid_t)
 
-files_read_etc_files(lightsquid_t)
-files_read_usr_files(lightsquid_t)
-
-miscfiles_read_localization(lightsquid_t)
-
 squid_read_config(lightsquid_t)
 squid_read_log(lightsquid_t)
 
 optional_policy(`
 	apache_content_template(lightsquid)
+	apache_content_alias_template(lightsquid, lightsquid)
 
-	list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-	read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
-	read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+	list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+	read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
+	read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t)
 ')
 
 optional_policy(`
diff --git a/likewise.if b/likewise.if
index bd20e8cc92..3393a01e61 100644
--- a/likewise.if
+++ b/likewise.if
@@ -1,9 +1,22 @@
 ## <summary>Likewise Active Directory support for UNIX.</summary>
+## <desc>
+##	<p>
+##	Likewise Open is a free, open source application that joins Linux, Unix,
+##	and Mac machines to Microsoft Active Directory to securely authenticate
+##	users with their domain credentials.
+##	</p>
+## </desc>
 
 #######################################
 ## <summary>
 ##	The template to define a likewise domain.
 ## </summary>
+## <desc>
+##	<p>
+##	This template creates a domain to be used for
+##	a new likewise daemon.
+##	</p>
+## </desc>
 ## <param name="userdomain_prefix">
 ##	<summary>
 ##	The type of daemon to be used.
@@ -11,6 +24,7 @@
 ## </param>
 #
 template(`likewise_domain_template',`
+
 	gen_require(`
 		attribute likewise_domains;
 		type likewise_var_lib_t;
@@ -24,6 +38,7 @@ template(`likewise_domain_template',`
 	type $1_t;
 	type $1_exec_t;
 	init_daemon_domain($1_t, $1_exec_t)
+	domain_use_interactive_fds($1_t)
 
 	typeattribute $1_t likewise_domains;
 
@@ -38,15 +53,18 @@ template(`likewise_domain_template',`
 
 	####################################
 	#
-	# Policy
+	# Local Policy
 	#
 
 	allow $1_t self:process { signal_perms getsched setsched };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
-	allow $1_t self:unix_stream_socket { accept listen };
+	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 
+	allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
+
 	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 	files_pid_filetrans($1_t, $1_var_run_t, file)
 
@@ -55,12 +73,15 @@ template(`likewise_domain_template',`
 
 	manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
 	filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+
+	kernel_read_system_state($1_t)
+
+	logging_send_syslog_msg($1_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to lsassd with a unix domain
-##	stream socket.
+##	Connect to lsassd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',`
 	files_search_pids($1)
 	stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
 ')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an likewise environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`likewise_admin',`
-	gen_require(`
-		attribute likewise_domains;
-		type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
-		type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
-		type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
-		type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
-		type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
-		type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
-		type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
-		type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
-	')
-
-	allow $1 likewise_domains:process { ptrace signal_perms };
-	ps_process_pattern($1, likewise_domains)
-
-	init_labeled_script_domtrans($1, likewise_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 likewise_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_list_etc($1)
-	admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
-
-	files_search_var_lib($1)
-	admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
-	admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
-	admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
-	admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
-	admin_pattern($1, dcerpcd_var_lib_t)
-
-	files_list_tmp($1)
-	admin_pattern($1, lsassd_tmp_t)
-
-	files_list_pids($1)
-	admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
-	admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
-')
diff --git a/likewise.te b/likewise.te
index d8c2442a80..f5dff31732 100644
--- a/likewise.te
+++ b/likewise.te
@@ -26,7 +26,7 @@ type likewise_var_lib_t;
 files_type(likewise_var_lib_t)
 
 type likewise_pstore_lock_t;
-files_type(likewise_pstore_lock_t)
+files_lock_file(likewise_pstore_lock_t)
 
 type likewise_krb5_ad_t;
 files_type(likewise_krb5_ad_t)
@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t)
 
 allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms;
 
-kernel_read_system_state(likewise_domains)
-
 dev_read_rand(likewise_domains)
 dev_read_urand(likewise_domains)
 
 domain_use_interactive_fds(likewise_domains)
 
-files_read_etc_files(likewise_domains)
 files_search_var_lib(likewise_domains)
 
-logging_send_syslog_msg(likewise_domains)
-
-miscfiles_read_localization(likewise_domains)
-
 #################################
 #
 # dcerpcd local policy
@@ -102,7 +95,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t)
 # lsassd local policy
 #
 
-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:capability { fowner chown fsetid dac_read_search dac_override sys_time };
 allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
 
@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t)
 corecmd_exec_shell(lsassd_t)
 
 corenet_all_recvfrom_netlabel(lsassd_t)
-corenet_all_recvfrom_unlabeled(lsassd_t)
 corenet_tcp_sendrecv_generic_if(lsassd_t)
 corenet_tcp_sendrecv_generic_node(lsassd_t)
 
@@ -165,7 +157,7 @@ optional_policy(`
 # lwiod local policy
 #
 
-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
+allow lwiod_t self:capability { fowner chown fsetid dac_read_search dac_override sys_resource };
 allow lwiod_t self:process setrlimit;
 allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
 
@@ -221,7 +213,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
 # netlogond local policy
 #
 
-allow netlogond_t self:capability dac_override;
+allow netlogond_t self:capability { dac_read_search dac_override };
 
 manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
 
@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
 stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
 
 corenet_all_recvfrom_netlabel(srvsvcd_t)
-corenet_all_recvfrom_unlabeled(srvsvcd_t)
 corenet_sendrecv_generic_server_packets(srvsvcd_t)
 corenet_tcp_sendrecv_generic_if(srvsvcd_t)
 corenet_tcp_sendrecv_generic_node(srvsvcd_t)
diff --git a/linuxptp.fc b/linuxptp.fc
new file mode 100644
index 0000000000..d2061a9e4c
--- /dev/null
+++ b/linuxptp.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/phc2sys.*		--	gen_context(system_u:object_r:phc2sys_unit_file_t,s0)
+
+/usr/lib/systemd/system/ptp4l.*			--	gen_context(system_u:object_r:ptp4l_unit_file_t,s0)
+
+/usr/lib/systemd/system/timemaster.*		--	gen_context(system_u:object_r:timemaster_unit_file_t,s0)
+
+/usr/sbin/ptp4l					--	gen_context(system_u:object_r:ptp4l_exec_t,s0)
+/usr/sbin/phc2sys				--	gen_context(system_u:object_r:phc2sys_exec_t,s0)
+/usr/sbin/timemaster				--	gen_context(system_u:object_r:timemaster_exec_t,s0)
+
+/var/run/timemaster(/.*)?				gen_context(system_u:object_r:timemaster_var_run_t,s0)
diff --git a/linuxptp.if b/linuxptp.if
new file mode 100644
index 0000000000..e2c96f4a80
--- /dev/null
+++ b/linuxptp.if
@@ -0,0 +1,142 @@
+## <summary>implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.</summary>
+
+########################################
+## <summary>
+##	Execute domain in the phc2sys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`linuxptp_domtrans_phc2sys',`
+	gen_require(`
+		type phc2sys_t, phc2sys_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
+')
+
+########################################
+## <summary>
+##	Execute domain in the phc2sys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`linuxptp_domtrans_ptp4l',`
+	gen_require(`
+		type ptp4l_t, ptp4l_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
+')
+######################################
+## <summary>
+##  Connect to timemaster using a unix
+##  domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`timemaster_stream_connect',`
+	gen_require(`
+        	type timemaster_t, timemaster_var_run_t;
+        ')
+
+        files_search_pids($1)
+        stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
+')
+
+########################################
+## <summary>
+## Read timemaster conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`timemaster_read_pid_files',`
+	gen_require(`
+		type timemaster_var_run_t;
+	')
+
+    read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
+')
+
+########################################
+## <summary>
+## Read and write timemaster shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`timemaster_rw_shm',`
+	gen_require(`
+		type timemaster_t, timemaster_tmpfs_t;
+	')
+
+	allow $1 timemaster_t:shm rw_shm_perms;
+	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Read and write ptp4l_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ptp4l_rw_shm',`
+	gen_require(`
+		type ptp4l_t, timemaster_tmpfs_t;
+	')
+
+	allow $1 ptp4l_t:shm rw_shm_perms;
+	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Read and write phc2sys_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`phc2sys_rw_shm',`
+	gen_require(`
+		type phc2sys_t, timemaster_tmpfs_t;
+	')
+
+	allow $1 phc2sys_t:shm rw_shm_perms;
+	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
+	fs_search_tmpfs($1)
+')
diff --git a/linuxptp.te b/linuxptp.te
new file mode 100644
index 0000000000..75611d3e88
--- /dev/null
+++ b/linuxptp.te
@@ -0,0 +1,188 @@
+policy_module(linuxptp, 1.0.0)
+
+
+########################################
+#
+# Declarations
+#
+
+type timemaster_t;
+type timemaster_exec_t;
+init_daemon_domain(timemaster_t, timemaster_exec_t)
+
+type timemaster_var_run_t;
+files_pid_file(timemaster_var_run_t)
+
+type timemaster_tmpfs_t;
+files_tmpfs_file(timemaster_tmpfs_t)
+
+type timemaster_unit_file_t;
+systemd_unit_file(timemaster_unit_file_t)
+
+type phc2sys_t;
+type phc2sys_exec_t;
+init_daemon_domain(phc2sys_t, phc2sys_exec_t)
+
+type phc2sys_unit_file_t;
+systemd_unit_file(phc2sys_unit_file_t)
+
+type ptp4l_t;
+type ptp4l_exec_t;
+init_daemon_domain(ptp4l_t, ptp4l_exec_t)
+
+type ptp4l_unit_file_t;
+systemd_unit_file(ptp4l_unit_file_t)
+
+########################################
+#
+# timemaster local policy
+#
+
+allow timemaster_t self:process { signal_perms setcap};
+allow timemaster_t self:fifo_file rw_fifo_file_perms;
+allow timemaster_t self:capability { setuid sys_time kill setgid };
+allow timemaster_t self:unix_stream_socket create_stream_socket_perms;
+allow timemaster_t self:shm create_shm_perms;
+allow timemaster_t self:udp_socket create_socket_perms;
+
+allow timemaster_t ptp4l_t:process signal;
+allow timemaster_t phc2sys_t:process signal;
+
+allow timemaster_t ptp4l_t:shm rw_shm_perms;
+
+manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
+
+kernel_read_network_state(timemaster_t)
+
+auth_use_nsswitch(timemaster_t)
+
+corenet_udp_bind_generic_node(timemaster_t)
+corenet_udp_bind_ntp_port(timemaster_t)
+
+dev_read_urand(timemaster_t)
+
+logging_send_syslog_msg(timemaster_t)
+
+sysnet_read_config(timemaster_t)
+
+optional_policy(`
+	ntp_domtrans(timemaster_t)
+    ntp_signal(timemaster_t)
+')
+
+optional_policy(`
+	chronyd_domtrans(timemaster_t)
+	chronyd_rw_shm(timemaster_t)
+')
+
+optional_policy(`
+	gpsd_rw_shm(timemaster_t)
+')
+
+
+optional_policy(`
+	chronyd_signal(timemaster_t)
+')
+
+
+optional_policy(`
+	linuxptp_domtrans_ptp4l(timemaster_t)
+')
+
+optional_policy(`
+	linuxptp_domtrans_phc2sys(timemaster_t)
+')
+
+########################################
+#
+# phc2sys local policy
+#
+
+allow phc2sys_t self:capability sys_time;
+allow phc2sys_t self:fifo_file rw_fifo_file_perms;
+allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
+allow phc2sys_t self:shm create_shm_perms;
+allow phc2sys_t self:udp_socket create_socket_perms;
+
+allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
+
+allow phc2sys_t timemaster_t:shm rw_shm_perms;
+
+manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
+
+dev_rw_realtime_clock(phc2sys_t)
+
+logging_send_syslog_msg(phc2sys_t)
+
+optional_policy(`
+	chronyd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+	gpsd_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+	ntp_rw_shm(phc2sys_t)
+')
+
+optional_policy(`
+	ptp4l_rw_shm(phc2sys_t)
+')
+
+########################################
+#
+# ptp4l local policy
+#
+
+allow ptp4l_t self:fifo_file rw_fifo_file_perms;
+allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
+allow ptp4l_t self:shm create_shm_perms;
+allow ptp4l_t self:udp_socket create_socket_perms;
+allow ptp4l_t self:capability { net_admin net_raw sys_time };
+allow ptp4l_t self:capability2 { wake_alarm };
+allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
+
+manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
+fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
+
+corenet_udp_bind_generic_node(ptp4l_t)
+corenet_udp_bind_reserved_port(ptp4l_t)
+
+kernel_read_network_state(ptp4l_t)
+
+dev_rw_realtime_clock(ptp4l_t)
+
+logging_send_syslog_msg(ptp4l_t)
+
+userdom_dgram_send(ptp4l_t)
+
+optional_policy(`
+	chronyd_rw_shm(ptp4l_t)
+')
+
+optional_policy(`
+	gpsd_rw_shm(ptp4l_t)
+')
diff --git a/lircd.if b/lircd.if
index dff21a7c44..b6981c8465 100644
--- a/lircd.if
+++ b/lircd.if
@@ -81,8 +81,11 @@ interface(`lircd_admin',`
 		type lircd_initrc_exec_t, lircd_etc_t;
 	')
 
-	allow $1 lircd_t:process { ptrace signal_perms };
+	allow $1 lircd_t:process signal_perms;
 	ps_process_pattern($1, lircd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 lircd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
index 483c87bb64..f9d2e10b1d 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
 init_script_file(lircd_initrc_exec_t)
 
 type lircd_etc_t;
-files_type(lircd_etc_t)
+files_config_file(lircd_etc_t)
 
 type lircd_var_run_t alias lircd_sock_t;
 files_pid_file(lircd_var_run_t)
@@ -23,10 +23,11 @@ files_pid_file(lircd_var_run_t)
 # Local policy
 #
 
-allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:capability { chown kill setgid setuid sys_admin dac_read_search dac_override };
 allow lircd_t self:process signal;
 allow lircd_t self:fifo_file rw_fifo_file_perms;
 allow lircd_t self:tcp_socket { accept listen };
+allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
 
@@ -38,6 +39,12 @@ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
 dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
 
 kernel_request_load_module(lircd_t)
+kernel_read_system_state(lircd_t)
+
+auth_read_passwd(lircd_t)
+
+corecmd_exec_shell(lircd_t)
+corecmd_exec_bin(lircd_t)
 
 corenet_all_recvfrom_unlabeled(lircd_t)
 corenet_all_recvfrom_netlabel(lircd_t)
@@ -64,9 +71,14 @@ files_manage_generic_locks(lircd_t)
 files_read_all_locks(lircd_t)
 
 term_use_ptmx(lircd_t)
+term_use_usb_ttys(lircd_t)
+term_use_unallocated_ttys(lircd_t)
 
+auth_use_nsswitch(lircd_t)
 logging_send_syslog_msg(lircd_t)
 
-miscfiles_read_localization(lircd_t)
-
 sysnet_dns_name_resolve(lircd_t)
+
+optional_policy(`
+    sssd_read_public_files(lircd_t)
+')
diff --git a/livecd.if b/livecd.if
index e3541811ac..fc614bac2b 100644
--- a/livecd.if
+++ b/livecd.if
@@ -38,11 +38,36 @@ interface(`livecd_domtrans',`
 #
 interface(`livecd_run',`
 	gen_require(`
+		type livecd_t;
+		type livecd_exec_t;
 		attribute_role livecd_roles;
 	')
 
 	livecd_domtrans($1)
 	roleattribute $2 livecd_roles;
+	role_transition $2 livecd_exec_t system_r;
+
+	optional_policy(`
+		rpm_transition_script(livecd_t, $2)
+	')
+')
+
+########################################
+## <summary>
+##	Dontaudit read/write to a livecd leaks
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`livecd_dontaudit_leaks',`
+	gen_require(`
+		type livecd_t;
+	')
+
+	dontaudit $1 livecd_t:unix_dgram_socket { read write };
 ')
 
 ########################################
diff --git a/livecd.te b/livecd.te
index 2f974bf839..f6e97faaf2 100644
--- a/livecd.te
+++ b/livecd.te
@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
 # Local policy
 #
 
-dontaudit livecd_t self:capability2 mac_admin;
+allow livecd_t self:capability2 mac_admin;
 
-domain_ptrace_all_domains(livecd_t)
+tunable_policy(`deny_ptrace',`',`
+	domain_ptrace_all_domains(livecd_t)
+')
 
 manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
 manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
@@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t)
 optional_policy(`
 	hal_dbus_chat(livecd_t)
 ')
+
 optional_policy(`
-	mount_run(livecd_t, livecd_roles)
+    mount_run(livecd_t, livecd_roles)
 ')
 
 optional_policy(`
-	rpm_domtrans(livecd_t)
+	seutil_run_setfiles_mac(livecd_t, livecd_roles)
 ')
 
 optional_policy(`
diff --git a/lldpad.fc b/lldpad.fc
index 8031a78eb8..72e56acc3a 100644
--- a/lldpad.fc
+++ b/lldpad.fc
@@ -5,3 +5,5 @@
 /var/lib/lldpad(/.*)?	gen_context(system_u:object_r:lldpad_var_lib_t,s0)
 
 /var/run/lldpad.*	gen_context(system_u:object_r:lldpad_var_run_t,s0)
+
+/dev/shm/lldpad.*   --  gen_context(system_u:object_r:lldpad_tmpfs_t,s0)
diff --git a/lldpad.if b/lldpad.if
index d18c96023c..fb5b67416b 100644
--- a/lldpad.if
+++ b/lldpad.if
@@ -1,5 +1,24 @@
 ## <summary>Intel LLDP Agent.</summary>
 
+#######################################
+## <summary>
+##  Transition to lldpad.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldpad_domtrans',`
+    gen_require(`
+        type lldpad_t, lldpad_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    domtrans_pattern($1, lldpad_exec_t, lldpad_t)
+')
+
 #######################################
 ## <summary>
 ##	Send to lldpad with a unix dgram socket.
@@ -42,9 +61,13 @@ interface(`lldpad_admin',`
 		type lldpad_var_run_t;
 	')
 
-	allow $1 lldpad_t:process { ptrace signal_perms };
+	allow $1 lldpad_t:process { signal_perms };
 	ps_process_pattern($1, lldpad_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 lldpad_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 lldpad_initrc_exec_t system_r;
diff --git a/lldpad.te b/lldpad.te
index 2a491d96c1..d909b408c3 100644
--- a/lldpad.te
+++ b/lldpad.te
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
 # Local policy
 #
 
-allow lldpad_t self:capability { net_admin net_raw };
+allow lldpad_t self:capability { net_admin net_raw sys_resource };
 allow lldpad_t self:shm create_shm_perms;
 allow lldpad_t self:fifo_file rw_fifo_file_perms;
 allow lldpad_t self:unix_stream_socket { accept listen };
@@ -36,6 +36,7 @@ allow lldpad_t self:udp_socket create_socket_perms;
 
 manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t)
 fs_tmpfs_filetrans(lldpad_t, lldpad_tmpfs_t, file)
+allow lldpad_t lldpad_tmpfs_t:file map;
 
 manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
 manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
@@ -51,12 +52,20 @@ kernel_request_load_module(lldpad_t)
 
 dev_read_sysfs(lldpad_t)
 
-files_read_etc_files(lldpad_t)
+fs_getattr_tmpfs(lldpad_t)
 
 logging_send_syslog_msg(lldpad_t)
 
-miscfiles_read_localization(lldpad_t)
+userdom_dgram_send(lldpad_t)
 
 optional_policy(`
 	fcoe_dgram_send_fcoemon(lldpad_t)
 ')
+
+optional_policy(`
+    networkmanager_dgram_send(lldpad_t)
+')
+
+optional_policy(`
+    virt_dgram_send(lldpad_t)
+')
diff --git a/loadkeys.te b/loadkeys.te
index d2f4643757..ecbfa88ffa 100644
--- a/loadkeys.te
+++ b/loadkeys.te
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
 corecmd_exec_bin(loadkeys_t)
 corecmd_exec_shell(loadkeys_t)
 
-files_read_etc_files(loadkeys_t)
 files_read_etc_runtime_files(loadkeys_t)
 
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
 
+auth_read_passwd(loadkeys_t)
+
 init_dontaudit_use_fds(loadkeys_t)
 init_dontaudit_use_script_ptys(loadkeys_t)
 
 locallogin_use_fds(loadkeys_t)
 
-miscfiles_read_localization(loadkeys_t)
-
-userdom_use_user_ttys(loadkeys_t)
+userdom_use_inherited_user_ttys(loadkeys_t)
 userdom_list_user_home_content(loadkeys_t)
 
 ifdef(`hide_broken_symptoms',`
@@ -52,3 +51,8 @@ optional_policy(`
 optional_policy(`
 	nscd_dontaudit_search_pid(loadkeys_t)
 ')
+
+optional_policy(`
+    sssd_read_public_files(loadkeys_t)
+    sssd_stream_connect(loadkeys_t)
+')
diff --git a/lockdev.if b/lockdev.if
index 4313b8bc0b..cd1435cdf2 100644
--- a/lockdev.if
+++ b/lockdev.if
@@ -1,5 +1,25 @@
 ## <summary>Library for locking devices.</summary>
 
+#######################################
+## <summary>
+##  Create, read, write, and delete
+##  lockdev lock files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`lockdev_manage_files',`
+    gen_require(`
+            type lockdev_lock_t;
+    ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
+')
+
 ########################################
 ## <summary>
 ##	Role access for lockdev.
diff --git a/lockdev.te b/lockdev.te
index 61db5a0a70..9d5d255241 100644
--- a/lockdev.te
+++ b/lockdev.te
@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
 
 logging_send_syslog_msg(lockdev_t)
 
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.fc b/logrotate.fc
index a11d5be993..dc14626a90 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,6 +1,7 @@
-/etc/cron\.(daily|weekly)/sysklogd	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
 
 /usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
 /var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-/var/lib/logrotate\.status	--	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+/var/lib/logrotate\.status.* --	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+
diff --git a/logrotate.if b/logrotate.if
index dd8e01af35..9cd6b0b8e1 100644
--- a/logrotate.if
+++ b/logrotate.if
@@ -1,4 +1,4 @@
-## <summary>Rotates, compresses, removes and mails system log files.</summary>
+## <summary>Rotate and archive system logs</summary>
 
 ########################################
 ## <summary>
@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute logrotate in the logrotate
-##	domain, and allow the specified
-##	role the logrotate domain.
+##	Execute logrotate in the logrotate domain, and
+##	allow the specified role the logrotate domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',`
 #
 interface(`logrotate_run',`
 	gen_require(`
-		attribute_role logrotate_roles;
+		type logrotate_t;
 	')
 
 	logrotate_domtrans($1)
-	roleattribute $2 logrotate_roles;
+	role $2 types logrotate_t;
 ')
 
 ########################################
@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to inherit
-##	logrotate file descriptors.
+##	Do not audit attempts to inherit logrotate file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Read logrotate temporary files.
+##	Read a logrotate temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/logrotate.te b/logrotate.te
index be0ab84b35..a283ea42cf 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
 # Declarations
 #
 
-attribute_role logrotate_roles;
-roleattribute system_r logrotate_roles;
+gen_require(`
+    class passwd passwd;
+')
+
+## <desc>
+## <p>
+## Allow logrotate to manage nfs files
+## </p>
+## </desc>
+gen_tunable(logrotate_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow logrotate to read logs inside 
+## </p>
+## </desc>
+gen_tunable(logrotate_read_inside_containers, false)
+
 
 type logrotate_t;
-type logrotate_exec_t;
 domain_type(logrotate_t)
 domain_obj_id_change_exemption(logrotate_t)
 domain_system_change_exemption(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
 domain_entry_file(logrotate_t, logrotate_exec_t)
-role logrotate_roles types logrotate_t;
 
 type logrotate_lock_t;
 files_lock_file(logrotate_lock_t)
@@ -25,21 +42,30 @@ files_tmp_file(logrotate_tmp_t)
 type logrotate_var_lib_t;
 files_type(logrotate_var_lib_t)
 
-mta_base_mail_template(logrotate)
-role system_r types logrotate_mail_t;
-
 ########################################
 #
 # Local policy
 #
 
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+dontaudit logrotate_t self:capability { sys_resource net_admin };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+allow logrotate_t self:passwd { passwd };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
 allow logrotate_t self:fifo_file rw_fifo_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
 allow logrotate_t self:unix_dgram_socket sendto;
-allow logrotate_t self:unix_stream_socket { accept connectto listen };
+allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:netlink_selinux_socket create_socket_perms;
 allow logrotate_t self:shm create_shm_perms;
 allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
@@ -48,36 +74,53 @@ allow logrotate_t self:msg { send receive };
 allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
 
+can_exec(logrotate_t, logrotate_tmp_t)
+
 manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
 manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
 files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
 
+# for /var/lib/logrotate.status and /var/lib/logcheck
 create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
 manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
 read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
 
-can_exec(logrotate_t, logrotate_tmp_t)
-
 kernel_read_system_state(logrotate_t)
 kernel_read_kernel_sysctls(logrotate_t)
 
+dev_read_urand(logrotate_t)
+dev_read_sysfs(logrotate_t)
+dev_write_kmsg(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_all_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
+mls_file_upgrade(logrotate_t)
+mls_process_write_to_clearance(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
+# Run helper programs.
 corecmd_exec_bin(logrotate_t)
 corecmd_exec_shell(logrotate_t)
 corecmd_getattr_all_executables(logrotate_t)
 
-dev_read_urand(logrotate_t)
-
 domain_signal_all_domains(logrotate_t)
 domain_use_interactive_fds(logrotate_t)
 domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
 domain_read_all_domains_state(logrotate_t)
 
-files_read_usr_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)
 files_search_all(logrotate_t)
 files_read_var_lib_files(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 files_getattr_generic_locks(logrotate_t)
@@ -95,32 +138,58 @@ mls_process_write_to_clearance(logrotate_t)
 selinux_get_fs_mount(logrotate_t)
 selinux_get_enforce_mode(logrotate_t)
 
+application_exec_all(logrotate_t)
+
+auth_domtrans_chk_passwd(logrotate_t)
 auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 
 init_all_labeled_script_domtrans(logrotate_t)
+init_reload_services(logrotate_t)
+init_reload_transient_unit(logrotate_t)
 
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
+# cjp: why is this needed?
 logging_exec_all_logs(logrotate_t)
 
-miscfiles_read_localization(logrotate_t)
+systemd_exec_systemctl(logrotate_t)
+systemd_getattr_unit_files(logrotate_t)
+systemd_start_all_unit_files(logrotate_t)
+systemd_reload_all_services(logrotate_t)
+systemd_status_all_unit_files(logrotate_t)
+systemd_dbus_chat_logind(logrotate_t)
+systemd_config_generic_services(logrotate_t)
+init_stream_connect(logrotate_t)
+init_reload_transient_unit(logrotate_t)
+
+miscfiles_read_hwdata(logrotate_t)
 
-seutil_dontaudit_read_config(logrotate_t)
+term_dontaudit_use_unallocated_ttys(logrotate_t)
 
-userdom_use_user_terminals(logrotate_t)
+userdom_use_inherited_user_terminals(logrotate_t)
 userdom_list_user_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
+userdom_list_admin_dir(logrotate_t)
+userdom_dontaudit_getattr_user_home_content(logrotate_t)
 
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+tunable_policy(`logrotate_use_nfs',`
+        fs_manage_nfs_files(logrotate_t)
+        fs_manage_nfs_dirs(logrotate_t)
+        fs_manage_nfs_symlinks(logrotate_t)
+')
 
-ifdef(`distro_debian',`
+ifdef(`distro_debian', `
 	allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
+	# for savelog
 	can_exec(logrotate_t, logrotate_exec_t)
 
-	logging_check_exec_syslog(logrotate_t)
+	# for syslogd-listfiles
 	logging_read_syslog_config(logrotate_t)
+
+	# for "test -x /sbin/syslogd"
+	logging_check_exec_syslog(logrotate_t)
 ')
 
 optional_policy(`
@@ -135,16 +204,17 @@ optional_policy(`
 
 optional_policy(`
 	apache_read_config(logrotate_t)
+    apache_read_sys_content_rw_dirs(logrotate_t)
 	apache_domtrans(logrotate_t)
 	apache_signull(logrotate_t)
 ')
 
 optional_policy(`
-	asterisk_domtrans(logrotate_t)
+	awstats_domtrans(logrotate_t)
 ')
 
 optional_policy(`
-	awstats_domtrans(logrotate_t)
+	asterisk_domtrans(logrotate_t)
 ')
 
 optional_policy(`
@@ -160,6 +230,10 @@ optional_policy(`
 	consoletype_exec(logrotate_t)
 ')
 
+optional_policy(`
+    collectd_manage_rw_content(logrotate_t)
+')
+
 optional_policy(`
 	cron_system_entry(logrotate_t, logrotate_exec_t)
 	cron_search_spool(logrotate_t)
@@ -170,6 +244,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+    dbus_system_bus_client(logrotate_t)
+')
+
+optional_policy(`
+    fail2ban_domtrans_client(logrotate_t)
 	fail2ban_stream_connect(logrotate_t)
 ')
 
@@ -178,7 +257,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	chronyd_read_key_files(logrotate_t)
+    chronyd_domtrans_chronyc(logrotate_t)
+	chronyd_read_keys(logrotate_t)
 ')
 
 optional_policy(`
@@ -198,23 +278,32 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_read_home_content(logrotate_t)
 	mysql_read_config(logrotate_t)
+	mysql_search_db(logrotate_t)
 	mysql_stream_connect(logrotate_t)
 ')
 
 optional_policy(`
-	openvswitch_read_pid_files(logrotate_t)
-	openvswitch_domtrans(logrotate_t)
+	polipo_named_filetrans_log_files(logrotate_t)
 ')
 
 optional_policy(`
-	polipo_log_filetrans_log(logrotate_t, file, "polipo")
+    prosody_stream_connect(logrotate_t)
 ')
 
 optional_policy(`
 	psad_domtrans(logrotate_t)
 ')
 
+optional_policy(`
+    rabbitmq_domtrans(logrotate_t)
+')
+
+optional_policy(`
+	raid_domtrans_mdadm(logrotate_t)
+')
+
 optional_policy(`
 	samba_exec_log(logrotate_t)
 ')
@@ -227,27 +316,51 @@ optional_policy(`
 	slrnpull_manage_spool(logrotate_t)
 ')
 
+optional_policy(`
+	openshift_manage_lib_files(logrotate_t)
+')
+
+optional_policy(`
+	openvswitch_read_pid_files(logrotate_t)
+	openvswitch_domtrans(logrotate_t)
+')
+
 optional_policy(`
 	squid_domtrans(logrotate_t)
+    squid_read_config(logrotate_t)
 ')
 
 optional_policy(`
+	#Red Hat bug 564565
 	su_exec(logrotate_t)
 ')
 
+optional_policy(`
+    rpm_read_cache(logrotate_t)
+')
+
 optional_policy(`
 	varnishd_manage_log(logrotate_t)
 ')
 
+optional_policy(`
+	virt_manage_cache(logrotate_t)
+')
+
+
+optional_policy(`
+	tunable_policy(`logrotate_read_inside_containers',`
+		virt_read_sandbox_files(logrotate_t)
+	')
+')
+
 #######################################
 #
-# Mail local policy
+# logrotate_mail local policy
 #
 
-allow logrotate_mail_t logrotate_t:fd use;
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
-allow logrotate_mail_t logrotate_t:process sigchld;
-
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
-
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
 logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.if b/logwatch.if
index 06c3d36caa..37e71b3d7d 100644
--- a/logwatch.if
+++ b/logwatch.if
@@ -37,3 +37,42 @@ interface(`logwatch_search_cache_dir',`
 	files_search_var($1)
 	allow $1 logwatch_cache_t:dir search_dir_perms;
 ')
+
+#######################################
+## <summary>
+##  Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`logwatch_dontaudit_leaks',`
+    gen_require(`
+        type logwatch_t;
+    ')
+
+	dontaudit $1 logwatch_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	svirt cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logwatch_manage_cache',`
+	gen_require(`
+		type logwatch_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, logwatch_cache_t, logwatch_cache_t)
+	manage_dirs_pattern($1, logwatch_cache_t, logwatch_cache_t)
+')
diff --git a/logwatch.te b/logwatch.te
index ab650340c1..6d6816bb67 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
 
 type logwatch_t;
 type logwatch_exec_t;
-init_system_domain(logwatch_t, logwatch_exec_t)
+init_daemon_domain(logwatch_t, logwatch_exec_t)
+application_domain(logwatch_t, logwatch_exec_t)
 
 type logwatch_cache_t;
 files_type(logwatch_cache_t)
@@ -45,7 +46,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
 manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
 manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
 
-allow logwatch_t logwatch_lock_t:file manage_file_perms;
+manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
+manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
 files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
 
 manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
@@ -61,6 +63,11 @@ kernel_read_system_state(logwatch_t)
 kernel_read_net_sysctls(logwatch_t)
 kernel_read_network_state(logwatch_t)
 
+corenet_all_recvfrom_unlabeled(logwatch_t)
+corenet_all_recvfrom_netlabel(logwatch_t)
+corenet_tcp_sendrecv_generic_if(logwatch_t)
+corenet_tcp_sendrecv_generic_node(logwatch_t)
+
 corecmd_exec_bin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
 
@@ -75,10 +82,11 @@ files_list_var(logwatch_t)
 files_search_all(logwatch_t)
 files_read_var_symlinks(logwatch_t)
 files_read_etc_runtime_files(logwatch_t)
-files_read_usr_files(logwatch_t)
+files_read_system_conf_files(logwatch_t)
 
 fs_getattr_all_dirs(logwatch_t)
 fs_getattr_all_fs(logwatch_t)
+fs_getattr_all_dirs(logwatch_t)
 fs_dontaudit_list_auto_mountpoints(logwatch_t)
 fs_list_inotifyfs(logwatch_t)
 
@@ -100,23 +108,16 @@ libs_read_lib_files(logwatch_t)
 logging_read_all_logs(logwatch_t)
 logging_send_syslog_msg(logwatch_t) 
 
-miscfiles_read_localization(logwatch_t)
+miscfiles_read_hwdata(logwatch_t)
 
 selinux_dontaudit_getattr_dir(logwatch_t)
 
 sysnet_exec_ifconfig(logwatch_t)
 
-userdom_dontaudit_search_user_home_dirs(logwatch_t)
-
 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
 mta_getattr_spool(logwatch_t)
 
 tunable_policy(`logwatch_can_network_connect_mail',`
-	corenet_all_recvfrom_unlabeled(logwatch_t)
-	corenet_all_recvfrom_netlabel(logwatch_t)
-	corenet_tcp_sendrecv_generic_if(logwatch_t)
-	corenet_tcp_sendrecv_generic_node(logwatch_t)
-
 	corenet_sendrecv_smtp_client_packets(logwatch_t)
 	corenet_tcp_connect_smtp_port(logwatch_t)
 	corenet_tcp_sendrecv_smtp_port(logwatch_t)
@@ -159,6 +160,16 @@ optional_policy(`
 	ntp_domtrans(logwatch_t)
 ')
 
+optional_policy(`
+	postfix_domtrans_postqueue(logwatch_t)
+')
+
+optional_policy(`
+	raid_domtrans_mdadm(logwatch_t)
+	raid_access_check_mdadm(logwatch_t)
+    raid_read_conf_files(logwatch_t)
+')
+
 optional_policy(`
 	rpc_search_nfs_state_data(logwatch_t)
 ')
@@ -187,6 +198,19 @@ dev_read_sysfs(logwatch_mail_t)
 
 logging_read_all_logs(logwatch_mail_t)
 
+mta_read_home(logwatch_mail_t)
+mta_filetrans_home_content(logwatch_mail_t)
+mta_filetrans_admin_home_content(logwatch_mail_t)
+
 optional_policy(`
 	cron_use_system_job_fds(logwatch_mail_t)
 ')
+
+optional_policy(`
+	courier_stream_connect_authdaemon(logwatch_mail_t)
+')
+
+optional_policy(`
+	qmail_domtrans_inject(logwatch_mail_t)
+	qmail_domtrans_queue(logwatch_mail_t)
+')
diff --git a/lpd.fc b/lpd.fc
index 2fb9b2ec28..08974e3760 100644
--- a/lpd.fc
+++ b/lpd.fc
@@ -19,6 +19,7 @@
 /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/local/linuxprinter/bin/l?lpr	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
 /usr/share/printconf/.*	--	gen_context(system_u:object_r:printconf_t,s0)
diff --git a/lpd.if b/lpd.if
index 62563717b4..ce2acb8815 100644
--- a/lpd.if
+++ b/lpd.if
@@ -1,44 +1,49 @@
-## <summary>Line printer daemon.</summary>
+## <summary>Line printer daemon</summary>
 
 ########################################
 ## <summary>
-##	Role access for lpd.
+##	Role access for lpd
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`lpd_role',`
 	gen_require(`
 		attribute_role lpr_roles;
-		type lpr_t, lpr_exec_t;
+		type lpr_t, lpr_exec_t, print_spool_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
+    ########################################
+    # 
+    # Declarations
+    #            
 
 	roleattribute $1 lpr_roles;
 
-	########################################
-	#
-	# Policy
-	#
+    ########################################
+    #
+    # Policy
+    #            
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, lpr_exec_t, lpr_t)
+	dontaudit lpr_t $2:unix_stream_socket { read write };
 
-	allow $2 lpr_t:process { ptrace signal_perms };
 	ps_process_pattern($2, lpr_t)
+	allow $2 lpr_t:process signal_perms;
 
-	dontaudit lpr_t $2:unix_stream_socket { read write };
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 lpr_t:process ptrace;
+	')
 
 	optional_policy(`
 		cups_read_config($2)
@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',`
 		type checkpc_t, checkpc_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, checkpc_exec_t, checkpc_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute amrecover in the lpd
-##	domain, and allow the specified
-##	role the lpd domain.
+##	Execute amrecover in the lpd domain, and
+##	allow the specified role the lpd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',`
 #
 interface(`lpd_run_checkpc',`
 	gen_require(`
-		attribute_role checkpc_roles;
+		type checkpc_t;
 	')
 
 	lpd_domtrans_checkpc($1)
-	roleattribute $2 checkpc_roles;
+	role $2 types checkpc_t;
 ')
 
 ########################################
 ## <summary>
-##	List printer spool directories.
+##	List the contents of the printer spool directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112,7 +115,7 @@ interface(`lpd_list_spool',`
 
 ########################################
 ## <summary>
-##	Read printer spool files.
+##	Read the printer spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -131,8 +134,7 @@ interface(`lpd_read_spool',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	printer spool content.
+##	Create, read, write, and delete printer spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',`
 	manage_dirs_pattern($1, print_spool_t, print_spool_t)
 	manage_files_pattern($1, print_spool_t, print_spool_t)
 	manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
+    manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Relabel spool files.
+##	Relabel from and to the spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',`
 
 ########################################
 ## <summary>
-##	Read printer configuration files.
+##	List the contents of the printer spool directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -200,12 +203,11 @@ interface(`lpd_read_config',`
 ##	</summary>
 ## </param>
 #
-template(`lpd_domtrans_lpr',`
+interface(`lpd_domtrans_lpr',`
 	gen_require(`
 		type lpr_t, lpr_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, lpr_exec_t, lpr_t)
 ')
 
@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',`
 
 ########################################
 ## <summary>
-##	Execute lpr in the caller domain.
+##	Allow the specified domain to execute lpr
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',`
 		type lpr_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, lpr_exec_t)
 ')
diff --git a/lpd.te b/lpd.te
index 39d31640ed..1ec2cd26eb 100644
--- a/lpd.te
+++ b/lpd.te
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
 type print_spool_t;
 typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
 typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
-files_type(print_spool_t)
+files_spool_file(print_spool_t)
 ubac_constrained(print_spool_t)
 
 type printer_t;
@@ -62,7 +62,7 @@ files_config_file(printconf_t)
 # Checkpc local policy
 #
 
-allow checkpc_t self:capability { setgid setuid dac_override };
+allow checkpc_t self:capability { setgid setuid dac_read_search dac_override };
 allow checkpc_t self:process signal_perms;
 allow checkpc_t self:unix_stream_socket create_socket_perms;
 allow checkpc_t self:tcp_socket create_socket_perms;
@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms;
 
 kernel_read_system_state(checkpc_t)
 
-corenet_all_recvfrom_unlabeled(checkpc_t)
 corenet_all_recvfrom_netlabel(checkpc_t)
 corenet_tcp_sendrecv_generic_if(checkpc_t)
 corenet_tcp_sendrecv_generic_node(checkpc_t)
@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t)
 
 domain_use_interactive_fds(checkpc_t)
 
-files_read_etc_files(checkpc_t)
 files_read_etc_runtime_files(checkpc_t)
 files_search_pids(checkpc_t)
 files_search_spool(checkpc_t)
@@ -107,7 +105,7 @@ init_use_fds(checkpc_t)
 
 sysnet_read_config(checkpc_t)
 
-userdom_use_user_terminals(checkpc_t)
+userdom_use_inherited_user_terminals(checkpc_t)
 
 optional_policy(`
 	cron_system_entry(checkpc_t, checkpc_exec_t)
@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t)
 kernel_read_kernel_sysctls(lpd_t)
 kernel_read_system_state(lpd_t)
 
-corenet_all_recvfrom_unlabeled(lpd_t)
 corenet_all_recvfrom_netlabel(lpd_t)
 corenet_tcp_sendrecv_generic_if(lpd_t)
 corenet_tcp_sendrecv_generic_node(lpd_t)
@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t)
 domain_use_interactive_fds(lpd_t)
 
 files_read_etc_runtime_files(lpd_t)
-files_read_usr_files(lpd_t)
 files_list_world_readable(lpd_t)
 files_read_world_readable_files(lpd_t)
 files_read_world_readable_symlinks(lpd_t)
 files_list_var_lib(lpd_t)
 files_read_var_lib_files(lpd_t)
 files_read_var_lib_symlinks(lpd_t)
-files_read_etc_files(lpd_t)
 files_search_spool(lpd_t)
 
 fs_getattr_all_fs(lpd_t)
@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t)
 logging_send_syslog_msg(lpd_t)
 
 miscfiles_read_fonts(lpd_t)
-miscfiles_read_localization(lpd_t)
 
 sysnet_read_config(lpd_t)
 
@@ -214,7 +208,7 @@ optional_policy(`
 # Lpr local policy
 #
 
-allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:capability { setuid dac_read_search dac_override net_bind_service chown };
 allow lpr_t self:unix_stream_socket { accept listen };
 
 allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t)
 kernel_read_crypto_sysctls(lpr_t)
 kernel_read_kernel_sysctls(lpr_t)
 
-corenet_all_recvfrom_unlabeled(lpr_t)
 corenet_all_recvfrom_netlabel(lpr_t)
 corenet_tcp_sendrecv_generic_if(lpr_t)
 corenet_tcp_sendrecv_generic_node(lpr_t)
@@ -239,7 +232,6 @@ dev_read_urand(lpr_t)
 domain_use_interactive_fds(lpr_t)
 
 files_search_spool(lpr_t)
-files_read_usr_files(lpr_t)
 files_list_home(lpr_t)
 
 fs_getattr_all_fs(lpr_t)
@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t)
 
 auth_use_nsswitch(lpr_t)
 
-logging_send_syslog_msg(lpr_t)
-
 miscfiles_read_fonts(lpr_t)
-miscfiles_read_localization(lpr_t)
 
 userdom_read_user_tmp_symlinks(lpr_t)
-userdom_use_user_terminals(lpr_t)
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(lpr_t)
 userdom_read_user_home_content_files(lpr_t)
 userdom_read_user_tmp_files(lpr_t)
+userdom_write_user_tmp_sockets(lpr_t)
+userdom_stream_connect(lpr_t)
 
 tunable_policy(`use_lpd_server',`
-	allow lpr_t lpd_t:process signal;
-
-	write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t)
+	# lpr can run in lightweight mode, without a local print spooler.
+	allow lpr_t lpd_var_run_t:dir search_dir_perms;
+	allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
 	files_read_var_files(lpr_t)
 
+	# Connect to lpd via a Unix domain socket.
+	allow lpr_t printer_t:sock_file read_sock_file_perms;
 	stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
+	# Send SIGHUP to lpd.
+	allow lpr_t lpd_t:process signal;
 
 	manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
 	manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',`
 	allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_list_auto_mountpoints(lpr_t)
-	fs_read_nfs_files(lpr_t)
-	fs_read_nfs_symlinks(lpr_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_list_auto_mountpoints(lpr_t)
-	fs_read_cifs_files(lpr_t)
-	fs_read_cifs_symlinks(lpr_t)
-')
+userdom_home_reader(lpr_t)
 
 optional_policy(`
 	cups_read_config(lpr_t)
@@ -298,5 +284,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_stream_connect_all_gkeyringd(lpr_t)
+	gnome_stream_connect_gkeyringd(lpr_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(lpr_t)
+')
+
+optional_policy(`
+	mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
 ')
diff --git a/lsm.fc b/lsm.fc
index c455730535..6e14667940 100644
--- a/lsm.fc
+++ b/lsm.fc
@@ -1,3 +1,7 @@
 /usr/bin/lsmd	--	gen_context(system_u:object_r:lsmd_exec_t,s0)
 
+/usr/bin/.*_lsmplugin    --  gen_context(system_u:object_r:lsmd_plugin_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.*		--	gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
 /var/run/lsm(/.*)?	gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
index d3143334dd..27ede090c4 100644
--- a/lsm.if
+++ b/lsm.if
@@ -1,25 +1,86 @@
-## <summary>Storage array management library.</summary>
+
+## <summary>libStorageMgmt  plug-in  daemon </summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate
-##	an lsmd environment.
+##	Execute TEMPLATE in the lsmd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lsmd_domtrans',`
+	gen_require(`
+		type lsmd_t, lsmd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, lsmd_exec_t, lsmd_t)
+')
+########################################
+## <summary>
+##	Read lsmd PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`lsmd_read_pid_files',`
+	gen_require(`
+		type lsmd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute lsmd server in the lsmd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`lsmd_systemctl',`
+	gen_require(`
+		type lsmd_t;
+		type lsmd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 lsmd_unit_file_t:file read_file_perms;
+	allow $1 lsmd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, lsmd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an lsmd environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`lsmd_admin',`
 	gen_require(`
-		type lsmd_t, type lsmd_var_run_t;
+		type lsmd_t;
+		type lsmd_var_run_t;
+		type lsmd_unit_file_t;
 	')
 
 	allow $1 lsmd_t:process { ptrace signal_perms };
@@ -27,4 +88,13 @@ interface(`lsmd_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, lsmd_var_run_t)
+
+	lsmd_systemctl($1)
+	admin_pattern($1, lsmd_unit_file_t)
+	allow $1 lsmd_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/lsm.te b/lsm.te
index 4ec0eea306..45a3516462 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
 #
 # Declarations
 #
+## <desc>
+##	<p>
+##	Determine whether lsmd_plugin can
+##	connect to all TCP ports.
+##	</p>
+## </desc>
+gen_tunable(lsmd_plugin_connect_any, false)
 
 type lsmd_t;
 type lsmd_exec_t;
@@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
 type lsmd_var_run_t;
 files_pid_file(lsmd_var_run_t)
 
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
+type lsmd_plugin_t;
+type lsmd_plugin_exec_t;
+application_domain(lsmd_plugin_t, lsmd_plugin_exec_t)
+role system_r types lsmd_plugin_t;
+
+type lsmd_plugin_tmp_t;
+files_tmp_file(lsmd_plugin_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow lsmd_t self:capability setgid;
+allow lsmd_t self:capability { setuid setgid };
 allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
@@ -26,4 +44,76 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
 files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
 
+auth_use_nsswitch(lsmd_t)
+
+corecmd_exec_bin(lsmd_t)
+corecmd_getattr_all_executables(lsmd_t)
+
 logging_send_syslog_msg(lsmd_t)
+
+optional_policy(`
+    rpm_debuginfo_domtrans(lsmd_t)
+')
+
+########################################
+#
+# Local lsmd plugin policy
+#
+
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
+allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
+allow lsmd_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow lsmd_plugin_t self:capability { sys_admin sys_rawio } ;
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
+
+allow lsmd_t lsmd_plugin_exec_t:file { map read_file_perms };
+stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)
+
+manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
+
+tunable_policy(`lsmd_plugin_connect_any',`
+	corenet_tcp_connect_all_ports(lsmd_plugin_t)
+	corenet_sendrecv_all_packets(lsmd_plugin_t)
+	corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
+')
+
+kernel_read_system_state(lsmd_plugin_t)
+
+auth_read_passwd(lsmd_plugin_t)
+
+dev_read_urand(lsmd_plugin_t)
+dev_read_sysfs(lsmd_plugin_t)
+dev_getattr_sysfs_fs(lsmd_plugin_t)
+
+corecmd_exec_bin(lsmd_plugin_t)
+
+corenet_tcp_connect_http_port(lsmd_plugin_t)
+corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
+corenet_tcp_connect_lsm_plugin_port(lsmd_plugin_t)
+corenet_tcp_connect_pegasus_https_port(lsmd_plugin_t)
+corenet_tcp_connect_pegasus_http_port(lsmd_plugin_t)
+corenet_tcp_connect_ssh_port(lsmd_plugin_t)
+
+auth_use_nsswitch(lsmd_plugin_t)
+
+init_stream_connect(lsmd_plugin_t)
+init_dontaudit_rw_stream_socket(lsmd_plugin_t)
+
+libs_exec_ldconfig(lsmd_plugin_t)
+
+logging_send_syslog_msg(lsmd_plugin_t)
+
+miscfiles_read_certs(lsmd_plugin_t)
+miscfiles_read_hwdata(lsmd_plugin_t)
+
+sysnet_read_config(lsmd_plugin_t)
+
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
+storage_create_fixed_disk_dev(lsmd_plugin_t)
+storage_read_scsi_generic(lsmd_plugin_t)
+storage_write_scsi_generic(lsmd_plugin_t)
+storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
diff --git a/lttng-tools.fc b/lttng-tools.fc
new file mode 100644
index 0000000000..bdd17ca85b
--- /dev/null
+++ b/lttng-tools.fc
@@ -0,0 +1,5 @@
+/usr/bin/lttng-sessiond		--	gen_context(system_u:object_r:lttng_sessiond_exec_t,s0)
+
+/usr/lib/systemd/system/lttng-sessiond.service		--	gen_context(system_u:object_r:lttng_sessiond_unit_file_t,s0)
+
+/var/run/lttng(/.*)?        gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0)
diff --git a/lttng-tools.if b/lttng-tools.if
new file mode 100644
index 0000000000..e86897d290
--- /dev/null
+++ b/lttng-tools.if
@@ -0,0 +1,117 @@
+
+## <summary>LTTng 2.x central tracing registry session daemon.</summary>
+
+########################################
+## <summary>
+##	Execute lttng_sessiond_exec_t in the lttng_sessiond domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lttng_sessiond_domtrans',`
+	gen_require(`
+		type lttng_sessiond_t, lttng_sessiond_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, lttng_sessiond_exec_t, lttng_sessiond_t)
+')
+
+######################################
+## <summary>
+##	Execute lttng_sessiond in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lttng_sessiond_exec',`
+	gen_require(`
+		type lttng_sessiond_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, lttng_sessiond_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute lttng_sessiond server in the lttng_sessiond domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`lttng_sessiond_systemctl',`
+	gen_require(`
+		type lttng_sessiond_t;
+		type lttng_sessiond_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 lttng_sessiond_unit_file_t:file read_file_perms;
+	allow $1 lttng_sessiond_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, lttng_sessiond_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an lttng_sessiond environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lttng_sessiond_admin',`
+	gen_require(`
+		type lttng_sessiond_t;
+    	type lttng_sessiond_unit_file_t;
+	')
+
+	allow $1 lttng_sessiond_t:process { signal_perms };
+	ps_process_pattern($1, lttng_sessiond_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 lttng_sessiond_t:process ptrace;
+    ')
+
+	lttng_sessiond_systemctl($1)
+	admin_pattern($1, lttng_sessiond_unit_file_t)
+	allow $1 lttng_sessiond_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+## Read and write lttng-tools shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lttng_read_shm',`
+	gen_require(`
+		type lttng_sessiond_tmpfs_t;
+	')
+
+	read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+	fs_search_tmpfs($1)
+')
diff --git a/lttng-tools.te b/lttng-tools.te
new file mode 100644
index 0000000000..1d2ca22240
--- /dev/null
+++ b/lttng-tools.te
@@ -0,0 +1,60 @@
+policy_module(lttng-tools, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lttng_sessiond_t;
+type lttng_sessiond_exec_t;
+init_daemon_domain(lttng_sessiond_t, lttng_sessiond_exec_t)
+
+type lttng_sessiond_tmpfs_t;
+files_tmpfs_file(lttng_sessiond_tmpfs_t)
+
+type lttng_sessiond_var_run_t;
+files_pid_file(lttng_sessiond_var_run_t)
+
+type lttng_sessiond_unit_file_t;
+systemd_unit_file(lttng_sessiond_unit_file_t)
+
+########################################
+#
+# lttng_sessiond local policy
+#
+
+allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource };
+allow lttng_sessiond_t self:capability2 block_suspend;
+allow lttng_sessiond_t self:process { setrlimit signal_perms };
+allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms;
+allow lttng_sessiond_t self:tcp_socket listen;
+allow lttng_sessiond_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_lnk_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+manage_sock_files_pattern(lttng_sessiond_t, lttng_sessiond_var_run_t, lttng_sessiond_var_run_t)
+files_pid_filetrans(lttng_sessiond_t, lttng_sessiond_var_run_t, { dir })
+
+manage_dirs_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+manage_files_pattern(lttng_sessiond_t, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
+fs_tmpfs_filetrans(lttng_sessiond_t, lttng_sessiond_tmpfs_t, { dir file })
+
+kernel_read_system_state(lttng_sessiond_t)
+kernel_read_net_sysctls(lttng_sessiond_t)
+kernel_read_fs_sysctls(lttng_sessiond_t)
+
+corecmd_exec_shell(lttng_sessiond_t)
+
+corenet_tcp_bind_generic_node(lttng_sessiond_t)
+corenet_tcp_bind_lltng_port(lttng_sessiond_t)
+
+dev_read_sysfs(lttng_sessiond_t)
+
+fs_getattr_tmpfs(lttng_sessiond_t)
+
+auth_use_nsswitch(lttng_sessiond_t)
+
+modutils_exec_insmod(lttng_sessiond_t)
+modutils_read_module_config(lttng_sessiond_t)
+files_read_kernel_modules(lttng_sessiond_t)
diff --git a/mailman.fc b/mailman.fc
index 995d0a5d34..3d40d59d2d 100644
--- a/mailman.fc
+++ b/mailman.fc
@@ -2,10 +2,12 @@
 
 /etc/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
 
+/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman.*/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman.*/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman.*/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/var/lib/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
+/var/lib/mailman(/.*)?	gen_context(system_u:object_r:mailman_data_t,s0)
 /var/lib/mailman.*/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
 
 /var/lock/mailman.*	gen_context(system_u:object_r:mailman_lock_t,s0)
diff --git a/mailman.if b/mailman.if
index 108c0f1f55..a2485018e2 100644
--- a/mailman.if
+++ b/mailman.if
@@ -1,44 +1,70 @@
-## <summary>Manage electronic mail discussion and e-newsletter lists.</summary>
+## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
 
 #######################################
 ## <summary>
-##	The template to define a mailman domain.
+##	The template to define a mailmain domain.
 ## </summary>
-## <param name="domain_prefix">
+## <desc>
+##	<p>
+##	This template creates a domain to be used for
+##	a new mailman daemon.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	The type of daemon to be used eg, cgi would give mailman_cgi_
 ##	</summary>
 ## </param>
 #
-template(`mailman_domain_template',`
-	gen_require(`
-		attribute mailman_domain;
-	')
+template(`mailman_domain_template', `
 
-	########################################
-	#
-	# Declarations
-	#
+    ########################################
+    #    
+    # Declarations
+    #            
 
-	type mailman_$1_t;
-	type mailman_$1_exec_t;
+    gen_require(`
+        attribute mailman_domain;
+    ')
+
+	type mailman_$1_t, mailman_domain;
 	domain_type(mailman_$1_t)
+	type mailman_$1_exec_t;
 	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
 	role system_r types mailman_$1_t;
 
 	type mailman_$1_tmp_t;
 	files_tmp_file(mailman_$1_tmp_t)
 
-	####################################
-	#
-	# Policy
-	#
+    ####################################
+    # 
+    # Policy
+    #            
 
 	manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
 	manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
 	files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
 
+	kernel_read_system_state(mailman_$1_t)
+
+	corenet_all_recvfrom_unlabeled(mailman_$1_t)
+	corenet_all_recvfrom_netlabel(mailman_$1_t)
+	corenet_tcp_sendrecv_generic_if(mailman_$1_t)
+	corenet_udp_sendrecv_generic_if(mailman_$1_t)
+	corenet_raw_sendrecv_generic_if(mailman_$1_t)
+	corenet_tcp_sendrecv_generic_node(mailman_$1_t)
+	corenet_udp_sendrecv_generic_node(mailman_$1_t)
+	corenet_raw_sendrecv_generic_node(mailman_$1_t)
+	corenet_tcp_sendrecv_all_ports(mailman_$1_t)
+	corenet_udp_sendrecv_all_ports(mailman_$1_t)
+	corenet_tcp_bind_generic_node(mailman_$1_t)
+	corenet_udp_bind_generic_node(mailman_$1_t)
+	corenet_tcp_connect_smtp_port(mailman_$1_t)
+	corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+
 	auth_use_nsswitch(mailman_$1_t)
+
+	logging_send_syslog_msg(mailman_$1_t)
 ')
 
 #######################################
@@ -56,15 +82,12 @@ interface(`mailman_domtrans',`
 		type mailman_mail_exec_t, mailman_mail_t;
 	')
 
-	libs_search_lib($1)
 	domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the mailman program in the
-##	mailman domain and allow the
-##	specified role the mailman domain.
+##	Execute the mailman program in the mailman domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -73,18 +96,18 @@ interface(`mailman_domtrans',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to allow the mailman domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`mailman_run',`
 	gen_require(`
-		attribute_role mailman_roles;
+		type mailman_mail_t;
 	')
 
 	mailman_domtrans($1)
-	roleattribute $2 mailman_roles;
+	role $2 types mailman_mail_t;
 ')
 
 #######################################
@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',`
 		type mailman_cgi_exec_t, mailman_cgi_t;
 	')
 
-	libs_search_lib($1)
 	domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
 ')
 
@@ -122,13 +144,12 @@ interface(`mailman_exec',`
 		type mailman_mail_exec_t;
 	')
 
-	libs_search_lib($1)
 	can_exec($1, mailman_mail_exec_t)
 ')
 
 #######################################
 ## <summary>
-##	Send generic signals to mailman cgi.
+##	Send generic signals to the mailman cgi domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',`
 
 #######################################
 ## <summary>
-##	Search mailman data directories.
+##	Allow domain to search data directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -159,13 +180,12 @@ interface(`mailman_search_data',`
 		type mailman_data_t;
 	')
 
-	files_search_spool($1)
 	allow $1 mailman_data_t:dir search_dir_perms;
 ')
 
 #######################################
 ## <summary>
-##	Read mailman data content.
+##	Allow domain to to read mailman data files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',`
 		type mailman_data_t;
 	')
 
-	files_search_spool($1)
 	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	read_files_pattern($1, mailman_data_t, mailman_data_t)
 	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',`
 
 #######################################
 ## <summary>
-##	Create, read, write, and delete
-##	mailman data files.
+##	Allow domain to to create mailman data files
+##	and write the directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',`
 		type mailman_data_t;
 	')
 
-	files_search_spool($1)
 	manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	manage_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
 
 #######################################
 ## <summary>
-##	List mailman data directories.
+##	List the contents of mailman data directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -220,13 +238,12 @@ interface(`mailman_list_data',`
 		type mailman_data_t;
 	')
 
-	files_search_spool($1)
 	allow $1 mailman_data_t:dir list_dir_perms;
 ')
 
 #######################################
 ## <summary>
-##	Read mailman data symbolic links.
+##	Allow read acces to mailman data symbolic links.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',`
 
 #######################################
 ## <summary>
-##	Read mailman log files.
+##	Read mailman logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -257,13 +274,12 @@ interface(`mailman_read_log',`
 		type mailman_log_t;
 	')
 
-	logging_search_logs($1)
 	read_files_pattern($1, mailman_log_t, mailman_log_t)
 ')
 
 #######################################
 ## <summary>
-##	Append mailman log files.
+##	Append to mailman logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -276,14 +292,13 @@ interface(`mailman_append_log',`
 		type mailman_log_t;
 	')
 
-	logging_search_logs($1)
 	append_files_pattern($1, mailman_log_t, mailman_log_t)
 ')
 
 #######################################
 ## <summary>
 ##	Create, read, write, and delete
-##	mailman log content.
+##	mailman logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -296,14 +311,13 @@ interface(`mailman_manage_log',`
 		type mailman_log_t;
 	')
 
-	logging_search_logs($1)
 	manage_files_pattern($1, mailman_log_t, mailman_log_t)
 	manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
 ')
 
 #######################################
 ## <summary>
-##	Read mailman archive content.
+##	Allow domain to read mailman archive files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -316,7 +330,6 @@ interface(`mailman_read_archive',`
 		type mailman_archive_t;
 	')
 
-	files_search_var_lib($1)
 	allow $1 mailman_archive_t:dir list_dir_perms;
 	read_files_pattern($1, mailman_archive_t, mailman_archive_t)
 	read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
@@ -324,8 +337,7 @@ interface(`mailman_read_archive',`
 
 #######################################
 ## <summary>
-##	Execute mailman_queue in the
-##	mailman_queue domain.
+##	Execute mailman_queue in the mailman_queue domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',`
 		type mailman_queue_exec_t, mailman_queue_t;
 	')
 
-	libs_search_lib($1)
 	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
 ')
diff --git a/mailman.te b/mailman.te
index ac81c7fa9a..2bbde0b7c7 100644
--- a/mailman.te
+++ b/mailman.te
@@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
 #
 # Declarations
 #
+## <desc>
+##	<p>
+##	Allow mailman to access FUSE file systems
+##	</p>
+## </desc>
+gen_tunable(mailman_use_fusefs, false)
 
 attribute mailman_domain;
 
@@ -50,16 +56,12 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t)
 manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t)
 files_lock_filetrans(mailman_domain, mailman_lock_t, file)
 
-append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
-create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
-setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
 logging_log_filetrans(mailman_domain, mailman_log_t, file)
 
 kernel_read_kernel_sysctls(mailman_domain)
-kernel_read_system_state(mailman_domain)
+kernel_read_network_state(mailman_domain)
 
-corenet_all_recvfrom_unlabeled(mailman_domain)
-corenet_all_recvfrom_netlabel(mailman_domain)
 corenet_tcp_sendrecv_generic_if(mailman_domain)
 corenet_tcp_sendrecv_generic_node(mailman_domain)
 
@@ -82,10 +84,6 @@ fs_getattr_all_fs(mailman_domain)
 libs_exec_ld_so(mailman_domain)
 libs_exec_lib_files(mailman_domain)
 
-logging_send_syslog_msg(mailman_domain)
-
-miscfiles_read_localization(mailman_domain)
-
 ########################################
 #
 # CGI local policy
@@ -103,7 +101,7 @@ optional_policy(`
 	apache_dontaudit_append_log(mailman_cgi_t)
 	apache_search_sys_script_state(mailman_cgi_t)
 	apache_read_config(mailman_cgi_t)
-	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+	apache_rw_stream_sockets(mailman_cgi_t)
 ')
 
 optional_policy(`
@@ -115,20 +113,23 @@ optional_policy(`
 # Mail local policy
 #
 
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_read_search dac_override setuid setgid sys_nice sys_tty_config };
+allow mailman_mail_t self:process { setsched signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 
 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
 
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
 corenet_sendrecv_innd_client_packets(mailman_mail_t)
 corenet_tcp_connect_innd_port(mailman_mail_t)
 corenet_tcp_sendrecv_innd_port(mailman_mail_t)
 
 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
-corenet_tcp_connect_spamd_port(mailman_mail_t)
 corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
 
 dev_read_urand(mailman_mail_t)
 
@@ -137,10 +138,18 @@ fs_rw_anon_inodefs_files(mailman_mail_t)
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 mta_dontaudit_rw_queue(mailman_mail_t)
 
+optional_policy(`
+    apache_search_config(mailman_mail_t)
+')
+
 optional_policy(`
 	courier_read_spool(mailman_mail_t)
 ')
 
+optional_policy(`
+	gnome_dontaudit_search_config(mailman_mail_t)
+')
+
 optional_policy(`
 	cron_read_pipes(mailman_mail_t)
 ')
@@ -182,3 +191,9 @@ optional_policy(`
 optional_policy(`
 	su_exec(mailman_queue_t)
 ')
+
+tunable_policy(`mailman_use_fusefs',`
+	fs_manage_fusefs_dirs(mailman_domain)
+	fs_manage_fusefs_files(mailman_domain)
+	fs_manage_fusefs_symlinks(mailman_domain)
+')
diff --git a/mailscanner.if b/mailscanner.if
index 214cb44983..bd1d48e4fb 100644
--- a/mailscanner.if
+++ b/mailscanner.if
@@ -2,29 +2,27 @@
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	mscan spool content.
+##	Execute a domain transition to run
+## 	MailScanner.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`mscan_manage_spool_content',`
+interface(`mailscanner_initrc_domtrans',`
 	gen_require(`
-		type mscan_spool_t;
+		type mscan_initrc_exec_t;
 	')
 
-	files_search_spool($1)
-	manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
-	manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
+	init_labeled_script_domtrans($1, mscan_initrc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an mscan environment
+##	All of the rules required to administrate
+##	an mailscanner environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',`
 ## </param>
 ## <rolecap/>
 #
-interface(`mscan_admin',`
+interface(`mailscanner_admin',`
 	gen_require(`
-		type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
-		type mscan_var_run_t, mscan_spool_t;
+		type mscan_t, mscan_var_run_t, mscan_etc_t;
+		type mscan_initrc_exec_t;
 	')
 
-	allow $1 mscan_t:process { ptrace signal_perms };
-	ps_process_pattern($1, mscan_t)
-
-	init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+	mailscanner_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 mscan_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	allow $1 mscan_t:process signal_perms;
+	ps_process_pattern($1, mscan_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 mscan_t:process ptrace;
+	')
+
 	admin_pattern($1, mscan_etc_t)
+	files_list_etc($1)
 
-	files_search_pids($1)
 	admin_pattern($1, mscan_var_run_t)
-
-	files_search_spool($1)
-	admin_pattern($1, mscan_spool_t)
+	files_list_pids($1)
 ')
diff --git a/mailscanner.te b/mailscanner.te
index 6b6e2e130b..3fb3393bad 100644
--- a/mailscanner.te
+++ b/mailscanner.te
@@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t)
 # Local policy
 #
 
-allow mscan_t self:capability { setuid chown setgid dac_override };
+allow mscan_t self:capability { setuid chown setgid dac_read_search dac_override };
 allow mscan_t self:process signal;
 allow mscan_t self:fifo_file rw_fifo_file_perms;
 
 read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
 
 manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
 files_pid_filetrans(mscan_t, mscan_var_run_t, file)
@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t)
 
 dev_read_urand(mscan_t)
 
-files_read_usr_files(mscan_t)
 
 fs_getattr_xattr_fs(mscan_t)
 
@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t)
 
 logging_send_syslog_msg(mscan_t)
 
-miscfiles_read_localization(mscan_t)
-
 optional_policy(`
-	clamav_domtrans_clamscan(mscan_t)
+	antivirus_domtrans(mscan_t)
+	antivirus_manage_pid(mscan_t)
 ')
 
 optional_policy(`
@@ -97,5 +96,6 @@ optional_policy(`
 ')
 
 optional_policy(`
+	spamassassin_read_home_client(mscan_t)
 	spamassassin_read_lib_files(mscan_t)
 ')
diff --git a/man2html.fc b/man2html.fc
index 82f6255512..3686732372 100644
--- a/man2html.fc
+++ b/man2html.fc
@@ -1,5 +1,5 @@
-/usr/lib/man2html/cgi-bin/man/man2html	--	gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-/usr/lib/man2html/cgi-bin/man/mansec	--	gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-/usr/lib/man2html/cgi-bin/man/manwhatis	--	gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/man2html	--	gen_context(system_u:object_r:man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/mansec	--	gen_context(system_u:object_r:man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/manwhatis	--	gen_context(system_u:object_r:man2html_script_exec_t,s0)
 
-/var/cache/man2html(/.*)?	gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
+/var/cache/man2html(/.*)?	gen_context(system_u:object_r:man2html_rw_content_t,s0)
diff --git a/man2html.if b/man2html.if
index 54ec04d3b4..53eaf61d60 100644
--- a/man2html.if
+++ b/man2html.if
@@ -1 +1,137 @@
 ## <summary>A Unix manpage-to-HTML converter.</summary>
+
+########################################
+## <summary>
+##	Transition to man2html_script.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`man2html_script_domtrans',`
+	gen_require(`
+		type man2html_script_t, man2html_script_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
+')
+
+########################################
+## <summary>
+##	Search man2html_script content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`man2html_search_content',`
+	gen_require(`
+		type man2html_content_t;
+		type man2html_rw_content_t;
+	')
+
+	allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read man2html cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`man2html_read_content_files',`
+	gen_require(`
+		type man2html_content_t;
+		type man2html_rw_content_t;
+	')
+
+	files_search_var($1)
+	allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
+	read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+	read_files_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	man2html content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`man2html_manage_content_files',`
+	gen_require(`
+		type man2html_content_t;
+		type man2html_rw_content_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+	manage_files_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	man2html content dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`man2html_manage_content_dirs',`
+	gen_require(`
+		type man2html_content_t;
+		type man2html_rw_content_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
+	manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an man2html environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`man2html_admin',`
+	gen_require(`
+		type man2html_script_t;
+		type man2html_rw_content_t;
+		type man2html_content_t;
+	')
+
+	allow $1 man2html_script_t:process { ptrace signal_perms };
+	ps_process_pattern($1, man2html_script_t)
+
+	files_search_var($1)
+	admin_pattern($1, man2html_content_t)
+	admin_pattern($1, man2html_rw_content_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/man2html.te b/man2html.te
index e08c55d433..24b56e9ee7 100644
--- a/man2html.te
+++ b/man2html.te
@@ -5,22 +5,18 @@ policy_module(man2html, 1.0.0)
 # Declarations
 #
 
-apache_content_template(man2html)
-
-type httpd_man2html_script_cache_t;
-files_type(httpd_man2html_script_cache_t)
 
 ########################################
 #
-# Local policy
+# man2html_script local policy
 #
 
-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
+optional_policy(`
+	apache_content_template(man2html)
+	apache_content_alias_template(man2html, man2html)
 
-files_read_etc_files(httpd_man2html_script_t)
+	allow man2html_script_t self:process fork;
 
-miscfiles_read_localization(httpd_man2html_script_t)
-miscfiles_read_man_pages(httpd_man2html_script_t)
+	typealias man2html_rw_content_t alias man2html_script_cache_t;
+	files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
+')
diff --git a/mandb.fc b/mandb.fc
index 8ae78b5bf7..b365cddec1 100644
--- a/mandb.fc
+++ b/mandb.fc
@@ -1 +1,12 @@
+HOME_DIR/\.manpath	--	gen_context(system_u:object_r:mandb_home_t,s0)
+
 /etc/cron\.(daily|weekly)/man-db.*	--	gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb		--	gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/var/cache/man(/.*)?		gen_context(system_u:object_r:mandb_cache_t,s0)
+/opt/local/share/man(/.*)?        gen_context(system_u:object_r:mandb_cache_t,s0)
+
+/var/lock/man-db\.lock	--	gen_context(system_u:object_r:mandb_lock_t,s0)
+
+/root/.manpath  --  gen_context(system_u:object_r:mandb_home_t,s0)
diff --git a/mandb.if b/mandb.if
index 327f3f7261..d6ae4eab6a 100644
--- a/mandb.if
+++ b/mandb.if
@@ -1,14 +1,14 @@
-## <summary>On-line manual database.</summary>
+
+## <summary>policy for mandb</summary>
 
 ########################################
 ## <summary>
-##	Execute the mandb program in
-##	the mandb domain.
+##	Transition to mandb.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`mandb_domtrans',`
@@ -22,33 +22,45 @@ interface(`mandb_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute mandb in the mandb
-##	domain, and allow the specified
-##	role the mandb domain.
+##	Search mandb cache directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`mandb_search_cache',`
+	gen_require(`
+		type mandb_cache_t;
+	')
+
+	allow $1 mandb_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read mandb cache files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`mandb_run',`
+interface(`mandb_read_cache_files',`
 	gen_require(`
-		attribute_role mandb_roles;
+		type mandb_cache_t;
 	')
 
-	lightsquid_domtrans($1)
-	roleattribute $2 mandb_roles;
+	files_search_var($1)
+	read_files_pattern($1, mandb_cache_t, mandb_cache_t)
 ')
 
 ########################################
 ## <summary>
-##	Search mandb cache directories.
+##	Mmap mandb cache files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -56,13 +68,17 @@ interface(`mandb_run',`
 ##	</summary>
 ## </param>
 #
-interface(`mandb_search_cache',`
-	refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_map_cache_files',`
+	gen_require(`
+		type mandb_cache_t;
+	')
+
+	allow $1 mandb_cache_t:file map;
 ')
 
 ########################################
 ## <summary>
-##	Delete mandb cache content.
+##	Relabel mandb cache files/directories
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -70,13 +86,18 @@ interface(`mandb_search_cache',`
 ##	</summary>
 ## </param>
 #
-interface(`mandb_delete_cache_content',`
-	refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_relabel_cache',`
+	gen_require(`
+		type mandb_cache_t;
+	')
+
+	allow $1 mandb_cache_t:dir relabel_dir_perms;
+	allow $1 mandb_cache_t:file relabel_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read mandb cache content.
+##	Set attributes on mandb cache files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,8 +105,35 @@ interface(`mandb_delete_cache_content',`
 ##	</summary>
 ## </param>
 #
-interface(`mandb_read_cache_content',`
-	refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_setattr_cache_dirs',`
+	gen_require(`
+		type mandb_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 mandb_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Delete mandb cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mandb_delete_cache',`
+	gen_require(`
+		type mandb_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 mandb_cache_t:dir list_dir_perms;
+	delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
+	delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
+	delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
 ')
 
 ########################################
@@ -99,37 +147,82 @@ interface(`mandb_read_cache_content',`
 ##	</summary>
 ## </param>
 #
-interface(`mandb_manage_cache_content',`
-	refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_manage_cache_files',`
+	gen_require(`
+		type mandb_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an mandb environment.
+##	Manage mandb cache dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`mandb_manage_cache_dirs',`
+	gen_require(`
+		type mandb_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
+')
+
+########################################
+## <summary>
+##	Create configuration files in user
+##	home directories with a named file
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mandb_filetrans_named_home_content',`
+	gen_require(`
+		type mandb_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an mandb environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`mandb_admin',`
 	gen_require(`
-		type mandb_t, mandb_cache_t;
+		type mandb_t;
+		type mandb_cache_t, mandb_lock_t;
 	')
 
 	allow $1 mandb_t:process { ptrace signal_perms };
 	ps_process_pattern($1, mandb_t)
 
-	mandb_run($1, $2)
+	files_search_var($1)
+	admin_pattern($1, mandb_cache_t)
 
-	# pending
-	# miscfiles_manage_man_cache_content(mandb_t)
+	files_search_locks($1)
+	admin_pattern($1, mandb_lock_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/mandb.te b/mandb.te
index e6136fd372..2edabefc3e 100644
--- a/mandb.te
+++ b/mandb.te
@@ -10,19 +10,41 @@ roleattribute system_r mandb_roles;
 
 type mandb_t;
 type mandb_exec_t;
-application_domain(mandb_t, mandb_exec_t)
+init_daemon_domain(mandb_t, mandb_exec_t)
 role mandb_roles types mandb_t;
 
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
+type mandb_home_t;
+userdom_user_home_content(mandb_home_t)
+
+type mandb_lock_t;
+files_lock_file(mandb_lock_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow mandb_t self:capability { setuid setgid };
+allow mandb_t self:capability { dac_read_search dac_override setuid setgid fsetid };
 allow mandb_t self:process { setsched signal };
 allow mandb_t self:fifo_file rw_fifo_file_perms;
 allow mandb_t self:unix_stream_socket create_stream_socket_perms;
 
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
+can_exec(mandb_t, mandb_exec_t)
+allow mandb_t mandb_cache_t:file map;
+
+userdom_search_user_home_dirs(mandb_t)
+allow mandb_t mandb_home_t:file read_file_perms;
+
+allow mandb_t mandb_lock_t:file manage_file_perms;
+files_lock_filetrans(mandb_t, mandb_lock_t, file)
+
 kernel_read_kernel_sysctls(mandb_t)
 kernel_read_system_state(mandb_t)
 
@@ -33,11 +55,14 @@ dev_search_sysfs(mandb_t)
 
 domain_use_interactive_fds(mandb_t)
 
-files_read_etc_files(mandb_t)
+files_search_locks(mandb_t)
+files_dontaudit_search_all_mountpoints(mandb_t)
+
+fs_getattr_all_fs(mandb_t)
 
 miscfiles_manage_man_cache(mandb_t)
+miscfiles_setattr_man_pages(mandb_t)
 miscfiles_read_man_pages(mandb_t)
-miscfiles_read_localization(mandb_t)
 
 ifdef(`distro_debian',`
 	optional_policy(`
diff --git a/mcelog.if b/mcelog.if
index f89651e753..c73214d811 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
 	domtrans_pattern($1, mcelog_exec_t, mcelog_t)
 ')
 
+######################################
+## <summary>
+##	Read mcelog logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcelog_read_log',`
+	gen_require(`
+		type mcelog_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, mcelog_log_t, mcelog_log_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
diff --git a/mcelog.te b/mcelog.te
index 59b3b3dd6f..494c4f3a46 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
 ## </desc>
 gen_tunable(mcelog_server, false)
 
-## <desc>
-##	<p>
-##	Determine whether mcelog can use syslog.
-##	</p>
-## </desc>
-gen_tunable(mcelog_syslog, false)
-
 type mcelog_t;
 type mcelog_exec_t;
 init_daemon_domain(mcelog_t, mcelog_exec_t)
@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(mcelog_t)
 
+corecmd_exec_shell(mcelog_t)
+corecmd_exec_bin(mcelog_t)
+
 dev_read_raw_memory(mcelog_t)
 dev_read_kmsg(mcelog_t)
 dev_rw_sysfs(mcelog_t)
-
-files_read_etc_files(mcelog_t)
+dev_rw_cpu_microcode(mcelog_t)
 
 mls_file_read_all_levels(mcelog_t)
 
+auth_use_nsswitch(mcelog_t)
+
 locallogin_use_fds(mcelog_t)
 
-miscfiles_read_localization(mcelog_t)
+logging_send_syslog_msg(mcelog_t)
 
 tunable_policy(`mcelog_client',`
 	allow mcelog_t self:unix_stream_socket connectto;
@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',`
 	allow mcelog_t self:unix_stream_socket { listen accept };
 ')
 
-tunable_policy(`mcelog_syslog',`
-	logging_send_syslog_msg(mcelog_t)
-')
 
 optional_policy(`
 	cron_system_entry(mcelog_t, mcelog_exec_t)
diff --git a/mcollective.fc b/mcollective.fc
new file mode 100644
index 0000000000..821bf88222
--- /dev/null
+++ b/mcollective.fc
@@ -0,0 +1,3 @@
+/etc/mcollective/facts\.yaml		--	gen_context(system_u:object_r:mcollective_etc_rw_t,s0)
+
+/usr/libexec/mcollective/update_yaml\.rb		--	gen_context(system_u:object_r:mcollective_exec_t,s0)
diff --git a/mcollective.if b/mcollective.if
new file mode 100644
index 0000000000..3f433f1e2b
--- /dev/null
+++ b/mcollective.if
@@ -0,0 +1,109 @@
+
+## <summary>policy for mcollective</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the mcollective domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mcollective_domtrans',`
+	gen_require(`
+		type mcollective_t, mcollective_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, mcollective_exec_t, mcollective_t)
+')
+
+########################################
+## <summary>
+##	Search mcollective conf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcollective_search_conf',`
+	gen_require(`
+		type mcollective_etc_rw_t;
+	')
+
+	allow $1 mcollective_etc_rw_t:dir search_dir_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Read mcollective conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcollective_read_conf_files',`
+	gen_require(`
+		type mcollective_etc_rw_t;
+	')
+
+	allow $1 mcollective_etc_rw_t:dir list_dir_perms;
+	read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Manage mcollective conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcollective_manage_conf_files',`
+	gen_require(`
+		type mcollective_etc_rw_t;
+	')
+
+	manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
+	files_search_etc($1)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an mcollective environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcollective_admin',`
+	gen_require(`
+		type mcollective_t;
+		type mcollective_etc_rw_t;
+	')
+
+	allow $1 mcollective_t:process { ptrace signal_perms };
+	ps_process_pattern($1, mcollective_t)
+
+	files_search_etc($1)
+	admin_pattern($1, mcollective_etc_rw_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/mcollective.te b/mcollective.te
new file mode 100644
index 0000000000..8bc27f4c5c
--- /dev/null
+++ b/mcollective.te
@@ -0,0 +1,27 @@
+policy_module(mcollective, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcollective_t;
+type mcollective_exec_t;
+init_daemon_domain(mcollective_t, mcollective_exec_t)
+cron_system_entry(mcollective_t, mcollective_exec_t)
+
+type mcollective_etc_rw_t;
+files_type(mcollective_etc_rw_t)
+
+########################################
+#
+# mcollective local policy
+#
+allow mcollective_t self:fifo_file rw_fifo_file_perms;
+allow mcollective_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t)
+files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")
+
+domain_use_interactive_fds(mcollective_t)
+
diff --git a/mediawiki.fc b/mediawiki.fc
index 99f7c41879..1745603189 100644
--- a/mediawiki.fc
+++ b/mediawiki.fc
@@ -1,8 +1,8 @@
-/usr/lib/mediawiki/math/texvc	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-/usr/lib/mediawiki/math/texvc_tex	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-/usr/lib/mediawiki/math/texvc_tes	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc	--	gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tex	--	gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
+/usr/lib/mediawiki/math/texvc_tes	--	gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
 
-/usr/share/mediawiki(/.*)?	gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+/usr/share/mediawiki[0-9]?(/.*)?      gen_context(system_u:object_r:mediawiki_content_t,s0)
 
-/var/www/wiki(/.*)?	gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
-/var/www/wiki/.*\.php	--	gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+/var/www/wiki[0-9]?(/.*)?     gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
+/var/www/wiki[0-9]?\.php   --      gen_context(system_u:object_r:mediawiki_content_t,s0)
diff --git a/mediawiki.if b/mediawiki.if
index 9771b4ba34..9b183e62be 100644
--- a/mediawiki.if
+++ b/mediawiki.if
@@ -1 +1,40 @@
-## <summary>Open source wiki package written in PHP.</summary>
+## <summary>Mediawiki policy</summary>
+
+#######################################
+## <summary>
+##      Allow the specified domain to read
+##      mediawiki tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mediawiki_read_tmp_files',`
+        gen_require(`
+                type mediawiki_tmp_t;
+        ')
+
+        files_search_tmp($1)
+        read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+	read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+')
+
+#######################################
+## <summary>
+##      Delete mediawiki tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mediawiki_delete_tmp_files',`
+        gen_require(`
+                type mediawiki_tmp_t;
+        ')
+
+        delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
+')
diff --git a/mediawiki.te b/mediawiki.te
index c528b9fa70..f577a7fa6c 100644
--- a/mediawiki.te
+++ b/mediawiki.te
@@ -5,13 +5,29 @@ policy_module(mediawiki, 1.0.0)
 # Declarations
 #
 
-apache_content_template(mediawiki)
+type mediawiki_tmp_t;
+files_tmp_file(mediawiki_tmp_t)
 
 ########################################
 #
 # Local policy
 #
 
-files_search_var_lib(httpd_mediawiki_script_t)
+optional_policy(`
 
-miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+	apache_content_template(mediawiki)
+	apache_content_alias_template(mediawiki, mediawiki)
+
+	manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+	manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+	manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+	manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t)
+	files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file })
+
+	files_search_var_lib(mediawiki_script_t)
+
+	miscfiles_read_tetex_data(mediawiki_script_t)
+
+	auth_read_passwd(mediawiki_script_t)
+
+')
diff --git a/memcached.if b/memcached.if
index 1d4eb19b8f..650014e0f2 100644
--- a/memcached.if
+++ b/memcached.if
@@ -1,4 +1,4 @@
-## <summary>High-performance memory object caching system.</summary>
+## <summary>high-performance memory object caching system</summary>
 
 ########################################
 ## <summary>
@@ -12,17 +12,16 @@
 #
 interface(`memcached_domtrans',`
 	gen_require(`
-		type memcached_t,memcached_exec_t;
+		type memcached_t;
+		type memcached_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, memcached_exec_t, memcached_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	memcached pid files.
+##	Read memcached PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -30,18 +29,18 @@ interface(`memcached_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`memcached_manage_pid_files',`
+interface(`memcached_read_pid_files',`
 	gen_require(`
 		type memcached_var_run_t;
 	')
 
 	files_search_pids($1)
-	manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
+	allow $1 memcached_var_run_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read memcached pid files.
+##	Manage memcached PID files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`memcached_read_pid_files',`
+interface(`memcached_manage_pid_files',`
 	gen_require(`
 		type memcached_var_run_t;
 	')
 
 	files_search_pids($1)
-	allow $1 memcached_var_run_t:file read_file_perms;
+	manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to memcached using a unix
-##	domain stream socket.
+##	Connect to memcached over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',`
 
 ########################################
 ## <summary>
-## 	Connect to memcache over the network.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`memcached_tcp_connect',`
-	gen_require(`
-		type memcached_t;
-	')
-
-	corenet_sendrecv_memcache_client_packets($1)
-	corenet_tcp_connect_memcache_port($1)
-	corenet_tcp_recvfrom_labeled($1, memcached_t)
-	corenet_tcp_sendrecv_memcache_port($1)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an memcached environment.
+##	All of the rules required to administrate 
+##	an memcached environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the memcached domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -121,14 +98,17 @@ interface(`memcached_admin',`
 		type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
 	')
 
-	allow $1 memcached_t:process { ptrace signal_perms };
+	allow $1 memcached_t:process signal_perms;
 	ps_process_pattern($1, memcached_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 memcached_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, memcached_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 memcached_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, memcached_var_run_t)
 ')
diff --git a/memcached.te b/memcached.te
index 29b752160f..5000dd91c7 100644
--- a/memcached.te
+++ b/memcached.te
@@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1)
 type memcached_t;
 type memcached_exec_t;
 init_daemon_domain(memcached_t, memcached_exec_t)
+init_nnp_daemon_domain(memcached_t)
 
 type memcached_initrc_exec_t;
 init_script_file(memcached_initrc_exec_t)
@@ -20,7 +21,7 @@ files_pid_file(memcached_var_run_t)
 # Local policy
 #
 
-allow memcached_t self:capability { setuid setgid };
+allow memcached_t self:capability { setuid setgid sys_resource };
 dontaudit memcached_t self:capability sys_tty_config;
 allow memcached_t self:process { setrlimit signal_perms };
 allow memcached_t self:tcp_socket { accept listen };
@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen };
 allow memcached_t self:fifo_file rw_fifo_file_perms;
 allow memcached_t self:unix_stream_socket create_stream_socket_perms;
 
+allow memcached_t memcached_exec_t:file map;
+
 manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
 manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
 manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
@@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t)
 
 auth_use_nsswitch(memcached_t)
 
-miscfiles_read_localization(memcached_t)
diff --git a/milter.fc b/milter.fc
index 89409ebbc7..67e42f6a9f 100644
--- a/milter.fc
+++ b/milter.fc
@@ -1,18 +1,29 @@
+/etc/mail/dkim-milter/keys(/.*)?        gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter           --      gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim      --  gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendmarc     --  gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/sqlgrey	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex	--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/sqlgrey       --      gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
 /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
-/var/lib/milter-greylist(/.*)?	gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/sqlgrey(/.*)?	gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/spamass-milter(/.*)?	gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/lib/dkim-milter(/.*)?          gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/sqlgrey(/.*)?  			gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
 
-/var/run/milter-greylist(/.*)?	gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/dkim-milter(/.*)?              gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/opendmarc(/.*)?              gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass(/.*)?	gen_context(system_u:object_r:spamass_milter_data_t,s0)
-/var/run/sqlgrey\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass(/.*)?			gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/sqlgrey\.pid    	--      gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /var/run/spamass-milter\.pid	--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/opendkim(/.*)?         gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/var/spool/milter-regex(/.*)?	gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/milter-regex(/.*)?		gen_context(system_u:object_r:regex_milter_data_t,s0)
 /var/spool/postfix/spamass(/.*)?	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/spool/opendkim(/.*)?       gen_context(system_u:object_r:dkim_milter_data_t,s0)
+/var/spool/opendmarc(/.*)?       gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/milter.if b/milter.if
index cba62db12b..562833a816 100644
--- a/milter.if
+++ b/milter.if
@@ -1,47 +1,43 @@
-## <summary>Milter mail filters.</summary>
+## <summary>Milter mail filters</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a milter domain.
+##	Create a set of derived types for various
+##	mail filter applications using the milter interface.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="milter_name">
 ##	<summary>
-##	Domain prefix to be used.
+##	The name to be used for deriving type names.
 ##	</summary>
 ## </param>
 #
 template(`milter_template',`
+	# attributes common to all milters
 	gen_require(`
 		attribute milter_data_type, milter_domains;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
 	type $1_milter_t, milter_domains;
 	type $1_milter_exec_t;
 	init_daemon_domain($1_milter_t, $1_milter_exec_t)
+	role system_r types $1_milter_t;
 
+	# Type for the milter data (e.g. the socket used to communicate with the MTA)
 	type $1_milter_data_t, milter_data_type;
 	files_pid_file($1_milter_data_t)
 
-	########################################
-	#
-	# Policy
-	#
+	# Allow communication with MTA over a unix-domain socket
+	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
 
+	# Create other data files and directories in the data directory
 	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
-	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
 
-	auth_use_nsswitch($1_milter_t)
+	logging_send_syslog_msg($1_milter_t)
 ')
 
 ########################################
 ## <summary>
-##	connect to all milter domains using
-##	a unix domain stream socket.
+##	MTA communication with milter sockets
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',`
 	')
 
 	files_search_pids($1)
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
 	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
 ')
 
 ########################################
 ## <summary>
-##	Get attributes of all  milter sock files.
+##	Allow getattr of milter sockets
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',`
 		attribute milter_data_type;
 	')
 
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
 	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	spamassissin milter data content.
+##	Allow setattr of milter dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_setattr_all_dirs',`
+	gen_require(`
+		attribute milter_data_type;
+	')
+
+	setattr_dirs_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
+##	Manage spamassassin milter state
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',`
 	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 ')
+
+#######################################
+## <summary>
+##	Delete dkim-milter PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_delete_dkim_pid_files',`
+	gen_require(`
+		type dkim_milter_data_t;
+	')
+
+	files_search_pids($1)
+	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
index 4dc99f4645..48e3f38138 100644
--- a/milter.te
+++ b/milter.te
@@ -5,73 +5,117 @@ policy_module(milter, 1.5.0)
 # Declarations
 #
 
+# attributes common to all milters
 attribute milter_domains;
 attribute milter_data_type;
 
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
+milter_template(dkim)
+
+# type for the private key of dkim-milter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
+type dkim_milter_tmp_t;
+files_tmp_file(dkim_milter_tmp_t)
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
 milter_template(greylist)
 milter_template(regex)
 milter_template(spamass)
 
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
 type spamass_milter_state_t;
 files_type(spamass_milter_state_t)
 
+
 #######################################
 #
-# Common local policy
+# milter domains local policy
 #
 
+# Allow communication with MTA over a unix-domain socket
+# Note: usage with TCP sockets requires additional policy
+
 allow milter_domains self:fifo_file rw_fifo_file_perms;
-allow milter_domains self:tcp_socket { accept listen };
+
+allow milter_domains self:process signull;
+
+# Allow communication with MTA over a TCP socket
+allow milter_domains self:tcp_socket create_stream_socket_perms;
 
 kernel_dontaudit_read_system_state(milter_domains)
 
-corenet_all_recvfrom_unlabeled(milter_domains)
-corenet_all_recvfrom_netlabel(milter_domains)
-corenet_tcp_sendrecv_generic_if(milter_domains)
-corenet_tcp_sendrecv_generic_node(milter_domains)
 corenet_tcp_bind_generic_node(milter_domains)
-
 corenet_tcp_bind_milter_port(milter_domains)
-corenet_tcp_sendrecv_all_ports(milter_domains)
 
-miscfiles_read_localization(milter_domains)
+dev_read_rand(milter_domains)
+dev_read_urand(milter_domains)
+
+mta_read_config(milter_domains)
+
+sysnet_read_config(greylist_milter_t)
+
+#######################################
+#
+# dkim-milter local policy
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
+allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
-logging_send_syslog_msg(milter_domains)
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
+manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
+files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
+
+kernel_read_kernel_sysctls(dkim_milter_t)
+
+corenet_udp_bind_all_ports(dkim_milter_t)
+
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
 
 ########################################
 #
-# greylist local policy
+# milter-greylist local policy
+#   ensure smtp clients retry mail like real MTAs and not spamware
+#   http://hcpnet.free.fr/milter-greylist/
 #
 
-allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice };
 allow greylist_milter_t self:process { setsched getsched };
 
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
+
+# It creates a pid file /var/run/milter-greylist.pid
 files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
 
 kernel_read_kernel_sysctls(greylist_milter_t)
 
-corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t)
-corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
-corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t)
-corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
-corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)
-
-corenet_sendrecv_kismet_server_packets(greylist_milter_t)
-corenet_tcp_bind_kismet_port(greylist_milter_t)
-corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
-
 corecmd_exec_bin(greylist_milter_t)
 corecmd_exec_shell(greylist_milter_t)
 
-dev_read_rand(greylist_milter_t)
-dev_read_urand(greylist_milter_t)
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_bind_rtsclient_port(greylist_milter_t)
 
-files_read_usr_files(greylist_milter_t)
+# perl getgroups() reads a bunch of files in /etc
+# Allow the milter to read a GeoIP database in /usr/share
+# The milter runs from /var/lib/milter-greylist and maintains files there
 files_search_var_lib(greylist_milter_t)
 
-mta_read_config(greylist_milter_t)
-
-miscfiles_read_localization(greylist_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
 
 optional_policy(`
 	mysql_stream_connect(greylist_milter_t)
@@ -79,30 +123,45 @@ optional_policy(`
 
 ########################################
 #
-# regex local policy
+# milter-regex local policy
+#   filter emails using regular expressions
+#   http://www.benzedrine.cx/milter-regex.html
 #
 
-allow regex_milter_t self:capability { setuid setgid dac_override };
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_read_search dac_override };
 
+# The milter's socket directory lives under /var/spool
 files_search_spool(regex_milter_t)
 
-mta_read_config(regex_milter_t)
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
 
 ########################################
 #
-# spamass local policy
+# spamass-milter local policy
+#   pipe emails through SpamAssassin
+#   http://savannah.nongnu.org/projects/spamass-milt/
 #
 
+# The milter runs from /var/lib/spamass-milter
 allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
 
 kernel_read_system_state(spamass_milter_t)
 
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
 corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
 
-files_search_var_lib(spamass_milter_t)
+auth_use_nsswitch(spamass_milter_t)
 
 mta_send_mail(spamass_milter_t)
 
+# The main job of the milter is to pipe spam through spamc and act on the result
 optional_policy(`
 	spamassassin_domtrans_client(spamass_milter_t)
 ')
diff --git a/minissdpd.if b/minissdpd.if
index b3301610f5..54509375eb 100644
--- a/minissdpd.if
+++ b/minissdpd.if
@@ -39,10 +39,10 @@ interface(`minissdpd_read_config',`
 interface(`minissdpd_admin',`
 	gen_require(`
 		type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
-		type minissdpd_var_run_t
+		type minissdpd_var_run_t;
 	')
 
-	allow $1 minissdpd_t:process { ptrace signal_perms };
+	allow $1 minissdpd_t:process { signal_perms };
 	ps_process_pattern($1, minissdpd_t)
 
 	init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
diff --git a/mip6d.fc b/mip6d.fc
new file mode 100644
index 0000000000..767bbad7b2
--- /dev/null
+++ b/mip6d.fc
@@ -0,0 +1,3 @@
+/usr/lib/systemd/system/mip6d.*     --  gen_context(system_u:object_r:mip6d_unit_file_t,s0)
+
+/usr/sbin/mip6d		--	gen_context(system_u:object_r:mip6d_exec_t,s0)
diff --git a/mip6d.if b/mip6d.if
new file mode 100644
index 0000000000..861b486dc2
--- /dev/null
+++ b/mip6d.if
@@ -0,0 +1,80 @@
+
+## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the mip6d domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mip6d_domtrans',`
+	gen_require(`
+		type mip6d_t, mip6d_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, mip6d_exec_t, mip6d_t)
+')
+########################################
+## <summary>
+##	Execute mip6d server in the mip6d domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`mip6d_systemctl',`
+	gen_require(`
+		type mip6d_t;
+		type mip6d_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 mip6d_unit_file_t:file read_file_perms;
+	allow $1 mip6d_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, mip6d_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an mip6d environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mip6d_admin',`
+	gen_require(`
+		type mip6d_t;
+	    type mip6d_unit_file_t;
+	')
+
+	allow $1 mip6d_t:process { signal_perms };
+	ps_process_pattern($1, mip6d_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 mip6d_t:process ptrace;
+    ')
+
+	mip6d_systemctl($1)
+	admin_pattern($1, mip6d_unit_file_t)
+	allow $1 mip6d_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/mip6d.te b/mip6d.te
new file mode 100644
index 0000000000..0f290e9d45
--- /dev/null
+++ b/mip6d.te
@@ -0,0 +1,33 @@
+policy_module(mip6d, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mip6d_t;
+type mip6d_exec_t;
+init_daemon_domain(mip6d_t, mip6d_exec_t)
+
+type mip6d_unit_file_t;
+systemd_unit_file(mip6d_unit_file_t)
+
+########################################
+#
+# mip6d local policy
+#
+allow mip6d_t self:capability { net_admin net_raw };
+allow mip6d_t self:process { setpgid fork signal };
+allow mip6d_t self:netlink_route_socket create_netlink_socket_perms;
+allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow mip6d_t self:rawip_socket create_socket_perms;
+allow mip6d_t self:udp_socket create_socket_perms;
+allow mip6d_t self:fifo_file rw_fifo_file_perms;
+allow mip6d_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_rw_net_sysctls(mip6d_t)
+kernel_read_network_state(mip6d_t)
+kernel_request_load_module(mip6d_t)
+
+logging_send_syslog_msg(mip6d_t)
+
diff --git a/mirrormanager.fc b/mirrormanager.fc
new file mode 100644
index 0000000000..abd53a4c78
--- /dev/null
+++ b/mirrormanager.fc
@@ -0,0 +1,7 @@
+/usr/share/mirrormanager/server/mirrormanager(/.*)?			gen_context(system_u:object_r:mirrormanager_exec_t,s0)
+
+/var/lib/mirrormanager(/.*)?		gen_context(system_u:object_r:mirrormanager_var_lib_t,s0)
+
+/var/log/mirrormanager(/.*)?		gen_context(system_u:object_r:mirrormanager_log_t,s0)
+
+/var/run/mirrormanager(/.*)?		gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
diff --git a/mirrormanager.if b/mirrormanager.if
new file mode 100644
index 0000000000..86467cffba
--- /dev/null
+++ b/mirrormanager.if
@@ -0,0 +1,256 @@
+
+## <summary>policy for mirrormanager</summary>
+
+########################################
+## <summary>
+##	Execute mirrormanager in the mirrormanager domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mirrormanager_domtrans',`
+	gen_require(`
+		type mirrormanager_t, mirrormanager_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
+')
+
+########################################
+## <summary>
+##	Read mirrormanager's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mirrormanager_read_log',`
+	gen_require(`
+		type mirrormanager_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+## <summary>
+##	Append to mirrormanager log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_append_log',`
+	gen_require(`
+		type mirrormanager_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+## <summary>
+##	Manage mirrormanager log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_manage_log',`
+	gen_require(`
+		type mirrormanager_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+	manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+	manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
+')
+
+########################################
+## <summary>
+##	Search mirrormanager lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_search_lib',`
+	gen_require(`
+		type mirrormanager_var_lib_t;
+	')
+
+	allow $1 mirrormanager_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read mirrormanager lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_read_lib_files',`
+	gen_require(`
+		type mirrormanager_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+    list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+	read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage mirrormanager lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_manage_lib_files',`
+	gen_require(`
+		type mirrormanager_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage mirrormanager lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_manage_lib_dirs',`
+	gen_require(`
+		type mirrormanager_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read mirrormanager PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_read_pid_files',`
+	gen_require(`
+		type mirrormanager_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage mirrormanager PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_manage_pid_files',`
+	gen_require(`
+		type mirrormanager_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+## <summary>
+##     Manage mirrormanager PID sock files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mirrormanager_manage_pid_sock_files',`
+       gen_require(`
+               type mirrormanager_var_run_t;
+       ')
+
+       files_search_pids($1)
+       manage_sock_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an mirrormanager environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mirrormanager_admin',`
+	gen_require(`
+		type mirrormanager_t;
+		type mirrormanager_log_t;
+		type mirrormanager_var_lib_t;
+		type mirrormanager_var_run_t;
+	')
+
+	allow $1 mirrormanager_t:process { signal_perms };
+	ps_process_pattern($1, mirrormanager_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 mirrormanager_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, mirrormanager_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, mirrormanager_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, mirrormanager_var_run_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/mirrormanager.te b/mirrormanager.te
new file mode 100644
index 0000000000..2e3289ed3d
--- /dev/null
+++ b/mirrormanager.te
@@ -0,0 +1,46 @@
+policy_module(mirrormanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mirrormanager_t;
+type mirrormanager_exec_t;
+application_domain(mirrormanager_t, mirrormanager_exec_t)
+
+type mirrormanager_log_t;
+logging_log_file(mirrormanager_log_t)
+
+type mirrormanager_var_lib_t;
+files_type(mirrormanager_var_lib_t)
+
+type mirrormanager_var_run_t;
+files_pid_file(mirrormanager_var_run_t)
+
+########################################
+#
+# mirrormanager local policy
+#
+
+allow mirrormanager_t self:fifo_file rw_fifo_file_perms;
+allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t)
+logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir })
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
+files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir })
+
+manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir })
+
+optional_policy(`
+	cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
+')
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 0000000000..394bc46584
--- /dev/null
+++ b/mock.fc
@@ -0,0 +1,7 @@
+
+/usr/sbin/mock		--	gen_context(system_u:object_r:mock_exec_t,s0)
+
+/usr/libexec/mock/mock  --  gen_context(system_u:object_r:mock_exec_t,s0)
+
+/var/lib/mock(/.*)?		gen_context(system_u:object_r:mock_var_lib_t,s0)
+/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
new file mode 100644
index 0000000000..f5b98e6de8
--- /dev/null
+++ b/mock.if
@@ -0,0 +1,311 @@
+## <summary>policy for mock</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run mock.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`mock_domtrans',`
+	gen_require(`
+		type mock_t, mock_exec_t;
+	')
+
+	domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
+########################################
+## <summary>
+##	Search mock lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_search_lib',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	allow $1 mock_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read mock lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_read_lib_files',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+    list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+	read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Getattr on mock lib file,dir,sock_file ...
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_getattr_lib',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	allow $1 mock_var_lib_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mock lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_manage_lib_files',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage mock lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_manage_lib_dirs',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+#########################################
+## <summary>
+##	Manage mock lib symlinks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_manage_lib_symlinks',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage mock lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_manage_lib_chr_files',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage mock lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_dontaudit_write_lib_chr_files',`
+	gen_require(`
+		type mock_var_lib_t;
+	')
+
+	dontaudit $1 mock_var_lib_t:chr_file write;
+')
+
+#######################################
+## <summary>
+##  Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`mock_dontaudit_leaks',`
+    gen_require(`
+        type mock_tmp_t;
+    ')
+
+	dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute mock in the mock domain, and
+##	allow the specified role the mock domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mock domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_run',`
+	gen_require(`
+		type mock_t;
+		type mock_build_t;
+	')
+
+	mock_domtrans($1)
+	role $2 types mock_t;
+	role $2 types mock_build_t;
+
+	mount_run(mock_t, $2)
+')
+
+########################################
+## <summary>
+##	Role access for mock
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_role',`
+	gen_require(`
+		type mock_t;
+	')
+
+	role $1 types mock_t;
+
+	mock_run($2, $1)
+
+	ps_process_pattern($2, mock_t)
+	allow $2 mock_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 mock_t:process ptrace;
+	')
+
+    optional_policy(`
+        mock_read_lib_files($2)
+    ')
+')
+
+#######################################
+## <summary>
+##	Send a generic signal to mock.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_signal',`
+	gen_require(`
+		type mock_t;
+	')
+
+	allow $1 mock_t:process signal;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an mock environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mock_admin',`
+	gen_require(`
+		type mock_t, mock_var_lib_t;
+		type mock_build_t, mock_etc_t, mock_tmp_t;
+	')
+
+	allow $1 mock_t:process signal_perms;
+	ps_process_pattern($1, mock_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 mock_t:process ptrace;
+		allow $1 mock_build_t:process ptrace;
+	')
+
+	allow $1 mock_build_t:process signal_perms;
+	ps_process_pattern($1, mock_build_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, mock_var_lib_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, mock_tmp_t)
+
+	files_search_etc($1)
+	admin_pattern($1, mock_etc_t)
+')
diff --git a/mock.te b/mock.te
new file mode 100644
index 0000000000..f647022cb9
--- /dev/null
+++ b/mock.te
@@ -0,0 +1,288 @@
+policy_module(mock,1.0.0)
+
+## <desc>
+##  <p>
+##  Allow mock to read files in home directories.
+##  </p>
+## </desc>
+gen_tunable(mock_enable_homedirs, false)
+
+########################################
+#
+# Declarations
+#
+
+type mock_t;
+type mock_exec_t;
+application_domain(mock_t, mock_exec_t)
+domain_role_change_exemption(mock_t)
+domain_system_change_exemption(mock_t)
+role system_r types mock_t;
+
+type mock_build_t;
+type mock_build_exec_t;
+application_domain(mock_build_t, mock_build_exec_t)
+role system_r types mock_build_t;
+
+type mock_cache_t;
+files_type(mock_cache_t)
+
+type mock_tmp_t;
+files_tmp_file(mock_tmp_t)
+
+type mock_var_lib_t;
+files_type(mock_var_lib_t)
+
+type mock_var_run_t;
+files_pid_file(mock_var_run_t)
+
+type mock_etc_t;
+files_config_file(mock_etc_t)
+
+########################################
+#
+# mock local policy
+#
+
+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search  dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:capability2 block_suspend;
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+# Needed because mock can run java and mono withing build environment
+allow mock_t self:process { execmem execstack };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
+allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };
+
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
+
+read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
+allow mock_t mock_var_lib_t:dir mounton;
+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_t mock_var_lib_t:file relabel_file_perms;
+
+manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
+files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file })
+
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_network_state(mock_t)
+kernel_read_kernel_sysctls(mock_t)
+kernel_request_load_module(mock_t)
+kernel_dontaudit_setattr_proc_dirs(mock_t)
+kernel_read_fs_sysctls(mock_t)
+# we run mount in mock_t
+kernel_mount_proc(mock_t)
+kernel_unmount_proc(mock_t)
+
+fs_mount_tmpfs(mock_t)
+fs_unmount_tmpfs(mock_t)
+fs_unmount_xattr_fs(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
+corecmd_dontaudit_exec_all_executables(mock_t)
+
+corenet_tcp_connect_git_port(mock_t)
+corenet_tcp_connect_http_port(mock_t)
+corenet_tcp_connect_ftp_port(mock_t)
+corenet_tcp_connect_all_ephemeral_ports(mock_t)
+
+dev_read_urand(mock_t)
+dev_rw_sysfs(mock_t)
+dev_setattr_sysfs_dirs(mock_t)
+dev_mount_sysfs_fs(mock_t)
+dev_unmount_sysfs_fs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_runtime_files(mock_t)
+files_dontaudit_list_boot(mock_t)
+files_list_isid_type_dirs(mock_t)
+
+fs_getattr_all_fs(mock_t)
+fs_manage_cgroup_dirs(mock_t)
+fs_search_all(mock_t)
+fs_setattr_tmpfs_dirs(mock_t)
+	
+selinux_get_enforce_mode(mock_t)
+
+term_search_ptys(mock_t)
+term_use_generic_ptys(mock_t)
+term_mount_pty_fs(mock_t)
+term_unmount_pty_fs(mock_t)
+term_use_ptmx(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
+init_dontaudit_stream_connect(mock_t)
+
+libs_exec_ldconfig(mock_t)
+
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
+lvm_manage_lock(mock_t)
+lvm_read_config(mock_t)
+lvm_read_metadata(mock_t)
+lvm_getattr_exec_files(mock_t)
+
+miscfiles_dontaudit_write_generic_cert_files(mock_t)
+
+userdom_use_user_ptys(mock_t)
+userdom_use_user_ttys(mock_t)
+
+files_search_home(mock_t)
+
+tunable_policy(`mock_enable_homedirs',`
+	userdom_manage_user_home_content_dirs(mock_t)
+	userdom_manage_user_home_content_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',`
+    rpc_search_nfs_state_data(mock_t)
+    fs_list_auto_mountpoints(mock_t)
+    fs_manage_nfs_files(mock_t)
+')
+
+tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',`
+    fs_list_auto_mountpoints(mock_t)
+    fs_read_cifs_files(mock_t)
+    fs_manage_cifs_files(mock_t)
+')
+
+optional_policy(`
+	abrt_read_spool_retrace(mock_t)
+	abrt_read_cache_retrace(mock_t)
+	abrt_stream_connect(mock_t)
+')
+
+optional_policy(`
+	apache_read_sys_content_rw_files(mock_t)
+')
+
+optional_policy(`
+	rpm_exec(mock_t)
+    rpm_manage_cache(mock_t)
+    rpm_manage_db(mock_t)
+    rpm_manage_tmp_files(mock_t)
+    rpm_read_log(mock_t)
+')
+
+optional_policy(`
+	mount_exec(mock_t)
+    mount_rw_pid_files(mock_t)
+')
+
+
+########################################
+#
+# mock_build local policy
+#
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
+dontaudit mock_build_t self:capability audit_write;
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+# Needed because mock can run java and mono withing build environment
+allow mock_build_t self:process { execmem execstack };
+dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
+allow mock_build_t self:fifo_file manage_fifo_file_perms;
+allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_build_t self:unix_dgram_socket create_socket_perms;
+allow mock_build_t self:dir list_dir_perms;
+allow mock_build_t self:dir read_file_perms;
+      
+ps_process_pattern(mock_t, mock_build_t)
+allow mock_t mock_build_t:process signal_perms;
+domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
+domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_tmp_t)
+domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
+domain_entry_file(mock_build_t, mock_var_lib_t)
+
+manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
+
+manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
+can_exec(mock_build_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
+can_exec(mock_build_t, mock_var_lib_t)
+allow mock_build_t mock_var_lib_t:dir mounton;
+allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_build_t mock_var_lib_t:file relabel_file_perms;
+
+kernel_list_proc(mock_build_t)
+kernel_read_irq_sysctls(mock_build_t)
+kernel_read_system_state(mock_build_t)
+kernel_read_network_state(mock_build_t)
+kernel_read_kernel_sysctls(mock_build_t)
+kernel_request_load_module(mock_build_t)
+kernel_dontaudit_setattr_proc_dirs(mock_build_t)
+
+corecmd_exec_bin(mock_build_t)
+corecmd_exec_shell(mock_build_t)
+corecmd_dontaudit_exec_all_executables(mock_build_t)
+
+dev_getattr_all_chr_files(mock_build_t)
+dev_dontaudit_list_all_dev_nodes(mock_build_t)
+dev_dontaudit_getattr_all(mock_build_t)
+fs_getattr_all_dirs(mock_build_t)
+dev_read_sysfs(mock_build_t)
+
+domain_dontaudit_read_all_domains_state(mock_build_t)
+domain_use_interactive_fds(mock_build_t)
+
+files_dontaudit_list_boot(mock_build_t)
+
+fs_getattr_all_fs(mock_build_t)
+fs_manage_cgroup_dirs(mock_build_t)
+
+selinux_get_enforce_mode(mock_build_t)
+
+auth_use_nsswitch(mock_build_t)
+
+init_exec(mock_build_t)
+init_dontaudit_stream_connect(mock_build_t)
+
+libs_exec_ldconfig(mock_build_t)
+
+term_use_all_inherited_terms(mock_build_t)
+userdom_use_inherited_user_ptys(mock_build_t)
+term_dontaudit_manage_pty_dirs(mock_build_t)
+
+tunable_policy(`mock_enable_homedirs',`
+	userdom_read_user_home_content_files(mock_build_t)
+')
diff --git a/modemmanager.fc b/modemmanager.fc
index a83894c6ec..481dca3ff8 100644
--- a/modemmanager.fc
+++ b/modemmanager.fc
@@ -1 +1,4 @@
 /usr/sbin/modem-manager	--	gen_context(system_u:object_r:modemmanager_exec_t,s0)
+/usr/sbin/ModemManager	--	gen_context(system_u:object_r:modemmanager_exec_t,s0)
+
+/usr/lib/systemd/system/ModemManager.service		--	gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
diff --git a/modemmanager.if b/modemmanager.if
index b1ac8b5d81..24782b35f6 100644
--- a/modemmanager.if
+++ b/modemmanager.if
@@ -19,6 +19,31 @@ interface(`modemmanager_domtrans',`
 	domtrans_pattern($1, modemmanager_exec_t, modemmanager_t)
 ')
 
+########################################
+## <summary>
+##	Execute modemmanager server in the modemmanager domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modemmanager_systemctl',`
+	gen_require(`
+		type modemmanager_t;
+		type modemmanager_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 modemmanager_unit_file_t:file read_file_perms;
+	allow $1 modemmanager_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, modemmanager_t)
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
@@ -39,3 +64,33 @@ interface(`modemmanager_dbus_chat',`
 	allow $1 modemmanager_t:dbus send_msg;
 	allow modemmanager_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an modemmanager environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`modemmanager_admin',`
+	gen_require(`
+		type modemmanager_t;
+		type modemmanager_unit_file_t;
+	')
+
+	allow $1 modemmanager_t:process { ptrace signal_perms };
+	ps_process_pattern($1, modemmanager_t)
+
+	modemmanager_systemctl($1)
+	admin_pattern($1, modemmanager_unit_file_t)
+	allow $1 modemmanager_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/modemmanager.te b/modemmanager.te
index d15eb5b643..c7fd00ea07 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
 typealias modemmanager_t alias ModemManager_t;
 typealias modemmanager_exec_t alias ModemManager_exec_t;
 
+type modemmanager_unit_file_t;
+systemd_unit_file(modemmanager_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
 allow modemmanager_t self:process { getsched signal };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 kernel_read_system_state(modemmanager_t)
 
-dev_read_sysfs(modemmanager_t)
-dev_rw_modem(modemmanager_t)
+corecmd_exec_bin(modemmanager_t)
 
-files_read_etc_files(modemmanager_t)
+dev_rw_sysfs(modemmanager_t)
+dev_read_urand(modemmanager_t)
+dev_rw_modem(modemmanager_t)
 
 term_use_generic_ptys(modemmanager_t)
 term_use_unallocated_ttys(modemmanager_t)
+term_use_usb_ttys(modemmanager_t)
 
-miscfiles_read_localization(modemmanager_t)
+xserver_read_state_xdm(modemmanager_t)
 
 logging_send_syslog_msg(modemmanager_t)
 
@@ -50,6 +55,11 @@ optional_policy(`
 	optional_policy(`
 		policykit_dbus_chat(modemmanager_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind(modemmanager_t)
+		systemd_write_inhibit_pipes(modemmanager_t)
+	')
 ')
 
 optional_policy(`
diff --git a/mojomojo.fc b/mojomojo.fc
index 7b827ca7fb..5ee8a0f2b0 100644
--- a/mojomojo.fc
+++ b/mojomojo.fc
@@ -1,5 +1,5 @@
-/usr/bin/mojomojo_fastcgi\.pl	--	gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0)
+/usr/bin/mojomojo_fastcgi\.pl	--	gen_context(system_u:object_r:mojomojo_script_exec_t,s0)
 
-/usr/share/mojomojo/root(/.*)?	gen_context(system_u:object_r:httpd_mojomojo_content_t,s0)
+/usr/share/mojomojo/root(/.*)?	gen_context(system_u:object_r:mojomojo_content_t,s0)
 
-/var/lib/mojomojo(/.*)?	gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0)
+/var/lib/mojomojo(/.*)?	gen_context(system_u:object_r:mojomojo_rw_content_t,s0)
diff --git a/mojomojo.if b/mojomojo.if
index 73952f4c9b..b19a6ee2dc 100644
--- a/mojomojo.if
+++ b/mojomojo.if
@@ -15,7 +15,6 @@
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`mojomojo_admin',`
 	refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
diff --git a/mojomojo.te b/mojomojo.te
index b94102efd0..25d1d33a10 100644
--- a/mojomojo.te
+++ b/mojomojo.te
@@ -5,21 +5,40 @@ policy_module(mojomojo, 1.1.0)
 # Declarations
 #
 
-apache_content_template(mojomojo)
+type mojomojo_tmp_t alias httpd_mojomojo_tmp_t;
+files_tmp_file(mojomojo_tmp_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+optional_policy(`
+	apache_content_template(mojomojo)
+	apache_content_alias_template(mojomojo, mojomojo)
 
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+	manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
+	manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t)
+	files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir })
 
-files_search_var_lib(httpd_mojomojo_script_t)
+	corenet_tcp_connect_postgresql_port(mojomojo_script_t)
+	corenet_tcp_connect_mysqld_port(mojomojo_script_t)
+	corenet_tcp_connect_smtp_port(mojomojo_script_t)
+	corenet_sendrecv_postgresql_client_packets(mojomojo_script_t)
+	corenet_sendrecv_mysqld_client_packets(mojomojo_script_t)
+	corenet_sendrecv_smtp_client_packets(mojomojo_script_t)
 
-sysnet_dns_name_resolve(httpd_mojomojo_script_t)
+	files_search_var_lib(mojomojo_script_t)
 
-mta_send_mail(httpd_mojomojo_script_t)
+	sysnet_dns_name_resolve(mojomojo_script_t)
+
+	mta_send_mail(mojomojo_script_t)
+
+	optional_policy(`
+		mysql_stream_connect(mojomojo_script_t)
+	')
+
+	optional_policy(`
+		postgresql_stream_connect(mojomojo_script_t)
+	')
+')
diff --git a/mon_statd.fc b/mon_statd.fc
new file mode 100644
index 0000000000..60c11c0608
--- /dev/null
+++ b/mon_statd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/mon_statd	--	gen_context(system_u:object_r:mon_statd_initrc_exec_t,s0)
+
+/usr/sbin/mon_fsstatd		--	gen_context(system_u:object_r:mon_statd_exec_t,s0)
+/usr/sbin/mon_procd		--	gen_context(system_u:object_r:mon_procd_exec_t,s0)
+
+/var/run/procd.*        --  gen_context(system_u:object_r:mon_statd_var_run_t,s0)
+/var/run/fstatd.*       --  gen_context(system_u:object_r:mon_statd_var_run_t,s0)
diff --git a/mon_statd.if b/mon_statd.if
new file mode 100644
index 0000000000..1ce3e44286
--- /dev/null
+++ b/mon_statd.if
@@ -0,0 +1,39 @@
+## <summary>policy for mon_statd</summary>
+
+########################################
+## <summary>
+##	Execute mon_statd in the mon_statd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mon_statd_domtrans',`
+	gen_require(`
+		type mon_statd_t, mon_statd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, mon_statd_exec_t, mon_statd_t)
+')
+
+########################################
+## <summary>
+##	Execute mon_procd in the mon_procd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mon_procd_domtrans',`
+	gen_require(`
+		type mon_procd_t, mon_procd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, mon_procd_exec_t, mon_procd_t)
+')
diff --git a/mon_statd.te b/mon_statd.te
new file mode 100644
index 0000000000..e7220a5a86
--- /dev/null
+++ b/mon_statd.te
@@ -0,0 +1,76 @@
+policy_module(mon_statd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mon_statd_domain;
+
+type mon_statd_t, mon_statd_domain;
+type mon_statd_exec_t;
+init_daemon_domain(mon_statd_t, mon_statd_exec_t)
+
+type mon_procd_t, mon_statd_domain;
+type mon_procd_exec_t;
+init_daemon_domain(mon_procd_t, mon_procd_exec_t)
+
+type mon_statd_initrc_exec_t;
+init_script_file(mon_statd_initrc_exec_t)
+
+type mon_statd_var_run_t;
+files_pid_file(mon_statd_var_run_t)
+
+########################################
+#
+# mon_statd domain policy
+#
+
+manage_files_pattern(mon_statd_domain, mon_statd_var_run_t, mon_statd_var_run_t)
+files_pid_filetrans(mon_statd_domain, mon_statd_var_run_t, file)
+
+domain_read_all_domains_state(mon_statd_domain)
+
+dev_rw_monitor_dev(mon_statd_domain)
+
+########################################
+#
+# mon_fstatd local policy
+#
+allow mon_statd_t self:process { fork signal };
+allow mon_statd_t self:fifo_file rw_fifo_file_perms;
+
+allow mon_statd_t self:unix_stream_socket create_stream_socket_perms;
+allow mon_statd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_dgram_send(mon_statd_t)
+kernel_read_fs_sysctls(mon_statd_t)
+
+fs_getattr_all_fs(mon_statd_t)
+fs_getattr_all_dirs(mon_statd_t)
+
+fs_search_cgroup_dirs(mon_statd_t)
+
+logging_send_syslog_msg(mon_statd_t)
+
+optional_policy(`
+    rpc_read_nfs_state_data(mon_statd_t)
+')
+
+########################################
+#
+# mon_procd local policy
+#
+allow mon_procd_t self:capability sys_ptrace;
+
+allow mon_procd_t self:unix_dgram_socket { create connect };
+
+auth_read_passwd(mon_procd_t)
+
+kernel_dgram_send(mon_procd_t)
+kernel_read_system_state(mon_procd_t)
+
+init_read_utmp(mon_procd_t)
+
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
index 6fcfc31b46..e9e6bc51c0 100644
--- a/mongodb.fc
+++ b/mongodb.fc
@@ -1,9 +1,19 @@
 /etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongos	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 
-/usr/bin/mongod	--	gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/lib/systemd/system/mongod.*    --     gen_context(system_u:object_r:mongod_unit_file_t,s0)
+/usr/lib/systemd/system/mongos.*    --     gen_context(system_u:object_r:mongod_unit_file_t,s0)
+
+/usr/bin/mongod	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic   --   gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/libexec/mongodb-scl-helper             --      gen_context(system_u:object_r:mongod_exec_t,s0)
 
 /var/lib/mongo.*	gen_context(system_u:object_r:mongod_var_lib_t,s0)
 
-/var/log/mongo.*	gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/mongo.*	                                    gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/aeolus-conductor/dbomatic\.log.*      --      gen_context(system_u:object_r:mongod_log_t,s0)
 
-/var/run/mongo.*	gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/mongo.*	                gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te
index 169f236e87..bc47602c8c 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
 type mongod_initrc_exec_t;
 init_script_file(mongod_initrc_exec_t)
 
+type mongod_unit_file_t;
+systemd_unit_file(mongod_unit_file_t)
+
 type mongod_log_t;
 logging_log_file(mongod_log_t)
 
@@ -21,41 +24,73 @@ files_type(mongod_var_lib_t)
 type mongod_var_run_t;
 files_pid_file(mongod_var_run_t)
 
+type mongod_tmp_t;
+files_tmp_file(mongod_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow mongod_t self:process signal;
+
+allow mongod_t self:process { setsched signal execmem };
 allow mongod_t self:fifo_file rw_fifo_file_perms;
 
-manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
-append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-logging_log_filetrans(mongod_t, mongod_log_t, dir)
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
+allow mongod_t self:udp_socket create_socket_perms;
+allow mongod_t self:tcp_socket { accept listen };
+
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+logging_log_filetrans(mongod_t, mongod_log_t, { dir file })
 
 manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
 manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
 files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+allow mongod_t mongod_var_lib_t:file map;
 
 manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+files_pid_filetrans(mongod_t, mongod_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
 
 kernel_read_system_state(mongod_t)
+kernel_read_vm_sysctls(mongod_t)
+
+corecmd_exec_bin(mongod_t)
+corecmd_exec_shell(mongod_t)
 
 corenet_all_recvfrom_unlabeled(mongod_t)
 corenet_all_recvfrom_netlabel(mongod_t)
 corenet_tcp_sendrecv_generic_if(mongod_t)
 corenet_tcp_sendrecv_generic_node(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
 corenet_tcp_bind_generic_node(mongod_t)
 
 dev_read_sysfs(mongod_t)
 dev_read_urand(mongod_t)
 
-files_read_etc_files(mongod_t)
-
 fs_getattr_all_fs(mongod_t)
 
-miscfiles_read_localization(mongod_t)
+auth_use_nsswitch(mongod_t)
+
+logging_send_syslog_msg(mongod_t)
+
+optional_policy(`
+	mysql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(mongod_t)
+')
+
diff --git a/mono.te b/mono.te
index a6a86439fa..c0f6cf503d 100644
--- a/mono.te
+++ b/mono.te
@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
 # local policy
 #
 
-userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(mono_t)
 
 init_dbus_chat_script(mono_t)
 
diff --git a/monop.if b/monop.if
index 8fdaecea21..5440757657 100644
--- a/monop.if
+++ b/monop.if
@@ -31,7 +31,7 @@ interface(`monop_admin',`
 	role_transition $2 monopd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	logging_search_etc($1)
+	logging_search_logs($1)
 	admin_pattern($1, monopd_etc_t)
 
 	files_search_pids($1)
diff --git a/monop.te b/monop.te
index 5f93763848..8596763e7a 100644
--- a/monop.te
+++ b/monop.te
@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
 kernel_list_proc(monopd_t)
 kernel_read_proc_symlinks(monopd_t)
 
-corenet_all_recvfrom_unlabeled(monopd_t)
 corenet_all_recvfrom_netlabel(monopd_t)
 corenet_tcp_sendrecv_generic_if(monopd_t)
 corenet_tcp_sendrecv_generic_node(monopd_t)
@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t)
 
 domain_use_interactive_fds(monopd_t)
 
-files_read_etc_files(monopd_t)
-
 fs_getattr_all_fs(monopd_t)
 fs_search_auto_mountpoints(monopd_t)
 
 logging_send_syslog_msg(monopd_t)
 
-miscfiles_read_localization(monopd_t)
-
 sysnet_dns_name_resolve(monopd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/motion.fc b/motion.fc
new file mode 100644
index 0000000000..74151069bc
--- /dev/null
+++ b/motion.fc
@@ -0,0 +1,9 @@
+/usr/bin/motion		--	gen_context(system_u:object_r:motion_exec_t,s0)
+
+/usr/lib/systemd/system/motion.*		--	gen_context(system_u:object_r:motion_unit_file_t,s0)
+
+/var/log/motion\.log.*		--	gen_context(system_u:object_r:motion_log_t,s0)
+
+/var/run/motion\.pid    --  gen_context(system_u:object_r:motion_var_run_t,s0)
+
+/var/motion(/.*)?       gen_context(system_u:object_r:motion_data_t,s0)
diff --git a/motion.if b/motion.if
new file mode 100644
index 0000000000..edfd267776
--- /dev/null
+++ b/motion.if
@@ -0,0 +1,198 @@
+
+## <summary>Detect motion using a video4linux device</summary>
+
+########################################
+## <summary>
+##	Execute motion in the motion domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`motion_domtrans',`
+	gen_require(`
+		type motion_t, motion_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, motion_exec_t, motion_t)
+')
+########################################
+## <summary>
+##	Read motion's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`motion_read_log',`
+	gen_require(`
+		type motion_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+## <summary>
+##	Append to motion log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`motion_append_log',`
+	gen_require(`
+		type motion_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+## <summary>
+##	Manage motion log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`motion_manage_log',`
+	gen_require(`
+		type motion_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, motion_log_t, motion_log_t)
+	manage_files_pattern($1, motion_log_t, motion_log_t)
+	manage_lnk_files_pattern($1, motion_log_t, motion_log_t)
+')
+
+########################################
+## <summary>
+## Manage motion pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`motion_manage_pid',`
+    gen_require(`
+        type motion_var_run_t;
+    ')
+
+    manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t)
+    manage_files_pattern($1, motion_var_run_t, motion_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage motion data files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`motion_manage_data',`
+    gen_require(`
+        type motion_data_t;
+    ')
+
+    manage_dirs_pattern($1, motion_data_t, motion_data_t)
+    manage_files_pattern($1, motion_data_t, motion_data_t)
+')
+
+########################################
+## <summary>
+##	Execute motion server in the motion domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`motion_systemctl',`
+	gen_require(`
+		type motion_t;
+		type motion_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 motion_unit_file_t:file read_file_perms;
+	allow $1 motion_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, motion_t)
+')
+
+########################################
+## <summary>
+## Manage all motion files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`motion_manage_all_files',`
+
+    motion_manage_log($1)
+    motion_manage_pid($1)
+    motion_manage_data($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an motion environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`motion_admin',`
+	gen_require(`
+		type motion_t;
+		type motion_log_t;
+	    type motion_unit_file_t;
+	')
+
+	allow $1 motion_t:process { signal_perms };
+	ps_process_pattern($1, motion_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 motion_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, motion_log_t)
+
+	motion_systemctl($1)
+	admin_pattern($1, motion_unit_file_t)
+	allow $1 motion_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/motion.te b/motion.te
new file mode 100644
index 0000000000..c7f4eb5837
--- /dev/null
+++ b/motion.te
@@ -0,0 +1,65 @@
+policy_module(motion, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type motion_t;
+type motion_exec_t;
+init_daemon_domain(motion_t, motion_exec_t)
+
+type motion_log_t;
+logging_log_file(motion_log_t)
+
+type motion_unit_file_t;
+systemd_unit_file(motion_unit_file_t)
+
+type motion_var_run_t;
+files_pid_file(motion_var_run_t)
+
+type motion_data_t;
+files_type(motion_data_t)
+
+########################################
+#
+# motion local policy
+#
+allow motion_t self:udp_socket { create connect getattr };
+allow motion_t self:tcp_socket create_stream_socket_perms;
+allow motion_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
+manage_files_pattern(motion_t, motion_log_t, motion_log_t)
+logging_log_filetrans(motion_t, motion_log_t, { dir file })
+
+manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t)
+manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t)
+files_pid_filetrans(motion_t, motion_var_run_t, { dir file })
+
+manage_dirs_pattern(motion_t, motion_data_t, motion_data_t)
+manage_files_pattern(motion_t, motion_data_t, motion_data_t)
+files_var_filetrans(motion_t, motion_data_t, { dir file })
+
+corenet_tcp_bind_http_cache_port(motion_t)
+corenet_tcp_bind_transproxy_port(motion_t)
+corenet_tcp_bind_us_cli_port(motion_t)
+corenet_tcp_connect_http_port(motion_t)
+corenet_tcp_bind_generic_node(motion_t)
+
+dev_read_video_dev(motion_t)
+dev_write_video_dev(motion_t)
+
+domain_use_interactive_fds(motion_t)
+
+logging_send_syslog_msg(motion_t)
+
+sysnet_read_config(motion_t)
+
+userdom_home_manager(motion_t)
+
+optional_policy(`
+    zoneminder_domtrans(motion_t)
+    zoneminder_manage_lib_files(motion_t)
+')
+
diff --git a/mozilla.fc b/mozilla.fc
index 6ffaba2e43..e863bad61f 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,38 +1,73 @@
-HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.netscape(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
-
-HOME_DIR/\.adobe(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.macromedia(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.gnash(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.gcjwebplugin(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.icedteaplugin(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.spicec(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/\.ICAClient(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-HOME_DIR/zimbrauserdata(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
-
-/usr/bin/epiphany	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/epiphany-bin	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/mozilla	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+HOME_DIR/\.config/chromium(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/icedtea-web(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/POkemon.*(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.webex(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnashpluginrc		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/abc			-- 	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/mozilla\.pdf			-- 	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.grl-podcasts(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedtea(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.juniper_networks(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)?                   gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.IBMERS(/.*)?          	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+#
+# /bin
+#
+/usr/bin/netscape		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla-snapshot	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/netscape	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/nspluginscan	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/bin/nspluginviewer	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-
-/usr/lib/[^/]*firefox[^/]*/firefox	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/galeon/galeon	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/iceweasel/iceweasel	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/reg.+	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla[^/]*/mozilla-.*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/mozilla/plugins-wrapped(/.*)?	gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
-/usr/lib/netscape/base-4/wrapper	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/bin/nspluginscan		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/lib/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/lib/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
-/usr/lib/xulrunner[^/]*/plugin-container	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+')
+
+ifdef(`distro_debian',`
+/usr/lib/iceweasel/iceweasel	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+')
+
+#
+# /lib
+#
+
+/usr/lib/galeon/galeon 	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/reg.+ --	gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/firefox/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+
+/usr/libexec/WebKitPluginProcess    --   gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b806b2..ded39ae5c2 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
-## <summary>Policy for Mozilla and related web browsers.</summary>
+## <summary>Policy for Mozilla and related web browsers</summary>
 
 ########################################
 ## <summary>
-##	Role access for mozilla.
+##	Role access for mozilla
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
 interface(`mozilla_role',`
 	gen_require(`
 		type mozilla_t, mozilla_exec_t, mozilla_home_t;
-		type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
-		type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
 		attribute_role mozilla_roles;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
 	roleattribute $1 mozilla_roles;
 
-	########################################
-	#
-	# Policy
-	#
-
-	domtrans_pattern($2, mozilla_exec_t, mozilla_t)
+	domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+	# Unrestricted inheritance from the caller.
+	allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+	allow mozilla_t $2:fd use;
+	allow mozilla_t $2:process { sigchld signull };
+	allow mozilla_t $2:unix_stream_socket connectto;
 
-	allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+	# Allow the user domain to signal/ps.
 	ps_process_pattern($2, mozilla_t)
-
-	allow mozilla_t $2:process signull;
-	allow mozilla_t $2:unix_stream_socket connectto;
+	allow $2 mozilla_t:process signal_perms;
 
 	allow $2 mozilla_t:fd use;
-	allow $2 mozilla_t:shm rw_shm_perms;
-
-	stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
-
-	allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
-	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
-	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
-	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
+	allow $2 mozilla_t:shm { associate getattr };
+	allow $2 mozilla_t:shm { unix_read unix_write };
+	allow $2 mozilla_t:unix_stream_socket connectto;
 
-	filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+	# X access, Home files
+	manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+	manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
 
-	allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+	#should be remove then with adding of roleattribute
+	mozilla_run_plugin(mozilla_t, $1)
+	mozilla_dbus_chat($2)
 
-	allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	userdom_manage_tmp_role($1, mozilla_t)
 
 	optional_policy(`
-		mozilla_dbus_chat($2)
+		nsplugin_role($1, mozilla_t)
 	')
-')
 
-########################################
-## <summary>
-##	Role access for mozilla plugin.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`mozilla_role_plugin',`
-	gen_require(`
-		type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t;
-		type mozilla_home_t;
+	optional_policy(`
+		pulseaudio_role($1, mozilla_t)
+		pulseaudio_filetrans_admin_home_content(mozilla_t)
+		pulseaudio_filetrans_home_content(mozilla_t)
 	')
 
-	mozilla_run_plugin($2, $1)
-	mozilla_run_plugin_config($2, $1)
-
-	allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
-	ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
+	mozilla_filetrans_home_content($2)
 
-	allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms;
-	allow $2 mozilla_plugin_t:fd use;
-
-	stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
-	allow mozilla_plugin_t $2:process signull;
-	allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms };
-	allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms };
-	allow mozilla_plugin_t $2:shm { rw_shm_perms destroy };
-	allow mozilla_plugin_t $2:sem create_sem_perms;
-
-	allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
-	allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
-	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
-	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
-	userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
-
-	allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
-	allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-
-	allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
-	allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-	allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
-	allow $2 mozilla_plugin_rw_t:file read_file_perms;
-	allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
-	can_exec($2, mozilla_plugin_rw_t)
-
-	optional_policy(`
-		mozilla_dbus_chat_plugin($2)
-	')
 ')
 
 ########################################
 ## <summary>
-##	Read mozilla home directory content.
+##	Read mozilla home directory content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',`
 		type mozilla_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
 	allow $1 mozilla_home_t:dir list_dir_perms;
 	allow $1 mozilla_home_t:file read_file_perms;
 	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Write mozilla home directory files.
+##	Write mozilla home directory content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',`
 		type mozilla_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
 	write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write mozilla home directory files.
+##	Dontaudit attempts to read/write mozilla home directory content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
 		type mozilla_home_t;
 	')
 
-	dontaudit $1 mozilla_home_t:file rw_file_perms;
+	dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempt to Create,
-##	read, write, and delete mozilla
-##	home directory content.
+##	Dontaudit attempts to write mozilla home directory content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
 
 	dontaudit $1 mozilla_home_t:dir manage_dir_perms;
 	dontaudit $1 mozilla_home_t:file manage_file_perms;
-	dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Execute mozilla home directory files.  (Deprecated)
+##	Execute mozilla home directory content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
 ## </param>
 #
 interface(`mozilla_exec_user_home_files',`
-	refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
-	mozilla_exec_user_plugin_home_files($1)
-')
-
-########################################
-## <summary>
-##	Execute mozilla plugin home directory files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mozilla_exec_user_plugin_home_files',`
 	gen_require(`
-		type mozilla_home_t, mozilla_plugin_home_t;
+		type mozilla_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+	can_exec($1, mozilla_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Mozilla home directory file
-##	text relocation.  (Deprecated)
+##	Execmod mozilla home directory content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -265,140 +173,157 @@ interface(`mozilla_exec_user_plugin_home_files',`
 ## </param>
 #
 interface(`mozilla_execmod_user_home_files',`
-	refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
-	mozilla_execmod_user_plugin_home_files($1)
+	gen_require(`
+		type mozilla_home_t;
+	')
+
+	allow $1 mozilla_home_t:file execmod;
 ')
 
 ########################################
 ## <summary>
-##	Mozilla plugin home directory file
-##	text relocation.
+##	Run mozilla in the mozilla domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_execmod_user_plugin_home_files',`
+interface(`mozilla_domtrans',`
 	gen_require(`
-		type mozilla_plugin_home_t;
+		type mozilla_t, mozilla_exec_t;
 	')
 
-	allow $1 mozilla_plugin_home_t:file execmod;
+	domtrans_pattern($1, mozilla_exec_t, mozilla_t)
 ')
 
 ########################################
 ## <summary>
-##	Run mozilla in the mozilla domain.
+##	Execute a mozilla_exec_t in the specified domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed to transition.
 ##	</summary>
 ## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
 #
-interface(`mozilla_domtrans',`
+interface(`mozilla_domtrans_spec',`
 	gen_require(`
-		type mozilla_t, mozilla_exec_t;
+		type mozilla_exec_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+	domain_entry_file($2, mozilla_exec_t)
+	domtrans_pattern($1, mozilla_exec_t, $2)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run mozilla plugin.
+##	Execute a domain transition to run mozilla_plugin.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ## </summary>
 ## </param>
 #
 interface(`mozilla_domtrans_plugin',`
 	gen_require(`
 		type mozilla_plugin_t, mozilla_plugin_exec_t;
+		type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+		type mozilla_plugin_rw_t;
+		class dbus send_msg;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+	domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+	allow mozilla_plugin_t $1:process signull;
+	dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
+	dontaudit mozilla_plugin_t $1:process signal;
+	allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+	allow $1 mozilla_plugin_t:fd use;
+
+	allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+	allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
+	allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
+	allow mozilla_plugin_t $1:sem create_sem_perms;
+	allow $1 mozilla_plugin_t:sem rw_sem_perms;
+	allow $1 mozilla_plugin_t:shm rw_shm_perms;
+	allow $1 mozilla_plugin_t:fifo_file rw_fifo_file_perms;
+
+	ps_process_pattern($1, mozilla_plugin_t)
+	ps_process_pattern(mozilla_plugin_t, $1)
+	allow $1 mozilla_plugin_t:process { signal_perms noatsecure };
+
+	list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+	read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+	can_exec($1, mozilla_plugin_rw_t)
+
+	allow $1 mozilla_plugin_t:dbus send_msg;
+	allow mozilla_plugin_t $1:dbus send_msg;
+
+	allow mozilla_plugin_t $1:process signull;
 ')
 
 ########################################
 ## <summary>
-##	Execute mozilla plugin in the
-##	mozilla plugin domain, and allow
-##	the specified role the mozilla
-##	plugin domain.
+##	Execute mozilla_plugin in the mozilla_plugin domain, and
+##	allow the specified role the mozilla_plugin domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed the mozilla_plugin domain.
 ##	</summary>
 ## </param>
 #
 interface(`mozilla_run_plugin',`
 	gen_require(`
-		attribute_role mozilla_plugin_roles;
+		type mozilla_plugin_t;
+		attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
 	')
 
 	mozilla_domtrans_plugin($1)
 	roleattribute $2 mozilla_plugin_roles;
-')
+	roleattribute $2 mozilla_plugin_config_roles;
 
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run mozilla plugin config.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`mozilla_domtrans_plugin_config',`
-	gen_require(`
-		type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 mozilla_plugin_t:process ptrace;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+	optional_policy(`
+		lpd_run_lpr(mozilla_plugin_t, $2)
+	')
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute mozilla plugin config in
-##	the mozilla plugin config domain,
-##	and allow the specified role the
-##	mozilla plugin config domain.
+##  Execute qemu unconfined programs in the role.
 ## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  The role to allow the mozilla_plugin domain.
+##  </summary>
 ## </param>
+## <rolecap/>
 #
-interface(`mozilla_run_plugin_config',`
-	gen_require(`
-		attribute_role mozilla_plugin_config_roles;
-	')
+interface(`mozilla_role_plugin',`
+    gen_require(`
+		attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
+    ')
 
-	mozilla_domtrans_plugin_config($1)
-	roleattribute $2 mozilla_plugin_config_roles;
+    roleattribute $1 mozilla_plugin_roles;
+    roleattribute $1 mozilla_plugin_config_roles;
 ')
 
 ########################################
@@ -424,8 +349,7 @@ interface(`mozilla_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Send and receive messages from
-##	mozilla plugin over dbus.
+##	read/write mozilla per user tcp_socket
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -433,57 +357,162 @@ interface(`mozilla_dbus_chat',`
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_dbus_chat_plugin',`
+interface(`mozilla_rw_tcp_sockets',`
 	gen_require(`
-		type mozilla_plugin_t;
-		class dbus send_msg;
+		type mozilla_t;
 	')
 
-	allow $1 mozilla_plugin_t:dbus send_msg;
-	allow mozilla_plugin_t $1:dbus send_msg;
+	allow $1 mozilla_t:tcp_socket rw_socket_perms;
+')
+
+#######################################
+## <summary>
+##  Read mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+    gen_require(`
+        type mozilla_plugin_tmpfs_t;
+    ')
+
+    allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Read/Write mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`mozilla_plugin_rw_tmpfs_files',`
+    gen_require(`
+        type mozilla_plugin_tmpfs_t;
+    ')
+
+    rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write mozilla TCP sockets.
+##	Delete mozilla_plugin tmpfs files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed access
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_rw_tcp_sockets',`
+interface(`mozilla_plugin_delete_tmpfs_files',`
 	gen_require(`
-		type mozilla_t;
+		type mozilla_plugin_tmpfs_t;
 	')
 
-	allow $1 mozilla_t:tcp_socket rw_socket_perms;
+	allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+')
+
+#######################################
+## <summary>
+##      Dontaudit generict ipc read/write to a mozilla_plugin
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`mozilla_plugin_dontaudit_rw_sem',`
+        gen_require(`
+                type mozilla_plugin_t;
+        ')
+
+        dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write };
+')
+
+#######################################
+## <summary>
+##      Allow generict ipc read/write to a mozilla_plugin
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`mozilla_plugin_rw_sem',`
+        gen_require(`
+                type mozilla_plugin_t;
+        ')
+
+        allow $1 mozilla_plugin_t:sem { associate unix_read unix_write };
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	mozilla plugin rw files.
+##	Dontaudit read/write to a mozilla_plugin leaks
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_manage_plugin_rw_files',`
+interface(`mozilla_plugin_dontaudit_leaks',`
 	gen_require(`
-		type mozilla_plugin_rw_t;
+		type mozilla_plugin_t;
 	')
 
-	libs_search_lib($1)
-	manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
+
+#######################################
+## <summary>
+##  Dontaudit read/write to a mozilla_plugin tmp files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
+    gen_require(`
+        type mozilla_plugin_tmp_t;
+    ')
+
+    dontaudit $1 mozilla_plugin_tmp_t:file { read write };
+')
+
+#######################################
+## <summary>
+##  Allow read/write to a mozilla_plugin tmp files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`mozilla_plugin_rw_tmp_files',`
+    gen_require(`
+        type mozilla_plugin_tmp_t;
+    ')
+
+    dontaudit $1 mozilla_plugin_tmp_t:file { read write };
 ')
 
 ########################################
 ## <summary>
-##	Read mozilla_plugin tmpfs files.
+##	Create, read, write, and delete
+##	mozilla_plugin rw files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -491,18 +520,18 @@ interface(`mozilla_manage_plugin_rw_files',`
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_plugin_read_tmpfs_files',`
+interface(`mozilla_plugin_manage_rw_files',`
 	gen_require(`
-		type mozilla_plugin_tmpfs_t;
+		type mozilla_plugin_rw_t;
 	')
 
-	fs_search_tmpfs($1)
-	allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+	allow $1 mozilla_plugin_rw_t:file manage_file_perms;
+	allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Delete mozilla_plugin tmpfs files.
+##	read mozilla_plugin rw files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -510,19 +539,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_plugin_delete_tmpfs_files',`
+interface(`mozilla_plugin_read_rw_files',`
 	gen_require(`
-		type mozilla_plugin_tmpfs_t;
+		type mozilla_plugin_rw_t;
 	')
 
-	fs_search_tmpfs($1)
-	allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic mozilla plugin home content.
+##	Create mozilla content in the user home directory
+##	with an correct label.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -530,45 +558,59 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`mozilla_manage_generic_plugin_home_content',`
+interface(`mozilla_filetrans_home_content',`
+
 	gen_require(`
-		type mozilla_plugin_home_t;
+		type mozilla_home_t, mozilla_plugin_rw_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
-	allow $1 mozilla_plugin_home_t:file manage_file_perms;
-	allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
+	files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "mozilla.pdf")
+	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
+	optional_policy(`
+		gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+		gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
+	')
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic mozilla
-##	plugin home type.
+##	Allow the domain to read mozilla_plugin state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`mozilla_home_filetrans_plugin_home',`
+interface(`mozilla_plugin_read_state',`
 	gen_require(`
-		type mozilla_plugin_home_t;
+		type mozilla_plugin_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
+	kernel_search_proc($1)
+	ps_process_pattern($1, mozilla_plugin_t)
 ')
+
diff --git a/mozilla.te b/mozilla.te
index 11ac8e4fce..e2a8b27f67 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether mozilla can
-##	make its stack executable.
-##	</p>
+## <p>
+## Allow mozilla plugin domain to connect to the network using TCP.
+## </p>
 ## </desc>
-gen_tunable(mozilla_execstack, false)
+gen_tunable(mozilla_plugin_can_network_connect, false)
+
+## <desc>
+## <p>
+## Allow mozilla plugin domain to bind unreserved tcp/udp ports.
+## </p>
+## </desc>
+
+gen_tunable(mozilla_plugin_bind_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Allow mozilla plugin to support spice protocols.
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_use_spice, false)
+
+## <desc>
+## <p>
+## Allow mozilla plugin to support GPS.
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_use_gps, false)
+
+## <desc>
+## <p>
+## Allow mozilla plugin to use Bluejeans.
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_use_bluejeans, false)
+
+## <desc>
+## <p>
+## Allow confined web browsers to read home directory content
+## </p>
+## </desc>
+gen_tunable(mozilla_read_content, false)
 
 attribute_role mozilla_roles;
 attribute_role mozilla_plugin_roles;
 attribute_role mozilla_plugin_config_roles;
 
+roleattribute system_r mozilla_roles;
+roleattribute system_r mozilla_plugin_roles;
+roleattribute system_r mozilla_plugin_config_roles;
+
 type mozilla_t;
 type mozilla_exec_t;
 typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
@@ -24,6 +63,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
 userdom_user_application_domain(mozilla_t, mozilla_exec_t)
 role mozilla_roles types mozilla_t;
 
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
+
 type mozilla_home_t;
 typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
 typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
@@ -31,28 +73,24 @@ userdom_user_home_content(mozilla_home_t)
 
 type mozilla_plugin_t;
 type mozilla_plugin_exec_t;
-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
 role mozilla_plugin_roles types mozilla_plugin_t;
 
-type mozilla_plugin_home_t;
-userdom_user_home_content(mozilla_plugin_home_t)
-
 type mozilla_plugin_tmp_t;
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
 userdom_user_tmp_file(mozilla_plugin_tmp_t)
 
 type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
 userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
 
-optional_policy(`
-	pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
-')
-
 type mozilla_plugin_rw_t;
 files_type(mozilla_plugin_rw_t)
 
 type mozilla_plugin_config_t;
 type mozilla_plugin_config_exec_t;
-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+role mozilla_roles types mozilla_plugin_config_t;
 role mozilla_plugin_config_roles types mozilla_plugin_config_t;
 
 type mozilla_tmp_t;
@@ -63,10 +101,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
 typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
 userdom_user_tmpfs_file(mozilla_tmpfs_t)
 
-optional_policy(`
-	pulseaudio_tmpfs_content(mozilla_tmpfs_t)
-')
-
 ########################################
 #
 # Local policy
@@ -75,104 +109,101 @@ optional_policy(`
 allow mozilla_t self:capability { sys_nice setgid setuid };
 allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
 allow mozilla_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_t self:shm create_shm_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
 allow mozilla_t self:sem create_sem_perms;
 allow mozilla_t self:socket create_socket_perms;
-allow mozilla_t self:unix_stream_socket { accept listen };
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
-allow mozilla_t mozilla_plugin_t:fd use;
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
 
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
-allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
 
-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
 
 manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
 manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+# mozilla will manage user_tmp_t, so it will transition to it.
+#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
 
 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
-
-can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
+allow mozilla_plugin_t mozilla_tmpfs_t:file map;
 
 kernel_read_kernel_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
 kernel_read_system_state(mozilla_t)
 kernel_read_net_sysctls(mozilla_t)
 
+# Look for plugins
 corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
 corecmd_exec_shell(mozilla_t)
 corecmd_exec_bin(mozilla_t)
 
-corenet_all_recvfrom_unlabeled(mozilla_t)
+# Browse the web, connect to printer
 corenet_all_recvfrom_netlabel(mozilla_t)
 corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
 corenet_tcp_sendrecv_generic_node(mozilla_t)
-
-corenet_sendrecv_http_client_packets(mozilla_t)
-corenet_tcp_connect_http_port(mozilla_t)
+corenet_raw_sendrecv_generic_node(mozilla_t)
 corenet_tcp_sendrecv_http_port(mozilla_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_t)
-corenet_tcp_connect_http_cache_port(mozilla_t)
 corenet_tcp_sendrecv_http_cache_port(mozilla_t)
-
-corenet_sendrecv_squid_client_packets(mozilla_t)
-corenet_tcp_connect_squid_port(mozilla_t)
 corenet_tcp_sendrecv_squid_port(mozilla_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_t)
-corenet_tcp_connect_ftp_port(mozilla_t)
 corenet_tcp_sendrecv_ftp_port(mozilla_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_t)
-corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
 corenet_tcp_sendrecv_ipp_port(mozilla_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
 corenet_tcp_connect_soundd_port(mozilla_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
 corenet_tcp_connect_speech_port(mozilla_t)
-corenet_tcp_sendrecv_speech_port(mozilla_t)
 
-dev_getattr_sysfs_dirs(mozilla_t)
-dev_read_sound(mozilla_t)
-dev_read_rand(mozilla_t)
 dev_read_urand(mozilla_t)
-dev_rw_dri(mozilla_t)
+dev_read_rand(mozilla_t)
 dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
 
 domain_dontaudit_read_all_domains_state(mozilla_t)
 
 files_read_etc_runtime_files(mozilla_t)
-files_read_usr_files(mozilla_t)
-files_read_var_files(mozilla_t)
+# /var/lib
 files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
 files_read_var_symlinks(mozilla_t)
 files_dontaudit_getattr_boot_dirs(mozilla_t)
 
-fs_getattr_all_fs(mozilla_t)
+fs_dontaudit_getattr_all_fs(mozilla_t)
 fs_search_auto_mountpoints(mozilla_t)
 fs_list_inotifyfs(mozilla_t)
-fs_rw_tmpfs_files(mozilla_t)
+fs_rw_inherited_tmpfs_files(mozilla_t)
 
 term_dontaudit_getattr_pty_dirs(mozilla_t)
 
@@ -181,56 +212,73 @@ auth_use_nsswitch(mozilla_t)
 logging_send_syslog_msg(mozilla_t)
 
 miscfiles_read_fonts(mozilla_t)
-miscfiles_read_localization(mozilla_t)
 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
 
-userdom_use_user_ptys(mozilla_t)
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
 
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
 
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
 
-ifndef(`enable_mls',`
-	fs_list_dos(mozilla_t)
-	fs_read_dos_files(mozilla_t)
-
-	fs_search_removable(mozilla_t)
-	fs_read_removable_files(mozilla_t)
-	fs_read_removable_symlinks(mozilla_t)
-
-	fs_read_iso9660_files(mozilla_t)
+tunable_policy(`selinuxuser_execstack',`
+	allow mozilla_t self:process execstack;
 ')
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`',`
 	allow mozilla_t self:process execmem;
 ')
 
-tunable_policy(`mozilla_execstack',`
-	allow mozilla_t self:process { execmem execstack };
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(mozilla_t)
-	fs_manage_nfs_files(mozilla_t)
-	fs_manage_nfs_symlinks(mozilla_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(mozilla_t)
-	fs_manage_cifs_files(mozilla_t)
-	fs_manage_cifs_symlinks(mozilla_t)
+userdom_home_manager(mozilla_t)
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+	fs_list_auto_mountpoints(mozilla_t)
+	files_list_home(mozilla_t)
+	fs_read_nfs_files(mozilla_t)
+	fs_read_nfs_symlinks(mozilla_t)
+
+',`
+	files_dontaudit_list_home(mozilla_t)
+	fs_dontaudit_list_auto_mountpoints(mozilla_t)
+	fs_dontaudit_read_nfs_files(mozilla_t)
+	fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+	fs_list_auto_mountpoints(mozilla_t)
+	files_list_home(mozilla_t)
+	fs_read_cifs_files(mozilla_t)
+	fs_read_cifs_symlinks(mozilla_t)
+',`
+	files_dontaudit_list_home(mozilla_t)
+	fs_dontaudit_list_auto_mountpoints(mozilla_t)
+	fs_dontaudit_read_cifs_files(mozilla_t)
+	fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+	userdom_list_user_tmp(mozilla_t)
+	userdom_read_user_tmp_files(mozilla_t)
+	userdom_read_user_tmp_symlinks(mozilla_t)
+	userdom_read_user_home_content_files(mozilla_t)
+	userdom_read_user_home_content_symlinks(mozilla_t)
+
+	ifndef(`enable_mls',`
+		fs_search_removable(mozilla_t)
+		fs_read_removable_files(mozilla_t)
+		fs_read_removable_symlinks(mozilla_t)
+	')
+',`
+	files_dontaudit_list_tmp(mozilla_t)
+	files_dontaudit_list_home(mozilla_t)
+	fs_dontaudit_list_removable(mozilla_t)
+	fs_dontaudit_read_removable_files(mozilla_t)
+	userdom_dontaudit_list_user_tmp(mozilla_t)
+	userdom_dontaudit_read_user_tmp_files(mozilla_t)
+	userdom_dontaudit_list_user_home_dirs(mozilla_t)
+	userdom_dontaudit_read_user_home_content_files(mozilla_t)
 ')
 
 optional_policy(`
@@ -244,19 +292,12 @@ optional_policy(`
 
 optional_policy(`
 	cups_read_rw_config(mozilla_t)
+	cups_dbus_chat(mozilla_t)
 ')
 
 optional_policy(`
-	dbus_all_session_bus_client(mozilla_t)
 	dbus_system_bus_client(mozilla_t)
-
-	optional_policy(`
-		cups_dbus_chat(mozilla_t)
-	')
-
-	optional_policy(`
-		mozilla_dbus_chat_plugin(mozilla_t)
-	')
+	dbus_session_bus_client(mozilla_t)
 
 	optional_policy(`
 		networkmanager_dbus_chat(mozilla_t)
@@ -265,33 +306,32 @@ optional_policy(`
 
 optional_policy(`
 	gnome_stream_connect_gconf(mozilla_t)
-	gnome_manage_generic_gconf_home_content(mozilla_t)
-	gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
-	gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd")
-	gnome_manage_generic_home_content(mozilla_t)
-	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome")
-	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2")
-	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+	gnome_manage_config(mozilla_t)
+	gnome_manage_gconf_home_files(mozilla_t)
+')
+
+optional_policy(`
+	java_domtrans(mozilla_t)
 ')
 
 optional_policy(`
-	java_exec(mozilla_t)
-	java_manage_generic_home_content(mozilla_t)
-	java_home_filetrans_java_home(mozilla_t, dir, ".java")
+	lpd_domtrans_lpr(mozilla_t)
 ')
 
 optional_policy(`
-	lpd_run_lpr(mozilla_t, mozilla_roles)
+	mplayer_domtrans(mozilla_t)
+	mplayer_read_user_home_files(mozilla_t)
 ')
 
 optional_policy(`
-	mplayer_exec(mozilla_t)
-	mplayer_manage_generic_home_content(mozilla_t)
-	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
+	nscd_socket_use(mozilla_t)
 ')
 
 optional_policy(`
-	pulseaudio_run(mozilla_t, mozilla_roles)
+	#pulseaudio_role(mozilla_roles, mozilla_t)
+	pulseaudio_exec(mozilla_t)
+	pulseaudio_stream_connect(mozilla_t)
+	pulseaudio_manage_home_files(mozilla_t)
 ')
 
 optional_policy(`
@@ -300,259 +340,261 @@ optional_policy(`
 
 ########################################
 #
-# Plugin local policy
+# mozilla_plugin local policy
 #
 
-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config };
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
+
+allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
 allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+
 allow mozilla_plugin_t self:sem create_sem_perms;
 allow mozilla_plugin_t self:shm create_shm_perms;
-allow mozilla_plugin_t self:tcp_socket { accept listen };
-allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };
-
-allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
-allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
-allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
-allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
-
-manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
-
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-
-filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+allow mozilla_plugin_t self:msgq create_msgq_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_dgram_socket sendto;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 
 manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
 
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+userdom_manage_home_texlive(mozilla_plugin_t)
+allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map;
 
-allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
 
-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
 
 kernel_read_all_sysctls(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
 kernel_read_network_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
 kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+files_dontaudit_read_root_files(mozilla_plugin_t)
+kernel_dontaudit_list_all_proc(mozilla_plugin_t)
+kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
 
 corecmd_exec_bin(mozilla_plugin_t)
 corecmd_exec_shell(mozilla_plugin_t)
+corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
+corecmd_getattr_all_executables(mozilla_plugin_t)
 
-corenet_all_recvfrom_netlabel(mozilla_plugin_t)
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_connect_aol_port(mozilla_plugin_t)
 corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
 corenet_tcp_connect_ftp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
-
-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
 corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
-corenet_tcp_connect_http_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
 corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
 corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
-
-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
 corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
-
-corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t)
 corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
-
-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
 corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
-
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
 corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
 corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
 corenet_tcp_connect_speech_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
-
-corenet_sendrecv_squid_client_packets(mozilla_plugin_t)
 corenet_tcp_connect_squid_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
-
-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_tor_port(mozilla_plugin_t)
+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
 corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
+corenet_tcp_connect_whois_port(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
 
-dev_read_generic_usb_dev(mozilla_plugin_t)
+dev_dontaudit_append_rand(mozilla_plugin_t)
 dev_read_rand(mozilla_plugin_t)
-dev_read_realtime_clock(mozilla_plugin_t)
-dev_read_sound(mozilla_plugin_t)
-dev_read_sysfs(mozilla_plugin_t)
 dev_read_urand(mozilla_plugin_t)
+dev_read_generic_usb_dev(mozilla_plugin_t)
 dev_read_video_dev(mozilla_plugin_t)
-dev_write_sound(mozilla_plugin_t)
 dev_write_video_dev(mozilla_plugin_t)
-dev_rw_dri(mozilla_plugin_t)
+dev_read_realtime_clock(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+# for nvidia driver
 dev_rw_xserver_misc(mozilla_plugin_t)
+dev_rwx_zero(mozilla_plugin_t)
+dev_dontaudit_read_mtrr(mozilla_plugin_t)
+dev_map_video_dev(mozilla_plugin_t)
+xserver_dri_domain(mozilla_plugin_t)
 
-dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
-dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+dev_dontaudit_getattr_all(mozilla_plugin_t)
+dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
 
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 
-files_exec_usr_files(mozilla_plugin_t)
-files_list_mnt(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
-files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
+files_dontaudit_all_access_check(mozilla_plugin_t)
 
 fs_getattr_all_fs(mozilla_plugin_t)
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
-fs_search_auto_mountpoints(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
 
-term_getattr_all_ttys(mozilla_plugin_t)
-term_getattr_all_ptys(mozilla_plugin_t)
+storage_raw_read_removable_device(mozilla_plugin_t)
+fs_read_removable_files(mozilla_plugin_t)
+fs_read_removable_symlinks(mozilla_plugin_t)
 
 application_exec(mozilla_plugin_t)
+application_dontaudit_signull(mozilla_plugin_t)
 
 auth_use_nsswitch(mozilla_plugin_t)
 
+init_dontaudit_getattr_initctl(mozilla_plugin_t)
+init_read_all_script_files(mozilla_plugin_t)
+
 libs_exec_ld_so(mozilla_plugin_t)
 libs_exec_lib_files(mozilla_plugin_t)
+libs_legacy_use_shared_libs(mozilla_plugin_t)
 
 logging_send_syslog_msg(mozilla_plugin_t)
 
-miscfiles_read_localization(mozilla_plugin_t)
 miscfiles_read_fonts(mozilla_plugin_t)
 miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t)
 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
 miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
 
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
+systemd_read_logind_sessions_files(mozilla_plugin_t)
 
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+term_getattr_ptmx(mozilla_plugin_t)
+term_dontaudit_use_ptmx(mozilla_plugin_t)
 
+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
 userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
+userdom_delete_user_tmp_files(mozilla_plugin_t)
+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
+userdom_manage_home_certs(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
+userdom_map_user_home_files(mozilla_plugin_t)
 
-ifndef(`enable_mls',`
-	fs_list_dos(mozilla_plugin_t)
-	fs_read_dos_files(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
+userdom_exec_user_tmp_files(mozilla_plugin_t)
 
-	fs_search_removable(mozilla_plugin_t)
-	fs_read_removable_files(mozilla_plugin_t)
-	fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_home_manager(mozilla_plugin_t)
 
-	fs_read_iso9660_files(mozilla_plugin_t)
+tunable_policy(`mozilla_plugin_can_network_connect',`
+	corenet_tcp_connect_all_ports(mozilla_plugin_t)
 ')
 
-tunable_policy(`allow_execmem',`
-	allow mozilla_plugin_t self:process execmem;
+optional_policy(`
+    abrt_stream_connect(mozilla_plugin_t)
 ')
 
-tunable_policy(`mozilla_execstack',`
-	allow mozilla_plugin_t self:process { execmem execstack };
+optional_policy(`
+	alsa_read_rw_config(mozilla_plugin_t)
+	alsa_read_rw_config(mozilla_plugin_config_t)
+	alsa_read_home_files(mozilla_plugin_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(mozilla_plugin_t)
-	fs_manage_nfs_files(mozilla_plugin_t)
-	fs_manage_nfs_symlinks(mozilla_plugin_t)
+optional_policy(`
+	apache_list_modules(mozilla_plugin_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(mozilla_plugin_t)
-	fs_manage_cifs_files(mozilla_plugin_t)
-	fs_manage_cifs_symlinks(mozilla_plugin_t)
+optional_policy(`
+	bluetooth_stream_connect(mozilla_plugin_t)
 ')
 
 optional_policy(`
-	alsa_read_rw_config(mozilla_plugin_t)
-	alsa_read_home_files(mozilla_plugin_t)
+	bumblebee_stream_connect(mozilla_plugin_t)
 ')
 
 optional_policy(`
-	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
+	cups_stream_connect(mozilla_plugin_t)
 ')
 
 optional_policy(`
-	dbus_all_session_bus_client(mozilla_plugin_t)
-	dbus_connect_all_session_bus(mozilla_plugin_t)
 	dbus_system_bus_client(mozilla_plugin_t)
+	dbus_session_bus_client(mozilla_plugin_t)
+	dbus_connect_session_bus(mozilla_plugin_t)
+	dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+    devicekit_dbus_chat_disk(mozilla_plugin_t)
+')
+
+optional_policy(`
+	gnome_manage_config(mozilla_plugin_t)
+	gnome_read_usr_config(mozilla_plugin_t)
+	gnome_filetrans_home_content(mozilla_plugin_t)
+	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
 ')
 
 optional_policy(`
-	gnome_manage_generic_home_content(mozilla_plugin_t)
-	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
-	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
-	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+	gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
 ')
 
 optional_policy(`
 	java_exec(mozilla_plugin_t)
-	java_manage_generic_home_content(mozilla_plugin_t)
-	java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
 ')
 
 optional_policy(`
-	lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
+    mplayer_exec(mozilla_plugin_t)
+    mplayer_manage_generic_home_content(mozilla_plugin_t)
+    mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
 ')
 
 optional_policy(`
-	mplayer_exec(mozilla_plugin_t)
-	mplayer_manage_generic_home_content(mozilla_plugin_t)
-	mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
+	pulseaudio_exec(mozilla_plugin_t)
+	pulseaudio_stream_connect(mozilla_plugin_t)
+	pulseaudio_setattr_home_dir(mozilla_plugin_t)
+	pulseaudio_manage_home_dirs(mozilla_plugin_t)
+	pulseaudio_manage_home_files(mozilla_plugin_t)
+	pulseaudio_manage_home_symlinks(mozilla_plugin_t)
 ')
 
 optional_policy(`
@@ -560,7 +602,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+	policykit_dbus_chat(mozilla_plugin_t)
+')
+
+optional_policy(`
+	rtkit_scheduled(mozilla_plugin_t)
 ')
 
 optional_policy(`
@@ -568,108 +614,144 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xserver_read_user_xauth(mozilla_plugin_t)
+	xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+	xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
 	xserver_read_xdm_pid(mozilla_plugin_t)
 	xserver_stream_connect(mozilla_plugin_t)
 	xserver_use_user_fonts(mozilla_plugin_t)
-	xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
+	xserver_read_user_iceauth(mozilla_plugin_t)
+	xserver_read_user_xauth(mozilla_plugin_t)
+	xserver_append_xdm_home_files(mozilla_plugin_t)
+	xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
+	xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t)
+	xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
 ')
 
 ########################################
 #
-# Plugin config local policy
+# mozilla_plugin_config local policy
 #
 
 allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
 
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
 
-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
 
-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
 
-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
 
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+mozilla_filetrans_home_content(mozilla_plugin_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
+mozilla_filetrans_home_content(mozilla_plugin_config_t)
+dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;
 
 corecmd_exec_bin(mozilla_plugin_config_t)
 corecmd_exec_shell(mozilla_plugin_config_t)
 
-dev_read_urand(mozilla_plugin_config_t)
-dev_rw_dri(mozilla_plugin_config_t)
-dev_search_sysfs(mozilla_plugin_config_t)
-dev_dontaudit_read_rand(mozilla_plugin_config_t)
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
 
 domain_use_interactive_fds(mozilla_plugin_config_t)
 
-files_list_tmp(mozilla_plugin_config_t)
-files_read_usr_files(mozilla_plugin_config_t)
 files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
 
 fs_getattr_all_fs(mozilla_plugin_config_t)
-fs_search_auto_mountpoints(mozilla_plugin_config_t)
-fs_list_inotifyfs(mozilla_plugin_config_t)
+
+term_dontaudit_use_ptmx(mozilla_plugin_config_t)
 
 auth_use_nsswitch(mozilla_plugin_config_t)
 
-miscfiles_read_localization(mozilla_plugin_config_t)
 miscfiles_read_fonts(mozilla_plugin_config_t)
 
+userdom_search_user_home_content(mozilla_plugin_config_t)
 userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
 userdom_read_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
+userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
+
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+        fs_read_ecryptfs_files(mozilla_plugin_config_t)
+')
 
-userdom_use_user_ptys(mozilla_plugin_config_t)
+optional_policy(`
+	gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
+')
 
-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+optional_policy(`
+	xserver_use_user_fonts(mozilla_plugin_config_t)
+')
 
-tunable_policy(`allow_execmem',`
-	allow mozilla_plugin_config_t self:process execmem;
+ifdef(`distro_redhat',`
+	typealias mozilla_plugin_t  alias nsplugin_t;
+	typealias mozilla_plugin_exec_t  alias nsplugin_exec_t;
+	typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
+	typealias mozilla_plugin_tmp_t  alias nsplugin_tmp_t;
+	typealias mozilla_home_t alias nsplugin_home_t;
+	typealias mozilla_plugin_config_t  alias nsplugin_config_t;
+	typealias mozilla_plugin_config_exec_t  alias nsplugin_config_exec_t;
 ')
 
-tunable_policy(`mozilla_execstack',`
-	allow mozilla_plugin_config_t self:process { execmem execstack };
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+#	userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
+
+	#userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
+  	#userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
+#')
+
+tunable_policy(`selinuxuser_execmod',`
+	userdom_execmod_user_home_files(mozilla_plugin_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(mozilla_plugin_config_t)
-	fs_manage_nfs_files(mozilla_plugin_config_t)
-	fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+	dev_rw_generic_usb_dev(mozilla_plugin_t)
+	dev_setattr_generic_usb_dev(mozilla_plugin_t)
+	corenet_tcp_bind_vnc_port(mozilla_plugin_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(mozilla_plugin_config_t)
-	fs_manage_cifs_files(mozilla_plugin_config_t)
-	fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_gps',`
+    fs_manage_dos_dirs(mozilla_plugin_t)
+    fs_manage_dos_files(mozilla_plugin_t)
 ')
 
-optional_policy(`
-	automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_bluejeans',`
+    corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+    corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
+    corenet_tcp_connect_commplex_main_port(mozilla_plugin_t)
+    corenet_dontaudit_udp_bind_all_ports(mozilla_plugin_t)
+    corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
 ')
 
-optional_policy(`
-	xserver_use_user_fonts(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_bind_unreserved_ports',`
+    corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+    corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
 ')
diff --git a/mpd.fc b/mpd.fc
index 313ce521c7..ae93e07eb0 100644
--- a/mpd.fc
+++ b/mpd.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.mpd(/.*)?    gen_context(system_u:object_r:mpd_home_t,s0)
+
 /etc/mpd\.conf	--	gen_context(system_u:object_r:mpd_etc_t,s0)
 
 /etc/rc\.d/init\.d/mpd	--	gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
@@ -9,3 +11,5 @@
 /var/lib/mpd/playlists(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
 
 /var/log/mpd(/.*)?	gen_context(system_u:object_r:mpd_log_t,s0)
+
+/var/run/mpd(/.*)?	gen_context(system_u:object_r:mpd_var_run_t,s0)
diff --git a/mpd.if b/mpd.if
index 5fa77c7e6f..2e01c7d0a9 100644
--- a/mpd.if
+++ b/mpd.if
@@ -320,6 +320,25 @@ interface(`mpd_manage_lib_dirs',`
 	manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
 ')
 
+########################################
+## <summary>
+##	Connect to mpd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mpd_stream_connect',`
+	gen_require(`
+		type mpd_t, mpd_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -344,9 +363,13 @@ interface(`mpd_admin',`
 		type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
 	')
 
-	allow $1 mpd_t:process { ptrace signal_perms };
+	allow $1 mpd_t:process signal_perms;
 	ps_process_pattern($1, mpd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 mpd_t:process ptrace;
+	')
+
 	mpd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
index fe72523551..062ad640af 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
 type mpd_user_data_t;
 userdom_user_home_content(mpd_user_data_t) # customizable
 
+type mpd_home_t;
+userdom_user_home_content(mpd_home_t)
+
+type mpd_var_run_t;
+files_pid_file(mpd_var_run_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:capability { dac_read_search dac_override kill setgid setuid };
 allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
 allow mpd_t self:fifo_file rw_fifo_file_perms;
 allow mpd_t self:unix_stream_socket { accept connectto listen };
 allow mpd_t self:unix_dgram_socket sendto;
 allow mpd_t self:tcp_socket { accept listen };
 allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
 
 allow mpd_t mpd_data_t:dir manage_dir_perms;
 allow mpd_t mpd_data_t:file manage_file_perms;
@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
 manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
 files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
 
+manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
+files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
+
+manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
+manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t)
+manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
+
 kernel_getattr_proc(mpd_t)
 kernel_read_system_state(mpd_t)
 kernel_read_kernel_sysctls(mpd_t)
 
 corecmd_exec_bin(mpd_t)
 
-corenet_all_recvfrom_unlabeled(mpd_t)
 corenet_all_recvfrom_netlabel(mpd_t)
 corenet_tcp_sendrecv_generic_if(mpd_t)
 corenet_tcp_sendrecv_generic_node(mpd_t)
@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
 dev_write_sound(mpd_t)
 dev_read_sysfs(mpd_t)
 
-files_read_usr_files(mpd_t)
 
 fs_getattr_all_fs(mpd_t)
+fs_getattr_all_dirs(mpd_t)
 fs_list_inotifyfs(mpd_t)
 fs_rw_anon_inodefs_files(mpd_t)
 fs_search_auto_mountpoints(mpd_t)
@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t)
 
 logging_send_syslog_msg(mpd_t)
 
-miscfiles_read_localization(mpd_t)
+userdom_home_reader(mpd_t)
 
 tunable_policy(`mpd_enable_homedirs',`
-	userdom_search_user_home_dirs(mpd_t)
+	userdom_stream_connect(mpd_t)
+	userdom_read_home_audio_files(mpd_t)
+	userdom_list_user_tmp(mpd_t)
+	userdom_read_user_tmp_files(mpd_t)
+	userdom_dontaudit_setattr_user_tmp(mpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`mpd_enable_homedirs',`
+		pulseaudio_read_home_files(mpd_t)
+	')
 ')
 
 tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(mpd_t)
 	fs_read_nfs_symlinks(mpd_t)
+
 ')
 
 tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
@@ -191,13 +218,23 @@ optional_policy(`
 ')
 
 optional_policy(`
-	pulseaudio_domtrans(mpd_t)
+	pulseaudio_exec(mpd_t)
 ')
 
 optional_policy(`
 	rpc_search_nfs_state_data(mpd_t)
 ')
 
+optional_policy(`
+    #needed by pulseaudio
+    systemd_read_logind_sessions_files(mpd_t)
+    systemd_login_read_pid_files(mpd_t)
+')
+
+optional_policy(`
+	rtkit_daemon_dontaudit_dbus_chat(mpd_t)
+')
+
 optional_policy(`
 	udev_read_db(mpd_t)
 ')
diff --git a/mplayer.if b/mplayer.if
index 861d5e9746..1c3d5a538f 100644
--- a/mplayer.if
+++ b/mplayer.if
@@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',`
 
 	userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
 ')
+
+########################################
+## <summary>
+##	Create specified objects in user home
+##	directories with the generic mplayer
+##	home type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mplayer_filetrans_home_content',`
+	gen_require(`
+		type mplayer_home_t;
+	')
+
+    userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
+')
diff --git a/mplayer.te b/mplayer.te
index 0f03cd9375..e3ed3933de 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0)
 ##	its stack executable.
 ##	</p>
 ## </desc>
-gen_tunable(allow_mplayer_execstack, false)
+gen_tunable(mplayer_execstack, false)
 
 attribute_role mencoder_roles;
 attribute_role mplayer_roles;
@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t)
 dev_rwx_zero(mencoder_t)
 dev_read_video_dev(mencoder_t)
 
-files_read_usr_files(mencoder_t)
 
 fs_search_auto_mountpoints(mencoder_t)
 
@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t)
 
 userdom_manage_user_home_content_dirs(mencoder_t)
 userdom_manage_user_home_content_files(mencoder_t)
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
+userdom_filetrans_home_content(mencoder_t)
 
 ifndef(`enable_mls',`
 	fs_list_dos(mencoder_t)
@@ -95,15 +94,15 @@ ifndef(`enable_mls',`
 	fs_read_iso9660_files(mencoder_t)
 ')
 
-tunable_policy(`allow_execmem',`
-	allow mencoder_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
+        allow mencoder_t self:process execmem;
 ')
 
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
 	dev_execmod_zero(mencoder_t)
 ')
 
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
 	allow mencoder_t self:process { execmem execstack };
 ')
 
@@ -183,7 +182,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
 files_read_non_security_files(mplayer_t)
 files_list_home(mplayer_t)
 files_read_etc_runtime_files(mplayer_t)
-files_read_usr_files(mplayer_t)
 
 fs_getattr_all_fs(mplayer_t)
 fs_search_auto_mountpoints(mplayer_t)
@@ -204,7 +202,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
 
 userdom_manage_user_home_content_dirs(mplayer_t)
 userdom_manage_user_home_content_files(mplayer_t)
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+userdom_filetrans_home_content(mplayer_t)
 
 userdom_write_user_tmp_sockets(mplayer_t)
 
@@ -221,15 +219,15 @@ ifndef(`enable_mls',`
 	fs_read_iso9660_files(mplayer_t)
 ')
 
-tunable_policy(`allow_execmem',`
-	allow mplayer_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
+        allow mplayer_t self:process execmem;
 ')
 
-tunable_policy(`allow_execmod',`
+tunable_policy(`selinuxuser_execmod',`
 	dev_execmod_zero(mplayer_t)
 ')
 
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
 	allow mplayer_t self:process { execmem execstack };
 ')
 
@@ -245,7 +243,7 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_symlinks(mplayer_t)
 ')
 
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
 	allow mplayer_t mplayer_tmpfs_t:file execute;
 ')
 
diff --git a/mrtg.if b/mrtg.if
index c595094a64..23464583b5 100644
--- a/mrtg.if
+++ b/mrtg.if
@@ -1,5 +1,24 @@
 ## <summary>Network traffic graphing.</summary>
 
+########################################
+## <summary>
+##	Read mrtg lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mrtg_read_lib_files',`
+	gen_require(`
+		type mrtg_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+    read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Create and append mrtg log files.
diff --git a/mrtg.te b/mrtg.te
index 65a246a520..fa8632064c 100644
--- a/mrtg.te
+++ b/mrtg.te
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
 corecmd_exec_bin(mrtg_t)
 corecmd_exec_shell(mrtg_t)
 
-corenet_all_recvfrom_unlabeled(mrtg_t)
 corenet_all_recvfrom_netlabel(mrtg_t)
 corenet_tcp_sendrecv_generic_if(mrtg_t)
 corenet_tcp_sendrecv_generic_node(mrtg_t)
@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t)
 
 files_getattr_tmp_dirs(mrtg_t)
 files_read_etc_runtime_files(mrtg_t)
-files_read_usr_files(mrtg_t)
 files_search_var(mrtg_t)
 files_search_locks(mrtg_t)
 files_search_var_lib(mrtg_t)
@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t)
 
 logging_send_syslog_msg(mrtg_t)
 
-miscfiles_read_localization(mrtg_t)
-
 selinux_dontaudit_getattr_dir(mrtg_t)
 
-userdom_use_user_terminals(mrtg_t)
+userdom_use_inherited_user_terminals(mrtg_t)
 userdom_dontaudit_read_user_home_content_files(mrtg_t)
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
 
 netutils_domtrans_ping(mrtg_t)
 
diff --git a/mta.fc b/mta.fc
index f42896cbf9..fce39c1ce6 100644
--- a/mta.fc
+++ b/mta.fc
@@ -1,34 +1,39 @@
-HOME_DIR/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
-HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
-HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.esmtp_queue(/.*)?    gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/.maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
 
-/bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/etc/aliases	--	gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail(/.*)?	gen_context(system_u:object_r:etc_mail_t,s0)
+/etc/mail(/.*)?			gen_context(system_u:object_r:etc_mail_t,s0)
 /etc/mail/aliases.*	--	gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/postfix/aliases.*	--	gen_context(system_u:object_r:etc_aliases_t,s0)
-
-/usr/bin/esmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-
+/etc/mail/.*\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
+')
+
+/root/\.forward		--	gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc		--	gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.esmtp_queue(/.*)?     gen_context(system_u:object_r:mail_home_rw_t,s0)
+/root/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/usr/bin/esmtp		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/lib/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
-/usr/sbin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/rmail			--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/ssmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp 		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
-/var/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+/var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
 
 /var/qmail/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
-/var/spool/imap(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
-/var/spool/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
index ed81cac5a1..806055cba9 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
-## <summary>Common e-mail transfer agent policy.</summary>
+## <summary>Policy common to all email tranfer agents.</summary>
 
 ########################################
 ## <summary>
@@ -18,23 +18,37 @@ interface(`mta_stub',`
 
 #######################################
 ## <summary>
-##	The template to define a mail domain.
+##	Basic mail transfer agent domain template.
 ## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is
+##	a email transfer agent, which sends mail on
+##	behalf of the user.
+##	</p>
+##	<p>
+##	This is the basic types and rules, common
+##	to the system agent and user agents.
+##	</p>
+## </desc>
 ## <param name="domain_prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`mta_base_mail_template',`
+
 	gen_require(`
 		attribute user_mail_domain;
 		type sendmail_exec_t;
 	')
 
-	########################################
+	##############################
 	#
-	# Declarations
+	# $1_mail_t declarations
 	#
 
 	type $1_mail_t, user_mail_domain;
@@ -43,17 +57,18 @@ template(`mta_base_mail_template',`
 	type $1_mail_tmp_t;
 	files_tmp_file($1_mail_tmp_t)
 
-	########################################
-	#
-	# Declarations
-	#
-
 	manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
 	manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
 	files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
 
+	kernel_read_system_state($1_mail_t)
+
+	corenet_all_recvfrom_netlabel($1_mail_t)
+
 	auth_use_nsswitch($1_mail_t)
 
+	logging_send_syslog_msg($1_mail_t)
+
 	optional_policy(`
 		postfix_domtrans_user_mail_handler($1_mail_t)
 	')
@@ -61,61 +76,41 @@ template(`mta_base_mail_template',`
 
 ########################################
 ## <summary>
-##	Role access for mta.
+##	Role access for mta
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
 interface(`mta_role',`
 	gen_require(`
 		attribute mta_user_agent;
-		attribute_role user_mail_roles;
-		type user_mail_t, sendmail_exec_t, mail_home_t;
-		type user_mail_tmp_t, mail_home_rw_t;
+		type user_mail_t, sendmail_exec_t;
 	')
 
-	roleattribute $1 user_mail_roles;
-
-	# this is something i need to fix
-	# i dont know if and why it is needed
-	# will role attribute work?
-	role $1 types mta_user_agent;
+	role $1 types { user_mail_t mta_user_agent };
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
 	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
 
-	allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
-	ps_process_pattern($2, { user_mail_t mta_user_agent })
-
-	allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
-	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
-	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
-	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
-	userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
-
-	allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
-	allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
-	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
-
-	allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
+	allow mta_user_agent $2:fd use;
+	allow mta_user_agent $2:process sigchld;
+	allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
 
 	optional_policy(`
 		exim_run($2, $1)
 	')
 
 	optional_policy(`
-		mailman_run($2, $1)
+		mailman_run(mta_user_agent, $1)
 	')
 ')
 
@@ -163,125 +158,23 @@ interface(`mta_agent_executable',`
 	application_executable_file($1)
 ')
 
-#######################################
-## <summary>
-##	Read mta mail home files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_read_mail_home_files',`
-	gen_require(`
-		type mail_home_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	allow $1 mail_home_t:file read_file_perms;
-')
-
-#######################################
-## <summary>
-##	Create, read, write, and delete
-##	mta mail home files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_manage_mail_home_files',`
-	gen_require(`
-		type mail_home_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	allow $1 mail_home_t:file manage_file_perms;
-')
-
-########################################
+######################################
 ## <summary>
-##	Create specified objects in user home
-##	directories with the generic mail
-##	home type.
+##  Dontaudit read and write an leaked file descriptors
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
-#
-interface(`mta_home_filetrans_mail_home',`
-	gen_require(`
-		type mail_home_t;
-	')
-
-	userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
-')
-
-#######################################
-## <summary>
-##	Create, read, write, and delete
-##	mta mail home rw content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`mta_manage_mail_home_rw_content',`
-	gen_require(`
-		type mail_home_rw_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
-	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
-')
-
-########################################
-## <summary>
-##	Create specified objects in user home
-##	directories with the generic mail
-##	home rw type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`mta_home_filetrans_mail_home_rw',`
+interface(`mta_dontaudit_leaks_system_mail',`
 	gen_require(`
-		type mail_home_rw_t;
+		type system_mail_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+	dontaudit $1 system_mail_t:fifo_file write;
+	dontaudit $1 system_mail_t:tcp_socket { read write };
 ')
 
 ########################################
@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',`
 	')
 
 	init_system_domain($1, sendmail_exec_t)
-
 	typeattribute $1 mailserver_domain;
 ')
 
@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',`
 	')
 
 	typeattribute $1 mailserver_delivery;
+
+	userdom_home_manager($1)
+
+	optional_policy(`
+		mta_rw_delivery_tcp_sockets($1)
+	')
+
+	userdom_filetrans_home_content($1)
+
 ')
 
 #######################################
@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',`
 	')
 
 	typeattribute $1 mta_user_agent;
+
+	optional_policy(`
+		# apache should set close-on-exec
+		apache_dontaudit_rw_stream_sockets($1)
+		apache_dontaudit_rw_sys_script_stream_sockets($1)
+	')
 ')
 
 ########################################
@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',`
 #
 interface(`mta_send_mail',`
 	gen_require(`
+		attribute mta_user_agent;
 		type system_mail_t;
 		attribute mta_exec_type;
 	')
 
-	corecmd_search_bin($1)
+	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+	corecmd_read_bin_symlinks($1)
 	domtrans_pattern($1, mta_exec_type, system_mail_t)
 
-	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+	allow mta_user_agent $1:fd use;
+	allow mta_user_agent $1:process sigchld;
+	allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
+	dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -445,18 +357,24 @@ interface(`mta_send_mail',`
 #
 interface(`mta_sendmail_domtrans',`
 	gen_require(`
-		type sendmail_exec_t;
+		attribute mta_exec_type;
+		attribute mta_user_agent;
 	')
 
-	corecmd_search_bin($1)
-	domain_auto_trans($1, sendmail_exec_t, $2)
+	files_search_usr($1)
+	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+	corecmd_read_bin_symlinks($1)
 
-	allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+	allow $2 mta_exec_type:file entrypoint;
+	domtrans_pattern($1, mta_exec_type, $2)
+	allow mta_user_agent $1:fd use;
+	allow mta_user_agent $1:process sigchld;
+	allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Send signals to system mail.
+##	Send system mail client a signal
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`mta_signal_system_mail',`
 	gen_require(`
 		type system_mail_t;
@@ -475,7 +392,61 @@ interface(`mta_signal_system_mail',`
 
 ########################################
 ## <summary>
-##	Send kill signals to system mail.
+##	Allow role to access system_mail_t.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_role_access_system_mail',`
+	gen_require(`
+		type system_mail_t;
+	')
+
+	role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
+##	Send all user mail client a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_signal_user_agent',`
+	gen_require(`
+		attribute mta_user_agent;
+	')
+
+	allow $1 mta_user_agent:process signal;
+')
+
+########################################
+## <summary>
+##	Send all user mail client a kill signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_kill_user_agent',`
+	gen_require(`
+		attribute mta_user_agent;
+	')
+
+	allow $1 mta_user_agent:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send system mail client a kill signal
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -506,13 +477,32 @@ interface(`mta_sendmail_exec',`
 		type sendmail_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, sendmail_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Read mail server configuration content.
+##	Check whether sendmail executable
+##	files are executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_sendmail_access_check',`
+	gen_require(`
+		type sendmail_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	allow $1 sendmail_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+## <summary>
+##	Read mail server configuration.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -528,13 +518,13 @@ interface(`mta_read_config',`
 
 	files_search_etc($1)
 	allow $1 etc_mail_t:dir list_dir_perms;
-	allow $1 etc_mail_t:file read_file_perms;
-	allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
+	read_files_pattern($1, etc_mail_t, etc_mail_t)
+	read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
 ')
 
 ########################################
 ## <summary>
-##	Write mail server configuration files.
+##	write mail server configuration.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -548,33 +538,31 @@ interface(`mta_write_config',`
 		type etc_mail_t;
 	')
 
-	files_search_etc($1)
 	write_files_pattern($1, etc_mail_t, etc_mail_t)
 ')
 
 ########################################
 ## <summary>
-##	Read mail address alias files.
+##	Manage mail server configuration.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`mta_read_aliases',`
+interface(`mta_manage_config',`
 	gen_require(`
-		type etc_aliases_t;
+		type etc_mail_t;
 	')
 
-	files_search_etc($1)
-	allow $1 etc_aliases_t:file read_file_perms;
+	manage_files_pattern($1, etc_mail_t, etc_mail_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	mail address alias content.
+##	Read mail address aliases.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -582,84 +570,64 @@ interface(`mta_read_aliases',`
 ##	</summary>
 ## </param>
 #
-interface(`mta_manage_aliases',`
+interface(`mta_read_aliases',`
 	gen_require(`
 		type etc_aliases_t;
 	')
 
 	files_search_etc($1)
-	manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
-	manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+	allow $1 etc_aliases_t:file read_file_perms;
+	allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create specified object in generic
-##	etc directories with the mail address
-##	alias type.
+##	Create, read, write, and delete mail address aliases.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`mta_etc_filetrans_aliases',`
+interface(`mta_manage_aliases',`
 	gen_require(`
 		type etc_aliases_t;
 	')
 
-	files_etc_filetrans($1, etc_aliases_t, $2, $3)
+	files_search_etc($1)
+	manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+	manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+	mta_filetrans_named_content($1)
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in specified
-##	directories with a type transition to
-##	the mail address alias type.
+##	Type transition files created in /etc
+##	to the mail address aliases type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	Directory to transition on.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
 ## <param name="name" optional="true">
 ##	<summary>
 ##	The name of the object being created.
 ##	</summary>
 ## </param>
 #
-interface(`mta_spec_filetrans_aliases',`
+interface(`mta_etc_filetrans_aliases',`
 	gen_require(`
 		type etc_aliases_t;
 	')
 
-	filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
+	files_etc_filetrans($1, etc_aliases_t, file, $2)
 ')
 
 ########################################
 ## <summary>
-##	Read and write mail alias files.
+##	Read and write mail aliases.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -674,14 +642,13 @@ interface(`mta_rw_aliases',`
 	')
 
 	files_search_etc($1)
-	allow $1 etc_aliases_t:file rw_file_perms;
+	allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
 ')
 
 #######################################
 ## <summary>
-##	Do not audit attempts to read
-##	and write TCP sockets of mail
-##	delivery domains.
+##	Do not audit attempts to read and write TCP
+##	sockets of mail delivery domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -697,6 +664,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
 	dontaudit $1 mailserver_delivery:tcp_socket { read write };
 ')
 
+######################################
+## <summary>
+##  Allow attempts to read and write TCP
+##  sockets of mail delivery domains.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`mta_rw_delivery_tcp_sockets',`
+    gen_require(`
+        attribute mailserver_delivery;
+    ')
+
+    allow $1 mailserver_delivery:tcp_socket { read write };
+')
+
 #######################################
 ## <summary>
 ##	Connect to all mail servers over TCP.  (Deprecated)
@@ -713,8 +699,8 @@ interface(`mta_tcp_connect_all_mailservers',`
 
 #######################################
 ## <summary>
-##	Do not audit attempts to read
-##	mail spool symlinks.
+##	Do not audit attempts to read a symlink
+##	in the mail spool.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -732,7 +718,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
 
 ########################################
 ## <summary>
-##	Get attributes of mail spool content.
+##	Get the attributes of mail spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -753,8 +739,8 @@ interface(`mta_getattr_spool',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get
-##	attributes of mail spool files.
+##	Do not audit attempts to get the attributes
+##	of mail spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -775,9 +761,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
 
 #######################################
 ## <summary>
-##	Create specified objects in the
-##	mail spool directory with a
-##	private type.
+##	Create private objects in the
+##	mail spool directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -811,7 +796,7 @@ interface(`mta_spool_filetrans',`
 
 #######################################
 ## <summary>
-##  Read mail spool files.
+##  Read the mail spool.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
@@ -819,10 +804,10 @@ interface(`mta_spool_filetrans',`
 ##  </summary>
 ## </param>
 #
-interface(`mta_read_spool_files',`
-	gen_require(`
-		type mail_spool_t;
-	')
+interface(`mta_read_spool',`
+    gen_require(`
+        type mail_spool_t;
+    ')
 
 	files_search_spool($1)
 	read_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -830,7 +815,7 @@ interface(`mta_read_spool_files',`
 
 ########################################
 ## <summary>
-##	Read and write mail spool files.
+##	Read and write the mail spool.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -845,13 +830,14 @@ interface(`mta_rw_spool',`
 
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
-	allow $1 mail_spool_t:file rw_file_perms;
-	allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+	allow $1 mail_spool_t:file setattr_file_perms;
+	manage_files_pattern($1, mail_spool_t, mail_spool_t)
+	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
 #######################################
 ## <summary>
-##	Create, read, and write mail spool files.
+##	Create, read, and write the mail spool.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -866,13 +852,14 @@ interface(`mta_append_spool',`
 
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
-	manage_files_pattern($1, mail_spool_t, mail_spool_t)
-	allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+	create_files_pattern($1, mail_spool_t, mail_spool_t)
+	write_files_pattern($1, mail_spool_t, mail_spool_t)
+	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
 #######################################
 ## <summary>
-##	Delete mail spool files.
+##	Delete from the mail spool.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -891,8 +878,7 @@ interface(`mta_delete_spool',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	mail spool content.
+##	Create, read, write, and delete mail spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -909,47 +895,12 @@ interface(`mta_manage_spool',`
 	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
 	manage_files_pattern($1, mail_spool_t, mail_spool_t)
 	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
-')
-
-#######################################
-## <summary>
-##	Create specified objects in the
-##	mail queue spool directory with a
-##	private type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
-#
-interface(`mta_queue_filetrans',`
-	gen_require(`
-		type mqueue_spool_t;
-	')
-
-	files_search_spool($1)
-	filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+    allow $1 mail_spool_t:file map;
 ')
 
 ########################################
 ## <summary>
-##	Search mail queue directories.
+##	Search mail queue dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -968,7 +919,7 @@ interface(`mta_search_queue',`
 
 #######################################
 ## <summary>
-##	List mail queue directories.
+##	List the mail queue.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -981,13 +932,13 @@ interface(`mta_list_queue',`
 		type mqueue_spool_t;
 	')
 
-	files_search_spool($1)
 	allow $1 mqueue_spool_t:dir list_dir_perms;
+	files_search_spool($1)
 ')
 
 #######################################
 ## <summary>
-##	Read mail queue files.
+##	Read the mail queue.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1000,14 +951,14 @@ interface(`mta_read_queue',`
 		type mqueue_spool_t;
 	')
 
-	files_search_spool($1)
 	read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+	files_search_spool($1)
 ')
 
 #######################################
 ## <summary>
 ##	Do not audit attempts to read and
-##	write mail queue content.
+##	write the mail queue.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1027,7 +978,7 @@ interface(`mta_dontaudit_rw_queue',`
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	mail queue content.
+##	mail queue files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1045,6 +996,41 @@ interface(`mta_manage_queue',`
 	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
 ')
 
+#######################################
+## <summary>
+##	Create private objects in the
+##	mqueue spool directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`mta_spool_filetrans_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	files_search_spool($1)
+	filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+')
+
 #######################################
 ## <summary>
 ##	Read sendmail binary.
@@ -1055,6 +1041,7 @@ interface(`mta_manage_queue',`
 ##	</summary>
 ## </param>
 #
+# cjp: added for postfix
 interface(`mta_read_sendmail_bin',`
 	gen_require(`
 		type sendmail_exec_t;
@@ -1065,8 +1052,8 @@ interface(`mta_read_sendmail_bin',`
 
 #######################################
 ## <summary>
-##	Read and write unix domain stream
-##	sockets of all base mail domains.
+##	Read and write unix domain stream sockets
+##	of user mail domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1081,3 +1068,227 @@ interface(`mta_rw_user_mail_stream_sockets',`
 
 	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
 ')
+
+########################################
+## <summary>
+##	Type transition files created in calling dir 
+##	to the mail address aliases type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Directory to transition on.
+##	</summary>
+## </param>
+#
+interface(`mta_filetrans_aliases',`
+	gen_require(`
+		type etc_aliases_t;
+	')
+
+	filetrans_pattern($1, $2, etc_aliases_t, file)
+')
+
+######################################
+## <summary>
+##	ALlow domain to append mail content in the homedir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_append_home',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	append_files_pattern($1, mail_home_t, mail_home_t)
+
+	ifdef(`distro_redhat',`
+		userdom_search_admin_dir($1)
+	')
+')
+
+######################################
+## <summary>
+##	ALlow domain to read mail content in the homedir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_read_home',`
+	gen_require(`
+		type mail_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	read_files_pattern($1, mail_home_t, mail_home_t)
+
+	ifdef(`distro_redhat',`
+		userdom_search_admin_dir($1)
+	')
+')
+
+####################################
+## <summary>
+##      ALlow domain to mmap mail content in the homedir
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mta_mmap_home_rw',`
+        gen_require(`
+                type mail_home_rw_t;
+        ')
+
+		allow $1 mail_home_rw_t:file map;
+')
+
+####################################
+## <summary>
+##      ALlow domain to read mail content in the homedir
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mta_read_home_rw',`
+        gen_require(`
+                type mail_home_rw_t;
+        ')
+
+        userdom_search_user_home_dirs($1)
+        read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+		read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+
+        ifdef(`distro_redhat',`
+                userdom_search_admin_dir($1)
+        ')
+')
+
+####################################
+## <summary>
+##      Allow domain to manage mail content in the homedir
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mta_manage_home_rw',`
+        gen_require(`
+                type mail_home_rw_t;
+        ')
+
+        userdom_search_user_home_dirs($1)
+	userdom_search_admin_dir($1)
+	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+
+        ifdef(`distro_redhat',`
+                userdom_search_admin_dir($1)
+		userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+        ')
+')
+
+########################################
+## <summary>
+##	create mail content in the  in the /root directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_filetrans_admin_home_content',`
+	gen_require(`
+		type mail_home_t;
+		type mail_home_rw_t;
+	')
+
+	userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
+## <summary>
+##	Transition to mta named home content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_filetrans_home_content',`
+	gen_require(`
+		type mail_home_t;
+		type mail_home_rw_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+	userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
+')
+
+########################################
+## <summary>
+##	Transition to mta named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_filetrans_named_content',`
+	gen_require(`
+		type etc_aliases_t;
+		type etc_mail_t;
+	')
+
+	#filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
+	mta_etc_filetrans_aliases($1, "aliases")
+	mta_etc_filetrans_aliases($1, "aliases.db")
+	mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
+	mta_etc_filetrans_aliases($1, "__db.aliases.db")
+    mta_etc_filetrans_aliases($1, "virtusertable.db")
+    mta_etc_filetrans_aliases($1, "access.db")
+    mta_etc_filetrans_aliases($1, "domaintable.db")
+    filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "virtusertable.db")
+    filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "access.db")
+    filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "domaintable.db")
+    filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "mailertable.db")
+    filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "aliasesdb-stamp")
+	mta_filetrans_home_content($1)
+	mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
index ff1d68c6aa..630956deb3 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
 
 attribute user_mail_domain;
 
-attribute_role user_mail_roles;
-
 type etc_aliases_t;
 files_type(etc_aliases_t)
 
@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t)
 
 type mqueue_spool_t;
 files_mountpoint(mqueue_spool_t)
+files_spool_file(mqueue_spool_t)
 
 type mail_spool_t;
 files_mountpoint(mail_spool_t)
+files_spool_file(mail_spool_t)
 
 type sendmail_exec_t;
 mta_agent_executable(sendmail_exec_t)
@@ -43,11 +43,9 @@ role system_r types system_mail_t;
 mta_base_mail_template(user)
 typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
 typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
-userdom_user_application_type(user_mail_t)
-role user_mail_roles types user_mail_t;
-
 typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
 typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+userdom_user_application_type(user_mail_t)
 userdom_user_tmp_file(user_mail_tmp_t)
 
 ########################################
@@ -61,13 +59,11 @@ allow user_mail_domain self:fifo_file rw_fifo_file_perms;
 
 allow user_mail_domain mta_exec_type:file entrypoint;
 
-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
+manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
 
 manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
 manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
 manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
 
 read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
 
@@ -79,12 +75,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
 can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
 
 kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
 kernel_read_kernel_sysctls(user_mail_domain)
 kernel_read_network_state(user_mail_domain)
 kernel_request_load_module(user_mail_domain)
 
-corenet_all_recvfrom_netlabel(user_mail_domain)
 corenet_tcp_sendrecv_generic_if(user_mail_domain)
 corenet_tcp_sendrecv_generic_node(user_mail_domain)
 
@@ -107,10 +101,6 @@ fs_getattr_all_fs(user_mail_domain)
 
 init_dontaudit_rw_utmp(user_mail_domain)
 
-logging_send_syslog_msg(user_mail_domain)
-
-miscfiles_read_localization(user_mail_domain)
-
 tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_dirs(user_mail_domain)
 	fs_manage_cifs_files(user_mail_domain)
@@ -123,6 +113,11 @@ tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(user_mail_domain)
 ')
 
+optional_policy(`
+	antivirus_stream_connect(user_mail_domain)
+	antivirus_stream_connect(mta_user_agent)
+')
+
 optional_policy(`
 	courier_manage_spool_dirs(user_mail_domain)
 	courier_manage_spool_files(user_mail_domain)
@@ -149,6 +144,11 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	openshift_rw_inherited_content(mta_user_agent)
+	openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent)
+')
+
 optional_policy(`
 	procmail_exec(user_mail_domain)
 ')
@@ -166,57 +166,79 @@ optional_policy(`
 	uucp_manage_spool(user_mail_domain)
 ')
 
+mta_filetrans_admin_home_content(user_mail_domain)
+mta_filetrans_home_content(user_mail_domain)
+
 ########################################
 #
 # System local policy
 #
 
-allow system_mail_t self:capability { dac_override fowner };
+# newalias required this, not sure if it is needed in 'if' file
+allow system_mail_t self:capability { dac_read_search dac_override fowner };
+dontaudit system_mail_t self:capability net_admin;
 
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+allow system_mail_t mail_home_t:file manage_file_perms;
 
 read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
 
-allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
-
-allow system_mail_t user_mail_domain:dir list_dir_perms;
-allow system_mail_t user_mail_domain:file read_file_perms;
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
+kernel_search_network_sysctl(system_mail_t)
 
 corecmd_exec_shell(system_mail_t)
 
-dev_read_rand(system_mail_t)
 dev_read_sysfs(system_mail_t)
+dev_read_rand(system_mail_t)
+dev_read_urand(system_mail_t)
 
 fs_rw_anon_inodefs_files(system_mail_t)
 
-selinux_getattr_fs(system_mail_t)
-
 term_dontaudit_use_unallocated_ttys(system_mail_t)
 
 init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
+
+userdom_use_inherited_user_terminals(system_mail_t)
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+userdom_dontaudit_list_user_tmp(system_mail_t)
+userdom_dontaudit_read_inherited_admin_home_files(system_mail_t)
 
-userdom_use_user_terminals(system_mail_t)
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
+logging_append_all_logs(system_mail_t)
+
+logging_send_syslog_msg(system_mail_t)
 
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
+
+	# apache should set close-on-exec
 	apache_dontaudit_append_log(system_mail_t)
 	apache_dontaudit_rw_stream_sockets(system_mail_t)
 	apache_dontaudit_rw_tcp_sockets(system_mail_t)
 	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+	apache_dontaudit_rw_tmp_files(system_mail_t)
+
+	apache_dontaudit_rw_fifo_file(user_mail_domain)
+	apache_dontaudit_rw_fifo_file(mta_user_agent)
+	# apache should set close-on-exec
+	apache_dontaudit_rw_stream_sockets(mta_user_agent)
+	apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
+	apache_append_log(mta_user_agent)
 ')
 
 optional_policy(`
 	arpwatch_manage_tmp_files(system_mail_t)
 
-	ifdef(`hide_broken_symptoms',`
-		arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
-	')
+        ifdef(`hide_broken_symptoms', `
+                arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+        ')
+
 ')
 
 optional_policy(`
@@ -225,17 +247,21 @@ optional_policy(`
 ')
 
 optional_policy(`
-	clamav_stream_connect(system_mail_t)
-	clamav_append_log(system_mail_t)
+	courier_stream_connect_authdaemon(system_mail_t)
 ')
 
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
 	cron_rw_system_job_stream_sockets(system_mail_t)
+	cron_rw_inherited_spool_files(system_mail_t)
+	cron_rw_inherited_user_spool_files(system_mail_t)
 ')
 
 optional_policy(`
+	courier_manage_spool_dirs(system_mail_t)
+	courier_manage_spool_files(system_mail_t)
+	courier_rw_spool_pipes(system_mail_t)
 	courier_stream_connect_authdaemon(system_mail_t)
 ')
 
@@ -244,9 +270,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
-	fail2ban_append_log(system_mail_t)
-	fail2ban_rw_inherited_tmp_files(system_mail_t)
+	fail2ban_append_log(user_mail_domain)
+	fail2ban_dontaudit_leaks(user_mail_domain)
+	fail2ban_rw_inherited_tmp_files(mta_user_agent)
+	fail2ban_rw_inherited_tmp_files(user_mail_domain)
 ')
 
 optional_policy(`
@@ -258,10 +285,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# newaliases runs as system_mail_t when the sendmail initscript does a restart
 	milter_getattr_all_sockets(system_mail_t)
 ')
 
 optional_policy(`
+	munin_dontaudit_leaks(system_mail_t)
+	munin_manage_var_lib_files(system_mail_t)
+')
+
+optional_policy(`
+    nagios_append_spool(system_mail_t)
 	nagios_read_tmp_files(system_mail_t)
 ')
 
@@ -272,12 +306,29 @@ optional_policy(`
 	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
 	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
 	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+
+	domain_use_interactive_fds(system_mail_t)
+')
+
+optional_policy(`
+	postfix_domtrans_postdrop(system_mail_t)
+')
+
+optional_policy(`
+	qmail_domtrans_inject(system_mail_t)
+	qmail_manage_spool_dirs(system_mail_t)
+	qmail_manage_spool_files(system_mail_t)
+	qmail_rw_spool_pipes(system_mail_t)
 ')
 
 optional_policy(`
 	sxid_read_log(system_mail_t)
 ')
 
+optional_policy(`
+    systemd_write_inhibit_pipes(system_mail_t)
+')
+
 optional_policy(`
 	userdom_dontaudit_use_user_ptys(system_mail_t)
 
@@ -287,42 +338,36 @@ optional_policy(`
 ')
 
 optional_policy(`
-	spamassassin_stream_connect_spamd(system_mail_t)
+	spamd_stream_connect(system_mail_t)
 ')
 
 optional_policy(`
 	smartmon_read_tmp_files(system_mail_t)
 ')
 
-########################################
-#
-# MTA user agent local policy
-#
-
-userdom_use_user_terminals(mta_user_agent)
-
-optional_policy(`
-	apache_append_log(mta_user_agent)
-')
+# should break this up among sections:
 
 optional_policy(`
+	# why is mail delivered to a directory of type arpwatch_data_t?
+	arpwatch_search_data(mailserver_delivery)
 	arpwatch_manage_tmp_files(mta_user_agent)
 
-	ifdef(`hide_broken_symptoms',`
-		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
-	')
-
 	optional_policy(`
 		cron_read_system_job_tmp_files(mta_user_agent)
 	')
 ')
 
+ifdef(`hide_broken_symptoms',`
+	domain_dontaudit_leaks(user_mail_domain)
+	domain_dontaudit_leaks(mta_user_agent)
+')
+
 ########################################
 #
 # Mailserver delivery local policy
 #
 
-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
+allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
 
 allow mailserver_delivery mail_spool_t:dir list_dir_perms;
 create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,44 +376,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
+
 manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
 manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
 
 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(mailserver_delivery)
-	fs_manage_cifs_files(mailserver_delivery)
-	fs_read_cifs_symlinks(mailserver_delivery)
+optional_policy(`
+	dovecot_manage_spool(mailserver_delivery)
+	dovecot_domtrans_deliver(mailserver_delivery)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(mailserver_delivery)
-	fs_manage_nfs_files(mailserver_delivery)
-	fs_read_nfs_symlinks(mailserver_delivery)
+optional_policy(`
+	logwatch_search_cache_dir(mailserver_delivery)
 ')
 
 optional_policy(`
-	arpwatch_search_data(mailserver_delivery)
+	# so MTA can access /var/lib/mailman/mail/wrapper
+	files_search_var_lib(mailserver_delivery)
+
+	mailman_domtrans(mailserver_delivery)
+	mailman_read_data_symlinks(mailserver_delivery)
 ')
 
 optional_policy(`
-	dovecot_manage_spool(mailserver_delivery)
-	dovecot_domtrans_deliver(mailserver_delivery)
+	mailman_manage_data_files(mailserver_domain)
+	mailman_domtrans(mailserver_domain)
+	mailman_append_log(mailserver_domain)
+	mailman_read_log(mailserver_domain)
 ')
 
 optional_policy(`
-	files_search_var_lib(mailserver_delivery)
+    mta_filetrans_home_content(mailserver_domain)
+    mta_filetrans_admin_home_content(mailserver_domain)
+    mta_read_home(mailserver_domain)
+    mta_append_home(mailserver_domain)
+')
 
-	mailman_domtrans(mailserver_delivery)
-	mailman_read_data_symlinks(mailserver_delivery)
+optional_policy(`
+    pcp_read_lib_files(mailserver_delivery)
 ')
 
 optional_policy(`
@@ -381,24 +430,49 @@ optional_policy(`
 
 ########################################
 #
-# User local policy
+# User send mail local policy
 #
 
-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_inherited_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_inherited_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_filetrans_home_content(user_mail_t)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
+
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
 
 dev_read_sysfs(user_mail_t)
 
-userdom_use_user_terminals(user_mail_t)
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(user_mail_t)
+	fs_manage_cifs_symlinks(user_mail_t)
+')
 
 optional_policy(`
-	allow user_mail_t self:capability dac_override;
+	allow user_mail_t self:capability {dac_read_search dac_override };
 
+	# Read user temporary files.
+	# postfix seems to need write access if the file handle is opened read/write
 	userdom_rw_user_tmp_files(user_mail_t)
 
 	postfix_read_config(user_mail_t)
 	postfix_list_spool(user_mail_t)
 ')
+
+
diff --git a/munin.fc b/munin.fc
index eb4b72a92a..4ea6ce7e29 100644
--- a/munin.fc
+++ b/munin.fc
@@ -1,77 +1,78 @@
-/etc/munin(/.*)?	gen_context(system_u:object_r:munin_etc_t,s0)
-
+/etc/munin(/.*)?			gen_context(system_u:object_r:munin_etc_t,s0)
 /etc/rc\.d/init\.d/munin-node	--	gen_context(system_u:object_r:munin_initrc_exec_t,s0)
 
-/usr/bin/munin-.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
-
-/usr/sbin/munin-.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
-
+/usr/bin/munin-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
+/usr/sbin/munin-.*		--	gen_context(system_u:object_r:munin_exec_t,s0)
 /usr/share/munin/munin-.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
 
+# label all plugins as unconfined_munin_plugin_exec_t
 /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
 
-/usr/share/munin/plugins/diskstat.*	--	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+# disk plugins
+/usr/share/munin/plugins/diskstat.* --	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/df.*	--	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/hddtemp.*	--	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/smart_.*	--	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* --	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* --	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
 
-/usr/share/munin/plugins/courier_mta_.*	--	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/exim_mail.*	--	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mailman	--	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mailscanner	--	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/postfix_mail.*	--	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/sendmail_.*	--	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/qmail.*	--	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.*	-- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.*	-- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
 
-/usr/share/munin/plugins/apache_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/asterisk_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/http_loadtime	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/fail2ban	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+# services plugins
+/usr/share/munin/plugins/apache_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/lpstat	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/mysql_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/named	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/ntp_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/nut.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/openvpn	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/ping_	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/postgres_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ 	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/samba	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/slapd_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/snmp_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/squid_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/tomcat_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/varnish_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
 
+# selinux plugins
 /usr/share/munin/plugins/selinux_avcstat	--	gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
 
+# system plugins
 /usr/share/munin/plugins/acpi	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/cpu.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/forks	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/if_.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/iostat.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/interrupts	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/irqstats	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/load	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/memory	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/munin_.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/netstat	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/nfs.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/open_files	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/proc_pri	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/processes	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/swap	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/threads	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/unbound	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/uptime	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/users	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-/usr/share/munin/plugins/yum	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 
-/var/lib/munin(/.*)?	gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/lib/munin/plugin-state(/.*)?	gen_context(system_u:object_r:munin_plugin_state_t,s0)
-
-/var/log/munin.*	gen_context(system_u:object_r:munin_log_t,s0)
-
-/var/run/munin.*	gen_context(system_u:object_r:munin_var_run_t,s0)
-
-/var/www/html/munin(/.*)?	gen_context(system_u:object_r:httpd_munin_content_t,s0)
-/var/www/html/munin/cgi(/.*)?	gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)?		gen_context(system_u:object_r:munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:munin_script_exec_t,s0)
+/var/www/html/cgi/munin.*       	gen_context(system_u:object_r:munin_script_exec_t,s0)
+/var/www/cgi-bin/munin.*		gen_context(system_u:object_r:munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
index b744fe35ea..cb0e2af61a 100644
--- a/munin.if
+++ b/munin.if
@@ -1,12 +1,13 @@
-## <summary>Munin network-wide load graphing.</summary>
+## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a munin plugin domain.
+##	Create a set of derived types for various
+##	munin plugins,
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	The name to be used for deriving type names.
 ##	</summary>
 ## </param>
 #
@@ -14,12 +15,8 @@ template(`munin_plugin_template',`
 	gen_require(`
 		attribute munin_plugin_domain, munin_plugin_tmp_content;
 		type munin_t;
-	')
 
-	########################################
-	#
-	# Declarations
-	#
+	')
 
 	type $1_munin_plugin_t, munin_plugin_domain;
 	type $1_munin_plugin_exec_t;
@@ -33,15 +30,22 @@ template(`munin_plugin_template',`
 	files_tmp_file($1_munin_plugin_tmp_t)
 
 	########################################
-	#
-	# Policy
-	#
+	# 
+    # Policy
+    #            
 
+	# automatic transition rules from munin domain
+	# to specific munin plugin domain
 	domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
 
 	manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
 	manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
 	files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+	kernel_read_system_state($1_munin_plugin_t)
+
+	corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
+	corenet_all_recvfrom_netlabel($1_munin_plugin_t)
 ')
 
 ########################################
@@ -66,7 +70,7 @@ interface(`munin_stream_connect',`
 
 #######################################
 ## <summary>
-##	Read munin configuration content.
+##	Read munin configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -80,15 +84,92 @@ interface(`munin_read_config',`
 		type munin_etc_t;
 	')
 
-	files_search_etc($1)
 	allow $1 munin_etc_t:dir list_dir_perms;
 	allow $1 munin_etc_t:file read_file_perms;
 	allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
+	files_search_etc($1)
+')
+
+#######################################
+## <summary>
+##	Read munin library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_read_var_lib_files',`
+	gen_require(`
+		type munin_var_lib_t;
+	')
+
+	files_search_var_lib($1)	
+	read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
+#######################################
+## <summary>
+##	Manage munin library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_manage_var_lib_files',`
+	gen_require(`
+		type munin_var_lib_t;
+	')
+
+	files_search_var_lib($1)	
+	manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+')
+
+#######################################
+## <summary>
+##	Append munin library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_append_var_lib_files',`
+	gen_require(`
+		type munin_var_lib_t;
+	')
+
+	files_search_var_lib($1)	
+	append_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
+######################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`munin_dontaudit_leaks',`
+	gen_require(`
+		type munin_t;
+	')
+
+	dontaudit $1 munin_t:tcp_socket { read write };
 ')
 
 #######################################
 ## <summary>
-##	Append munin log files.
+##	Append to the munin log.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -147,8 +228,8 @@ interface(`munin_dontaudit_search_lib',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an munin environment.
+##	All of the rules required to administrate
+##	an munin environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -157,7 +238,7 @@ interface(`munin_dontaudit_search_lib',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the munin domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -167,11 +248,15 @@ interface(`munin_admin',`
 		attribute munin_plugin_domain, munin_plugin_tmp_content;
 		type munin_t, munin_etc_t, munin_tmp_t;
 		type munin_log_t, munin_var_lib_t, munin_var_run_t;
-		type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+		type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
 	')
 
-	allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { munin_plugin_domain munin_t })
+	allow $1 munin_t:process signal_perms;
+	ps_process_pattern($1, munin_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 munin_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, munin_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -193,5 +278,5 @@ interface(`munin_admin',`
 	files_list_pids($1)
 	admin_pattern($1, munin_var_run_t)
 
-	admin_pattern($1, httpd_munin_content_t)
+	admin_pattern($1, munin_content_t)
 ')
diff --git a/munin.te b/munin.te
index b70870816b..7d87f0a806 100644
--- a/munin.te
+++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
 munin_plugin_template(system)
 munin_plugin_template(unconfined)
 
+type munin_script_tmp_t alias httpd_munin_script_tmp_t;
+files_tmp_file(munin_script_tmp_t)
+
 ################################
 #
 # Common munin plugin local policy
 #
 
-allow munin_plugin_domain self:process signal;
+allow munin_plugin_domain self:process signal_perms;
 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
 
 allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
 
 read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
 
+allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms;
+
 allow munin_plugin_domain munin_exec_t:file read_file_perms;
 
 allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
 
 manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
 
-kernel_read_system_state(munin_plugin_domain)
-
-corenet_all_recvfrom_unlabeled(munin_plugin_domain)
-corenet_all_recvfrom_netlabel(munin_plugin_domain)
 corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
 corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
 
 corecmd_exec_bin(munin_plugin_domain)
 corecmd_exec_shell(munin_plugin_domain)
 
-files_read_etc_files(munin_plugin_domain)
-files_read_usr_files(munin_plugin_domain)
 files_search_var_lib(munin_plugin_domain)
 
 fs_getattr_all_fs(munin_plugin_domain)
 
-miscfiles_read_localization(munin_plugin_domain)
+auth_read_passwd(munin_plugin_domain)
 
 optional_policy(`
 	nscd_use(munin_plugin_domain)
@@ -89,7 +88,7 @@ optional_policy(`
 # Local policy
 #
 
-allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
+allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio };
 dontaudit munin_t self:capability sys_tty_config;
 allow munin_t self:process { getsched setsched signal_perms };
 allow munin_t self:unix_stream_socket { accept connectto listen };
@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 
-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
 
 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
 corecmd_exec_bin(munin_t)
 corecmd_exec_shell(munin_t)
 
-corenet_all_recvfrom_unlabeled(munin_t)
 corenet_all_recvfrom_netlabel(munin_t)
 corenet_tcp_sendrecv_generic_if(munin_t)
 corenet_tcp_sendrecv_generic_node(munin_t)
@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
 domain_read_all_domains_state(munin_t)
 
 files_read_etc_runtime_files(munin_t)
-files_read_usr_files(munin_t)
 files_list_spool(munin_t)
 
 fs_getattr_all_fs(munin_t)
@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
 logging_read_all_logs(munin_t)
 
 miscfiles_read_fonts(munin_t)
-miscfiles_read_localization(munin_t)
 miscfiles_setattr_fonts_cache_dirs(munin_t)
 
 sysnet_exec_ifconfig(munin_t)
@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
 userdom_dontaudit_search_user_home_dirs(munin_t)
 
-optional_policy(`
-	apache_content_template(munin)
-
-	manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
-	manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
-	apache_search_sys_content(munin_t)
-')
 
 optional_policy(`
 	cron_system_entry(munin_t, munin_exec_t)
@@ -217,7 +206,6 @@ optional_policy(`
 
 optional_policy(`
 	postfix_list_spool(munin_t)
-	postfix_getattr_all_spool_files(munin_t)
 ')
 
 optional_policy(`
@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
 
 rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
+kernel_read_fs_sysctls(disk_munin_plugin_t)
+
 corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
 corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
 corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
 
-dev_getattr_all_blk_files(disk_munin_plugin_t)
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
 dev_getattr_lvm_control(disk_munin_plugin_t)
 dev_read_sysfs(disk_munin_plugin_t)
 dev_read_urand(disk_munin_plugin_t)
-
-files_read_etc_runtime_files(disk_munin_plugin_t)
+dev_read_all_blk_files(disk_munin_plugin_t)
 
 fs_getattr_all_fs(disk_munin_plugin_t)
 fs_getattr_all_dirs(disk_munin_plugin_t)
 
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
 
 sysnet_read_config(disk_munin_plugin_t)
 
@@ -272,34 +262,50 @@ optional_policy(`
 	fstools_exec(disk_munin_plugin_t)
 ')
 
+optional_policy(`
+    rpc_search_nfs_state_data(disk_munin_plugin_t)
+')
+
 ####################################
 #
 # Mail local policy
 #
 
-allow mail_munin_plugin_t self:capability dac_override;
+allow mail_munin_plugin_t self:capability { dac_read_search dac_override };
+
+allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mail_munin_plugin_t self:udp_socket create_socket_perms;
 
 rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
+kernel_read_net_sysctls(mail_munin_plugin_t)
+
 dev_read_urand(mail_munin_plugin_t)
 
 logging_read_generic_logs(mail_munin_plugin_t)
 
+sysnet_read_config(mail_munin_plugin_t)
+
+optional_policy(`
+	exim_read_log(mail_munin_plugin_t)
+')
+
 optional_policy(`
-	mta_list_queue(mail_munin_plugin_t)
 	mta_read_config(mail_munin_plugin_t)
-	mta_read_queue(mail_munin_plugin_t)
 	mta_send_mail(mail_munin_plugin_t)
+	mta_list_queue(mail_munin_plugin_t)
+	mta_read_queue(mail_munin_plugin_t)
 ')
 
 optional_policy(`
-	nscd_use(mail_munin_plugin_t)
+	nscd_socket_use(mail_munin_plugin_t)
 ')
 
 optional_policy(`
-	postfix_getattr_all_spool_files(mail_munin_plugin_t)
 	postfix_read_config(mail_munin_plugin_t)
 	postfix_list_spool(mail_munin_plugin_t)
+	postfix_getattr_spool_files(mail_munin_plugin_t)
 ')
 
 optional_policy(`
@@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t)
 sysnet_read_config(services_munin_plugin_t)
 
 optional_policy(`
-	bind_read_config(munin_services_plugin_t)
+	bind_read_config(services_munin_plugin_t)
 ')
 
 optional_policy(`
@@ -347,6 +353,10 @@ optional_policy(`
 	cups_stream_connect(services_munin_plugin_t)
 ')
 
+optional_policy(`
+    fail2ban_domtrans_client(services_munin_plugin_t)
+')
+
 optional_policy(`
 	lpd_exec_lpr(services_munin_plugin_t)
 ')
@@ -361,7 +371,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nscd_use(services_munin_plugin_t)
+	nscd_socket_use(services_munin_plugin_t)
+')
+
+optional_policy(`
+	ntp_exec(services_munin_plugin_t)
 ')
 
 optional_policy(`
@@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
 
 kernel_read_network_state(system_munin_plugin_t)
 kernel_read_all_sysctls(system_munin_plugin_t)
+kernel_read_fs_sysctls(system_munin_plugin_t)
 
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
@@ -421,3 +436,33 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(unconfined_munin_plugin_t)
 ')
+
+
+#######################################
+#
+# Munin CGI script local policy
+#
+
+apache_content_template(munin)
+apache_content_alias_template(munin, munin)
+
+manage_dirs_pattern(munin_t, munin_content_t, munin_content_t)
+manage_files_pattern(munin_t, munin_content_t, munin_content_t)
+
+manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
+manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
+files_tmp_filetrans(munin_script_t, munin_script_tmp_t, { dir file })
+
+read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
+list_dirs_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+
+manage_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+
+files_search_var_lib(munin_script_t)
+
+auth_read_passwd(munin_script_t)
+
+optional_policy(`
+	apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
index 06f8666df6..3099f74f56 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,27 +1,47 @@
-HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/my\.cnf\.d(/.*)?	gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/mysql(/.*)?	gen_context(system_u:object_r:mysqld_etc_t,s0)
-
-/etc/rc\.d/init\.d/mysqld?	--	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
-
+# mysql database server
+
+#
+# /HOME
+#
+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+
+/usr/lib/systemd/system/mysqld.*	--	gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+/usr/lib/systemd/system/mariadb.*   --  gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+
+#
+# /etc
+#
+/etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/my\.cnf\.d(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
+/etc/rc\.d/init\.d/mysqld --	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
+#
+# /usr
+#
 /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+/usr/bin/mysqld_safe_helper    --      gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
 /usr/libexec/mysqld	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/libexec/mysqld_safe-scl-helper --  gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
 
 /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
-/usr/sbin/ndbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/ndbd		--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
-/var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
-/var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_var_run_t,s0)
+#
+# /var
+#
+/var/lib/mysql(-files|-keyring)?(/.*)?  gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s	gen_context(system_u:object_r:mysqld_var_run_t,s0)
 
 /var/log/mariadb(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)
 /var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
 
-/var/run/mysqld.*	gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/run/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
-/var/run/mysqld/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+/var/run/mariadb(/.*)?      gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
diff --git a/mysql.if b/mysql.if
index 687af38bbd..5381f1b390 100644
--- a/mysql.if
+++ b/mysql.if
@@ -1,23 +1,4 @@
-## <summary>Open source database.</summary>
-
-########################################
-## <summary>
-##	Role access for mysql.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`mysql_role',`
-	refpolicywarn(`$0($*) has been deprecated')
-')
+## <summary>Policy for MySQL</summary>
 
 ######################################
 ## <summary>
@@ -34,38 +15,30 @@ interface(`mysql_domtrans',`
 		type mysqld_t, mysqld_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, mysqld_exec_t, mysqld_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Execute mysqld in the mysqld domain, and
-##	allow the specified role the mysqld domain.
+##	Execute MySQL in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`mysql_run_mysqld',`
+interface(`mysql_exec',`
 	gen_require(`
-		attribute_role mysqld_roles;
+		type  mysqld_exec_t;
 	')
 
-	mysql_domtrans($1)
-	roleattribute $2 mysqld_roles;
+	can_exec($1, mysqld_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Send generic signals to mysqld.
+##	Send a generic signal to MySQL.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -81,9 +54,27 @@ interface(`mysql_signal',`
 	allow $1 mysqld_t:process signal;
 ')
 
+#######################################
+## <summary>
+##  Send a null signal to mysql.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`mysql_signull',`
+    gen_require(`
+        type mysqld_t;
+    ')
+
+    allow $1 mysqld_t:process signull;
+')
+
 ########################################
 ## <summary>
-##	Connect to mysqld with a tcp socket.
+##	Allow the specified domain to connect to postgresql with a tcp socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',`
 
 ########################################
 ## <summary>
-##	Connect to mysqld with a unix
-#	domain stream socket.
+##	Connect to MySQL using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',`
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
 ')
 
 ########################################
 ## <summary>
-##	Read mysqld configuration content.
+##	Read MySQL configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -139,7 +130,6 @@ interface(`mysql_read_config',`
 		type mysqld_etc_t;
 	')
 
-	files_search_etc($1)
 	allow $1 mysqld_etc_t:dir list_dir_perms;
 	allow $1 mysqld_etc_t:file read_file_perms;
 	allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
@@ -147,7 +137,8 @@ interface(`mysql_read_config',`
 
 ########################################
 ## <summary>
-##	Search mysqld db directories.
+##	Search the directories that contain MySQL
+##	database storage.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -155,6 +146,8 @@ interface(`mysql_read_config',`
 ##	</summary>
 ## </param>
 #
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
 interface(`mysql_search_db',`
 	gen_require(`
 		type mysqld_db_t;
@@ -166,7 +159,27 @@ interface(`mysql_search_db',`
 
 ########################################
 ## <summary>
-##	Read and write mysqld database directories.
+##	List the directories that contain MySQL
+##	database storage.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_list_db',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 mysqld_db_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read and write to the MySQL database directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	mysqld database directories.
+##	Create, read, write, and delete MySQL database directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',`
 
 #######################################
 ## <summary>
-##	Append mysqld database files.
+##	Append to the MySQL database directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -221,10 +233,28 @@ interface(`mysql_append_db_files',`
 	files_search_var_lib($1)
 	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
 ')
+#######################################
+## <summary>
+##	Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_read_db_lnk_files',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+    read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
 
 #######################################
 ## <summary>
-##	Read and write mysqld database files.
+##	Read and write to the MySQL database directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -243,8 +273,7 @@ interface(`mysql_rw_db_files',`
 
 #######################################
 ## <summary>
-##	Create, read, write, and delete
-##	mysqld database files.
+##	Create, read, write, and delete MySQL database files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -263,7 +292,7 @@ interface(`mysql_manage_db_files',`
 
 ########################################
 ## <summary>
-##	Read and write mysqld database sockets.
+##	Read and write to the MySQL database
 ##	named socket.
 ## </summary>
 ## <param name="domain">
@@ -273,13 +302,18 @@ interface(`mysql_manage_db_files',`
 ## </param>
 #
 interface(`mysql_rw_db_sockets',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 mysqld_db_t:dir search_dir_perms;
+	allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	mysqld home files.
+##	Write to the MySQL log.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -287,86 +321,92 @@ interface(`mysql_rw_db_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`mysql_manage_mysqld_home_files',`
+interface(`mysql_write_log',`
 	gen_require(`
-		type mysqld_home_t;
+		type mysqld_log_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 mysqld_home_t:file manage_file_perms;
+	logging_search_logs($1)
+	allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
 ')
 
-########################################
+######################################
 ## <summary>
-##	Relabel mysqld home files.
+##	Execute MySQL safe script in the mysql safe domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`mysql_relabel_mysqld_home_files',`
+interface(`mysql_domtrans_mysql_safe',`
 	gen_require(`
-		type mysqld_home_t;
+		type mysqld_safe_t, mysqld_safe_exec_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 mysqld_home_t:file relabel_file_perms;
+	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Create objects in user home
-##	directories with the mysqld home type.
+##	Execute MySQL_safe in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
+#
+interface(`mysql_safe_exec',`
+	gen_require(`
+		type  mysqld_safe_exec_t;
+	')
+
+	can_exec($1, mysqld_safe_exec_t)
+')
+
+#####################################
+## <summary>
+##	Read MySQL PID files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`mysql_home_filetrans_mysqld_home',`
+interface(`mysql_read_pid_files',`
 	gen_require(`
-		type mysqld_home_t;
+		type mysqld_var_run_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3)
+	mysql_search_pid_files($1)
+	read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
 ')
 
-########################################
+#####################################
 ## <summary>
-##	Write mysqld log files.
+##	Search MySQL PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+##
 #
-interface(`mysql_write_log',`
+interface(`mysql_search_pid_files',`
 	gen_require(`
-		type mysqld_log_t;
+		type mysqld_var_run_t;
 	')
 
-	logging_search_logs($1)
-	allow $1 mysqld_log_t:file write_file_perms;
+	search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
 ')
 
-######################################
+########################################
 ## <summary>
-##	Execute mysqld safe in the
-##	mysqld safe domain.
+##	Execute mysqld server in the mysqld domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -374,18 +414,23 @@ interface(`mysql_write_log',`
 ##	</summary>
 ## </param>
 #
-interface(`mysql_domtrans_mysql_safe',`
+interface(`mysql_systemctl',`
 	gen_require(`
-		type mysqld_safe_t, mysqld_safe_exec_t;
+		type mysqld_unit_file_t;
+		type mysqld_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 mysqld_unit_file_t:file read_file_perms;
+	allow $1 mysqld_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, mysqld_t)
 ')
 
-#####################################
+########################################
 ## <summary>
-##	Read mysqld pid files.
+##	read mysqld homedir content (.k5login)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -393,39 +438,37 @@ interface(`mysql_domtrans_mysql_safe',`
 ##	</summary>
 ## </param>
 #
-interface(`mysql_read_pid_files',`
+interface(`mysql_read_home_content',`
 	gen_require(`
-		type mysqld_var_run_t;
+		type mysqld_home_t;
 	')
 
-	files_search_pids($1)
-	read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+	userdom_search_user_home_dirs($1)
+	read_files_pattern($1, mysqld_home_t, mysqld_home_t)
 ')
 
-#####################################
+########################################
 ## <summary>
-##	Search mysqld pid files.
+##	Transition to mysqld named content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-##
 #
-interface(`mysql_search_pid_files',`
+interface(`mysql_filetrans_named_content',`
 	gen_require(`
-		type mysqld_var_run_t;
+		type mysqld_home_t;
 	')
 
-	files_search_pids($1)
-	search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+	userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
+	userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an mysqld environment.
+##	All of the rules required to administrate an mysql environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -434,41 +477,52 @@ interface(`mysql_search_pid_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the mysql domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`mysql_admin',`
 	gen_require(`
-		type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+		type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
 		type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
-		type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
-		type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
+		type mysqld_etc_t;
+		type mysqld_home_t;
+		type mysqld_unit_file_t;
 	')
 
-	allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
+	allow $1 mysqld_t:process signal_perms;
+	ps_process_pattern($1, mysqld_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 mysqld_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, {  mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
+	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
 	domain_system_change_exemption($1)
-	role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
+	role_transition $2 mysqld_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_pids($1)
-	admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
+	files_list_pids($1)
+	admin_pattern($1, mysqld_var_run_t)
 
-	files_search_var_lib($1)
 	admin_pattern($1, mysqld_db_t)
 
-	files_search_etc($1)
-	admin_pattern($1, { mysqld_etc_t mysqld_home_t })
+	files_list_etc($1)
+	admin_pattern($1, mysqld_etc_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, mysqld_log_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, mysqld_tmp_t)
 
-	mysql_run_mysqld($1, $2)
+	userdom_search_user_home_dirs($1)
+	files_list_root($1)
+	admin_pattern($1, mysqld_home_t)
+
+	mysql_systemctl($1)
+	admin_pattern($1, mysqld_unit_file_t)
+	allow $1 mysqld_unit_file_t:service all_service_perms;
+
+	mysql_stream_connect($1)
 ')
diff --git a/mysql.te b/mysql.te
index 7584bbe7cd..34251389c7 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether mysqld can
-##	connect to all TCP ports.
-##	</p>
+## <p>
+## Allow mysqld to connect to all ports
+## </p>
 ## </desc>
 gen_tunable(mysql_connect_any, false)
 
-attribute_role mysqld_roles;
-
 type mysqld_t;
 type mysqld_exec_t;
 init_daemon_domain(mysqld_t, mysqld_exec_t)
-application_domain(mysqld_t, mysqld_exec_t)
-role mysqld_roles types mysqld_t;
 
 type mysqld_safe_t;
 type mysqld_safe_exec_t;
@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
 
 type mysqld_var_run_t;
 files_pid_file(mysqld_var_run_t)
-init_daemon_run_dir(mysqld_var_run_t, "mysqld")
 
 type mysqld_db_t;
 files_type(mysqld_db_t)
@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t)
 type mysqld_home_t;
 userdom_user_home_content(mysqld_home_t)
 
+type mysqld_unit_file_t;
+systemd_unit_file(mysqld_unit_file_t)
+
 type mysqld_initrc_exec_t;
 init_script_file(mysqld_initrc_exec_t)
 
@@ -62,89 +59,112 @@ files_pid_file(mysqlmanagerd_var_run_t)
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_read_search dac_override ipc_lock setgid setuid sys_nice sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
-allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
+allow mysqld_t mysqld_db_t:file map;
 
-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
-
-allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+allow mysqld_t mysqld_etc_t:file read_file_perms;
 allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
 
 manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
 manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+manage_fifo_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+allow mysqld_t mysqld_tmp_t:file map;
 
 manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
 
-kernel_read_kernel_sysctls(mysqld_t)
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corecmd_exec_bin(mysqld_t)
+corecmd_exec_shell(mysqld_t)
 
-corenet_all_recvfrom_unlabeled(mysqld_t)
 corenet_all_recvfrom_netlabel(mysqld_t)
 corenet_tcp_sendrecv_generic_if(mysqld_t)
+corenet_udp_sendrecv_generic_if(mysqld_t)
 corenet_tcp_sendrecv_generic_node(mysqld_t)
+corenet_udp_sendrecv_generic_node(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_udp_sendrecv_all_ports(mysqld_t)
 corenet_tcp_bind_generic_node(mysqld_t)
-
-corenet_sendrecv_mysqld_server_packets(mysqld_t)
 corenet_tcp_bind_mysqld_port(mysqld_t)
-corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_tcp_bind_tram_port(mysqld_t)
 corenet_tcp_connect_mysqld_port(mysqld_t)
-corenet_tcp_sendrecv_mysqld_port(mysqld_t)
+corenet_tcp_connect_tram_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
 
-corecmd_exec_bin(mysqld_t)
-corecmd_exec_shell(mysqld_t)
+can_exec(mysqld_t, mysqld_exec_t)
 
 dev_read_sysfs(mysqld_t)
 dev_read_urand(mysqld_t)
 
-domain_use_interactive_fds(mysqld_t)
-
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
 fs_rw_hugetlbfs_files(mysqld_t)
 
+domain_use_interactive_fds(mysqld_t)
+domain_read_all_domains_state(mysqld_t)
+
+files_getattr_var_lib_dirs(mysqld_t)
 files_read_etc_runtime_files(mysqld_t)
-files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
+files_search_pids(mysqld_t)
+files_getattr_all_sockets(mysqld_t)
 
-auth_use_nsswitch(mysqld_t)
+auth_use_pam(mysqld_t)
 
 logging_send_syslog_msg(mysqld_t)
 
-miscfiles_read_localization(mysqld_t)
+sysnet_read_config(mysqld_t)
+sysnet_exec_ifconfig(mysqld_t)
 
-userdom_search_user_home_dirs(mysqld_t)
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+ifdef(`distro_redhat',`
+	filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+')
 
 tunable_policy(`mysql_connect_any',`
-	corenet_sendrecv_all_client_packets(mysqld_t)
 	corenet_tcp_connect_all_ports(mysqld_t)
-	corenet_tcp_sendrecv_all_ports(mysqld_t)
+	corenet_sendrecv_all_client_packets(mysqld_t)
 ')
 
 optional_policy(`
 	daemontools_service_domain(mysqld_t, mysqld_exec_t)
 ')
 
+optional_policy(`
+    openshift_search_lib(mysqld_t)
+')
+
+optional_policy(`
+    rhcs_manage_cluster_pid_files(mysqld_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(mysqld_t)
 ')
@@ -155,21 +175,20 @@ optional_policy(`
 
 #######################################
 #
-# Safe local policy
+# Local mysqld_safe policy
 #
 
-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+allow mysqld_safe_t self:capability { chown dac_read_search dac_override setgid setuid fowner kill sys_nice sys_resource };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { rlimitinh noatsecure };
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 
-allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
 
 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
@@ -177,31 +196,39 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 
 manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
-
-domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
 
 kernel_read_system_state(mysqld_safe_t)
 kernel_read_kernel_sysctls(mysqld_safe_t)
 
+can_exec(mysqld_safe_t, mysqld_safe_exec_t)
+
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
 
+dev_read_urand(mysqld_safe_t)
 dev_list_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
-files_read_etc_files(mysqld_safe_t)
-files_read_usr_files(mysqld_safe_t)
-files_search_pids(mysqld_safe_t)
-files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_dontaudit_access_check_root(mysqld_safe_t)
 files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
 
+files_write_root_dirs(mysqld_safe_t)
+
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 logging_send_syslog_msg(mysqld_safe_t)
 
-miscfiles_read_localization(mysqld_safe_t)
+auth_use_nsswitch(mysqld_safe_t)
+
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
 
-userdom_search_user_home_dirs(mysqld_safe_t)
+mysql_manage_db_files(mysqld_safe_t)
+mysql_read_config(mysqld_safe_t)
+mysql_search_pid_files(mysqld_safe_t)
+mysql_signull(mysqld_safe_t)
+mysql_write_log(mysqld_safe_t)
 
 optional_policy(`
 	hostname_exec(mysqld_safe_t)
@@ -209,20 +236,21 @@ optional_policy(`
 
 ########################################
 #
-# Manager local policy
+# MySQL Manager Policy
 #
 
-allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:capability { dac_read_search dac_override kill };
 allow mysqlmanagerd_t self:process signal;
 allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
 allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
 allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
 
-allow mysqlmanagerd_t mysqld_t:process signal;
-
-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+mysql_read_config(initrc_t)
+mysql_read_config(mysqlmanagerd_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
 
 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
 
@@ -230,31 +258,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
 
-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
-
 kernel_read_system_state(mysqlmanagerd_t)
 
 corecmd_exec_shell(mysqlmanagerd_t)
 
-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
 corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
 corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
 corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
 corenet_tcp_bind_generic_node(mysqlmanagerd_t)
-
-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
 corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
 corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
 
 dev_read_urand(mysqlmanagerd_t)
 
-files_read_etc_files(mysqlmanagerd_t)
-files_read_usr_files(mysqlmanagerd_t)
-files_search_pids(mysqlmanagerd_t)
-files_search_var_lib(mysqlmanagerd_t)
-
-miscfiles_read_localization(mysqlmanagerd_t)
-
-userdom_search_user_home_dirs(mysqlmanagerd_t)
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/mythtv.fc b/mythtv.fc
new file mode 100644
index 0000000000..d62cf886e6
--- /dev/null
+++ b/mythtv.fc
@@ -0,0 +1,9 @@
+/usr/share/mythweb/mythweb\.pl	--	gen_context(system_u:object_r:mythtv_script_exec_t,s0)
+
+/var/lib/mythtv(/.*)?	gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+
+/var/log/mythtv(/.*)?	gen_context(system_u:object_r:mythtv_var_log_t,s0)
+
+/usr/share/mythtv(/.*)?		gen_context(system_u:object_r:mythtv_content_t,s0)
+/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:mythtv_content_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:mythtv_script_exec_t,s0)
diff --git a/mythtv.if b/mythtv.if
new file mode 100644
index 0000000000..e2403dd506
--- /dev/null
+++ b/mythtv.if
@@ -0,0 +1,152 @@
+
+## <summary>policy for mythtv_script</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the mythtv_script domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mythtv_script_domtrans',`
+	gen_require(`
+		type mythtv_script_t, mythtv_script_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
+')
+
+#######################################
+## <summary>
+##	read mythtv libs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_read_lib',`
+	gen_require(`
+		type mythtv_var_lib_t;
+	')
+
+	read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+	files_list_var_lib($1)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	mythtv lib content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_manage_lib',`
+	gen_require(`
+		type mythtv_var_lib_t;
+	')
+
+	manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+	manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+	files_list_var_lib($1)
+')
+
+#######################################
+## <summary>
+##	read mythtv logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_read_log',`
+	gen_require(`
+		type mythtv_var_log_t;
+	')
+
+	read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+	logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##	Append mythtv log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_append_log',`
+	gen_require(`
+		type mythtv_var_log_t;
+	')
+
+	append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+	logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	mythtv log content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_manage_log',`
+	gen_require(`
+		type mythtv_var_log_t;
+	')
+
+	manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+	manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an mythtv environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mythtv_admin',`
+	gen_require(`
+		type mythtv_script_t, mythtv_var_lib_t;
+		type mythtv_var_log_t;
+	')
+
+	allow $1 mythtv_script_t:process signal_perms;
+	ps_process_pattern($1, mythtv_script_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 mythtv_script_t:process ptrace;
+	')
+
+	logging_list_logs($1)
+	admin_pattern($1, mythtv_var_log_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, mythtv_var_lib_t)
+')
diff --git a/mythtv.te b/mythtv.te
new file mode 100644
index 0000000000..0e585e3c51
--- /dev/null
+++ b/mythtv.te
@@ -0,0 +1,47 @@
+policy_module(mythtv, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mythtv)
+apache_content_alias_template(mythtv, mythtv)
+
+type mythtv_var_lib_t;
+files_type(mythtv_var_lib_t)
+
+type mythtv_var_log_t;
+logging_log_file(mythtv_var_log_t)
+
+########################################
+#
+# mythtv_script local policy
+#
+#============= httpd_mythtv_script_t ==============
+allow httpd_mythtv_script_t self:process setpgid;
+dev_list_sysfs(httpd_mythtv_script_t)
+
+manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file })
+
+manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file )
+
+domain_use_interactive_fds(mythtv_script_t)
+
+files_read_etc_files(mythtv_script_t)
+
+fs_read_nfs_files(mythtv_script_t)
+
+auth_read_passwd(httpd_mythtv_script_t)
+
+miscfiles_read_localization(httpd_mythtv_script_t)
+
+optional_policy(`
+	mysql_read_config(mythtv_script_t)
+	mysql_stream_connect(mythtv_script_t)
+	mysql_tcp_connect(mythtv_script_t)
+')
diff --git a/naemon.fc b/naemon.fc
new file mode 100644
index 0000000000..85407d3376
--- /dev/null
+++ b/naemon.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/naemon	--	gen_context(system_u:object_r:naemon_initrc_exec_t,s0)
+
+/usr/bin/naemon		--	gen_context(system_u:object_r:naemon_exec_t,s0)
+
+/var/cache/naemon(/.*)?		gen_context(system_u:object_r:naemon_cache_t,s0)
+
+/var/lib/naemon(/.*)?		gen_context(system_u:object_r:naemon_var_lib_t,s0)
+
+/var/log/naemon(/.*)?		gen_context(system_u:object_r:naemon_log_t,s0)
+
+/var/run/naemon(/.*)?		gen_context(system_u:object_r:naemon_var_run_t,s0)
diff --git a/naemon.if b/naemon.if
new file mode 100644
index 0000000000..e904df0273
--- /dev/null
+++ b/naemon.if
@@ -0,0 +1,305 @@
+
+## <summary>New monitoring suite that aims to be faster and more stable, while giving you a clearer view of the state of your network.</summary>
+
+########################################
+## <summary>
+##	Execute naemon in the naemon domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`naemon_domtrans',`
+	gen_require(`
+		type naemon_t, naemon_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, naemon_exec_t, naemon_t)
+')
+
+########################################
+## <summary>
+##	Execute naemon server in the naemon domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_initrc_domtrans',`
+	gen_require(`
+		type naemon_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, naemon_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Search naemon cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_search_cache',`
+	gen_require(`
+		type naemon_cache_t;
+	')
+
+	allow $1 naemon_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read naemon cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_read_cache_files',`
+	gen_require(`
+		type naemon_cache_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	naemon cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_manage_cache_files',`
+	gen_require(`
+		type naemon_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage naemon cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_manage_cache_dirs',`
+	gen_require(`
+		type naemon_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, naemon_cache_t, naemon_cache_t)
+')
+
+########################################
+## <summary>
+##	Read naemon's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`naemon_read_log',`
+	gen_require(`
+		type naemon_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+## <summary>
+##	Append to naemon log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_append_log',`
+	gen_require(`
+		type naemon_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+## <summary>
+##	Manage naemon log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_manage_log',`
+	gen_require(`
+		type naemon_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, naemon_log_t, naemon_log_t)
+	manage_files_pattern($1, naemon_log_t, naemon_log_t)
+	manage_lnk_files_pattern($1, naemon_log_t, naemon_log_t)
+')
+
+########################################
+## <summary>
+##	Search naemon lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_search_lib',`
+	gen_require(`
+		type naemon_var_lib_t;
+	')
+
+	allow $1 naemon_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read naemon lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_read_lib_files',`
+	gen_require(`
+		type naemon_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage naemon lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_manage_lib_files',`
+	gen_require(`
+		type naemon_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage naemon lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`naemon_manage_lib_dirs',`
+	gen_require(`
+		type naemon_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an naemon environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`naemon_admin',`
+	gen_require(`
+		type naemon_t;
+		type naemon_initrc_exec_t;
+		type naemon_cache_t;
+		type naemon_log_t;
+		type naemon_var_lib_t;
+	')
+
+	allow $1 naemon_t:process { signal_perms };
+	ps_process_pattern($1, naemon_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 naemon_t:process ptrace;
+    ')
+
+	naemon_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 naemon_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_var($1)
+	admin_pattern($1, naemon_cache_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, naemon_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, naemon_var_lib_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/naemon.te b/naemon.te
new file mode 100644
index 0000000000..79f1250ebc
--- /dev/null
+++ b/naemon.te
@@ -0,0 +1,59 @@
+policy_module(naemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type naemon_t;
+type naemon_exec_t;
+init_daemon_domain(naemon_t, naemon_exec_t)
+
+type naemon_initrc_exec_t;
+init_script_file(naemon_initrc_exec_t)
+
+type naemon_cache_t;
+files_type(naemon_cache_t)
+
+type naemon_log_t;
+logging_log_file(naemon_log_t)
+
+type naemon_var_lib_t;
+files_type(naemon_var_lib_t)
+
+type naemon_var_run_t;
+files_pid_file(naemon_var_run_t)
+
+########################################
+#
+# naemon local policy
+#
+allow naemon_t self:process { fork setpgid setrlimit signal_perms };
+allow naemon_t self:fifo_file rw_fifo_file_perms;
+allow naemon_t self:unix_stream_socket create_stream_socket_perms;
+allow naemon_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+manage_files_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+manage_sock_files_pattern(naemon_t, naemon_cache_t, naemon_cache_t)
+files_var_filetrans(naemon_t, naemon_cache_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_log_t, naemon_log_t)
+manage_files_pattern(naemon_t, naemon_log_t, naemon_log_t)
+logging_log_filetrans(naemon_t, naemon_log_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_sock_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+manage_fifo_files_pattern(naemon_t, naemon_var_lib_t, naemon_var_lib_t)
+files_var_lib_filetrans(naemon_t, naemon_var_lib_t, { dir })
+
+manage_dirs_pattern(naemon_t, naemon_var_run_t, naemon_var_run_t)
+manage_files_pattern(naemon_t, naemon_var_run_t, naemon_var_run_t)
+files_pid_filetrans(naemon_t, naemon_var_run_t, { dir })
+
+kernel_read_system_state(naemon_t)
+
+auth_read_passwd(naemon_t)
+
+fs_getattr_xattr_fs(naemon_t)
diff --git a/nagios.fc b/nagios.fc
index d78dfc38d7..c781b72bba 100644
--- a/nagios.fc
+++ b/nagios.fc
@@ -1,88 +1,113 @@
-/etc/nagios(/.*)?	gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg	--	gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios(/.*)?					gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/icinga(/.*)?					gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg				--	gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/pnp4nagios(/.*)?                   gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/rc\.d/init\.d/nagios			--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe				--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 
-/etc/rc\.d/init\.d/nagios	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nrpe	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 
-/usr/bin/nagios	--	gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe	--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/icinga		        --	gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
 
-/usr/sbin/nagios	--	gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/sbin/nrpe	--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/sbin/icinga		        --	gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/sbin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
 
-/usr/lib/cgi-bin/nagios(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/icinga/cgi(/.*)?				gen_context(system_u:object_r:nagios_script_exec_t,s0)
 
-/usr/lib/nagios/cgi(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/icinga(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/pnp4nagios(/.*)?                   gen_context(system_u:object_r:nagios_log_t,s0)
 
-/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+/var/lib/pnp4nagios(/.*)?               gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+/var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
+/var/spool/icinga(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
 
+ifdef(`distro_debian',`
+/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
+')
+/usr/lib/cgi-bin/nagios(/.+)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi-bin(/.*)?			gen_context(system_u:object_r:nagios_script_exec_t,s0)
+
+# admin plugins
 /usr/lib/nagios/plugins/check_file_age	--	gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
 
-/usr/lib/nagios/plugins/check_disk	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+# check disk plugins
+/usr/lib/nagios/plugins/check_disk		--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 /usr/lib/nagios/plugins/check_disk_smb	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 /usr/lib/nagios/plugins/check_ide_smart	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 /usr/lib/nagios/plugins/check_linux_raid	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 
-/usr/lib/nagios/plugins/check_mailq		--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_flexlm	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ifoperstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ifstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_load	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_log	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mrtg	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mrtgtraf	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nagios	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nwstat	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_overcr	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_procs	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_swap	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_wave	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_cluster	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dhcp	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dig	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_dns	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_game	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_fping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_hpjd	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_http	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_icmp	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ircd	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ldap	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mysql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_mysql_query	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nrpe	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_nt	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ntp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_oracle	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_pgsql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_radius	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_real	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_rpc	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_tcp	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_time	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_sip	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_smtp	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_snmp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ssh	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib/nagios/plugins/check_ups	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-
-/usr/lib/nagios/plugins/check_by_ssh	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-
-/usr/lib/pnp4nagios(/.*)?	gen_context(system_u:object_r:nagios_var_lib_t,s0)
-
-/var/log/nagios(/.*)?	gen_context(system_u:object_r:nagios_log_t,s0)
-/var/log/netsaint(/.*)?	gen_context(system_u:object_r:nagios_log_t,s0)
-
-/var/run/nagios.*	--	gen_context(system_u:object_r:nagios_var_run_t,s0)
-/var/run/nrpe.*	--	gen_context(system_u:object_r:nrpe_var_run_t,s0)
-
-/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
+# mail plugins
+/usr/lib/nagios/plugins/check_mailq	--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
+
+# system plugins
+/usr/lib(64)?/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_log		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nagios	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_procs	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+# services plugins
+/usr/lib(64)?/nagios/plugins/check_cluster	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dhcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dns		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_http		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query 	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ntp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ping		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_real		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_rpc		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_tcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_time		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+# openshift plugins
+/usr/lib64/nagios/plugins/check_node_accept_status      --      gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
+/usr/lib64/nagios/plugins/check_number_openshift_apps        --      gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
+
+# label all nagios plugin as unconfined by default
+/usr/lib/nagios/plugins/.*	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
+# eventhandlers
+/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+/usr/lib/icinga/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+
diff --git a/nagios.if b/nagios.if
index 0641e970ff..d012e9b045 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
-## <summary>Network monitoring server.</summary>
+## <summary>Net Saint / NAGIOS - network monitoring server</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a nagios plugin domain.
+##	Create a set of derived types for various
+##	nagios plugins,
 ## </summary>
-## <param name="domain_prefix">
+## <param name="plugins_group_name">
 ##	<summary>
-##	Domain prefix to be used.
+##	The name to be used for deriving type names.
 ##	</summary>
 ## </param>
 #
@@ -16,38 +17,51 @@ template(`nagios_plugin_template',`
 		type nagios_t, nrpe_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
 	type nagios_$1_plugin_t, nagios_plugin_domain;
 	type nagios_$1_plugin_exec_t;
 	application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
 	role system_r types nagios_$1_plugin_t;
 
-	########################################
-	#
-	# Policy
-	#
-
 	domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
 	allow nagios_t nagios_$1_plugin_exec_t:file ioctl; 
 
+	# needed by command.cfg
 	domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+
+	kernel_read_system_state(nagios_$1_plugin_t)
+
+')
+
+########################################
+## <summary>
+## Execute the nagios unconfined plugins with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_domtrans_unconfined_plugins',`
+   gen_require(`
+        type nagios_unconfined_plugin_t;
+        type nagios_unconfined_plugin_exec_t;
+   ')
+
+    domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read or
-##	write nagios unnamed pipes.
+##	Do not audit attempts to read or write nagios
+##	unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`nagios_dontaudit_rw_pipes',`
 	gen_require(`
@@ -59,7 +73,8 @@ interface(`nagios_dontaudit_rw_pipes',`
 
 ########################################
 ## <summary>
-##	Read nagios configuration content.
+##	Allow the specified domain to read
+##	nagios configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -73,15 +88,33 @@ interface(`nagios_read_config',`
 		type nagios_etc_t;
 	')
 
-	files_search_etc($1)
 	allow $1 nagios_etc_t:dir list_dir_perms;
 	allow $1 nagios_etc_t:file read_file_perms;
-	allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
+	files_search_etc($1)
+')
+######################################
+## <summary>
+##	Read nagios lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_read_lib',`
+	gen_require(`
+		type nagios_var_lib_t;
+	')
+
+	files_search_var($1)
+    list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
+	read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
 ')
 
 ######################################
 ## <summary>
-##	Read nagios log files.
+##	Read nagios logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -100,8 +133,7 @@ interface(`nagios_read_log',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read or
-##	write nagios log files.
+##	Do not audit attempts to read or write nagios logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -132,13 +164,33 @@ interface(`nagios_search_spool',`
 		type nagios_spool_t;
 	')
 
-	files_search_spool($1)
 	allow $1 nagios_spool_t:dir search_dir_perms;
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
+##	Append nagios spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_append_spool',`
+	gen_require(`
+		type nagios_spool_t;
+	')
+
+	allow $1 nagios_spool_t:file append_file_perms;
+	files_search_spool($1)
 ')
 
 ########################################
 ## <summary>
-##	Read nagios temporary files.
+##	Allow the specified domain to read
+##	nagios temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -151,13 +203,34 @@ interface(`nagios_read_tmp_files',`
 		type nagios_tmp_t;
 	')
 
-	files_search_tmp($1)
 	allow $1 nagios_tmp_t:file read_file_perms;
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	nagios temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_rw_inerited_tmp_files',`
+	gen_require(`
+		type nagios_tmp_t;
+	')
+
+	allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Execute nrpe with a domain transition.
+##	Execute the nagios NRPE with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',`
 		type nrpe_t, nrpe_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
 ')
 
+######################################
+## <summary>
+## Do not audit attempts to write nrpe daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_dontaudit_write_pipes_nrpe',`
+ gen_require(`
+                type nrpe_t;
+        ')
+
+        dontaudit $1 nrpe_t:fifo_file write;
+')
+
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an nagios environment.
+##	All of the rules required to administrate
+##	an nagios environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -186,44 +276,61 @@ interface(`nagios_domtrans_nrpe',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the nagios domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`nagios_admin',`
 	gen_require(`
-		attribute nagios_plugin_domain;
 		type nagios_t, nrpe_t, nagios_initrc_exec_t;
-		type nagios_tmp_t, nagios_log_t, nagios_var_lib_t;
-		type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t;
-		type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t;
-		type nagios_eventhandler_plugin_tmp_t;
+		type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
+		type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
 	')
 
-	allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
-	ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
+	allow $1 nagios_t:process signal_perms;
+	ps_process_pattern($1, nagios_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 nagios_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 nagios_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_tmp($1)
-	admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
+	files_list_tmp($1)
+	admin_pattern($1, nagios_tmp_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, nagios_log_t)
 
-	files_search_etc($1)
-	admin_pattern($1, { nrpe_etc_t nagios_etc_t })
+	files_list_etc($1)
+	admin_pattern($1, nagios_etc_t)
 
-	files_search_spool($1)
+	files_list_spool($1)
 	admin_pattern($1, nagios_spool_t)
 
-	files_search_pids($1)
-	admin_pattern($1, { nrpe_var_run_t nagios_var_run_t })
+	files_list_pids($1)
+	admin_pattern($1, nagios_var_run_t)
+
+	admin_pattern($1, nrpe_etc_t)
+')
+
+########################################
+## <summary>
+##      Send a null signal to nagios_unconfined_plugin.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`nagios_unconfined_signull',`
+	gen_require(`
+		type nagios_unconfined_plugin_t;
+	')
 
-	files_search_var_lib($1)
-	admin_pattern($1, nagios_var_lib_t)
+	allow $1 nagios_unconfined_plugin_t:process signull;
 ')
diff --git a/nagios.te b/nagios.te
index 7b3e682e6f..ad6f9cb62b 100644
--- a/nagios.te
+++ b/nagios.te
@@ -5,6 +5,33 @@ policy_module(nagios, 1.13.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow nagios/nrpe to call sudo from NRPE utils scripts.
+## </p>
+## </desc>
+gen_tunable(nagios_run_sudo, false)
+
+## <desc>
+## <p>
+## Allow nagios run in conjunction with PNP4Nagios.
+## </p>
+## </desc>
+gen_tunable(nagios_run_pnp4nagios, false)
+
+## <desc>
+##	<p>
+##	Determine whether Nagios, NRPE can
+##	access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(nagios_use_nfs, false)
+
+gen_require(`
+    class passwd rootok;
+    class passwd passwd;
+')
+
 attribute nagios_plugin_domain;
 
 type nagios_t;
@@ -27,7 +54,7 @@ type nagios_var_run_t;
 files_pid_file(nagios_var_run_t)
 
 type nagios_spool_t;
-files_type(nagios_spool_t)
+files_spool_file(nagios_spool_t)
 
 type nagios_var_lib_t;
 files_type(nagios_var_lib_t)
@@ -39,6 +66,7 @@ nagios_plugin_template(services)
 nagios_plugin_template(system)
 nagios_plugin_template(unconfined)
 nagios_plugin_template(eventhandler)
+nagios_plugin_template(openshift)
 
 type nagios_eventhandler_plugin_tmp_t;
 files_tmp_file(nagios_eventhandler_plugin_tmp_t)
@@ -46,6 +74,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
 type nagios_system_plugin_tmp_t;
 files_tmp_file(nagios_system_plugin_tmp_t)
 
+type nagios_openshift_plugin_tmp_t;
+files_tmp_file(nagios_openshift_plugin_tmp_t)
+
 type nrpe_t;
 type nrpe_exec_t;
 init_daemon_domain(nrpe_t, nrpe_exec_t)
@@ -63,44 +94,52 @@ files_pid_file(nrpe_var_run_t)
 
 allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
 
+allow nrpe_t nagios_plugin_domain:process { signal sigkill };
+   
+allow nagios_t nagios_plugin_domain:process signal_perms;
+allow nagios_plugin_domain nagios_t:process signal_perms;
+
+# cjp: leaked file descriptor
 dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
 dontaudit nagios_plugin_domain nagios_log_t:file { read write };
 
-kernel_read_system_state(nagios_plugin_domain)
+corecmd_exec_bin(nagios_plugin_domain)
 
 dev_read_urand(nagios_plugin_domain)
 dev_read_rand(nagios_plugin_domain)
+dev_read_sysfs(nagios_plugin_domain)
 
-files_read_usr_files(nagios_plugin_domain)
-
-miscfiles_read_localization(nagios_plugin_domain)
-
-userdom_use_user_terminals(nagios_plugin_domain)
+userdom_use_inherited_user_ptys(nagios_plugin_domain)
+userdom_use_inherited_user_ttys(nagios_plugin_domain)
 
 ########################################
 #
 # Nagios local policy
 #
 
-allow nagios_t self:capability { dac_override setgid setuid };
+allow nagios_t self:capability { chown dac_read_search dac_override setgid setuid };
 dontaudit nagios_t self:capability sys_tty_config;
 allow nagios_t self:process { setpgid signal_perms };
 allow nagios_t self:fifo_file rw_fifo_file_perms;
 allow nagios_t self:tcp_socket { accept listen };
+allow nagios_t self:unix_stream_socket { connectto };
 
 allow nagios_t nagios_plugin_domain:process signal_perms;
 
 allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
 
 allow nagios_t nagios_etc_t:dir list_dir_perms;
-allow nagios_t nagios_etc_t:file read_file_perms;
+allow nagios_t nagios_etc_t:file { read_file_perms map };
 allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
 
-allow nagios_t nagios_log_t:dir setattr_dir_perms;
-append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
-logging_log_filetrans(nagios_t, nagios_log_t, file)
+#allow nagios_t nagios_log_t:dir setattr_dir_perms;
+#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
+manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t)
+logging_log_filetrans(nagios_t, nagios_log_t, { dir file })
+allow nagios_t nagios_log_t:file map;
 
 manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
 manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
@@ -110,11 +149,15 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
 files_pid_filetrans(nagios_t, nagios_var_run_t, file)
 
 manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file })
+allow nagios_t nagios_spool_t:file map;
 
 manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
 manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file })
+manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
 
 kernel_read_system_state(nagios_t)
 kernel_read_kernel_sysctls(nagios_t)
@@ -123,7 +166,6 @@ kernel_read_software_raid_state(nagios_t)
 corecmd_exec_bin(nagios_t)
 corecmd_exec_shell(nagios_t)
 
-corenet_all_recvfrom_unlabeled(nagios_t)
 corenet_all_recvfrom_netlabel(nagios_t)
 corenet_tcp_sendrecv_generic_if(nagios_t)
 corenet_tcp_sendrecv_generic_node(nagios_t)
@@ -143,18 +185,16 @@ domain_read_all_domains_state(nagios_t)
 
 files_read_etc_runtime_files(nagios_t)
 files_read_kernel_symbol_table(nagios_t)
-files_read_usr_files(nagios_t)
 files_search_spool(nagios_t)
 
 fs_getattr_all_fs(nagios_t)
 fs_search_auto_mountpoints(nagios_t)
+fs_search_cgroup_dirs(nagios_t)
 
 auth_use_nsswitch(nagios_t)
 
 logging_send_syslog_msg(nagios_t)
 
-miscfiles_read_localization(nagios_t)
-
 userdom_dontaudit_use_unpriv_user_fds(nagios_t)
 userdom_dontaudit_search_user_home_dirs(nagios_t)
 
@@ -162,6 +202,60 @@ mta_send_mail(nagios_t)
 mta_signal_system_mail(nagios_t)
 mta_kill_system_mail(nagios_t)
 
+systemd_exec_systemctl(nagios_t)
+
+tunable_policy(`nagios_run_sudo',`
+    allow nagios_t self:capability { chown setuid setgid sys_resource sys_ptrace };
+    allow nagios_t self:process { setrlimit setsched };
+
+    allow nagios_t self:key write;
+
+    allow nagios_t self:passwd { passwd rootok };
+
+    auth_rw_lastlog(nagios_t)
+    auth_rw_faillog(nagios_t)
+
+    auth_domtrans_chkpwd(nagios_t)
+
+    selinux_compute_access_vector(nagios_t)
+
+    systemd_write_inherited_logind_sessions_pipes(nagios_t)
+    systemd_dbus_chat_logind(nagios_t)
+
+    logging_send_audit_msgs(nagios_t)
+')
+
+optional_policy(`
+    apache_systemctl(nagios_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(nagios_t)
+')
+
+optional_policy(`
+    tunable_policy(`nagios_run_sudo',`
+        sudo_exec(nagios_t)
+        sudo_manage_db(nagios_t)
+    ')
+')
+
+optional_policy(`
+    tunable_policy(`nagios_run_sudo',`
+	    init_read_utmp(nagios_t)
+    ')
+')
+
+tunable_policy(`nagios_run_pnp4nagios',`
+    allow nagios_t nagios_log_t:file execute;
+')
+
+tunable_policy(`nagios_use_nfs',`
+	fs_manage_nfs_files(nagios_t)
+    fs_manage_nfs_dirs(nagios_t)
+    fs_manage_nfs_symlinks(nagios_t)
+')
+
 optional_policy(`
 	netutils_kill_ping(nagios_t)
 ')
@@ -178,35 +272,40 @@ optional_policy(`
 #
 # CGI local policy
 #
+
 optional_policy(`
 	apache_content_template(nagios)
-	typealias httpd_nagios_script_t alias nagios_cgi_t;
-	typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
+	apache_content_alias_template(nagios, nagios)
+	typealias nagios_script_t alias nagios_cgi_t;
+	typealias nagios_script_exec_t alias nagios_cgi_exec_t;
 
-	allow httpd_nagios_script_t self:process signal_perms;
+	allow nagios_script_t self:process signal_perms;
 
-	read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-	read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+	read_files_pattern(nagios_script_t, nagios_t, nagios_t)
+	read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t)
 
-	allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
-	allow httpd_nagios_script_t nagios_etc_t:file read_file_perms;
-	allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
+	allow nagios_script_t nagios_etc_t:dir list_dir_perms;
+	allow nagios_script_t nagios_etc_t:file { map read_file_perms };
+	allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms;
 
-	files_search_spool(httpd_nagios_script_t)
-	rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
+	files_search_spool(nagios_script_t)
+	rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
+	read_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t)
+    allow nagios_script_t nagios_spool_t:file map;
 
-	allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
-	read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
-	read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+	allow nagios_script_t nagios_log_t:dir list_dir_perms;
+	read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
+	read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t)
+    allow nagios_script_t nagios_log_t:file map;
 
-	kernel_read_system_state(httpd_nagios_script_t)
+	kernel_read_system_state(nagios_script_t)
 
-	domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+	domain_dontaudit_read_all_domains_state(nagios_script_t)
 
-	files_read_etc_runtime_files(httpd_nagios_script_t)
-	files_read_kernel_symbol_table(httpd_nagios_script_t)
+	files_read_etc_runtime_files(nagios_script_t)
+	files_read_kernel_symbol_table(nagios_script_t)
 
-	logging_send_syslog_msg(httpd_nagios_script_t)
+	logging_send_syslog_msg(nagios_script_t)
 ')
 
 ########################################
@@ -214,7 +313,7 @@ optional_policy(`
 # Nrpe local policy
 #
 
-allow nrpe_t self:capability { setuid setgid };
+allow nrpe_t self:capability { setuid setgid kill };
 dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
@@ -229,9 +328,11 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
 
 domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
 
+kernel_read_system_state(nrpe_t)
 kernel_read_kernel_sysctls(nrpe_t)
 kernel_read_software_raid_state(nrpe_t)
-kernel_read_system_state(nrpe_t)
+
+can_exec(nagios_t, nagios_exec_t)
 
 corecmd_exec_bin(nrpe_t)
 corecmd_exec_shell(nrpe_t)
@@ -252,8 +353,8 @@ dev_read_urand(nrpe_t)
 domain_use_interactive_fds(nrpe_t)
 domain_read_all_domains_state(nrpe_t)
 
+files_list_var(nrpe_t)
 files_read_etc_runtime_files(nrpe_t)
-files_read_usr_files(nrpe_t)
 
 fs_getattr_all_fs(nrpe_t)
 fs_search_auto_mountpoints(nrpe_t)
@@ -262,10 +363,56 @@ auth_use_nsswitch(nrpe_t)
 
 logging_send_syslog_msg(nrpe_t)
 
-miscfiles_read_localization(nrpe_t)
-
 userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
 
+tunable_policy(`nagios_run_sudo',`
+    allow nrpe_t self:capability { setuid setgid sys_resource sys_ptrace };
+    allow nrpe_t self:process { setrlimit setsched };
+
+    allow nrpe_t self:key write;
+
+    allow nrpe_t self:passwd { passwd rootok };
+
+    auth_rw_lastlog(nrpe_t)
+    auth_rw_faillog(nrpe_t)
+
+    auth_domtrans_chkpwd(nrpe_t)
+
+    selinux_compute_access_vector(nrpe_t)
+
+    systemd_write_inherited_logind_sessions_pipes(nrpe_t)
+    systemd_dbus_chat_logind(nrpe_t)
+    systemd_logind_read_state(nrpe_t)
+
+    logging_send_audit_msgs(nrpe_t)
+')
+
+optional_policy(`
+    tunable_policy(`nagios_run_sudo',`
+        sudo_exec(nrpe_t)
+        sudo_manage_db(nrpe_t)
+    ')
+')
+
+optional_policy(`
+    tunable_policy(`nagios_run_sudo',`
+        sssd_read_config(nrpe_t)
+        sssd_manage_lib_files(nrpe_t)
+        sssd_read_pid_files(nrpe_t)
+        sssd_signull(nrpe_t)
+    ')
+')
+
+tunable_policy(`nagios_use_nfs',`
+	fs_manage_nfs_files(nrpe_t)
+    fs_manage_nfs_dirs(nrpe_t)
+    fs_manage_nfs_symlinks(nrpe_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(nrpe_t)
+')
+
 optional_policy(`
 	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
@@ -309,16 +456,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
 # Mail local policy
 #
 
-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
-allow nagios_mail_plugin_t self:tcp_socket { accept listen };
+allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search dac_override };
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
 
 kernel_read_kernel_sysctls(nagios_mail_plugin_t)
 
 corecmd_read_bin_files(nagios_mail_plugin_t)
 corecmd_read_bin_symlinks(nagios_mail_plugin_t)
 
-files_read_etc_files(nagios_mail_plugin_t)
-
 logging_send_syslog_msg(nagios_mail_plugin_t)
 
 sysnet_dns_name_resolve(nagios_mail_plugin_t)
@@ -345,9 +492,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
 
 kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
 
+corecmd_exec_bin(nagios_checkdisk_plugin_t)
+
+files_getattr_all_dirs(nagios_checkdisk_plugin_t)
 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
 files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
 
+fs_read_configfs_files(nagios_checkdisk_plugin_t)
+fs_read_configfs_dirs(nagios_checkdisk_plugin_t)
 fs_getattr_all_fs(nagios_checkdisk_plugin_t)
 
 storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
@@ -357,9 +509,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
 # Services local policy
 #
 
-allow nagios_services_plugin_t self:capability net_raw;
+allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
 allow nagios_services_plugin_t self:process { signal sigkill };
-allow nagios_services_plugin_t self:tcp_socket { accept listen };
+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
 
 corecmd_exec_bin(nagios_services_plugin_t)
 
@@ -391,6 +545,11 @@ optional_policy(`
 
 optional_policy(`
 	mysql_stream_connect(nagios_services_plugin_t)
+    mysql_read_config(nagios_services_plugin_t)
+')
+
+optional_policy(`
+    postgresql_stream_connect(nagios_services_plugin_t)
 ')
 
 optional_policy(`
@@ -402,32 +561,40 @@ optional_policy(`
 # System local policy
 #
 
-allow nagios_system_plugin_t self:capability dac_override;
+allow nagios_system_plugin_t self:capability { dac_read_search dac_override };
 dontaudit nagios_system_plugin_t self:capability { setuid setgid };
 
 read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
+allow nagios_system_plugin_t nrpe_exec_t:file read_file_perms;
+allow nagios_system_plugin_t nagios_exec_t:file read_file_perms;
 
 manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
 manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
 files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
 
+kernel_read_system_state(nagios_system_plugin_t)
 kernel_read_kernel_sysctls(nagios_system_plugin_t)
 
 corecmd_exec_bin(nagios_system_plugin_t)
 corecmd_exec_shell(nagios_system_plugin_t)
+corecmd_getattr_all_executables(nagios_system_plugin_t)
 
 dev_read_sysfs(nagios_system_plugin_t)
 
 domain_read_all_domains_state(nagios_system_plugin_t)
 
-files_read_etc_files(nagios_system_plugin_t)
-
 fs_getattr_all_fs(nagios_system_plugin_t)
 
+auth_read_passwd(nagios_system_plugin_t)
+
 optional_policy(`
 	init_read_utmp(nagios_system_plugin_t)
 ')
 
+optional_policy(`
+    mrtg_read_lib_files(nagios_system_plugin_t)
+')
+
 #######################################
 #
 # Event local policy
@@ -442,11 +609,45 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
 
 init_domtrans_script(nagios_eventhandler_plugin_t)
 
+systemd_exec_systemctl(nagios_eventhandler_plugin_t)
+
+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
+
+optional_policy(`
+    unconfined_domain(nagios_eventhandler_plugin_t)
+')
+
 ########################################
 #
-# Unconfined plugin policy
+# nagios openshift plugin policy
+#
+
+allow nagios_openshift_plugin_t self:capability sys_ptrace;
+
+manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
+manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
+files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir })
+
+corecmd_exec_bin(nagios_openshift_plugin_t)
+corecmd_exec_shell(nagios_openshift_plugin_t)
+
+domain_read_all_domains_state(nagios_openshift_plugin_t)
+
+fs_getattr_all_fs(nagios_openshift_plugin_t)
+
+optional_policy(`
+        apache_read_config(nagios_openshift_plugin_t)
+')
+
+######################################
+#
+# nagios plugin domain policy
 #
 
 optional_policy(`
 	unconfined_domain(nagios_unconfined_plugin_t)
 ')
+
+optional_policy(`
+    systemd_dbus_chat_logind(nagios_unconfined_plugin_t)
+')
diff --git a/namespace.fc b/namespace.fc
new file mode 100644
index 0000000000..ce51c8d4f1
--- /dev/null
+++ b/namespace.fc
@@ -0,0 +1,3 @@
+
+/etc/security/namespace.init		--	gen_context(system_u:object_r:namespace_init_exec_t,s0)
+
diff --git a/namespace.if b/namespace.if
new file mode 100644
index 0000000000..8d7c751573
--- /dev/null
+++ b/namespace.if
@@ -0,0 +1,48 @@
+
+## <summary>policy for namespace</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run namespace_init.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`namespace_init_domtrans',`
+	gen_require(`
+		type namespace_init_t, namespace_init_exec_t;
+	')
+
+	domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
+')
+
+
+########################################
+## <summary>
+##	Execute namespace_init in the namespace_init domain, and
+##	allow the specified role the namespace_init domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the namespace_init domain.
+##	</summary>
+## </param>
+#
+interface(`namespace_init_run',`
+	gen_require(`
+		type namespace_init_t;
+	')
+
+	namespace_init_domtrans($1)
+	role $2 types namespace_init_t;
+
+	seutil_run_setfiles(namespace_init_t, $2)
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
index 0000000000..814e62e4fd
--- /dev/null
+++ b/namespace.te
@@ -0,0 +1,41 @@
+policy_module(namespace,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type namespace_init_t;
+type namespace_init_exec_t;
+init_system_domain(namespace_init_t, namespace_init_exec_t)
+role system_r types namespace_init_t;
+
+########################################
+#
+# namespace_init local policy
+#
+
+allow namespace_init_t self:capability { dac_read_search  dac_override};
+
+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(namespace_init_t)
+
+corecmd_exec_shell(namespace_init_t)
+
+domain_use_interactive_fds(namespace_init_t)
+domain_obj_id_change_exemption(namespace_init_t)
+
+files_polyinstantiate_all(namespace_init_t)
+
+fs_getattr_xattr_fs(namespace_init_t)
+
+auth_use_nsswitch(namespace_init_t)
+
+term_use_console(namespace_init_t)
+
+userdom_manage_user_home_content(namespace_init_t)
+userdom_relabelto_user_home_dirs(namespace_init_t)
+userdom_relabelto_user_home_files(namespace_init_t)
+userdom_filetrans_home_content(namespace_init_t)
diff --git a/ncftool.if b/ncftool.if
index db9578f4e0..4309e3da55 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',`
 #
 interface(`ncftool_run',`
 	gen_require(`
+		type ncftool_t;
 		attribute_role ncftool_roles;
 	')
 
 	ncftool_domtrans($1)
 	roleattribute $2 ncftool_roles;
 ')
+
diff --git a/ncftool.te b/ncftool.te
index 71f30ba606..d61686078d 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t;
 
 allow ncftool_t self:capability net_admin;
 allow ncftool_t self:process signal;
+
 allow ncftool_t self:fifo_file manage_fifo_file_perms;
 allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
 allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
 allow ncftool_t self:tcp_socket create_stream_socket_perms;
 
 kernel_read_kernel_sysctls(ncftool_t)
-kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_usermodehelper_state(ncftool_t)
 kernel_read_network_state(ncftool_t)
 kernel_read_system_state(ncftool_t)
 kernel_request_load_module(ncftool_t)
@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
 
 dev_read_sysfs(ncftool_t)
 
-files_read_etc_files(ncftool_t)
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
 files_read_etc_runtime_files(ncftool_t)
-files_read_usr_files(ncftool_t)
 
-miscfiles_read_localization(ncftool_t)
+term_use_all_inherited_terms(ncftool_t)
 
 sysnet_delete_dhcpc_pid(ncftool_t)
 sysnet_run_dhcpc(ncftool_t, ncftool_roles)
@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles)
 sysnet_etc_filetrans_config(ncftool_t)
 sysnet_manage_config(ncftool_t)
 sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
 sysnet_read_dhcpc_pid(ncftool_t)
 sysnet_signal_dhcpc(ncftool_t)
 
@@ -73,11 +76,14 @@ optional_policy(`
 
 optional_policy(`
 	iptables_initrc_domtrans(ncftool_t)
+	iptables_systemctl(ncftool_t)
 ')
 
 optional_policy(`
+	modutils_list_module_config(ncftool_t)
 	modutils_read_module_config(ncftool_t)
 	modutils_run_insmod(ncftool_t, ncftool_roles)
+
 ')
 
 optional_policy(`
diff --git a/nessus.te b/nessus.te
index fe1068ba59..98166ee0b0 100644
--- a/nessus.te
+++ b/nessus.te
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
 
 corecmd_exec_bin(nessusd_t)
 
-corenet_all_recvfrom_unlabeled(nessusd_t)
 corenet_all_recvfrom_netlabel(nessusd_t)
 corenet_tcp_sendrecv_generic_if(nessusd_t)
 corenet_udp_sendrecv_generic_if(nessusd_t)
@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t)
 domain_use_interactive_fds(nessusd_t)
 
 files_list_var_lib(nessusd_t)
-files_read_etc_files(nessusd_t)
 files_read_etc_runtime_files(nessusd_t)
 
 fs_getattr_all_fs(nessusd_t)
@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t)
 
 logging_send_syslog_msg(nessusd_t)
 
-miscfiles_read_localization(nessusd_t)
-
 sysnet_read_config(nessusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
index 94b9734074..448a7e8364 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -1,44 +1,46 @@
-/etc/rc\.d/init\.d/wicd	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /etc/NetworkManager(/.*)?	gen_context(system_u:object_r:NetworkManager_etc_t,s0)
 /etc/NetworkManager/NetworkManager\.conf	gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 /etc/NetworkManager/system-connections(/.*)?	gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
 /etc/NetworkManager/dispatcher\.d(/.*)?	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
-/etc/dhcp/manager-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/dhcp/wireless-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/dhcp/wired-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 
-/etc/wicd/manager-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/wicd/wireless-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
-/etc/wicd/wired-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 
-/usr/lib/NetworkManager/nm-dispatcher\.action	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/systemd/system/NetworkManager.* --	gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
 
-/sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-/sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/libexec/nm-dispatcher.* --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
 /usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/bin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 /usr/bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
 /usr/sbin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wicd	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
 /usr/sbin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/bin/teamd          --  gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wicd 			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+/var/lib/wicd(/.*)?			gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/lib/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
 
-/var/lib/wicd(/.*)?	gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/NetworkManager(/.*)?	gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+/var/log/wicd.*				--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 
-/var/log/wicd(/.*)?	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 
 /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/NetworkManager(/.*)?	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/nm-dhclient.*	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/nm-dns-dnsmasq\.conf	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)?	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-xl2tpd.conf.*       --  gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/teamd(/.*)?       gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wicd\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
index 86dc29dfa8..690cb88a84 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Read and write networkmanager udp sockets.
+##	Read and write NetworkManager UDP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -10,6 +10,7 @@
 ##	</summary>
 ## </param>
 #
+# cjp: added for named.
 interface(`networkmanager_rw_udp_sockets',`
 	gen_require(`
 		type NetworkManager_t;
@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',`
 
 ########################################
 ## <summary>
-##	Read and write networkmanager packet sockets.
+##	Read and write NetworkManager packet sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',`
 ##	</summary>
 ## </param>
 #
+# cjp: added for named.
 interface(`networkmanager_rw_packet_sockets',`
 	gen_require(`
 		type NetworkManager_t;
@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',`
 
 #######################################
 ## <summary>
-## Relabel networkmanager tun socket.
+## Allow caller to relabel tun_socket
 ## </summary>
 ## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`networkmanager_attach_tun_iface',`
@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',`
 
 ########################################
 ## <summary>
-##	Read and write networkmanager netlink
+##	Read and write NetworkManager netlink
 ##	routing sockets.
 ## </summary>
 ## <param name="domain">
@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',`
 ##	</summary>
 ## </param>
 #
+# cjp: added for named.
 interface(`networkmanager_rw_routing_sockets',`
 	gen_require(`
 		type NetworkManager_t;
@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',`
 
 ########################################
 ## <summary>
-##	Execute networkmanager with a domain transition.
+##	Execute NetworkManager with a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',`
 	domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
 ')
 
+#######################################
+## <summary>
+##      Execute NetworkManager scripts with an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`networkmanager_initrc_domtrans',`
+        gen_require(`
+                type NetworkManager_initrc_exec_t;
+        ')
+
+        init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
-##	Execute networkmanager scripts with
-##	an automatic domain transition to initrc.
+##	Execute NetworkManager server in the NetworkManager domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -104,18 +124,24 @@ interface(`networkmanager_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`networkmanager_initrc_domtrans',`
+interface(`networkmanager_systemctl',`
 	gen_require(`
-		type NetworkManager_initrc_exec_t;
+		type NetworkManager_unit_file_t;
+		type NetworkManager_t;
 	')
 
-	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 NetworkManager_unit_file_t:file read_file_perms;
+	allow $1 NetworkManager_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, NetworkManager_t)
 ')
 
 ########################################
 ## <summary>
 ##	Send and receive messages from
-##	networkmanager over dbus.
+##	NetworkManager over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -155,7 +181,29 @@ interface(`networkmanager_read_state',`
 
 ########################################
 ## <summary>
-##	Send generic signals to networkmanager.
+##	Do not audit attempts to send and
+##	receive messages from NetworkManager
+##	over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_dbus_chat',`
+	gen_require(`
+		type NetworkManager_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 NetworkManager_t:dbus send_msg;
+	dontaudit NetworkManager_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send a generic signal to NetworkManager
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -189,6 +237,7 @@ interface(`networkmanager_manage_lib_files',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+	allow $1 NetworkManager_var_lib_t:file map;
 ')
 
 ########################################
@@ -209,11 +258,31 @@ interface(`networkmanager_read_lib_files',`
 	files_search_var_lib($1)
 	list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+	allow $1 NetworkManager_var_lib_t:file map;
+')
+
+#######################################
+## <summary>
+##  Read NetworkManager conf files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`networkmanager_read_conf',`
+    gen_require(`
+        type NetworkManager_etc_t;
+    ')
+
+	allow $1 NetworkManager_etc_t:dir list_dir_perms;
+	read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
 ')
 
 ########################################
 ## <summary>
-##	Append networkmanager log files.
+##	Read NetworkManager PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -221,19 +290,18 @@ interface(`networkmanager_read_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`networkmanager_append_log_files',`
+interface(`networkmanager_read_pid_files',`
 	gen_require(`
-		type NetworkManager_log_t;
+		type NetworkManager_var_run_t;
 	')
 
-	logging_search_logs($1)
-	allow $1 NetworkManager_log_t:dir list_dir_perms;
-	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+	files_search_pids($1)
+	read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Read networkmanager pid files.
+##	Manage NetworkManager PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -241,13 +309,66 @@ interface(`networkmanager_append_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',`
+	gen_require(`
+		type NetworkManager_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage NetworkManager PID sock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_manage_pid_sock_files',`
 	gen_require(`
 		type NetworkManager_var_run_t;
 	')
 
 	files_search_pids($1)
-	allow $1 NetworkManager_var_run_t:file read_file_perms;
+	manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+## <summary>
+##	Create objects in /etc with a private
+##	type using a type_transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object classes to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_pid_filetrans',`
+	gen_require(`
+		type NetworkManager_var_run_t;
+	')
+
+	filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)
 ')
 
 ####################################
@@ -272,14 +393,33 @@ interface(`networkmanager_stream_connect',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an networkmanager environment.
+##	Delete NetworkManager PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`networkmanager_delete_pid_files',`
+	gen_require(`
+		type NetworkManager_var_run_t;
+	')
+
+	files_search_pids($1)
+    delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute NetworkManager in the NetworkManager domain, and
+##	allow the specified role the NetworkManager domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
@@ -287,33 +427,194 @@ interface(`networkmanager_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
-interface(`networkmanager_admin',`
+interface(`networkmanager_run',`
 	gen_require(`
-		type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
-		type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
-		type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
+		type NetworkManager_t, NetworkManager_exec_t;
 	')
 
-	allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
-
-	init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 NetworkManager_initrc_exec_t system_r;
-	allow $2 system_r;
+	networkmanager_domtrans($1)
+	role $2 types NetworkManager_t;
+')
 
-	logging_search_etc($1)
-	admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	to Network Manager log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_append_log',`
+	gen_require(`
+		type NetworkManager_log_t;
+	')
 
 	logging_search_logs($1)
-	admin_pattern($1, NetworkManager_log_t)
+	allow $1 NetworkManager_log_t:dir list_dir_perms;
+	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+	allow $1 NetworkManager_var_lib_t:file map;
 
-	files_search_var_lib($1)
-	admin_pattern($1, NetworkManager_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to manage
+##  to Network Manager lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`networkmanager_manage_lib',`
+    gen_require(`
+        type NetworkManager_var_lib_t;
+    ')
+
+    manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+    allow $1 NetworkManager_var_lib_t:file map;
+
+')
+
+#######################################
+## <summary>
+##      Read the process state (/proc/pid) of NetworkManager.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`NetworkManager_read_state',`
+        gen_require(`
+            type NetworkManager_t;
+    ')
+
+    allow $1 NetworkManager_t:dir search_dir_perms;
+    allow $1 NetworkManager_t:file read_file_perms;
+    allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+##	Send to NetworkManager with a unix dgram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_dgram_send',`
+	gen_require(`
+		type NetworkManager_t, NetworkManager_var_run_t;
+	')
 
 	files_search_pids($1)
-	admin_pattern($1, NetworkManager_var_run_t)
+	dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+')
+
+########################################
+## <summary>
+##	Send sigchld to networkmanager.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`networkmanager_sigchld',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+    allow $1 NetworkManager_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send signull to networkmanager.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`networkmanager_signull',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+    allow $1 NetworkManager_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send sigkill to networkmanager.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`networkmanager_sigkill',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+    allow $1 NetworkManager_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Transition to networkmanager named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_filetrans_named_content',`
+	gen_require(`
+		type NetworkManager_var_run_t;
+		type NetworkManager_var_lib_t;
+	')
 
-	files_search_tmp($1)
-	admin_pattern($1, NetworkManager_tmp_t)
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth0.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth1.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth2.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth3.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth4.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth5.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth6.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth7.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth8.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth9.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
+	files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd")
+	files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
+	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
+	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
+	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
 ')
diff --git a/networkmanager.te b/networkmanager.te
index 55f20095e6..67738f4a88 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
 type NetworkManager_exec_t;
 init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
 
+type NetworkManager_initrc_exec_t;
+init_script_file(NetworkManager_initrc_exec_t)
+
+type NetworkManager_unit_file_t;
+systemd_unit_file(NetworkManager_unit_file_t)
+
 type NetworkManager_etc_t;
 files_config_file(NetworkManager_etc_t)
 
 type NetworkManager_etc_rw_t;
 files_config_file(NetworkManager_etc_rw_t)
 
-type NetworkManager_initrc_exec_t;
-init_script_file(NetworkManager_initrc_exec_t)
-
 type NetworkManager_log_t;
 logging_log_file(NetworkManager_log_t)
 
@@ -39,25 +42,58 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
 # Local policy
 #
 
-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
+dontaudit NetworkManager_t self:capability sys_tty_config;
+
+allow NetworkManager_t self:bpf { map_create map_read map_write prog_load prog_run };
+
+ifdef(`hide_broken_symptoms',`
+	# caused by some bogus kernel code
+	dontaudit NetworkManager_t self:capability sys_module;
+')
+
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
+
+allow NetworkManager_t self:process setfscreate;
+selinux_validate_context(NetworkManager_t)
+
+tunable_policy(`deny_ptrace',`',`
+	allow NetworkManager_t self:capability sys_ptrace;
+	allow NetworkManager_t self:process ptrace;
+')
+
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-allow NetworkManager_t self:unix_dgram_socket sendto;
-allow NetworkManager_t self:unix_stream_socket { accept listen };
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };
+allow NetworkManager_t self:netlink_generic_socket create_socket_perms;
 allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
+allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow NetworkManager_t self:netlink_socket create_socket_perms;
 allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow NetworkManager_t self:tcp_socket { accept listen };
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
 allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket create_socket_perms;
+allow NetworkManager_t self:socket create_socket_perms;
 
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 
-allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
-allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
-allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
 
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
 filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
@@ -68,6 +104,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
 setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
 
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
@@ -81,17 +118,17 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
 
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
-
-kernel_read_crypto_sysctls(NetworkManager_t)
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_request_load_module(NetworkManager_t)
 kernel_read_debugfs(NetworkManager_t)
 kernel_rw_net_sysctls(NetworkManager_t)
+kernel_dontaudit_setsched(NetworkManager_t)
+kernel_signull(NetworkManager_t)
 
-corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_ib_manage_subnet_unlabeled_endports(NetworkManager_t)
+corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
 corenet_tcp_sendrecv_generic_if(NetworkManager_t)
 corenet_udp_sendrecv_generic_if(NetworkManager_t)
@@ -102,36 +139,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
 corenet_tcp_sendrecv_all_ports(NetworkManager_t)
 corenet_udp_sendrecv_all_ports(NetworkManager_t)
 corenet_udp_bind_generic_node(NetworkManager_t)
-
-corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
 corenet_udp_bind_isakmp_port(NetworkManager_t)
-
-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
 corenet_udp_bind_dhcpc_port(NetworkManager_t)
-
-corenet_sendrecv_all_client_packets(NetworkManager_t)
 corenet_tcp_connect_all_ports(NetworkManager_t)
-
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+corenet_sendrecv_all_client_packets(NetworkManager_t)
 corenet_rw_tun_tap_dev(NetworkManager_t)
 corenet_getattr_ppp_dev(NetworkManager_t)
 
-corecmd_exec_shell(NetworkManager_t)
-corecmd_exec_bin(NetworkManager_t)
-
+dev_access_check_sysfs(NetworkManager_t)
 dev_rw_sysfs(NetworkManager_t)
 dev_read_rand(NetworkManager_t)
 dev_read_urand(NetworkManager_t)
+dev_write_sysfs_dirs(NetworkManager_t)
 dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
 dev_getattr_all_chr_files(NetworkManager_t)
 dev_rw_wireless(NetworkManager_t)
 
-domain_use_interactive_fds(NetworkManager_t)
-domain_read_all_domains_state(NetworkManager_t)
-
-files_read_etc_runtime_files(NetworkManager_t)
-files_read_usr_files(NetworkManager_t)
-files_read_usr_src_files(NetworkManager_t)
-
 fs_getattr_all_fs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
@@ -140,18 +165,35 @@ mls_file_read_all_levels(NetworkManager_t)
 
 selinux_dontaudit_search_fs(NetworkManager_t)
 
+corecmd_exec_shell(NetworkManager_t)
+corecmd_exec_bin(NetworkManager_t)
+
+domain_use_interactive_fds(NetworkManager_t)
+domain_read_all_domains_state(NetworkManager_t)
+
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_system_conf_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+files_read_isid_type_files(NetworkManager_t)
+
 storage_getattr_fixed_disk_dev(NetworkManager_t)
 
+term_open_unallocated_ttys(NetworkManager_t)
+
 init_read_utmp(NetworkManager_t)
 init_dontaudit_write_utmp(NetworkManager_t)
 init_domtrans_script(NetworkManager_t)
+init_signull_script(NetworkManager_t)
+init_signal_script(NetworkManager_t)
+init_sigkill_script(NetworkManager_t)
 
 auth_use_nsswitch(NetworkManager_t)
 
+libs_exec_ldconfig(NetworkManager_t)
+
 logging_send_syslog_msg(NetworkManager_t)
 
 miscfiles_read_generic_certs(NetworkManager_t)
-miscfiles_read_localization(NetworkManager_t)
 
 seutil_read_config(NetworkManager_t)
 
@@ -166,21 +208,37 @@ sysnet_kill_dhcpc(NetworkManager_t)
 sysnet_read_dhcpc_state(NetworkManager_t)
 sysnet_delete_dhcpc_state(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
+# in /etc created by NetworkManager will be labelled net_conf_t.
 sysnet_manage_config(NetworkManager_t)
-sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_filetrans_named_content(NetworkManager_t)
+sysnet_filetrans_net_conf(NetworkManager_t)
 
-# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
+systemd_machined_read_pid_files(NetworkManager_t)
+
+term_use_unallocated_ttys(NetworkManager_t)
 
-userdom_write_user_tmp_sockets(NetworkManager_t)
+userdom_stream_connect(NetworkManager_t)
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
 userdom_dontaudit_use_user_ttys(NetworkManager_t)
+# Read gnome-keyring
+userdom_read_home_certs(NetworkManager_t)
+userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+    fs_read_nfs_files(NetworkManager_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+    fs_read_cifs_files(NetworkManager_t)
+')
 
 optional_policy(`
 	avahi_domtrans(NetworkManager_t)
 	avahi_kill(NetworkManager_t)
 	avahi_signal(NetworkManager_t)
 	avahi_signull(NetworkManager_t)
+	avahi_dbus_chat(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -195,10 +253,6 @@ optional_policy(`
 	bluetooth_dontaudit_read_helper_state(NetworkManager_t)
 ')
 
-optional_policy(`
-	consolekit_read_pid_files(NetworkManager_t)
-')
-
 optional_policy(`
 	consoletype_exec(NetworkManager_t)
 ')
@@ -210,31 +264,36 @@ optional_policy(`
 optional_policy(`
 	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
 
-	optional_policy(`
-		avahi_dbus_chat(NetworkManager_t)
-	')
+	init_dbus_chat(NetworkManager_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(NetworkManager_t)
+		consolekit_read_pid_files(NetworkManager_t)
 	')
+')
 
-	optional_policy(`
-		policykit_dbus_chat(NetworkManager_t)
-	')
+optional_policy(`
+    dnssec_trigger_domtrans(NetworkManager_t)
 ')
 
 optional_policy(`
 	dnsmasq_read_pid_files(NetworkManager_t)
+	dnsmasq_dbus_chat(NetworkManager_t)
 	dnsmasq_delete_pid_files(NetworkManager_t)
 	dnsmasq_domtrans(NetworkManager_t)
 	dnsmasq_initrc_domtrans(NetworkManager_t)
 	dnsmasq_kill(NetworkManager_t)
 	dnsmasq_signal(NetworkManager_t)
 	dnsmasq_signull(NetworkManager_t)
+	dnsmasq_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
+    dnssec_trigger_signull(NetworkManager_t)
 ')
 
 optional_policy(`
-	gnome_stream_connect_all_gkeyringd(NetworkManager_t)
+    fcoe_dgram_send_fcoemon(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -245,11 +304,27 @@ optional_policy(`
 	howl_signal(NetworkManager_t)
 ')
 
+optional_policy(`
+	gnome_dontaudit_search_config(NetworkManager_t)
+')
+
+optional_policy(`
+    iscsid_domtrans(NetworkManager_t)
+')
+
+optional_policy(`
+    iodined_domtrans(NetworkManager_t)
+')
+
 optional_policy(`
 	ipsec_domtrans_mgmt(NetworkManager_t)
 	ipsec_kill_mgmt(NetworkManager_t)
 	ipsec_signal_mgmt(NetworkManager_t)
 	ipsec_signull_mgmt(NetworkManager_t)
+	ipsec_domtrans(NetworkManager_t)
+	ipsec_kill(NetworkManager_t)
+	ipsec_signal(NetworkManager_t)
+	ipsec_signull(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -257,15 +332,19 @@ optional_policy(`
 ')
 
 optional_policy(`
-	libs_exec_ldconfig(NetworkManager_t)
+	l2tpd_domtrans(NetworkManager_t)
+    l2tpd_sigkill(NetworkManager_t)
+    l2tpd_signal(NetworkManager_t)
+    l2tpd_signull(NetworkManager_t)
 ')
 
 optional_policy(`
-	modutils_domtrans_insmod(NetworkManager_t)
+    lldpad_dgram_send(NetworkManager_t)
 ')
 
 optional_policy(`
 	netutils_exec_ping(NetworkManager_t)
+    netutils_exec(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -274,10 +353,17 @@ optional_policy(`
 	nscd_signull(NetworkManager_t)
 	nscd_kill(NetworkManager_t)
 	nscd_initrc_domtrans(NetworkManager_t)
+	nscd_systemctl(NetworkManager_t)
 ')
 
 optional_policy(`
+	# Dispatcher starting and stoping ntp
 	ntp_initrc_domtrans(NetworkManager_t)
+	ntp_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
+	modutils_domtrans_insmod(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -286,9 +372,12 @@ optional_policy(`
 	openvpn_kill(NetworkManager_t)
 	openvpn_signal(NetworkManager_t)
 	openvpn_signull(NetworkManager_t)
+	openvpn_stream_connect(NetworkManager_t)
+	openvpn_noatsecure(NetworkManager_t)
 ')
 
 optional_policy(`
+	policykit_dbus_chat(NetworkManager_t)
 	policykit_domtrans_auth(NetworkManager_t)
 	policykit_read_lib(NetworkManager_t)
 	policykit_read_reload(NetworkManager_t)
@@ -296,7 +385,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	polipo_initrc_domtrans(NetworkManager_t)
+	polipo_systemctl(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -307,6 +396,7 @@ optional_policy(`
 	ppp_signal(NetworkManager_t)
 	ppp_signull(NetworkManager_t)
 	ppp_read_config(NetworkManager_t)
+	ppp_systemctl(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -320,14 +410,21 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_exec(NetworkManager_t)
-	udev_read_db(NetworkManager_t)
-	udev_read_pid_files(NetworkManager_t)
+	systemd_write_inhibit_pipes(NetworkManager_t)
+	systemd_read_logind_sessions_files(NetworkManager_t)
+	systemd_dbus_chat_logind(NetworkManager_t)
+	systemd_dbus_chat_hostnamed(NetworkManager_t)
+    systemd_hostnamed_manage_config(NetworkManager_t)
 ')
 
 optional_policy(`
-	# unconfined_dgram_send(NetworkManager_t)
-	unconfined_stream_connect(NetworkManager_t)
+    ssh_exec(NetworkManager_t)
+')
+
+optional_policy(`
+	udev_exec(NetworkManager_t)
+	udev_read_db(NetworkManager_t)
+	udev_read_pid_files(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -338,12 +435,16 @@ optional_policy(`
 	vpn_relabelfrom_tun_socket(NetworkManager_t)
 ')
 
+optional_policy(`
+	openvswitch_stream_connect(NetworkManager_t)
+')
+
 ########################################
 #
 # wpa_cli local policy
 #
 
-allow wpa_cli_t self:capability dac_override;
+allow wpa_cli_t self:capability { dac_read_search dac_override };
 allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
 
 allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
@@ -357,6 +458,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
 init_dontaudit_use_fds(wpa_cli_t)
 init_use_script_ptys(wpa_cli_t)
 
-miscfiles_read_localization(wpa_cli_t)
-
 term_dontaudit_use_console(wpa_cli_t)
diff --git a/ninfod.fc b/ninfod.fc
new file mode 100644
index 0000000000..cc31b9f273
--- /dev/null
+++ b/ninfod.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/ninfod.*		--	gen_context(system_u:object_r:ninfod_unit_file_t,s0)
+
+/usr/sbin/ninfod		--	gen_context(system_u:object_r:ninfod_exec_t,s0)
+
+/var/run/ninfod.*		--	gen_context(system_u:object_r:ninfod_run_t,s0)
+
diff --git a/ninfod.if b/ninfod.if
new file mode 100644
index 0000000000..409de8c3ef
--- /dev/null
+++ b/ninfod.if
@@ -0,0 +1,80 @@
+
+## <summary>Respond to IPv6 Node Information Queries</summary>
+
+########################################
+## <summary>
+##	Execute ninfod in the ninfod domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ninfod_domtrans',`
+	gen_require(`
+		type ninfod_t, ninfod_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ninfod_exec_t, ninfod_t)
+')
+########################################
+## <summary>
+##	Execute ninfod server in the ninfod domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ninfod_systemctl',`
+	gen_require(`
+		type ninfod_t;
+		type ninfod_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 ninfod_unit_file_t:file read_file_perms;
+	allow $1 ninfod_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ninfod_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ninfod environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ninfod_admin',`
+	gen_require(`
+		type ninfod_t;
+	    type ninfod_unit_file_t;
+	')
+
+	allow $1 ninfod_t:process { signal_perms };
+	ps_process_pattern($1, ninfod_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ninfod_t:process ptrace;
+    ')
+
+	ninfod_systemctl($1)
+	admin_pattern($1, ninfod_unit_file_t)
+	allow $1 ninfod_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/ninfod.te b/ninfod.te
new file mode 100644
index 0000000000..b3aa3ce13e
--- /dev/null
+++ b/ninfod.te
@@ -0,0 +1,36 @@
+policy_module(ninfod, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ninfod_t;
+type ninfod_exec_t;
+init_daemon_domain(ninfod_t, ninfod_exec_t)
+
+type ninfod_run_t;
+files_pid_file(ninfod_run_t)
+
+type ninfod_unit_file_t;
+systemd_unit_file(ninfod_unit_file_t)
+
+########################################
+#
+# ninfod local policy
+#
+allow ninfod_t self:capability { net_raw setuid };
+allow ninfod_t self:process setcap;
+allow ninfod_t self:fifo_file rw_fifo_file_perms;
+allow ninfod_t self:rawip_socket { create setopt };
+allow ninfod_t self:unix_stream_socket create_stream_socket_perms;
+allow ninfod_t self:rawip_socket read;
+
+manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t)
+files_pid_filetrans(ninfod_t,ninfod_run_t, { file })
+
+auth_use_nsswitch(ninfod_t)
+
+logging_send_syslog_msg(ninfod_t)
+
+sysnet_dns_name_resolve(ninfod_t)
diff --git a/nis.fc b/nis.fc
index 8aa1bfa28e..cd0e015f84 100644
--- a/nis.fc
+++ b/nis.fc
@@ -2,21 +2,26 @@
 /etc/rc\.d/init\.d/yppasswd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ypserv	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ypxfrd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
-
 /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
 
-/sbin/ypbind	--	gen_context(system_u:object_r:ypbind_exec_t,s0)
+/sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
 
 /usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 
-/usr/sbin/rpc\.yppasswdd	--	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
 /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 /usr/sbin/ypbind	--	gen_context(system_u:object_r:ypbind_exec_t,s0)
 /usr/sbin/ypserv	--	gen_context(system_u:object_r:ypserv_exec_t,s0)
 
-/var/yp(/.*)?	gen_context(system_u:object_r:var_yp_t,s0)
+/var/yp(/.*)?			gen_context(system_u:object_r:var_yp_t,s0)
 
 /var/run/ypxfrd.*	--	gen_context(system_u:object_r:ypxfr_var_run_t,s0)
 /var/run/ypbind.*	--	gen_context(system_u:object_r:ypbind_var_run_t,s0)
 /var/run/ypserv.*	--	gen_context(system_u:object_r:ypserv_var_run_t,s0)
 /var/run/yppass.*	--	gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
+/usr/lib/systemd/system/ypbind.*	--	gen_context(system_u:object_r:ypbind_unit_file_t,s0)
+/usr/lib/systemd/system/ypserv.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/yppasswdd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.*	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
index 46e55c3ff1..afe399a0ea 100644
--- a/nis.if
+++ b/nis.if
@@ -1,4 +1,4 @@
-## <summary>Policy for NIS (YP) servers and clients.</summary>
+## <summary>Policy for NIS (YP) servers and clients</summary>
 
 ########################################
 ## <summary>
@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',`
 	gen_require(`
 		type var_yp_t;
 	')
-
-	allow $1 self:capability net_bind_service;
+	dontaudit $1 self:capability net_bind_service;
 
 	allow $1 self:tcp_socket create_stream_socket_perms;
 	allow $1 self:udp_socket create_socket_perms;
 
 	allow $1 var_yp_t:dir list_dir_perms;
-	allow $1 var_yp_t:file read_file_perms;
 	allow $1 var_yp_t:lnk_file read_lnk_file_perms;
+	allow $1 var_yp_t:file read_file_perms;
 
-	corenet_all_recvfrom_unlabeled($1)
-	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_generic_node($1)
@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',`
 	corenet_udp_bind_generic_node($1)
 	corenet_tcp_bind_generic_port($1)
 	corenet_udp_bind_generic_port($1)
-	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
-	corenet_dontaudit_udp_bind_all_reserved_ports($1)
 	corenet_dontaudit_tcp_bind_all_ports($1)
 	corenet_dontaudit_udp_bind_all_ports($1)
 	corenet_tcp_connect_portmap_port($1)
-	corenet_tcp_connect_reserved_port($1)
+	corenet_tcp_connect_all_reserved_ports($1)
 	corenet_tcp_connect_generic_port($1)
-	corenet_dontaudit_tcp_connect_all_ports($1)
 	corenet_sendrecv_portmap_client_packets($1)
 	corenet_sendrecv_generic_client_packets($1)
 	corenet_sendrecv_generic_server_packets($1)
@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
 ## <rolecap/>
 #
 interface(`nis_use_ypbind',`
-	tunable_policy(`allow_ypbind',`
+	tunable_policy(`nis_enabled',`
 		nis_use_ypbind_uncond($1)
 	')
 ')
 
 ########################################
 ## <summary>
-##	Use nis to authenticate passwords.
+##	Use the nis to authenticate passwords
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
 ## <rolecap/>
 #
 interface(`nis_authenticate',`
-	tunable_policy(`allow_ypbind',`
+	tunable_policy(`nis_enabled',`
 		nis_use_ypbind_uncond($1)
 		corenet_tcp_bind_all_rpc_ports($1)
 		corenet_udp_bind_all_rpc_ports($1)
@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
 
 #######################################
 ## <summary>
-##	Execute ypbind in the caller domain.
+##  Execute ypbind in the caller domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 #
 interface(`nis_exec_ypbind',`
-	gen_require(`
-		type ypbind_exec_t;
-	')
+    gen_require(`
+        type ypbind_t, ypbind_exec_t;
+    ')
 
-	corecmd_search_bin($1)
 	can_exec($1, ypbind_exec_t)
 ')
 
@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
 #
 interface(`nis_run_ypbind',`
 	gen_require(`
-		attribute_role ypbind_roles;
+		type ypbind_t;
 	')
 
 	nis_domtrans_ypbind($1)
-	roleattribute $2 ypbind_roles;
+	role $2 types ypbind_t;
 ')
 
 ########################################
@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
 
 ########################################
 ## <summary>
-##	List nis data directories.
+##	List the contents of the NIS data directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
 #
 interface(`nis_delete_ypbind_pid',`
 	gen_require(`
-		type ypbind_var_run_t;
+		type ypbind_t;
 	')
 
-	allow $1 ypbind_var_run_t:file delete_file_perms;
+	# TODO: add delete pid from dir call to files
+	allow $1 ypbind_t:file unlink;
 ')
 
 ########################################
@@ -355,8 +349,59 @@ interface(`nis_initrc_domtrans_ypbind',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an nis environment.
+##	Execute ypbind server in the ypbind domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`nis_systemctl_ypbind',`
+	gen_require(`
+		type ypbind_unit_file_t;
+		type ypbind_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 ypbind_unit_file_t:file read_file_perms;
+	allow $1 ypbind_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ypbind_t)
+')
+
+########################################
+## <summary>
+##	Execute ypbind server in the ypbind domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`nis_systemctl',`
+	gen_require(`
+		type nis_unit_file_t, ypbind_unit_file_t;
+		type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 nis_unit_file_t:file read_file_perms;
+	allow $1 nis_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ypbind_t)
+	ps_process_pattern($1, yppasswdd_t)
+	ps_process_pattern($1, ypserv_t)
+	ps_process_pattern($1, ypxfr_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an nis environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -372,32 +417,56 @@ interface(`nis_initrc_domtrans_ypbind',`
 #
 interface(`nis_admin',`
 	gen_require(`
-		type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
-		type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+		type ypbind_t, yppasswdd_t, ypserv_t;
+		type ypserv_conf_t;
 		type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
-		type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t;
+		type ypserv_tmp_t;
+		type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
+		type nis_unit_file_t;
+		type ypbind_unit_file_t;
+	')
+
+	allow $1 ypbind_t:process signal_perms;
+	ps_process_pattern($1, ypbind_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ypbind_t:process ptrace;
+		allow $1 yppasswdd_t:process ptrace;
+		allow $1 ypserv_t:process ptrace;
+		allow $1 ypxfr_t:process ptrace;
 	')
 
-	allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
+	allow $1 yppasswdd_t:process signal_perms;
+	ps_process_pattern($1, yppasswdd_t)
+
+	allow $1 ypserv_t:process signal_perms;
+	ps_process_pattern($1, ypserv_t)
+
+	allow $1 ypxfr_t:process signal_perms;
+	ps_process_pattern($1, ypxfr_t)
 
 	nis_initrc_domtrans($1)
 	nis_initrc_domtrans_ypbind($1)
 	domain_system_change_exemption($1)
-	role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
+	role_transition $2 nis_initrc_exec_t system_r;
+	role_transition $2 ypbind_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_list_tmp($1)
-	admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
-
 	files_list_pids($1)
-	admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t })
+	admin_pattern($1, ypbind_var_run_t)
+	nis_systemctl_ypbind($1)
+	admin_pattern($1, ypbind_unit_file_t)
+	allow $1 ypbind_unit_file_t:service all_service_perms;
+
+	admin_pattern($1, yppasswdd_var_run_t)
 
 	files_list_etc($1)
 	admin_pattern($1, ypserv_conf_t)
 
-	files_search_var($1)
-	admin_pattern($1, var_yp_t)
+	admin_pattern($1, ypserv_var_run_t)
+
+	admin_pattern($1, ypserv_tmp_t)
 
-	nis_run_ypbind($1, $2)
+	nis_systemctl($1)
+	admin_pattern($1, nis_unit_file_t)
+	allow $1 nis_unit_file_t:service all_service_perms;
 ')
diff --git a/nis.te b/nis.te
index 3a6b0352eb..31577d5675 100644
--- a/nis.te
+++ b/nis.te
@@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
 # Declarations
 #
 
-attribute_role ypbind_roles;
-
 type nis_initrc_exec_t;
 init_script_file(nis_initrc_exec_t)
 
@@ -16,16 +14,18 @@ files_type(var_yp_t)
 type ypbind_t;
 type ypbind_exec_t;
 init_daemon_domain(ypbind_t, ypbind_exec_t)
-role ypbind_roles types ypbind_t;
 
 type ypbind_initrc_exec_t;
 init_script_file(ypbind_initrc_exec_t)
 
+type ypbind_var_run_t;
+files_pid_file(ypbind_var_run_t)
+
 type ypbind_tmp_t;
 files_tmp_file(ypbind_tmp_t)
 
-type ypbind_var_run_t;
-files_pid_file(ypbind_var_run_t)
+type ypbind_unit_file_t;
+systemd_unit_file(ypbind_unit_file_t)
 
 type yppasswdd_t;
 type yppasswdd_exec_t;
@@ -40,7 +40,7 @@ type ypserv_exec_t;
 init_daemon_domain(ypserv_t, ypserv_exec_t)
 
 type ypserv_conf_t;
-files_type(ypserv_conf_t)
+files_config_file(ypserv_conf_t)
 
 type ypserv_tmp_t;
 files_tmp_file(ypserv_tmp_t)
@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
 type ypxfr_var_run_t;
 files_pid_file(ypxfr_var_run_t)
 
+type nis_unit_file_t;
+systemd_unit_file(nis_unit_file_t)
+
 ########################################
 #
 # ypbind local policy
@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t)
 dontaudit ypbind_t self:capability { net_admin sys_tty_config };
 allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:process signal_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypbind_t self:tcp_socket create_stream_socket_perms;
 allow ypbind_t self:udp_socket create_socket_perms;
@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
 kernel_read_system_state(ypbind_t)
 kernel_read_kernel_sysctls(ypbind_t)
 
-corenet_all_recvfrom_unlabeled(ypbind_t)
 corenet_all_recvfrom_netlabel(ypbind_t)
 corenet_tcp_sendrecv_generic_if(ypbind_t)
 corenet_udp_sendrecv_generic_if(ypbind_t)
@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t)
 corenet_udp_sendrecv_all_ports(ypbind_t)
 corenet_tcp_bind_generic_node(ypbind_t)
 corenet_udp_bind_generic_node(ypbind_t)
-
 corenet_tcp_bind_generic_port(ypbind_t)
 corenet_udp_bind_generic_port(ypbind_t)
 corenet_tcp_bind_reserved_port(ypbind_t)
@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t)
 corenet_tcp_bind_all_rpc_ports(ypbind_t)
 corenet_udp_bind_all_rpc_ports(ypbind_t)
 corenet_tcp_connect_all_ports(ypbind_t)
-corenet_sendrecv_all_client_packets(ypbind_t)
-corenet_sendrecv_generic_server_packets(ypbind_t)
-
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+corenet_sendrecv_all_client_packets(ypbind_t)
+corenet_sendrecv_generic_server_packets(ypbind_t)
 
 dev_read_sysfs(ypbind_t)
 
@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t)
 
 domain_use_interactive_fds(ypbind_t)
 
-files_read_etc_files(ypbind_t)
 files_list_var(ypbind_t)
 
-logging_send_syslog_msg(ypbind_t)
+init_search_pid_dirs(ypbind_t)
 
-miscfiles_read_localization(ypbind_t)
+logging_send_syslog_msg(ypbind_t)
 
 sysnet_read_config(ypbind_t)
 
@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t)
 optional_policy(`
 	dbus_system_bus_client(ypbind_t)
 	dbus_connect_system_bus(ypbind_t)
-
 	init_dbus_chat_script(ypbind_t)
 
 	optional_policy(`
@@ -145,11 +144,12 @@ optional_policy(`
 # yppasswdd local policy
 #
 
-allow yppasswdd_t self:capability dac_override;
+allow yppasswdd_t self:capability { dac_read_search dac_override };
 dontaudit yppasswdd_t self:capability sys_tty_config;
 allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { getsched setfscreate signal_perms };
-allow yppasswdd_t self:unix_stream_socket { accept listen };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
 allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
 allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
 allow yppasswdd_t self:udp_socket create_socket_perms;
@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
 manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
 manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
 
-can_exec(yppasswdd_t, yppasswdd_exec_t)
+can_exec(yppasswdd_t,yppasswdd_exec_t)
 
 kernel_list_proc(yppasswdd_t)
 kernel_read_proc_symlinks(yppasswdd_t)
 kernel_getattr_proc_files(yppasswdd_t)
 kernel_read_kernel_sysctls(yppasswdd_t)
 
-corenet_all_recvfrom_unlabeled(yppasswdd_t)
 corenet_all_recvfrom_netlabel(yppasswdd_t)
 corenet_tcp_sendrecv_generic_if(yppasswdd_t)
 corenet_udp_sendrecv_generic_if(yppasswdd_t)
@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
 corenet_udp_sendrecv_all_ports(yppasswdd_t)
 corenet_tcp_bind_generic_node(yppasswdd_t)
 corenet_udp_bind_generic_node(yppasswdd_t)
-
 corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
 corenet_udp_bind_all_rpc_ports(yppasswdd_t)
-corenet_sendrecv_generic_server_packets(yppasswdd_t)
-
 corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
 
-corecmd_exec_bin(yppasswdd_t)
-corecmd_exec_shell(yppasswdd_t)
-
-domain_use_interactive_fds(yppasswdd_t)
-
-files_read_etc_files(yppasswdd_t)
-files_read_etc_runtime_files(yppasswdd_t)
-files_relabel_etc_files(yppasswdd_t)
-
+dev_read_urand(yppasswdd_t)
 dev_read_sysfs(yppasswdd_t)
 
 fs_getattr_all_fs(yppasswdd_t)
@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t)
 selinux_get_fs_mount(yppasswdd_t)
 
 auth_manage_shadow(yppasswdd_t)
+auth_manage_passwd(yppasswdd_t)
 auth_relabel_shadow(yppasswdd_t)
 auth_etc_filetrans_shadow(yppasswdd_t)
 
+corecmd_exec_bin(yppasswdd_t)
+corecmd_exec_shell(yppasswdd_t)
+
+domain_use_interactive_fds(yppasswdd_t)
+
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
 logging_send_syslog_msg(yppasswdd_t)
 
-miscfiles_read_localization(yppasswdd_t)
 
 sysnet_read_config(yppasswdd_t)
 
@@ -218,6 +215,14 @@ optional_policy(`
 	hostname_exec(yppasswdd_t)
 ')
 
+optional_policy(`
+    mta_send_mail(yppasswdd_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(yppasswdd_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(yppasswdd_t)
 ')
@@ -234,12 +239,14 @@ optional_policy(`
 dontaudit ypserv_t self:capability sys_tty_config;
 allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:process signal_perms;
-allow ypserv_t self:unix_stream_socket { accept listen };
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypserv_t self:tcp_socket connected_stream_socket_perms;
 allow ypserv_t self:udp_socket create_socket_perms;
 
 manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)
+allow ypserv_t var_yp_t:file map;
 
 allow ypserv_t ypserv_conf_t:file read_file_perms;
 
@@ -254,7 +261,6 @@ kernel_read_kernel_sysctls(ypserv_t)
 kernel_list_proc(ypserv_t)
 kernel_read_proc_symlinks(ypserv_t)
 
-corenet_all_recvfrom_unlabeled(ypserv_t)
 corenet_all_recvfrom_netlabel(ypserv_t)
 corenet_tcp_sendrecv_generic_if(ypserv_t)
 corenet_udp_sendrecv_generic_if(ypserv_t)
@@ -264,31 +270,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
 corenet_udp_sendrecv_all_ports(ypserv_t)
 corenet_tcp_bind_generic_node(ypserv_t)
 corenet_udp_bind_generic_node(ypserv_t)
-
 corenet_tcp_bind_reserved_port(ypserv_t)
 corenet_udp_bind_reserved_port(ypserv_t)
 corenet_tcp_bind_all_rpc_ports(ypserv_t)
 corenet_udp_bind_all_rpc_ports(ypserv_t)
-corenet_sendrecv_generic_server_packets(ypserv_t)
-
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+corenet_sendrecv_generic_server_packets(ypserv_t)
+corenet_tcp_connect_portmap_port(ypserv_t)
 
-corecmd_exec_bin(ypserv_t)
+dev_read_sysfs(ypserv_t)
 
-files_read_etc_files(ypserv_t)
-files_read_var_files(ypserv_t)
+fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
 
-dev_read_sysfs(ypserv_t)
+corecmd_exec_bin(ypserv_t)
 
 domain_use_interactive_fds(ypserv_t)
 
-fs_getattr_all_fs(ypserv_t)
-fs_search_auto_mountpoints(ypserv_t)
+files_read_var_files(ypserv_t)
 
 logging_send_syslog_msg(ypserv_t)
 
-miscfiles_read_localization(ypserv_t)
 
 nis_domtrans_ypxfr(ypserv_t)
 
@@ -305,13 +308,17 @@ optional_policy(`
 	udev_read_db(ypserv_t)
 ')
 
+optional_policy(`
+    rpcbind_stream_connect(ypserv_t)
+')
+
 ########################################
 #
 # ypxfr local policy
 #
 
-allow ypxfr_t self:unix_stream_socket { accept listen };
-allow ypxfr_t self:unix_dgram_socket { accept listen };
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
 allow ypxfr_t self:tcp_socket create_stream_socket_perms;
 allow ypxfr_t self:udp_socket create_socket_perms;
 allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -326,7 +333,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
 manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
 files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
 
-corenet_all_recvfrom_unlabeled(ypxfr_t)
 corenet_all_recvfrom_netlabel(ypxfr_t)
 corenet_tcp_sendrecv_generic_if(ypxfr_t)
 corenet_udp_sendrecv_generic_if(ypxfr_t)
@@ -336,23 +342,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
 corenet_udp_sendrecv_all_ports(ypxfr_t)
 corenet_tcp_bind_generic_node(ypxfr_t)
 corenet_udp_bind_generic_node(ypxfr_t)
-
 corenet_tcp_bind_reserved_port(ypxfr_t)
 corenet_udp_bind_reserved_port(ypxfr_t)
 corenet_tcp_bind_all_rpc_ports(ypxfr_t)
 corenet_udp_bind_all_rpc_ports(ypxfr_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
 corenet_tcp_connect_all_ports(ypxfr_t)
 corenet_sendrecv_generic_server_packets(ypxfr_t)
 corenet_sendrecv_all_client_packets(ypxfr_t)
 
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
-
-files_read_etc_files(ypxfr_t)
 files_search_usr(ypxfr_t)
 
 logging_send_syslog_msg(ypxfr_t)
 
-miscfiles_read_localization(ypxfr_t)
 
 sysnet_read_config(ypxfr_t)
diff --git a/nova.fc b/nova.fc
new file mode 100644
index 0000000000..b5fab0e6ac
--- /dev/null
+++ b/nova.fc
@@ -0,0 +1,25 @@
+/usr/bin/nova-ajax-console-proxy       --      gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-console.*                --      gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-direct-api       --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-api                      --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-cert           --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-conductor     --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr//bin/nova-api-metadata    --      gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-network       --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-objectstore       --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-scheduler     --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-vncproxy      --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-volume        --  gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-xvpvncproxy      --      gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-cells      --      gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-novncproxy      --      gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-serialproxy      --      gen_context(system_u:object_r:nova_exec_t,s0)
+/usr/bin/nova-api-metadata      --      gen_context(system_u:object_r:nova_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-nova-*	--	gen_context(system_u:object_r:nova_unit_file_t,s0)
+
+/var/lib/nova(/.*)?     gen_context(system_u:object_r:nova_var_lib_t,s0)
+
+/var/log/nova(/.*)?     gen_context(system_u:object_r:nova_log_t,s0)
+
+/var/run/nova(/.*)?     gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
index 0000000000..e328327057
--- /dev/null
+++ b/nova.if
@@ -0,0 +1,47 @@
+## <summary>openstack-nova</summary>
+
+######################################
+## <summary>
+##  Manage nova lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`nova_manage_lib_files',`
+    gen_require(`
+                type nova_var_lib_t;
+                                ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  openstack-nova systemd daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`nova_domain_template',`
+	gen_require(`
+        type nova_t;
+        type nova_exec_t;
+        type nova_unit_file_t;
+        type nova_tmp_t;
+
+	')
+
+    typealias nova_t alias nova_$1_t;
+    typealias nova_exec_t alias nova_$1_exec_t;
+    typealias nova_unit_file_t alias nova_$1_unit_file_t;
+    typealias nova_tmp_t alias nova_$1_tmp_t;
+
+')
diff --git a/nova.te b/nova.te
new file mode 100644
index 0000000000..af8dd5527d
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,204 @@
+policy_module(nova, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# nova-stack daemons contain security issue with using sudo in the code
+# we make this policy as unconfined until this issue is fixed
+#
+
+attribute nova_domain;
+attribute nova_sudo_domain;
+
+nova_domain_template(ajax)
+nova_domain_template(api)
+nova_domain_template(cert)
+nova_domain_template(conductor)
+nova_domain_template(compute)
+nova_domain_template(console)
+nova_domain_template(direct)
+nova_domain_template(network)
+nova_domain_template(objectstore)
+nova_domain_template(scheduler)
+nova_domain_template(vncproxy)
+nova_domain_template(volume)
+
+typeattribute nova_api_t nova_sudo_domain;
+typeattribute nova_cert_t nova_sudo_domain;
+typeattribute nova_console_t nova_sudo_domain;
+typeattribute nova_network_t nova_sudo_domain;
+typeattribute nova_volume_t nova_sudo_domain;
+
+type nova_t;
+type nova_exec_t;
+init_daemon_domain(nova_t, nova_exec_t)
+typeattribute nova_t nova_domain;
+
+type nova_unit_file_t;
+systemd_unit_file(nova_unit_file_t)
+
+type nova_tmp_t;
+files_tmp_file(nova_tmp_t)
+
+manage_dirs_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+manage_files_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+manage_lnk_files_pattern(nova_t, nova_tmp_t, nova_tmp_t)
+files_tmp_filetrans(nova_t, nova_tmp_t, { lnk_file file dir })
+fs_tmpfs_filetrans(nova_t, nova_tmp_t, { lnk_file file dir })
+can_exec(nova_t, nova_tmp_t)
+
+type nova_log_t;
+logging_log_file(nova_log_t)
+
+type nova_var_lib_t;
+files_type(nova_var_lib_t)
+
+type nova_var_run_t;
+files_pid_file(nova_var_run_t)
+
+
+######################################
+#
+# nova general domain local policy
+#
+
+allow nova_domain self:capability { dac_read_search dac_override net_admin net_bind_service };
+allow nova_domain self:process {  getcap setcap signal_perms setfscreate };
+allow nova_domain self:fifo_file rw_fifo_file_perms;
+allow nova_domain self:tcp_socket create_stream_socket_perms;
+allow nova_domain self:unix_stream_socket create_stream_socket_perms;
+allow nova_domain self:udp_socket create_socket_perms;
+allow nova_domain self:key write;
+allow nova_domain self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
+manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
+
+manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
+manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
+
+manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
+
+kernel_read_network_state(nova_domain)
+kernel_read_kernel_sysctls(nova_domain)
+
+kernel_read_system_state(nova_t)
+
+logging_send_syslog_msg(nova_t)
+
+miscfiles_read_generic_certs(nova_t)
+
+corecmd_exec_bin(nova_domain)
+corecmd_exec_shell(nova_domain)
+
+corenet_tcp_bind_generic_node(nova_domain)
+corenet_udp_bind_generic_node(nova_domain)
+# should be add to booleans
+corenet_tcp_connect_all_ports(nova_domain)
+corenet_tcp_bind_all_unreserved_ports(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+corenet_tcp_connect_amqp_port(nova_domain)
+corenet_tcp_connect_mysqld_port(nova_domain)
+corenet_tcp_connect_memcache_port(nova_domain)
+corenet_tcp_bind_varnishd_port(nova_domain)
+# should be added to boolean or fixed in the code
+# dnsmasq domtrans does not work since then dnsmasq_t wants
+# to do some stuff with nova_lib, nova_tmp
+# nova-dhcpbridge runs in dnsmasq domain
+corenet_all_recvfrom_netlabel(nova_t)
+corenet_tcp_sendrecv_generic_if(nova_domain)
+corenet_udp_sendrecv_generic_if(nova_domain)
+corenet_raw_sendrecv_generic_if(nova_domain)
+corenet_tcp_sendrecv_generic_node(nova_domain)
+corenet_udp_sendrecv_generic_node(nova_domain)
+corenet_raw_sendrecv_generic_node(nova_domain)
+corenet_tcp_sendrecv_all_ports(nova_domain)
+corenet_udp_sendrecv_all_ports(nova_domain)
+corenet_tcp_bind_dns_port(nova_domain)
+corenet_udp_bind_all_ports(nova_domain)
+corenet_sendrecv_dns_server_packets(nova_domain)
+corenet_sendrecv_dhcpd_server_packets(nova_domain)
+
+auth_use_nsswitch(nova_t)
+auth_use_pam(nova_t)
+auth_read_passwd(nova_domain)
+
+dev_read_sysfs(nova_domain)
+dev_read_urand(nova_domain)
+dev_read_rand(nova_domain)
+
+fs_getattr_all_fs(nova_domain)
+
+init_rw_utmp(nova_domain)
+
+libs_exec_ldconfig(nova_domain)
+
+optional_policy(`
+    apache_search_config(nova_domain)
+')
+
+optional_policy(`
+    mysql_stream_connect(nova_domain)
+    mysql_read_db_lnk_files(nova_domain)
+')
+
+optional_policy(`
+	postgresql_stream_connect(nova_domain)
+')
+
+optional_policy(`
+	sysnet_read_config(nova_domain)
+	sysnet_domtrans_ifconfig(nova_domain)
+')
+
+optional_policy(`
+	iptables_domtrans(nova_domain)
+')
+
+optional_policy(`
+	ssh_exec_keygen(nova_domain)
+')
+
+optional_policy(`
+    gnome_dontaudit_search_config(nova_domain)
+')
+
+optional_policy(`
+	virt_getattr_exec(nova_domain)
+	virt_stream_connect(nova_domain)
+')
+
+optional_policy(`
+	brctl_domtrans(nova_domain)
+')
+
+optional_policy(`
+	dnsmasq_exec(nova_domain)
+')
+
+optional_policy(`
+	lvm_domtrans(nova_domain)
+')
+
+optional_policy(`
+	lvm_domtrans(nova_domain)
+')
+
+#######################################
+#
+# nova sudo domain local policy
+#
+
+ifdef(`hide_broken_symptoms',`
+	optional_policy(`
+		sudo_exec(nova_sudo_domain)
+        allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write };
+		allow nova_sudo_domain self:process { setsched setrlimit };
+		logging_send_audit_msgs(nova_sudo_domain)
+	')
+')
+
diff --git a/nscd.fc b/nscd.fc
index ba64485074..429bd799c8 100644
--- a/nscd.fc
+++ b/nscd.fc
@@ -1,13 +1,15 @@
 /etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
 
-/usr/sbin/nscd	--	gen_context(system_u:object_r:nscd_exec_t,s0)
+/usr/sbin/nscd		--	gen_context(system_u:object_r:nscd_exec_t,s0)
 
-/var/cache/nscd(/.*)?	gen_context(system_u:object_r:nscd_var_run_t,s0)
-
-/var/db/nscd(/.*)?	gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/db/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/cache/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
 
 /var/log/nscd\.log.*	--	gen_context(system_u:object_r:nscd_log_t,s0)
 
-/var/run/nscd(/.*)?	gen_context(system_u:object_r:nscd_var_run_t,s0)
 /var/run/nscd\.pid	--	gen_context(system_u:object_r:nscd_var_run_t,s0)
 /var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
index 8f2ab09f51..e05a0c73ef 100644
--- a/nscd.if
+++ b/nscd.if
@@ -1,8 +1,8 @@
-## <summary>Name service cache daemon.</summary>
+## <summary>Name service cache daemon</summary>
 
 ########################################
 ## <summary>
-##	Send generic signals to nscd.
+##	Send generic signals to NSCD.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -20,7 +20,7 @@ interface(`nscd_signal',`
 
 ########################################
 ## <summary>
-##	Send kill signals to nscd.
+##	Send NSCD the kill signal.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -38,7 +38,7 @@ interface(`nscd_kill',`
 
 ########################################
 ## <summary>
-##	Send null signals to nscd.
+##	Send signulls to NSCD.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -56,7 +56,7 @@ interface(`nscd_signull',`
 
 ########################################
 ## <summary>
-##	Execute nscd in the nscd domain.
+##	Execute NSCD in the nscd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -71,11 +71,13 @@ interface(`nscd_domtrans',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, nscd_exec_t, nscd_t)
+    allow $1 nscd_exec_t:file map;
 ')
 
 ########################################
 ## <summary>
-##	Execute nscd in the caller domain.
+##	Allow the specified domain to execute nscd
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,14 +90,14 @@ interface(`nscd_exec',`
 		type nscd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, nscd_exec_t)
+    allow $1 nscd_exec_t:file map;
 ')
 
 ########################################
 ## <summary>
-##	Use nscd services by connecting using
-##	a unix domain stream socket.
+##	Use NSCD services by connecting using
+##	a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112,22 +114,19 @@ interface(`nscd_socket_use',`
 	allow $1 self:unix_stream_socket create_socket_perms;
 
 	allow $1 nscd_t:nscd { getpwd getgrp gethost };
-
 	dontaudit $1 nscd_t:fd use;
 	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
-
 	files_search_pids($1)
 	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+	allow $1 nscd_t:unix_stream_socket { connectto create_socket_perms };
 	dontaudit $1 nscd_var_run_t:file read_file_perms;
-
+	allow $1 nscd_var_run_t:file map;
 	ps_process_pattern(nscd_t, $1)
 ')
 
 ########################################
 ## <summary>
-##	Use nscd services by mapping the
-##	database from an inherited nscd
-##	file descriptor.
+##	Use nscd services
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -135,28 +134,39 @@ interface(`nscd_socket_use',`
 ##	</summary>
 ## </param>
 #
-interface(`nscd_shm_use',`
+interface(`nscd_use',`
+	tunable_policy(`nscd_use_shm',`
+		nscd_shm_use($1)
+	',`
+		nscd_socket_use($1)
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write nscd sock files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`nscd_dontaudit_write_sock_file',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
-		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 	')
 
-	allow $1 self:unix_stream_socket create_stream_socket_perms;
-
-	allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
-	allow $1 nscd_t:fd use;
-
-	files_search_pids($1)
-	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
-	dontaudit $1 nscd_var_run_t:file read_file_perms;
+	dontaudit $1 nscd_t:sock_file write;
+	dontaudit $1 nscd_var_run_t:sock_file write;
+	dontaudit $1 nscd_t:unix_stream_socket connectto;
 
-	allow $1 nscd_var_run_t:dir list_dir_perms;
-	allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Use nscd services.
+##	Use NSCD services by mapping the database from
+##	an inherited NSCD file descriptor.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -164,18 +174,34 @@ interface(`nscd_shm_use',`
 ##	</summary>
 ## </param>
 #
-interface(`nscd_use',`
-	tunable_policy(`nscd_use_shm',`
-		nscd_shm_use($1)
-	',`
-		nscd_socket_use($1)
+interface(`nscd_shm_use',`
+	gen_require(`
+		type nscd_t, nscd_var_run_t;
+		class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv shmemnetgrp getnetgrp };
 	')
+
+	allow $1 nscd_var_run_t:dir list_dir_perms;
+    allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv  shmemnetgrp};
+	# Receive fd from nscd and map the backing file with read access.
+	allow $1 nscd_t:fd use;
+
+	# cjp: these were originally inherited from the
+	# nscd_socket_domain macro. need to investigate
+	# if they are all actually required
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+	# dg: This may not be required.
+	allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
+
+	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+	files_search_pids($1)
+	allow $1 nscd_t:nscd { getpwd getgrp gethost getserv getnetgrp };
+	dontaudit $1 nscd_var_run_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search
-##	nscd pid directories.
+##	Do not audit attempts to search the NSCD pid directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -193,7 +219,25 @@ interface(`nscd_dontaudit_search_pid',`
 
 ########################################
 ## <summary>
-##	Read nscd pid files.
+##      Do not audit attempts to read the NSCD pid directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`nscd_dontaudit_read_pid',`
+        gen_require(`
+                type nscd_var_run_t;
+        ')
+
+        dontaudit $1 nscd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read NSCD pid file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -212,7 +256,7 @@ interface(`nscd_read_pid',`
 
 ########################################
 ## <summary>
-##	Unconfined access to nscd services.
+##	Unconfined access to NSCD services.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -244,20 +288,20 @@ interface(`nscd_unconfined',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`nscd_run',`
 	gen_require(`
-		attribute_role nscd_roles;
+		type nscd_t;
 	')
 
 	nscd_domtrans($1)
-	roleattribute $2 nscd_roles;
+	role $2 types nscd_t;
 ')
 
 ########################################
 ## <summary>
-##	Execute the nscd server init
-##	script in the initrc domain.
+##	Execute the nscd server init script.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -275,8 +319,32 @@ interface(`nscd_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an nscd environment.
+##	Execute nscd server in the nscd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`nscd_systemctl',`
+	gen_require(`
+		type nscd_unit_file_t;
+		type nscd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 nscd_unit_file_t:file read_file_perms;
+	allow $1 nscd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, nscd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an nscd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -285,7 +353,7 @@ interface(`nscd_initrc_domtrans',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the nscd domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -294,10 +362,14 @@ interface(`nscd_admin',`
 	gen_require(`
 		type nscd_t, nscd_log_t, nscd_var_run_t;
 		type nscd_initrc_exec_t;
+		type nscd_unit_file_t;
 	')
 
-	allow $1 nscd_t:process { ptrace signal_perms };
+	allow $1 nscd_t:process signal_perms;
 	ps_process_pattern($1, nscd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 nscd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -310,5 +382,7 @@ interface(`nscd_admin',`
 	files_list_pids($1)
 	admin_pattern($1, nscd_var_run_t)
 
-	nscd_run($1, $2)
+	nscd_systemctl($1)
+	admin_pattern($1, nscd_unit_file_t)
+	allow $1 nscd_unit_file_t:service all_service_perms;
 ')
diff --git a/nscd.te b/nscd.te
index bcd7d0a7d5..1cd3a8b62f 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,33 +4,34 @@ gen_require(`
 	class nscd all_nscd_perms;
 ')
 
-########################################
-#
-# Declarations
-#
-
 ## <desc>
 ##	<p>
-##	Determine whether confined applications
-##	can use nscd shared memory.
+##	Allow confined applications to use nscd shared memory.
 ##	</p>
 ## </desc>
 gen_tunable(nscd_use_shm, false)
 
-attribute_role nscd_roles;
+########################################
+#
+# Declarations
+#
 
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
 type nscd_var_run_t;
 files_pid_file(nscd_var_run_t)
-init_daemon_run_dir(nscd_var_run_t, "nscd")
 
+# nscd is both the client program and the daemon.
 type nscd_t;
 type nscd_exec_t;
 init_daemon_domain(nscd_t, nscd_exec_t)
-role nscd_roles types nscd_t;
 
 type nscd_initrc_exec_t;
 init_script_file(nscd_initrc_exec_t)
 
+type nscd_unit_file_t;
+systemd_unit_file(nscd_unit_file_t)
+
 type nscd_log_t;
 logging_log_file(nscd_log_t)
 
@@ -40,56 +41,61 @@ logging_log_file(nscd_log_t)
 #
 
 allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability2 block_suspend;
 dontaudit nscd_t self:capability sys_tty_config;
 allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
 allow nscd_t self:fifo_file read_fifo_file_perms;
-allow nscd_t self:unix_stream_socket { accept listen };
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket create_socket_perms;
 
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon.
 allow nscd_t self:nscd { admin getstat };
 
-allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow nscd_t nscd_log_t:file manage_file_perms;
 logging_log_filetrans(nscd_t, nscd_log_t, file)
 
+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
 manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
 manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+allow nscd_t nscd_var_run_t:file map;
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
 
+corecmd_search_bin(nscd_t)
 can_exec(nscd_t, nscd_exec_t)
 
-kernel_list_proc(nscd_t)
-kernel_read_kernel_sysctls(nscd_t)
 kernel_read_network_state(nscd_t)
+kernel_read_kernel_sysctls(nscd_t)
+kernel_search_network_sysctl(nscd_t)
+kernel_list_proc(nscd_t)
 kernel_read_proc_symlinks(nscd_t)
-
-corecmd_search_bin(nscd_t)
+kernel_read_net_sysctls(nscd_t)
 
 dev_read_sysfs(nscd_t)
 dev_read_rand(nscd_t)
 dev_read_urand(nscd_t)
 
-domain_search_all_domains_state(nscd_t)
-domain_use_interactive_fds(nscd_t)
-
-files_read_generic_tmp_symlinks(nscd_t)
-files_read_etc_runtime_files(nscd_t)
-
 fs_getattr_all_fs(nscd_t)
 fs_search_auto_mountpoints(nscd_t)
 fs_list_inotifyfs(nscd_t)
 
+# for when /etc/passwd has just been updated and has the wrong type
 auth_getattr_shadow(nscd_t)
 auth_use_nsswitch(nscd_t)
 
-corenet_all_recvfrom_unlabeled(nscd_t)
 corenet_all_recvfrom_netlabel(nscd_t)
 corenet_tcp_sendrecv_generic_if(nscd_t)
+corenet_udp_sendrecv_generic_if(nscd_t)
 corenet_tcp_sendrecv_generic_node(nscd_t)
-
-corenet_sendrecv_all_client_packets(nscd_t)
-corenet_tcp_connect_all_ports(nscd_t)
+corenet_udp_sendrecv_generic_node(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
-
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_generic_node(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
+corenet_sendrecv_all_client_packets(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
 
 selinux_get_fs_mount(nscd_t)
@@ -98,16 +104,24 @@ selinux_compute_access_vector(nscd_t)
 selinux_compute_create_context(nscd_t)
 selinux_compute_relabel_context(nscd_t)
 selinux_compute_user_contexts(nscd_t)
+domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
+
+files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
+
+files_map_system_db_files(nscd_t)
 
 logging_send_audit_msgs(nscd_t)
 logging_send_syslog_msg(nscd_t)
 
-miscfiles_read_localization(nscd_t)
-
 seutil_read_config(nscd_t)
 seutil_read_default_contexts(nscd_t)
 seutil_sigchld_newrole(nscd_t)
 
+sysnet_read_config(nscd_t)
+
 userdom_dontaudit_use_user_terminals(nscd_t)
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
 userdom_dontaudit_search_user_home_dirs(nscd_t)
@@ -121,13 +135,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	tunable_policy(`samba_domain_controller',`
-		samba_append_log(nscd_t)
-		samba_dontaudit_use_fds(nscd_t)
-	')
+	kerberos_use(nscd_t)
+')
 
-	samba_read_config(nscd_t)
-	samba_read_var_files(nscd_t)
+optional_policy(`
+    nis_authenticate(nscd_t)
 ')
 
 optional_policy(`
@@ -138,3 +150,20 @@ optional_policy(`
 	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
 	xen_append_log(nscd_t)
 ')
+
+optional_policy(`
+	tunable_policy(`samba_domain_controller',`
+		samba_append_log(nscd_t)
+		samba_dontaudit_use_fds(nscd_t)
+	')
+')
+
+optional_policy(`
+	samba_read_config(nscd_t)
+	samba_read_var_files(nscd_t)
+    samba_stream_connect_nmbd(nscd_t)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
diff --git a/nsd.fc b/nsd.fc
index 4f2b1b663c..0e24b49a92 100644
--- a/nsd.fc
+++ b/nsd.fc
@@ -1,16 +1,19 @@
-/etc/rc\.d/init\.d/nsd	--	gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
 
-/etc/nsd(/.*)?	gen_context(system_u:object_r:nsd_conf_t,s0)
-/etc/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
-/etc/nsd/primary(/.*)?	gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd(/.*)?			gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_zone_t,s0)
+/etc/nsd/primary(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
 /etc/nsd/secondary(/.*)?	gen_context(system_u:object_r:nsd_zone_t,s0)
 
-/usr/sbin/nsd	--	gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/nsdc	--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd		--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsdc		--	gen_context(system_u:object_r:nsd_exec_t,s0)
 /usr/sbin/nsd-notify	--	gen_context(system_u:object_r:nsd_exec_t,s0)
-/usr/sbin/zonec	--	gen_context(system_u:object_r:nsd_exec_t,s0)
-
-/var/lib/nsd(/.*)?	gen_context(system_u:object_r:nsd_zone_t,s0)
-/var/lib/nsd/nsd\.db	--	gen_context(system_u:object_r:nsd_db_t,s0)
+/usr/sbin/zonec		--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-checkconf		--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-checkzone		--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-control		--	gen_context(system_u:object_r:nsd_exec_t,s0)
+/usr/sbin/nsd-control-setup		--	gen_context(system_u:object_r:nsd_exec_t,s0)
 
+/var/lib/nsd(/.*)?		gen_context(system_u:object_r:nsd_zone_t,s0)
 /var/run/nsd\.pid	--	gen_context(system_u:object_r:nsd_var_run_t,s0)
+
+/var/log/nsd\.log.*	--	gen_context(system_u:object_r:nsd_log_t,s0)
diff --git a/nsd.if b/nsd.if
index a9c60ff87b..ad4f14ad60 100644
--- a/nsd.if
+++ b/nsd.if
@@ -1,8 +1,8 @@
-## <summary>Authoritative only name server.</summary>
+## <summary>Authoritative only name server</summary>
 
 ########################################
 ## <summary>
-##	Send and receive datagrams from NSD.  (Deprecated)
+##	Read NSD pid file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -10,13 +10,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`nsd_udp_chat',`
-	refpolicywarn(`$0($*) has been deprecated.')
+interface(`nsd_read_pid',`
+	gen_require(`
+		type nsd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to NSD over a TCP socket  (Deprecated)
+##	Send and receive datagrams from NSD.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',`
 ##	</summary>
 ## </param>
 #
-interface(`nsd_tcp_connect',`
+interface(`nsd_udp_chat',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an nsd environment.
+##	Connect to NSD over a TCP socket  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
-interface(`nsd_admin',`
-	gen_require(`
-		type nsd_t, nsd_conf_t, nsd_var_run_t;
-		type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
-	')
-
-	allow $1 nsd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, nsd_t)
-
-	init_labeled_script_domtrans($1, nsd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 nsd_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_search_etc($1)
-	admin_pattern($1, { nsd_conf_t nsd_db_t })
-
-	files_search_var_lib($1)
-	admin_pattern($1, nsd_zone_t)
-
-	files_list_pids($1)
-	admin_pattern($1, nsd_var_run_t)
+interface(`nsd_tcp_connect',`
+	refpolicywarn(`$0($*) has been deprecated.')
 ')
diff --git a/nsd.te b/nsd.te
index 47bb1d2049..94070d2237 100644
--- a/nsd.te
+++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
 type nsd_exec_t;
 init_daemon_domain(nsd_t, nsd_exec_t)
 
-type nsd_initrc_exec_t;
-init_script_file(nsd_initrc_exec_t)
-
+# A type for configuration files of nsd
 type nsd_conf_t;
 files_type(nsd_conf_t)
 
@@ -20,40 +18,51 @@ domain_type(nsd_crond_t)
 domain_entry_file(nsd_crond_t, nsd_exec_t)
 role system_r types nsd_crond_t;
 
-type nsd_db_t;
-files_type(nsd_db_t)
+type nsd_log_t;
+logging_log_file(nsd_log_t)
 
 type nsd_var_run_t;
 files_pid_file(nsd_var_run_t)
 
-type nsd_zone_t;
+# A type for zone files
+type nsd_zone_t alias nsd_db_t;
 files_type(nsd_zone_t)
 
+type nsd_tmp_t;
+files_tmp_file(nsd_tmp_t)
+
 ########################################
 #
-# Local policy
+# NSD Local policy
 #
 
-allow nsd_t self:capability { chown dac_override kill setgid setuid };
+allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin };
 dontaudit nsd_t self:capability sys_tty_config;
 allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
+allow nsd_t self:udp_socket create_socket_perms;
 allow nsd_t self:fifo_file rw_fifo_file_perms;
-allow nsd_t self:tcp_socket { accept listen };
 
-allow nsd_t nsd_conf_t:dir list_dir_perms;
-allow nsd_t nsd_conf_t:file read_file_perms;
-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
-
-allow nsd_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
+manage_dirs_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+manage_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
 
 manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
 files_pid_filetrans(nsd_t, nsd_var_run_t, file)
 
+manage_files_pattern(nsd_t, nsd_log_t, nsd_log_t)
+logging_log_filetrans(nsd_t, nsd_log_t, file)
+
 manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
+allow nsd_t nsd_zone_t:file { map } ;
+
+manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
+manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
+files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
+allow nsd_t nsd_tmp_t:file { map } ;
 
 can_exec(nsd_t, nsd_exec_t)
 
@@ -62,7 +71,6 @@ kernel_read_kernel_sysctls(nsd_t)
 
 corecmd_exec_bin(nsd_t)
 
-corenet_all_recvfrom_unlabeled(nsd_t)
 corenet_all_recvfrom_netlabel(nsd_t)
 corenet_tcp_sendrecv_generic_if(nsd_t)
 corenet_udp_sendrecv_generic_if(nsd_t)
@@ -72,16 +80,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
 corenet_udp_sendrecv_all_ports(nsd_t)
 corenet_tcp_bind_generic_node(nsd_t)
 corenet_udp_bind_generic_node(nsd_t)
-
-corenet_sendrecv_dns_server_packets(nsd_t)
 corenet_tcp_bind_dns_port(nsd_t)
 corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
+corenet_tcp_bind_nsd_control_port(nsd_t)
+corenet_sendrecv_nsd_control_server_packets(nsd_t)
+corenet_tcp_connect_nsd_control_port(nsd_t)
 
 dev_read_sysfs(nsd_t)
+dev_read_urand(nsd_t)
 
 domain_use_interactive_fds(nsd_t)
 
 files_read_etc_runtime_files(nsd_t)
+files_search_var_lib(nsd_t)
 
 fs_getattr_all_fs(nsd_t)
 fs_search_auto_mountpoints(nsd_t)
@@ -90,8 +102,6 @@ auth_use_nsswitch(nsd_t)
 
 logging_send_syslog_msg(nsd_t)
 
-miscfiles_read_localization(nsd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(nsd_t)
 userdom_dontaudit_search_user_home_dirs(nsd_t)
 
@@ -105,23 +115,24 @@ optional_policy(`
 
 ########################################
 #
-# Cron local policy
+# Zone update cron job local policy
 #
 
-allow nsd_crond_t self:capability { dac_override kill };
+# kill capability for root cron job and non-root daemon
+allow nsd_crond_t self:capability { dac_read_search dac_override kill };
 dontaudit nsd_crond_t self:capability sys_nice;
 allow nsd_crond_t self:process { setsched signal_perms };
 allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
+allow nsd_crond_t self:tcp_socket create_socket_perms;
+allow nsd_crond_t self:udp_socket create_socket_perms;
 
-allow nsd_crond_t nsd_t:process signal;
-ps_process_pattern(nsd_crond_t, nsd_t)
-
-allow nsd_crond_t nsd_conf_t:dir list_dir_perms;
 allow nsd_crond_t nsd_conf_t:file read_file_perms;
-allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;
 
-allow nsd_crond_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
+files_search_var_lib(nsd_crond_t)
+
+allow nsd_crond_t nsd_t:process signal;
+
+ps_process_pattern(nsd_crond_t, nsd_t)
 
 manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
 filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
@@ -133,29 +144,33 @@ kernel_read_system_state(nsd_crond_t)
 corecmd_exec_bin(nsd_crond_t)
 corecmd_exec_shell(nsd_crond_t)
 
-corenet_all_recvfrom_unlabeled(nsd_crond_t)
 corenet_all_recvfrom_netlabel(nsd_crond_t)
 corenet_tcp_sendrecv_generic_if(nsd_crond_t)
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
 corenet_tcp_sendrecv_generic_node(nsd_crond_t)
-
-corenet_sendrecv_all_client_packets(nsd_crond_t)
-corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_generic_node(nsd_crond_t)
 corenet_tcp_sendrecv_all_ports(nsd_crond_t)
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
+corenet_tcp_connect_all_ports(nsd_crond_t)
+corenet_sendrecv_all_client_packets(nsd_crond_t)
 
 dev_read_urand(nsd_crond_t)
 
 domain_dontaudit_read_all_domains_state(nsd_crond_t)
 
 files_read_etc_runtime_files(nsd_crond_t)
+files_search_var_lib(nsd_t)
 
 auth_use_nsswitch(nsd_crond_t)
 
 logging_send_syslog_msg(nsd_crond_t)
 
-miscfiles_read_localization(nsd_crond_t)
-
 userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
 
+optional_policy(`
+	nsd_read_pid(nsd_crond_t)
+')
+
 optional_policy(`
 	cron_system_entry(nsd_crond_t, nsd_exec_t)
 ')
diff --git a/nslcd.fc b/nslcd.fc
index 402100e40f..ce913b2442 100644
--- a/nslcd.fc
+++ b/nslcd.fc
@@ -1,7 +1,4 @@
-/etc/nss-ldapd\.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
-
-/etc/rc\.d/init\.d/nslcd	--	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
-
-/usr/sbin/nslcd	--	gen_context(system_u:object_r:nslcd_exec_t,s0)
-
-/var/run/nslcd(/.*)?	gen_context(system_u:object_r:nslcd_var_run_t,s0)
+/etc/nss-ldapd.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd --	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd		--	gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)?		gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/nslcd.if b/nslcd.if
index 97df768d94..852d1c6c7a 100644
--- a/nslcd.if
+++ b/nslcd.if
@@ -1,4 +1,4 @@
-## <summary>Local LDAP name service daemon.</summary>
+## <summary>nslcd - local LDAP name service daemon.</summary>
 
 ########################################
 ## <summary>
@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',`
 		type nslcd_t, nslcd_exec_t;
 	')
 
-	corecmd_searh_bin($1)
 	domtrans_pattern($1, nslcd_exec_t, nslcd_t)
 ')
 
@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	Read nslcd pid files.
+##	Read nslcd PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Connect to nslcd over an unix
-##	domain stream socket.
+##	Dontaudit write to nslcd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_dontaudit_write_ock_file',`
+	gen_require(`
+		type nslcd_var_run_t;
+	')
+
+	dontaudit $1 nslcd_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Connect to nslcd over an unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',`
 		type nslcd_t, nslcd_var_run_t;
 	')
 
-	files_search_pids($1)
 	stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+	files_search_pids($1)
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to write nslcd sock files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`nslcd_dontaudit_write_sock_file',`
+    gen_require(`
+            type nslcd_t, nslcd_var_run_t;
+                ')
+
+    dontaudit $1 nslcd_t:sock_file write;
+    dontaudit $1 nslcd_var_run_t:sock_file write;
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an nslcd environment.
+##	All of the rules required to administrate
+##	an nslcd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99,17 +134,21 @@ interface(`nslcd_admin',`
 		type nslcd_conf_t;
 	')
 
-	allow $1 nslcd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, nslcd_t)
+	allow $1 nslcd_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 nslcd_t:process ptrace;
+	')
 
+	# Allow nslcd_t to restart the apache service
 	nslcd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 nslcd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, nslcd_conf_t)
 
-	files_search_pids($1)
-	admin_pattern($1, nslcd_var_run_t)
+	files_list_pids($1)
+	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
 ')
diff --git a/nslcd.te b/nslcd.te
index 421bf1a56c..1be3b6b306 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
 
 ########################################
 #
-# Local policy
+# nslcd local policy
 #
 
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
+allow nslcd_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow nslcd_t nslcd_conf_t:file read_file_perms;
 
@@ -36,16 +36,17 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
 
 kernel_read_system_state(nslcd_t)
 
+dev_read_sysfs(nslcd_t)
+
 corenet_all_recvfrom_unlabeled(nslcd_t)
 corenet_all_recvfrom_netlabel(nslcd_t)
-corenet_tcp_sendrecv_generic_if(nslcd_t)
-corenet_tcp_sendrecv_generic_node(nslcd_t)
-
-corenet_sendrecv_ldap_client_packets(nslcd_t)
 corenet_tcp_connect_ldap_port(nslcd_t)
-corenet_tcp_sendrecv_ldap_port(nslcd_t)
+corenet_sendrecv_ldap_client_packets(nslcd_t)
 
 dev_read_sysfs(nslcd_t)
+dev_read_urand(nslcd_t)
+
+corecmd_exec_bin(nslcd_t)
 
 files_read_usr_symlinks(nslcd_t)
 files_list_tmp(nslcd_t)
@@ -54,10 +55,13 @@ auth_use_nsswitch(nslcd_t)
 
 logging_send_syslog_msg(nslcd_t)
 
-miscfiles_read_localization(nslcd_t)
-
 userdom_read_user_tmp_files(nslcd_t)
 
+optional_policy(`
+	dirsrv_stream_connect(nslcd_t)
+')
+
 optional_policy(`
 	ldap_stream_connect(nslcd_t)
 ')
+
diff --git a/nsplugin.fc b/nsplugin.fc
new file mode 100644
index 0000000000..22e6c963c0
--- /dev/null
+++ b/nsplugin.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
+
+/usr/bin/nspluginscan	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/bin/nspluginviewer	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/nsplugin.if b/nsplugin.if
new file mode 100644
index 0000000000..bceb5271eb
--- /dev/null
+++ b/nsplugin.if
@@ -0,0 +1,474 @@
+
+## <summary>policy for nsplugin</summary>
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	nsplugin rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_manage_rw_files',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+	allow $1 nsplugin_rw_t:file manage_file_perms;
+	allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Manage nsplugin rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_manage_rw',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+         manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+         manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+         manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+## <summary>
+##	The per role template for the nsplugin module.
+## </summary>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_role_notrans',`
+	gen_require(`
+		type nsplugin_rw_t;
+		type nsplugin_home_t;
+		type nsplugin_exec_t;
+		type nsplugin_config_exec_t;
+		type nsplugin_t;
+		type nsplugin_config_t;
+		class x_drawable all_x_drawable_perms;
+		class x_resource all_x_resource_perms;
+		class dbus send_msg;
+	')
+
+	role $1 types nsplugin_t;
+	role $1 types nsplugin_config_t;
+
+	allow nsplugin_t $2:process signull;
+	allow nsplugin_t $2:dbus send_msg;
+	allow $2 nsplugin_t:dbus send_msg;
+
+	list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+	read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+	can_exec($2, nsplugin_rw_t)
+
+	#Leaked File Descriptors
+ifdef(`hide_broken_symptoms', `
+	dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
+	dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
+')
+	allow nsplugin_t $2:unix_stream_socket connectto;
+	dontaudit nsplugin_t $2:process ptrace;
+	allow nsplugin_t $2:sem rw_sem_perms;
+	allow nsplugin_t $2:shm rw_shm_perms;
+	dontaudit nsplugin_t $2:shm destroy;
+	allow $2 nsplugin_t:sem rw_sem_perms;
+
+	allow $2 nsplugin_t:process { getattr signal_perms };
+	allow $2 nsplugin_t:unix_stream_socket connectto;
+
+	# Connect to pulseaudit server
+	stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+	optional_policy(`
+		gnome_stream_connect(nsplugin_t, $2)
+	')
+
+	userdom_use_inherited_user_terminals(nsplugin_t)
+	userdom_use_inherited_user_terminals(nsplugin_config_t)
+	userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+	userdom_manage_tmp_role($1, nsplugin_t)
+
+	optional_policy(`
+		pulseaudio_role($1, nsplugin_t)
+	')
+')
+
+#######################################
+## <summary>
+##	Role access for nsplugin
+## </summary>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_role',`
+	gen_require(`
+		type nsplugin_exec_t;
+		type nsplugin_config_exec_t;
+		type nsplugin_t;
+		type nsplugin_config_t;
+	')
+
+	nsplugin_role_notrans($1, $2)
+
+	domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+	domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+
+')
+
+#######################################
+## <summary>
+##	The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_domtrans',`
+	gen_require(`
+		type nsplugin_exec_t;
+		type nsplugin_t;
+	')
+
+	domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
+	allow $1 nsplugin_t:unix_stream_socket connectto;
+	allow nsplugin_t $1:process signal;
+')
+
+#######################################
+## <summary>
+##	The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_domtrans_config',`
+	gen_require(`
+		type nsplugin_config_exec_t;
+		type nsplugin_config_t;
+	')
+
+	domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+########################################
+## <summary>
+##	Search nsplugin rw directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_search_rw_dir',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+	allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read nsplugin rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_read_rw_files',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+	list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+	read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+	read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+##	Read nsplugin home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_read_home',`
+	gen_require(`
+		type nsplugin_home_t;
+	')
+
+	list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+	read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+	read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+##	Exec nsplugin rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_rw_exec',`
+	gen_require(`
+		type nsplugin_rw_t;
+	')
+
+	can_exec($1, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	nsplugin home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_manage_home_files',`
+	gen_require(`
+		type nsplugin_home_t;
+	')
+
+	manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+##	manage nnsplugin home dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_manage_home_dirs',`
+	gen_require(`
+		type nsplugin_home_t;
+	')
+
+	manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+##	Allow attempts to read and write to
+##	nsplugin named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_rw_pipes',`
+	gen_require(`
+		type nsplugin_home_t;
+	')
+
+	allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; 
+')
+
+########################################
+## <summary>
+##	Read and write to nsplugin shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_rw_shm',`
+	gen_require(`
+		type nsplugin_t;
+	')
+
+	allow $1 nsplugin_t:shm rw_shm_perms;
+')
+
+#####################################
+## <summary>
+##      Allow read and write access to nsplugin semaphores.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`nsplugin_rw_semaphores',`
+        gen_require(`
+                type nsplugin_t;
+        ')
+
+        allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+##	Execute nsplugin_exec_t 
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a nsplugin_exec_t
+##	in the specified domain.  
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_exec_domtrans',`
+	gen_require(`
+		type nsplugin_exec_t;
+	')
+
+	allow $2 nsplugin_exec_t:file entrypoint;
+	domtrans_pattern($1, nsplugin_exec_t, $2)
+')
+
+########################################
+## <summary>
+##	Send generic signals to user nsplugin processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_signal',`
+	gen_require(`
+		type nsplugin_t;
+	')
+
+	allow $1 nsplugin_t:process signal;
+')
+
+########################################
+## <summary>
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	the nsplugin home file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_user_home_dir_filetrans',`
+	gen_require(`
+		type nsplugin_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
+')
+
+#######################################
+## <summary>
+##  Create objects in a user home directory
+##  with an automatic type transition to
+##  the nsplugin home file type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="object_class">
+##  <summary>
+##  The class of the object to be created.
+##  </summary>
+## </param>
+#
+interface(`nsplugin_user_home_filetrans',`
+    gen_require(`
+        type nsplugin_home_t;
+    ')
+
+    userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
+')
+
+########################################
+## <summary>
+##	Send signull signal to nsplugin
+##	processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nsplugin_signull',`
+	gen_require(`
+		type nsplugin_t;
+	')
+
+	allow $1 nsplugin_t:process signull;
+')
diff --git a/nsplugin.te b/nsplugin.te
new file mode 100644
index 0000000000..7d839fe6ec
--- /dev/null
+++ b/nsplugin.te
@@ -0,0 +1,318 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow nsplugin code to execmem/execstack
+## </p>
+## </desc>
+gen_tunable(nsplugin_execmem, false)
+
+## <desc>
+## <p>
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+application_domain(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+
+tunable_policy(`nsplugin_execmem',`
+	allow nsplugin_t self:process { execstack execmem };
+	allow nsplugin_config_t self:process { execstack execmem };
+')
+	
+tunable_policy(`nsplugin_can_network',`
+	corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+	corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
+userdom_dontaudit_search_admin_dir(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_ms_streaming_port(nsplugin_t)
+corenet_tcp_connect_rtsp_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_connect_squid_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_generic_node(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_urand(nsplugin_t)
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_getattr_mouse_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+dev_read_sysfs(nsplugin_t)
+dev_dontaudit_getattr_all(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+kernel_read_network_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+fs_list_inotifyfs(nsplugin_t)
+fs_dontaudit_list_fusefs(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_ptys(nsplugin_t)
+term_dontaudit_getattr_all_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
+userdom_manage_user_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
+userdom_rw_semaphores(nsplugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
+
+userdom_read_user_home_content_symlinks(nsplugin_t)
+userdom_read_user_home_content_files(nsplugin_t)
+userdom_read_user_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(nsplugin_t)
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
+userdom_read_home_audio_files(nsplugin_t)
+
+optional_policy(`
+	alsa_read_rw_config(nsplugin_t)
+	alsa_read_home_files(nsplugin_t)
+')
+
+optional_policy(`
+	chrome_dontaudit_sandbox_leaks(nsplugin_t)
+')
+
+optional_policy(`
+	cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+	dbus_session_bus_client(nsplugin_t)
+	dbus_connect_session_bus(nsplugin_t)
+	dbus_system_bus_client(nsplugin_t)
+')
+
+optional_policy(`
+	gnome_exec_gconf(nsplugin_t)
+	gnome_manage_config(nsplugin_t)
+	gnome_read_gconf_home_files(nsplugin_t)
+	gnome_read_usr_config(nsplugin_t)
+')
+
+optional_policy(`
+	gpm_getattr_gpmctl(nsplugin_t)
+')
+
+optional_policy(`
+	mozilla_exec_user_home_files(nsplugin_t)
+	mozilla_read_user_home_files(nsplugin_t)
+	mozilla_write_user_home_files(nsplugin_t)
+	mozilla_plugin_delete_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+	mplayer_exec(nsplugin_t)
+	mplayer_read_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+	sandbox_read_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+	xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+	xserver_rw_shm(nsplugin_t)
+	xserver_read_xdm_pid(nsplugin_t)
+	xserver_read_xdm_tmp_files(nsplugin_t)
+	xserver_read_user_xauth(nsplugin_t)
+	xserver_read_user_iceauth(nsplugin_t)
+	xserver_use_user_fonts(nsplugin_t)
+	xserver_rw_inherited_user_fonts(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_search_sysfs(nsplugin_config_t)
+dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
+
+fs_search_auto_mountpoints(nsplugin_config_t)
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+kernel_request_load_module(nsplugin_config_t)
+
+domain_use_interactive_fds(nsplugin_config_t)
+
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_user_home_content(nsplugin_config_t)
+userdom_read_user_home_content_symlinks(nsplugin_config_t)
+userdom_read_user_home_content_files(nsplugin_config_t)
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_getattr_nfs(nsplugin_t)
+	fs_manage_nfs_dirs(nsplugin_t)
+	fs_manage_nfs_files(nsplugin_t)
+	fs_manage_nfs_symlinks(nsplugin_t)
+	fs_manage_nfs_named_pipes(nsplugin_t)
+	fs_manage_nfs_dirs(nsplugin_config_t)
+	fs_manage_nfs_files(nsplugin_config_t)
+	fs_manage_nfs_named_pipes(nsplugin_config_t)
+	fs_manage_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_getattr_cifs(nsplugin_t)
+	fs_manage_cifs_dirs(nsplugin_t)
+	fs_manage_cifs_files(nsplugin_t)
+	fs_manage_cifs_symlinks(nsplugin_t)
+	fs_manage_cifs_named_pipes(nsplugin_t)
+	fs_manage_cifs_dirs(nsplugin_config_t)
+	fs_manage_cifs_files(nsplugin_config_t)
+	fs_manage_cifs_named_pipes(nsplugin_config_t)
+	fs_manage_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+	xserver_use_user_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+	mozilla_read_user_home_files(nsplugin_config_t)
+	mozilla_write_user_home_files(nsplugin_config_t)
+')
+
+application_signull(nsplugin_t)
+
+optional_policy(`
+	devicekit_dbus_chat_power(nsplugin_t)
+')
+
+optional_policy(`
+	pulseaudio_exec(nsplugin_t)
+	pulseaudio_stream_connect(nsplugin_t)
+	pulseaudio_manage_home_files(nsplugin_t)
+	pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
index 8ec78595b8..c696f67651 100644
--- a/ntop.te
+++ b/ntop.te
@@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t)
 # Local Policy
 #
 
-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search dac_override };
 dontaudit ntop_t self:capability sys_tty_config;
 allow ntop_t self:process signal_perms;
 allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:netlink_socket create_socket_perms;
 allow ntop_t self:tcp_socket { accept listen };
 allow ntop_t self:unix_stream_socket { accept listen };
 allow ntop_t self:packet_socket create_socket_perms;
@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t)
 kernel_read_network_state(ntop_t)
 kernel_read_kernel_sysctls(ntop_t)
 
-corenet_all_recvfrom_unlabeled(ntop_t)
 corenet_all_recvfrom_netlabel(ntop_t)
 corenet_tcp_sendrecv_generic_if(ntop_t)
 corenet_raw_sendrecv_generic_if(ntop_t)
@@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
 
 dev_read_sysfs(ntop_t)
 dev_rw_generic_usb_dev(ntop_t)
+dev_read_usbmon_dev(ntop_t)
+dev_write_usbmon_dev(ntop_t)
 
 domain_use_interactive_fds(ntop_t)
 
-files_read_usr_files(ntop_t)
 
 fs_getattr_all_fs(ntop_t)
 fs_search_auto_mountpoints(ntop_t)
@@ -100,6 +101,10 @@ optional_policy(`
 	apache_read_sys_content(ntop_t)
 ')
 
+optional_policy(`
+    snmp_read_snmp_var_lib_files(ntop_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(ntop_t)
 ')
diff --git a/ntp.fc b/ntp.fc
index af3c91e703..3e5f9cfa60 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -11,9 +11,13 @@
 
 /usr/sbin/ntpd	--	gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/libexec/ntpdate-wrapper    --  gen_context(system_u:object_r:ntpdate_exec_t,s0)
 /usr/sbin/sntp	--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
 
+/usr/lib/systemd/system/ntpd.*               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
 /var/lib/ntp(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)
 
 /var/log/ntp.*	--	gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/ntp.if b/ntp.if
index e96a309a50..42453089c8 100644
--- a/ntp.if
+++ b/ntp.if
@@ -1,4 +1,4 @@
-## <summary>Network time protocol daemon.</summary>
+## <summary>Network time protocol daemon</summary>
 
 ########################################
 ## <summary>
@@ -35,6 +35,25 @@ interface(`ntp_domtrans',`
 	domtrans_pattern($1, ntpd_exec_t, ntpd_t)
 ')
 
+########################################
+## <summary>
+##     Execute ntp server in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`ntp_exec',`
+       gen_require(`
+               type ntpd_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       can_exec($1, ntpd_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute ntp in the ntp domain, and
@@ -54,11 +73,11 @@ interface(`ntp_domtrans',`
 #
 interface(`ntp_run',`
 	gen_require(`
-		attribute_role ntpd_roles;
+		type ntpd_t;
 	')
 
 	ntp_domtrans($1)
-	roleattribute $2 ntpd_roles;
+	role $2 types ntpd_t;
 ')
 
 ########################################
@@ -98,6 +117,67 @@ interface(`ntp_initrc_domtrans',`
 	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 ')
 
+#####################################
+## <summary>
+##      Allow domain to read ntpd systemd unit files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_read_unit_file',`
+        gen_require(`
+                type ntpd_unit_file_t;
+        ')
+
+        files_search_var_lib($1)
+        allow $1 ntpd_unit_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute ntpd server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ntp_systemctl',`
+	gen_require(`
+		type ntpd_unit_file_t;
+		type ntpd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 ntpd_unit_file_t:file read_file_perms;
+	allow $1 ntpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+## <summary>
+##     Send a generic signal to ntpd
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ntp_signal',`
+    gen_require(`
+        type ntpd_t;
+    ')
+
+    allow $1 ntpd_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Read ntp drift files.
@@ -141,8 +221,27 @@ interface(`ntp_rw_shm',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an ntp environment.
+##	Allow the domain to read ntpd state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_read_state',`
+	gen_require(`
+		type ntpd_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, ntpd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ntp environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -151,28 +250,32 @@ interface(`ntp_rw_shm',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the ntp domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`ntp_admin',`
 	gen_require(`
-		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-		type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
-		type ntpd_initrc_exec_t, ntp_drift_t;
+		type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
+		type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
+		type ntpd_unit_file_t;
 	')
 
-	allow $1 ntpd_t:process { ptrace signal_perms };
+	allow $1 ntpd_t:process signal_perms;
 	ps_process_pattern($1, ntpd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ntpd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 ntpd_initrc_exec_t system_r;
 	allow $2 system_r;
 
 	files_list_etc($1)
-	admin_pattern($1, { ntpd_key_t ntp_conf_t })
+	admin_pattern($1, ntpd_key_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, ntpd_log_t)
@@ -186,5 +289,53 @@ interface(`ntp_admin',`
 	files_list_pids($1)
 	admin_pattern($1, ntpd_var_run_t)
 
-	ntp_run($1, $2)
+	ntp_systemctl($1)
+	admin_pattern($1, ntpd_unit_file_t)
+	allow $1 ntpd_unit_file_t:service all_service_perms;
+
+	ntp_filetrans_named_content($1)
 ')
+
+########################################
+## <summary>
+##	Transition content labels to ntp named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_filetrans_named_content',`
+	gen_require(`
+		type ntp_conf_t;
+        type ntp_drift_t;
+	')
+
+	files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
+	files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
+    files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
+')
+
+########################################
+## <summary>
+##      Create, read, write, and delete
+##      ntp log content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_manage_log',`
+         gen_require(`
+                 type ntpd_log_t;
+         ')
+ 
+        logging_search_logs($1)
+        manage_dirs_pattern($1, ntpd_log_t, ntpd_log_t)
+        manage_files_pattern($1, ntpd_log_t, ntpd_log_t)
+        manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t)
+')
+
diff --git a/ntp.te b/ntp.te
index f81b113c78..bc1e8ce997 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
 type ntpd_initrc_exec_t;
 init_script_file(ntpd_initrc_exec_t)
 
+type ntpd_unit_file_t;
+systemd_unit_file(ntpd_unit_file_t)
+
 type ntp_conf_t;
 files_config_file(ntp_conf_t)
 
@@ -44,7 +47,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 # Local policy
 #
 
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+allow ntpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file rw_fifo_file_perms;
@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp")
+files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")
 
 allow ntpd_t ntp_conf_t:file read_file_perms;
 
@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
 manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
@@ -77,27 +80,23 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
 files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
 
 can_exec(ntpd_t, ntpd_exec_t)
+can_exec(ntpd_t, ntpdate_exec_t)
 
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
 kernel_request_load_module(ntpd_t)
 
-corenet_all_recvfrom_unlabeled(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)
 corenet_tcp_sendrecv_generic_if(ntpd_t)
 corenet_udp_sendrecv_generic_if(ntpd_t)
 corenet_tcp_sendrecv_generic_node(ntpd_t)
 corenet_udp_sendrecv_generic_node(ntpd_t)
 corenet_udp_bind_generic_node(ntpd_t)
-
-corenet_sendrecv_ntp_server_packets(ntpd_t)
 corenet_udp_bind_ntp_port(ntpd_t)
-corenet_udp_sendrecv_ntp_port(ntpd_t)
-
-corenet_sendrecv_ntp_client_packets(ntpd_t)
 corenet_tcp_connect_ntp_port(ntpd_t)
-corenet_tcp_sendrecv_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
 
 corecmd_exec_bin(ntpd_t)
 corecmd_exec_shell(ntpd_t)
@@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t)
 domain_dontaudit_list_all_domains_state(ntpd_t)
 
 files_read_etc_runtime_files(ntpd_t)
-files_read_usr_files(ntpd_t)
 files_list_var_lib(ntpd_t)
 
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
 
 term_use_ptmx(ntpd_t)
+term_use_unallocated_ttys(ntpd_t)
 
 auth_use_nsswitch(ntpd_t)
 
@@ -124,11 +125,13 @@ init_exec_script_files(ntpd_t)
 
 logging_send_syslog_msg(ntpd_t)
 
-miscfiles_read_localization(ntpd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_user_home_dirs(ntpd_t)
 
+optional_policy(`
+    clock_domtrans(ntpd_t)
+')
+
 optional_policy(`
 	cron_system_entry(ntpd_t, ntpdate_exec_t)
 ')
@@ -151,10 +154,19 @@ optional_policy(`
 	logrotate_exec(ntpd_t)
 ')
 
+optional_policy(`
+    ptp4l_rw_shm(ntpd_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(ntpd_t)
 ')
 
+optional_policy(`
+    timemaster_read_pid_files(ntpd_t)
+    timemaster_rw_shm(ntpd_t)
+')
+
 optional_policy(`
 	udev_read_db(ntpd_t)
 ')
diff --git a/numad.fc b/numad.fc
index 3488bb0d36..1f97624205 100644
--- a/numad.fc
+++ b/numad.fc
@@ -1,7 +1,7 @@
-/etc/rc\.d/init\.d/numad	--	gen_context(system_u:object_r:numad_initrc_exec_t,s0)
+/usr/bin/numad		--	gen_context(system_u:object_r:numad_exec_t,s0)
 
-/usr/bin/numad	--	gen_context(system_u:object_r:numad_exec_t,s0)
+/usr/lib/systemd/system/numad.*		--	gen_context(system_u:object_r:numad_unit_file_t,s0)
 
-/var/log/numad\.log.*	--	gen_context(system_u:object_r:numad_log_t,s0)
+/var/log/numad\.log.*	 --  gen_context(system_u:object_r:numad_var_log_t,s0)
 
-/var/run/numad\.pid	--	gen_context(system_u:object_r:numad_var_run_t,s0)
+/var/run/numad\.pid      --  gen_context(system_u:object_r:numad_var_run_t,s0)
diff --git a/numad.if b/numad.if
index 0d3c270b9e..f307835ce8 100644
--- a/numad.if
+++ b/numad.if
@@ -1,39 +1,93 @@
-## <summary>Non-Uniform Memory Alignment Daemon.</summary>
+
+## <summary>policy for numad</summary>
+
+########################################
+## <summary>
+##	Transition to numad.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`numad_domtrans',`
+	gen_require(`
+		type numad_t, numad_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, numad_exec_t, numad_t)
+')
+########################################
+## <summary>
+##	Execute numad server in the numad domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`numad_systemctl',`
+	gen_require(`
+		type numad_t;
+		type numad_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 numad_unit_file_t:file read_file_perms;
+	allow $1 numad_unit_file_t:service all_service_perms;
+
+	ps_process_pattern($1, numad_t)
+')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an numad environment.
+##	Send and receive messages from
+##	numad over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`numad_dbus_chat',`
+	gen_require(`
+		type numad_t;
+		class dbus send_msg;
+	')
+
+	allow $1 numad_t:dbus send_msg;
+	allow numad_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an numad environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`numad_admin',`
 	gen_require(`
-		type numad_t, numad_initrc_exec_t, numad_log_t;
-		type numad_var_run_t;
+		type numad_t;
+		type numad_unit_file_t;
 	')
 
 	allow $1 numad_t:process { ptrace signal_perms };
 	ps_process_pattern($1, numad_t)
 
-	init_labeled_script_domtrans($1, numad_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 numad_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	logging_search_logs($1)
-	admin_pattern($1, numad_log_t)
-
-	files_search_pids($1)
-	admin_pattern($1, numad_var_run_t)
+	numad_systemctl($1)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/numad.te b/numad.te
index b0a1be4825..303a9279f7 100644
--- a/numad.te
+++ b/numad.te
@@ -8,37 +8,44 @@ policy_module(numad, 1.1.0)
 type numad_t;
 type numad_exec_t;
 init_daemon_domain(numad_t, numad_exec_t)
-application_executable_file(numad_exec_t)
 
-type numad_initrc_exec_t;
-init_script_file(numad_initrc_exec_t)
+type numad_unit_file_t;
+systemd_unit_file(numad_unit_file_t)
 
-type numad_log_t;
-logging_log_file(numad_log_t)
+type numad_var_log_t;
+logging_log_file(numad_var_log_t)
 
 type numad_var_run_t;
 files_pid_file(numad_var_run_t)
 
 ########################################
 #
-# Local policy
+# numad local policy
 #
 
+allow numad_t self:capability sys_ptrace;
 allow numad_t self:fifo_file rw_fifo_file_perms;
-allow numad_t self:msg { send receive };
 allow numad_t self:msgq create_msgq_perms;
+allow numad_t self:msg { send receive };
 allow numad_t self:unix_stream_socket create_stream_socket_perms;
 
-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(numad_t, numad_log_t, file)
+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
+logging_log_filetrans(numad_t, numad_var_log_t, file)
 
 manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
 files_pid_filetrans(numad_t, numad_var_run_t, file)
 
 kernel_read_system_state(numad_t)
 
-dev_read_sysfs(numad_t)
+dev_rw_sysfs(numad_t)
+
+domain_use_interactive_fds(numad_t)
+domain_read_all_domains_state(numad_t)
+domain_setpriority_all_domains(numad_t)
 
-files_read_etc_files(numad_t)
+fs_manage_cgroup_dirs(numad_t)
+fs_rw_cgroup_files(numad_t)
 
-miscfiles_read_localization(numad_t)
+tunable_policy(`deny_ptrace',`',`
+	virt_ptrace(numad_t)
+')
diff --git a/nut.fc b/nut.fc
index 379af962cb..fac7d7bc91 100644
--- a/nut.fc
+++ b/nut.fc
@@ -1,23 +1,16 @@
-/etc/nut(/.*)?	gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/ups(/.*)?	gen_context(system_u:object_r:nut_conf_t,s0)
+/etc/ups(/.*)?		gen_context(system_u:object_r:nut_conf_t,s0)
 
-/etc/rc\.d/init\.d/nut-driver	--	gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nut-server	--	gen_context(system_u:object_r:nut_initrc_exec_t,s0)
-
-/sbin/upsd	--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
 /sbin/upsdrvctl	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
 
-/usr/lib/cgi-bin/nut/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsset\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/usr/lib/systemd/system/nut.*	--  gen_context(system_u:object_r:nut_unit_file_t,s0)
 
 /usr/sbin/upsd	--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
 /usr/sbin/upsdrvctl	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/usr/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+/usr/sbin/blazer_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/sbin/upsmon --	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
 
 /var/run/nut(/.*)?	gen_context(system_u:object_r:nut_var_run_t,s0)
 
-/var/www/nut-cgi-bin/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsset\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/var/www/nut-cgi-bin/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
index 57c0161edb..c554eb6e16 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1,60 @@
-## <summary>Network UPS Tools </summary>
+## <summary>nut - Network UPS Tools </summary>
 
-########################################
+#######################################
 ## <summary>
-##	All of the rules required to
-##	administrate an nut environment.
+##  Creates types and rules for a basic
+##  Network UPS Tools systemd daemon domain.
 ## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
 ## </param>
-## <rolecap/>
 #
-interface(`nut_admin',`
+template(`nut_domain_template',`
 	gen_require(`
 		attribute nut_domain;
-		type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
 	')
 
-	allow $1 nut_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, nut_domain_t)
+	type nut_$1_t, nut_domain;
+	type nut_$1_exec_t;
+	init_daemon_domain(nut_$1_t, nut_$1_exec_t)
+
+	type nut_$1_tmp_t;
+	files_tmp_file(nut_$1_tmp_t)
+
+	manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+	manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+	manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
+	files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
+	fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
 
-	init_labeled_script_domtrans($1, nut_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 nut_initrc_exec_t system_r;
-	allow $2 system_r;
+    auth_use_nsswitch(nut_$1_t)
+
+    logging_send_syslog_msg(nut_$1_t)
+
+')
+
+#######################################
+## <summary>
+##  Execute swift server in the swift domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`nut_systemctl',`
+    gen_require(`
+        type nut_t;
+        type nut_unit_file_t;
+    ')
 
-	files_search_etc($1)
-	admin_pattern($1, nut_conf_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    allow $1 nut_unit_file_t:file read_file_perms;
+    allow $1 nut_unit_file_t:service manage_service_perms;
 
-	files_search_pids($1)
-	admin_pattern($1, nut_var_run_t)
+    ps_process_pattern($1, nut_t)
 ')
diff --git a/nut.te b/nut.te
index 5b2cb0d595..35b45d22eb 100644
--- a/nut.te
+++ b/nut.te
@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0)
 
 attribute nut_domain;
 
+nut_domain_template(upsd)
+nut_domain_template(upsmon)
+nut_domain_template(upsdrvctl)
+
 type nut_conf_t;
 files_config_file(nut_conf_t)
 
-type nut_upsd_t, nut_domain;
-type nut_upsd_exec_t;
-init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
-
-type nut_upsmon_t, nut_domain;
-type nut_upsmon_exec_t;
-init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
-
-type nut_upsdrvctl_t, nut_domain;
-type nut_upsdrvctl_exec_t;
-init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
-
-type nut_initrc_exec_t;
-init_script_file(nut_initrc_exec_t)
-
 type nut_var_run_t;
 files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
 
-########################################
+type nut_unit_file_t;
+systemd_unit_file(nut_unit_file_t)
+
+#######################################
 #
-# Common nut domain local policy
+# Local policy for upsd
 #
 
-allow nut_domain self:capability { setgid setuid dac_override kill };
+allow nut_domain self:capability { setgid setuid dac_read_search dac_override };
+
 allow nut_domain self:process signal_perms;
-allow nut_domain self:fifo_file rw_fifo_file_perms;
-allow nut_domain self:unix_dgram_socket sendto;
 
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
+allow nut_domain self:fifo_file rw_fifo_file_perms;
+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
 
+# pid file
 manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
 manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
-
-kernel_read_kernel_sysctls(nut_domain)
-
-logging_send_syslog_msg(nut_domain)
-
-miscfiles_read_localization(nut_domain)
+manage_sock_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_domain, nut_var_run_t, dir)
 
 ########################################
 #
-# Upsd local policy
+# Local policy for upsd
 #
 
-allow nut_upsd_t self:tcp_socket { accept listen };
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
 
-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
 
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
 
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
+kernel_read_kernel_sysctls(nut_upsd_t)
 
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
 corenet_tcp_bind_ups_port(nut_upsd_t)
-
-corenet_sendrecv_generic_server_packets(nut_upsd_t)
 corenet_tcp_bind_generic_port(nut_upsd_t)
-
-files_read_usr_files(nut_upsd_t)
-
-auth_use_nsswitch(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
 
 ########################################
 #
-# Upsmon local policy
+# Local policy for upsmon
 #
 
-allow nut_upsmon_t self:capability dac_read_search;
-allow nut_upsmon_t self:unix_stream_socket connectto;
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
 
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
 kernel_read_system_state(nut_upsmon_t)
 
 corecmd_exec_bin(nut_upsmon_t)
 corecmd_exec_shell(nut_upsmon_t)
 
-corenet_all_recvfrom_unlabeled(nut_upsmon_t)
-corenet_all_recvfrom_netlabel(nut_upsmon_t)
-corenet_tcp_sendrecv_generic_if(nut_upsmon_t)
-corenet_tcp_sendrecv_generic_node(nut_upsmon_t)
-corenet_tcp_sendrecv_all_ports(nut_upsmon_t)
-corenet_tcp_bind_generic_node(nut_upsmon_t)
-
-corenet_sendrecv_ups_client_packets(nut_upsmon_t)
 corenet_tcp_connect_ups_port(nut_upsmon_t)
-
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
 corenet_tcp_connect_generic_port(nut_upsmon_t)
 
+# Creates /etc/killpower
 files_manage_etc_runtime_files(nut_upsmon_t)
 files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
 files_search_usr(nut_upsmon_t)
 
+# /usr/bin/wall
 term_write_all_terms(nut_upsmon_t)
 
-auth_use_nsswitch(nut_upsmon_t)
+# upsmon runs shutdown, probably need a shutdown domain
+init_rw_utmp(nut_upsmon_t)
+init_telinit(nut_upsmon_t)
+
 
 mta_send_mail(nut_upsmon_t)
 
+systemd_start_power_services(nut_upsmon_t)
+
 optional_policy(`
 	shutdown_domtrans(nut_upsmon_t)
 ')
 
 ########################################
 #
-# Upsdrvctl local policy
+# Local policy for upsdrvctl
 #
 
+allow nut_upsdrvctl_t self:capability { kill };
 allow nut_upsdrvctl_t self:fd use;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
+
+can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
 
-manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
 
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+
+# /sbin/upsdrvctl executes other drivers
 corecmd_exec_bin(nut_upsdrvctl_t)
 
 dev_read_sysfs(nut_upsdrvctl_t)
-dev_read_urand(nut_upsdrvctl_t)
 dev_rw_generic_usb_dev(nut_upsdrvctl_t)
 
 term_use_unallocated_ttys(nut_upsdrvctl_t)
-
-auth_use_nsswitch(nut_upsdrvctl_t)
+term_use_usb_ttys(nut_upsdrvctl_t)
 
 init_sigchld(nut_upsdrvctl_t)
 
 #######################################
 #
-# Cgi local policy
+# Local policy for upscgi scripts
+# requires httpd_enable_cgi and httpd_can_network_connect
 #
 
 optional_policy(`
 	apache_content_template(nutups_cgi)
+	apache_content_alias_template(nutups_cgi,nutups_cgi)
+
+	read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t)
 
-	allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms;
-	allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms;
-	allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms;
+	corenet_all_recvfrom_netlabel(nutups_cgi_script_t)
+	corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t)
+	corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t)
+	corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t)
+	corenet_tcp_connect_ups_port(nutups_cgi_script_t)
+	corenet_udp_sendrecv_generic_if(nutups_cgi_script_t)
+	corenet_udp_sendrecv_generic_node(nutups_cgi_script_t)
+	corenet_udp_sendrecv_all_ports(nutups_cgi_script_t)
 
-	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+	sysnet_dns_name_resolve(nutups_cgi_script_t)
 ')
diff --git a/nx.if b/nx.if
index 251d6816a0..50ae2a94b9 100644
--- a/nx.if
+++ b/nx.if
@@ -35,7 +35,9 @@ interface(`nx_read_home_files',`
 	')
 
 	files_search_var_lib($1)
-	read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t)
+	allow $1 nx_server_var_lib_t:dir search_dir_perms;
+	read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+	read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
 ')
 
 ########################################
@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',`
 
 	filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
 ')
+
+########################################
+## <summary>
+##	Transition to nx named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nx_filetrans_named_content',`
+	gen_require(`
+		type nx_server_home_ssh_t, nx_server_var_lib_t;
+	')
+
+	filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/nx.te b/nx.te
index 091f872723..62a0b1229d 100644
--- a/nx.te
+++ b/nx.te
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
 type nx_server_var_run_t;
 files_pid_file(nx_server_var_run_t)
 
+type nx_server_home_ssh_t;
+files_type(nx_server_home_ssh_t)
+
 ########################################
 #
 # Local policy
@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
 manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
 files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
 
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
 kernel_read_system_state(nx_server_t)
 kernel_read_kernel_sysctls(nx_server_t)
 
 corecmd_exec_shell(nx_server_t)
 corecmd_exec_bin(nx_server_t)
 
-corenet_all_recvfrom_unlabeled(nx_server_t)
 corenet_all_recvfrom_netlabel(nx_server_t)
 corenet_tcp_sendrecv_generic_if(nx_server_t)
 corenet_tcp_sendrecv_generic_node(nx_server_t)
@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t)
 
 dev_read_urand(nx_server_t)
 
-files_read_etc_files(nx_server_t)
 files_read_etc_runtime_files(nx_server_t)
-files_read_usr_files(nx_server_t)
-
-miscfiles_read_localization(nx_server_t)
-
-seutil_dontaudit_search_config(nx_server_t)
 
 sysnet_read_config(nx_server_t)
 
diff --git a/oav.te b/oav.te
index b09c4c4129..995c3f6a6d 100644
--- a/oav.te
+++ b/oav.te
@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
 domain_use_interactive_fds(scannerdaemon_t)
 
 files_exec_etc_files(scannerdaemon_t)
-files_read_etc_files(scannerdaemon_t)
 files_read_etc_runtime_files(scannerdaemon_t)
 files_search_var_lib(scannerdaemon_t)
 
diff --git a/obex.fc b/obex.fc
index 03fa56040a..b254dd1041 100644
--- a/obex.fc
+++ b/obex.fc
@@ -1 +1,2 @@
-/usr/bin/obex-data-server	--	gen_context(system_u:object_r:obex_exec_t,s0)
+/usr/bin/obex-data-server   --  gen_context(system_u:object_r:obex_exec_t,s0)
+/usr/libexec/bluetooth/obexd   --  gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if
index 8635ea2057..eec20b4134 100644
--- a/obex.if
+++ b/obex.if
@@ -1,15 +1,50 @@
 ## <summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The role template for obex.
+##  Transition to obex.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`obex_domtrans',`
+    gen_require(`
+        type obex_t, obex_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    domtrans_pattern($1, obex_exec_t, obex_t)
+')
+
+########################################
+## <summary>
+##  Send and receive messages from
+##  obex over dbus.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
+#
+interface(`obex_dbus_chat',`
+    gen_require(`
+        type obex_t;
+        class dbus send_msg;
+    ')
+
+    allow $1 obex_t:dbus send_msg;
+    allow obex_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+##	Role access for obex domains
+##	that executes via dbus-session
+## </summary>
 ## <param name="user_role">
 ##	<summary>
 ##	The role associated with the user domain.
@@ -20,69 +55,34 @@
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
+## <param name="domain_prefix">
+##	<summary>
+##	User domain prefix to be used.
+##	</summary>
+## </param>
 #
-template(`obex_role_template',`
+template(`obex_role',`
 	gen_require(`
 		attribute_role obex_roles;
-		type obex_t, obex_exec_exec_t;
+	        type obex_t, obex_exec_t;
 	')
 
 	########################################
-	#
+	#		 
 	# Declarations
 	#
 
-	roleattribute $2 obex_roles;
+    	roleattribute $1 obex_roles;
 
 	########################################
-	#
+	#    
 	# Policy
-	#
-
-	allow $3 obex_t:process { ptrace signal_perms };
-	ps_process_pattern($3, obex_t)
+	#         
 
-	dbus_spec_session_domain($1, obex_exec_t, obex_t)
-
-	obex_dbus_chat($3)
-')
+	allow $2 obex_t:process signal_perms;
+	ps_process_pattern($2, obex_t)
 
-########################################
-## <summary>
-##	Execute obex in the obex domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`obex_domtrans',`
-	gen_require(`
-		type obex_t, obex_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, obex_exec_t, obex_t)
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	obex over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`obex_dbus_chat',`
-	gen_require(`
-		type obex_t;
-		class dbus send_msg;
-	')
+	dbus_session_domain($3, obex_exec_t, obex_t)
 
-	allow $1 obex_t:dbus send_msg;
-	allow obex_t $1:dbus send_msg;
+	obex_dbus_chat($2)
 ')
diff --git a/obex.te b/obex.te
index cd29ea899a..d01d2c8e61 100644
--- a/obex.te
+++ b/obex.te
@@ -1,4 +1,4 @@
-policy_module(obex, 1.0.0)
+policy_module(obex,1.0.0) 
 
 ########################################
 #
@@ -14,30 +14,26 @@ role obex_roles types obex_t;
 
 ########################################
 #
-# Local policy
+# obex local policy
 #
 
 allow obex_t self:fifo_file rw_fifo_file_perms;
 allow obex_t self:socket create_stream_socket_perms;
+allow obex_t self:netlink_kobject_uevent_socket create_socket_perms;
 
-dev_read_urand(obex_t)
+kernel_request_load_module(obex_t)
 
-files_read_etc_files(obex_t)
+dev_read_urand(obex_t)
 
 logging_send_syslog_msg(obex_t)
 
-miscfiles_read_localization(obex_t)
-
 userdom_search_user_home_content(obex_t)
 
-optional_policy(`
-	bluetooth_stream_connect(obex_t)
-')
-
 optional_policy(`
 	dbus_system_bus_client(obex_t)
 
 	optional_policy(`
+		bluetooth_stream_connect(obex_t)
 		bluetooth_dbus_chat(obex_t)
 	')
 ')
diff --git a/oddjob.fc b/oddjob.fc
index dd1d9ef5a3..c48733aa4b 100644
--- a/oddjob.fc
+++ b/oddjob.fc
@@ -1,10 +1,12 @@
-/sbin/mkhomedir_helper	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 
-/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib/systemd/system/oddjobd.*   --  gen_context(system_u:object_r:oddjob_unit_file_t,s0)
 
+/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 /usr/libexec/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 
-/usr/sbin/oddjobd	--	gen_context(system_u:object_r:oddjob_exec_t,s0)
-/usr/sbin/mkhomedir_helper	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/bin/oddjob_request		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
+
+/usr/sbin/mkhomedir_helper     --      gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
 
-/var/run/oddjobd\.pid	gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/var/run/oddjobd\.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
index c87bd2a301..c7bfd1fdec 100644
--- a/oddjob.if
+++ b/oddjob.if
@@ -1,4 +1,8 @@
-## <summary>D-BUS service which runs odd jobs on behalf of client applications.</summary>
+## <summary>
+##	Oddjob provides a mechanism by which unprivileged applications can
+##	request that specified privileged operations be performed on their
+##	behalf.
+## </summary>
 
 ########################################
 ## <summary>
@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',`
 		type oddjob_t, oddjob_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
 ')
 
+#####################################
+## <summary>
+##	Do not audit attempts to read and write 
+##	oddjob fifo file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`oddjob_dontaudit_rw_fifo_file',`
+	gen_require(`
+		type oddjob_t;
+	')
+
+	dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
-##	Make the specified program domain
-##	accessable from the oddjob.
+##	Make the specified program domain accessable
+##	from the oddjob.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',`
 	')
 
 	domtrans_pattern(oddjob_t, $2, $1)
+	domain_user_exemption_target($1)
 ')
 
 ########################################
@@ -64,32 +87,46 @@ interface(`oddjob_dbus_chat',`
 	allow oddjob_t $1:dbus send_msg;
 ')
 
-########################################
+######################################
 ## <summary>
-##	Execute a domain transition to
-##	run oddjob mkhomedir.
+##	Send a SIGCHLD signal to oddjob.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
+interface(`oddjob_sigchld',`
+	gen_require(`
+		type oddjob_t;
+	')
+
+	allow $1 oddjob_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run oddjob_mkhomedir.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
 interface(`oddjob_domtrans_mkhomedir',`
 	gen_require(`
 		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
+    allow $1 oddjob_mkhomedir_exec_t:file map;
 ')
 
 ########################################
 ## <summary>
-##	Execute oddjob mkhomedir in the
-##	oddjob mkhomedir domain and allow
-##	the specified role the oddjob
-##	mkhomedir domain.
+##	Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -105,46 +142,114 @@ interface(`oddjob_domtrans_mkhomedir',`
 #
 interface(`oddjob_run_mkhomedir',`
 	gen_require(`
-		attribute_role oddjob_mkhomedir_roles;
+		type oddjob_mkhomedir_t;
 	')
 
 	oddjob_domtrans_mkhomedir($1)
-	roleattribute $2 oddjob_mkhomedir_roles;
+	role $2 types oddjob_mkhomedir_t;
 ')
 
-#####################################
+########################################
 ## <summary>
-##	Do not audit attempts to read and write 
-##	oddjob fifo files.
+##	Execute the oddjob program in the oddjob domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
 #
-interface(`oddjob_dontaudit_rw_fifo_files',`
+interface(`oddjob_run',`
 	gen_require(`
 		type oddjob_t;
 	')
 
-	dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
+	oddjob_domtrans($1)
+	role $2 types oddjob_t;
 ')
 
-######################################
+#######################################
+## <summary>
+##  Execute oddjob in the oddjob domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`oddjob_systemctl',`
+    gen_require(`
+        type oddjob_unit_file_t;
+        type oddjob_t;
+    ')
+
+    systemd_exec_systemctl($1)
+	init_reload_services($1)
+    allow $1 oddjob_unit_file_t:file read_file_perms;
+    allow $1 oddjob_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, oddjob_t)
+')
+
+########################################
 ## <summary>
-##	Send child terminated signals to oddjob.
+##	Create a domain which can be started by init,
+##	with a range transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
 ##	</summary>
 ## </param>
 #
-interface(`oddjob_sigchld',`
+interface(`oddjob_ranged_domain',`
 	gen_require(`
 		type oddjob_t;
 	')
 
-	allow $1 oddjob_t:process sigchld;
+	oddjob_system_entry($1, $2)
+
+	ifdef(`enable_mcs',`
+		range_transition oddjob_t $2:process $3;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition oddjob_t $2:process $3;
+		mls_rangetrans_target($1)
+	')
+')
+
+########################################
+## <summary>
+##	Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`oddjob_mkhomedir_entrypoint',`
+	gen_require(`
+		type oddjob_mkhomedir_exec_t;
+	')
+	allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
 ')
diff --git a/oddjob.te b/oddjob.te
index e403097c65..4737529c6f 100644
--- a/oddjob.te
+++ b/oddjob.te
@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
 # Declarations
 #
 
-attribute_role oddjob_mkhomedir_roles;
-
 type oddjob_t;
 type oddjob_exec_t;
 domain_type(oddjob_t)
@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t;
 domain_type(oddjob_mkhomedir_t)
 domain_obj_id_change_exemption(oddjob_mkhomedir_t)
 init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-role oddjob_mkhomedir_roles types oddjob_mkhomedir_t;
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 
+# pid files
 type oddjob_var_run_t;
 files_pid_file(oddjob_var_run_t)
 
+type oddjob_unit_file_t;
+systemd_unit_file(oddjob_unit_file_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
 ')
 
 ########################################
 #
-# Local policy
+# oddjob local policy
 #
 
 allow oddjob_t self:capability setgid;
@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
 manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
 files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
 
-domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
-
 kernel_read_system_state(oddjob_t)
 
 corecmd_exec_bin(oddjob_t)
@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t)
 
 selinux_compute_create_context(oddjob_t)
 
+
 auth_use_nsswitch(oddjob_t)
 
-miscfiles_read_localization(oddjob_t)
 
 locallogin_dontaudit_use_fds(oddjob_t)
 
@@ -66,27 +66,31 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domtrans(oddjob_t)
+	apache_dbus_chat(oddjob_t)
 ')
 
 ########################################
 #
-# Mkhomedir local policy
+# oddjob_mkhomedir local policy
 #
 
-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search dac_override };
 allow oddjob_mkhomedir_t self:process setfscreate;
 allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+allow oddjob_t oddjob_mkhomedir_exec_t:file map;
 
 kernel_read_system_state(oddjob_mkhomedir_t)
 
+fs_manage_auto_mountpoints(oddjob_mkhomedir_t)
+
+mls_file_upgrade(oddjob_mkhomedir_t)
+
 auth_use_nsswitch(oddjob_mkhomedir_t)
 
 logging_send_syslog_msg(oddjob_mkhomedir_t)
 
-miscfiles_read_localization(oddjob_mkhomedir_t)
-
 selinux_get_fs_mount(oddjob_mkhomedir_t)
 selinux_validate_context(oddjob_mkhomedir_t)
 selinux_compute_access_vector(oddjob_mkhomedir_t)
@@ -98,8 +102,11 @@ seutil_read_config(oddjob_mkhomedir_t)
 seutil_read_file_contexts(oddjob_mkhomedir_t)
 seutil_read_default_contexts(oddjob_mkhomedir_t)
 
+# Add/remove user home directories
 userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
 userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
+userdom_home_manager(oddjob_mkhomedir_t)
+userdom_stream_connect(oddjob_mkhomedir_t)
+
diff --git a/openct.te b/openct.te
index 3b6920e31a..3e9b17fdea 100644
--- a/openct.te
+++ b/openct.te
@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
 manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
 files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
 
-can_exec(openct_t, openct_exec_t)
-
 kernel_read_kernel_sysctls(openct_t)
 kernel_list_proc(openct_t)
 kernel_read_proc_symlinks(openct_t)
 
+can_exec(openct_t, openct_exec_t)
+
 dev_read_sysfs(openct_t)
 dev_rw_usbfs(openct_t)
 dev_rw_smartcard(openct_t)
@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
 
 domain_use_interactive_fds(openct_t)
 
-files_read_etc_files(openct_t)
 
 fs_getattr_all_fs(openct_t)
 fs_search_auto_mountpoints(openct_t)
 
 logging_send_syslog_msg(openct_t)
 
-miscfiles_read_localization(openct_t)
-
 userdom_dontaudit_use_unpriv_user_fds(openct_t)
 userdom_dontaudit_search_user_home_dirs(openct_t)
 
diff --git a/opendnssec.fc b/opendnssec.fc
new file mode 100644
index 0000000000..08d0e793d7
--- /dev/null
+++ b/opendnssec.fc
@@ -0,0 +1,14 @@
+/usr/lib/systemd/system/ods-enforcerd.service		--	gen_context(system_u:object_r:opendnssec_unit_file_t,s0)
+
+/usr/lib/systemd/system/ods-signerd.service		--	gen_context(system_u:object_r:opendnssec_unit_file_t,s0)
+
+/usr/sbin/ods-control	--	gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-enforcerd	--	gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-signer	--	gen_context(system_u:object_r:opendnssec_exec_t,s0)
+/usr/sbin/ods-signerd	--	gen_context(system_u:object_r:opendnssec_exec_t,s0)
+
+/etc/opendnssec(/.*)?		gen_context(system_u:object_r:opendnssec_conf_t,s0)
+
+/var/run/opendnssec(/.*)?		gen_context(system_u:object_r:opendnssec_var_run_t,s0)
+
+/var/opendnssec(/.*)?		gen_context(system_u:object_r:opendnssec_var_t,s0)
diff --git a/opendnssec.if b/opendnssec.if
new file mode 100644
index 0000000000..31d6b70698
--- /dev/null
+++ b/opendnssec.if
@@ -0,0 +1,207 @@
+
+## <summary>policy for opendnssec</summary>
+
+########################################
+## <summary>
+##	Execute opendnssec_exec_t in the opendnssec domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opendnssec_domtrans',`
+	gen_require(`
+		type opendnssec_t, opendnssec_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, opendnssec_exec_t, opendnssec_t)
+')
+
+######################################
+## <summary>
+##	Execute opendnssec in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opendnssec_exec',`
+	gen_require(`
+		type opendnssec_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, opendnssec_exec_t)
+')
+
+########################################
+## <summary>
+##      Read the opendnssec configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opendnssec_read_config',`
+        gen_require(`
+                type opendnssec_conf_t;
+        ')
+
+        files_search_etc($1)
+        allow $1 opendnssec_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##      Read the opendnssec configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opendnssec_manage_config',`
+        gen_require(`
+                type opendnssec_conf_t;
+        ')
+
+        files_search_etc($1)
+        allow $1 opendnssec_conf_t:dir manage_dir_perms;
+        allow $1 opendnssec_conf_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to
+##      read and write opendnssec /var files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`opendnssec_manage_var_files',`
+        gen_require(`
+                type opendnssec_var_t;
+        ')
+
+        files_search_var($1)
+        files_search_var_lib($1)
+        manage_files_pattern($1, opendnssec_var_t, opendnssec_var_t)
+')
+
+########################################
+## <summary>
+##	Read opendnssec PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opendnssec_read_pid_files',`
+	gen_require(`
+		type opendnssec_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute opendnssec server in the opendnssec domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`opendnssec_systemctl',`
+	gen_require(`
+		type opendnssec_t;
+		type opendnssec_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 opendnssec_unit_file_t:file read_file_perms;
+	allow $1 opendnssec_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, opendnssec_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an opendnssec environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`opendnssec_admin',`
+	gen_require(`
+		type opendnssec_t;
+		type opendnssec_var_run_t;
+	type opendnssec_unit_file_t;
+	')
+
+	allow $1 opendnssec_t:process { signal_perms };
+	ps_process_pattern($1, opendnssec_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 opendnssec_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, opendnssec_var_run_t)
+
+	opendnssec_systemctl($1)
+	admin_pattern($1, opendnssec_unit_file_t)
+	allow $1 opendnssec_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##      Transition to quota named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`opendnssec_filetrans_etc_content',`
+        gen_require(`
+                type opendnssec_conf_t;
+        ')
+
+        files_etc_filetrans($1, opendnssec_conf_t, file)
+')
diff --git a/opendnssec.te b/opendnssec.te
new file mode 100644
index 0000000000..e246d45a5c
--- /dev/null
+++ b/opendnssec.te
@@ -0,0 +1,68 @@
+policy_module(opendnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type opendnssec_t;
+type opendnssec_exec_t;
+init_daemon_domain(opendnssec_t, opendnssec_exec_t)
+
+type opendnssec_conf_t;
+files_config_file(opendnssec_conf_t)
+
+type opendnssec_var_t;
+files_type(opendnssec_var_t)
+
+type opendnssec_var_run_t;
+files_pid_file(opendnssec_var_run_t)
+
+type opendnssec_tmp_t;
+files_tmp_file(opendnssec_tmp_t)
+
+type opendnssec_unit_file_t;
+systemd_unit_file(opendnssec_unit_file_t)
+
+########################################
+#
+# opendnssec local policy
+#
+allow opendnssec_t self:capability { chown setgid setuid sys_chroot };
+allow opendnssec_t self:process { fork signal_perms };
+allow opendnssec_t self:fifo_file rw_fifo_file_perms;
+allow opendnssec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
+manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
+
+manage_dirs_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t)
+manage_files_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t)
+files_var_filetrans(opendnssec_t, opendnssec_var_t, dir)
+
+manage_dirs_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_lnk_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
+manage_files_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
+files_tmp_filetrans(opendnssec_t, opendnssec_tmp_t, { file dir })
+
+kernel_read_system_state(opendnssec_t)
+
+auth_use_nsswitch(opendnssec_t)
+
+corecmd_exec_bin(opendnssec_t)
+
+logging_send_syslog_msg(opendnssec_t)
+
+optional_policy(`
+	bind_manage_cache(opendnssec_t)
+')
+
+optional_policy(`
+    ipa_manage_lib(opendnssec_t)
+')
+
diff --git a/openhpi.te b/openhpi.te
index 8de619112d..1a01e99f2c 100644
--- a/openhpi.te
+++ b/openhpi.te
@@ -38,6 +38,8 @@ files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir)
 manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
 files_pid_filetrans(openhpid_t, openhpid_var_run_t, file)
 
+kernel_read_system_state(openhpid_t)
+
 corenet_all_recvfrom_unlabeled(openhpid_t)
 corenet_all_recvfrom_netlabel(openhpid_t)
 corenet_tcp_sendrecv_generic_if(openhpid_t)
@@ -50,8 +52,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
 
 dev_read_urand(openhpid_t)
 
-files_read_etc_files(openhpid_t)
-
 logging_send_syslog_msg(openhpid_t)
 
 miscfiles_read_localization(openhpid_t)
+
+optional_policy(`
+    snmp_read_snmp_var_lib_files(openhpid_t)
+')
diff --git a/openhpid.fc b/openhpid.fc
new file mode 100644
index 0000000000..df219e6efc
--- /dev/null
+++ b/openhpid.fc
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/openhpid	--	gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
+
+/usr/sbin/openhpid		--	gen_context(system_u:object_r:openhpid_exec_t,s0)
+
+/var/lib/openhpi(/.*)?		gen_context(system_u:object_r:openhpid_var_lib_t,s0)
+
+/var/log/dynsim[0-9]*\.log	--		gen_context(system_u:object_r:openhpid_log_t,s0)
+
+/var/run/openhpid\.pid	--	gen_context(system_u:object_r:openhpid_var_run_t,s0)
diff --git a/openhpid.if b/openhpid.if
new file mode 100644
index 0000000000..598789a3bb
--- /dev/null
+++ b/openhpid.if
@@ -0,0 +1,159 @@
+
+## <summary>policy for openhpid</summary>
+
+
+########################################
+## <summary>
+##	Transition to openhpid.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openhpid_domtrans',`
+	gen_require(`
+		type openhpid_t, openhpid_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, openhpid_exec_t, openhpid_t)
+')
+
+
+########################################
+## <summary>
+##	Execute openhpid server in the openhpid domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openhpid_initrc_domtrans',`
+	gen_require(`
+		type openhpid_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+##	Search openhpid lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openhpid_search_lib',`
+	gen_require(`
+		type openhpid_var_lib_t;
+	')
+
+	allow $1 openhpid_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read openhpid lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openhpid_read_lib_files',`
+	gen_require(`
+		type openhpid_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage openhpid lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openhpid_manage_lib_files',`
+	gen_require(`
+		type openhpid_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage openhpid lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openhpid_manage_lib_dirs',`
+	gen_require(`
+		type openhpid_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an openhpid environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openhpid_admin',`
+	gen_require(`
+		type openhpid_t;
+	type openhpid_initrc_exec_t;
+	type openhpid_var_lib_t;
+	')
+
+	allow $1 openhpid_t:process { ptrace signal_perms };
+	ps_process_pattern($1, openhpid_t)
+
+	openhpid_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 openhpid_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_var_lib($1)
+	admin_pattern($1, openhpid_var_lib_t)
+
+
+
+')
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
index 0000000000..a0e0eafcee
--- /dev/null
+++ b/openhpid.te
@@ -0,0 +1,67 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openhpid_t;
+type openhpid_exec_t;
+init_daemon_domain(openhpid_t, openhpid_exec_t)
+
+type openhpid_initrc_exec_t;
+init_script_file(openhpid_initrc_exec_t)
+
+type openhpid_log_t;
+logging_log_file(openhpid_log_t)
+
+type openhpid_var_lib_t;
+files_type(openhpid_var_lib_t)
+
+type openhpid_var_run_t;
+files_pid_file(openhpid_var_run_t)
+
+########################################
+#
+# openhpid local policy
+#
+
+allow openhpid_t self:capability { kill };
+allow openhpid_t self:process signal_perms;
+
+allow openhpid_t self:fifo_file rw_fifo_file_perms;
+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
+allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
+allow openhpid_t self:tcp_socket create_stream_socket_perms;
+allow openhpid_t self:udp_socket create_socket_perms;
+
+
+manage_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t)
+logging_log_filetrans(openhpid_t, openhpid_log_t, file)
+
+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
+
+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
+files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
+
+kernel_read_system_state(openhpid_t)
+
+corenet_tcp_bind_generic_node(openhpid_t)
+corenet_tcp_bind_openhpid_port(openhpid_t)
+corenet_tcp_connect_http_port(openhpid_t)
+
+dev_read_urand(openhpid_t)
+dev_rw_watchdog(openhpid_t)
+
+logging_send_syslog_msg(openhpid_t)
+
+miscfiles_read_generic_certs(openhpid_t)
+
+sysnet_read_config(openhpid_t)
+
+optional_policy(`
+	snmp_manage_var_lib_files(openhpid_t)
+	snmp_manage_var_lib_dirs(openhpid_t)
+')
diff --git a/openshift-origin.fc b/openshift-origin.fc
new file mode 100644
index 0000000000..30ca148ee4
--- /dev/null
+++ b/openshift-origin.fc
@@ -0,0 +1 @@
+# Left Blank
diff --git a/openshift-origin.if b/openshift-origin.if
new file mode 100644
index 0000000000..3eb6a3057b
--- /dev/null
+++ b/openshift-origin.if
@@ -0,0 +1 @@
+## <summary></summary>
diff --git a/openshift-origin.te b/openshift-origin.te
new file mode 100644
index 0000000000..a437f80cae
--- /dev/null
+++ b/openshift-origin.te
@@ -0,0 +1,13 @@
+policy_module(openshift-origin,1.0.0)
+gen_require(`
+	attribute openshift_domain;
+')
+
+########################################
+#
+# openshift origin standard local policy
+#
+allow openshift_domain self:socket_class_set create_socket_perms;
+corenet_tcp_connect_all_ports(openshift_domain)
+corenet_tcp_bind_all_ports(openshift_domain)
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
index 0000000000..5a2f97ef68
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,30 @@
+/etc/rc\.d/init\.d/libra        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0)
+
+/var/lib/stickshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/stickshift/.*/data(/.*)?	       gen_context(system_u:object_r:openshift_rw_file_t,s0)
+/var/lib/containers/home(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift/.*/data(/.*)?          gen_context(system_u:object_r:openshift_rw_file_t,s0)
+
+/var/lib/stickshift/.*/\.tmp(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/stickshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.tmp(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
+/var/lib/openshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
+
+/var/log/mcollective\.log.*        --    gen_context(system_u:object_r:openshift_log_t,s0)
+/var/log/openshift(/.*)?	 gen_context(system_u:object_r:openshift_log_t,s0)
+
+/usr/s?bin/(oo|rhc)-cgroup-read        --    gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+/usr/s?bin/oo-lists-ports        --    gen_context(system_u:object_r:openshift_net_read_exec_t,s0)
+
+/usr/s?bin/(oo|rhc)-restorer           --    gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh    --  gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/oo-admin-ctl-gears	--	gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/mcollectived			--		gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)?		    	gen_context(system_u:object_r:openshift_var_run_t,s0)
+/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
index 0000000000..c20cac3970
--- /dev/null
+++ b/openshift.if
@@ -0,0 +1,697 @@
+
+## <summary> policy for openshift </summary>
+
+########################################
+## <summary>
+##	Execute openshift server in the openshift domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`openshift_initrc_domtrans',`
+	gen_require(`
+		type openshift_initrc_t;
+		type openshift_initrc_exec_t;
+	')
+
+	domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
+')
+
+#######################################
+## <summary>
+##  Execute openshift server in the openshift domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The type of the process performing this action.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role access to this domain.
+##  </summary>
+## </param>
+#
+interface(`openshift_initrc_run',`
+	gen_require(`
+		type openshift_initrc_t;
+		type openshift_initrc_exec_t;
+	')
+
+	openshift_initrc_domtrans($1)
+	role $2 types openshift_initrc_t;
+')
+
+########################################
+## <summary>
+##	Send a null signal to openshift init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_initrc_signull',`
+	gen_require(`
+		type openshift_initrc_t;
+	')
+
+	allow $1 openshift_initrc_t:process signull;
+')
+
+#######################################
+## <summary>
+##  Send a signal to openshift init scripts.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`openshift_initrc_signal',`
+    gen_require(`
+        type openshift_initrc_t;
+    ')
+
+    allow $1 openshift_initrc_t:process signal;
+')
+
+########################################
+## <summary>
+##	Search openshift cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_search_cache',`
+    refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+##	Read openshift cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_read_cache_files',`
+    refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	openshift cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_manage_cache_files',`
+    refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	openshift cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_manage_cache_dirs',`
+    refpolicywarn(`$0($*) has been deprecated.')
+')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to read openshift's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openshift_read_log',`
+	gen_require(`
+		type openshift_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	openshift log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`openshift_append_log',`
+	gen_require(`
+		type openshift_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage openshift log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`openshift_manage_log',`
+	gen_require(`
+		type openshift_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
+	manage_files_pattern($1, openshift_log_t, openshift_log_t)
+	manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
+')
+
+########################################
+## <summary>
+##	Search openshift lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_search_lib',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+    search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+    getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Getattr openshift lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_getattr_lib',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+    getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read openshift lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_read_lib_files',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+	read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read openshift lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_append_lib_files',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	openshift lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_manage_lib_files',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+	manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	openshift lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_manage_lib_dirs',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage openshift lib content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_manage_content',`
+	gen_require(`
+		attribute openshift_file_type;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
+	manage_files_pattern($1, openshift_file_type, openshift_file_type)
+	manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
+	manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
+')
+
+########################################
+## <summary>
+##	Relabel openshift library files 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_relabelfrom_lib',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+	relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+#######################################
+## <summary>
+##	Create private objects in the
+##	mail lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`openshift_lib_filetrans',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Read openshift PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_read_pid_files',`
+	gen_require(`
+		type openshift_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 openshift_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an openshift environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openshift_admin',`
+	gen_require(`
+		attribute openshift_domain;
+		type openshift_initrc_exec_t;
+		type openshift_log_t;
+		type openshift_var_lib_t;
+		type openshift_var_run_t;
+	')
+
+	allow $1 openshift_domain:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 openshift_domain:process ptrace;
+	')
+	ps_process_pattern($1, openshift_domain)
+
+	openshift_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 openshift_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_search_logs($1)
+	admin_pattern($1, openshift_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, openshift_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, openshift_var_run_t)
+
+')
+
+########################################
+## <summary>
+##	Make the specified type usable as a openshift domain.
+## </summary>
+## <param name="openshiftdomain_prefix">
+##  <summary>
+##  The prefix of the domain (e.g., openshift
+##  is the prefix for openshift_t).
+##  </summary>
+## </param>
+#
+template(`openshift_service_domain_template',`
+	gen_require(`
+		attribute openshift_domain;
+		attribute openshift_user_domain;
+	')
+
+	type $1_t;
+	typeattribute $1_t openshift_domain, openshift_user_domain;
+	domain_type($1_t)
+	role system_r types $1_t;
+	mcs_constrained($1_t)
+	domain_user_exemption_target($1_t)
+	auth_use_nsswitch($1_t)
+	domain_subj_id_change_exemption($1_t)
+	domain_obj_id_change_exemption($1_t)
+	domain_dyntrans_type($1_t)
+
+	kernel_read_system_state($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	type $1_app_t;
+	typeattribute $1_app_t openshift_domain;
+	domain_type($1_app_t)
+	role system_r types $1_app_t;
+	mcs_constrained($1_app_t)
+	domain_user_exemption_target($1_app_t)
+	domain_obj_id_change_exemption($1_app_t)
+	domain_dyntrans_type($1_app_t)
+	auth_use_nsswitch($1_app_t)
+
+	kernel_read_system_state($1_app_t)
+
+	logging_send_syslog_msg($1_app_t)
+')
+
+########################################
+## <summary>
+##	Make the specified type usable as a openshift domain.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a openshift domain type.
+##	</summary>
+## </param>
+#
+interface(`openshift_net_type',`
+	gen_require(`
+		attribute openshift_net_domain;
+	')
+
+	typeattribute $1 openshift_net_domain;
+')
+
+########################################
+## <summary>
+##	Read and write inherited openshift files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_rw_inherited_content',`
+	gen_require(`
+		attribute openshift_file_type;
+	')
+
+	allow $1 openshift_file_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage openshift tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_manage_tmp_files',`
+	gen_require(`
+		type openshift_tmp_t;
+	')
+
+	manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
+')
+
+########################################
+## <summary>
+##	Manage openshift tmp sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_manage_tmp_sockets',`
+	gen_require(`
+		type openshift_tmp_t;
+	')
+
+	manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
+')
+
+########################################
+## <summary>
+##	Mounton openshift tmp directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_mounton_tmp',`
+	gen_require(`
+		type openshift_tmp_t;
+	')
+
+	allow $1 openshift_tmp_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Dontaudit Read and write inherited script fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_dontaudit_rw_inherited_fifo_files',`
+	gen_require(`
+		type openshift_initrc_t;
+		type openshift_t;
+	')
+
+	dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+	dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow calling app to transition to an openshift domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openshift_transition',`
+	gen_require(`
+		attribute openshift_user_domain;
+	')
+
+	allow $1 openshift_user_domain:process transition;
+	dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
+	allow openshift_user_domain $1:fd use;
+	allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
+	allow openshift_user_domain $1:process sigchld;
+	dontaudit $1 openshift_user_domain:socket_class_set { read write };
+')
+
+########################################
+## <summary>
+##	Allow calling app to transition to an openshift domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openshift_dyntransition',`
+	gen_require(`
+		attribute openshift_domain;
+		attribute openshift_user_domain;
+	')
+
+	allow $1 openshift_user_domain:process dyntransition;
+	dontaudit openshift_user_domain $1:key view;
+	allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
+	allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
+	allow $1 openshift_user_domain:process { rlimitinh signal };
+	dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
+')
+
+########################################
+## <summary>
+##	Execute openshift in the openshift domain, and
+##	allow the specified role the openshift domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_run',`
+	gen_require(`
+		type openshift_initrc_exec_t;
+	')
+
+	openshift_initrc_domtrans($1)
+	role_transition $2 openshift_initrc_exec_t system_r;
+	openshift_transition($1)
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
index 0000000000..a98990f3ab
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,634 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
+	role system_r;
+')
+ 
+## <desc>
+## <p>
+## Allow openshift to access nfs file systems without labels
+## </p>
+## </desc>
+gen_tunable(openshift_use_nfs, false)
+
+
+########################################
+#
+# Declarations
+#
+
+
+# openshift applications that can use the network.
+attribute openshift_net_domain;
+# Attribute representing all openshift user processes (excludes apache processes)
+attribute openshift_user_domain;
+# Attribute representing all openshift processes
+attribute openshift_domain;
+
+# Attribute for all openshift content
+attribute openshift_file_type;
+
+# Type of openshift init script
+type openshift_initrc_t;
+type openshift_initrc_exec_t;
+init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
+init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+domain_obj_id_change_exemption(openshift_initrc_t)
+optional_policy(`
+	oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+')
+
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
+type openshift_tmpfs_t;
+files_tmpfs_file(openshift_tmpfs_t)
+
+type openshift_tmp_t, openshift_file_type;
+files_tmp_file(openshift_tmp_t)
+files_mountpoint(openshift_tmp_t)
+files_poly(openshift_tmp_t)
+files_poly_parent(openshift_tmp_t)
+
+type openshift_var_run_t;
+files_pid_file(openshift_var_run_t)
+
+type openshift_var_lib_t, openshift_file_type;
+userdom_user_home_content(openshift_var_lib_t)
+files_poly(openshift_var_lib_t)
+files_poly_parent(openshift_var_lib_t)
+files_mountpoint(openshift_var_lib_t)
+
+type openshift_rw_file_t, openshift_file_type;
+files_poly(openshift_rw_file_t)
+files_poly_parent(openshift_rw_file_t)
+
+type openshift_log_t;
+logging_log_file(openshift_log_t)
+
+type openshift_port_t;
+corenet_port(openshift_port_t)
+corenet_reserved_port(openshift_port_t)
+
+type openshift_cgroup_read_t;
+type openshift_cgroup_read_exec_t;
+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
+
+type openshift_net_read_t;
+type openshift_net_read_exec_t;
+application_domain(openshift_net_read_t, openshift_net_read_exec_t)
+
+type openshift_cgroup_read_tmp_t, openshift_file_type;
+files_tmp_file(openshift_cgroup_read_tmp_t)
+
+type openshift_cron_t;
+type openshift_cron_exec_t;
+domain_type(openshift_cron_t)
+domain_entry_file(openshift_cron_t, openshift_cron_exec_t)
+role system_r types openshift_cron_t;
+
+optional_policy(`
+	cron_system_entry(openshift_cron_t, openshift_cron_exec_t)
+')
+
+type openshift_cron_tmp_t, openshift_file_type;
+files_tmp_file(openshift_cron_tmp_t)
+
+########################################
+#
+# Template to create openshift_t and openshift_app_t
+#
+
+openshift_service_domain_template(openshift)
+
+########################################
+#
+# openshift initrc local policy
+#
+
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
+virt_sandbox_domain(openshift_initrc_t)
+
+systemd_dbus_chat_logind(openshift_initrc_t)
+
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
+files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
+
+manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
+files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
+
+manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
+manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
+logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
+
+allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow openshift_domain openshift_initrc_t:fd use;
+allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+allow openshift_domain openshift_initrc_t:process sigchld;
+dontaudit openshift_domain openshift_initrc_t:key view;
+dontaudit openshift_domain openshift_initrc_t:process signull;
+dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
+
+init_domtrans_script(openshift_initrc_t)
+init_initrc_domain(openshift_initrc_t)
+
+optional_policy(`
+        firewalld_dbus_chat(openshift_initrc_t)
+')
+
+#######################################################
+#
+# Policy for all openshift domains
+#
+allow openshift_domain self:process ~ptrace;
+tunable_policy(`deny_ptrace',`',`
+	allow openshift_domain self:process ptrace;
+')
+
+allow openshift_domain self:msg all_msg_perms;
+allow openshift_domain self:msgq create_msgq_perms;
+allow openshift_domain self:shm create_shm_perms;
+allow openshift_domain self:sem create_sem_perms;
+dontaudit openshift_domain self:dir write;
+dontaudit openshift_domain self:rawip_socket create_socket_perms;
+
+dontaudit openshift_t self:unix_stream_socket recvfrom;
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
+allow openshift_domain self:tcp_socket  create_stream_socket_perms;
+allow openshift_domain self:fifo_file manage_fifo_file_perms;
+allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
+dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
+allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };
+
+list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
+allow openshift_domain openshift_file_type:file execmod;
+can_exec(openshift_domain, openshift_file_type)
+allow openshift_domain openshift_file_type:file entrypoint;
+# Allow users to execute files in their home dir
+allow openshift_domain openshift_file_type:file { execute execute_no_trans };
+
+# Dontaudit openshift domains trying to search other openshift domains directories, 
+# this happens just when users are probing the system
+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
+;
+
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file })
+can_exec(openshift_domain, openshift_tmpfs_t)
+
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
+allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
+
+allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
+
+#lsof
+allow openshift_domain openshift_initrc_t:tcp_socket getattr;
+
+dontaudit openshift_domain openshift_initrc_tmp_t:file append;
+dontaudit openshift_domain openshift_var_run_t:file append;
+dontaudit openshift_domain openshift_file_type:sock_file execute;
+
+kernel_dontaudit_search_network_state(openshift_domain)
+kernel_dontaudit_list_all_proc(openshift_domain)
+kernel_dontaudit_list_all_sysctls(openshift_domain)
+kernel_dontaudit_request_load_module(openshift_domain)
+kernel_get_sysvipc_info(openshift_domain)
+
+corecmd_shell_entry_type(openshift_domain)
+corecmd_bin_entry_type(openshift_domain)
+corecmd_exec_all_executables(openshift_domain)
+
+dev_read_sysfs(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_read_urand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
+dev_dontaudit_getattr_all_blk_files(openshift_domain)
+dev_dontaudit_getattr_all_chr_files(openshift_domain)
+dev_dontaudit_all_access_check(openshift_domain)
+
+domain_use_interactive_fds(openshift_domain)
+domain_dontaudit_read_all_domains_state(openshift_domain)
+
+files_read_var_lib_symlinks(openshift_domain)
+
+fs_rw_hugetlbfs_files(openshift_domain)
+fs_rw_anon_inodefs_files(openshift_domain)
+fs_search_tmpfs(openshift_domain)
+fs_getattr_all_fs(openshift_domain)
+fs_dontaudit_getattr_all_fs(openshift_domain)
+fs_list_inotifyfs(openshift_domain)
+fs_dontaudit_list_auto_mountpoints(openshift_domain)
+fs_dontaudit_list_tmpfs(openshift_domain)
+storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
+storage_getattr_fixed_disk_dev(openshift_domain)
+fs_get_xattr_fs_quotas(openshift_domain)
+fs_rw_inherited_tmpfs_files(openshift_domain)
+fs_dontaudit_rw_anon_inodefs_files(openshift_domain)
+
+dontaudit openshift_domain file_type:dir read;
+files_dontaudit_list_home(openshift_domain)
+files_dontaudit_search_all_pids(openshift_domain)
+files_dontaudit_getattr_all_dirs(openshift_domain)
+files_dontaudit_getattr_all_files(openshift_domain)
+files_dontaudit_list_mnt(openshift_domain)
+files_dontaudit_list_var(openshift_domain)
+files_dontaudit_getattr_lost_found_dirs(openshift_domain)
+files_dontaudit_search_all_mountpoints(openshift_domain)
+files_dontaudit_search_spool(openshift_domain)
+files_dontaudit_search_all_dirs(openshift_domain)
+files_exec_etc_files(openshift_domain)
+files_exec_usr_files(openshift_domain)
+files_dontaudit_getattr_non_security_sockets(openshift_domain)
+files_dontaudit_setattr_non_security_dirs(openshift_domain)
+files_dontaudit_setattr_non_security_files(openshift_domain)
+files_dontaudit_rw_inherited_locks(openshift_domain)
+
+libs_exec_lib_files(openshift_domain)
+libs_exec_ld_so(openshift_domain)
+
+selinux_validate_context(openshift_domain)
+
+logging_inherit_append_all_logs(openshift_domain)
+
+init_dontaudit_read_utmp(openshift_domain)
+
+miscfiles_read_fonts(openshift_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
+
+mta_dontaudit_read_spool_symlinks(openshift_domain)
+
+term_dontaudit_search_ptys(openshift_domain)
+term_use_generic_ptys(openshift_domain)
+term_dontaudit_getattr_generic_ptys(openshift_domain)
+term_use_ptmx(openshift_domain)
+
+userdom_use_inherited_user_ptys(openshift_domain)
+userdom_dontaudit_search_admin_dir(openshift_domain)
+
+application_exec(openshift_domain)
+
+optional_policy(`
+	apache_exec_modules(openshift_domain)
+	apache_list_modules(openshift_domain)
+	apache_read_config(openshift_domain)
+	apache_search_config(openshift_domain)
+	apache_read_sys_content(openshift_domain)
+	apache_exec_sys_script(openshift_domain)
+	apache_entrypoint(openshift_domain)
+	apache_dontaudit_read_log(openshift_domain)
+')
+
+optional_policy(`
+	#############################################
+	# 
+	# openshift cgi script policy
+	#
+	apache_content_template(openshift)
+	apache_content_alias_template(openshift, openshift)
+	domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
+
+	optional_policy(`
+		dbus_system_bus_client(openshift_script_t)
+
+		optional_policy(`
+			oddjob_dbus_chat(openshift_script_t)
+			oddjob_dontaudit_rw_fifo_file(openshift_domain)
+		')
+	')
+')
+
+optional_policy(`
+	cron_role(system_r, openshift_domain)
+')
+
+optional_policy(`
+	gear_search_lib(openshift_domain)
+')
+
+optional_policy(`
+	gpg_entry_type(openshift_domain)
+')
+
+optional_policy(`
+	mysql_search_db(openshift_domain)
+')
+
+optional_policy(`
+	screen_exec(openshift_domain)
+')
+
+optional_policy(`
+	ssh_use_ptys(openshift_domain)
+	ssh_getattr_user_home_dir(openshift_domain)
+	ssh_dontaudit_search_user_home_dir(openshift_domain)
+')
+
+optional_policy(`
+	udev_read_pid_files(openshift_domain)
+')
+
+#######################################################
+#
+# Policy for openshift user domain process
+#
+manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
+allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
+
+allow openshift_user_domain openshift_domain:process transition;
+allow openshift_domain openshift_user_domain:fd use;
+allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
+allow openshift_domain openshift_user_domain:process sigchld;
+dontaudit openshift_domain openshift_user_domain:key view;
+dontaudit openshift_domain openshift_user_domain:process signull;
+dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
+
+tunable_policy(`deny_ptrace',`',`
+	allow openshift_user_domain openshift_domain:process ptrace;
+')
+
+mta_signal_user_agent(openshift_user_domain)
+
+optional_policy(`
+	ssh_rw_tcp_sockets(openshift_user_domain)
+')
+
+############################################################################
+#
+# Rules specific to openshift_net_domains
+#
+allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind };
+allow openshift_net_domain openshift_port_t:udp_socket name_bind;
+
+corenet_tcp_connect_mssql_port(openshift_net_domain)
+corenet_tcp_connect_mysqld_port(openshift_net_domain)
+corenet_tcp_connect_postgresql_port(openshift_net_domain)
+corenet_tcp_connect_git_port(openshift_net_domain)
+corenet_tcp_connect_oracle_port(openshift_net_domain)
+corenet_tcp_connect_flash_port(openshift_net_domain)
+corenet_tcp_connect_http_port(openshift_net_domain)
+corenet_tcp_connect_ftp_port(openshift_net_domain)
+#/* These ports are the ephemeral ports needed for ftp */
+corenet_tcp_connect_virt_migration_port(openshift_net_domain)
+corenet_tcp_connect_ssh_port(openshift_net_domain)
+corenet_tcp_connect_jacorb_port(openshift_net_domain)
+corenet_tcp_connect_jboss_management_port(openshift_net_domain)
+corenet_tcp_connect_jboss_debug_port(openshift_net_domain)
+corenet_tcp_connect_jboss_messaging_port(openshift_net_domain)
+corenet_tcp_connect_memcache_port(openshift_net_domain)
+corenet_tcp_connect_http_cache_port(openshift_net_domain)
+corenet_tcp_connect_amqp_port(openshift_net_domain)
+corenet_tcp_connect_generic_port(openshift_net_domain)
+corenet_tcp_connect_mongod_port(openshift_net_domain)
+corenet_tcp_connect_munin_port(openshift_net_domain)
+corenet_tcp_connect_pop_port(openshift_net_domain)
+corenet_tcp_connect_pulseaudio_port(openshift_net_domain)
+corenet_tcp_connect_smtp_port(openshift_net_domain)
+corenet_tcp_connect_whois_port(openshift_net_domain)
+corenet_udp_bind_generic_port(openshift_net_domain)
+corenet_tcp_bind_http_cache_port(openshift_domain)
+corenet_tcp_bind_jacorb_port(openshift_net_domain)
+corenet_tcp_bind_jboss_management_port(openshift_net_domain)
+corenet_tcp_bind_jboss_messaging_port(openshift_net_domain)
+corenet_tcp_bind_jboss_debug_port(openshift_net_domain)
+corenet_tcp_bind_mongod_port(openshift_net_domain)
+corenet_tcp_bind_mysqld_port(openshift_domain)
+corenet_tcp_bind_pulseaudio_port(openshift_net_domain)
+corenet_tcp_bind_postgresql_port(openshift_net_domain)
+
+############################################################################
+#
+# Rules specific to openshift and openshift_app_t
+#
+kernel_read_vm_sysctls(openshift_t)
+kernel_read_vm_sysctls(openshift_app_t)
+kernel_search_vm_sysctl(openshift_t)
+kernel_search_vm_sysctl(openshift_app_t)
+netutils_domtrans_ping(openshift_t)
+netutils_kill_ping(openshift_t)
+netutils_signal_ping(openshift_t)
+
+openshift_net_type(openshift_app_t)
+openshift_net_type(openshift_t)
+
+optional_policy(`
+	postfix_rw_public_pipes(openshift_t)
+	postfix_manage_spool_maildrop_files(openshift_t)
+')
+
+########################################
+#
+# openshift_cgroup_read local policy
+#
+
+allow openshift_cgroup_read_t self:process { getattr signal_perms };
+allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
+
+kernel_read_system_state(openshift_cgroup_read_t)
+
+term_dontaudit_use_generic_ptys(openshift_cgroup_read_t)
+
+auth_read_passwd(openshift_cgroup_read_t)
+
+miscfiles_read_localization(openshift_cgroup_read_t)
+
+optional_policy(`
+	ssh_use_ptys(openshift_cgroup_read_t)
+')
+
+corecmd_exec_bin(openshift_cgroup_read_t)
+corecmd_exec_shell(openshift_cgroup_read_t)
+
+dev_read_urand(openshift_cgroup_read_t)
+
+domain_use_interactive_fds(openshift_cgroup_read_t)
+
+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
+
+userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
+
+miscfiles_read_generic_certs(openshift_cgroup_read_t)
+
+domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
+role system_r types openshift_cgroup_read_t;
+
+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
+
+fs_list_cgroup_dirs(openshift_cgroup_read_t)
+fs_read_cgroup_files(openshift_cgroup_read_t)
+
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
+
+########################################
+#
+# openshift_net_read local policy
+#
+
+allow openshift_net_read_t self:process { getattr signal_perms };
+allow openshift_net_read_t self:fifo_file rw_fifo_file_perms;
+allow openshift_net_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_net_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
+allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms;
+
+kernel_read_network_state(openshift_net_read_t)
+kernel_read_system_state(openshift_net_read_t)
+
+corecmd_exec_bin(openshift_net_read_t)
+corecmd_exec_shell(openshift_net_read_t)
+
+dev_read_urand(openshift_net_read_t)
+
+domain_use_interactive_fds(openshift_net_read_t)
+
+fs_dontaudit_rw_anon_inodefs_files(openshift_net_read_t)
+
+term_dontaudit_use_generic_ptys(openshift_net_read_t)
+
+auth_read_passwd(openshift_net_read_t)
+
+userdom_use_inherited_user_ptys(openshift_net_read_t)
+
+miscfiles_read_generic_certs(openshift_net_read_t)
+miscfiles_read_localization(openshift_net_read_t)
+
+optional_policy(`
+	ssh_use_ptys(openshift_net_read_t)
+')
+
+domtrans_pattern(openshift_domain, openshift_net_read_exec_t, openshift_net_read_t)
+role system_r types openshift_net_read_t;
+
+allow openshift_domain openshift_net_read_t:process { getattr signal signull sigkill };
+
+allow openshift_net_read_t openshift_var_lib_t:dir list_dir_perms;
+manage_files_pattern(openshift_net_read_t, openshift_var_lib_t, openshift_var_lib_t)
+allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms;
+
+########################################
+#
+# openshift_cron local policy
+#
+allow openshift_cron_t self:capability { dac_read_search dac_override net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
+allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
+allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
+
+append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)
+manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_lnk_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file })
+
+openshift_manage_lib_dirs(openshift_cron_t)
+openshift_manage_lib_files(openshift_cron_t)
+
+kernel_search_network_sysctl(openshift_cron_t)
+kernel_read_network_state(openshift_cron_t)
+kernel_read_system_state(openshift_cron_t)
+
+files_dontaudit_search_all_mountpoints(openshift_cron_t)
+
+corecmd_exec_bin(openshift_cron_t)
+corecmd_exec_shell(openshift_cron_t)
+
+dev_read_raw_memory(openshift_cron_t)
+dev_read_urand(openshift_cron_t)
+
+corenet_udp_bind_generic_node(openshift_cron_t)
+corenet_udp_bind_generic_port(openshift_cron_t)
+
+dev_getattr_fs(openshift_cron_t)
+dev_list_sysfs(openshift_cron_t)
+dev_read_sysfs(openshift_cron_t)
+
+files_getattr_home_dir(openshift_cron_t)
+files_manage_etc_files(openshift_cron_t)
+
+fs_getattr_tmpfs_dirs(openshift_cron_t)
+fs_getattr_all_fs(openshift_cron_t)
+fs_list_hugetlbfs(openshift_cron_t)
+fs_search_cgroup_dirs(openshift_cron_t)
+
+seutil_domtrans_setfiles(openshift_cron_t)
+
+term_getattr_pty_fs(openshift_cron_t)
+term_search_ptys(openshift_cron_t)
+
+auth_use_nsswitch(openshift_cron_t)
+
+miscfiles_read_generic_certs(openshift_cron_t)
+miscfiles_read_hwdata(openshift_cron_t)
+
+sysnet_exec_ifconfig(openshift_cron_t)
+sysnet_read_config(openshift_cron_t)
+
+optional_policy(`
+	dmidecode_exec(openshift_cron_t)
+')
+
+optional_policy(`
+	hostname_exec(openshift_cron_t)
+')
+
+optional_policy(`
+	quota_read_db(openshift_cron_t)
+')
+
+optional_policy(`
+	ssh_domtrans_keygen(openshift_cron_t)
+	ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
+
+tunable_policy(`openshift_use_nfs',`
+        fs_list_auto_mountpoints(openshift_domain)
+	fs_manage_nfs_dirs(openshift_domain)
+	fs_manage_nfs_files(openshift_domain)
+	fs_manage_nfs_symlinks(openshift_domain)
+	fs_exec_nfs_files(openshift_domain)
+')
diff --git a/opensm.fc b/opensm.fc
new file mode 100644
index 0000000000..65511ed7af
--- /dev/null
+++ b/opensm.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/opensm.*    	--	gen_context(system_u:object_r:opensm_unit_file_t,s0)
+
+/usr/libexec/opensm-launch	--	gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/var/cache/opensm(/.*)?		gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm.*  	--	gen_context(system_u:object_r:opensm_log_t,s0)
diff --git a/opensm.if b/opensm.if
new file mode 100644
index 0000000000..45de664777
--- /dev/null
+++ b/opensm.if
@@ -0,0 +1,224 @@
+
+## <summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>
+
+########################################
+## <summary>
+##	Execute opensm in the opensm domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opensm_domtrans',`
+	gen_require(`
+		type opensm_t, opensm_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+## <summary>
+##	Search opensm cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opensm_search_cache',`
+	gen_require(`
+		type opensm_cache_t;
+	')
+
+	allow $1 opensm_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read opensm cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opensm_read_cache_files',`
+	gen_require(`
+		type opensm_cache_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	opensm cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opensm_manage_cache_files',`
+	gen_require(`
+		type opensm_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage opensm cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opensm_manage_cache_dirs',`
+	gen_require(`
+		type opensm_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t)
+')
+
+########################################
+## <summary>
+##	Read opensm's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opensm_read_log',`
+	gen_require(`
+		type opensm_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+
+########################################
+## <summary>
+##	Append to opensm log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opensm_append_log',`
+	gen_require(`
+		type opensm_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+
+########################################
+## <summary>
+##	Manage opensm log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`opensm_manage_log',`
+	gen_require(`
+		type opensm_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, opensm_log_t, opensm_log_t)
+	manage_files_pattern($1, opensm_log_t, opensm_log_t)
+	manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t)
+')
+########################################
+## <summary>
+##	Execute opensm server in the opensm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`opensm_systemctl',`
+	gen_require(`
+		type opensm_t;
+		type opensm_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 opensm_unit_file_t:file read_file_perms;
+	allow $1 opensm_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, opensm_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an opensm environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_admin',`
+	gen_require(`
+		type opensm_t;
+		type opensm_cache_t;
+		type opensm_log_t;
+	    type opensm_unit_file_t;
+	')
+
+	allow $1 opensm_t:process { signal_perms };
+	ps_process_pattern($1, opensm_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 opensm_t:process ptrace;
+    ')
+
+	files_search_var($1)
+	admin_pattern($1, opensm_cache_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, opensm_log_t)
+
+	opensm_systemctl($1)
+	admin_pattern($1, opensm_unit_file_t)
+	allow $1 opensm_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/opensm.te b/opensm.te
new file mode 100644
index 0000000000..81c7870cf5
--- /dev/null
+++ b/opensm.te
@@ -0,0 +1,49 @@
+policy_module(opensm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+type opensm_unit_file_t;
+systemd_unit_file(opensm_unit_file_t)
+
+########################################
+#
+# opensm local policy
+#
+allow opensm_t self:process { signal fork };
+allow opensm_t self:fifo_file rw_fifo_file_perms;
+allow opensm_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, { dir file })
+
+manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file )
+
+kernel_read_system_state(opensm_t)
+
+auth_use_nsswitch(opensm_t)
+
+corenet_ib_access_unlabeled_pkeys(opensm_t)
+corenet_ib_manage_subnet_unlabeled_endports(opensm_t)
+
+corecmd_exec_bin(opensm_t)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband_dev(opensm_t)
+dev_rw_infiniband_mgmt_dev(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
diff --git a/openvpn.fc b/openvpn.fc
index 300213f834..4cdfe097c1 100644
--- a/openvpn.fc
+++ b/openvpn.fc
@@ -1,10 +1,13 @@
 /etc/openvpn(/.*)?	gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/scripts(/.*)?	gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
 /etc/openvpn/ipp\.txt	--	gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
 
 /etc/rc\.d/init\.d/openvpn	--	gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
 
 /usr/sbin/openvpn	--	gen_context(system_u:object_r:openvpn_exec_t,s0)
 
+/var/lib/openvpn(/.*)?  gen_context(system_u:object_r:openvpn_var_lib_t,s0)
+
 /var/log/openvpn-status\.log.*	--	gen_context(system_u:object_r:openvpn_status_t,s0)
 /var/log/openvpn.*	gen_context(system_u:object_r:openvpn_var_log_t,s0)
 
diff --git a/openvpn.if b/openvpn.if
index 6837e9a2bd..8d6e33b005 100644
--- a/openvpn.if
+++ b/openvpn.if
@@ -20,6 +20,25 @@ interface(`openvpn_domtrans',`
 	domtrans_pattern($1, openvpn_exec_t, openvpn_t)
 ')
 
+########################################
+## <summary>
+##	Execute openvpn clients in the
+##	caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`openvpn_exec',`
+	gen_require(`
+		type openvpn_exec_t;
+	')
+
+    can_exec($1, openvpn_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute openvpn clients in the
@@ -123,6 +142,44 @@ interface(`openvpn_read_config',`
 	allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
 ')
 
+####################################
+## <summary>
+##  Connect to openvpn over
+##	a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`openvpn_stream_connect',`
+	gen_require(`
+		type openvpn_t, openvpn_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
+')
+
+########################################
+## <summary>
+##	Read and write to sopenvpn_image devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_noatsecure',`
+	gen_require(`
+		type openvpn_t;
+	')
+
+    allow $1 openvpn_t:process noatsecure;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -147,9 +204,13 @@ interface(`openvpn_admin',`
 		type openvpn_status_t;
 	')
 
-	allow $1 openvpn_t:process { ptrace signal_perms };
+	allow $1 openvpn_t:process signal_perms;
 	ps_process_pattern($1, openvpn_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 openvpn_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
index 63957a3627..91dead6e7f 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -5,6 +5,13 @@ policy_module(openvpn, 1.12.2)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow openvpn to run unconfined scripts
+## </p>
+## </desc>
+gen_tunable(openvpn_run_unconfined, false)
+
 ## <desc>
 ##	<p>
 ##	Determine whether openvpn can
@@ -19,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false)
 ##	connect to the TCP network.
 ##	</p>
 ## </desc>
-gen_tunable(openvpn_can_network_connect, false)
+gen_tunable(openvpn_can_network_connect, true)
 
 attribute_role openvpn_roles;
 
@@ -40,6 +47,9 @@ init_script_file(openvpn_initrc_exec_t)
 type openvpn_status_t;
 logging_log_file(openvpn_status_t)
 
+type openvpn_var_lib_t;
+files_type(openvpn_var_lib_t)
+
 type openvpn_tmp_t;
 files_tmp_file(openvpn_tmp_t)
 
@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
 # Local policy
 #
 
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
 allow openvpn_t self:process { signal getsched setsched };
 allow openvpn_t self:fifo_file rw_fifo_file_perms;
 allow openvpn_t self:unix_dgram_socket sendto;
@@ -63,6 +73,8 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow openvpn_t self:netlink_route_socket nlmsg_write;
 
+dontaudit openvpn_t self:capability2  block_suspend ;
+
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 allow openvpn_t openvpn_etc_t:file read_file_perms;
 allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms;
@@ -73,18 +85,23 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
 allow openvpn_t openvpn_status_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
 
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
+manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+
 allow openvpn_t openvpn_tmp_t:file manage_file_perms;
 files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
 
 manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
 logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
 
 manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
 manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+manage_sock_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { sock_file file dir })
 
 can_exec(openvpn_t, openvpn_etc_t)
 
@@ -97,7 +114,6 @@ kernel_request_load_module(openvpn_t)
 corecmd_exec_bin(openvpn_t)
 corecmd_exec_shell(openvpn_t)
 
-corenet_all_recvfrom_unlabeled(openvpn_t)
 corenet_all_recvfrom_netlabel(openvpn_t)
 corenet_tcp_sendrecv_generic_if(openvpn_t)
 corenet_udp_sendrecv_generic_if(openvpn_t)
@@ -117,13 +133,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
 corenet_sendrecv_http_server_packets(openvpn_t)
 corenet_tcp_bind_http_port(openvpn_t)
 corenet_sendrecv_http_client_packets(openvpn_t)
+corenet_tcp_connect_squid_port(openvpn_t)
 corenet_tcp_connect_http_port(openvpn_t)
 corenet_tcp_sendrecv_http_port(openvpn_t)
-
 corenet_sendrecv_http_cache_client_packets(openvpn_t)
 corenet_tcp_connect_http_cache_port(openvpn_t)
 corenet_tcp_sendrecv_http_cache_port(openvpn_t)
 
+corenet_tcp_connect_tor_port(openvpn_t)
+
 corenet_rw_tun_tap_dev(openvpn_t)
 
 dev_read_rand(openvpn_t)
@@ -132,21 +150,31 @@ files_read_etc_runtime_files(openvpn_t)
 
 fs_getattr_all_fs(openvpn_t)
 fs_search_auto_mountpoints(openvpn_t)
+fs_list_cgroup_dirs(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
-miscfiles_read_localization(openvpn_t)
+logging_send_syslog_msg(openvpn_t)
+
 miscfiles_read_all_certs(openvpn_t)
 
+sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
 sysnet_manage_config(openvpn_t)
 sysnet_etc_filetrans_config(openvpn_t)
 sysnet_use_ldap(openvpn_t)
 
-userdom_use_user_terminals(openvpn_t)
+systemd_passwd_agent_domtrans(openvpn_t)
+systemd_manage_passwd_run(openvpn_t)
+
+userdom_use_inherited_user_terminals(openvpn_t)
+userdom_read_home_certs(openvpn_t)
+userdom_attach_admin_tun_iface(openvpn_t)
+userdom_read_inherited_user_tmp_files(openvpn_t)
+userdom_read_inherited_user_home_content_files(openvpn_t)
 
 tunable_policy(`openvpn_enable_homedirs',`
-	userdom_read_user_home_content_files(openvpn_t)
+	userdom_search_user_home_dirs(openvpn_t)
 ')
 
 tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
@@ -163,10 +191,20 @@ tunable_policy(`openvpn_can_network_connect',`
 	corenet_tcp_sendrecv_all_ports(openvpn_t)
 ')
 
+optional_policy(`
+	brctl_domtrans(openvpn_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
 ')
 
+optional_policy(`
+    networkmanager_stream_connect(openvpn_t)
+    networkmanager_manage_pid_files(openvpn_t)
+    networkmanager_manage_pid_sock_files(openvpn_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
@@ -175,3 +213,27 @@ optional_policy(`
 		networkmanager_dbus_chat(openvpn_t)
 	')
 ')
+
+optional_policy(`
+	unconfined_attach_tun_iface(openvpn_t)
+')
+
+type openvpn_unconfined_script_t;
+type openvpn_unconfined_script_exec_t;
+domain_type(openvpn_unconfined_script_t)
+domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t)
+corecmd_shell_entry_type(openvpn_unconfined_script_t)
+role system_r types openvpn_unconfined_script_t;
+
+allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms;
+allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl;
+
+optional_policy(`
+	unconfined_domain(openvpn_unconfined_script_t)
+')
+
+tunable_policy(`openvpn_run_unconfined',`
+		domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t)
+',`
+	can_exec(openvpn_t, openvpn_unconfined_script_exec_t)
+')
diff --git a/openvswitch.fc b/openvswitch.fc
index 45d7cc5080..c5b9607c12 100644
--- a/openvswitch.fc
+++ b/openvswitch.fc
@@ -1,12 +1,16 @@
-/etc/rc\.d/init\.d/openvswitch	--	gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
+/usr/lib/systemd/system/openvswitch.service		--	gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
 
-/etc/openvswitch(/.*)?	gen_context(system_u:object_r:openvswitch_conf_t,s0)
+/usr/share/openvswitch/scripts/ovs-ctl --	gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-vsctl		--	gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-ctl		--	gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-server		--	gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovs-vswitchd		--	gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-appctl		--	gen_context(system_u:object_r:openvswitch_exec_t,s0)
 
-/usr/share/openvswitch/scripts/ovs-ctl	--	gen_context(system_u:object_r:openvswitch_exec_t,s0)
-/usr/share/openvswitch/scripts/openvswitch\.init	--	gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/var/lib/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
 
-/var/lib/openvswitch(/.*)?	gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
+/var/log/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_log_t,s0)
 
-/var/log/openvswitch(/.*)?	gen_context(system_u:object_r:openvswitch_log_t,s0)
+/var/run/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_var_run_t,s0)
 
-/var/run/openvswitch(/.*)?	gen_context(system_u:object_r:openvswitch_var_run_t,s0)
+/etc/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_rw_t,s0)
diff --git a/openvswitch.if b/openvswitch.if
index 9b157305b1..cb00f200a4 100644
--- a/openvswitch.if
+++ b/openvswitch.if
@@ -1,13 +1,14 @@
-## <summary>Multilayer virtual switch.</summary>
+
+## <summary>policy for openvswitch</summary>
 
 ########################################
 ## <summary>
-##	Execute openvswitch in the openvswitch domain.
+##	Execute TEMPLATE in the openvswitch domin.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`openvswitch_domtrans',`
@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
 ')
+########################################
+## <summary>
+##	Read openvswitch's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvswitch_read_log',`
+	gen_require(`
+		type openvswitch_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
+
+########################################
+## <summary>
+##	Append to openvswitch log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvswitch_append_log',`
+	gen_require(`
+		type openvswitch_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
 
 ########################################
 ## <summary>
-##	Read openvswitch pid files.
+##	Manage openvswitch log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvswitch_manage_log',`
+	gen_require(`
+		type openvswitch_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
+	manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+	manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
+')
+
+########################################
+## <summary>
+##	Search openvswitch lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvswitch_search_lib',`
+	gen_require(`
+		type openvswitch_var_lib_t;
+	')
+
+	allow $1 openvswitch_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read openvswitch lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvswitch_read_lib_files',`
+	gen_require(`
+		type openvswitch_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage openvswitch lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvswitch_manage_lib_files',`
+	gen_require(`
+		type openvswitch_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage openvswitch lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvswitch_manage_lib_dirs',`
+	gen_require(`
+		type openvswitch_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read openvswitch PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -40,44 +176,87 @@ interface(`openvswitch_read_pid_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an openvswitch environment.
+##	Allow stream connect to openvswitch.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+
+interface(`openvswitch_stream_connect',`
+    gen_require(`
+            type openvswitch_t, openvswitch_var_run_t;
+                ')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
+')
+
+########################################
+## <summary>
+##	Execute openvswitch server in the openvswitch domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`openvswitch_systemctl',`
+	gen_require(`
+		type openvswitch_t;
+		type openvswitch_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 openvswitch_unit_file_t:file read_file_perms;
+	allow $1 openvswitch_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, openvswitch_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an openvswitch environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`openvswitch_admin',`
 	gen_require(`
-		type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
-		type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
+		type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
+		type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
 	')
 
 	allow $1 openvswitch_t:process { ptrace signal_perms };
 	ps_process_pattern($1, openvswitch_t)
 
-	init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 openvswitch_initrc_exec_t system_r;
-	allow $2 system_r;
+	logging_search_logs($1)
+	admin_pattern($1, openvswitch_rw_t)
 
-	files_search_etc($1)
-	admin_pattern($1, openvswitch_conf_t)
+	logging_search_logs($1)
+	admin_pattern($1, openvswitch_log_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, openvswitch_var_lib_t)
 
-	logging_search_logs($1)
-	admin_pattern($1, openvswitch_log_t)
-
 	files_search_pids($1)
 	admin_pattern($1, openvswitch_var_run_t)
+
+	openvswitch_systemctl($1)
+	admin_pattern($1, openvswitch_unit_file_t)
+	allow $1 openvswitch_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/openvswitch.te b/openvswitch.te
index 44dbc99ab8..f2c2370993 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
 type openvswitch_exec_t;
 init_daemon_domain(openvswitch_t, openvswitch_exec_t)
 
-type openvswitch_initrc_exec_t;
-init_script_file(openvswitch_initrc_exec_t)
-
-type openvswitch_conf_t;
-files_config_file(openvswitch_conf_t)
+type openvswitch_rw_t;
+files_config_file(openvswitch_rw_t)
 
 type openvswitch_var_lib_t;
 files_type(openvswitch_var_lib_t)
@@ -27,20 +24,31 @@ files_tmp_file(openvswitch_tmp_t)
 type openvswitch_var_run_t;
 files_pid_file(openvswitch_var_run_t)
 
+type openvswitch_unit_file_t;
+systemd_unit_file(openvswitch_unit_file_t)
+
 ########################################
 #
-# Local policy
+# openvswitch local policy
 #
 
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
-allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:capability { dac_override dac_read_search net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+allow openvswitch_t self:capability2 block_suspend;
+allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
 allow openvswitch_t self:fifo_file rw_fifo_file_perms;
-allow openvswitch_t self:rawip_socket create_socket_perms;
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:tcp_socket create_stream_socket_perms;
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
+allow openvswitch_t self:netlink_generic_socket create_socket_perms;
+allow openvswitch_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow openvswitch_t self:system { module_load };
+
+can_exec(openvswitch_t, openvswitch_exec_t)
 
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 
 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
@@ -48,50 +56,103 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
 files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
 
 manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
 
 manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
 manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
 manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
+manage_sock_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir sock_file })
 
 manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-
-can_exec(openvswitch_t, openvswitch_exec_t)
+files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
 
+kernel_load_module(openvswitch_t)
 kernel_read_network_state(openvswitch_t)
 kernel_read_system_state(openvswitch_t)
+kernel_request_load_module(openvswitch_t)
+files_map_kernel_modules(openvswitch_t)
+kernel_read_net_sysctls(openvswitch_t)
 
-corenet_all_recvfrom_unlabeled(openvswitch_t)
-corenet_all_recvfrom_netlabel(openvswitch_t)
-corenet_raw_sendrecv_generic_if(openvswitch_t)
-corenet_raw_sendrecv_generic_node(openvswitch_t)
+corenet_tcp_connect_xodbc_connect_port(openvswitch_t)
+corenet_tcp_connect_ovsdb_port(openvswitch_t)
+corenet_tcp_connect_openflow_port(openvswitch_t)
+corenet_tcp_connect_openvswitch_port(openvswitch_t)
+corenet_tcp_bind_generic_node(openvswitch_t)
+corenet_tcp_bind_openvswitch_port(openvswitch_t)
 
 corecmd_exec_bin(openvswitch_t)
+corecmd_exec_shell(openvswitch_t)
 
+dev_read_rand(openvswitch_t)
 dev_read_urand(openvswitch_t)
+dev_rw_sysfs(openvswitch_t)
+dev_rw_vfio_dev(openvswitch_t)
+corenet_rw_tun_tap_dev(openvswitch_t)
+dev_rw_infiniband_dev(openvswitch_t)
+dev_read_cpuid(openvswitch_t)
 
 domain_use_interactive_fds(openvswitch_t)
 
-files_read_etc_files(openvswitch_t)
+files_read_kernel_modules(openvswitch_t)
+files_load_kernel_modules(openvswitch_t)
 
 fs_getattr_all_fs(openvswitch_t)
 fs_search_cgroup_dirs(openvswitch_t)
+fs_manage_hugetlbfs_files(openvswitch_t)
+fs_manage_hugetlbfs_dirs(openvswitch_t)
+
+auth_use_nsswitch(openvswitch_t)
 
 logging_send_syslog_msg(openvswitch_t)
 
-miscfiles_read_localization(openvswitch_t)
+init_read_script_state(openvswitch_t)
+
+modutils_exec_insmod(openvswitch_t)
+modutils_list_module_config(openvswitch_t)
+modutils_read_module_config(openvswitch_t)
+modutils_read_module_deps(openvswitch_t)
 
 sysnet_dns_name_resolve(openvswitch_t)
 
+logging_send_audit_msgs(openvswitch_t)
+
+write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)
+
+storage_rw_inherited_fixed_disk_dev(openvswitch_t)
+
+optional_policy(`
+    hostname_exec(openvswitch_t)
+')
+
 optional_policy(`
 	iptables_domtrans(openvswitch_t)
 ')
+
+optional_policy(`
+    plymouthd_exec_plymouth(openvswitch_t)
+')
+
+optional_policy(`
+    neutron_read_state(openvswitch_t)
+')
+
+optional_policy(`
+    networkmanager_read_state(openvswitch_t)
+')
+
+optional_policy(`
+    virt_svirt_manage_tmp(openvswitch_t)
+    virt_rw_svirt_image(openvswitch_t)
+    virt_stream_connect_svirt(openvswitch_t)
+    virt_rw_stream_sockets_svirt(openvswitch_t)
+')
+
+optional_policy(`
+    seutil_domtrans_setfiles(openvswitch_t)
+')
diff --git a/openwsman.fc b/openwsman.fc
new file mode 100644
index 0000000000..00d0643d9f
--- /dev/null
+++ b/openwsman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/openwsmand.*		--	gen_context(system_u:object_r:openwsman_unit_file_t,s0)
+
+/usr/sbin/openwsmand		--	gen_context(system_u:object_r:openwsman_exec_t,s0)
+
+/var/log/wsmand.*	--	gen_context(system_u:object_r:openwsman_log_t,s0)
+
+/var/run/wsmand.*	--	gen_context(system_u:object_r:openwsman_run_t,s0)
diff --git a/openwsman.if b/openwsman.if
new file mode 100644
index 0000000000..747853a1ac
--- /dev/null
+++ b/openwsman.if
@@ -0,0 +1,79 @@
+## <summary>WS-Management Server</summary>
+
+########################################
+## <summary>
+##	Execute openwsman in the openwsman domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`openwsman_domtrans',`
+	gen_require(`
+		type openwsman_t, openwsman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, openwsman_exec_t, openwsman_t)
+')
+########################################
+## <summary>
+##	Execute openwsman server in the openwsman domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`openwsman_systemctl',`
+	gen_require(`
+		type openwsman_t;
+		type openwsman_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 openwsman_unit_file_t:file read_file_perms;
+	allow $1 openwsman_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, openwsman_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an openwsman environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openwsman_admin',`
+	gen_require(`
+		type openwsman_t;
+	    type openwsman_unit_file_t;
+	')
+
+	allow $1 openwsman_t:process { signal_perms };
+	ps_process_pattern($1, openwsman_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 openwsman_t:process ptrace;
+    ')
+
+	openwsman_systemctl($1)
+	admin_pattern($1, openwsman_unit_file_t)
+	allow $1 openwsman_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
index 0000000000..3bcd32cdf7
--- /dev/null
+++ b/openwsman.te
@@ -0,0 +1,74 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openwsman_t;
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
+type openwsman_run_t;
+files_pid_file(openwsman_run_t)
+
+type openwsman_unit_file_t;
+systemd_unit_file(openwsman_unit_file_t)
+
+########################################
+#
+# openwsman local policy
+#
+
+allow openwsman_t self:capability setuid;
+
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
+manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+    sblim_stream_connect_sfcbd(openwsman_t)
+    sblim_rw_semaphores_sfcbd(openwsman_t)
+    sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+    unconfined_domain(openwsman_t)
+')
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
index 0000000000..5655facf09
--- /dev/null
+++ b/oracleasm.fc
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/oracleasm	--	gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
+
+/etc/sysconfig/oracleasm(/.*)?	gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/etc/sysconfig/oracleasm-_dev_oracleasm		--	gen_context(system_u:object_r:oracleasm_conf_t,s0)
+
+/usr/sbin/oracleasm		--	gen_context(system_u:object_r:oracleasm_exec_t,s0)
diff --git a/oracleasm.if b/oracleasm.if
new file mode 100644
index 0000000000..6ae382cb90
--- /dev/null
+++ b/oracleasm.if
@@ -0,0 +1,75 @@
+
+## <summary>policy for oracleasm</summary>
+
+########################################
+## <summary>
+##	Transition to oracleasm.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oracleasm_domtrans',`
+	gen_require(`
+		type oracleasm_t, oracleasm_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
+')
+
+
+########################################
+## <summary>
+##	Execute oracleasm server in the oracleasm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`oracleasm_initrc_domtrans',`
+	gen_require(`
+		type oracleasm_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an oracleasm environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`oracleasm_admin',`
+	gen_require(`
+		type oracleasm_t;
+	type oracleasm_initrc_exec_t;
+	')
+
+	allow $1 oracleasm_t:process { ptrace signal_perms };
+	ps_process_pattern($1, oracleasm_t)
+
+	oracleasm_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 oracleasm_initrc_exec_t system_r;
+	allow $2 system_r;
+
+')
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
index 0000000000..76250e0c66
--- /dev/null
+++ b/oracleasm.te
@@ -0,0 +1,67 @@
+policy_module(oracleasm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oracleasm_t;
+type oracleasm_exec_t;
+init_daemon_domain(oracleasm_t, oracleasm_exec_t)
+
+type oracleasm_initrc_exec_t;
+init_script_file(oracleasm_initrc_exec_t)
+
+type oracleasm_tmp_t;
+files_tmp_file(oracleasm_tmp_t)
+
+type oracleasm_conf_t;
+files_config_file(oracleasm_conf_t)
+
+########################################
+#
+# oracleasm local policy
+#
+
+allow oracleasm_t self:capability { dac_read_search dac_override fsetid fowner chown };
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit oracleasm_t self:capability { sys_admin };
+
+allow oracleasm_t oracleasm_conf_t:file manage_file_perms;
+allow oracleasm_t oracleasm_conf_t:dir manage_dir_perms;
+
+manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t)
+files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir })
+
+kernel_read_system_state(oracleasm_t)
+
+auth_read_passwd(oracleasm_t)
+
+dev_rw_sysfs(oracleasm_t)
+
+domain_use_interactive_fds(oracleasm_t)
+
+corecmd_exec_shell(oracleasm_t)
+corecmd_exec_bin(oracleasm_t)
+
+fs_getattr_xattr_fs(oracleasm_t)
+fs_list_oracleasmfs(oracleasm_t)
+fs_getattr_oracleasmfs(oracleasm_t)
+fs_getattr_oracleasmfs_fs(oracleasm_t)
+fs_setattr_oracleasmfs(oracleasm_t)
+fs_setattr_oracleasmfs_dirs(oracleasm_t)
+fs_manage_oracleasm(oracleasm_t)
+
+storage_raw_read_fixed_disk(oracleasm_t)
+storage_raw_read_removable_device(oracleasm_t)
+storage_rw_inherited_fixed_disk_dev(oracleasm_t)
+
+optional_policy(`
+    mount_domtrans(oracleasm_t)
+')
+
+optional_policy(`
+    modutils_domtrans_insmod(oracleasm_t)
+')
diff --git a/osad.fc b/osad.fc
new file mode 100644
index 0000000000..cf911d54ea
--- /dev/null
+++ b/osad.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/osad	--	gen_context(system_u:object_r:osad_initrc_exec_t,s0)
+
+/usr/sbin/osad		--	gen_context(system_u:object_r:osad_exec_t,s0)
+
+/var/log/osad.*		--	gen_context(system_u:object_r:osad_log_t,s0)
+
+/var/run/osad.*		--	gen_context(system_u:object_r:osad_var_run_t,s0)
diff --git a/osad.if b/osad.if
new file mode 100644
index 0000000000..05648bd2a2
--- /dev/null
+++ b/osad.if
@@ -0,0 +1,165 @@
+
+## <summary>Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher. </summary>
+
+########################################
+## <summary>
+##	Execute osad in the osad domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`osad_domtrans',`
+	gen_require(`
+		type osad_t, osad_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, osad_exec_t, osad_t)
+')
+
+########################################
+## <summary>
+##	Execute osad server in the osad domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`osad_initrc_domtrans',`
+	gen_require(`
+		type osad_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, osad_initrc_exec_t)
+')
+########################################
+## <summary>
+##	Read osad's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`osad_read_log',`
+	gen_require(`
+		type osad_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, osad_log_t, osad_log_t)
+')
+
+########################################
+## <summary>
+##	Append to osad log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`osad_append_log',`
+	gen_require(`
+		type osad_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, osad_log_t, osad_log_t)
+')
+
+########################################
+## <summary>
+##	Manage osad log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`osad_manage_log',`
+	gen_require(`
+		type osad_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, osad_log_t, osad_log_t)
+	manage_files_pattern($1, osad_log_t, osad_log_t)
+	manage_lnk_files_pattern($1, osad_log_t, osad_log_t)
+')
+########################################
+## <summary>
+##	Read osad PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`osad_read_pid_files',`
+	gen_require(`
+		type osad_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, osad_var_run_t, osad_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an osad environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`osad_admin',`
+	gen_require(`
+		type osad_t;
+		type osad_initrc_exec_t;
+		type osad_log_t;
+		type osad_var_run_t;
+	')
+
+	allow $1 osad_t:process { signal_perms };
+	ps_process_pattern($1, osad_t)
+
+    	tunable_policy(`deny_ptrace',`',`
+        	allow $1 osad_t:process ptrace;
+    	')
+
+	osad_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 osad_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_search_logs($1)
+	admin_pattern($1, osad_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, osad_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/osad.te b/osad.te
new file mode 100644
index 0000000000..6c2f264423
--- /dev/null
+++ b/osad.te
@@ -0,0 +1,56 @@
+policy_module(osad, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type osad_t;
+type osad_exec_t;
+init_daemon_domain(osad_t, osad_exec_t)
+
+type osad_initrc_exec_t;
+init_script_file(osad_initrc_exec_t)
+
+type osad_log_t;
+logging_log_file(osad_log_t)
+
+type osad_var_run_t;
+files_pid_file(osad_var_run_t)
+
+########################################
+#
+# osad local policy
+#
+
+allow osad_t self:process setpgid;
+
+manage_files_pattern(osad_t, osad_log_t, osad_log_t)
+logging_log_filetrans(osad_t, osad_log_t, file)
+
+manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t)
+files_pid_filetrans(osad_t, osad_var_run_t, file)
+
+kernel_read_system_state(osad_t)
+
+corecmd_exec_bin(osad_t)
+
+corenet_tcp_connect_http_port(osad_t)
+corenet_tcp_connect_jabber_client_port(osad_t)
+
+dev_read_urand(osad_t)
+
+auth_use_nsswitch(osad_t)
+
+optional_policy(`
+    gnome_dontaudit_search_config(osad_t)
+')
+
+optional_policy(`
+    rhnsd_manage_config(osad_t)
+')
+
+# execute rhn_check
+optional_policy(`
+    rpm_domtrans(osad_t)
+')
diff --git a/pacemaker.fc b/pacemaker.fc
index 2f0ad56d67..d4da0b8d00 100644
--- a/pacemaker.fc
+++ b/pacemaker.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/pacemaker	--	gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/pacemaker.*	--	gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
+
 /usr/sbin/pacemakerd	--	gen_context(system_u:object_r:pacemaker_exec_t,s0)
 
 /var/lib/heartbeat/crm(/.*)?	gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff --git a/pacemaker.if b/pacemaker.if
index 9682d9af84..f1f421f9e4 100644
--- a/pacemaker.if
+++ b/pacemaker.if
@@ -1,9 +1,167 @@
-## <summary>A scalable high-availability cluster resource manager.</summary>
+## <summary>>A scalable high-availability cluster resource manager.</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an pacemaker environment.
+##	Transition to pacemaker.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pacemaker_domtrans',`
+	gen_require(`
+		type pacemaker_t, pacemaker_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
+')
+
+########################################
+## <summary>
+##	Execute pacemaker server in the pacemaker domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pacemaker_initrc_domtrans',`
+	gen_require(`
+		type pacemaker_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Search pacemaker lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pacemaker_search_lib',`
+	gen_require(`
+		type pacemaker_var_lib_t;
+	')
+
+	allow $1 pacemaker_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read pacemaker lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pacemaker_read_lib_files',`
+	gen_require(`
+		type pacemaker_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage pacemaker lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pacemaker_manage_lib_files',`
+	gen_require(`
+		type pacemaker_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage pacemaker lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pacemaker_manage_lib_dirs',`
+	gen_require(`
+		type pacemaker_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read pacemaker PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pacemaker_read_pid_files',`
+	gen_require(`
+		type pacemaker_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 pacemaker_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute pacemaker server in the pacemaker domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pacemaker_systemctl',`
+	gen_require(`
+		type pacemaker_t;
+		type pacemaker_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 pacemaker_unit_file_t:file read_file_perms;
+	allow $1 pacemaker_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, pacemaker_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an pacemaker environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -19,14 +177,17 @@
 #
 interface(`pacemaker_admin',`
 	gen_require(`
-		type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
+		type pacemaker_t;
+		type pacemaker_initrc_exec_t;
+		type pacemaker_var_lib_t;
 		type pacemaker_var_run_t;
+		type pacemaker_unit_file_t;
 	')
 
 	allow $1 pacemaker_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pacemaker_t)
 
-	init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+	pacemaker_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 pacemaker_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -36,4 +197,13 @@ interface(`pacemaker_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, pacemaker_var_run_t)
+
+	pacemaker_systemctl($1)
+	admin_pattern($1, pacemaker_unit_file_t)
+	allow $1 pacemaker_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/pacemaker.te b/pacemaker.te
index 6e6efb6421..d56c04963a 100644
--- a/pacemaker.te
+++ b/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow pacemaker memcheck-amd64- to use executable memory
+## </p>
+## </desc>
+gen_tunable(pacemaker_use_execmem, false)
+
 type pacemaker_t;
 type pacemaker_exec_t;
 init_daemon_domain(pacemaker_t, pacemaker_exec_t)
@@ -12,31 +19,36 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
 type pacemaker_initrc_exec_t;
 init_script_file(pacemaker_initrc_exec_t)
 
+type pacemaker_var_lib_t;
+files_type(pacemaker_var_lib_t)
+
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
 type pacemaker_tmp_t;
 files_tmp_file(pacemaker_tmp_t)
 
 type pacemaker_tmpfs_t;
 files_tmpfs_file(pacemaker_tmpfs_t)
 
-type pacemaker_var_lib_t;
-files_type(pacemaker_var_lib_t)
-
-type pacemaker_var_run_t;
-files_pid_file(pacemaker_var_run_t)
+type pacemaker_unit_file_t;
+systemd_unit_file(pacemaker_unit_file_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search dac_override setuid };
+allow pacemaker_t self:capability2 block_suspend;
 allow pacemaker_t self:process { setrlimit signal setpgid };
 allow pacemaker_t self:fifo_file rw_fifo_file_perms;
 allow pacemaker_t self:unix_stream_socket { connectto accept listen };
 
 manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
 manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
+manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir })
 
 manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
 manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t)
 corecmd_exec_bin(pacemaker_t)
 corecmd_exec_shell(pacemaker_t)
 
+domain_use_interactive_fds(pacemaker_t)
+domain_read_all_domains_state(pacemaker_t)
+
 dev_getattr_mtrr_dev(pacemaker_t)
 dev_read_rand(pacemaker_t)
 dev_read_urand(pacemaker_t)
 
-domain_read_all_domains_state(pacemaker_t)
-domain_use_interactive_fds(pacemaker_t)
-
 files_read_kernel_symbol_table(pacemaker_t)
 
 fs_getattr_all_fs(pacemaker_t)
@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
 
 logging_send_syslog_msg(pacemaker_t)
 
-miscfiles_read_localization(pacemaker_t)
+sysnet_domtrans_ifconfig(pacemaker_t)
+
+tunable_policy(`pacemaker_use_execmem',`
+    allow pacemaker_t self:process { execmem };
+')
 
 optional_policy(`
 	corosync_read_log(pacemaker_t)
+	corosync_setattr_log(pacemaker_t)
 	corosync_stream_connect(pacemaker_t)
+	corosync_rw_tmpfs(pacemaker_t)
+')
+
+optional_policy(`
+	#executes heartbeat lib files
+	rgmanager_execute_lib(pacemaker_t)
 ')
diff --git a/pads.if b/pads.if
index 6e097c9194..503c97a2d9 100644
--- a/pads.if
+++ b/pads.if
@@ -17,15 +17,19 @@
 ## </param>
 ## <rolecap/>
 #
-interface(`pads_admin', `
+interface(`pads_admin',`
 	gen_require(`
 		type pads_t, pads_config_t, pads_var_run_t;
 		type pads_initrc_exec_t;
 	')
 
-	allow $1 pads_t:process { ptrace signal_perms };
+	allow $1 pads_t:process signal_perms;
 	ps_process_pattern($1, pads_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 pads_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, pads_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 pads_initrc_exec_t system_r;
diff --git a/pads.te b/pads.te
index 078adc4783..f0c65e5dec 100644
--- a/pads.te
+++ b/pads.te
@@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t)
 # Declarations
 #
 
-allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:capability { dac_read_search  dac_override net_raw };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
 allow pads_t self:packet_socket create_socket_perms;
 allow pads_t self:socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
 
 allow pads_t pads_config_t:file manage_file_perms;
 files_etc_filetrans(pads_t, pads_config_t, file)
@@ -39,7 +42,6 @@ kernel_read_network_state(pads_t)
 
 corecmd_search_bin(pads_t)
 
-corenet_all_recvfrom_unlabeled(pads_t)
 corenet_all_recvfrom_netlabel(pads_t)
 corenet_tcp_sendrecv_generic_if(pads_t)
 corenet_tcp_sendrecv_generic_node(pads_t)
@@ -52,11 +54,8 @@ dev_read_rand(pads_t)
 dev_read_urand(pads_t)
 dev_read_sysfs(pads_t)
 
-files_read_etc_files(pads_t)
 files_search_spool(pads_t)
 
-miscfiles_read_localization(pads_t)
-
 logging_send_syslog_msg(pads_t)
 
 sysnet_dns_name_resolve(pads_t)
diff --git a/passenger.fc b/passenger.fc
index 2c389ea7cc..9155bd0dd4 100644
--- a/passenger.fc
+++ b/passenger.fc
@@ -1,10 +1,12 @@
-/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable	--	gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog	--	gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent	--	gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent	--	gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/Passenger.*	-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/ApplicationPoolServerExecutable	--  gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/Passenger.*	-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/ApplicationPoolServerExecutable  --  gen_context(system_u:object_r:passenger_exec_t,s0)	
 
-/var/lib/passenger(/.*)?	gen_context(system_u:object_r:passenger_var_lib_t,s0)
+/usr/share/.*/gems/.*/helper-scripts/prespawn	--	gen_context(system_u:object_r:passenger_exec_t,s0)
 
-/var/log/passenger.*	gen_context(system_u:object_r:passenger_log_t,s0)
+/var/lib/passenger(/.*)?		gen_context(system_u:object_r:passenger_var_lib_t,s0)
 
-/var/run/passenger(/.*)?	gen_context(system_u:object_r:passenger_var_run_t,s0)
+/var/log/passenger.*			gen_context(system_u:object_r:passenger_log_t,s0)
+
+/var/run/passenger(/.*)?		gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
index bf59ef7312..0e333279cd 100644
--- a/passenger.if
+++ b/passenger.if
@@ -15,17 +15,17 @@ interface(`passenger_domtrans',`
 		type passenger_t, passenger_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, passenger_exec_t, passenger_t)
+	allow passenger_t $1:unix_stream_socket { accept getattr read write };
 ')
 
 ######################################
 ## <summary>
-##	Execute passenger in the caller domain.
+##	Execute passenger in the current domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
@@ -34,13 +34,30 @@ interface(`passenger_exec',`
 		type passenger_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, passenger_exec_t)
 ')
 
+#######################################
+## <summary>
+##  Getattr passenger log files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`passenger_getattr_log_files',`
+    gen_require(`
+        type passenger_log_t;
+    ')
+
+    getattr_files_pattern($1, passenger_log_t, passenger_log_t)
+')
+
 ########################################
 ## <summary>
-##	Read passenger lib files.
+##	Read passenger lib files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -53,6 +70,112 @@ interface(`passenger_read_lib_files',`
 		type passenger_var_lib_t;
 	')
 
-	files_search_var_lib($1)
 	read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+	read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Manage passenger lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`passenger_manage_lib_files',`
+	gen_require(`
+		type passenger_var_lib_t;
+	')
+
+	manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+	manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+	manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+	files_search_var_lib($1)
 ')
+
+#####################################
+## <summary>
+##  Manage passenger var_run content.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`passenger_manage_pid_content',`
+    gen_require(`
+        type passenger_var_run_t;
+    ')
+
+    files_search_pids($1)
+    manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
+    manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+    manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+    manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
+
+########################################
+## <summary>
+##	Connect to passenger unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`passenger_stream_connect',`
+	gen_require(`
+		type passenger_t;
+		type passenger_tmp_t;
+		type passenger_var_run_t;
+	')
+
+
+
+	stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
+	stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
+')
+
+#######################################
+## <summary>
+##  Allow to manage passenger tmp files/dirs.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`passenger_manage_tmp_files',`
+    gen_require(`
+        type passenger_tmp_t;
+    ')
+
+    files_search_tmp($1)
+	manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
+	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
+')
+
+########################################
+## <summary>
+##	Send kill signals to passenger.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`passenger_kill',`
+	gen_require(`
+		type passenger_t;
+	')
+
+	allow $1 passenger_t:process sigkill;
+')
+
diff --git a/passenger.te b/passenger.te
index 08ec33bf21..175a4ed46d 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.1.1)
+policy_module(passenger, 1.1.1)
 
 ########################################
 #
@@ -14,6 +14,9 @@ role system_r types passenger_t;
 type passenger_log_t;
 logging_log_file(passenger_log_t)
 
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
 type passenger_var_lib_t;
 files_type(passenger_var_lib_t)
 
@@ -22,22 +25,25 @@ files_pid_file(passenger_var_run_t)
 
 ########################################
 #
-# Local policy
+# passanger local policy
 #
 
-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
-allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:capability { chown dac_read_search dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+allow passenger_t self:capability2 block_suspend;
+allow passenger_t self:process { setpgid setsched getsession signal_perms };
 allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:unix_stream_socket { accept connectto listen };
+allow passenger_t self:tcp_socket { accept listen };
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+can_exec(passenger_t, passenger_exec_t)
 
 manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
-append_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-create_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-logging_log_filetrans(passenger_t, passenger_log_t, file)
+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, { dir file })
 
 manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
 manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+files_search_var_lib(passenger_t)
 
 manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
 manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
@@ -45,7 +51,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
 manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
 files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
 
-can_exec(passenger_t, passenger_exec_t)
+#needed by puppet
+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
 
 kernel_read_system_state(passenger_t)
 kernel_read_kernel_sysctls(passenger_t)
@@ -53,13 +63,11 @@ kernel_read_network_state(passenger_t)
 kernel_read_net_sysctls(passenger_t)
 
 corenet_all_recvfrom_netlabel(passenger_t)
-corenet_all_recvfrom_unlabeled(passenger_t)
 corenet_tcp_sendrecv_generic_if(passenger_t)
 corenet_tcp_sendrecv_generic_node(passenger_t)
-
-corenet_sendrecv_http_client_packets(passenger_t)
 corenet_tcp_connect_http_port(passenger_t)
-corenet_tcp_sendrecv_http_port(passenger_t)
+corenet_tcp_connect_postgresql_port(passenger_t)
+corenet_tcp_connect_mysqld_port(passenger_t)
 
 corecmd_exec_bin(passenger_t)
 corecmd_exec_shell(passenger_t)
@@ -68,10 +76,10 @@ dev_read_urand(passenger_t)
 
 domain_read_all_domains_state(passenger_t)
 
-files_read_etc_files(passenger_t)
-
 auth_use_nsswitch(passenger_t)
 
+fs_getattr_xattr_fs(passenger_t)
+
 logging_send_syslog_msg(passenger_t)
 
 miscfiles_read_localization(passenger_t)
@@ -83,6 +91,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
 optional_policy(`
 	apache_append_log(passenger_t)
 	apache_read_sys_content(passenger_t)
+    apache_rw_stream_sockets(passenger_t)
 ')
 
 optional_policy(`
@@ -94,14 +103,21 @@ optional_policy(`
 ')
 
 optional_policy(`
-	puppet_manage_lib_files(passenger_t)
+    mysql_stream_connect(passenger_t)
+    mysql_list_db(passenger_t)
+')
+
+optional_policy(`
+	puppet_domtrans_master(passenger_t)
+	puppet_manage_lib(passenger_t)
 	puppet_read_config(passenger_t)
-	puppet_append_log_files(passenger_t)
-	puppet_create_log_files(passenger_t)
-	puppet_read_log_files(passenger_t)
+	puppet_append_log(passenger_t)
+	puppet_create_log(passenger_t)
+	puppet_read_log(passenger_t)
+	puppet_search_pid(passenger_t)
 ')
 
 optional_policy(`
-	rpm_exec(passenger_t)
-	rpm_read_db(passenger_t)
+    rpm_exec(passenger_t)
+    rpm_read_db(passenger_t)
 ')
diff --git a/pcmcia.te b/pcmcia.te
index 8176e4aa4b..2df178919a 100644
--- a/pcmcia.te
+++ b/pcmcia.te
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
 
 logging_send_syslog_msg(cardmgr_t)
 
-miscfiles_read_localization(cardmgr_t)
-
 modutils_domtrans_insmod(cardmgr_t)
 
 sysnet_domtrans_ifconfig(cardmgr_t)
 sysnet_etc_filetrans_config(cardmgr_t)
 sysnet_manage_config(cardmgr_t)
 
-userdom_use_user_terminals(cardmgr_t)
+userdom_use_inherited_user_terminals(cardmgr_t)
 userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
 userdom_dontaudit_search_user_home_dirs(cardmgr_t)
 
 optional_policy(`
-	seutil_dontaudit_read_config(cardmgr_t)
 	seutil_sigchld_newrole(cardmgr_t)
 ')
 
diff --git a/pcp.fc b/pcp.fc
new file mode 100644
index 0000000000..de7c78ca04
--- /dev/null
+++ b/pcp.fc
@@ -0,0 +1,33 @@
+/etc/rc\.d/init\.d/pmcd		--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmlogger 	--      gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmproxy 	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmwebd      --       gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmie      --       gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmmgr    --      gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
+
+/usr/bin/pmie       --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/bin/pmcd	    --	    gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+/usr/bin/pmwebd	    --	    gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
+/usr/bin/pmmgr      --      gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
+
+
+/usr/libexec/pcp/bin/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/libexec/pcp/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+/usr/libexec/pcp/bin/pmwebd	--	gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
+/usr/libexec/pcp/bin/pmie     --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmmgr  --      gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
+
+/usr/share/pcp/lib/pmie     --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+
+/usr/share/pcp/lib/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+
+/var/lib/pcp(/.*)?		gen_context(system_u:object_r:pcp_var_lib_t,s0)
+
+/var/log/pcp(/.*)?		gen_context(system_u:object_r:pcp_log_t,s0)
+
+/var/run/pcp(/.*)?		gen_context(system_u:object_r:pcp_var_run_t,s0)
+/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
+/var/run/pmlogger\.primary\.socket    -l  gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
index 0000000000..abb250dbaf
--- /dev/null
+++ b/pcp.if
@@ -0,0 +1,160 @@
+## <summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  pcp daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`pcp_domain_template',`
+    gen_require(`
+        attribute pcp_domain;
+    ')
+
+    type pcp_$1_t, pcp_domain;
+    type pcp_$1_exec_t;
+    init_daemon_domain(pcp_$1_t, pcp_$1_exec_t)
+    
+    type pcp_$1_initrc_exec_t;
+    init_script_file(pcp_$1_initrc_exec_t)
+
+    auth_use_nsswitch(pcp_$1_t)
+
+    optional_policy(`
+        cron_system_entry(pcp_$1_t, pcp_$1_exec_t)
+    ')
+')
+
+######################################
+## <summary>
+##  Allow domain to read pcp lib files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+interface(`pcp_read_lib_files',`
+    gen_require(`
+        type pcp_var_lib_t;
+    ')
+    files_search_var_lib($1)
+    read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
+')
+
+########################################
+## <summary>
+##  All of the rules required to administrate
+##  an pcp environment
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pcp_admin',`
+    gen_require(`
+        type pcp_pmcd_t;
+        type pcp_pmlogger_t;
+        type pcp_pmproxy_t;
+        type pcp_pmwebd_t;
+        type pcp_pmie_t;
+        type pcp_pmmgr_t;
+        type pcp_var_run_t;
+    ')
+
+    allow $1 pcp_pmcd_t:process signal_perms;
+    ps_process_pattern($1, pcp_pmcd_t)
+
+    allow $1 pcp_pmlogger_t:process signal_perms;
+    ps_process_pattern($1, pcp_pmlogger_t)
+
+    allow $1 pcp_pmproxy_t:process signal_perms;
+    ps_process_pattern($1, pcp_pmproxy_t)
+
+    allow $1 pcp_pmwebd_t:process signal_perms;
+    ps_process_pattern($1, pcp_pmwebd_t)
+
+    allow $1 pcp_pmie_t:process signal_perms;
+    ps_process_pattern($1, pcp_pmie_t)
+
+    allow $1 pcp_pmmgr_t:process signal_perms;
+    ps_process_pattern($1, pcp_pmmgr_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 pcp_pmcd_t:process ptrace;
+        allow $1 pcp_pmlogger_t:process ptrace;
+        allow $1 pcp_pmproxy_t:process ptrace;
+        allow $1 pcp_pmwebd_t:process ptrace;
+        allow $1 pcp_pmie_t:process ptrace;
+        allow $1 pcp_pmmgr_t:process ptrace;
+    ')
+
+    files_search_pids($1)
+    admin_pattern($1, pcp_var_run_t)
+')
+
+########################################
+## <summary>
+##  Allow the specified domain to execute pcp_pmie
+##  in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcp_pmie_exec',`
+    gen_require(`
+        type pcp_pmie_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    can_exec($1, pcp_pmie_exec_t)
+')
+
+########################################
+## <summary>
+##  Allow the specified domain to execute pcp_pmlogger
+##  in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcp_pmlogger_exec',`
+    gen_require(`
+        type pcp_pmlogger_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    can_exec($1, pcp_pmlogger_exec_t)
+')
+
+#######################################
+## <summary>
+##      Transition to pcp named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pcp_filetrans_named_content',`
+    gen_require(`
+        type pcp_var_run_t;
+    ')
+    files_pid_filetrans($1, pcp_var_run_t, dir, "pcp")
+')
diff --git a/pcp.pp b/pcp.pp
new file mode 100644
index 0000000000..fa4cfaa88c
Binary files /dev/null and b/pcp.pp differ
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 0000000000..ba4aa47696
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,318 @@
+policy_module(pcp, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+
+## <desc>
+## <p>
+## Allow pcp to bind to all unreserved_ports
+## </p>
+## </desc>
+gen_tunable(pcp_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Allow pcp to read generic logs
+## </p>
+## </desc>
+gen_tunable(pcp_read_generic_logs, false)
+
+attribute pcp_domain;
+
+pcp_domain_template(pmcd)
+pcp_domain_template(pmlogger)
+pcp_domain_template(pmproxy)
+pcp_domain_template(pmwebd)
+pcp_domain_template(pmie)
+pcp_domain_template(pmmgr)
+
+type pcp_log_t;
+logging_log_file(pcp_log_t)
+
+type pcp_var_lib_t;
+files_type(pcp_var_lib_t)
+
+type pcp_var_run_t;
+files_pid_file(pcp_var_run_t)
+
+type pcp_tmp_t;
+files_tmp_file(pcp_tmp_t)
+
+type pcp_tmpfs_t;
+files_tmpfs_file(pcp_tmpfs_t)
+
+########################################
+#
+# pcp domain local  policy
+#
+
+allow pcp_domain self:capability { setuid setgid dac_read_search dac_override };
+allow pcp_domain self:process signal_perms;
+allow pcp_domain self:tcp_socket create_stream_socket_perms;
+allow pcp_domain self:udp_socket create_socket_perms;
+allow pcp_domain self:netlink_route_socket create_socket_perms;
+allow pcp_domain self:unix_stream_socket connectto;
+
+corenet_tcp_connect_all_ephemeral_ports(pcp_domain)
+
+manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t)
+manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t)
+logging_log_filetrans(pcp_domain, pcp_log_t, { dir })
+
+manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+manage_lnk_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
+files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})
+
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_lnk_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
+manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
+fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file })
+
+dev_read_urand(pcp_domain)
+
+files_read_etc_files(pcp_domain)
+
+fs_getattr_all_fs(pcp_domain)
+
+miscfiles_read_generic_certs(pcp_domain)
+
+sysnet_read_config(pcp_domain)
+
+tunable_policy(`pcp_bind_all_unreserved_ports',`
+    corenet_sendrecv_all_server_packets(pcp_pmcd_t)
+    corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
+    corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
+    corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
+    
+')
+
+
+########################################
+#
+# pcp_pmcd local  policy
+#
+
+allow pcp_pmcd_t self:capability { net_admin sys_admin sys_ptrace };
+allow pcp_pmcd_t self:process { setsched };
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_get_sysvipc_info(pcp_pmcd_t)
+kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t)
+kernel_read_fs_sysctls(pcp_pmcd_t)
+kernel_read_rpc_sysctls(pcp_pmcd_t)
+kernel_search_network_sysctl(pcp_pmcd_t)
+kernel_read_net_sysctls(pcp_pmcd_t)
+
+corecmd_exec_bin(pcp_pmcd_t)
+
+corenet_tcp_bind_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_http_port(pcp_pmcd_t)
+
+dev_read_sysfs(pcp_pmcd_t)
+dev_rw_lvm_control(pcp_pmcd_t)
+
+domain_read_all_domains_state(pcp_pmcd_t)
+domain_getattr_all_domains(pcp_pmcd_t)
+
+dev_getattr_all_blk_files(pcp_pmcd_t)
+dev_getattr_all_chr_files(pcp_pmcd_t)
+dev_read_sysfs(pcp_pmcd_t)
+dev_read_urand(pcp_pmcd_t)
+
+fs_getattr_all_fs(pcp_pmcd_t)
+fs_getattr_all_dirs(pcp_pmcd_t)
+fs_list_cgroup_dirs(pcp_pmcd_t)
+fs_read_cgroup_files(pcp_pmcd_t)
+
+init_read_utmp(pcp_pmcd_t)
+
+logging_send_syslog_msg(pcp_pmcd_t)
+
+lvm_domtrans(pcp_pmcd_t)
+
+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
+userdom_read_user_tmp_files(pcp_pmcd_t)
+
+optional_policy(`
+	cron_read_pid_files(pcp_pmcd_t)
+')
+
+optional_policy(`
+    container_manage_lib_files(pcp_pmcd_t)
+')
+
+optional_policy(`
+    mysql_stream_connect(pcp_pmcd_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(pcp_pmcd_t)
+
+    optional_policy(`
+        avahi_dbus_chat(pcp_pmcd_t)
+    ')
+')
+
+optional_policy(`
+    postfix_read_config(pcp_pmcd_t)
+    postfix_search_spool(pcp_pmcd_t)
+')
+
+tunable_policy(`pcp_read_generic_logs',`
+    logging_read_generic_logs(pcp_pmcd_t)
+
+')
+
+########################################
+#
+# pcp_pmproxy local  policy
+#
+
+allow pcp_pmproxy_t self:process setsched;
+allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
+
+kernel_search_network_sysctl(pcp_pmproxy_t)
+
+logging_send_syslog_msg(pcp_pmproxy_t)
+
+optional_policy(`
+    dbus_system_bus_client(pcp_pmproxy_t)
+
+    optional_policy(`
+        avahi_dbus_chat(pcp_pmproxy_t)
+    ')
+')
+
+########################################
+#
+# pcp_pmwebd local  policy
+#
+
+corenet_tcp_bind_generic_node(pcp_pmwebd_t)
+
+optional_policy(`
+    dbus_system_bus_client(pcp_pmwebd_t)
+
+    optional_policy(`
+        avahi_dbus_chat(pcp_pmwebd_t)
+    ')
+')
+
+########################################
+#
+# pcp_pmmgr local  policy
+#
+
+allow pcp_pmmgr_t self:process { setpgid };
+allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
+allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
+
+kernel_read_system_state(pcp_pmmgr_t)
+
+corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
+
+corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
+corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
+
+corecmd_exec_bin(pcp_pmmgr_t)
+
+logging_send_syslog_msg(pcp_pmmgr_t)
+
+optional_policy(`
+    pcp_pmie_exec(pcp_pmmgr_t)
+    pcp_pmlogger_exec(pcp_pmmgr_t)
+')
+
+########################################
+#
+# pcp_pmie local  policy
+#
+allow pcp_pmie_t self:capability { chown sys_ptrace };
+allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
+allow pcp_pmie_t pcp_pmcd_t:process signal;
+
+kernel_read_system_state(pcp_pmie_t)
+
+corecmd_exec_bin(pcp_pmie_t)
+corecmd_getattr_all_executables(pcp_pmie_t)
+
+domain_read_all_domains_state(pcp_pmie_t)
+
+fs_search_cgroup_dirs(pcp_pmie_t)
+
+init_status(pcp_pmie_t)
+
+logging_send_syslog_msg(pcp_pmie_t)
+
+systemd_exec_systemctl(pcp_pmie_t)
+systemd_read_unit_files(pcp_pmie_t)
+systemd_search_unit_dirs(pcp_pmie_t)
+
+userdom_read_user_tmp_files(pcp_pmie_t)
+
+########################################
+#
+# pcp_pmlogger local  policy
+#
+
+allow pcp_pmlogger_t self:capability { kill sys_ptrace chown };
+allow pcp_pmlogger_t self:process setpgid;
+allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
+
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
+allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(pcp_pmlogger_t)
+kernel_read_network_state(pcp_pmlogger_t)
+
+corecmd_exec_bin(pcp_pmlogger_t)
+
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
+corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
+
+domain_read_all_domains_state(pcp_pmlogger_t)
+
+init_read_utmp(pcp_pmlogger_t)
+init_status(pcp_pmlogger_t)
+
+logging_send_syslog_msg(pcp_pmlogger_t)
+
+systemd_exec_systemctl(pcp_pmlogger_t)
+systemd_getattr_unit_files(pcp_pmlogger_t)
+
+optional_policy(`
+    hostname_exec(pcp_pmlogger_t)
+')
+
+optional_policy(`
+    unconfined_signal(pcp_pmlogger_t)
+')
+
+optional_policy(`
+    xserver_dontaudit_search_log(pcp_pmlogger_t)
+')
diff --git a/pcscd.if b/pcscd.if
index 43d50f95bd..6b1544f621 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -17,6 +17,8 @@ interface(`pcscd_domtrans',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+
+	ps_process_pattern(pcscd_t, $1)
 ')
 
 ########################################
@@ -50,7 +52,7 @@ interface(`pcscd_read_pid_files',`
 	')
 
 	files_search_pids($1)
-	allow $1 pcscd_var_run_t:file read_file_perms;
+	read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
 ')
 
 ########################################
diff --git a/pcscd.te b/pcscd.te
index 1fb1964107..5212cd2030 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
 #
 
 allow pcscd_t self:capability { dac_override dac_read_search fsetid };
-allow pcscd_t self:process signal;
+allow pcscd_t self:process { signal signull };
 allow pcscd_t self:fifo_file rw_fifo_file_perms;
-allow pcscd_t self:unix_stream_socket { accept listen };
-allow pcscd_t self:tcp_socket { accept listen };
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
 allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
 
 kernel_read_system_state(pcscd_t)
 
-corenet_all_recvfrom_unlabeled(pcscd_t)
 corenet_all_recvfrom_netlabel(pcscd_t)
 corenet_tcp_sendrecv_generic_if(pcscd_t)
 corenet_tcp_sendrecv_generic_node(pcscd_t)
@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
 corenet_tcp_connect_http_port(pcscd_t)
 corenet_tcp_sendrecv_http_port(pcscd_t)
 
+domain_read_all_domains_state(pcscd_t)
+
 dev_rw_generic_usb_dev(pcscd_t)
 dev_rw_smartcard(pcscd_t)
 dev_rw_usbfs(pcscd_t)
 dev_read_sysfs(pcscd_t)
 
-files_read_etc_files(pcscd_t)
 files_read_etc_runtime_files(pcscd_t)
 
 term_use_unallocated_ttys(pcscd_t)
@@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t)
 
 logging_send_syslog_msg(pcscd_t)
 
-miscfiles_read_localization(pcscd_t)
-
 sysnet_dns_name_resolve(pcscd_t)
 
+userdom_read_all_users_state(pcscd_t)
+
 optional_policy(`
 	dbus_system_bus_client(pcscd_t)
 
 	optional_policy(`
 		hal_dbus_chat(pcscd_t)
 	')
+
+    optional_policy(`
+        policykit_dbus_chat(pcscd_t)
+        policykit_dbus_chat_auth(pcscd_t)
+    ')
+
+')
+
+optional_policy(`
+	policykit_dbus_chat(pcscd_t)
 ')
 
 optional_policy(`
@@ -85,3 +96,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(pcscd_t)
 ')
+
+optional_policy(`
+	virt_rw_svirt_dev(pcscd_t)
+')
+
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4126..feaa8e174c 100644
--- a/pegasus.fc
+++ b/pegasus.fc
@@ -1,15 +1,33 @@
-/etc/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_conf_t,s0)
 /etc/Pegasus/pegasus_current\.conf	gen_context(system_u:object_r:pegasus_data_t,s0)
+/etc/Pegasus/cimserver_current\.conf   gen_context(system_u:object_r:pegasus_data_t,s0)
 
-/etc/rc\.d/init\.d/tog-pegasus	--	gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver		--	gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository	-- 	gen_context(system_u:object_r:pegasus_exec_t,s0)
 
-/usr/sbin/cimserver	--	gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository	--	gen_context(system_u:object_r:pegasus_exec_t,s0)
+/var/lib/Pegasus(/.*)?			gen_context(system_u:object_r:pegasus_data_t,s0)
 
-/var/cache/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_cache_t,s0)
+/var/run/tog-pegasus(/.*)?		gen_context(system_u:object_r:pegasus_var_run_t,s0)
 
-/var/lib/Pegasus(/.*)?	gen_context(system_u:object_r:pegasus_data_t,s0)
+/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
 
-/var/run/tog-pegasus(/.*)?	gen_context(system_u:object_r:pegasus_var_run_t,s0)
+/var/lib/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
 
-/usr/share/Pegasus/mof(/.*)?/.*\.mof	gen_context(system_u:object_r:pegasus_mof_t,s0)
+/var/run/openlmi-storage(/.*)?       gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
+
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt    --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
+
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt   --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt    --  gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677c11..86dce34a22 100644
--- a/pegasus.if
+++ b/pegasus.if
@@ -1,52 +1,60 @@
 ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
 
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  openlmi init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`pegasus_openlmi_domain_template',`
+    gen_require(`
+        attribute pegasus_openlmi_domain;
+        type pegasus_t;
+    ')
+
+	##############################
+	#
+	# Declarations
+	#
+
+	type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
+	type pegasus_openlmi_$1_exec_t;
+	init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
+
+	##############################
+	#
+	# Local policy
+	#
+	
+	domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
+    allow pegasus_t pegasus_openlmi_$1_exec_t:file ioctl;
+
+	kernel_read_system_state(pegasus_openlmi_$1_t)
+	logging_send_syslog_msg(pegasus_openlmi_$1_t)
+')
+
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an pegasus environment.
+##	Connect to pegasus over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
-interface(`pegasus_admin',`
+interface(`pegasus_stream_connect',`
 	gen_require(`
-		type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
-		type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
-		type pegasus_mof_t, pegasus_var_run_t;
+		type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
 	')
 
-	allow $1 pegasus_t:process { ptrace signal_perms };
-	ps_process_pattern($1, pegasus_t)
-
-	init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pegasus_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_search_etc($1)
-	admin_pattern($1, pegasus_conf_t)
-
-	files_search_usr($1)
-	admin_pattern($1, pegasus_mof_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, pegasus_tmp_t)
-
-	files_search_var($1)
-	admin_pattern($1, pegasus_cache_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, pegasus_data_t)
-
 	files_search_pids($1)
-	admin_pattern($1, pegasus_var_run_t)
+    stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
+    stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
 ')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454d8e..a78b356aa7 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
 # Declarations
 #
 
+attribute pegasus_openlmi_domain;
+
 type pegasus_t;
 type pegasus_exec_t;
 init_daemon_domain(pegasus_t, pegasus_exec_t)
 
-type pegasus_initrc_exec_t;
-init_script_file(pegasus_initrc_exec_t)
-
 type pegasus_cache_t;
 files_type(pegasus_cache_t)
 
@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
 type pegasus_var_run_t;
 files_pid_file(pegasus_var_run_t)
 
+# pegasus openlmi providers
+pegasus_openlmi_domain_template(admin)
+typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
+typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;
+
+pegasus_openlmi_domain_template(account)
+domain_obj_id_change_exemption(pegasus_openlmi_account_t)
+domain_system_change_exemption(pegasus_openlmi_account_t)
+
+pegasus_openlmi_domain_template(logicalfile)
+pegasus_openlmi_domain_template(services)
+
+pegasus_openlmi_domain_template(storage)
+type pegasus_openlmi_storage_tmp_t;
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
+
+type pegasus_openlmi_storage_lib_t;
+files_type(pegasus_openlmi_storage_lib_t)
+
+type pegasus_openlmi_storage_var_run_t;
+files_pid_file(pegasus_openlmi_storage_var_run_t)
+
+pegasus_openlmi_domain_template(system)
+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
+pegasus_openlmi_domain_template(unconfined)
+
+#######################################
+#
+# pegasus openlmi providers local policy
+#
+
+allow pegasus_openlmi_domain self:capability { setuid setgid };
+
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
+allow pegasus_openlmi_domain self:udp_socket create_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+
+corecmd_exec_bin(pegasus_openlmi_domain)
+corecmd_exec_shell(pegasus_openlmi_domain)
+
+dev_read_sysfs(pegasus_openlmi_domain)
+
+auth_read_passwd(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
+
+optional_policy(`
+    pegasus_stream_connect(pegasus_openlmi_domain)
+')
+
+######################################
+#
+# pegasus openlmi account local policy
+#
+
+allow pegasus_openlmi_account_t self:capability { chown dac_read_search dac_override fowner fsetid };
+allow pegasus_openlmi_account_t self:process setfscreate;
+
+auth_manage_passwd(pegasus_openlmi_account_t)
+auth_manage_shadow(pegasus_openlmi_account_t)
+auth_relabel_shadow(pegasus_openlmi_account_t)
+auth_read_login_records(pegasus_openlmi_account_t)
+auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
+
+logging_send_audit_msgs(pegasus_openlmi_account_t)
+logging_send_syslog_msg(pegasus_openlmi_account_t)
+
+init_rw_utmp(pegasus_openlmi_account_t)
+
+seutil_semanage_policy(pegasus_openlmi_account_t)
+
+logging_send_syslog_msg(pegasus_openlmi_account_t)
+
+seutil_read_config(pegasus_openlmi_account_t)
+seutil_read_file_contexts(pegasus_openlmi_account_t)
+seutil_read_default_contexts(pegasus_openlmi_account_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t)
+userdom_manage_home_role(system_r, pegasus_openlmi_account_t)
+userdom_delete_all_user_home_content(pegasus_openlmi_account_t)
+
+optional_policy(`
+    # run userdel
+    usermanage_domtrans_useradd(pegasus_openlmi_account_t)
+')
+
+######################################
+#
+# pegasus openlmi logicalfile local policy
+#
+
+allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search dac_override };
+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
+files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
+
+dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t)
+dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t)
+
+files_list_all(pegasus_openlmi_logicalfile_t)
+files_read_all_files(pegasus_openlmi_logicalfile_t)
+files_read_all_symlinks(pegasus_openlmi_logicalfile_t)
+files_read_all_blk_files(pegasus_openlmi_logicalfile_t)
+files_read_all_chr_files(pegasus_openlmi_logicalfile_t)
+files_getattr_all_pipes(pegasus_openlmi_logicalfile_t)
+files_getattr_all_sockets(pegasus_openlmi_logicalfile_t)
+
+# Add/remove user home directories
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t)
+userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t)
+userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t)
+
+optional_policy(`
+    # it can delete/create empty dirs
+    # so we want to have unconfined_domain attribute for filename rules
+    unconfined_domain(pegasus_openlmi_logicalfile_t)
+')
+
+######################################
+#
+# pegasus openlmi services local policy
+#
+
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_network_state(pegasus_openlmi_services_t)
+
+miscfiles_read_certs(pegasus_openlmi_services_t)
+
+optional_policy(`
+    dbus_system_bus_client(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+    realmd_dbus_chat(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+	sssd_read_public_files(pegasus_openlmi_services_t)
+    sssd_stream_connect(pegasus_openlmi_services_t)
+')
+
+######################################
+#
+# pegasus openlmi system (networking) local policy
+#
+
+allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };
+allow pegasus_openlmi_system_t self:process signal_perms;
+
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;
+
+kernel_read_network_state(pegasus_openlmi_system_t)
+
+auth_use_nsswitch(pegasus_openlmi_system_t)
+
+dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_system_t)
+
+fs_getattr_all_fs(pegasus_openlmi_system_t)
+
+init_read_utmp(pegasus_openlmi_system_t)
+
+systemd_config_power_services(pegasus_openlmi_system_t)
+systemd_dbus_chat_logind(pegasus_openlmi_system_t)
+
+optional_policy(`
+    dbus_system_bus_client(pegasus_openlmi_system_t)
+')
+
+optional_policy(`
+    networkmanager_dbus_chat(pegasus_openlmi_system_t)
+')
+
+######################################
+#
+# pegasus openlmi service local policy
+#
+
+fs_getattr_all_fs(pegasus_openlmi_admin_t)
+
+init_manage_transient_unit(pegasus_openlmi_admin_t)
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
+init_reload_services(pegasus_openlmi_admin_t)
+init_status(pegasus_openlmi_admin_t)
+init_reboot(pegasus_openlmi_admin_t)
+init_exec(pegasus_openlmi_admin_t)
+
+systemd_config_all_services(pegasus_openlmi_admin_t)
+systemd_manage_all_unit_files(pegasus_openlmi_admin_t)
+systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
+logging_read_syslog_pid(pegasus_openlmi_admin_t)
+logging_read_generic_logs(pegasus_openlmi_admin_t)
+
+optional_policy(`
+    dbus_system_bus_client(pegasus_openlmi_admin_t)
+    
+    optional_policy(`
+        init_dbus_chat(pegasus_openlmi_admin_t)
+    ')
+')
+
+optional_policy(`
+    sssd_stream_connect(pegasus_openlmi_admin_t)
+')
+
+######################################
+#
+# pegasus openlmi storage local policy
+#
+
+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock };
+allow pegasus_openlmi_storage_t self:process setrlimit;
+
+allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
+files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file)
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
+files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
+kernel_read_network_state(pegasus_openlmi_storage_t)
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
+kernel_request_load_module(pegasus_openlmi_storage_t)
+
+auth_use_nsswitch(pegasus_openlmi_storage_t)
+
+dev_read_raw_memory(pegasus_openlmi_storage_t)
+dev_read_rand(pegasus_openlmi_storage_t)
+dev_read_urand(pegasus_openlmi_storage_t)
+
+dev_rw_lvm_control(pegasus_openlmi_storage_t)
+dev_rw_sysfs(pegasus_openlmi_storage_t)
+
+selinux_validate_context(pegasus_openlmi_storage_t)
+
+seutil_read_file_contexts(pegasus_openlmi_storage_t)
+
+storage_raw_read_removable_device(pegasus_openlmi_storage_t)
+storage_raw_write_removable_device(pegasus_openlmi_storage_t)
+storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
+storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
+
+files_read_kernel_modules(pegasus_openlmi_storage_t)
+
+fs_getattr_all_fs(pegasus_openlmi_storage_t)
+
+modutils_domtrans_insmod(pegasus_openlmi_storage_t)
+
+udev_domtrans(pegasus_openlmi_storage_t)
+udev_read_pid_files(pegasus_openlmi_storage_t)
+
+init_read_state(pegasus_openlmi_storage_t)
+
+miscfiles_read_hwdata(pegasus_openlmi_storage_t)
+
+optional_policy(`
+    dmidecode_domtrans(pegasus_openlmi_storage_t)  
+')
+
+optional_policy(`
+    gnome_dontaudit_search_config(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+    fstools_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+    iscsi_manage_lock(pegasus_openlmi_storage_t)
+    iscsi_read_lib_files(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+    libs_exec_ldconfig(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+    lvm_domtrans(pegasus_openlmi_storage_t)
+    lvm_read_metadata(pegasus_openlmi_storage_t)
+    lvm_write_metadata(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+    mount_domtrans(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
+    raid_domtrans_mdadm(pegasus_openlmi_storage_t)   
+    raid_filetrans_named_content(pegasus_openlmi_storage_t)
+    raid_manage_conf_files(pegasus_openlmi_storage_t)
+')
+
+######################################
+#
+# pegasus openlmi unconfined local policy
+#
+
+optional_policy(`
+    unconfined_domain(pegasus_openlmi_unconfined_t)
+')
+
 ########################################
 #
-# Local policy
+# pegasus local policy
 #
 
-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
-dontaudit pegasus_t self:capability sys_tty_config;
-allow pegasus_t self:process signal;
+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search dac_override net_admin net_bind_service sys_ptrace };
+dontaudit pegasus_t self:capability { sys_admin sys_tty_config };
+allow pegasus_t self:process { setsched signal };
 allow pegasus_t self:fifo_file rw_fifo_file_perms;
-allow pegasus_t self:unix_stream_socket { connectto accept listen };
-allow pegasus_t self:tcp_socket { accept listen };
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
 
 allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file })
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
+
+can_exec(pegasus_t, pegasus_exec_t)
 
 allow pegasus_t pegasus_mof_t:dir list_dir_perms;
-allow pegasus_t pegasus_mof_t:file read_file_perms;
-allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms;
+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
 
 manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file })
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
 
+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file })
-
-can_exec(pegasus_t, pegasus_exec_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
 
 kernel_read_network_state(pegasus_t)
 kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_sysctl(pegasus_t)
 kernel_read_fs_sysctls(pegasus_t)
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
@@ -80,43 +397,42 @@ kernel_read_net_sysctls(pegasus_t)
 kernel_read_xen_state(pegasus_t)
 kernel_write_xen_state(pegasus_t)
 
-corenet_all_recvfrom_unlabeled(pegasus_t)
 corenet_all_recvfrom_netlabel(pegasus_t)
 corenet_tcp_sendrecv_generic_if(pegasus_t)
 corenet_tcp_sendrecv_generic_node(pegasus_t)
 corenet_tcp_sendrecv_all_ports(pegasus_t)
 corenet_tcp_bind_generic_node(pegasus_t)
-
-corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
 corenet_tcp_bind_pegasus_http_port(pegasus_t)
-
-corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
 corenet_tcp_bind_pegasus_https_port(pegasus_t)
-
-corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
 corenet_tcp_connect_pegasus_http_port(pegasus_t)
-
-corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
 corenet_tcp_connect_pegasus_https_port(pegasus_t)
-
-corenet_sendrecv_generic_client_packets(pegasus_t)
 corenet_tcp_connect_generic_port(pegasus_t)
+corenet_sendrecv_generic_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
 
 corecmd_exec_bin(pegasus_t)
 corecmd_exec_shell(pegasus_t)
 
 dev_rw_sysfs(pegasus_t)
 dev_read_urand(pegasus_t)
+dev_rw_lvm_control(pegasus_t)
 
 fs_getattr_all_fs(pegasus_t)
 fs_search_auto_mountpoints(pegasus_t)
+fs_mount_tracefs(pegasus_t)
+fs_unmount_tracefs(pegasus_t)
 files_getattr_all_dirs(pegasus_t)
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
+domain_named_filetrans(pegasus_t)
 
 files_list_var_lib(pegasus_t)
 files_read_var_lib_files(pegasus_t)
@@ -128,18 +444,29 @@ init_stream_connect_script(pegasus_t)
 logging_send_audit_msgs(pegasus_t)
 logging_send_syslog_msg(pegasus_t)
 
-miscfiles_read_localization(pegasus_t)
+mount_domtrans(pegasus_t)
+
+sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
 userdom_dontaudit_search_user_home_dirs(pegasus_t)
 
 optional_policy(`
-	dbus_system_bus_client(pegasus_t)
-	dbus_connect_system_bus(pegasus_t)
+	dmidecode_domtrans(pegasus_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(pegasus_t)
+    dbus_connect_system_bus(pegasus_t)
+
+    optional_policy(`
+	networkmanager_dbus_chat(pegasus_t)
+    ')
+')
 
-	optional_policy(`
-		networkmanager_dbus_chat(pegasus_t)
-	')
+optional_policy(`
+	rhcs_stream_connect_cluster(pegasus_t)
 ')
 
 optional_policy(`
@@ -151,16 +478,28 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rpm_exec(pegasus_t)
+	lvm_exec(pegasus_t)
 ')
 
 optional_policy(`
-	samba_manage_config(pegasus_t)
+	ricci_stream_connect_modclusterd(pegasus_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(pegasus_t)
-	seutil_dontaudit_read_config(pegasus_t)
+    realmd_dbus_chat(pegasus_t)
+')
+
+optional_policy(`
+    rpc_read_exports(pegasus_t)
+    rpc_read_nfs_state_data(pegasus_t)
+')
+
+optional_policy(`
+	rpm_domtrans(pegasus_t)
+')
+
+optional_policy(`
+	samba_manage_config(pegasus_t)
 ')
 
 optional_policy(`
@@ -168,7 +507,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	sysnet_domtrans_ifconfig(pegasus_t)
+	seutil_sigchld_newrole(pegasus_t)
 ')
 
 optional_policy(`
@@ -180,11 +519,16 @@ optional_policy(`
 ')
 
 optional_policy(`
+    virt_getattr_images(pegasus_t)
 	virt_domtrans(pegasus_t)
 	virt_stream_connect(pegasus_t)
 	virt_manage_config(pegasus_t)
 ')
 
+optional_policy(`
+	qemu_getattr_exec(pegasus_t)
+')
+
 optional_policy(`
 	xen_stream_connect(pegasus_t)
 	xen_stream_connect_xenstore(pegasus_t)
diff --git a/pesign.fc b/pesign.fc
new file mode 100644
index 0000000000..7b54c3926b
--- /dev/null
+++ b/pesign.fc
@@ -0,0 +1,6 @@
+/usr/bin/pesign		--	gen_context(system_u:object_r:pesign_exec_t,s0)
+
+/usr/lib/systemd/system/pesign.service		--	gen_context(system_u:object_r:pesign_unit_file_t,s0)
+
+/var/run/pesign(/.*)?		gen_context(system_u:object_r:pesign_var_run_t,s0)
+/var/run/pesign\.pid    --  gen_context(system_u:object_r:pesign_var_run_t,s0)
diff --git a/pesign.if b/pesign.if
new file mode 100644
index 0000000000..4d531cb9dc
--- /dev/null
+++ b/pesign.if
@@ -0,0 +1,99 @@
+
+## <summary>pesign utility for signing UEFI binaries as well as other associated tools</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the pesign domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pesign_domtrans',`
+	gen_require(`
+		type pesign_t, pesign_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, pesign_exec_t, pesign_t)
+')
+########################################
+## <summary>
+##	Read pesign PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pesign_read_pid_files',`
+	gen_require(`
+		type pesign_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute pesign server in the pesign domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pesign_systemctl',`
+	gen_require(`
+		type pesign_t;
+		type pesign_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 pesign_unit_file_t:file read_file_perms;
+	allow $1 pesign_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, pesign_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an pesign environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pesign_admin',`
+	gen_require(`
+		type pesign_t;
+		type pesign_var_run_t;
+		type pesign_unit_file_t;
+	')
+
+	allow $1 pesign_t:process { ptrace signal_perms };
+	ps_process_pattern($1, pesign_t)
+
+	files_search_pids($1)
+	admin_pattern($1, pesign_var_run_t)
+
+	pesign_systemctl($1)
+	admin_pattern($1, pesign_unit_file_t)
+	allow $1 pesign_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/pesign.te b/pesign.te
new file mode 100644
index 0000000000..55d7442b04
--- /dev/null
+++ b/pesign.te
@@ -0,0 +1,54 @@
+policy_module(pesign, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pesign_t;
+type pesign_exec_t;
+init_daemon_domain(pesign_t, pesign_exec_t)
+
+type pesign_var_run_t;
+files_pid_file(pesign_var_run_t)
+
+type pesign_unit_file_t;
+systemd_unit_file(pesign_unit_file_t)
+
+type pesign_tmp_t;
+files_tmp_file(pesign_tmp_t)
+
+########################################
+#
+# pesign local policy
+#
+
+allow pesign_t self:capability { dac_read_search dac_override setgid setuid };
+allow pesign_t self:process setsched;
+allow pesign_t self:fifo_file rw_fifo_file_perms;
+allow pesign_t self:unix_stream_socket create_stream_socket_perms;
+allow pesign_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
+
+manage_dirs_pattern(pesign_t, pesign_tmp_t, pesign_tmp_t)
+manage_files_pattern(pesign_t, pesign_tmp_t, pesign_tmp_t)
+files_tmp_filetrans(pesign_t, pesign_tmp_t, { file dir })
+
+dev_read_urand(pesign_t)
+dev_read_rand(pesign_t)
+
+files_dontaudit_list_tmp(pesign_t)
+
+fs_getattr_all_fs(pesign_t)
+
+auth_use_nsswitch(pesign_t)
+
+logging_send_syslog_msg(pesign_t)
+
+miscfiles_read_certs(pesign_t)
+miscfiles_read_localization(pesign_t)
diff --git a/pingd.if b/pingd.if
index 21a6ecbe79..b99e4cb0b5 100644
--- a/pingd.if
+++ b/pingd.if
@@ -55,7 +55,8 @@ interface(`pingd_manage_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 pingd_etc_t:file manage_file_perms;
+	manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+	manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
 ')
 
 #######################################
@@ -81,9 +82,13 @@ interface(`pingd_admin',`
 		type pingd_initrc_exec_t;
 	')
 
-	allow $1 pingd_t:process { ptrace signal_perms };
+	allow $1 pingd_t:process signal_perms;
 	ps_process_pattern($1, pingd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 pingd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, pingd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 pingd_initrc_exec_t system_r;
diff --git a/pingd.te b/pingd.te
index ab01060275..778c8eb12c 100644
--- a/pingd.te
+++ b/pingd.te
@@ -10,7 +10,7 @@ type pingd_exec_t;
 init_daemon_domain(pingd_t, pingd_exec_t)
 
 type pingd_etc_t;
-files_type(pingd_etc_t)
+files_config_file(pingd_etc_t)
 
 type pingd_initrc_exec_t;
 init_script_file(pingd_initrc_exec_t)
@@ -45,10 +45,10 @@ corenet_tcp_bind_generic_node(pingd_t)
 corenet_sendrecv_pingd_server_packets(pingd_t)
 corenet_tcp_bind_pingd_port(pingd_t)
 
+dev_read_urand(pingd_t)
+
 auth_use_nsswitch(pingd_t)
 
 files_search_usr(pingd_t)
 
 logging_send_syslog_msg(pingd_t)
-
-miscfiles_read_localization(pingd_t)
diff --git a/piranha.fc b/piranha.fc
new file mode 100644
index 0000000000..20ea9f54b2
--- /dev/null
+++ b/piranha.fc
@@ -0,0 +1,24 @@
+
+/etc/rc\.d/init\.d/pulse	--	gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
+# RHEL6
+#/etc/sysconfig/ha/lvs\.cf	--	gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/etc/piranha/lvs\.cf		--	gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/usr/sbin/fos               --  gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd				--	gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui		--	gen_context(system_u:object_r:piranha_web_exec_t,s0)
+/usr/sbin/pulse       		--  gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
+
+/var/lib/luci(/.*)?             gen_context(system_u:object_r:piranha_web_data_t,s0)
+/var/lib/luci/cert(/.*)?        gen_context(system_u:object_r:piranha_web_conf_t,s0)
+/var/lib/luci/etc(/.*)?         gen_context(system_u:object_r:piranha_web_conf_t,s0)
+
+/var/log/piranha(/.*)?			gen_context(system_u:object_r:piranha_log_t,s0)
+
+/var/run/fos\.pid           --  gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
+/var/run/lvs\.pid			--	gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
+/var/run/piranha-httpd\.pid --	gen_context(system_u:object_r:piranha_web_var_run_t,s0)
+/var/run/pulse\.pid         --  gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
+
diff --git a/piranha.if b/piranha.if
new file mode 100644
index 0000000000..cf54103b6a
--- /dev/null
+++ b/piranha.if
@@ -0,0 +1,187 @@
+## <summary>policy for piranha</summary>
+
+#######################################
+## <summary>
+##	Creates types and rules for a basic
+##	cluster init daemon domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
+## </param>
+#
+template(`piranha_domain_template',`
+	gen_require(`
+		attribute piranha_domain;
+	')
+
+	##############################
+	#
+	# piranha_$1_t declarations
+	#
+
+	type piranha_$1_t, piranha_domain;
+	type piranha_$1_exec_t;
+	init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
+    # tmpfs files
+    type piranha_$1_tmpfs_t, piranha_tmpfs;
+    files_tmpfs_file(piranha_$1_tmpfs_t)
+
+	# pid files
+	type piranha_$1_var_run_t;
+	files_pid_file(piranha_$1_var_run_t)
+
+	##############################
+	#
+	# piranha_$1_t local policy
+	#
+
+    manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
+    manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
+    fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
+
+	manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+	manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+	files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
+
+	kernel_read_system_state(piranha_$1_t)
+
+	auth_use_nsswitch(piranha_$1_t)
+
+	logging_send_syslog_msg(piranha_$1_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run fos.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`piranha_domtrans_fos',`
+	gen_require(`
+		type piranha_fos_t, piranha_fos_exec_t;
+	')
+
+	domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
+')
+
+#######################################
+## <summary>
+##	Execute a domain transition to run lvsd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`piranha_domtrans_lvs',`
+	gen_require(`
+		type piranha_lvs_t, piranha_lvs_exec_t;
+	')
+
+	domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
+')
+
+#######################################
+## <summary>
+##	Execute a domain transition to run pulse.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`piranha_domtrans_pulse',`
+	gen_require(`
+		type piranha_pulse_t, piranha_pulse_exec_t;
+	')
+
+	domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
+')
+
+#######################################
+## <summary>
+##	Execute pulse server in the pulse domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`piranha_pulse_initrc_domtrans',`
+	gen_require(`
+		type piranha_pulse_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read piranha's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`piranha_read_log',`
+	gen_require(`
+		type piranha_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	piranha log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`piranha_append_log',`
+	gen_require(`
+		type piranha_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage piranha log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`piranha_manage_log',`
+	gen_require(`
+		type piranha_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
+	manage_files_pattern($1, piranha_log_t, piranha_log_t)
+	manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
index 0000000000..a989aea2e1
--- /dev/null
+++ b/piranha.te
@@ -0,0 +1,292 @@
+policy_module(piranha, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Allow piranha-lvs domain to connect to the network using TCP.
+##	</p>
+## </desc>
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
+attribute piranha_tmpfs;
+
+piranha_domain_template(fos)
+
+piranha_domain_template(lvs)
+
+piranha_domain_template(pulse)
+
+type piranha_pulse_initrc_exec_t;
+init_script_file(piranha_pulse_initrc_exec_t)
+
+piranha_domain_template(web)
+
+type piranha_web_conf_t;
+files_config_file(piranha_web_conf_t)
+
+type piranha_web_data_t;
+files_type(piranha_web_data_t)
+
+type piranha_web_tmp_t;
+files_tmp_file(piranha_web_tmp_t)
+
+type piranha_etc_rw_t;
+files_config_file(piranha_etc_rw_t)
+
+type piranha_log_t;
+logging_log_file(piranha_log_t)
+
+#######################################
+#
+# piranha-fos local policy
+#
+
+kernel_read_kernel_sysctls(piranha_fos_t)
+
+domain_read_all_domains_state(piranha_fos_t)
+
+optional_policy(`
+	consoletype_exec(piranha_fos_t)
+')
+
+# start and stop services
+init_domtrans_script(piranha_fos_t)
+
+########################################
+#
+# piranha-gui local policy
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
+allow piranha_web_t self:process { getsched setsched signal signull };
+
+allow piranha_web_t self:rawip_socket create_socket_perms;
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
+
+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
+
+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
+
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
+
+can_exec(piranha_web_t, piranha_web_tmp_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
+corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
+corenet_tcp_bind_servistaitsm_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_rand(piranha_web_t)
+dev_read_urand(piranha_web_t)
+
+domain_read_all_domains_state(piranha_web_t)
+
+
+optional_policy(`
+	consoletype_exec(piranha_web_t)
+')
+
+optional_policy(`
+	apache_read_config(piranha_web_t)
+	apache_exec_modules(piranha_web_t)
+	apache_exec(piranha_web_t)
+')
+
+optional_policy(`
+	gnome_dontaudit_search_config(piranha_web_t)
+')
+
+optional_policy(`
+	sasl_connect(piranha_web_t)
+')
+
+optional_policy(`
+    snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
+    snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
+')
+
+######################################
+#
+# piranha-lvs local policy
+#
+
+# neede by nanny
+allow piranha_lvs_t self:capability { net_raw sys_nice };
+allow piranha_lvs_t self:process signal;
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
+manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
+
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
+corenet_tcp_connect_ftp_port(piranha_lvs_t)
+corenet_tcp_connect_http_port(piranha_lvs_t)
+corenet_tcp_connect_smtp_port(piranha_lvs_t)
+
+sysnet_dns_name_resolve(piranha_lvs_t)
+
+# needed by nanny
+tunable_policy(`piranha_lvs_can_network_connect',`
+	corenet_tcp_connect_all_ports(piranha_lvs_t)
+')
+
+# needed by ipvsadm
+optional_policy(`
+	iptables_domtrans(piranha_lvs_t)
+')
+
+#######################################
+#
+# piranha-pulse local policy
+#
+
+allow piranha_pulse_t self:capability net_admin;
+
+allow piranha_pulse_t self:packet_socket create_socket_perms;
+
+# pulse starts fos and lvs daemon
+domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
+allow piranha_pulse_t piranha_fos_t:process signal;
+
+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
+allow piranha_pulse_t piranha_lvs_t:process signal;
+
+kernel_read_kernel_sysctls(piranha_pulse_t)
+kernel_read_rpc_sysctls(piranha_pulse_t)
+kernel_rw_rpc_sysctls(piranha_pulse_t)
+kernel_search_debugfs(piranha_pulse_t)
+kernel_search_network_state(piranha_pulse_t)
+
+corecmd_exec_bin(piranha_pulse_t)
+corecmd_exec_shell(piranha_pulse_t)
+optional_policy(`
+	consoletype_exec(piranha_pulse_t)
+')
+
+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
+corenet_udp_bind_cma_port(piranha_pulse_t)
+
+domain_read_all_domains_state(piranha_pulse_t)
+domain_getattr_all_domains(piranha_pulse_t)
+
+fs_getattr_all_fs(piranha_pulse_t)
+
+init_initrc_domain(piranha_pulse_t)
+
+logging_send_syslog_msg(piranha_pulse_t)
+
+# various services to failover
+
+optional_policy(`
+	apache_domtrans(piranha_pulse_t)
+	apache_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+	ftp_domtrans(piranha_pulse_t)
+	ftp_initrc_domtrans(piranha_pulse_t)
+	ftp_systemctl(piranha_pulse_t)
+')
+
+optional_policy(`
+	hostname_exec(piranha_pulse_t)
+')
+
+optional_policy(`
+	iptables_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+    ldap_systemctl(piranha_pulse_t)
+    ldap_initrc_domtrans(piranha_pulse_t)
+    ldap_domtrans(piranha_pulse_t)
+')
+
+optional_policy(`
+    mysql_domtrans_mysql_safe(piranha_pulse_t)
+    mysql_stream_connect(piranha_pulse_t)
+')
+
+optional_policy(`
+	netutils_domtrans(piranha_pulse_t)
+	netutils_domtrans_ping(piranha_pulse_t)
+')
+
+optional_policy(`
+	postgresql_domtrans(piranha_pulse_t)
+	postgresql_signal(piranha_pulse_t)
+')
+
+optional_policy(`
+	samba_initrc_domtrans(piranha_pulse_t)
+	samba_systemctl(piranha_pulse_t)
+	samba_domtrans_smbd(piranha_pulse_t)
+	samba_domtrans_nmbd(piranha_pulse_t)
+	samba_manage_var_files(piranha_pulse_t)
+	samba_rw_config(piranha_pulse_t)
+	samba_signal_smbd(piranha_pulse_t)
+	samba_signal_nmbd(piranha_pulse_t)
+')
+
+optional_policy(`
+    sysnet_domtrans_ifconfig(piranha_pulse_t)
+')
+
+optional_policy(`
+    udev_read_db(piranha_pulse_t)
+')
+
+####################################
+#
+# piranha domains common policy
+#
+
+allow piranha_domain self:process signal_perms;
+allow piranha_domain self:fifo_file rw_fifo_file_perms;
+allow piranha_domain self:tcp_socket create_stream_socket_perms;
+allow piranha_domain self:udp_socket create_socket_perms;
+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
+manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
+
+kernel_read_network_state(piranha_domain)
+
+corenet_tcp_sendrecv_generic_if(piranha_domain)
+corenet_udp_sendrecv_generic_if(piranha_domain)
+corenet_tcp_sendrecv_generic_node(piranha_domain)
+corenet_udp_sendrecv_generic_node(piranha_domain)
+corenet_tcp_sendrecv_all_ports(piranha_domain)
+corenet_udp_sendrecv_all_ports(piranha_domain)
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
+sysnet_read_config(piranha_domain)
diff --git a/pkcs.fc b/pkcs.fc
index 9a72226e38..b2968942f7 100644
--- a/pkcs.fc
+++ b/pkcs.fc
@@ -4,4 +4,8 @@
 
 /var/lib/opencryptoki(/.*)?	gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
 
+/var/log/opencryptoki(/.*)?	gen_context(system_u:object_r:pkcs_slotd_log_t,s0)
+
+/var/lock/opencryptoki(/.*)?	gen_context(system_u:object_r:pkcs_slotd_lock_t,s0)
+
 /var/run/pkcsslotd.*	gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
diff --git a/pkcs.if b/pkcs.if
index 69be2aaf28..2d7b3f656c 100644
--- a/pkcs.if
+++ b/pkcs.if
@@ -19,7 +19,7 @@
 #
 interface(`pkcs_admin_slotd',`
 	gen_require(`
-		type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
+		type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t, pkcs_slotd_lock_t;
 		type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
 	')
 
@@ -34,6 +34,9 @@ interface(`pkcs_admin_slotd',`
 	files_search_var_lib($1)
 	admin_pattern($1, pkcs_slotd_var_lib_t)
 
+	files_search_locks($1)
+	admin_pattern($1, pkcs_slotd_lock_t)
+
 	files_search_pids($1)
 	admin_pattern($1, pkcs_slotd_var_run_t)
 
diff --git a/pkcs.te b/pkcs.te
index 8eb3f7bc1e..1b79ed4541 100644
--- a/pkcs.te
+++ b/pkcs.te
@@ -7,21 +7,34 @@ policy_module(pkcs, 1.0.1)
 
 type pkcs_slotd_t;
 type pkcs_slotd_exec_t;
+typealias pkcs_slotd_t alias pkcsslotd_t;
+typealias pkcs_slotd_exec_t alias pkcsslotd_exec_t;
 init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
 
 type pkcs_slotd_initrc_exec_t;
 init_script_file(pkcs_slotd_initrc_exec_t)
 
 type pkcs_slotd_var_lib_t;
+typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t;
 files_type(pkcs_slotd_var_lib_t)
 
+type pkcs_slotd_lock_t;
+typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t;
+files_lock_file(pkcs_slotd_lock_t)
+
+type pkcs_slotd_log_t;
+logging_log_file(pkcs_slotd_log_t)
+
 type pkcs_slotd_var_run_t;
+typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
 files_pid_file(pkcs_slotd_var_run_t)
 
 type pkcs_slotd_tmp_t;
+typealias pkcs_slotd_tmp_t alias pkcsslotd_tmp_t;
 files_tmp_file(pkcs_slotd_tmp_t)
 
 type pkcs_slotd_tmpfs_t;
+typealias pkcs_slotd_tmpfs_t alias pkcsslotd_tmpfs_t;
 files_tmpfs_file(pkcs_slotd_tmpfs_t)
 
 ########################################
@@ -40,6 +53,14 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
 manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
 files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
 
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir)
+
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t)
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t)
+logging_log_filetrans(pkcs_slotd_t, pkcs_slotd_log_t, dir)
+
 manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
 manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
 manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
@@ -51,10 +72,13 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
 
 manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
 manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { file dir })
+allow pkcs_slotd_t pkcs_slotd_tmpfs_t:file map;
+
+auth_use_nsswitch(pkcs_slotd_t)
 
-files_read_etc_files(pkcs_slotd_t)
+files_search_locks(pkcs_slotd_t)
 
 logging_send_syslog_msg(pkcs_slotd_t)
 
-miscfiles_read_localization(pkcs_slotd_t)
+userdom_read_all_users_state(pkcs_slotd_t)
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 0000000000..47cd0f8ba9
--- /dev/null
+++ b/pki.fc
@@ -0,0 +1,57 @@
+/etc/pki/pki-tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/etc/pki/pki-tomcat/ca(/.*)?		gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/pki/pki-tomcat(/.*)?       	gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/pki-tomcat(/.*)?		gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/sysconfig/pki/tomcat(/.*)? 	gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/log/pki(/.*)?                            gen_context(system_u:object_r:pki_log_t,s0)
+/usr/bin/pkidaemon                      gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)?         gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
+/etc/pki-ra(/.*)?               	gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra(/.*)?           	gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
+/var/log/pki-ra(/.*)?           	gen_context(system_u:object_r:pki_ra_log_t,s0)
+/var/run/pki/ra(/.*)? 	        	gen_context(system_u:object_r:pki_ra_var_run_t,s0)
+/etc/sysconfig/pki/ra(/.*)?		gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra/pki-ra                  gen_context(system_u:object_r:pki_ra_exec_t,s0)
+
+/etc/pki-tps(/.*)?              	gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps(/.*)?          	gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
+/var/log/pki-tps(/.*)?          	gen_context(system_u:object_r:pki_tps_log_t,s0)
+/var/run/pki/tps(/.*)? 	        	gen_context(system_u:object_r:pki_tps_var_run_t,s0)
+/etc/sysconfig/pki/tps(/.*)?		gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps/pki-tps                gen_context(system_u:object_r:pki_tps_exec_t,s0)
+
+# default labeling for nCipher
+/opt/nfast/scripts/init.d/(.*)  	gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast/sbin/init.d-ncipher  	gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast(/.*)?                	gen_context(system_u:object_r:pki_common_t, s0)
+/dev/nfast(/.*)?                	gen_context(system_u:object_r:pki_common_dev_t, s0)
+
+# old paths (for migration)
+/etc/pki-ca(/.*)?                       gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ca(/.*)?                   gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ca.pid                     gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ca(/.*)?                   gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ca/alias(/.*)?             gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/var/lib/ipa/pki-ca/publish(/.*)?       gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-kra(/.*)?                      gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-kra(/.*)?                  gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-kra.pid                    gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-kra(/.*)?                  gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-kra/alias(/.*)?            gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-ocsp(/.*)?                     gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ocsp(/.*)?                 gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ocsp.pid                   gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ocsp(/.*)?                 gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ocsp/alias(/.*)?           gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-tks(/.*)?                      gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-tks(/.*)?                  gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-tks.pid                    gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-tks(/.*)?                  gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-tks/alias(/.*)?            gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
+/var/lock/subsys/pkidaemon		--		gen_context(system_u:object_r:pki_tomcat_lock_t,s0)
+
+#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)?	gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
+/usr/lib/systemd/system/pki-tomcat.*	gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
index 0000000000..0a79513588
--- /dev/null
+++ b/pki.if
@@ -0,0 +1,523 @@
+
+## <summary>policy for pki</summary>
+
+########################################
+## <summary>
+##      Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pki_rw_tomcat_cert',`
+        gen_require(`
+                type pki_tomcat_cert_t;
+				type pki_tomcat_etc_rw_t;
+        ')
+
+		allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
+        rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+        create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+## <summary>
+##      Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pki_manage_tomcat_cert',`
+        gen_require(`
+                type pki_tomcat_cert_t;
+				type pki_tomcat_etc_rw_t;
+        ')
+
+		allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms;
+        manage_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+        manage_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+## <summary>
+##      Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pki_manage_tomcat_etc_rw',`
+        gen_require(`
+				type pki_tomcat_etc_rw_t;
+        ')
+
+        manage_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+        manage_lnk_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+')
+
+########################################
+## <summary>
+##      Allow domain to read pki cert files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pki_read_tomcat_cert',`
+        gen_require(`
+                type pki_tomcat_cert_t;
+        ')
+
+        read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+        read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`pki_apache_template',`
+	gen_require(`
+		attribute pki_apache_domain;
+		attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
+		attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
+	')
+
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t, pki_apache_domain;
+	type $1_exec_t, pki_apache_executable;
+	domain_type($1_t)
+	init_daemon_domain($1_t, $1_exec_t)
+
+	type $1_script_exec_t, pki_apache_script;
+	init_script_file($1_script_exec_t)
+
+	type $1_etc_rw_t, pki_apache_config;
+	files_type($1_etc_rw_t)
+
+	type $1_var_run_t, pki_apache_var_run;
+	files_pid_file($1_var_run_t)
+
+	type $1_var_lib_t, pki_apache_var_lib;
+	files_type($1_var_lib_t)
+
+	type $1_log_t, pki_apache_var_log;
+	logging_log_file($1_log_t)
+
+	type $1_lock_t;
+	files_lock_file($1_lock_t)
+
+    type $1_tmp_t;
+    files_tmpfs_file($1_tmp_t)
+
+	########################################
+	#
+	# $1 local policy
+	#
+
+	files_read_etc_files($1_t)
+	allow $1_t $1_etc_rw_t:lnk_file read;
+
+	manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	manage_files_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+	manage_dirs_pattern($1_t, $1_log_t,  $1_log_t)
+	manage_files_pattern($1_t, $1_log_t,  $1_log_t)
+	logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+	manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
+	manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
+	manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
+	files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
+
+    manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+    manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+    files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+	#talk to lunasa hsm
+	logging_send_syslog_msg($1_t)
+
+	kernel_read_kernel_sysctls($1_t)
+	kernel_read_system_state($1_t)
+
+	corenet_all_recvfrom_unlabeled($1_t)
+
+	# need to resolve addresses?
+	auth_use_nsswitch($1_t)
+')
+
+#######################################
+## <summary>
+##  Send a null signal to pki apache domains.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_apache_domain_signal',`
+    gen_require(`
+        attribute pki_apache_domain;
+    ')
+
+    allow $1 pki_apache_domain:process signal;
+')
+
+#######################################
+## <summary>
+##  Send a null signal to pki apache domains.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_apache_domain_signull',`
+    gen_require(`
+        attribute pki_apache_domain;
+    ')
+
+    allow $1 pki_apache_domain:process signull;
+')
+
+###################################
+## <summary>
+##  Allow domain to read pki apache subsystem pid files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_manage_apache_run',`
+    gen_require(`
+        attribute pki_apache_var_run;
+    ')
+
+    files_search_var_lib($1)
+    read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
+')
+
+####################################
+## <summary>
+##  Allow domain to manage pki apache subsystem lib files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_manage_apache_lib',`
+    gen_require(`
+        attribute pki_apache_var_lib;
+    ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
+	manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
+')
+
+##################################
+## <summary>
+##  Dontaudit domain to write pki log files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_search_log_dirs',`
+    gen_require(`
+        type pki_log_t;
+    ')
+
+    search_dirs_pattern($1, pki_log_t, pki_log_t)
+
+')
+
+##################################
+## <summary>
+##  Dontaudit domain to write pki log files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_dontaudit_write_log',`
+    gen_require(`
+        type pki_log_t;
+    ')
+
+	dontaudit $1 pki_log_t:file write;
+')
+
+###################################
+## <summary>
+##  Allow domain to manage pki apache subsystem log files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_manage_apache_log_files',`
+    gen_require(`
+        attribute pki_apache_var_log;
+    ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
+')
+
+##################################
+## <summary>
+##  Allow domain to manage pki apache subsystem config files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_manage_apache_config_files',`
+    gen_require(`
+        attribute pki_apache_config;
+    ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, pki_apache_config, pki_apache_config)
+')
+
+#################################
+## <summary>
+##  Allow domain to read pki tomcat lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_read_tomcat_lib_files',`
+    gen_require(`
+        type pki_tomcat_var_lib_t;
+    ')
+
+    read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+    read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+
+#################################
+## <summary>
+##  Allow domain to manage pki tomcat lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_manage_tomcat_lib',`
+    gen_require(`
+        type pki_tomcat_var_lib_t;
+    ')
+
+    manage_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+    manage_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+    manage_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+#################################
+## <summary>
+##  Allow domain to manage pki tomcat lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_manage_tomcat_log',`
+    gen_require(`
+        type pki_tomcat_log_t;
+    ')
+
+    manage_dirs_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
+    manage_files_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
+')
+
+#################################
+## <summary>
+##  Allow domain to read pki tomcat lib dirs
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`pki_read_tomcat_lib_dirs',`
+    gen_require(`
+        type pki_tomcat_var_lib_t;
+    ')
+
+    list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow read pki_common_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pki_read_common_files',`
+	gen_require(`
+		type pki_common_t;
+	')
+
+	read_files_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+## <summary>
+##	Allow execute pki_common_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pki_exec_common_files',`
+	gen_require(`
+		type pki_common_t;
+	')
+
+	exec_files_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+## <summary>
+##	Allow read pki_common_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pki_manage_common_files',`
+	gen_require(`
+		type pki_common_t;
+	')
+
+	manage_files_pattern($1, pki_common_t, pki_common_t)
+	manage_dirs_pattern($1, pki_common_t, pki_common_t)
+')
+
+########################################
+## <summary>
+##	Connect to pki over an unix
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pki_stream_connect',`
+	gen_require(`
+		type pki_tomcat_t, pki_common_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
+')
+
+########################################
+## <summary>
+##	Execute pki in the pkit_tomcat_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pki_tomcat_systemctl',`
+	gen_require(`
+		type pki_tomcat_t;
+		type pki_tomcat_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 pki_tomcat_unit_file_t:file read_file_perms;
+	allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, pki_tomcat_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	pki tomcat pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pki_manage_tomcat_pid',`
+	gen_require(`
+		type pki_tomcat_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, pki_tomcat_var_run_t, pki_tomcat_var_run_t)
+')
diff --git a/pki.te b/pki.te
new file mode 100644
index 0000000000..67e7036fbb
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,285 @@
+policy_module(pki,10.0.11)
+
+########################################
+#
+# Declarations
+#
+
+attribute pki_apache_domain;
+attribute pki_apache_config;
+attribute pki_apache_executable;
+attribute pki_apache_var_lib;
+attribute pki_apache_var_log;
+attribute pki_apache_var_run;
+attribute pki_apache_pidfiles;
+attribute pki_apache_script;
+
+type pki_log_t;
+logging_log_file(pki_log_t)
+
+type pki_common_t;
+files_type(pki_common_t)
+
+type pki_common_dev_t;
+files_type(pki_common_dev_t)
+
+type pki_tomcat_etc_rw_t;
+files_type(pki_tomcat_etc_rw_t)
+
+type pki_tomcat_cert_t;
+miscfiles_cert_type(pki_tomcat_cert_t)
+
+tomcat_domain_template(pki_tomcat)
+domain_obj_id_change_exemption(pki_tomcat_t)
+
+type pki_tomcat_unit_file_t;
+systemd_unit_file(pki_tomcat_unit_file_t)
+
+type pki_tomcat_lock_t;
+files_lock_file(pki_tomcat_lock_t)
+
+# old type aliases for migration
+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
+
+
+# pki policy types
+type pki_tps_tomcat_exec_t;
+files_type(pki_tps_tomcat_exec_t)
+
+pki_apache_template(pki_tps)
+
+# ra policy types
+type pki_ra_tomcat_exec_t;
+files_type(pki_ra_tomcat_exec_t)
+
+pki_apache_template(pki_ra)
+
+# needed for dogtag 9 style instances
+type pki_tomcat_script_t;
+domain_type(pki_tomcat_script_t)
+role system_r types pki_tomcat_script_t;
+
+optional_policy(`
+             unconfined_domain(pki_tomcat_script_t)
+')
+
+########################################
+#
+# pki-tomcat local policy
+#
+
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search dac_override sys_nice fsetid };
+dontaudit  pki_tomcat_t self:capability net_admin;
+allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
+
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
+allow pki_tomcat_t self:tcp_socket { accept listen };
+
+# allow writing to the kernel keyring
+allow pki_tomcat_t self:key { write read };
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms;
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+
+manage_dirs_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
+manage_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
+manage_lnk_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
+files_lock_filetrans(pki_tomcat_t,  pki_tomcat_lock_t, { dir file lnk_file })
+
+read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
+read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
+allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
+allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
+systemd_search_unit_dirs(pki_tomcat_t)
+
+# allow java subsystems to talk to the ncipher hsm
+allow pki_tomcat_t pki_common_dev_t:sock_file write;
+allow pki_tomcat_t pki_common_dev_t:dir search;
+allow pki_tomcat_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
+can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t)
+
+auth_use_nsswitch(pki_tomcat_t)
+
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+
+kernel_read_kernel_sysctls(pki_tomcat_t)
+kernel_read_net_sysctls(pki_tomcat_t)
+
+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
+corenet_tcp_connect_smtp_port(pki_tomcat_t)
+corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
+
+selinux_get_enforce_mode(pki_tomcat_t)
+
+libs_exec_ldconfig(pki_tomcat_t)
+
+logging_send_audit_msgs(pki_tomcat_t)
+
+miscfiles_read_hwdata(pki_tomcat_t)
+
+# is this really needed?
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
+userdom_manage_user_tmp_files(pki_tomcat_t)
+
+# for crl publishing
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
+
+# for ECC
+auth_getattr_shadow(pki_tomcat_t)
+
+optional_policy(`
+        consoletype_exec(pki_tomcat_t)
+')
+
+optional_policy(`
+	dirsrv_manage_var_lib(pki_tomcat_t)
+')
+
+optional_policy(`
+        hostname_exec(pki_tomcat_t)
+')
+
+optional_policy(`
+    ipa_read_lib(pki_tomcat_t)
+')
+
+#######################################
+#
+# tps local policy
+#
+
+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
+
+corenet_tcp_bind_pki_tps_port(pki_tps_t)
+# customer may run an ldap server on 389
+corenet_tcp_connect_ldap_port(pki_tps_t)
+# connect to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_tps_t)
+corenet_tcp_connect_pki_kra_port(pki_tps_t)
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+files_exec_usr_files(pki_tps_t)
+
+######################################
+#
+# ra local policy
+#
+
+#  RA specific? talking to mysql?
+allow pki_ra_t self:udp_socket { write read create connect };
+allow pki_ra_t self:unix_dgram_socket { write create connect };
+
+corenet_tcp_bind_pki_ra_port(pki_ra_t)
+# talk to other subsystems
+corenet_tcp_connect_http_port(pki_ra_t)
+corenet_tcp_connect_pki_ca_port(pki_ra_t)
+corenet_tcp_connect_smtp_port(pki_ra_t)
+
+fs_getattr_xattr_fs(pki_ra_t)
+
+files_search_spool(pki_ra_t)
+files_exec_usr_files(pki_ra_t)
+
+optional_policy(`
+	mta_send_mail(pki_ra_t)
+	mta_manage_spool(pki_ra_t)
+	mta_manage_queue(pki_ra_t)
+	mta_read_config(pki_ra_t)
+')
+
+#####################################
+#
+# pki_apache_domain local policy
+#
+
+
+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search dac_override fowner fsetid kill chown};
+allow pki_apache_domain self:process { setsched signal getsched  signull execstack execmem sigkill};
+
+allow pki_apache_domain self:sem all_sem_perms;
+allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
+allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+# allow writing to the kernel keyring
+allow pki_apache_domain self:key { write read };
+
+## internal communication is often done using fifo and unix sockets.
+allow pki_apache_domain self:fifo_file rw_file_perms;
+allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
+
+# talk to the hsm
+allow pki_apache_domain pki_common_dev_t:sock_file write;
+allow pki_apache_domain pki_common_dev_t:dir search;
+allow pki_apache_domain pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
+can_exec(pki_apache_domain, pki_common_t)
+init_stream_connect_script(pki_apache_domain)
+
+corenet_sendrecv_unlabeled_packets(pki_apache_domain)
+corenet_tcp_bind_all_nodes(pki_apache_domain)
+corenet_tcp_sendrecv_all_if(pki_apache_domain)
+corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
+corenet_tcp_sendrecv_all_ports(pki_apache_domain)
+#corenet_all_recvfrom_unlabeled(pki_apache_domain)
+corenet_tcp_connect_generic_port(pki_apache_domain)
+
+# Init script handling
+domain_use_interactive_fds(pki_apache_domain)
+
+seutil_exec_setfiles(pki_apache_domain)
+
+init_dontaudit_write_utmp(pki_apache_domain)
+
+libs_use_ld_so(pki_apache_domain)
+libs_use_shared_libs(pki_apache_domain)
+libs_exec_ld_so(pki_apache_domain)
+libs_exec_lib_files(pki_apache_domain)
+
+fs_search_cgroup_dirs(pki_apache_domain)
+
+corecmd_exec_bin(pki_apache_domain)
+corecmd_exec_shell(pki_apache_domain)
+
+dev_read_urand(pki_apache_domain)
+dev_read_rand(pki_apache_domain)
+
+# shutdown script uses ps
+domain_dontaudit_read_all_domains_state(pki_apache_domain)
+ps_process_pattern(pki_apache_domain, pki_apache_domain)
+
+sysnet_read_config(pki_apache_domain)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(pki_apache_domain)
+	term_dontaudit_use_generic_ptys(pki_apache_domain)
+')
+
+optional_policy(`
+	# apache permissions
+	apache_exec_modules(pki_apache_domain)
+	apache_list_modules(pki_apache_domain)
+	apache_read_config(pki_apache_domain)
+	apache_exec(pki_apache_domain)
+	apache_exec_suexec(pki_apache_domain)
+	apache_entrypoint(pki_apache_domain)
+')
+
+# allow rpm -q in init scripts
+optional_policy(`
+	rpm_exec(pki_apache_domain)
+')
+
diff --git a/plymouthd.fc b/plymouthd.fc
index 735500fd14..7f694728c3 100644
--- a/plymouthd.fc
+++ b/plymouthd.fc
@@ -1,15 +1,14 @@
-/bin/plymouth	--	gen_context(system_u:object_r:plymouth_exec_t,s0)
+/bin/plymouth			--	gen_context(system_u:object_r:plymouth_exec_t,s0)
 
-/sbin/plymouthd	--	gen_context(system_u:object_r:plymouthd_exec_t,s0)
+/sbin/plymouthd			--	gen_context(system_u:object_r:plymouthd_exec_t,s0)
 
-/usr/bin/plymouth	--	gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouth		--	gen_context(system_u:object_r:plymouth_exec_t,s0)
 
-/usr/sbin/plymouthd	--	gen_context(system_u:object_r:plymouthd_exec_t,s0)
+/var/lib/plymouth(/.*)?			gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
 
-/var/lib/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+/var/run/plymouth(/.*)?			gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/log/boot\.log.*			gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
 
-/var/log/boot\.log.*	--	gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+/usr/sbin/plymouthd		--	gen_context(system_u:object_r:plymouthd_exec_t,s0)
 
-/var/run/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-
-/var/spool/plymouth(/.*)?	gen_context(system_u:object_r:plymouthd_spool_t,s0)
+/var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
index 30e751f18b..61feb3a812 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -1,4 +1,4 @@
-## <summary>Plymouth graphical boot.</summary>
+## <summary>Plymouth graphical boot</summary>
 
 ########################################
 ## <summary>
@@ -10,18 +10,17 @@
 ## </summary>
 ## </param>
 #
-interface(`plymouthd_domtrans',`
+interface(`plymouthd_domtrans', `
 	gen_require(`
 		type plymouthd_t, plymouthd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute plymouthd in the caller domain.
+##	Execute the plymoth daemon in the current domain
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',`
 ## </summary>
 ## </param>
 #
-interface(`plymouthd_exec',`
+interface(`plymouthd_exec', `
 	gen_require(`
 		type plymouthd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, plymouthd_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to plymouthd using a unix
-##	domain stream socket.
+##	Allow domain to Stream socket connect
+##	to Plymouth daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -49,18 +47,17 @@ interface(`plymouthd_exec',`
 ##	</summary>
 ## </param>
 #
-interface(`plymouthd_stream_connect',`
+interface(`plymouthd_stream_connect', `
 	gen_require(`
-		type plymouthd_t, plymouthd_spool_t;
+		type plymouthd_t;
 	')
 
-	files_search_spool($1)
-	stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+	allow $1 plymouthd_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Execute plymouth in the caller domain.
+##	Execute the plymoth command in the current domain
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',`
 ## </summary>
 ## </param>
 #
-interface(`plymouthd_exec_plymouth',`
+interface(`plymouthd_exec_plymouth', `
 	gen_require(`
 		type plymouth_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, plymouth_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run plymouth.
+##	Execute a domain transition to run plymouthd.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',`
 ## </summary>
 ## </param>
 #
-interface(`plymouthd_domtrans_plymouth',`
+interface(`plymouthd_domtrans_plymouth', `
 	gen_require(`
 		type plymouth_t, plymouth_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, plymouth_exec_t, plymouth_t)
 ')
 
@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',`
 ##	</summary>
 ## </param>
 #
-interface(`plymouthd_search_spool',`
+interface(`plymouthd_search_spool', `
 	gen_require(`
 		type plymouthd_spool_t;
 	')
 
-	files_search_spool($1)
 	allow $1 plymouthd_spool_t:dir search_dir_perms;
+	files_search_spool($1)
 ')
 
 ########################################
@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',`
 ##	</summary>
 ## </param>
 #
-interface(`plymouthd_manage_spool_files',`
+interface(`plymouthd_manage_spool_files', `
 	gen_require(`
 		type plymouthd_spool_t;
 	')
@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',`
 ##	</summary>
 ## </param>
 #
-interface(`plymouthd_search_lib',`
+interface(`plymouthd_search_lib', `
 	gen_require(`
 		type plymouthd_var_lib_t;
 	')
 
-	files_search_var_lib($1)
 	allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
 ')
 
 ########################################
@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',`
 ##	</summary>
 ## </param>
 #
-interface(`plymouthd_read_lib_files',`
+interface(`plymouthd_read_lib_files', `
 	gen_require(`
 		type plymouthd_var_lib_t;
 	')
@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`plymouthd_manage_lib_files',`
+interface(`plymouthd_manage_lib_files', `
 	gen_require(`
 		type plymouthd_var_lib_t;
 	')
@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',`
 
 ########################################
 ## <summary>
-##	Read plymouthd pid files.
+##	Read plymouthd PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`plymouthd_read_pid_files',`
+interface(`plymouthd_read_pid_files', `
 	gen_require(`
 		type plymouthd_var_run_t;
 	')
@@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an plymouthd environment.
+##	Allow the specified domain to read
+##	to plymouthd log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`plymouthd_read_log',`
+	gen_require(`
+		type plymouthd_var_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+#####################################
+## <summary>
+##  Allow the specified domain to create plymouthd's log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`plymouthd_create_log',`
+    gen_require(`
+        type plymouthd_var_log_t;
+    ')
+
+    logging_search_logs($1)
+    create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	to plymouthd log files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`plymouthd_admin',`
+interface(`plymouthd_manage_log',`
+	gen_require(`
+		type plymouthd_var_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+	manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+	read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
+#######################################
+## <summary>
+##      Allow domain to create boot.log
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`plymouthd_filetrans_named_content',`
+
+    gen_require(`
+        type plymouthd_var_log_t;
+    ')
+    
+    logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an plymouthd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`plymouthd_admin', `
 	gen_require(`
 		type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
 		type plymouthd_var_run_t;
 	')
 
-	allow $1 plymouthd_t:process { ptrace signal_perms };
-	read_files_pattern($1, plymouthd_t, plymouthd_t)
+	allow $1 plymouthd_t:process signal_perms;
+	ps_process_pattern($1, plymouthd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 plymouthd_t:process ptrace;
+	')
 
-	files_search_spool($1)
+	files_list_var_lib($1)
 	admin_pattern($1, plymouthd_spool_t)
 
-	files_search_var_lib($1)
 	admin_pattern($1, plymouthd_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, plymouthd_var_run_t)
 ')
diff --git a/plymouthd.te b/plymouthd.te
index 3078ce9055..39e5a88ee4 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
 init_daemon_domain(plymouthd_t, plymouthd_exec_t)
 
 type plymouthd_spool_t;
-files_type(plymouthd_spool_t)
+files_spool_file(plymouthd_spool_t)
 
 type plymouthd_var_lib_t;
 files_type(plymouthd_var_lib_t)
@@ -28,13 +28,14 @@ files_pid_file(plymouthd_var_run_t)
 
 ########################################
 #
-# Daemon local policy
+# Plymouthd private policy
 #
 
 allow plymouthd_t self:capability { sys_admin sys_tty_config };
-dontaudit plymouthd_t self:capability dac_override;
 allow plymouthd_t self:capability2 block_suspend;
+dontaudit plymouthd_t self:capability{ dac_read_search  dac_override };
 allow plymouthd_t self:process { signal getsched };
+allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow plymouthd_t self:fifo_file rw_fifo_file_perms;
 allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
 
@@ -48,9 +49,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
 files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
 
 manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
 
 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
@@ -65,24 +64,33 @@ dev_rw_dri(plymouthd_t)
 dev_read_sysfs(plymouthd_t)
 dev_read_framebuffer(plymouthd_t)
 dev_write_framebuffer(plymouthd_t)
+dev_map_framebuffer(plymouthd_t)
 
 domain_use_interactive_fds(plymouthd_t)
 
 fs_getattr_all_fs(plymouthd_t)
 
-files_read_etc_files(plymouthd_t)
-files_read_usr_files(plymouthd_t)
-
 term_getattr_pty_fs(plymouthd_t)
 term_use_all_terms(plymouthd_t)
 term_use_ptmx(plymouthd_t)
+term_use_usb_ttys(plymouthd_t)
+
+init_signal(plymouthd_t)
+
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
+auth_use_nsswitch(plymouthd_t)
 
-miscfiles_read_localization(plymouthd_t)
 miscfiles_read_fonts(plymouthd_t)
 miscfiles_manage_fonts_cache(plymouthd_t)
 
+userdom_read_admin_home_files(plymouthd_t)
+
+term_use_unallocated_ttys(plymouthd_t)
+
 optional_policy(`
-	gnome_read_generic_home_content(plymouthd_t)
+	gnome_read_config(plymouthd_t)
 ')
 
 optional_policy(`
@@ -90,35 +98,37 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xserver_manage_xdm_spool_files(plymouthd_t)
-	xserver_read_xdm_state(plymouthd_t)
+    udev_read_pid_files(plymouthd_t)
+')
+
+optional_policy(`
+	xserver_xdm_manage_spool(plymouthd_t)
+	xserver_read_state_xdm(plymouthd_t)
 ')
 
 ########################################
 #
-# Client local policy
+# Plymouth private policy
 #
 
 allow plymouth_t self:process signal;
-allow plymouth_t self:fifo_file rw_fifo_file_perms;
+allow plymouth_t self:fifo_file rw_file_perms;
 allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
 
-stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
-
 kernel_read_system_state(plymouth_t)
 kernel_stream_connect(plymouth_t)
 
 domain_use_interactive_fds(plymouth_t)
 
-files_read_etc_files(plymouth_t)
 
 term_use_ptmx(plymouth_t)
 
-miscfiles_read_localization(plymouth_t)
 
 sysnet_read_config(plymouth_t)
 
-ifdef(`hide_broken_symptoms',`
+plymouthd_stream_connect(plymouth_t)
+
+ifdef(`hide_broken_symptoms', `
 	optional_policy(`
 		hal_dontaudit_write_log(plymouth_t)
 		hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
index 9123f71529..232e28a758 100644
--- a/podsleuth.te
+++ b/podsleuth.te
@@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
 # Local policy
 #
 
-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:capability { kill dac_read_search dac_override sys_admin sys_rawio };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
 allow podsleuth_t self:fifo_file rw_fifo_file_perms;
 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
 allow podsleuth_t self:sem create_sem_perms;
@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t)
 
 dev_read_urand(podsleuth_t)
 
-files_read_etc_files(podsleuth_t)
 
 fs_mount_dos_fs(podsleuth_t)
 fs_unmount_dos_fs(podsleuth_t)
@@ -76,13 +76,11 @@ fs_getattr_tmpfs(podsleuth_t)
 fs_list_tmpfs(podsleuth_t)
 fs_rw_removable_blk_files(podsleuth_t)
 
-miscfiles_read_localization(podsleuth_t)
-
 sysnet_dns_name_resolve(podsleuth_t)
 
 userdom_signal_unpriv_users(podsleuth_t)
 userdom_signull_unpriv_users(podsleuth_t)
-userdom_read_user_tmpfs_files(podsleuth_t)
+userdom_read_user_tmp_files(podsleuth_t)
 
 optional_policy(`
 	dbus_system_bus_client(podsleuth_t)
diff --git a/policykit.fc b/policykit.fc
index 1d76c7288a..93d09d92fa 100644
--- a/policykit.fc
+++ b/policykit.fc
@@ -1,23 +1,22 @@
-/usr/lib/polkit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/polkit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-
-/usr/lib/policykit/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-/usr/lib/policykit/polkit-resolve-exe-helper.*	--	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/lib/policykit/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/lib/policykit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/lib/policykit-1/polkitd	--	gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit/polkit-read-auth-helper --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/bin/pkla-check-authorization 	   --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.*   --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/lib/policykit/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/polkit-1/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
 
 /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
-/usr/libexec/polkit-resolve-exe-helper.*	--	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd.*	--	gen_context(system_u:object_r:policykit_exec_t,s0)
-/usr/libexec/polkit-1/polkit-agent-helper-1	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
-/usr/libexec/polkit-1/polkitd.*	--	gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/polkit-1/polkit-agent-helper-1  --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/kde4/polkit-kde-authentication-agent-1 --  gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.*		--	gen_context(system_u:object_r:policykit_exec_t,s0)
 
-/var/lib/misc/PolicyKit.reload	gen_context(system_u:object_r:policykit_reload_t,s0)
-/var/lib/PolicyKit(/.*)?	gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/var/lib/polkit-1(/.*)?	gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/var/lib/PolicyKit-public(/.*)?	gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)?				gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
 
-/var/run/PolicyKit(/.*)?	gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policykit.if b/policykit.if
index 032a84d1c4..be00a65f17 100644
--- a/policykit.if
+++ b/policykit.if
@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',`
 		class dbus send_msg;
 	')
 
+	ps_process_pattern(policykit_t, $1)
+
 	allow $1 policykit_t:dbus send_msg;
 	allow policykit_t $1:dbus send_msg;
 ')
@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',`
 ########################################
 ## <summary>
 ##	Send and receive messages from
-##	policykit auth over dbus.
+##	policykit over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',`
 		class dbus send_msg;
 	')
 
+	ps_process_pattern(policykit_auth_t, $1)
+
 	allow $1 policykit_auth_t:dbus send_msg;
 	allow policykit_auth_t $1:dbus send_msg;
 ')
@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',`
 ##	Execute a domain transition to run polkit_auth.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`policykit_domtrans_auth',`
@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',`
 		type policykit_auth_t, policykit_auth_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a policy_auth in the policy
-##	auth domain, and allow the specified
-##	role the policy auth domain.
+##	Execute a policy_auth in the policy_auth domain, and
+##	allow the specified role the policy_auth domain,
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`policykit_run_auth',`
 	gen_require(`
-		attribute_role policykit_auth_roles;
+		type policykit_auth_t;
 	')
 
 	policykit_domtrans_auth($1)
-	roleattribute $2 policykit_auth_roles;
+	role $2 types policykit_auth_t;
+
+	allow $1 policykit_auth_t:process signal;
+	ps_process_pattern(policykit_auth_t, $1)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run polkit grant.
+##	Execute a domain transition to run polkit_grant.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`policykit_domtrans_grant',`
@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',`
 		type policykit_grant_t, policykit_grant_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a policy_grant in the policy
-##	grant domain, and allow the specified
-##	role the policy grant domain.
+##	Execute a policy_grant in the policy_grant domain, and
+##	allow the specified role the policy_grant domain,
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',`
 #
 interface(`policykit_run_grant',`
 	gen_require(`
-		attribute_role policykit_grant_roles;
+		type policykit_grant_t;
 	')
 
 	policykit_domtrans_grant($1)
-	roleattribute $2 policykit_grant_roles;
+	role $2 types policykit_grant_t;
+
+	allow $1 policykit_grant_t:process signal;
+
+	ps_process_pattern(policykit_grant_t, $1)
 ')
 
 ########################################
 ## <summary>
-##	Read policykit reload files.
+##	read policykit reload files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -154,7 +162,7 @@ interface(`policykit_read_reload',`
 
 ########################################
 ## <summary>
-##	Read and write policykit reload files.
+##	rw policykit reload files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',`
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run polkit resolve.
+##	Execute a domain transition to run polkit_resolve.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`policykit_domtrans_resolve',`
@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',`
 		type policykit_resolve_t, policykit_resolve_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+	ps_process_pattern(policykit_resolve_t, $1)
 ')
 
 ########################################
@@ -205,13 +214,13 @@ interface(`policykit_search_lib',`
 		type policykit_var_lib_t;
 	')
 
-	files_search_var_lib($1)
 	allow $1 policykit_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
 ')
 
 ########################################
 ## <summary>
-##	Read policykit lib files.
+##	read policykit lib files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -226,4 +235,50 @@ interface(`policykit_read_lib',`
 
 	files_search_var_lib($1)
 	read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+	optional_policy(`
+		# Broken placement
+		cron_read_system_job_lib_files($1)
+	')
+')
+
+#######################################
+## <summary>
+##	The per role template for the policykit module.
+## </summary>
+## <param name="user_role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+template(`policykit_role',`
+	policykit_run_auth($2, $1)
+	policykit_run_grant($2, $1)
+	policykit_read_lib($2)
+	policykit_read_reload($2)
+	policykit_dbus_chat($2)
+')
+
+########################################
+## <summary>
+##	Send generic signal to policy_auth
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+	gen_require(`
+		type policykit_auth_t;
+	')
+
+	allow $1 policykit_auth_t:process signal;
 ')
diff --git a/policykit.te b/policykit.te
index ee91778f72..5e92592f0b 100644
--- a/policykit.te
+++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
 
 attribute policykit_domain;
 
-attribute_role policykit_auth_roles;
-attribute_role policykit_grant_roles;
-
 type policykit_t, policykit_domain;
 type policykit_exec_t;
 init_daemon_domain(policykit_t, policykit_exec_t)
@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t)
 type policykit_auth_t, policykit_domain;
 type policykit_auth_exec_t;
 init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
-role policykit_auth_roles types policykit_auth_t;
 
 type policykit_grant_t, policykit_domain;
 type policykit_grant_exec_t;
 init_system_domain(policykit_grant_t, policykit_grant_exec_t)
-role policykit_grant_roles types policykit_grant_t;
 
 type policykit_resolve_t, policykit_domain;
 type policykit_resolve_exec_t;
@@ -42,63 +37,74 @@ files_pid_file(policykit_var_run_t)
 
 #######################################
 #
-# Common policykit domain local policy
+# policykit_domain local policy
 #
 
 allow policykit_domain self:process { execmem getattr };
 allow policykit_domain self:fifo_file rw_fifo_file_perms;
 
-kernel_search_proc(policykit_domain)
-
-corecmd_exec_bin(policykit_domain)
-
 dev_read_sysfs(policykit_domain)
 
-files_read_usr_files(policykit_domain)
-
-logging_send_syslog_msg(policykit_domain)
-
-miscfiles_read_localization(policykit_domain)
-
 ########################################
 #
-# Local policy
+# policykit local policy
 #
 
 allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 allow policykit_t self:process { getsched setsched signal };
-allow policykit_t self:unix_stream_socket { accept connectto listen };
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+policykit_domtrans_auth(policykit_t)
+allow policykit_t policykit_auth_exec_t:file map;
+
+allow policykit_t policykit_auth_t:process signal;
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+dev_read_sysfs(policykit_t)
 
 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
 
+policykit_domtrans_resolve(policykit_t)
+
 manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
 
 manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
 
-can_exec(policykit_t, policykit_exec_t)
-
-domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
-
-kernel_read_kernel_sysctls(policykit_t)
 kernel_read_system_state(policykit_t)
+kernel_read_kernel_sysctls(policykit_t)
 
 domain_read_all_domains_state(policykit_t)
 
 files_dontaudit_search_all_mountpoints(policykit_t)
 
+fs_getattr_all_fs(policykit_t)
 fs_list_inotifyfs(policykit_t)
+fs_list_cgroup_dirs(policykit_t)
 
 auth_use_nsswitch(policykit_t)
 
+init_list_pid_dirs(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+systemd_machined_read_pid_files(policykit_t)
+
 userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
 
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
 
+	init_dbus_chat(policykit_t)
+
+    sysnet_dbus_chat_dhcpc(policykit_t)
+
 	optional_policy(`
 		consolekit_dbus_chat(policykit_t)
 	')
@@ -109,29 +115,43 @@ optional_policy(`
 ')
 
 optional_policy(`
+	consolekit_list_pid_files(policykit_t)
 	consolekit_read_pid_files(policykit_t)
 ')
 
 optional_policy(`
-	gnome_read_generic_home_content(policykit_t)
+	kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
+	kerberos_manage_host_rcache(policykit_t)
 ')
 
 optional_policy(`
-	kerberos_manage_host_rcache(policykit_t)
-	kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
+	gnome_read_config(policykit_t)
+')
+
+optional_policy(`
+	systemd_read_logind_sessions_files(policykit_t)
+	systemd_login_list_pid_dirs(policykit_t)
+	systemd_login_read_pid_files(policykit_t)
 ')
 
 ########################################
 #
-# Auth local policy
+# polkit_auth local policy
 #
 
-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
+allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
 dontaudit policykit_auth_t self:capability sys_tty_config;
-allow policykit_auth_t self:process { getsched setsched signal };
-allow policykit_auth_t self:unix_stream_socket { accept listen };
+allow policykit_auth_t self:process { setsched getsched signal };
 
-ps_process_pattern(policykit_auth_t, policykit_domain)
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_dbus_chat(policykit_auth_t)
+
+kernel_read_system_state(policykit_auth_t)
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_exec_bin(policykit_auth_t)
 
 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
 
@@ -145,65 +165,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
 
-can_exec(policykit_auth_t, policykit_auth_exec_t)
-
-kernel_read_system_state(policykit_auth_t)
 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
 
 dev_read_video_dev(policykit_auth_t)
 
 files_read_etc_runtime_files(policykit_auth_t)
 files_search_home(policykit_auth_t)
+files_dontaudit_access_check_home_dir(policykit_auth_t)
 
 fs_getattr_all_fs(policykit_auth_t)
 fs_search_tmpfs(policykit_auth_t)
+fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
 
 auth_rw_var_auth(policykit_auth_t)
 auth_use_nsswitch(policykit_auth_t)
 auth_domtrans_chk_passwd(policykit_auth_t)
 
+logging_send_syslog_msg(policykit_auth_t)
+
 miscfiles_read_fonts(policykit_auth_t)
 miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
 
 userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
+userdom_dontaudit_access_check_user_content(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
 
 optional_policy(`
-	dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)
-	dbus_all_session_bus_client(policykit_auth_t)
+	dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
+	dbus_session_bus_client(policykit_auth_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(policykit_auth_t)
 	')
+')
 
-	optional_policy(`
-		policykit_dbus_chat(policykit_auth_t)
-	')
+optional_policy(`
+    gnome_read_config(policykit_auth_t)
+    gnome_access_check_usr_config(policykit_auth_t)
 ')
 
 optional_policy(`
+	kernel_search_proc(policykit_auth_t)
 	hal_read_state(policykit_auth_t)
 ')
 
 optional_policy(`
-	kerberos_manage_host_rcache(policykit_auth_t)
-	kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0")
+	kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
+        kerberos_manage_host_rcache(policykit_auth_t)
 ')
 
 optional_policy(`
 	xserver_stream_connect(policykit_auth_t)
+	xserver_xdm_append_log(policykit_auth_t)
 	xserver_read_xdm_pid(policykit_auth_t)
+	xserver_search_xdm_lib(policykit_auth_t)
+	xserver_create_xdm_tmp_sockets(policykit_auth_t)
 ')
 
 ########################################
 #
-# Grant local policy
+# polkit_grant local policy
 #
 
 allow policykit_grant_t self:capability setuid;
+
 allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
 allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
 
-ps_process_pattern(policykit_grant_t, policykit_domain)
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
 
 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
 
@@ -211,23 +246,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
 
 manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
 
-can_exec(policykit_grant_t, policykit_grant_exec_t)
-
-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
 
 auth_domtrans_chk_passwd(policykit_grant_t)
 auth_use_nsswitch(policykit_grant_t)
 
+logging_send_syslog_msg(policykit_grant_t)
+
 userdom_read_all_users_state(policykit_grant_t)
 
 optional_policy(`
 	cron_manage_system_job_lib_files(policykit_grant_t)
 ')
 
-optional_policy(`
+	optional_policy(`
 	dbus_system_bus_client(policykit_grant_t)
-
 	optional_policy(`
 		consolekit_dbus_chat(policykit_grant_t)
 	')
@@ -235,26 +267,28 @@ optional_policy(`
 
 ########################################
 #
-# Resolve local policy
+# polkit_resolve local policy
 #
 
 allow policykit_resolve_t self:capability { setuid sys_nice };
-allow policykit_resolve_t self:unix_stream_socket { accept listen };
 
-ps_process_pattern(policykit_resolve_t, policykit_domain)
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
 
 read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
 
 read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
 
 can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
 
-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
-
-mcs_ptrace_all(policykit_resolve_t)
 
 auth_use_nsswitch(policykit_resolve_t)
 
+logging_send_syslog_msg(policykit_resolve_t)
+
 userdom_read_all_users_state(policykit_resolve_t)
 
 optional_policy(`
@@ -266,6 +300,6 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kernel_search_proc(policykit_resolve_t)
 	hal_read_state(policykit_resolve_t)
 ')
-
diff --git a/polipo.fc b/polipo.fc
index d35614b78a..11f77ee326 100644
--- a/polipo.fc
+++ b/polipo.fc
@@ -1,15 +1,16 @@
-HOME_DIR/\.forbidden	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
 HOME_DIR/\.polipo	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
 HOME_DIR/\.polipo-cache(/.*)?	gen_context(system_u:object_r:polipo_cache_home_t,s0)
 
-/etc/polipo(/.*)?	gen_context(system_u:object_r:polipo_conf_t,s0)
+/etc/polipo(/.*)?	gen_context(system_u:object_r:polipo_etc_t,s0)
 
 /etc/rc\.d/init\.d/polipo	--	gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/polipo.*  --              gen_context(system_u:object_r:polipo_unit_file_t,s0)
+
 /usr/bin/polipo	--	gen_context(system_u:object_r:polipo_exec_t,s0)
 
 /var/cache/polipo(/.*)?	gen_context(system_u:object_r:polipo_cache_t,s0)
 
 /var/log/polipo.*	--	gen_context(system_u:object_r:polipo_log_t,s0)
 
-/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_var_run_t,s0)
+/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_pid_t,s0)
diff --git a/polipo.if b/polipo.if
index ae27bb7fec..10a778780c 100644
--- a/polipo.if
+++ b/polipo.if
@@ -1,8 +1,8 @@
-## <summary>Lightweight forwarding and caching proxy server.</summary>
+## <summary>Caching web proxy.</summary>
 
 ########################################
 ## <summary>
-##	Role access for Polipo session.
+##	Role access for polipo session.
 ## </summary>
 ## <param name="role">
 ##	<summary>
@@ -11,14 +11,13 @@
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 template(`polipo_role',`
 	gen_require(`
-		type polipo_session_t, polipo_exec_t, polipo_config_home_t;
-		type polipo_cache_home_t;
+		type polipo_session_t, polipo_exec_t;
 	')
 
 	########################################
@@ -33,15 +32,11 @@ template(`polipo_role',`
 	# Policy
 	#
 
-	allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
-
-	userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
-	userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
-	userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
-
-	allow $2 polipo_session_t:process { ptrace signal_perms };
+	allow $2 polipo_session_t:process signal_perms;
 	ps_process_pattern($2, polipo_session_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 polipo_session_t:process ptrace;
+	')
 
 	tunable_policy(`polipo_session_users',`
 		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
@@ -52,57 +47,130 @@ template(`polipo_role',`
 
 ########################################
 ## <summary>
-##	Execute Polipo in the Polipo
-##	system domain.
+##	Create configuration files in user
+##	home directories with a named file
+##	type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`polipo_initrc_domtrans',`
+interface(`polipo_named_filetrans_config_home_files',`
 	gen_require(`
-		type polipo_initrc_exec_t;
+		type polipo_config_home_t;
 	')
 
-	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+	userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+## <summary>
+##	Create cache directories in user
+##	home directories with a named file
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`polipo_named_filetrans_cache_home_dirs',`
+	gen_require(`
+		type polipo_cache_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in generic
-##	log directories with the polipo
-##	log file type.
+##	Create configuration files in admin
+##	home directories with a named file
+##	type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
+#
+interface(`polipo_named_filetrans_admin_config_home_files',`
+	gen_require(`
+		type polipo_config_home_t;
+	')
+
+	userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
+########################################
+## <summary>
+##	Create cache directories in admin
+##	home directories with a named file
+##	type transition.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Class of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+#
+interface(`polipo_named_filetrans_admin_cache_home_dirs',`
+	gen_require(`
+		type polipo_cache_home_t;
+	')
+
+	userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
+')
+
+########################################
+## <summary>
+##	Create log files with a named file
+##	type transition.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`polipo_log_filetrans_log',`
+interface(`polipo_named_filetrans_log_files',`
 	gen_require(`
 		type polipo_log_t;
 	')
 
-	logging_log_filetrans($1, polipo_log_t, $2, $3)
+	logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
+')
+
+########################################
+## <summary>
+##	Execute polipo server in the polipo domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`polipo_systemctl',`
+	gen_require(`
+		type polipo_t;
+		type polipo_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 polipo_unit_file_t:file read_file_perms;
+	allow $1 polipo_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, polipo_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an polipo environment.
+##	Administrate an polipo environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -118,27 +186,35 @@ interface(`polipo_log_filetrans_log',`
 #
 interface(`polipo_admin',`
 	gen_require(`
-		type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
-		type polipo_conf_t, polipo_log_t, polipo_var_run_t;
+		type polipo_t, polipo_pid_t, polipo_cache_t;
+		type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
+		type polipo_unit_file_t;
 	')
 
-	allow $1 polipo_system_t:process { ptrace signal_perms };
-	ps_process_pattern($1, polipo_system_t)
+	allow $1 polipo_t:process signal_perms;
+	ps_process_pattern($1, polipo_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 polipo_t:process ptrace;
+	')
 
-	polipo_initrc_domtrans($1)
+	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 polipo_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var($1)
-	admin_pattern($1, polipo_cache_t)
-
-	files_search_etc($1)
-	admin_pattern($1, polipo_conf_t)
+	files_list_etc($1)
+	admin_pattern($1, polipo_etc_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, polipo_log_t)
 
-	files_search_pids($1)
-	admin_pattern($1, polipo_var_run_t)
+	files_list_var($1)
+	admin_pattern($1, polipo_cache_t)
+
+	files_list_pids($1)
+	admin_pattern($1, polipo_pid_t)
+
+	polipo_systemctl($1)
+	admin_pattern($1, polipo_unit_file_t)
+	allow $1 polipo_unit_file_t:service all_service_perms;
 ')
diff --git a/polipo.te b/polipo.te
index 9764bfef85..8870de7133 100644
--- a/polipo.te
+++ b/polipo.te
@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
 
 ## <desc>
 ##	<p>
-##	Determine whether Polipo system
-##	daemon can access CIFS file systems.
+##	Determine whether polipo can
+##	access cifs file systems.
 ##	</p>
 ## </desc>
-gen_tunable(polipo_system_use_cifs, false)
+gen_tunable(polipo_use_cifs, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether Polipo system
-##	daemon can access NFS file systems.
+##	Determine whether Polipo can
+##	access nfs file systems.
 ##	</p>
 ## </desc>
-gen_tunable(polipo_system_use_nfs, false)
+gen_tunable(polipo_use_nfs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Polipo session daemon
+##	can bind tcp sockets to all unreserved ports.
+##	</p>
+## </desc>
+gen_tunable(polipo_session_bind_all_unreserved_ports, false)
 
 ## <desc>
 ##	<p>
@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false)
 gen_tunable(polipo_session_users, false)
 
 ## <desc>
-##	<p>
-##	Determine whether Polipo session daemon
-##	can send syslog messages.
-##	</p>
+## <p>
+## Allow polipo to connect to all ports > 1023
+## </p>
 ## </desc>
-gen_tunable(polipo_session_send_syslog_msg, false)
+gen_tunable(polipo_connect_all_unreserved, false)
 
 attribute polipo_daemon;
 
-type polipo_system_t, polipo_daemon;
+type polipo_t, polipo_daemon;
 type polipo_exec_t;
-init_daemon_domain(polipo_system_t, polipo_exec_t)
+init_daemon_domain(polipo_t, polipo_exec_t)
 
 type polipo_initrc_exec_t;
 init_script_file(polipo_initrc_exec_t)
 
-type polipo_conf_t;
-files_config_file(polipo_conf_t)
+type polipo_etc_t;
+files_config_file(polipo_etc_t)
 
 type polipo_cache_t;
 files_type(polipo_cache_t)
@@ -56,116 +63,104 @@ files_type(polipo_cache_t)
 type polipo_log_t;
 logging_log_file(polipo_log_t)
 
-type polipo_var_run_t;
-files_pid_file(polipo_var_run_t)
+type polipo_pid_t;
+files_pid_file(polipo_pid_t)
 
 type polipo_session_t, polipo_daemon;
-userdom_user_application_domain(polipo_session_t, polipo_exec_t)
+application_domain(polipo_session_t, polipo_exec_t)
+ubac_constrained(polipo_session_t)
+
+type polipo_config_home_t;
+userdom_user_home_content(polipo_config_home_t)
 
 type polipo_cache_home_t;
 userdom_user_home_content(polipo_cache_home_t)
 
-type polipo_config_home_t;
-userdom_user_home_content(polipo_config_home_t)
+type polipo_unit_file_t;
+systemd_unit_file(polipo_unit_file_t)
 
 ########################################
 #
-# Session local policy
+# Global local policy
 #
 
-allow polipo_session_t polipo_config_home_t:file read_file_perms;
-
-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
-
-auth_use_nsswitch(polipo_session_t)
-
-userdom_use_user_terminals(polipo_session_t)
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+allow polipo_daemon self:tcp_socket { listen accept };
 
-tunable_policy(`polipo_session_send_syslog_msg',`
-	logging_send_syslog_msg(polipo_session_t)
-')
+corenet_tcp_bind_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
+corenet_tcp_connect_http_cache_port(polipo_daemon)
+corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_flash_port(polipo_daemon)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(polipo_session_t)
-',`
-	fs_dontaudit_read_nfs_files(polipo_session_t)
-')
+fs_search_auto_mountpoints(polipo_daemon)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(polipo_session_t)
-',`
-	fs_dontaudit_read_cifs_files(polipo_session_t)
-')
 
 ########################################
 #
-# System local policy
+# Polipo local policy
 #
 
-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
 
-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
-files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
+files_var_filetrans(polipo_t, polipo_cache_t, dir)
 
-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
-logging_log_filetrans(polipo_system_t, polipo_log_t, file)
+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
+logging_log_filetrans(polipo_t, polipo_log_t, file)
 
-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t)
-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file)
+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
+files_pid_filetrans(polipo_t, polipo_pid_t, file)
 
-auth_use_nsswitch(polipo_system_t)
+auth_use_nsswitch(polipo_t)
 
-logging_send_syslog_msg(polipo_system_t)
+logging_send_syslog_msg(polipo_t)
 
 optional_policy(`
-	cron_system_entry(polipo_system_t, polipo_exec_t)
+	cron_system_entry(polipo_t, polipo_exec_t)
+')
+
+tunable_policy(`polipo_connect_all_unreserved',`
+    corenet_tcp_connect_all_unreserved_ports(polipo_t)
 ')
 
-tunable_policy(`polipo_system_use_cifs',`
-	fs_manage_cifs_files(polipo_system_t)
-',`
-	fs_dontaudit_read_cifs_files(polipo_system_t)
+tunable_policy(`polipo_use_cifs',`
+	fs_manage_cifs_files(polipo_t)
 ')
 
-tunable_policy(`polipo_system_use_nfs',`
-	fs_manage_nfs_files(polipo_system_t)
-',`
-	fs_dontaudit_read_nfs_files(polipo_system_t)
+tunable_policy(`polipo_use_nfs',`
+	fs_manage_nfs_files(polipo_t)
 ')
 
 ########################################
 #
-# Polipo global local policy
+# Polipo session local policy
 #
 
-allow polipo_daemon self:fifo_file rw_fifo_file_perms;
-allow polipo_daemon self:tcp_socket { listen accept };
-
-corenet_all_recvfrom_unlabeled(polipo_daemon)
-corenet_all_recvfrom_netlabel(polipo_daemon)
-corenet_tcp_sendrecv_generic_if(polipo_daemon)
-corenet_tcp_sendrecv_generic_node(polipo_daemon)
-corenet_tcp_bind_generic_node(polipo_daemon)
+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
 
-corenet_sendrecv_http_client_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_port(polipo_daemon)
-corenet_tcp_connect_http_port(polipo_daemon)
+auth_use_nsswitch(polipo_session_t)
 
-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
-corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
-corenet_tcp_bind_http_cache_port(polipo_daemon)
+userdom_use_user_terminals(polipo_session_t)
 
 corenet_sendrecv_tor_client_packets(polipo_daemon)
 corenet_tcp_sendrecv_tor_port(polipo_daemon)
 corenet_tcp_connect_tor_port(polipo_daemon)
+corenet_tcp_connect_all_ephemeral_ports(polipo_daemon)
 
-files_read_usr_files(polipo_daemon)
+logging_send_syslog_msg(polipo_session_t)
 
-fs_search_auto_mountpoints(polipo_daemon)
+userdom_home_manager(polipo_session_t)
+
+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
+	corenet_tcp_sendrecv_all_ports(polipo_session_t)
+	corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
+')
 
-miscfiles_read_localization(polipo_daemon)
diff --git a/portage.if b/portage.if
index 67e8c12c49..058c994812 100644
--- a/portage.if
+++ b/portage.if
@@ -67,9 +67,10 @@ interface(`portage_compile_domain',`
 		class dbus send_msg;
 		type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
 		type portage_tmpfs_t;
+		type portage_sandbox_t;
 	')
 
-	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search dac_override net_raw };
 	dontaudit $1 self:capability sys_chroot;
 	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
 	allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/portage.te b/portage.te
index b410c67c19..f1ec41d393 100644
--- a/portage.te
+++ b/portage.te
@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
 
 files_manage_etc_files(gcc_config_t)
 files_rw_etc_runtime_files(gcc_config_t)
-files_read_usr_files(gcc_config_t)
 files_search_var_lib(gcc_config_t)
 files_search_pids(gcc_config_t)
 # complains loudly about not being able to list
@@ -239,7 +238,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
 #
 
 allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:capability { dac_read_search dac_override fowner fsetid chown };
 allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
 allow portage_fetch_t self:tcp_socket { accept listen };
 allow portage_fetch_t self:unix_stream_socket create_socket_perms;
@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t)
 domain_use_interactive_fds(portage_fetch_t)
 
 files_read_etc_runtime_files(portage_fetch_t)
-files_read_usr_files(portage_fetch_t)
 files_dontaudit_search_pids(portage_fetch_t)
 
 fs_search_auto_mountpoints(portage_fetch_t)
diff --git a/portmap.fc b/portmap.fc
index cd45831ca8..69406ee171 100644
--- a/portmap.fc
+++ b/portmap.fc
@@ -4,9 +4,14 @@
 /sbin/pmap_set	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
 /sbin/portmap	--	gen_context(system_u:object_r:portmap_exec_t,s0)
 
+ifdef(`distro_debian',`
+/sbin/pmap_dump		--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/sbin/pmap_set		--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+', `
 /usr/sbin/pmap_dump	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
 /usr/sbin/pmap_set	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
 /usr/sbin/portmap	--	gen_context(system_u:object_r:portmap_exec_t,s0)
+')
 
 /var/run/portmap\.upgrade-state	--	gen_context(system_u:object_r:portmap_var_run_t,s0)
 /var/run/portmap_mapping	--	gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/portmap.te b/portmap.te
index 18b255e7a4..e75c4ec240 100644
--- a/portmap.te
+++ b/portmap.te
@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
 kernel_read_system_state(portmap_t)
 kernel_read_kernel_sysctls(portmap_t)
 
-corenet_all_recvfrom_unlabeled(portmap_t)
 corenet_all_recvfrom_netlabel(portmap_t)
 corenet_tcp_sendrecv_generic_if(portmap_t)
 corenet_udp_sendrecv_generic_if(portmap_t)
@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t)
 
 domain_use_interactive_fds(portmap_t)
 
+auth_use_nsswitch(portmap_t)
+
 logging_send_syslog_msg(portmap_t)
 
-miscfiles_read_localization(portmap_t)
+sysnet_read_config(portmap_t)
 
 userdom_dontaudit_use_unpriv_user_fds(portmap_t)
 userdom_dontaudit_search_user_home_dirs(portmap_t)
@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen };
 allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
 files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
 
-corenet_all_recvfrom_unlabeled(portmap_helper_t)
 corenet_all_recvfrom_netlabel(portmap_helper_t)
 corenet_tcp_sendrecv_generic_if(portmap_helper_t)
 corenet_udp_sendrecv_generic_if(portmap_helper_t)
@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t)
 
 logging_send_syslog_msg(portmap_helper_t)
 
-userdom_use_user_terminals(portmap_helper_t)
+sysnet_read_config(portmap_helper_t)
+
+userdom_use_inherited_user_terminals(portmap_helper_t)
 userdom_dontaudit_use_all_users_fds(portmap_helper_t)
diff --git a/portreserve.fc b/portreserve.fc
index 1b2b4f908f..575b7d69bf 100644
--- a/portreserve.fc
+++ b/portreserve.fc
@@ -1,6 +1,6 @@
 /etc/portreserve(/.*)?	gen_context(system_u:object_r:portreserve_etc_t,s0)
 
-/etc/rc\.d/init\.d/portreserve	--	gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/portreserve    --  gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
 
 /sbin/portreserve	--	gen_context(system_u:object_r:portreserve_exec_t,s0)
 
diff --git a/portreserve.if b/portreserve.if
index 5ad5291544..7f1ae2a784 100644
--- a/portreserve.if
+++ b/portreserve.if
@@ -105,8 +105,11 @@ interface(`portreserve_admin',`
 		type portreserve_initrc_exec_t;
 	')
 
-	allow $1 portreserve_t:process { ptrace signal_perms };
+	allow $1 portreserve_t:process signal_perms;
 	ps_process_pattern($1, portreserve_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 portreserve_t:process ptrace;
+	')
 
 	portreserve_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
index 00b01e2ea2..10b45127a5 100644
--- a/portreserve.te
+++ b/portreserve.te
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
 
 corecmd_getattr_bin_files(portreserve_t)
 
-corenet_all_recvfrom_unlabeled(portreserve_t)
 corenet_all_recvfrom_netlabel(portreserve_t)
 corenet_tcp_sendrecv_generic_if(portreserve_t)
 corenet_udp_sendrecv_generic_if(portreserve_t)
@@ -56,6 +55,7 @@ corenet_sendrecv_all_server_packets(portreserve_t)
 corenet_tcp_bind_all_ports(portreserve_t)
 corenet_udp_bind_all_ports(portreserve_t)
 
-files_read_etc_files(portreserve_t)
-
 userdom_dontaudit_search_user_home_content(portreserve_t)
+
+auth_use_nsswitch(portreserve_t)
+
diff --git a/portslave.te b/portslave.te
index cbe36c1d0b..8ebeb87d25 100644
--- a/portslave.te
+++ b/portslave.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
 corecmd_exec_bin(portslave_t)
 corecmd_exec_shell(portslave_t)
 
-corenet_all_recvfrom_unlabeled(portslave_t)
 corenet_all_recvfrom_netlabel(portslave_t)
 corenet_tcp_sendrecv_generic_if(portslave_t)
 corenet_udp_sendrecv_generic_if(portslave_t)
@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t)
 
 term_use_unallocated_ttys(portslave_t)
 term_setattr_unallocated_ttys(portslave_t)
-term_use_all_ttys(portslave_t)
+term_use_all_inherited_ttys(portslave_t)
 term_search_ptys(portslave_t)
 
 auth_domtrans_chk_passwd(portslave_t)
diff --git a/postfix.fc b/postfix.fc
index c0e878537c..3070aa0669 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -1,38 +1,38 @@
-/etc/postfix.*	gen_context(system_u:object_r:postfix_etc_t,s0)
-/etc/postfix/postfix-script.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
-
-/etc/rc\.d/init\.d/postfix	--	gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-
+# postfix
+/etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/lmtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/local --	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master --	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup --	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+', `
 /usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 /usr/lib/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
 /usr/lib/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/lib/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr	--	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(n)?qmgr --	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
 /usr/lib/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
 /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual	--	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-
-/usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup	--	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr	--	gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq	--	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache	--	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual	--	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
@@ -44,14 +44,14 @@
 /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
 /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 
-/var/lib/postfix.*	gen_context(system_u:object_r:postfix_data_t,s0)
+/var/lib/postfix.*		gen_context(system_u:object_r:postfix_data_t,s0)
 
-/var/spool/postfix.*	gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/deferred(/.*)?	-d	gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/defer(/.*)?	gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/maildrop(/.*)?	gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid(/.*)?	gen_context(system_u:object_r:postfix_var_run_t,s0)
-/var/spool/postfix/private(/.*)?	gen_context(system_u:object_r:postfix_private_t,s0)
-/var/spool/postfix/public(/.*)?	gen_context(system_u:object_r:postfix_public_t,s0)
-/var/spool/postfix/bounce(/.*)?	gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
-/var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_flush_t,s0)
+/var/spool/postfix.*		gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/defer(/.*)? 	  gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)?	gen_context(system_u:object_r:postfix_spool_t,s0)
diff --git a/postfix.if b/postfix.if
index ded95ec3a4..137ae2d3d2 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
-## <summary>Postfix email server.</summary>
+## <summary>Postfix email server</summary>
 
 ########################################
 ## <summary>
@@ -16,13 +16,14 @@ interface(`postfix_stub',`
 	')
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a postfix domain.
+##	Creates types and rules for a basic
+##	postfix process domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
@@ -31,73 +32,69 @@ template(`postfix_domain_template',`
 		attribute postfix_domain;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
 	type postfix_$1_t, postfix_domain;
 	type postfix_$1_exec_t;
 	domain_type(postfix_$1_t)
 	domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
 	role system_r types postfix_$1_t;
 
-	########################################
-	#
-	# Policy
-	#
-
-	can_exec(postfix_$1_t, postfix_$1_exec_t)
+	kernel_read_system_state(postfix_$1_t)
 
 	auth_use_nsswitch(postfix_$1_t)
+
+	logging_send_syslog_msg(postfix_$1_t)
+
+	can_exec(postfix_$1_t, postfix_$1_exec_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a postfix server domain.
+##	Creates a postfix server process domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix of the domain.
 ##	</summary>
 ## </param>
 #
 template(`postfix_server_domain_template',`
-	gen_require(`
-		attribute postfix_server_domain, postfix_server_tmp_content;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
 	postfix_domain_template($1)
 
-	typeattribute postfix_$1_t postfix_server_domain;
-
-	type postfix_$1_tmp_t, postfix_server_tmp_content;
+	type postfix_$1_tmp_t;
 	files_tmp_file(postfix_$1_tmp_t)
 
-	########################################
-	#
-	# Declarations
-	#
+	allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search dac_override };
+	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+	allow postfix_$1_t self:tcp_socket create_socket_perms;
+	allow postfix_$1_t self:udp_socket create_socket_perms;
 
 	manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
 	manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
 	files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
 
 	domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+
+	corenet_all_recvfrom_netlabel(postfix_$1_t)
+	corenet_tcp_sendrecv_generic_if(postfix_$1_t)
+	corenet_udp_sendrecv_generic_if(postfix_$1_t)
+	corenet_tcp_sendrecv_generic_node(postfix_$1_t)
+	corenet_udp_sendrecv_generic_node(postfix_$1_t)
+	corenet_tcp_sendrecv_all_ports(postfix_$1_t)
+	corenet_udp_sendrecv_all_ports(postfix_$1_t)
+	corenet_tcp_bind_generic_node(postfix_$1_t)
+	corenet_udp_bind_generic_node(postfix_$1_t)
+	corenet_tcp_connect_all_ports(postfix_$1_t)
+	corenet_sendrecv_all_client_packets(postfix_$1_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a postfix user domain.
+##	Creates a process domain for programs
+##	that are ran by users.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix of the domain.
 ##	</summary>
 ## </param>
 #
@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',`
 		attribute postfix_user_domains, postfix_user_domtrans;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
 	postfix_domain_template($1)
 
 	typeattribute postfix_$1_t postfix_user_domains;
 
-	########################################
-	#
-	# Policy
-	#
-
-	allow postfix_$1_t self:capability dac_override;
+	allow postfix_$1_t self:capability { dac_read_search dac_override };
 
 	domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
 
 	domain_use_interactive_fds(postfix_$1_t)
+
+	application_domain(postfix_$1_t, postfix_$1_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Read postfix configuration content.
+##	Read postfix configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -143,16 +132,15 @@ interface(`postfix_read_config',`
 		type postfix_etc_t;
 	')
 
+	read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+	read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
 	files_search_etc($1)
-	allow $1 postfix_etc_t:dir list_dir_perms;
-	allow $1 postfix_etc_t:file read_file_perms;
-	allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create specified object in postfix
-##	etc directories with a type transition.
+##	Create files with the specified type in
+##	the postfix configuration directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',`
 		type postfix_etc_t;
 	')
 
+	files_search_etc($1)
 	filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
 ')
 
@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Read and write postfix local pipes.
+##	Allow read/write postfix local pipes
+##	TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',`
 	allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Read postfix local process state files.
+##  Allow read/write postfix public pipes
+##  TCP sockets.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`postfix_read_local_state',`
-	gen_require(`
-		type postfix_local_t;
-	')
+interface(`postfix_rw_public_pipes',`
+    gen_require(`
+        type postfix_public_t;
+    ')
 
-	kernel_search_proc($1)
-	allow $1 postfix_local_t:dir list_dir_perms;
-	allow $1 postfix_local_t:file read_file_perms;
-	allow $1 postfix_local_t:lnk_file read_lnk_file_perms;
+    allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write inherited postfix master pipes.
+##	Allow domain to read postfix local process state
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',`
 ##	</summary>
 ## </param>
 #
-interface(`postfix_rw_inherited_master_pipes',`
+interface(`postfix_read_local_state',`
 	gen_require(`
-		type postfix_master_t;
+		type postfix_local_t;
 	')
 
-	allow $1 postfix_master_t:fd use;
-	allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
+	kernel_search_proc($1)
+	ps_process_pattern($1, postfix_local_t)
 ')
 
 ########################################
 ## <summary>
-##	Read postfix master process state files.
+##	Allow domain to read postfix master process state
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',`
 	')
 
 	kernel_search_proc($1)
-	allow $1 postfix_master_t:dir list_dir_perms;
-	allow $1 postfix_master_t:file read_file_perms;
-	allow $1 postfix_master_t:lnk_file read_lnk_file_perms;
+	ps_process_pattern($1, postfix_master_t)
 ')
 
 ########################################
 ## <summary>
-##	Use postfix master file descriptors.
+##	Use postfix master process file
+##	file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',`
 		type postfix_map_t, postfix_map_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute postfix map in the postfix
-##	map domain, and allow the specified
-##	role the postfix_map domain.
+##	Execute postfix_map in the postfix_map domain, and
+##	allow the specified role the postfix_map domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',`
 #
 interface(`postfix_run_map',`
 	gen_require(`
-		attribute_role postfix_map_roles;
+		type postfix_map_t;
 	')
 
 	postfix_domtrans_map($1)
-	roleattribute $2 postfix_map_roles;
+	role $2 types postfix_map_t;
 ')
 
 ########################################
 ## <summary>
-##	Execute the master postfix program
-##	in the postfix_master domain.
+##	Execute the master postfix program in the
+##	postfix_master domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -380,16 +365,36 @@ interface(`postfix_run_map',`
 interface(`postfix_domtrans_master',`
 	gen_require(`
 		type postfix_master_t, postfix_master_exec_t;
+		attribute postfix_domain;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+    allow $1 postfix_master_exec_t:file map;
 ')
 
+
 ########################################
 ## <summary>
-##	Execute the master postfix program
-##	in the caller domain.
+##	Execute the master postfix in the postfix master domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_initrc_domtrans',`
+	gen_require(`
+		type postfix_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute the master postfix program in the
+##	caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -402,21 +407,18 @@ interface(`postfix_exec_master',`
 		type postfix_master_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, postfix_master_exec_t)
 ')
 
 #######################################
 ## <summary>
-##	Connect to postfix master process
-##	using a unix domain stream socket.
+##	Connect to postfix master process using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`postfix_stream_connect_master',`
 	gen_require(`
@@ -428,8 +430,7 @@ interface(`postfix_stream_connect_master',`
 
 ########################################
 ## <summary>
-##	Read and write postfix master
-##	unnamed pipes.  (Deprecated)
+##	Allow read/write postfix master pipes
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -437,15 +438,18 @@ interface(`postfix_stream_connect_master',`
 ##	</summary>
 ## </param>
 #
-interface(`postfix_rw_master_pipes',`
-	refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.')
-	postfix_rw_inherited_master_pipes($1)
+interface(`postfix_rw_inherited_master_pipes',`
+	gen_require(`
+		type postfix_master_t;
+	')
+
+	allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Execute the master postdrop in the
-##	postfix postdrop domain.
+##	postfix_postdrop domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -458,14 +462,14 @@ interface(`postfix_domtrans_postdrop',`
 		type postfix_postdrop_t, postfix_postdrop_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+    allow $1 postfix_postdrop_exec_t:file map;
 ')
 
 ########################################
 ## <summary>
 ##	Execute the master postqueue in the
-##	postfix postqueue domain.
+##	postfix_postqueue domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -478,30 +482,85 @@ interface(`postfix_domtrans_postqueue',`
 		type postfix_postqueue_t, postfix_postqueue_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Execute the master postqueue in
-##	the caller domain.  (Deprecated)
+##	Execute the master postqueue in the
+##	postfix_postdrop domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed the iptables domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+
+interface(`postfix_run_postqueue',`
+	gen_require(`
+		type postfix_postqueue_t;
+	')
+
+	postfix_domtrans_postqueue($1)
+	role $2 types postfix_postqueue_t;
+	allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
+')
+
+########################################
+## <summary>
+##	Execute postfix_postgqueue in the postfix_postgqueue domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_postgqueue',`
+    gen_require(`
+            type postfix_postgqueue_t;
+            type postfix_postgqueue_exec_t;
+    ')
+        domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
+')
+
+########################################
+## <summary>
+##	Execute postfix_postgqueue in the postfix_postgqueue domain, and
+##	allow the specified role the postfix_postgqueue domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`posftix_exec_postqueue',`
-	refpolicywarn(`$0($*) has been deprecated.')
-	postfix_exec_postqueue($1)
+interface(`postfix_run_postgqueue',`
+	gen_require(`
+		type postfix_postgqueue_t;
+	')
+
+	postfix_domtrans_postgqueue($1)
+	role $2 types postfix_postgqueue_t;
 ')
 
+
 #######################################
 ## <summary>
-##	Execute postfix postqueue in
-##	the caller domain.
+##	Execute the master postqueue in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -514,13 +573,12 @@ interface(`postfix_exec_postqueue',`
 		type postfix_postqueue_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, postfix_postqueue_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Create postfix private sock files.
+##	Create a named socket in a postfix private directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -533,13 +591,13 @@ interface(`postfix_create_private_sockets',`
 		type postfix_private_t;
 	')
 
+	allow $1 postfix_private_t:dir list_dir_perms;
 	create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	postfix private sock files.
+##	manage named socket in a postfix private directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -552,13 +610,14 @@ interface(`postfix_manage_private_sockets',`
 		type postfix_private_t;
 	')
 
+	allow $1 postfix_private_t:dir list_dir_perms;
 	manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the smtp postfix program
-##	in the postfix smtp domain.
+##	Execute the master postfix program in the
+##	postfix_master domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -571,14 +630,12 @@ interface(`postfix_domtrans_smtp',`
 		type postfix_smtp_t, postfix_smtp_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
 ')
 
 ########################################
 ## <summary>
-##	Get attributes of all postfix mail
-##	spool files.
+##	Getattr postfix mail spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -586,7 +643,7 @@ interface(`postfix_domtrans_smtp',`
 ##	</summary>
 ## </param>
 #
-interface(`postfix_getattr_all_spool_files',`
+interface(`postfix_getattr_spool_files',`
 	gen_require(`
 		attribute postfix_spool_type;
 	')
@@ -607,11 +664,11 @@ interface(`postfix_getattr_all_spool_files',`
 #
 interface(`postfix_search_spool',`
 	gen_require(`
-		type postfix_spool_t;
+		attribute postfix_spool_type;
 	')
 
+	allow $1 postfix_spool_type:dir search_dir_perms;
 	files_search_spool($1)
-	allow $1 postfix_spool_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -626,11 +683,11 @@ interface(`postfix_search_spool',`
 #
 interface(`postfix_list_spool',`
 	gen_require(`
-		type postfix_spool_t;
+		attribute postfix_spool_type;
 	')
 
+	allow $1 postfix_spool_type:dir list_dir_perms;
 	files_search_spool($1)
-	allow $1 postfix_spool_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -645,17 +702,16 @@ interface(`postfix_list_spool',`
 #
 interface(`postfix_read_spool_files',`
 	gen_require(`
-		type postfix_spool_t;
+		attribute postfix_spool_type;
 	')
 
 	files_search_spool($1)
-	read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+	read_files_pattern($1, postfix_spool_type, postfix_spool_type)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	postfix mail spool files.
+##	Create, read, write, and delete postfix mail spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -665,11 +721,50 @@ interface(`postfix_read_spool_files',`
 #
 interface(`postfix_manage_spool_files',`
 	gen_require(`
-		type postfix_spool_t;
+		attribute postfix_spool_type;
 	')
 
 	files_search_spool($1)
-	manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+	manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
+#######################################
+## <summary>
+##  Read, write, and delete postfix maildrop spool files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`postfix_rw_spool_maildrop_files',`
+    gen_require(`
+        type postfix_spool_maildrop_t;
+    ')
+
+    files_search_spool($1)
+    rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+')
+
+#######################################
+## <summary>
+##  Create, read, write, and delete postfix maildrop spool files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`postfix_manage_spool_maildrop_files',`
+    gen_require(`
+        type postfix_spool_maildrop_t;
+    ')
+
+    files_search_spool($1)
+    manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+    manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 ')
 
 ########################################
@@ -693,8 +788,8 @@ interface(`postfix_domtrans_user_mail_handler',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an postfix environment.
+##	All of the rules required to administrate
+##	an postfix environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -710,38 +805,137 @@ interface(`postfix_domtrans_user_mail_handler',`
 #
 interface(`postfix_admin',`
 	gen_require(`
-		attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
-		type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
-		type postfix_data_t, postfix_var_run_t, postfix_public_t;
-		type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
-		type postfix_keytab_t;
+		attribute postfix_spool_type;
+		type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
+		type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
+		type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
+		type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+		type postfix_smtpd_t, postfix_var_run_t;
+	')
+
+	allow $1 postfix_bounce_t:process signal_perms;
+	ps_process_pattern($1, postfix_bounce_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 postfix_bounce_t:process ptrace;
 	')
 
-	allow $1 postfix_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, postfix_domain)
+	allow $1 postfix_cleanup_t:process signal_perms;
+	ps_process_pattern($1, postfix_cleanup_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 postfix_cleanup_t:process ptrace;
+		allow $1 postfix_local_t:process ptrace;
+		allow $1 postfix_master_t:process ptrace;
+		allow $1 postfix_pickup_t:process ptrace;
+		allow $1 postfix_qmgr_t:process ptrace;
+		allow $1 postfix_smtpd_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+	allow $1 postfix_local_t:process signal_perms;
+	ps_process_pattern($1, postfix_local_t)
+
+	allow $1 postfix_master_t:process signal_perms;
+	ps_process_pattern($1, postfix_master_t)
+
+	allow $1 postfix_pickup_t:process signal_perms;
+	ps_process_pattern($1, postfix_pickup_t)
+
+	allow $1 postfix_qmgr_t:process signal_perms;
+	ps_process_pattern($1, postfix_qmgr_t)
+
+	allow $1 postfix_smtpd_t:process signal_perms;
+	ps_process_pattern($1, postfix_smtpd_t)
+
+	postfix_run_map($1, $2)
+	postfix_run_postdrop($1, $2)
+	postfix_run_postqueue($1, $2)
+
+	postfix_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 postfix_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
-	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+	admin_pattern($1, postfix_data_t) 
 
-	files_search_spool($1)
-	admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+	files_list_etc($1)
+	admin_pattern($1, postfix_etc_t)
 
-	files_search_var_lib($1)
-	admin_pattern($1, postfix_data_t)
+	files_list_spool($1)
+	admin_pattern($1, postfix_spool_type)
 
-	files_search_pids($1)
 	admin_pattern($1, postfix_var_run_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
+	files_list_tmp($1)
+	admin_pattern($1, postfix_map_tmp_t)
+	
+	admin_pattern($1, postfix_prng_t)
 
-	postfix_exec_master($1)
-	postfix_exec_postqueue($1)
-	postfix_stream_connect_master($1)
-	postfix_run_map($1, $2)
+	admin_pattern($1, postfix_public_t)
+
+	postfix_filetrans_named_content($1)
+')
+
+########################################
+## <summary>
+##	Execute the master postdrop in the
+##	postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed the iptables domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_run_postdrop',`
+	gen_require(`
+		type postfix_postdrop_t;
+	')
+
+	postfix_domtrans_postdrop($1)
+	role $2 types postfix_postdrop_t;
+	allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
+')
+
+
+########################################
+## <summary>
+##	Execute postfix exec in the users domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_exec',`
+	gen_require(`
+		type postfix_exec_t;
+	')
+
+	can_exec($1, postfix_exec_t)
+')
+
+########################################
+## <summary>
+##	Transition to postfix named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_filetrans_named_content',`
+	gen_require(`
+		type postfix_exec_t;
+		type postfix_prng_t;
+	')
+
+	postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
+	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 ')
diff --git a/postfix.te b/postfix.te
index 5cfb83eca2..921fcfe701 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether postfix local
-##	can manage mail spool content.
-##	</p>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+## </p>
 ## </desc>
 gen_tunable(postfix_local_write_mail_spool, true)
 
 attribute postfix_domain;
-attribute postfix_server_domain;
-attribute postfix_server_tmp_content;
 attribute postfix_spool_type;
 attribute postfix_user_domains;
+# domains that transition to the
+# postfix user domains
 attribute postfix_user_domtrans;
 
-attribute_role postfix_map_roles;
-roleattribute system_r postfix_map_roles;
-
 postfix_server_domain_template(bounce)
 
 type postfix_spool_bounce_t, postfix_spool_type;
-files_type(postfix_spool_bounce_t)
+files_spool_file(postfix_spool_bounce_t)
 
 postfix_server_domain_template(cleanup)
 
@@ -42,16 +38,19 @@ files_type(postfix_keytab_t)
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
 
+# Program for creating database files
 type postfix_map_t;
 type postfix_map_exec_t;
 application_domain(postfix_map_t, postfix_map_exec_t)
-role postfix_map_roles types postfix_map_t;
+role system_r types postfix_map_t;
 
 type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
 
 postfix_domain_template(master)
 typealias postfix_master_t alias postfix_t;
+# alias is a hack to make the disable trans bool
+# generation macro work
 mta_mailserver(postfix_t, postfix_master_exec_t)
 
 type postfix_initrc_exec_t;
@@ -63,6 +62,7 @@ postfix_server_domain_template(pipe)
 
 postfix_user_domain_template(postdrop)
 mta_mailserver_user_agent(postfix_postdrop_t)
+mta_agent_executable(postfix_postdrop_t)
 
 postfix_user_domain_template(postqueue)
 mta_mailserver_user_agent(postfix_postqueue_t)
@@ -83,13 +83,13 @@ mta_mailserver_sender(postfix_smtp_t)
 postfix_server_domain_template(smtpd)
 
 type postfix_spool_t, postfix_spool_type;
-files_type(postfix_spool_t)
+files_spool_file(postfix_spool_t)
 
-type postfix_spool_maildrop_t, postfix_spool_type;
-files_type(postfix_spool_maildrop_t)
+typealias postfix_spool_t alias postfix_spool_maildrop_t;
+files_spool_file(postfix_spool_maildrop_t)
 
-type postfix_spool_flush_t, postfix_spool_type;
-files_type(postfix_spool_flush_t)
+typealias postfix_spool_t alias postfix_spool_flush_t;
+files_spool_file(postfix_spool_flush_t)
 
 type postfix_public_t;
 files_type(postfix_public_t)
@@ -97,6 +97,7 @@ files_type(postfix_public_t)
 type postfix_var_run_t;
 files_pid_file(postfix_var_run_t)
 
+# the data_directory config parameter
 type postfix_data_t;
 files_type(postfix_data_t)
 
@@ -105,109 +106,23 @@ mta_mailserver_delivery(postfix_virtual_t)
 
 ########################################
 #
-# Common postfix domain local policy
-#
-
-allow postfix_domain self:capability { sys_nice sys_chroot };
-dontaudit postfix_domain self:capability sys_tty_config;
-allow postfix_domain self:process { signal_perms setpgid setsched };
-allow postfix_domain self:fifo_file rw_fifo_file_perms;
-allow postfix_domain self:unix_stream_socket { accept connectto listen };
-
-allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
-
-allow postfix_domain postfix_master_t:file read_file_perms;
-
-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
-
-allow postfix_domain postfix_master_t:process sigchld;
-
-allow postfix_domain postfix_spool_t:dir list_dir_perms;
-
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
-files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
-
-kernel_read_system_state(postfix_domain)
-kernel_read_network_state(postfix_domain)
-kernel_read_all_sysctls(postfix_domain)
-
-dev_read_sysfs(postfix_domain)
-dev_read_rand(postfix_domain)
-dev_read_urand(postfix_domain)
-
-fs_search_auto_mountpoints(postfix_domain)
-fs_getattr_all_fs(postfix_domain)
-fs_rw_anon_inodefs_files(postfix_domain)
-
-term_dontaudit_use_console(postfix_domain)
-
-corecmd_exec_shell(postfix_domain)
-
-files_read_etc_runtime_files(postfix_domain)
-files_read_usr_files(postfix_domain)
-files_search_spool(postfix_domain)
-files_getattr_tmp_dirs(postfix_domain)
-files_search_all_mountpoints(postfix_domain)
-
-init_dontaudit_use_fds(postfix_domain)
-init_sigchld(postfix_domain)
-
-logging_send_syslog_msg(postfix_domain)
-
-miscfiles_read_localization(postfix_domain)
-miscfiles_read_generic_certs(postfix_domain)
-
-userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
-
-optional_policy(`
-	udev_read_db(postfix_domain)
-')
-
-########################################
-#
-# Common postfix server domain local policy
+# Postfix master process local policy
 #
 
-allow postfix_server_domain self:capability { setuid setgid dac_override };
-
-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-corenet_all_recvfrom_unlabeled(postfix_server_domain)
-corenet_all_recvfrom_netlabel(postfix_server_domain)
-corenet_tcp_sendrecv_generic_if(postfix_server_domain)
-corenet_tcp_sendrecv_generic_node(postfix_server_domain)
-
-corenet_sendrecv_all_client_packets(postfix_server_domain)
-corenet_tcp_connect_all_ports(postfix_server_domain)
-corenet_tcp_sendrecv_all_ports(postfix_server_domain)
-
-########################################
-#
-# Common postfix user domain local policy
-#
-
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
-
-########################################
-#
-# Master local policy
-#
-
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+dontaudit postfix_master_t self:capability { net_admin };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_read_search dac_override kill setgid setuid net_bind_service sys_tty_config };
 allow postfix_master_t self:capability2 block_suspend;
+
 allow postfix_master_t self:process setrlimit;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
 
-allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;
-allow postfix_master_t postfix_domain:process signal;
-
 allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+
+can_exec(postfix_master_t, postfix_exec_t)
 
 allow postfix_master_t postfix_data_t:dir manage_dir_perms;
 allow postfix_master_t postfix_data_t:file manage_file_perms;
@@ -216,34 +131,36 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
 
 allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
 
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 
 allow postfix_master_t postfix_prng_t:file rw_file_perms;
 
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+allow postfix_master_t postfix_cleanup_exec_t:file map;
+allow postfix_master_t postfix_showq_exec_t:file map;
+allow postfix_master_t postfix_smtp_exec_t:file map;
+
+# allow access to deferred queue and allow removing bogus incoming entries
 manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
 files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
 
 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
 allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
 
 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
 
 create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -253,16 +170,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
 
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-
-can_exec(postfix_master_t, postfix_exec_t)
-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+kernel_read_all_sysctls(postfix_master_t)
 
-corenet_all_recvfrom_unlabeled(postfix_master_t)
 corenet_all_recvfrom_netlabel(postfix_master_t)
 corenet_tcp_sendrecv_generic_if(postfix_master_t)
 corenet_udp_sendrecv_generic_if(postfix_master_t)
@@ -270,50 +179,47 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
 corenet_udp_sendrecv_generic_node(postfix_master_t)
 corenet_tcp_sendrecv_all_ports(postfix_master_t)
 corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
 corenet_tcp_bind_generic_node(postfix_master_t)
-
-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
 corenet_tcp_bind_amavisd_send_port(postfix_master_t)
-
-corenet_sendrecv_smtp_server_packets(postfix_master_t)
 corenet_tcp_bind_smtp_port(postfix_master_t)
-
-corenet_sendrecv_spamd_server_packets(postfix_master_t)
-corenet_tcp_bind_spamd_port(postfix_master_t)
-
-corenet_sendrecv_all_client_packets(postfix_master_t)
 corenet_tcp_connect_all_ports(postfix_master_t)
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
+corenet_sendrecv_all_client_packets(postfix_master_t)
+# for spampd
+corenet_tcp_bind_spamd_port(postfix_master_t)
 
-# Can this be conditional?
-corenet_sendrecv_all_server_packets(postfix_master_t)
-corenet_udp_bind_all_unreserved_ports(postfix_master_t)
-corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
-
+# for a find command
 selinux_dontaudit_search_fs(postfix_master_t)
 
+corecmd_exec_shell(postfix_master_t)
 corecmd_exec_bin(postfix_master_t)
 
 domain_use_interactive_fds(postfix_master_t)
 
+files_search_var_lib(postfix_master_t)
 files_search_tmp(postfix_master_t)
 
-mcs_file_read_all(postfix_master_t)
 
-term_dontaudit_search_ptys(postfix_master_t)
+init_stream_connect(postfix_master_t)
 
-miscfiles_read_man_pages(postfix_master_t)
+term_dontaudit_search_ptys(postfix_master_t)
 
 seutil_sigchld_newrole(postfix_master_t)
-seutil_dontaudit_search_config(postfix_master_t)
 
-mta_manage_aliases(postfix_master_t)
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
+mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 mta_getattr_spool(postfix_master_t)
 
+ifdef(`distro_redhat',`
+	# for newer main.cf that uses /etc/aliases
+	mta_manage_aliases(postfix_master_t)
+	mta_etc_filetrans_aliases(postfix_master_t)
+')
+
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
 ')
@@ -323,14 +229,6 @@ optional_policy(`
 	kerberos_use(postfix_master_t)
 ')
 
-optional_policy(`
-	mailman_manage_data_files(postfix_master_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(postfix_master_t)
-')
-
 optional_policy(`
 	postgrey_search_spool(postfix_master_t)
 ')
@@ -341,12 +239,14 @@ optional_policy(`
 
 ########################################
 #
-# Bounce local policy
+# Postfix bounce local policy
 #
 
 allow postfix_bounce_t self:capability dac_read_search;
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
 
-write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)
+allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
 
 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -363,74 +263,89 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
 
 ########################################
 #
-# Cleanup local policy
+# Postfix cleanup local policy
 #
 
 allow postfix_cleanup_t self:process setrlimit;
-
 allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
-
-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
+# connect to master process
 stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
 
 rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
 write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
 
 manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
 manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
 files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
 
+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
 
 corecmd_exec_bin(postfix_cleanup_t)
 
-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
-corenet_tcp_connect_kismet_port(postfix_cleanup_t)
-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
-
-mta_read_aliases(postfix_cleanup_t)
+# allow postfix to connect to sqlgrey
+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
 
 optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')
 
+optional_policy(`
+	milter_stream_connect_all(postfix_cleanup_t)
+')
+
 ########################################
 #
-# Local local policy
+# Postfix local local policy
 #
 
-allow postfix_local_t self:capability chown;
-allow postfix_local_t self:process setrlimit;
+allow postfix_local_t self:process { setsched setrlimit };
 
+# connect to master process
 stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
 
+# for .forward - maybe we need a new type for it?
 rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
-
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
 domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
 
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_local_t)
 corecmd_exec_bin(postfix_local_t)
 
 logging_dontaudit_search_logs(postfix_local_t)
 
 mta_delete_spool(postfix_local_t)
-mta_read_aliases(postfix_local_t)
-mta_read_config(postfix_local_t)
+# Handle vacation script
 mta_send_mail(postfix_local_t)
 
+userdom_read_user_home_content_files(postfix_local_t)
+userdom_exec_user_bin_files(postfix_local_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_exec_nfs_files(postfix_local_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_exec_cifs_files(postfix_local_t)
+')
+
 tunable_policy(`postfix_local_write_mail_spool',`
 	mta_manage_spool(postfix_local_t)
 ')
 
 optional_policy(`
-	clamav_search_lib(postfix_local_t)
-	clamav_exec_clamscan(postfix_local_t)
+	antivirus_search_db(postfix_local_t)
+	antivirus_exec(postfix_local_t)
+	antivirus_stream_connect(postfix_domain)
 ')
 
 optional_policy(`
@@ -442,15 +357,24 @@ optional_policy(`
 ')
 
 optional_policy(`
+#	for postalias
 	mailman_manage_data_files(postfix_local_t)
 	mailman_append_log(postfix_local_t)
 	mailman_read_log(postfix_local_t)
 ')
 
+optional_policy(`
+    munin_search_lib(postfix_local_t)
+')
+
 optional_policy(`
 	nagios_search_spool(postfix_local_t)
 ')
 
+optional_policy(`
+	openshift_search_lib(postfix_local_t)
+')
+
 optional_policy(`
 	procmail_domtrans(postfix_local_t)
 ')
@@ -466,15 +390,17 @@ optional_policy(`
 
 ########################################
 #
-# Map local policy
+# Postfix map local policy
 #
+allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+allow postfix_map_t self:udp_socket create_socket_perms;
 
-allow postfix_map_t self:capability { dac_override setgid setuid };
-allow postfix_map_t self:tcp_socket { accept listen };
-
-allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
 
 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
 manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
@@ -484,14 +410,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
 kernel_dontaudit_read_system_state(postfix_map_t)
 
-corenet_all_recvfrom_unlabeled(postfix_map_t)
 corenet_all_recvfrom_netlabel(postfix_map_t)
 corenet_tcp_sendrecv_generic_if(postfix_map_t)
+corenet_udp_sendrecv_generic_if(postfix_map_t)
 corenet_tcp_sendrecv_generic_node(postfix_map_t)
-
-corenet_sendrecv_all_client_packets(postfix_map_t)
-corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_udp_sendrecv_generic_node(postfix_map_t)
 corenet_tcp_sendrecv_all_ports(postfix_map_t)
+corenet_udp_sendrecv_all_ports(postfix_map_t)
+corenet_tcp_connect_all_ports(postfix_map_t)
+corenet_sendrecv_all_client_packets(postfix_map_t)
 
 corecmd_list_bin(postfix_map_t)
 corecmd_read_bin_symlinks(postfix_map_t)
@@ -500,7 +427,6 @@ corecmd_read_bin_pipes(postfix_map_t)
 corecmd_read_bin_sockets(postfix_map_t)
 
 files_list_home(postfix_map_t)
-files_read_usr_files(postfix_map_t)
 files_read_etc_runtime_files(postfix_map_t)
 files_dontaudit_search_var(postfix_map_t)
 
@@ -508,21 +434,24 @@ auth_use_nsswitch(postfix_map_t)
 
 logging_send_syslog_msg(postfix_map_t)
 
-miscfiles_read_localization(postfix_map_t)
-
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
 
 optional_policy(`
+#	for postalias
 	mailman_manage_data_files(postfix_map_t)
 ')
 
 ########################################
 #
-# Pickup local policy
+# Postfix pickup local policy
 #
 
+dontaudit postfix_pickup_t self:capability net_admin;
+
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
 
 rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -532,21 +461,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
 
+postfix_list_spool(postfix_pickup_t)
+
 allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
 ########################################
 #
-# Pipe local policy
+# Postfix pipe local policy
 #
 
 allow postfix_pipe_t self:process setrlimit;
 
 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
 
 write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
 
@@ -556,6 +485,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
 
 corecmd_exec_bin(postfix_pipe_t)
 
+optional_policy(`
+    cyrus_stream_connect(postfix_pipe_t)
+')
+
 optional_policy(`
 	dovecot_domtrans_deliver(postfix_pipe_t)
 ')
@@ -584,19 +517,28 @@ optional_policy(`
 
 ########################################
 #
-# Postdrop local policy
+# Postfix postdrop local policy
 #
 
+# usually it does not need a UDP socket
 allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+# Might be a leak, but I need a postfix expert to explain
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
 
 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
 
-manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rw_fifo_files_pattern(postfix_postdrop_t, postfix_master_t, postfix_master_t)
 
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+postfix_list_spool(postfix_postdrop_t)
+manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
 
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
@@ -611,10 +553,7 @@ optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')
 
-optional_policy(`
-	fail2ban_dontaudit_use_fds(postfix_postdrop_t)
-')
-
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
 optional_policy(`
 	fstools_read_pipes(postfix_postdrop_t)
 ')
@@ -629,17 +568,24 @@ optional_policy(`
 
 #######################################
 #
-# Postqueue local policy
+# Postfix postqueue local policy
 #
 
+allow postfix_postqueue_t self:capability2 block_suspend;
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
 stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
 
+# write to /var/spool/postfix/public/qmgr
 write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
 
 domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
 
-term_use_all_ptys(postfix_postqueue_t)
-term_use_all_ttys(postfix_postqueue_t)
+# to write the mailq output, it really should not need read access!
+term_use_all_inherited_ptys(postfix_postqueue_t)
+term_use_all_inherited_ttys(postfix_postqueue_t)
 
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
@@ -655,69 +601,84 @@ optional_policy(`
 
 ########################################
 #
-# Qmgr local policy
+# Postfix qmgr local policy
 #
 
-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+dontaudit postfix_qmgr_t self:capability { net_admin };
 
 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
 rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
 
-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
+# for /var/spool/postfix/active
 manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
 manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
 files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
 corecmd_exec_bin(postfix_qmgr_t)
 
 ########################################
 #
-# Showq local policy
+# Postfix showq local policy
 #
 
 allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
 
 allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
 
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+postfix_list_spool(postfix_showq_t)
+
 allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
-allow postfix_showq_t postfix_spool_t:file read_file_perms;
-
-mcs_file_read_all(postfix_showq_t)
-
+# to write the mailq output, it really should not need read access!
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
+optional_policy(`
+    logwatch_dontaudit_leaks(postfix_showq_t)
+')
+
 ########################################
 #
-# Smtp delivery local policy
+# Postfix smtp delivery local policy
 #
 
+# connect to master process
 allow postfix_smtp_t self:capability sys_chroot;
-
 stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
 
 rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
 corenet_tcp_bind_generic_node(postfix_smtp_t)
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
+
+files_search_all_mountpoints(postfix_smtp_t)
 
 optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
 
 optional_policy(`
-	dovecot_stream_connect(postfix_smtp_t)
+    dovecot_stream_connect(postfix_smtp_t)
 ')
 
 optional_policy(`
@@ -730,28 +691,32 @@ optional_policy(`
 
 ########################################
 #
-# Smtpd local policy
+# Postfix smtpd local policy
 #
-
 allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
 
+# connect to master process
 stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
+# Connect to policy server
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+
+# for prng_exch
 manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
 manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
 allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
 
-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t)
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t)
-
 corecmd_exec_bin(postfix_smtpd_t)
 
+# for OpenSSL certificates
+
+# postfix checks the size of all mounted file systems
 fs_getattr_all_dirs(postfix_smtpd_t)
-fs_getattr_all_fs(postfix_smtpd_t)
 
-mta_read_aliases(postfix_smtpd_t)
+optional_policy(`
+    antivirus_stream_connect(postfix_smtpd_t)
+')
 
 optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
@@ -764,6 +729,7 @@ optional_policy(`
 
 optional_policy(`
 	milter_stream_connect_all(postfix_smtpd_t)
+	spamassassin_read_pid_files(postfix_smtpd_t)
 ')
 
 optional_policy(`
@@ -774,31 +740,105 @@ optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
 
-optional_policy(`
-	spamassassin_read_spamd_pid_files(postfix_smtpd_t)
-	spamassassin_stream_connect_spamd(postfix_smtpd_t)
-')
-
 ########################################
 #
-# Virtual local policy
+# Postfix virtual local policy
 #
 
-allow postfix_virtual_t self:process setrlimit;
+allow postfix_virtual_t self:process { setsched setrlimit };
 
-allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)
 
+# connect to master process
 stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
+corecmd_exec_shell(postfix_virtual_t)
 corecmd_exec_bin(postfix_virtual_t)
 
-mta_read_aliases(postfix_virtual_t)
 mta_delete_spool(postfix_virtual_t)
-mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
 
 userdom_manage_user_home_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
-userdom_manage_user_home_content_files(postfix_virtual_t)
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_filetrans_home_content(postfix_virtual_t)
+
+########################################
+#
+# postfix_domain common policy
+#
+allow postfix_domain self:capability { sys_nice sys_chroot };
+dontaudit postfix_domain self:capability sys_tty_config;
+allow postfix_domain self:process { signal_perms setpgid setsched };
+allow postfix_domain self:unix_dgram_socket create_socket_perms;
+allow postfix_domain self:unix_stream_socket create_stream_socket_perms;
+allow postfix_domain self:unix_stream_socket connectto;
+allow postfix_domain self:fifo_file rw_fifo_file_perms;
+
+allow postfix_master_t postfix_domain:fifo_file { read write };
+allow postfix_master_t postfix_domain:process signal;
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+allow postfix_domain postfix_master_t:file read;
+allow postfix_domain postfix_etc_t:dir list_dir_perms;
+read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
+read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
+
+allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
+
+allow postfix_domain postfix_pickup_exec_t:file map;
+allow postfix_domain postfix_qmgr_exec_t:file map;
+
+allow postfix_domain postfix_master_t:process sigchld;
+
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
+
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+
+kernel_read_network_state(postfix_domain)
+kernel_read_all_sysctls(postfix_domain)
+kernel_dontaudit_request_load_module(postfix_domain)
+
+dev_read_sysfs(postfix_domain)
+dev_read_rand(postfix_domain)
+dev_read_urand(postfix_domain)
+
+fs_search_auto_mountpoints(postfix_domain)
+fs_getattr_all_fs(postfix_domain)
+fs_rw_anon_inodefs_files(postfix_domain)
+
+term_dontaudit_use_console(postfix_domain)
+
+corecmd_exec_shell(postfix_domain)
+corecmd_getattr_all_executables(postfix_domain)
+
+files_read_etc_runtime_files(postfix_domain)
+files_read_usr_symlinks(postfix_domain)
+files_search_spool(postfix_domain)
+files_list_tmp(postfix_domain)
+files_search_all_mountpoints(postfix_domain)
+
+init_dontaudit_use_fds(postfix_domain)
+init_sigchld(postfix_domain)
+init_dontaudit_rw_stream_socket(postfix_domain)
+
+# For reading spamassasin
+mta_read_config(postfix_domain)
+mta_read_aliases(postfix_domain)
+
+miscfiles_read_generic_certs(postfix_domain)
+
+userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
+
+optional_policy(`
+	mysql_stream_connect(postfix_domain)
+    mysql_rw_db_sockets(postfix_domain)
+')
+
+optional_policy(`
+	spamd_stream_connect(postfix_domain)
+	spamassassin_domtrans_client(postfix_domain)
+')
+
+optional_policy(`
+	udev_read_db(postfix_domain)
+')
diff --git a/postfixpolicyd.if b/postfixpolicyd.if
index 5de817368f..985b877ab9 100644
--- a/postfixpolicyd.if
+++ b/postfixpolicyd.if
@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
 		type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
 	')
 
-	allow $1 postfix_policyd_t:process { ptrace signal_perms };
+	allow $1 postfix_policyd_t:process signal_perms;
 	ps_process_pattern($1, postfix_policyd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 postfix_policyd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
index ea1582a3a9..0c1a05983c 100644
--- a/postfixpolicyd.te
+++ b/postfixpolicyd.te
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
 files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 
-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
 corenet_tcp_bind_generic_node(postfix_policyd_t)
@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
 corenet_tcp_bind_mysqld_port(postfix_policyd_t)
 corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
 
-files_read_etc_files(postfix_policyd_t)
-files_read_usr_files(postfix_policyd_t)
 
 logging_send_syslog_msg(postfix_policyd_t)
 
-miscfiles_read_localization(postfix_policyd_t)
-
 sysnet_dns_name_resolve(postfix_policyd_t)
diff --git a/postgrey.if b/postgrey.if
index b9e71b5373..a7502cd0e7 100644
--- a/postgrey.if
+++ b/postgrey.if
@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',`
 		type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
 	')
 
+	stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
 	files_search_pids($1)
 	files_search_spool($1)
-	stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
 ')
 
 ########################################
@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',`
 #
 interface(`postgrey_admin',`
 	gen_require(`
-		type postgrey_t, postgrey_etc_t, postgrey_spool_t;
-		type postgrey_var_lib_t, postgrey_var_run_t;
-		type postgrey_initrc_exec_t;
+		type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
+		type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
 	')
 
-	allow $1 postgrey_t:process { ptrace signal_perms };
+	allow $1 postgrey_t:process signal_perms;
 	ps_process_pattern($1, postgrey_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 postgrey_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
index fd58805e54..fbb01fc232 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
 init_script_file(postgrey_initrc_exec_t)
 
 type postgrey_spool_t;
-files_type(postgrey_spool_t)
+files_spool_file(postgrey_spool_t)
 
 type postgrey_var_lib_t;
 files_type(postgrey_var_lib_t)
@@ -29,7 +29,7 @@ files_pid_file(postgrey_var_run_t)
 # Local policy
 #
 
-allow postgrey_t self:capability { chown dac_override setgid setuid };
+allow postgrey_t self:capability { chown dac_read_search dac_override setgid setuid };
 dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:fifo_file create_fifo_file_perms;
@@ -43,6 +43,7 @@ manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
+allow postgrey_t postgrey_spool_t:file map;
 
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
@@ -55,9 +56,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)
 
-corecmd_search_bin(postgrey_t)
+auth_use_nsswitch(postgrey_t)
+
+corecmd_exec_bin(postgrey_t)
 
-corenet_all_recvfrom_unlabeled(postgrey_t)
 corenet_all_recvfrom_netlabel(postgrey_t)
 corenet_tcp_sendrecv_generic_if(postgrey_t)
 corenet_tcp_sendrecv_generic_node(postgrey_t)
@@ -72,17 +74,15 @@ dev_read_sysfs(postgrey_t)
 
 domain_use_interactive_fds(postgrey_t)
 
-files_read_etc_files(postgrey_t)
 files_read_etc_runtime_files(postgrey_t)
-files_read_usr_files(postgrey_t)
 files_getattr_tmp_dirs(postgrey_t)
 
 fs_getattr_all_fs(postgrey_t)
 fs_search_auto_mountpoints(postgrey_t)
 
-logging_send_syslog_msg(postgrey_t)
+auth_read_passwd(postgrey_t)
 
-miscfiles_read_localization(postgrey_t)
+logging_send_syslog_msg(postgrey_t)
 
 sysnet_read_config(postgrey_t)
 
diff --git a/ppp.fc b/ppp.fc
index efcb6532d3..ff2c96adb5 100644
--- a/ppp.fc
+++ b/ppp.fc
@@ -1,30 +1,45 @@
-HOME_DIR/\.ppprc	--	gen_context(system_u:object_r:ppp_home_t,s0)
+#
+# /etc
+#
+/etc/rc\.d/init\.d/ppp		--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 
-/etc/rc\.d/init\.d/ppp	--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/ppp			-d	gen_context(system_u:object_r:pppd_etc_t,s0)
+/etc/ppp(/.*)?			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/peers(/.*)?			gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+/etc/ppp/.*secrets		--	gen_context(system_u:object_r:pppd_secret_t,s0)
+/etc/ppp/resolv\.conf 		--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) --	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 
-/etc/ppp	-d	gen_context(system_u:object_r:pppd_etc_t,s0)
-/etc/ppp(/.*)?	--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/peers(/.*)?	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/.*secrets	--	gen_context(system_u:object_r:pppd_secret_t,s0)
-/etc/ppp/resolv\.conf	--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/usr/lib/systemd/system/ppp.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 
-/sbin/ppp-watch	--	gen_context(system_u:object_r:pppd_exec_t,s0)
-/sbin/pppoe-server	--	gen_context(system_u:object_r:pppd_exec_t,s0)
+/root/.ppprc			--	gen_context(system_u:object_r:pppd_etc_t,s0)
 
-/usr/sbin/ipppd	--	gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/ppp-watch	--	gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pppd	--	gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pppoe-server	--	gen_context(system_u:object_r:pppd_exec_t,s0)
-/usr/sbin/pptp	--	gen_context(system_u:object_r:pptp_exec_t,s0)
+#
+# /sbin
+#
+/sbin/pppoe-server      --  gen_context(system_u:object_r:pppd_exec_t,s0)
+/sbin/ppp-watch		--  gen_context(system_u:object_r:pppd_exec_t,s0)
 
-/var/lock/ppp(/.*)?	gen_context(system_u:object_r:pppd_lock_t,s0)
-
-/var/log/ppp-connect-errors.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/ppp/.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
-/var/log/pptp.*	--	gen_context(system_u:object_r:pptp_log_t,s0)
+#
+# /usr
+#
+/usr/sbin/ipppd			--	gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/ppp-watch		--	gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppd			--	gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppoe-server		--	gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pptp 			--	gen_context(system_u:object_r:pptp_exec_t,s0)
 
+#
+# /var
+#
 /var/run/(i)?ppp.*pid[^/]*	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
 /var/run/pppd[0-9]*\.tdb	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/ppp(/.*)?	gen_context(system_u:object_r:pppd_var_run_t,s0)
-/var/run/pptp(/.*)?	gen_context(system_u:object_r:pptp_var_run_t,s0)
+/var/run/ppp(/.*)?			gen_context(system_u:object_r:pppd_var_run_t,s0)
+# Fix pptp sockets
+/var/run/pptp(/.*)?			gen_context(system_u:object_r:pptp_var_run_t,s0)
+
+/var/lock/ppp(/.*)?		gen_context(system_u:object_r:pppd_lock_t,s0)
+
+/var/log/ppp-connect-errors.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)?	gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/ppp.if b/ppp.if
index cd8b8b9cbd..ad8424ba33 100644
--- a/ppp.if
+++ b/ppp.if
@@ -1,110 +1,91 @@
-## <summary>Point to Point Protocol daemon creates links in ppp networks.</summary>
+## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
 
-########################################
-## <summary>
-##	Role access for ppp.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`ppp_role',`
-	refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
+#######################################
 ## <summary>
-##	Create, read, write, and delete
-##	ppp home files.
+##  Create, read, write, and delete
+##  ppp home files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`ppp_manage_home_files',`
-	gen_require(`
-		type ppp_home_t;
-	')
+    gen_require(`
+        type ppp_home_t;
+    ')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 ppp_home_t:file manage_file_perms;
+    userdom_search_user_home_dirs($1)
+    allow $1 ppp_home_t:file manage_file_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Read ppp user home content files.
+##  Read ppp user home content files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`ppp_read_home_files',`
-	gen_require(`
-		type ppp_home_t;
+    gen_require(`
+        type ppp_home_t;
 
-	')
+    ')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 ppp_home_t:file read_file_perms;
+    userdom_search_user_home_dirs($1)
+    allow $1 ppp_home_t:file read_file_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Relabel ppp home files.
+##  Relabel ppp home files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`ppp_relabel_home_files',`
-	gen_require(`
-		type ppp_home_t;
-	')
+    gen_require(`
+        type ppp_home_t;
+    ')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 ppp_home_t:file relabel_file_perms;
+    userdom_search_user_home_dirs($1)
+    allow $1 ppp_home_t:file relabel_file_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Create objects in user home
-##	directories with the ppp home type.
+##  Create objects in user home
+##  directories with the ppp home type.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 ## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
+##  <summary>
+##  Class of the object being created.
+##  </summary>
 ## </param>
 ## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
+##  <summary>
+##  The name of the object being created.
+##  </summary>
 ## </param>
 #
 interface(`ppp_home_filetrans_ppp_home',`
-	gen_require(`
-		type ppp_home_t;
-	')
+    gen_require(`
+        type ppp_home_t;
+    ')
 
-	userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
+    userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
 ')
 
 ########################################
@@ -128,7 +109,7 @@ interface(`ppp_use_fds',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to inherit
-##	and use ppp file discriptors.
+##	and use PPP file discriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Send child terminated signals to ppp.
+##	Send a SIGCHLD signal to PPP.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -165,7 +146,7 @@ interface(`ppp_sigchld',`
 
 ########################################
 ## <summary>
-##	Send kill signals to ppp.
+##	Send ppp a kill signal
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -173,7 +154,6 @@ interface(`ppp_sigchld',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`ppp_kill',`
 	gen_require(`
 		type pppd_t;
@@ -184,7 +164,7 @@ interface(`ppp_kill',`
 
 ########################################
 ## <summary>
-##	Send generic signals to ppp.
+##	Send a generic signal to PPP.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -202,7 +182,7 @@ interface(`ppp_signal',`
 
 ########################################
 ## <summary>
-##	Send null signals to ppp.
+##	Send a generic signull to PPP.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -220,7 +200,7 @@ interface(`ppp_signull',`
 
 ########################################
 ## <summary>
-##	 Execute pppd in the pppd domain.
+##	 Execute domain in the ppp domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -239,8 +219,7 @@ interface(`ppp_domtrans',`
 
 ########################################
 ## <summary>
-##	Conditionally execute pppd on
-##	behalf of a user or staff type.
+##	 Conditionally execute ppp daemon on behalf of a user or staff type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -249,7 +228,7 @@ interface(`ppp_domtrans',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to allow the ppp domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -268,8 +247,7 @@ interface(`ppp_run_cond',`
 
 ########################################
 ## <summary>
-##	Unconditionally execute ppp daemon
-##	on behalf of a user or staff type.
+##	 Unconditionally execute ppp daemon on behalf of a user or staff type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -278,7 +256,7 @@ interface(`ppp_run_cond',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to allow the ppp domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -294,7 +272,7 @@ interface(`ppp_run',`
 
 ########################################
 ## <summary>
-##	 Execute domain in the caller domain.
+##	 Execute domain in the ppp caller.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -326,13 +304,13 @@ interface(`ppp_read_config',`
 		type pppd_etc_t;
 	')
 
-	files_search_etc($1)
 	read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+	files_search_etc($1)
 ')
 
 ########################################
 ## <summary>
-##	Read ppp writable configuration content.
+##	Read PPP-writable configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',`
 		type pppd_etc_t, pppd_etc_rw_t;
 	')
 
-	files_search_etc($1)
-	allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;
+	allow $1 pppd_etc_t:dir list_dir_perms;
 	allow $1 pppd_etc_rw_t:file read_file_perms;
-	allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms;
+	files_search_etc($1)
 ')
 
 ########################################
 ## <summary>
-##	Read ppp secret files.
+##	Read PPP secrets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',`
 		type pppd_etc_t, pppd_secret_t;
 	')
 
-	files_search_etc($1)
 	allow $1 pppd_etc_t:dir list_dir_perms;
 	allow $1 pppd_secret_t:file read_file_perms;
-	allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
+	files_search_etc($1)
 ')
 
 ########################################
 ## <summary>
-##	Read ppp pid files.
+##	Read PPP pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',`
 	')
 
 	files_search_pids($1)
-	allow $1 pppd_var_run_t:file read_file_perms;
+	read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	ppp pid files.
+##	Create, read, write, and delete PPP pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',`
 	')
 
 	files_search_pids($1)
-	allow $1 pppd_var_run_t:file manage_file_perms;
+	manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Create specified pppd pid objects
-##	with a type transition.
+##	Create, read, write, and delete PPP pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
 interface(`ppp_pid_filetrans',`
 	gen_require(`
 		type pppd_var_run_t;
 	')
 
-	files_pid_filetrans($1, pppd_var_run_t, $2, $3)
+	files_pid_filetrans($1, pppd_var_run_t, file)
 ')
 
 ########################################
 ## <summary>
-##	Execute pppd init script in
-##	the initrc domain.
+##	Execute ppp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -461,31 +424,82 @@ interface(`ppp_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an ppp environment.
+##	Execute pppd server in the pppd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`ppp_systemctl',`
+	gen_require(`
+		type pppd_unit_file_t;
+		type pppd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 pppd_unit_file_t:file read_file_perms;
+	allow $1 pppd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, pppd_t)
+')
+
+
+########################################
+## <summary>
+##	Transition to ppp named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`ppp_filetrans_named_content',`
+    gen_require(`
+        type pppd_lock_t;
+    ')
+
+    files_lock_filetrans($1, pppd_lock_t, dir, "ppp")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ppp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
 ## <rolecap/>
 #
 interface(`ppp_admin',`
 	gen_require(`
 		type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
-		type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t;
-		type pppd_var_run_t, pppd_initrc_exec_t;
+		type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
 		type pptp_t, pptp_log_t, pptp_var_run_t;
+		type pppd_initrc_exec_t, pppd_etc_rw_t;
+		type pppd_unit_file_t;
+	')
+
+	allow $1 pppd_t:process signal_perms;
+	ps_process_pattern($1, pppd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 pppd_t:process ptrace;
+		allow $1 pptp_t:process ptrace;
 	')
 
-	allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { pptp_t pppd_t })
+	allow $1 pptp_t:process signal_perms;
+	ps_process_pattern($1, pptp_t)
 
 	ppp_initrc_domtrans($1)
 	domain_system_change_exemption($1)
@@ -496,14 +510,26 @@ interface(`ppp_admin',`
 	admin_pattern($1, pppd_tmp_t)
 
 	logging_list_logs($1)
-	admin_pattern($1, { pptp_log_t pppd_log_t })
+	admin_pattern($1, pppd_log_t)
 
 	files_list_locks($1)
 	admin_pattern($1, pppd_lock_t)
 
 	files_list_etc($1)
-	admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t })
+	admin_pattern($1, pppd_etc_t)
+
+	admin_pattern($1, pppd_etc_rw_t)
+
+	admin_pattern($1, pppd_secret_t)
 
 	files_list_pids($1)
-	admin_pattern($1, { pptp_var_run_t pppd_var_run_t })
+	admin_pattern($1, pppd_var_run_t)
+
+	admin_pattern($1, pptp_log_t)
+
+	admin_pattern($1, pptp_var_run_t)
+
+	ppp_systemctl($1)
+	admin_pattern($1, pppd_unit_file_t)
+	allow $1 pppd_unit_file_t:service all_service_perms;
 ')
diff --git a/ppp.te b/ppp.te
index d616ca3e38..7910fb8895 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether pppd can
-##	load kernel modules.
-##	</p>
+## <p>
+## Allow pppd to load kernel modules for certain modems
+## </p>
 ## </desc>
 gen_tunable(pppd_can_insmod, false)
 
 ## <desc>
-##	<p>
-##	Determine whether common users can
-##	run pppd with a domain transition.
-##	</p>
+## <p>
+## Allow pppd to be run for a regular user
+## </p>
 ## </desc>
 gen_tunable(pppd_for_user, false)
 
 attribute_role pppd_roles;
-attribute_role pptp_roles;
 
+# pppd_t is the domain for the pppd program.
+# pppd_exec_t is the type of the pppd executable.
 type pppd_t;
 type pppd_exec_t;
 init_daemon_domain(pppd_t, pppd_exec_t)
 role pppd_roles types pppd_t;
+role system_r types pppd_t;
 
 type pppd_devpts_t;
 term_pty(pppd_devpts_t)
 
+# Define a separate type for /etc/ppp
 type pppd_etc_t;
 files_config_file(pppd_etc_t)
 
+# Define a separate type for writable files under /etc/ppp
 type pppd_etc_rw_t;
 files_type(pppd_etc_rw_t)
 
 type pppd_initrc_exec_t alias pppd_script_exec_t;
 init_script_file(pppd_initrc_exec_t)
 
+type pppd_unit_file_t;
+systemd_unit_file(pppd_unit_file_t)
+
+# pppd_secret_t is the type of the pap and chap password files
 type pppd_secret_t;
 files_type(pppd_secret_t)
 
@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t)
 type pptp_t;
 type pptp_exec_t;
 init_daemon_domain(pptp_t, pptp_exec_t)
-role pptp_roles types pptp_t;
+#role pppd_roles types pptp_t;
+role system_r types pptp_t;
 
 type pptp_log_t;
 logging_log_file(pptp_log_t)
@@ -67,54 +74,61 @@ logging_log_file(pptp_log_t)
 type pptp_var_run_t;
 files_pid_file(pptp_var_run_t)
 
-type ppp_home_t;
-userdom_user_home_content(ppp_home_t)
-
 ########################################
 #
-# PPPD local policy
+# PPPD Local policy
 #
 
-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search dac_override sys_nice sys_chroot };
 dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched setsched signal };
+dontaudit pppd_t self:capability2 block_suspend;
+allow pppd_t self:process { getsched setsched signal_perms };
 allow pppd_t self:fifo_file rw_fifo_file_perms;
 allow pppd_t self:socket create_socket_perms;
-allow pppd_t self:netlink_route_socket nlmsg_write;
-allow pppd_t self:tcp_socket { accept listen };
+allow pppd_t self:unix_dgram_socket create_socket_perms;
+allow pppd_t self:unix_stream_socket { connectto create_socket_perms };
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow pppd_t self:tcp_socket create_stream_socket_perms;
+allow pppd_t self:udp_socket { connect connected_socket_perms };
 allow pppd_t self:packet_socket create_socket_perms;
 
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+
 allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 
 allow pppd_t pppd_etc_t:dir rw_dir_perms;
-allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
 allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+# Automatically label newly created files under /etc/ppp with this type
 filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
 
-allow pppd_t pppd_lock_t:file manage_file_perms;
-files_lock_filetrans(pppd_t, pppd_lock_t, file)
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+files_lock_filetrans(pppd_t, pppd_lock_t, dir)
+files_search_locks(pppd_t)
 
-allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
 logging_log_filetrans(pppd_t, pppd_log_t, file)
 
 manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
 manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
-files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
 
 manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
 manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
 files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
-
-can_exec(pppd_t, pppd_exec_t)
-
-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+allow pppd_t pppd_var_run_t:file map;
 
 allow pppd_t pptp_t:process signal;
 
+# for SSP
+# Access secret files
 allow pppd_t pppd_secret_t:file read_file_perms;
 
+ppp_initrc_domtrans(pppd_t)
+
 kernel_read_kernel_sysctls(pppd_t)
 kernel_read_system_state(pppd_t)
 kernel_rw_net_sysctls(pppd_t)
@@ -122,10 +136,10 @@ kernel_read_network_state(pppd_t)
 kernel_request_load_module(pppd_t)
 
 dev_read_urand(pppd_t)
+dev_search_sysfs(pppd_t)
 dev_read_sysfs(pppd_t)
 dev_rw_modem(pppd_t)
 
-corenet_all_recvfrom_unlabeled(pppd_t)
 corenet_all_recvfrom_netlabel(pppd_t)
 corenet_tcp_sendrecv_generic_if(pppd_t)
 corenet_raw_sendrecv_generic_if(pppd_t)
@@ -135,9 +149,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
 corenet_udp_sendrecv_generic_node(pppd_t)
 corenet_tcp_sendrecv_all_ports(pppd_t)
 corenet_udp_sendrecv_all_ports(pppd_t)
-
+corenet_tcp_connect_http_port(pppd_t)
+# Access /dev/ppp.
 corenet_rw_ppp_dev(pppd_t)
 
+fs_getattr_all_fs(pppd_t)
+fs_search_auto_mountpoints(pppd_t)
+
+term_use_unallocated_ttys(pppd_t)
+term_use_usb_ttys(pppd_t)
+term_setattr_unallocated_ttys(pppd_t)
+term_ioctl_generic_ptys(pppd_t)
+# for pppoe
+term_create_pty(pppd_t, pppd_devpts_t)
+term_use_generic_ptys(pppd_t)
+
+# allow running ip-up and ip-down scripts and running chat.
 corecmd_exec_bin(pppd_t)
 corecmd_exec_shell(pppd_t)
 
@@ -147,36 +174,31 @@ files_exec_etc_files(pppd_t)
 files_manage_etc_runtime_files(pppd_t)
 files_dontaudit_write_etc_files(pppd_t)
 
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
+# for scripts
 
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t)
-
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
 init_read_utmp(pppd_t)
-init_signal_script(pppd_t)
 init_dontaudit_write_utmp(pppd_t)
+init_signal_script(pppd_t)
 
-auth_run_chk_passwd(pppd_t, pppd_roles)
 auth_use_nsswitch(pppd_t)
+auth_domtrans_chk_passwd(pppd_t)
+#auth_run_chk_passwd(pppd_t,pppd_roles)
 auth_write_login_records(pppd_t)
 
 logging_send_syslog_msg(pppd_t)
 logging_send_audit_msgs(pppd_t)
 
-miscfiles_read_localization(pppd_t)
-
 sysnet_exec_ifconfig(pppd_t)
 sysnet_manage_config(pppd_t)
 sysnet_etc_filetrans_config(pppd_t)
+sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")
 
-userdom_use_user_terminals(pppd_t)
+userdom_use_inherited_user_terminals(pppd_t)
 userdom_dontaudit_use_unpriv_user_fds(pppd_t)
 userdom_search_user_home_dirs(pppd_t)
+userdom_search_admin_dir(pppd_t)
+
+ppp_exec(pppd_t)
 
 optional_policy(`
 	ddclient_run(pppd_t, pppd_roles)
@@ -186,11 +208,13 @@ optional_policy(`
 	l2tpd_dgram_send(pppd_t)
 	l2tpd_rw_socket(pppd_t)
 	l2tpd_stream_connect(pppd_t)
+    l2tpd_read_pid_files(pppd_t)
+    l2tpd_dbus_chat(pppd_t)
 ')
 
 optional_policy(`
 	tunable_policy(`pppd_can_insmod',`
-		modutils_domtrans_insmod(pppd_t)
+		modutils_domtrans_insmod_uncond(pppd_t)
 	')
 ')
 
@@ -218,16 +242,19 @@ optional_policy(`
 
 ########################################
 #
-# PPTP local policy
+# PPTP Local policy
 #
 
 allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
 dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:process signal;
 allow pptp_t self:fifo_file rw_fifo_file_perms;
-allow pptp_t self:unix_stream_socket { accept connectto listen };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:netlink_route_socket nlmsg_write;
+allow pptp_t self:tcp_socket create_socket_perms;
+allow pptp_t self:udp_socket create_socket_perms;
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow pptp_t pppd_etc_t:dir list_dir_perms;
 allow pptp_t pppd_etc_t:file read_file_perms;
@@ -236,45 +263,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
 allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
 allow pptp_t pppd_etc_rw_t:file read_file_perms;
 allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
 
+# Allow pptp to append to pppd log files
 allow pptp_t pppd_log_t:file append_file_perms;
 
-allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow pptp_t pptp_log_t:file manage_file_perms;
 logging_log_filetrans(pptp_t, pptp_log_t, file)
 
+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
 manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
 manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
-
-can_exec(pptp_t, pppd_etc_rw_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
 
+kernel_list_proc(pptp_t)
 kernel_read_kernel_sysctls(pptp_t)
 kernel_read_network_state(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
 kernel_read_system_state(pptp_t)
 kernel_signal(pptp_t)
 
+dev_read_sysfs(pptp_t)
+
 corecmd_exec_shell(pptp_t)
 corecmd_read_bin_symlinks(pptp_t)
 
-corenet_all_recvfrom_unlabeled(pptp_t)
 corenet_all_recvfrom_netlabel(pptp_t)
 corenet_tcp_sendrecv_generic_if(pptp_t)
 corenet_raw_sendrecv_generic_if(pptp_t)
 corenet_tcp_sendrecv_generic_node(pptp_t)
 corenet_raw_sendrecv_generic_node(pptp_t)
 corenet_tcp_sendrecv_all_ports(pptp_t)
-
-corenet_tcp_connect_all_reserved_ports(pptp_t)
+corenet_tcp_bind_generic_node(pptp_t)
 corenet_tcp_connect_generic_port(pptp_t)
+corenet_tcp_connect_all_reserved_ports(pptp_t)
 corenet_sendrecv_generic_client_packets(pptp_t)
-
-corenet_sendrecv_pptp_client_packets(pptp_t)
 corenet_tcp_connect_pptp_port(pptp_t)
 
-dev_read_sysfs(pptp_t)
-
-domain_use_interactive_fds(pptp_t)
-
 fs_getattr_all_fs(pptp_t)
 fs_search_auto_mountpoints(pptp_t)
 
@@ -282,12 +307,12 @@ term_ioctl_generic_ptys(pptp_t)
 term_search_ptys(pptp_t)
 term_use_ptmx(pptp_t)
 
+domain_use_interactive_fds(pptp_t)
+
 auth_use_nsswitch(pptp_t)
 
 logging_send_syslog_msg(pptp_t)
 
-miscfiles_read_localization(pptp_t)
-
 sysnet_exec_ifconfig(pptp_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -298,6 +323,10 @@ optional_policy(`
 	consoletype_exec(pppd_t)
 ')
 
+optional_policy(`
+    gnome_dontaudit_search_config(pppd_t)
+')
+
 optional_policy(`
 	dbus_system_domain(pppd_t, pppd_exec_t)
 
diff --git a/prelink.fc b/prelink.fc
index a90d6231f5..62af9a4a03 100644
--- a/prelink.fc
+++ b/prelink.fc
@@ -1,11 +1,11 @@
 /etc/cron\.daily/prelink	--	gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
 
-/etc/prelink\.cache	--	gen_context(system_u:object_r:prelink_cache_t,s0)
+/etc/prelink\.cache		--	gen_context(system_u:object_r:prelink_cache_t,s0)
 
 /usr/sbin/prelink(\.bin)?	--	gen_context(system_u:object_r:prelink_exec_t,s0)
 
-/var/log/prelink\.log.*	--	gen_context(system_u:object_r:prelink_log_t,s0)
-/var/log/prelink(/.*)?	gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink\.log.*		--	gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)?			gen_context(system_u:object_r:prelink_log_t,s0)
 
-/var/lib/misc/prelink.*	--	gen_context(system_u:object_r:prelink_var_lib_t,s0)
-/var/lib/prelink(/.*)?	gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/misc/prelink.*		--	gen_context(system_u:object_r:prelink_var_lib_t,s0)
+/var/lib/prelink(/.*)?			gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/prelink.if b/prelink.if
index 20d469793f..e6605c1008 100644
--- a/prelink.if
+++ b/prelink.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Execute prelink in the prelink domain.
+##	Execute the prelink program in the prelink domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -18,15 +18,15 @@ interface(`prelink_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, prelink_exec_t, prelink_t)
 
-	ifdef(`hide_broken_symptoms',`
+	ifdef(`hide_broken_symptoms', `
 		dontaudit prelink_t $1:socket_class_set { read write };
-		dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
+		dontaudit prelink_t $1:fifo_file setattr;
 	')
 ')
 
 ########################################
 ## <summary>
-##	Execute prelink in the caller domain.
+##	Execute the prelink program in the current domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -45,9 +45,7 @@ interface(`prelink_exec',`
 
 ########################################
 ## <summary>
-##	Execute prelink in the prelink
-##	domain, and allow the specified role
-##	the prelink domain.
+##	Execute the prelink program in the prelink domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -56,18 +54,18 @@ interface(`prelink_exec',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to allow the prelink domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`prelink_run',`
 	gen_require(`
-		attribute_role prelink_roles;
+		type prelink_t;
 	')
 
 	prelink_domtrans($1)
-	roleattribute $2 prelink_roles;
+	role $2 types prelink_t;
 ')
 
 ########################################
@@ -80,6 +78,7 @@ interface(`prelink_run',`
 ##	</summary>
 ## </param>
 #
+# cjp: added for misc non-entrypoint objects
 interface(`prelink_object_file',`
 	gen_require(`
 		attribute prelink_object;
@@ -90,7 +89,7 @@ interface(`prelink_object_file',`
 
 ########################################
 ## <summary>
-##	Read prelink cache files.
+##	Read the prelink cache.
 ## </summary>
 ## <param name="file_type">
 ##	<summary>
@@ -109,7 +108,7 @@ interface(`prelink_read_cache',`
 
 ########################################
 ## <summary>
-##	Delete prelink cache files.
+##	Delete the prelink cache.
 ## </summary>
 ## <param name="file_type">
 ##	<summary>
@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',`
 		type prelink_cache_t;
 	')
 
+	allow $1 prelink_cache_t:file unlink;
 	files_rw_etc_dirs($1)
-	allow $1 prelink_cache_t:file delete_file_perms;
 ')
 
 ########################################
@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',`
 
 ########################################
 ## <summary>
-##	Relabel from prelink lib files.
+##	Relabel from files in the /boot directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',`
 
 ########################################
 ## <summary>
-##	Relabel prelink lib files.
+##	Relabel from files in the /boot directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',`
 	files_search_var_lib($1)
 	relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Transition to prelink named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prelink_filetrans_named_content',`
+	gen_require(`
+		type prelink_cache_t;
+	')
+
+	files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
index 8e262163b3..6facb34654 100644
--- a/prelink.te
+++ b/prelink.te
@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
 
 attribute prelink_object;
 
-attribute_role prelink_roles;
-
 type prelink_t;
 type prelink_exec_t;
 init_system_domain(prelink_t, prelink_exec_t)
 domain_obj_id_change_exemption(prelink_t)
-role prelink_roles types prelink_t;
 
 type prelink_cache_t;
 files_type(prelink_cache_t)
@@ -40,31 +37,34 @@ files_type(prelink_var_lib_t)
 # Local policy
 #
 
-allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
+allow prelink_t self:capability { chown dac_read_search dac_override fowner fsetid setfcap sys_resource };
 allow prelink_t self:process { execheap execmem execstack signal };
 allow prelink_t self:fifo_file rw_fifo_file_perms;
 
 allow prelink_t prelink_cache_t:file manage_file_perms;
 files_etc_filetrans(prelink_t, prelink_cache_t, file)
 
-allow prelink_t prelink_log_t:dir setattr_dir_perms;
+allow prelink_t prelink_log_t:dir setattr;
 create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
 append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
 read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
 logging_log_filetrans(prelink_t, prelink_log_t, file)
 
-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
 files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
 
-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
 fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
 
 manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
 manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
 relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
 files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+files_search_var_lib(prelink_t)
 
-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms };
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
 
 kernel_read_system_state(prelink_t)
 kernel_read_kernel_sysctls(prelink_t)
@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t)
 corecmd_read_bin_symlinks(prelink_t)
 
 dev_read_urand(prelink_t)
+dev_getattr_all_chr_files(prelink_t)
 
-files_getattr_all_files(prelink_t)
 files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
 files_manage_usr_files(prelink_t)
 files_manage_var_files(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
 files_relabelfrom_usr_files(prelink_t)
-files_search_var_lib(prelink_t)
-files_write_non_security_dirs(prelink_t)
-files_dontaudit_read_all_symlinks(prelink_t)
 
-fs_getattr_all_fs(prelink_t)
-fs_search_auto_mountpoints(prelink_t)
-
-selinux_get_enforce_mode(prelink_t)
+fs_getattr_xattr_fs(prelink_t)
 
 storage_getattr_fixed_disk_dev(prelink_t)
 
+selinux_get_enforce_mode(prelink_t)
+
 libs_exec_ld_so(prelink_t)
 libs_legacy_use_shared_libs(prelink_t)
 libs_manage_ld_so(prelink_t)
@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t)
 libs_relabel_shared_libs(prelink_t)
 libs_delete_lib_symlinks(prelink_t)
 
-miscfiles_read_localization(prelink_t)
 
-userdom_use_user_terminals(prelink_t)
-userdom_manage_user_home_content_files(prelink_t)
-# pending
-# userdom_relabel_user_home_content_files(prelink_t)
-# userdom_execmod_user_home_content_files(prelink_t)
+userdom_use_inherited_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
+userdom_relabel_user_home_files(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
 userdom_exec_user_home_content_files(prelink_t)
 
-ifdef(`hide_broken_symptoms',`
-	miscfiles_read_man_pages(prelink_t)
+systemd_read_unit_files(prelink_t)
 
-	optional_policy(`
-		dbus_read_config(prelink_t)
-	')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_exec_nfs_files(prelink_t)
-	fs_manage_nfs_files(prelink_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_exec_cifs_files(prelink_t)
-	fs_manage_cifs_files(prelink_t)
-')
+term_use_all_inherited_terms(prelink_t)
 
 optional_policy(`
 	amanda_manage_lib(prelink_t)
@@ -138,11 +120,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_dontaudit_read_config(prelink_t)
 	gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
 ')
 
 optional_policy(`
-	mozilla_manage_plugin_rw_files(prelink_t)
+	mozilla_plugin_manage_rw_files(prelink_t)
 ')
 
 optional_policy(`
@@ -155,17 +138,18 @@ optional_policy(`
 
 ########################################
 #
-# Cron system local policy
+# Prelink Cron system Policy
 #
 
 optional_policy(`
 	allow prelink_cron_system_t self:capability setuid;
 	allow prelink_cron_system_t self:process { setsched setfscreate signal };
 	allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
-	allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
+	allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
 
 	read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
-	allow prelink_cron_system_t prelink_cache_t:file delete_file_perms;
+	allow prelink_cron_system_t prelink_cache_t:file unlink;
+	files_delete_etc_dir_entry(prelink_cron_system_t)
 
 	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
 	allow prelink_cron_system_t prelink_t:process noatsecure;
@@ -174,7 +158,7 @@ optional_policy(`
 
 	manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
 	files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
-	allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms;
+	allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
 
 	kernel_read_system_state(prelink_cron_system_t)
 
@@ -184,23 +168,36 @@ optional_policy(`
 	dev_list_sysfs(prelink_cron_system_t)
 	dev_read_sysfs(prelink_cron_system_t)
 
-	files_rw_etc_dirs(prelink_cron_system_t)
 	files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+	files_search_var_lib(prelink_cron_system_t)
+	files_dontaudit_list_non_security(prelink_cron_system_t)
+
+	fs_search_cgroup_dirs(prelink_cron_system_t)
 
 	auth_use_nsswitch(prelink_cron_system_t)
 
 	init_telinit(prelink_cron_system_t)
 	init_exec(prelink_cron_system_t)
+	init_reload_services(prelink_cron_system_t)
 
 	libs_exec_ld_so(prelink_cron_system_t)
 
 	logging_search_logs(prelink_cron_system_t)
 
-	miscfiles_read_localization(prelink_cron_system_t)
+	init_stream_connect(prelink_cron_system_t)
+
 
 	cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
 
+	userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
+
 	optional_policy(`
 		rpm_read_db(prelink_cron_system_t)
 	')
 ')
+
+ifdef(`hide_broken_symptoms', `
+	optional_policy(`
+	      dbus_read_config(prelink_t)
+	')
+')
diff --git a/prelude.fc b/prelude.fc
index 8dbc763724..b580f852b4 100644
--- a/prelude.fc
+++ b/prelude.fc
@@ -12,7 +12,7 @@
 
 /usr/sbin/audisp-prelude	--	gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
 
-/usr/share/prewikka/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)?	gen_context(system_u:object_r:prewikka_script_exec_t,s0)
 
 /var/lib/prelude-lml(/.*)?	gen_context(system_u:object_r:prelude_var_lib_t,s0)
 
diff --git a/prelude.if b/prelude.if
index c83a838d76..f41a4f7dd9 100644
--- a/prelude.if
+++ b/prelude.if
@@ -1,13 +1,13 @@
-## <summary>Prelude hybrid intrusion detection system.</summary>
+## <summary>Prelude hybrid intrusion detection system</summary>
 
 ########################################
 ## <summary>
 ##	Execute a domain transition to run prelude.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`prelude_domtrans',`
@@ -15,19 +15,17 @@ interface(`prelude_domtrans',`
 		type prelude_t, prelude_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, prelude_exec_t, prelude_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run prelude audisp.
+##	Execute a domain transition to run prelude_audisp.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`prelude_domtrans_audisp',`
@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',`
 		type prelude_audisp_t, prelude_audisp_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
 ')
 
 ########################################
 ## <summary>
-##	Send generic signals to prelude audisp.
+##	Signal the prelude_audisp domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+## <summary>
+##	Domain allowed acccess.
+## </summary>
 ## </param>
 #
 interface(`prelude_signal_audisp',`
@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',`
 
 ########################################
 ## <summary>
-##	Read prelude spool files.
+##	Read the prelude spool files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -78,13 +75,12 @@ interface(`prelude_read_spool',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	prelude manager spool files.
+##	Manage to prelude-manager spool files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`prelude_manage_spool',`
@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an prelude environment.
+##	All of the rules required to administrate 
+##	an prelude environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',`
 #
 interface(`prelude_admin',`
 	gen_require(`
-		type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
-		type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
-		type prelude_audisp_t, prelude_audisp_var_run_t;
-		type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+		type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
+		type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
+		type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
+		type prelude_lml_t;
 	')
 
-	allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
+	allow $1 prelude_t:process signal_perms;
+	ps_process_pattern($1, prelude_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 prelude_t:process ptrace;
+		allow $1 prelude_audisp_t:process ptrace;
+		allow $1 prelude_lml_t:process ptrace;
+	')
+
+	allow $1 prelude_audisp_t:process signal_perms;
+	ps_process_pattern($1, prelude_audisp_t)
+
+	allow $1 prelude_lml_t:process signal_perms;
+	ps_process_pattern($1, prelude_lml_t)
 
 	init_labeled_script_domtrans($1, prelude_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 prelude_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_spool($1)
+	files_list_spool($1)
 	admin_pattern($1, prelude_spool_t)
 
-	logging_search_logs($1)
-	admin_pattern($1, prelude_log_t)
-
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, prelude_var_lib_t)
 
-	files_search_pids($1)
-	admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
+	files_list_pids($1)
+	admin_pattern($1, prelude_var_run_t)
+	admin_pattern($1, prelude_audisp_var_run_t)
+	admin_pattern($1, prelude_lml_var_run_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, prelude_lml_tmp_t)
 ')
diff --git a/prelude.te b/prelude.te
index 8f44609286..dd70653563 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
 init_script_file(prelude_initrc_exec_t)
 
 type prelude_spool_t;
-files_type(prelude_spool_t)
+files_spool_file(prelude_spool_t)
 
 type prelude_log_t;
 logging_log_file(prelude_log_t)
@@ -54,7 +54,7 @@ files_pid_file(prelude_lml_var_run_t)
 # Prelude local policy
 #
 
-allow prelude_t self:capability { dac_override sys_tty_config };
+allow prelude_t self:capability { dac_read_search dac_override sys_tty_config };
 allow prelude_t self:fifo_file rw_fifo_file_perms;
 allow prelude_t self:unix_stream_socket { accept listen };
 allow prelude_t self:tcp_socket { accept listen };
@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t)
 
 corecmd_search_bin(prelude_t)
 
-corenet_all_recvfrom_unlabeled(prelude_t)
 corenet_all_recvfrom_netlabel(prelude_t)
 corenet_tcp_sendrecv_generic_if(prelude_t)
 corenet_tcp_sendrecv_generic_node(prelude_t)
@@ -97,7 +96,6 @@ dev_read_rand(prelude_t)
 dev_read_urand(prelude_t)
 
 files_read_etc_runtime_files(prelude_t)
-files_read_usr_files(prelude_t)
 files_search_spool(prelude_t)
 files_search_tmp(prelude_t)
 
@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t)
 logging_send_audit_msgs(prelude_t)
 logging_send_syslog_msg(prelude_t)
 
-miscfiles_read_localization(prelude_t)
-
 optional_policy(`
 	mysql_stream_connect(prelude_t)
 	mysql_tcp_connect(prelude_t)
@@ -125,7 +121,7 @@ optional_policy(`
 # Audisp local policy
 #
 
-allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
+allow prelude_audisp_t self:capability { dac_read_search dac_override ipc_lock setpcap };
 allow prelude_audisp_t self:process { getcap setcap };
 allow prelude_audisp_t self:fifo_file rw_fifo_file_perms;
 allow prelude_audisp_t self:unix_stream_socket { accept listen };
@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t)
 
 corecmd_search_bin(prelude_audisp_t)
 
-corenet_all_recvfrom_unlabeled(prelude_audisp_t)
 corenet_all_recvfrom_netlabel(prelude_audisp_t)
 corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
 corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t)
 
 domain_use_interactive_fds(prelude_audisp_t)
 
-files_read_etc_files(prelude_audisp_t)
 files_read_etc_runtime_files(prelude_audisp_t)
 files_search_spool(prelude_audisp_t)
 files_search_tmp(prelude_audisp_t)
 
 logging_send_syslog_msg(prelude_audisp_t)
 
-miscfiles_read_localization(prelude_audisp_t)
-
 sysnet_dns_name_resolve(prelude_audisp_t)
 
 ########################################
@@ -171,7 +163,7 @@ sysnet_dns_name_resolve(prelude_audisp_t)
 # Correlator local policy
 #
 
-allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:capability { dac_read_search dac_override };
 allow prelude_correlator_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)
@@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t)
 
 corecmd_search_bin(prelude_correlator_t)
 
-corenet_all_recvfrom_unlabeled(prelude_correlator_t)
 corenet_all_recvfrom_netlabel(prelude_correlator_t)
 corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
 corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
 dev_read_rand(prelude_correlator_t)
 dev_read_urand(prelude_correlator_t)
 
-files_read_etc_files(prelude_correlator_t)
-files_read_usr_files(prelude_correlator_t)
 files_search_spool(prelude_correlator_t)
 
 logging_send_syslog_msg(prelude_correlator_t)
 
-miscfiles_read_localization(prelude_correlator_t)
-
 sysnet_dns_name_resolve(prelude_correlator_t)
 
 ########################################
@@ -211,7 +198,9 @@ sysnet_dns_name_resolve(prelude_correlator_t)
 # Lml local declarations
 #
 
-allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:capability { dac_read_search dac_override };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
 allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
 allow prelude_lml_t self:unix_stream_socket connectto;
 
@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t)
 logging_send_syslog_msg(prelude_lml_t)
 logging_read_generic_logs(prelude_lml_t)
 
-miscfiles_read_localization(prelude_lml_t)
-
 userdom_read_all_users_state(prelude_lml_t)
 
 optional_policy(`
@@ -278,27 +265,28 @@ optional_policy(`
 
 optional_policy(`
 	apache_content_template(prewikka)
+	apache_content_alias_template(prewikka, prewikka)
 
-	can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+	can_exec(prewikka_script_t, prewikka_script_exec_t)
 
-	files_search_tmp(httpd_prewikka_script_t)
+	files_search_tmp(prewikka_script_t)
 
-	kernel_read_sysctl(httpd_prewikka_script_t)
-	kernel_search_network_sysctl(httpd_prewikka_script_t)
+	kernel_read_sysctl(prewikka_script_t)
+	kernel_search_network_sysctl(prewikka_script_t)
 
-	auth_use_nsswitch(httpd_prewikka_script_t)
+	auth_use_nsswitch(prewikka_script_t)
 
-	logging_send_syslog_msg(httpd_prewikka_script_t)
+	logging_send_syslog_msg(prewikka_script_t)
 
-	apache_search_sys_content(httpd_prewikka_script_t)
+	apache_search_sys_content(prewikka_script_t)
 
 	optional_policy(`
-		mysql_stream_connect(httpd_prewikka_script_t)
-		mysql_tcp_connect(httpd_prewikka_script_t)
+		mysql_stream_connect(prewikka_script_t)
+		mysql_tcp_connect(prewikka_script_t)
 	')
 
 	optional_policy(`
-		postgresql_stream_connect(httpd_prewikka_script_t)
-		postgresql_tcp_connect(httpd_prewikka_script_t)
+		postgresql_stream_connect(prewikka_script_t)
+		postgresql_tcp_connect(prewikka_script_t)
 	')
 ')
diff --git a/privoxy.if b/privoxy.if
index bdcee30f54..34f3143441 100644
--- a/privoxy.if
+++ b/privoxy.if
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
 		type privoxy_etc_rw_t, privoxy_var_run_t;
 	')
 
-	allow $1 privoxy_t:process { ptrace signal_perms };
+	allow $1 privoxy_t:process signal_perms;
 	ps_process_pattern($1, privoxy_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 privoxy_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/privoxy.te b/privoxy.te
index ec21f80d77..a9f650a1f3 100644
--- a/privoxy.te
+++ b/privoxy.te
@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
 corenet_tcp_sendrecv_tor_port(privoxy_t)
 
+
 dev_read_sysfs(privoxy_t)
 
 domain_use_interactive_fds(privoxy_t)
@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t)
 
 logging_send_syslog_msg(privoxy_t)
 
-miscfiles_read_localization(privoxy_t)
-
 userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
 userdom_dontaudit_search_user_home_dirs(privoxy_t)
 
diff --git a/procmail.fc b/procmail.fc
index bdff6c931f..4b36a13de3 100644
--- a/procmail.fc
+++ b/procmail.fc
@@ -1,6 +1,7 @@
-HOME_DIR/\.procmailrc	--	gen_context(system_u:object_r:procmail_home_t,s0)
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
 
 /usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
 
-/var/log/procmail\.log.*	--	gen_context(system_u:object_r:procmail_log_t,s0)
-/var/log/procmail(/.*)?	gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail\.log.* --	gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)?		gen_context(system_u:object_r:procmail_log_t,s0) 
diff --git a/procmail.if b/procmail.if
index 00edeab17d..cb6c0edbfd 100644
--- a/procmail.if
+++ b/procmail.if
@@ -1,4 +1,4 @@
-## <summary>Procmail mail delivery agent.</summary>
+## <summary>Procmail mail delivery agent</summary>
 
 ########################################
 ## <summary>
@@ -15,8 +15,11 @@ interface(`procmail_domtrans',`
 		type procmail_exec_t, procmail_t;
 	')
 
+	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, procmail_exec_t, procmail_t)
+
+    allow $1 procmail_exec_t:file map;
 ')
 
 ########################################
@@ -34,101 +37,33 @@ interface(`procmail_exec',`
 		type procmail_exec_t;
 	')
 
+	files_search_usr($1)
 	corecmd_search_bin($1)
 	can_exec($1, procmail_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	procmail home files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`procmail_manage_home_files',`
-	gen_require(`
-		type procmail_home_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	allow $1 procmail_home_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Read procmail user home content files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`procmail_read_home_files',`
-	gen_require(`
-		type procmail_home_t;
-
-	')
-
-	userdom_search_user_home_dirs($1)
-	allow $1 procmail_home_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel procmail home files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`procmail_relabel_home_files',`
-	gen_require(`
-		type ppp_home_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	allow $1 procmail_home_t:file relabel_file_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in user home
-##	directories with the procmail home type.
+##	Read procmail tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`procmail_home_filetrans_procmail_home',`
+interface(`procmail_read_tmp_files',`
 	gen_require(`
-		type procmail_home_t;
+		type procmail_tmp_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3)
+	files_search_tmp($1)
+	allow $1 procmail_tmp_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read procmail tmp files.
+##	Read/write procmail tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -136,18 +71,18 @@ interface(`procmail_home_filetrans_procmail_home',`
 ##	</summary>
 ## </param>
 #
-interface(`procmail_read_tmp_files',`
+interface(`procmail_rw_tmp_files',`
 	gen_require(`
 		type procmail_tmp_t;
 	')
 
 	files_search_tmp($1)
-	allow $1 procmail_tmp_t:file read_file_perms;
+	rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write procmail tmp files.
+##	Read procmail home directory content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -155,11 +90,11 @@ interface(`procmail_read_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`procmail_rw_tmp_files',`
+interface(`procmail_read_home_files',`
 	gen_require(`
-		type procmail_tmp_t;
+		type procmail_home_t;
 	')
 
-	files_search_tmp($1)
-	rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+	userdom_search_user_home_dirs($1)
+	read_files_pattern($1, procmail_home_t, procmail_home_t)
 ')
diff --git a/procmail.te b/procmail.te
index cc426e62ad..91a1f537eb 100644
--- a/procmail.te
+++ b/procmail.te
@@ -14,7 +14,7 @@ type procmail_home_t;
 userdom_user_home_content(procmail_home_t)
 
 type procmail_log_t;
-logging_log_file(procmail_log_t)
+logging_log_file(procmail_log_t) 
 
 type procmail_tmp_t;
 files_tmp_file(procmail_tmp_t)
@@ -24,13 +24,17 @@ files_tmp_file(procmail_tmp_t)
 # Local policy
 #
 
-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search dac_override };
 allow procmail_t self:process { setsched signal signull };
 allow procmail_t self:fifo_file rw_fifo_file_perms;
-allow procmail_t self:tcp_socket { accept listen };
+allow procmail_t self:unix_stream_socket create_socket_perms;
+allow procmail_t self:unix_dgram_socket create_socket_perms;
+allow procmail_t self:tcp_socket create_stream_socket_perms;
+allow procmail_t self:udp_socket create_socket_perms;
 
-allow procmail_t procmail_home_t:file read_file_perms;
+can_exec(procmail_t, procmail_exec_t)
 
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
 allow procmail_t procmail_log_t:dir setattr_dir_perms;
 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
 append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
@@ -40,83 +44,98 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
 allow procmail_t procmail_tmp_t:file manage_file_perms;
 files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
 
-can_exec(procmail_t, procmail_exec_t)
-
+kernel_read_network_state(procmail_t)
 kernel_read_system_state(procmail_t)
 kernel_read_kernel_sysctls(procmail_t)
 
-corenet_all_recvfrom_unlabeled(procmail_t)
 corenet_all_recvfrom_netlabel(procmail_t)
 corenet_tcp_sendrecv_generic_if(procmail_t)
+corenet_udp_sendrecv_generic_if(procmail_t)
 corenet_tcp_sendrecv_generic_node(procmail_t)
-
-corenet_sendrecv_spamd_client_packets(procmail_t)
+corenet_udp_sendrecv_generic_node(procmail_t)
+corenet_tcp_sendrecv_all_ports(procmail_t)
+corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_generic_node(procmail_t)
 corenet_tcp_connect_spamd_port(procmail_t)
-corenet_tcp_sendrecv_spamd_port(procmail_t)
-
+corenet_sendrecv_spamd_client_packets(procmail_t)
 corenet_sendrecv_comsat_client_packets(procmail_t)
-corenet_tcp_connect_comsat_port(procmail_t)
-corenet_tcp_sendrecv_comsat_port(procmail_t)
-
-corecmd_exec_bin(procmail_t)
-corecmd_exec_shell(procmail_t)
 
+dev_read_rand(procmail_t)
 dev_read_urand(procmail_t)
 
-fs_getattr_all_fs(procmail_t)
+fs_getattr_xattr_fs(procmail_t)
 fs_search_auto_mountpoints(procmail_t)
 fs_rw_anon_inodefs_files(procmail_t)
 
 auth_use_nsswitch(procmail_t)
 
+corecmd_exec_bin(procmail_t)
+corecmd_exec_shell(procmail_t)
+
 files_read_etc_runtime_files(procmail_t)
-files_read_usr_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
 
-logging_send_syslog_msg(procmail_t)
+application_exec_all(procmail_t)
 
-miscfiles_read_localization(procmail_t)
+init_read_utmp(procmail_t)
 
+logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
+
+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
 userdom_search_user_home_dirs(procmail_t)
+userdom_search_admin_dir(procmail_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(procmail_t)
-	fs_manage_nfs_files(procmail_t)
-	fs_manage_nfs_symlinks(procmail_t)
-')
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(procmail_t)
+userdom_manage_user_home_content_files(procmail_t)
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_filetrans_home_content(procmail_t)
+
+userdom_manage_user_tmp_dirs(procmail_t)
+userdom_manage_user_tmp_files(procmail_t)
+userdom_manage_user_tmp_symlinks(procmail_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(procmail_t)
-	fs_manage_cifs_files(procmail_t)
-	fs_manage_cifs_symlinks(procmail_t)
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
+
+mta_manage_spool(procmail_t)
+mta_read_queue(procmail_t)
+
+ifdef(`hide_broken_symptoms',`
+	mta_dontaudit_rw_queue(procmail_t)
 ')
 
+userdom_home_manager(procmail_t)
+
 optional_policy(`
-	clamav_domtrans_clamscan(procmail_t)
-	clamav_search_lib(procmail_t)
+	antivirus_domtrans(procmail_t)
+	antivirus_search_db(procmail_t)
 ')
 
 optional_policy(`
-	cyrus_stream_connect(procmail_t)
+	dovecot_stream_connect(procmail_t)
+	dovecot_read_config(procmail_t)
 ')
 
 optional_policy(`
-	mta_manage_spool(procmail_t)
-	mta_read_config(procmail_t)
-	mta_read_queue(procmail_t)
-	mta_manage_mail_home_rw_content(procmail_t)
-	mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
-	mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
+	cyrus_stream_connect(procmail_t)
 ')
 
 optional_policy(`
-	munin_dontaudit_search_lib(procmail_t)
+	gnome_manage_data(procmail_t)
 ')
 
 optional_policy(`
-	nagios_search_spool(procmail_t)
+	munin_dontaudit_search_lib(procmail_t)
 ')
 
 optional_policy(`
+	# for a bug in the postfix local program
 	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
 	postfix_dontaudit_use_fds(procmail_t)
 	postfix_read_spool_files(procmail_t)
@@ -125,12 +144,19 @@ optional_policy(`
 	postfix_rw_inherited_master_pipes(procmail_t)
 ')
 
+optional_policy(`
+	nagios_search_spool(procmail_t)
+')
+
 optional_policy(`
 	pyzor_domtrans(procmail_t)
 	pyzor_signal(procmail_t)
 ')
 
 optional_policy(`
+	mta_read_config(procmail_t)
+	mta_mailserver_delivery(procmail_t)
+	mta_manage_home_rw(procmail_t)
 	sendmail_domtrans(procmail_t)
 	sendmail_signal(procmail_t)
 	sendmail_dontaudit_rw_tcp_sockets(procmail_t)
@@ -145,3 +171,8 @@ optional_policy(`
 	spamassassin_domtrans_client(procmail_t)
 	spamassassin_read_lib_files(procmail_t)
 ')
+
+optional_policy(`
+    zarafa_stream_connect_server(procmail_t)
+    zarafa_domtrans_deliver(procmail_t)
+')
diff --git a/prosody.fc b/prosody.fc
new file mode 100644
index 0000000000..c056a2fb33
--- /dev/null
+++ b/prosody.fc
@@ -0,0 +1,10 @@
+/usr/bin/prosody		--	gen_context(system_u:object_r:prosody_exec_t,s0)
+/usr/bin/prosodyctl     --	gen_context(system_u:object_r:prosody_exec_t,s0)
+
+/usr/lib/systemd/system/prosody.service		--	gen_context(system_u:object_r:prosody_unit_file_t,s0)
+
+/var/lib/prosody(/.*)?		gen_context(system_u:object_r:prosody_var_lib_t,s0)
+
+/var/run/prosody(/.*)?		gen_context(system_u:object_r:prosody_var_run_t,s0)
+
+/var/log/prosody(/.*)?		gen_context(system_u:object_r:prosody_log_t,s0)
diff --git a/prosody.if b/prosody.if
new file mode 100644
index 0000000000..8231f4ff5e
--- /dev/null
+++ b/prosody.if
@@ -0,0 +1,255 @@
+
+## <summary>policy for prosody</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the prosody domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prosody_domtrans',`
+	gen_require(`
+		type prosody_t, prosody_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, prosody_exec_t, prosody_t)
+')
+
+########################################
+## <summary>
+##	Search prosody lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prosody_search_lib',`
+	gen_require(`
+		type prosody_var_lib_t;
+	')
+
+	allow $1 prosody_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read prosody lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prosody_read_lib_files',`
+	gen_require(`
+		type prosody_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage prosody lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prosody_manage_lib_files',`
+	gen_require(`
+		type prosody_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage prosody lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prosody_manage_lib_dirs',`
+	gen_require(`
+		type prosody_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read prosody PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prosody_read_pid_files',`
+	gen_require(`
+		type prosody_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute prosody server in the prosody domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`prosody_systemctl',`
+	gen_require(`
+		type prosody_t;
+		type prosody_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 prosody_unit_file_t:file read_file_perms;
+	allow $1 prosody_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, prosody_t)
+')
+
+
+########################################
+## <summary>
+##	Execute prosody in the prosody domain, and
+##	allow the specified role the prosody domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the prosody domain.
+##	</summary>
+## </param>
+#
+interface(`prosody_run',`
+	gen_require(`
+		type prosody_t;
+		attribute_role prosody_roles;
+	')
+
+	prosody_domtrans($1)
+	roleattribute $2 prosody_roles;
+')
+
+######################################
+## <summary>
+##	Connect to prosody with a unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`prosody_stream_connect',`
+	gen_require(`
+		type prosody_t, prosody_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, prosody_var_run_t, prosody_var_run_t, prosody_t)
+')
+
+########################################
+## <summary>
+##	Role access for prosody
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`prosody_role',`
+	gen_require(`
+		type prosody_t;
+		attribute_role prosody_roles;
+	')
+
+	roleattribute $1 prosody_roles;
+
+	prosody_domtrans($2)
+
+	ps_process_pattern($2, prosody_t)
+	allow $2 prosody_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an prosody environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`prosody_admin',`
+	gen_require(`
+		type prosody_t;
+		type prosody_var_lib_t;
+		type prosody_var_run_t;
+	type prosody_unit_file_t;
+	')
+
+	allow $1 prosody_t:process { ptrace signal_perms };
+	ps_process_pattern($1, prosody_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, prosody_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, prosody_var_run_t)
+
+	prosody_systemctl($1)
+	admin_pattern($1, prosody_unit_file_t)
+	allow $1 prosody_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/prosody.te b/prosody.te
new file mode 100644
index 0000000000..5a9f1d42cd
--- /dev/null
+++ b/prosody.te
@@ -0,0 +1,99 @@
+policy_module(prosody, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##  Permit to prosody to bind apache port.
+##  Need to be activated to use BOSH.
+##  </p>
+## </desc>
+gen_tunable(prosody_bind_http_port, false)
+
+type prosody_t;
+type prosody_exec_t;
+init_daemon_domain(prosody_t, prosody_exec_t)
+
+type prosody_log_t;
+logging_log_file(prosody_log_t)
+
+type prosody_var_lib_t;
+files_type(prosody_var_lib_t)
+
+type prosody_var_run_t;
+files_pid_file(prosody_var_run_t)
+
+type prosody_tmp_t;
+files_tmp_file(prosody_tmp_t)
+
+type prosody_unit_file_t;
+systemd_unit_file(prosody_unit_file_t)
+
+########################################
+#
+# prosody local policy
+#
+allow prosody_t self:capability { setuid setgid dac_read_search dac_override };
+allow prosody_t self:process { signal_perms execmem };
+allow prosody_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
+files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
+
+manage_dirs_pattern(prosody_t, prosody_log_t, prosody_log_t)
+manage_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+logging_log_filetrans(prosody_t, prosody_log_t, { file dir })
+
+manage_dirs_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
+manage_files_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t)
+files_tmp_filetrans(prosody_t, prosody_tmp_t, { dir file })
+
+can_exec(prosody_t, prosody_exec_t)
+
+kernel_read_system_state(prosody_t)
+
+corecmd_exec_bin(prosody_t)
+corecmd_exec_shell(prosody_t)
+
+corenet_udp_bind_generic_node(prosody_t)
+corenet_tcp_connect_postgresql_port(prosody_t)
+corenet_tcp_connect_jabber_interserver_port(prosody_t)
+corenet_tcp_connect_jabber_client_port(prosody_t)
+corenet_tcp_bind_prosody_port(prosody_t)
+corenet_tcp_bind_jabber_client_port(prosody_t)
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
+corenet_tcp_bind_jabber_router_port(prosody_t)
+corenet_tcp_bind_commplex_main_port(prosody_t)
+corenet_tcp_bind_fac_restore_port(prosody_t)
+
+tunable_policy(`prosody_bind_http_port',`
+    corenet_tcp_bind_http_port(prosody_t)
+')
+
+dev_read_urand(prosody_t)
+
+domain_use_interactive_fds(prosody_t)
+
+files_read_etc_files(prosody_t)
+
+auth_use_nsswitch(prosody_t)
+sysnet_read_config(prosody_t)
+
+logging_send_syslog_msg(prosody_t)
+
+miscfiles_read_localization(prosody_t)
+
+optional_policy(`
+	sasl_connect(prosody_t)
+')
diff --git a/psad.if b/psad.if
index d4dcf782ce..3cce82e500 100644
--- a/psad.if
+++ b/psad.if
@@ -93,9 +93,8 @@ interface(`psad_manage_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 psad_etc_t:dir manage_dir_perms;
-	allow $1 psad_etc_t:file manage_file_perms;
-	allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
+	manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+	manage_files_pattern($1, psad_etc_t, psad_etc_t)
 ')
 
 ########################################
@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Read and write psad pid files.
+##	Read and write psad PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -177,6 +176,45 @@ interface(`psad_append_log',`
 	append_files_pattern($1, psad_var_log_t, psad_var_log_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to write to psad's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_write_log',`
+	gen_require(`
+		type psad_var_log_t;
+	')
+
+	logging_search_logs($1)
+	write_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to setattr to psad's log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`psad_setattr_log',`
+    gen_require(`
+        type psad_var_log_t;
+    ')
+
+    logging_search_logs($1)
+    setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write psad fifo files.
@@ -196,6 +234,45 @@ interface(`psad_rw_fifo_file',`
 	rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
 ')
 
+#######################################
+## <summary>
+##  Allow setattr to psad fifo files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`psad_setattr_fifo_file',`
+    gen_require(`
+        type psad_t, psad_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+	allow $1 psad_var_lib_t:fifo_file setattr;
+    search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Allow search to psad lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`psad_search_lib_files',`
+    gen_require(`
+        type psad_t, psad_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
 #######################################
 ## <summary>
 ##	Read and write psad temporary files.
@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',`
 interface(`psad_admin',`
 	gen_require(`
 		type psad_t, psad_var_run_t, psad_var_log_t;
-		type psad_initrc_exec_t, psad_var_lib_t;
+		type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
 		type psad_tmp_t;
 	')
 
-	allow $1 psad_t:process { ptrace signal_perms };
+	allow $1 psad_t:process signal_perms;
 	ps_process_pattern($1, psad_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 psad_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, psad_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 psad_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, psad_etc_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, psad_var_run_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, psad_var_log_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, psad_var_lib_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, psad_tmp_t)
 ')
diff --git a/psad.te b/psad.te
index b5d717b091..e716d9d2c5 100644
--- a/psad.te
+++ b/psad.te
@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t)
 # Local policy
 #
 
-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search dac_override };
 dontaudit psad_t self:capability sys_tty_config;
 allow psad_t self:process signal_perms;
 allow psad_t self:fifo_file rw_fifo_file_perms;
@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
 corecmd_exec_bin(psad_t)
 corecmd_exec_shell(psad_t)
 
-corenet_all_recvfrom_unlabeled(psad_t)
 corenet_all_recvfrom_netlabel(psad_t)
 corenet_tcp_sendrecv_generic_if(psad_t)
 corenet_tcp_sendrecv_generic_node(psad_t)
@@ -77,8 +76,9 @@ corenet_tcp_sendrecv_whois_port(psad_t)
 
 dev_read_urand(psad_t)
 
+domain_read_all_domains_state(psad_t)
+
 files_read_etc_runtime_files(psad_t)
-files_read_usr_files(psad_t)
 
 fs_getattr_all_fs(psad_t)
 
@@ -88,8 +88,6 @@ logging_read_generic_logs(psad_t)
 logging_read_syslog_config(psad_t)
 logging_send_syslog_msg(psad_t)
 
-miscfiles_read_localization(psad_t)
-
 sysnet_exec_ifconfig(psad_t)
 
 optional_policy(`
diff --git a/ptchown.te b/ptchown.te
index 28d2abc03b..c2cfb5eaab 100644
--- a/ptchown.te
+++ b/ptchown.te
@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
 allow ptchown_t self:capability { chown fowner fsetid setuid };
 allow ptchown_t self:process { getcap setcap };
 
-files_read_etc_files(ptchown_t)
 
 fs_rw_anon_inodefs_files(ptchown_t)
 
@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t)
 term_use_generic_ptys(ptchown_t)
 term_use_ptmx(ptchown_t)
 
-miscfiles_read_localization(ptchown_t)
+auth_read_passwd(ptchown_t)
diff --git a/publicfile.te b/publicfile.te
index 3246befff7..dd66a21cbb 100644
--- a/publicfile.te
+++ b/publicfile.te
@@ -17,7 +17,7 @@ files_type(publicfile_content_t)
 # Local policy
 #
 
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+allow publicfile_t self:capability { dac_read_search  dac_override setgid setuid sys_chroot };
 
 allow publicfile_t publicfile_content_t:dir list_dir_perms;
 allow publicfile_t publicfile_content_t:file read_file_perms;
diff --git a/pulseaudio.fc b/pulseaudio.fc
index 6864479a79..0e7d875135 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -1,9 +1,14 @@
 HOME_DIR/\.esd_auth	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
-HOME_DIR/\.pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse-cookie	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 
-/usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+/root/\.esd_auth	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse-cookie	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.config/pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 
-/var/lib/pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 
-/var/run/pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
index 45843b55c2..4d1adace56 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,43 +2,47 @@
 
 ########################################
 ## <summary>
-##	Role access for pulseaudio.
+##	Role access for pulseaudio
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
 interface(`pulseaudio_role',`
 	gen_require(`
-		attribute pulseaudio_tmpfsfile;
-		type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
-		type pulseaudio_tmp_t;
+        attribute pulseaudio_tmpfsfile;
+		type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
+		class dbus { acquire_svc send_msg };
 	')
 
-	pulseaudio_run($2, $1)
+	role $1 types pulseaudio_t;
+
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
 
-	allow $2 pulseaudio_t:process { ptrace signal_perms };
 	ps_process_pattern($2, pulseaudio_t)
 
-	allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
-	allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow pulseaudio_t $2:process { signal signull };
+	allow $2 pulseaudio_t:process { signal signull sigkill };
+	ps_process_pattern(pulseaudio_t, $2)
+
+	allow pulseaudio_t $2:unix_stream_socket connectto;
+	allow $2 pulseaudio_t:unix_stream_socket connectto;
 
 	allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
 
-	allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
-	allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	userdom_manage_tmp_role($1, pulseaudio_t)
 
-	allow pulseaudio_t $2:unix_stream_socket connectto;
+	allow $2 pulseaudio_t:dbus send_msg;
+	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
 ')
 
 ########################################
@@ -65,9 +69,8 @@ interface(`pulseaudio_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute pulseaudio in the pulseaudio
-##	domain, and allow the specified role
-##	the pulseaudio domain.
+##	Execute pulseaudio in the pulseaudio domain, and
+##	allow the specified role the pulseaudio domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -82,16 +85,16 @@ interface(`pulseaudio_domtrans',`
 #
 interface(`pulseaudio_run',`
 	gen_require(`
-		attribute_role pulseaudio_roles;
+		type pulseaudio_t;
 	')
 
 	pulseaudio_domtrans($1)
-	roleattribute $2 pulseaudio_roles;
+	role $2 types pulseaudio_t;
 ')
 
 ########################################
 ## <summary>
-##	Execute pulseaudio in the caller domain.
+##	Execute a pulseaudio in the current domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -104,13 +107,12 @@ interface(`pulseaudio_exec',`
 		type pulseaudio_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, pulseaudio_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to execute pulseaudio.
+##	Do not audit to execute a pulseaudio.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -128,7 +130,7 @@ interface(`pulseaudio_dontaudit_exec',`
 
 ########################################
 ## <summary>
-##	Send null signals to pulseaudio.
+##	Send signull signal to pulseaudio
 ##	processes.
 ## </summary>
 ## <param name="domain">
@@ -147,8 +149,8 @@ interface(`pulseaudio_signull',`
 
 #####################################
 ## <summary>
-##	Connect to pulseaudio with a unix
-##	domain stream socket.
+##	Connect to pulseaudio over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -158,11 +160,15 @@ interface(`pulseaudio_signull',`
 #
 interface(`pulseaudio_stream_connect',`
 	gen_require(`
-		type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
+		type pulseaudio_t, pulseaudio_var_run_t;
+		type pulseaudio_home_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
+	allow $1 pulseaudio_t:process signull;
+	allow pulseaudio_t $1:process signull;
+	stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+	stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
 ')
 
 ########################################
@@ -188,9 +194,9 @@ interface(`pulseaudio_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Set attributes of pulseaudio home directories.
+##	Set the attributes of the pulseaudio homedir.
 ## </summary>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
@@ -201,148 +207,190 @@ interface(`pulseaudio_setattr_home_dir',`
 		type pulseaudio_home_t;
 	')
 
-	allow $1 pulseaudio_home_t:dir setattr_dir_perms;
+	allow $1 pulseaudio_home_t:dir setattr;
 ')
 
 ########################################
 ## <summary>
-##	Read pulseaudio home content.
+##	Read pulseaudio homedir files.
 ## </summary>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`pulseaudio_read_home_files',`
-	refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
-	pulseaudio_read_home($1)
+	gen_require(`
+		type pulseaudio_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Read pulseaudio home content.
+##	Read and write Pulse Audio files.
 ## </summary>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_read_home',`
+interface(`pulseaudio_rw_home_files',`
 	gen_require(`
 		type pulseaudio_home_t;
 	')
 
+	rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 pulseaudio_home_t:dir list_dir_perms;
-	allow $1 pulseaudio_home_t:file read_file_perms;
-	allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write Pulse Audio files.
+##	Create, read, write, and delete pulseaudio
+##	home directories.
 ## </summary>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_rw_home_files',`
+interface(`pulseaudio_manage_home_dirs',`
 	gen_require(`
 		type pulseaudio_home_t;
 	')
 
 	userdom_search_user_home_dirs($1)
-	rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	pulseaudio home content.
+##	Create, read, write, and delete pulseaudio
+##	home directory files.
 ## </summary>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`pulseaudio_manage_home_files',`
-	refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
-	pulseaudio_manage_home($1)
+	gen_require(`
+		type pulseaudio_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	pulseaudio_filetrans_home_content($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	pulseaudio home content.
+##	Create, read, write, and delete pulseaudio
+##	home directory symlinks.
 ## </summary>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_manage_home',`
+interface(`pulseaudio_manage_home_symlinks',`
 	gen_require(`
 		type pulseaudio_home_t;
 	')
 
 	userdom_search_user_home_dirs($1)
-	allow $1 pulseaudio_home_t:dir manage_dir_perms;
-	allow $1 pulseaudio_home_t:file manage_file_perms;
-	allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+	manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the pulseaudio
-##	home type.
+##	Create pulseaudio content in the user home directory
+##	with an correct label.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
+#
+interface(`pulseaudio_filetrans_home_content',`
+	gen_require(`
+		type pulseaudio_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
+	optional_policy(`
+		gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
+	')
+')
+
+########################################
+## <summary>
+##	Create pulseaudio content in the admin home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_home_filetrans_pulseaudio_home',`
+interface(`pulseaudio_filetrans_admin_home_content',`
 	gen_require(`
 		type pulseaudio_home_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
+	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Make the specified tmpfs file type
-##	pulseaudio tmpfs content.
+##  Make the specified tmpfs file type
+##  pulseaudio tmpfs content.
 ## </summary>
 ## <param name="file_type">
+##  <summary>
+##  File type to make pulseaudio tmpfs content.
+##  </summary>
+## </param>
+#
+interface(`pulseaudio_tmpfs_content',`
+    gen_require(`
+        attribute pulseaudio_tmpfsfile;
+    ')
+
+    typeattribute $1 pulseaudio_tmpfsfile;
+')
+
+########################################
+## <summary>
+##	Allow the domain to read pulseaudio state files in /proc.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	File type to make pulseaudio tmpfs content.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_tmpfs_content',`
+interface(`pulseaudio_read_state',`
 	gen_require(`
-		attribute pulseaudio_tmpfsfile;
+		type pulseaudio_t;
 	')
 
-	typeattribute $1 pulseaudio_tmpfsfile;
+	kernel_search_proc($1)
+	ps_process_pattern($1, pulseaudio_t)
 ')
diff --git a/pulseaudio.te b/pulseaudio.te
index 6643b49c2a..6c374240b0 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -8,61 +8,51 @@ policy_module(pulseaudio, 1.6.0)
 attribute pulseaudio_client;
 attribute pulseaudio_tmpfsfile;
 
-attribute_role pulseaudio_roles;
-
 type pulseaudio_t;
 type pulseaudio_exec_t;
 # init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
 userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
-role pulseaudio_roles types pulseaudio_t;
+role system_r types pulseaudio_t;
 
 type pulseaudio_home_t;
 userdom_user_home_content(pulseaudio_home_t)
 
-type pulseaudio_tmp_t;
-userdom_user_tmp_file(pulseaudio_tmp_t)
-
 type pulseaudio_tmpfs_t;
 userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
 
 type pulseaudio_var_lib_t;
 files_type(pulseaudio_var_lib_t)
+ubac_constrained(pulseaudio_var_lib_t)
 
 type pulseaudio_var_run_t;
 files_pid_file(pulseaudio_var_run_t)
+ubac_constrained(pulseaudio_var_run_t)
 
 ########################################
 #
-# Local policy
+# pulseaudio local policy
 #
 
 allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
 allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
-allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
-allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
-allow pulseaudio_t self:unix_dgram_socket sendto;
-allow pulseaudio_t self:tcp_socket { accept listen };
+allow pulseaudio_t self:fifo_file rw_file_perms;
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+allow pulseaudio_t self:udp_socket create_socket_perms;
 allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
 
-allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
-allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
-
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
-
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
-files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+userdom_search_user_home_dirs(pulseaudio_t)
+pulseaudio_filetrans_home_content(pulseaudio_t)
+allow pulseaudio_t pulseaudio_home_t:file map;
 
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
-fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
+userdom_read_user_home_content_files(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
+userdom_map_tmp_files(pulseaudio_t)
 
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@@ -72,10 +62,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
-
-allow pulseaudio_t pulseaudio_client:process signull;
-ps_process_pattern(pulseaudio_t, pulseaudio_client)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
 
 can_exec(pulseaudio_t, pulseaudio_exec_t)
 
@@ -85,62 +72,58 @@ kernel_read_kernel_sysctls(pulseaudio_t)
 
 corecmd_exec_bin(pulseaudio_t)
 
-corenet_all_recvfrom_unlabeled(pulseaudio_t)
 corenet_all_recvfrom_netlabel(pulseaudio_t)
-corenet_tcp_sendrecv_generic_if(pulseaudio_t)
-corenet_udp_sendrecv_generic_if(pulseaudio_t)
-corenet_tcp_sendrecv_generic_node(pulseaudio_t)
-corenet_udp_sendrecv_generic_node(pulseaudio_t)
-
-corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
 corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
-corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
-
-corenet_sendrecv_soundd_server_packets(pulseaudio_t)
 corenet_tcp_bind_soundd_port(pulseaudio_t)
-corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
-
-corenet_sendrecv_sap_server_packets(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
 corenet_udp_bind_sap_port(pulseaudio_t)
-corenet_udp_sendrecv_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
 
 dev_read_sound(pulseaudio_t)
 dev_write_sound(pulseaudio_t)
 dev_read_sysfs(pulseaudio_t)
 dev_read_urand(pulseaudio_t)
 
-files_read_usr_files(pulseaudio_t)
 
+fs_rw_anon_inodefs_files(pulseaudio_t)
 fs_getattr_tmpfs(pulseaudio_t)
-fs_getattr_all_fs(pulseaudio_t)
 fs_list_inotifyfs(pulseaudio_t)
-fs_rw_anon_inodefs_files(pulseaudio_t)
-fs_search_auto_mountpoints(pulseaudio_t)
 
-term_use_all_ttys(pulseaudio_t)
-term_use_all_ptys(pulseaudio_t)
+term_use_all_inherited_ttys(pulseaudio_t)
+term_use_all_inherited_ptys(pulseaudio_t)
 
 auth_use_nsswitch(pulseaudio_t)
 
 logging_send_syslog_msg(pulseaudio_t)
 
-miscfiles_read_localization(pulseaudio_t)
-
-userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_read_user_tmp_files(pulseaudio_t)
 
 userdom_search_user_home_dirs(pulseaudio_t)
 userdom_write_user_tmp_sockets(pulseaudio_t)
+userdom_manage_user_tmp_files(pulseaudio_t)
+userdom_execute_user_tmp_files(pulseaudio_t)
 
 tunable_policy(`use_nfs_home_dirs',`
+	fs_mount_nfs(pulseaudio_t)
+	fs_mounton_nfs(pulseaudio_t)
 	fs_manage_nfs_dirs(pulseaudio_t)
 	fs_manage_nfs_files(pulseaudio_t)
 	fs_manage_nfs_symlinks(pulseaudio_t)
+	fs_manage_nfs_named_sockets(pulseaudio_t)
+	fs_manage_nfs_named_pipes(pulseaudio_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
+	fs_mount_cifs(pulseaudio_t)
+	fs_mounton_cifs(pulseaudio_t)
 	fs_manage_cifs_dirs(pulseaudio_t)
 	fs_manage_cifs_files(pulseaudio_t)
 	fs_manage_cifs_symlinks(pulseaudio_t)
+	fs_manage_cifs_named_sockets(pulseaudio_t)
+	fs_manage_cifs_named_pipes(pulseaudio_t)
 ')
 
 optional_policy(`
@@ -153,8 +136,9 @@ optional_policy(`
 
 optional_policy(`
 	dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
-	dbus_all_session_bus_client(pulseaudio_t)
-	dbus_connect_all_session_bus(pulseaudio_t)
+	dbus_system_bus_client(pulseaudio_t)
+	dbus_session_bus_client(pulseaudio_t)
+	dbus_connect_session_bus(pulseaudio_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(pulseaudio_t)
@@ -173,16 +157,33 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	gnome_read_gkeyringd_state(pulseaudio_t)
+	gnome_signull_gkeyringd(pulseaudio_t)
+	gnome_manage_gstreamer_home_files(pulseaudio_t)
+	gnome_exec_gstreamer_home_files(pulseaudio_t)
+')
+
 optional_policy(`
 	rtkit_scheduled(pulseaudio_t)
 ')
 
+optional_policy(`
+	mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
+	mozilla_plugin_read_tmpfs_files(pulseaudio_t)
+')
+
 optional_policy(`
 	policykit_domtrans_auth(pulseaudio_t)
 	policykit_read_lib(pulseaudio_t)
 	policykit_read_reload(pulseaudio_t)
 ')
 
+optional_policy(`
+	systemd_read_logind_sessions_files(pulseaudio_t)
+	systemd_login_read_pid_files(pulseaudio_t)
+')
+
 optional_policy(`
 	udev_read_state(pulseaudio_t)
 	udev_read_db(pulseaudio_t)
@@ -190,13 +191,16 @@ optional_policy(`
 
 optional_policy(`
 	xserver_stream_connect(pulseaudio_t)
-	xserver_manage_xdm_tmp_files(pulseaudio_t)
 	xserver_read_xdm_lib_files(pulseaudio_t)
 	xserver_read_xdm_pid(pulseaudio_t)
 	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
 ')
 
-########################################
+optional_policy(`
+	virt_manage_tmpfs_files(pulseaudio_t)
+')
+
+#######################################
 #
 # Client local policy
 #
@@ -210,8 +214,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
 
 fs_getattr_tmpfs(pulseaudio_client)
 
-corenet_all_recvfrom_unlabeled(pulseaudio_client)
-corenet_all_recvfrom_netlabel(pulseaudio_client)
 corenet_tcp_sendrecv_generic_if(pulseaudio_client)
 corenet_tcp_sendrecv_generic_node(pulseaudio_client)
 
@@ -220,38 +222,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
 corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
 
 pulseaudio_stream_connect(pulseaudio_client)
-pulseaudio_manage_home(pulseaudio_client)
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
+pulseaudio_manage_home_files(pulseaudio_client)
 pulseaudio_signull(pulseaudio_client)
 
-# TODO: ~/.cache
 userdom_manage_user_home_content_files(pulseaudio_client)
 
-userdom_read_user_tmpfs_files(pulseaudio_client)
-# userdom_delete_user_tmpfs_files(pulseaudio_client)
+userdom_read_user_tmp_files(pulseaudio_client)
 
 tunable_policy(`use_nfs_home_dirs',`
-	fs_getattr_nfs(pulseaudio_client)
-	fs_manage_nfs_dirs(pulseaudio_client)
-	fs_manage_nfs_files(pulseaudio_client)
-	fs_read_nfs_symlinks(pulseaudio_client)
+    fs_getattr_nfs(pulseaudio_client)
+    fs_manage_nfs_dirs(pulseaudio_client)
+    fs_manage_nfs_files(pulseaudio_client)
+    fs_read_nfs_symlinks(pulseaudio_client)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
-	fs_getattr_cifs(pulseaudio_client)
-	fs_manage_cifs_dirs(pulseaudio_client)
-	fs_manage_cifs_files(pulseaudio_client)
-	fs_read_cifs_symlinks(pulseaudio_client)
+    fs_getattr_cifs(pulseaudio_client)
+    fs_manage_cifs_dirs(pulseaudio_client)
+    fs_manage_cifs_files(pulseaudio_client)
+    fs_read_cifs_symlinks(pulseaudio_client)
 ')
 
 optional_policy(`
-	pulseaudio_dbus_chat(pulseaudio_client)
+    pulseaudio_dbus_chat(pulseaudio_client)
 ')
 
 optional_policy(`
-	rtkit_scheduled(pulseaudio_client)
+    rtkit_scheduled(pulseaudio_client)
 ')
 
 optional_policy(`
diff --git a/puppet.fc b/puppet.fc
index d68e26d1fe..3b08cfd9d8 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -1,18 +1,23 @@
-/etc/puppet(/.*)?	gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppetlabs(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
 
-/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster	--	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppet	    --	gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
 
-/usr/bin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/bin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/bin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+#helper scripts
+/usr/bin/start-puppet-agent       --  gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/start-puppet-master      --  gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/start-puppet-ca          --    gen_context(system_u:object_r:puppetca_exec_t,s0)
 
-/usr/sbin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppet	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
-/var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/usr/sbin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/sbin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
-/var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
-
-/var/run/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_run_t,s0)
+/var/lib/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
index 7cb8b1f9c9..173bc5b0e5 100644
--- a/puppet.if
+++ b/puppet.if
@@ -1,4 +1,52 @@
-## <summary>Configuration management system.</summary>
+## <summary>Puppet client daemon</summary>
+## <desc>
+##	<p>
+##	Puppet is a configuration management system written in Ruby.
+##	The client daemon is responsible for periodically requesting the
+##	desired system state from the server and ensuring the state of
+##	the client system matches.
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	Execute puppet_master in the puppet_master
+##	domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`puppet_domtrans_master',`
+	gen_require(`
+		type puppetmaster_t, puppetmaster_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
+')
+
+########################################
+## <summary>
+##	Execute puppet in the puppet
+##	domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`puppet_domtrans',`
+	gen_require(`
+		type puppet_t, puppet_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, puppet_exec_t, puppet_t)
+')
 
 ########################################
 ## <summary>
@@ -22,7 +70,7 @@ interface(`puppet_domtrans_puppetca',`
 
 #####################################
 ## <summary>
-##	Execute puppetca in the puppetca
+##	Execute puppet in the puppet
 ##	domain and allow the specified
 ##	role the puppetca domain.
 ## </summary>
@@ -38,39 +86,49 @@ interface(`puppet_domtrans_puppetca',`
 ## </param>
 ## <rolecap/>
 #
-interface(`puppet_run_puppetca',`
+interface(`puppet_run',`
 	gen_require(`
-		attribute_role puppetca_roles;
+		type puppet_t, puppet_exec_t;
 	')
 
-	puppet_domtrans_puppetca($1)
-	roleattribute $2 puppetca_roles;
+	puppet_domtrans($1)
+	role $2 types puppet_t;
 ')
 
-####################################
+#####################################
 ## <summary>
-##	Read puppet configuration content.
+##	Execute puppetca in the puppetca
+##	domain and allow the specified
+##	role the puppetca domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
 #
-interface(`puppet_read_config',`
+interface(`puppet_run_puppetca',`
 	gen_require(`
-		type puppet_etc_t;
+		type puppetca_t, puppetca_exec_t;
 	')
 
-	files_search_etc($1)
-	allow $1 puppet_etc_t:dir list_dir_perms;
-	allow $1 puppet_etc_t:file read_file_perms;
-	allow $1 puppet_etc_t:lnk_file read_lnk_file_perms;
+	puppet_domtrans_puppetca($1)
+	role $2 types puppetca_t;
 ')
 
+
 ################################################
 ## <summary>
-##	Read Puppet lib files.
+##	Read / Write to Puppet temp files.  Puppet uses
+##	some system binaries (groupadd, etc) that run in
+##	a non-puppet domain and redirects output into temp
+##	files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -78,19 +136,18 @@ interface(`puppet_read_config',`
 ##	</summary>
 ## </param>
 #
-interface(`puppet_read_lib_files',`
+interface(`puppet_rw_tmp', `
 	gen_require(`
-		type puppet_var_lib_t;
+		type puppet_tmp_t;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+	allow $1 puppet_tmp_t:file rw_inherited_file_perms;
+	files_search_tmp($1)
 ')
 
-###############################################
+################################################
 ## <summary>
-##	Create, read, write, and delete
-##	puppet lib files.
+##	Read Puppet lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -98,138 +155,164 @@ interface(`puppet_read_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`puppet_manage_lib_files',`
+interface(`puppet_read_lib',`
 	gen_require(`
 		type puppet_var_lib_t;
 	')
 
+	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
 	files_search_var_lib($1)
-	manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
 ')
 
-#####################################
+###############################################
 ## <summary>
-##	Append puppet log files.
+##  Manage Puppet lib files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`puppet_append_log_files',`
-	gen_require(`
-		type puppet_log_t;
-	')
+interface(`puppet_manage_lib',`
+    gen_require(`
+        type puppet_var_lib_t;
+    ')
 
-	logging_search_logs($1)
-	append_files_pattern($1, puppet_log_t, puppet_log_t)
+    manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+    files_search_var_lib($1)
 ')
 
-#####################################
+######################################
 ## <summary>
-##	Create puppet log files.
+##  Allow the specified domain to search puppet's log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`puppet_create_log_files',`
-	gen_require(`
-		type puppet_log_t;
-	')
+interface(`puppet_search_log',`
+    gen_require(`
+        type puppet_log_t;
+    ')
 
-	logging_search_logs($1)
-	create_files_pattern($1, puppet_log_t, puppet_log_t)
+    logging_search_logs($1)
+    allow $1 puppet_log_t:dir search_dir_perms;
 ')
 
 #####################################
 ## <summary>
-##	Read puppet log files.
+##  Allow the specified domain to read puppet's log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`puppet_read_log_files',`
-	gen_require(`
-		type puppet_log_t;
-	')
+interface(`puppet_read_log',`
+    gen_require(`
+        type puppet_log_t;
+    ')
 
-	logging_search_logs($1)
+    logging_search_logs($1)
 	read_files_pattern($1, puppet_log_t, puppet_log_t)
 ')
 
-################################################
+#####################################
 ## <summary>
-##	Read and write to puppet tempoprary files.
+##  Allow the specified domain to create puppet's log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`puppet_rw_tmp', `
-	gen_require(`
-		type puppet_tmp_t;
-	')
+interface(`puppet_create_log',`
+    gen_require(`
+        type puppet_log_t;
+    ')
 
-	files_search_tmp($1)
-	allow $1 puppet_tmp_t:file rw_file_perms;
+    logging_search_logs($1)
+    create_files_pattern($1, puppet_log_t, puppet_log_t)
 ')
 
-########################################
+####################################
 ## <summary>
-##	All of the rules required to
-##	administrate an puppet environment.
+##  Allow the specified domain to append puppet's log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
-interface(`puppet_admin',`
-	gen_require(`
-		type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t;
-		type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t;
-		type puppet_var_run_t, puppetmaster_tmp_t;
-		type puppet_t, puppetca_t, puppetmaster_t;
-	')
+interface(`puppet_append_log',`
+    gen_require(`
+        type puppet_log_t;
+    ')
 
-	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+    logging_search_logs($1)
+    append_files_pattern($1, puppet_log_t, puppet_log_t)
+')
 
-	init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
-	domain_system_change_exemption($1)
-	role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
-	allow $2 system_r;
+####################################
+## <summary>
+##  Allow the specified domain to manage puppet's log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`puppet_manage_log',`
+    gen_require(`
+        type puppet_log_t;
+    ')
 
-	files_search_etc($1)
-	admin_pattern($1, puppet_etc_t)
+    logging_search_logs($1)
+    manage_files_pattern($1, puppet_log_t, puppet_log_t)
+')
 
-	logging_search_logs($1)
-	admin_pattern($1, puppet_log_t)
+####################################
+## <summary>
+##  Allow the specified domain to read puppet's config files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`puppet_read_config',`
+    gen_require(`
+        type puppet_etc_t;
+    ')
 
-	files_search_var_lib($1)
-	admin_pattern($1, puppet_var_lib_t)
+    files_search_etc($1)
+	list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+    read_files_pattern($1, puppet_etc_t, puppet_etc_t)
+')
 
+#####################################
+## <summary>
+##  Allow the specified domain to search puppet's pid files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`puppet_search_pid',`
+    gen_require(`
+        type puppet_var_run_t;
+    ')
+	
 	files_search_pids($1)
-	admin_pattern($1, puppet_var_run_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t })
-
-	puppet_run_puppetca($1, $2)
+    allow $1 puppet_var_run_t:dir search_dir_perms;
 ')
diff --git a/puppet.te b/puppet.te
index 618dcfeedb..6bd7543ae9 100644
--- a/puppet.te
+++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether puppet can
-##	manage all non-security files.
-##	</p>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
 ## </desc>
-gen_tunable(puppet_manage_all_files, false)
+gen_tunable(puppetagent_manage_all_files, false)
 
-attribute_role puppetca_roles;
-roleattribute system_r puppetca_roles;
+## <desc>
+## <p>
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
+## </p>
+## </desc>
+gen_tunable(puppetmaster_use_db, false)
 
-type puppet_t;
-type puppet_exec_t;
-init_daemon_domain(puppet_t, puppet_exec_t)
+type puppetagent_t;
+type puppetagent_exec_t;
+typealias puppetagent_exec_t alias puppet_exec_t;
+typealias puppetagent_t alias puppet_t;
+init_daemon_domain(puppetagent_t, puppetagent_exec_t)
 
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
 
-type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t)
+type puppetagent_initrc_exec_t;
+typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
+init_script_file(puppetagent_initrc_exec_t)
 
 type puppet_log_t;
 logging_log_file(puppet_log_t)
@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t)
 
 type puppet_var_run_t;
 files_pid_file(puppet_var_run_t)
-init_daemon_run_dir(puppet_var_run_t, "puppet")
 
 type puppetca_t;
 type puppetca_exec_t;
 application_domain(puppetca_t, puppetca_exec_t)
-role puppetca_roles types puppetca_t;
+role system_r types puppetca_t;
 
 type puppetmaster_t;
 type puppetmaster_exec_t;
@@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t)
 
 ########################################
 #
-# Local policy
+# Puppet personal policy
 #
 
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
-allow puppet_t self:process { signal signull getsched setsched };
-allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket { accept listen };
-allow puppet_t self:udp_socket create_socket_perms;
-
-allow puppet_t puppet_etc_t:dir list_dir_perms;
-allow puppet_t puppet_etc_t:file read_file_perms;
-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
-
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
-
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-
-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
-
-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
-
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-kernel_read_kernel_sysctls(puppet_t)
-kernel_read_net_sysctls(puppet_t)
-kernel_read_network_state(puppet_t)
-
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
-corecmd_read_all_executables(puppet_t)
-
-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
-corenet_tcp_sendrecv_generic_if(puppet_t)
-corenet_tcp_sendrecv_generic_node(puppet_t)
-
-corenet_sendrecv_puppet_client_packets(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_tcp_sendrecv_puppet_port(puppet_t)
-
-dev_read_rand(puppet_t)
-dev_read_sysfs(puppet_t)
-dev_read_urand(puppet_t)
-
-domain_interactive_fd(puppet_t)
-domain_read_all_domains_state(puppet_t)
-
-files_manage_config_files(puppet_t)
-files_manage_config_dirs(puppet_t)
-files_manage_etc_dirs(puppet_t)
-files_manage_etc_files(puppet_t)
-files_read_usr_files(puppet_t)
-files_read_usr_symlinks(puppet_t)
-files_relabel_config_dirs(puppet_t)
-files_relabel_config_files(puppet_t)
-files_search_var_lib(puppet_t)
-
-selinux_get_fs_mount(puppet_t)
-selinux_search_fs(puppet_t)
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
-
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_ttys(puppet_t)
-
-init_all_labeled_script_domtrans(puppet_t)
-init_domtrans_script(puppet_t)
-init_read_utmp(puppet_t)
-init_signull_script(puppet_t)
-
-logging_send_syslog_msg(puppet_t)
-
-miscfiles_read_hwdata(puppet_t)
-miscfiles_read_localization(puppet_t)
-
-mount_domtrans(puppet_t)
-
-seutil_domtrans_setfiles(puppet_t)
-seutil_domtrans_semanage(puppet_t)
-
-sysnet_run_ifconfig(puppet_t, system_r)
-sysnet_use_ldap(puppet_t)
-
-tunable_policy(`puppet_manage_all_files',`
-	files_manage_non_auth_files(puppet_t)
+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search dac_override sys_nice sys_tty_config };
+allow puppetagent_t self:process { signal signull getsched setsched };
+allow puppetagent_t self:fifo_file rw_fifo_file_perms;
+allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetagent_t self:tcp_socket create_stream_socket_perms;
+allow puppetagent_t self:udp_socket create_socket_perms;
+
+read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppetagent_t)
+
+manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
+create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
+
+kernel_dontaudit_search_sysctl(puppetagent_t)
+kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
+kernel_read_system_state(puppetagent_t)
+kernel_read_crypto_sysctls(puppetagent_t)
+kernel_read_kernel_sysctls(puppetagent_t)
+
+corecmd_read_all_executables(puppetagent_t)
+corecmd_dontaudit_access_all_executables(puppetagent_t)
+corecmd_exec_bin(puppetagent_t)
+corecmd_exec_shell(puppetagent_t)
+
+corenet_all_recvfrom_netlabel(puppetagent_t)
+corenet_tcp_sendrecv_generic_if(puppetagent_t)
+corenet_tcp_sendrecv_generic_node(puppetagent_t)
+corenet_tcp_bind_generic_node(puppetagent_t)
+corenet_tcp_connect_puppet_port(puppetagent_t)
+corenet_sendrecv_puppet_client_packets(puppetagent_t)
+
+dev_read_rand(puppetagent_t)
+dev_read_sysfs(puppetagent_t)
+dev_read_urand(puppetagent_t)
+
+domain_read_all_domains_state(puppetagent_t)
+domain_interactive_fd(puppetagent_t)
+domain_named_filetrans(puppetagent_t)
+
+files_manage_config_files(puppetagent_t)
+files_manage_config_dirs(puppetagent_t)
+files_manage_etc_dirs(puppetagent_t)
+files_manage_etc_files(puppetagent_t)
+files_read_usr_symlinks(puppetagent_t)
+files_relabel_config_dirs(puppetagent_t)
+files_relabel_config_files(puppetagent_t)
+
+selinux_set_all_booleans(puppetagent_t)
+selinux_set_generic_booleans(puppetagent_t)
+selinux_validate_context(puppetagent_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
+term_dontaudit_getattr_all_ttys(puppetagent_t)
+
+auth_use_nsswitch(puppetagent_t)
+
+init_all_labeled_script_domtrans(puppetagent_t)
+init_domtrans_script(puppetagent_t)
+init_read_utmp(puppetagent_t)
+init_signull_script(puppetagent_t)
+
+logging_send_syslog_msg(puppetagent_t)
+
+miscfiles_read_hwdata(puppetagent_t)
+
+seutil_domtrans_setfiles(puppetagent_t)
+seutil_domtrans_semanage(puppetagent_t)
+seutil_read_file_contexts(puppetagent_t)
+
+sysnet_run_ifconfig(puppetagent_t, system_r)
+
+usermanage_access_check_groupadd(puppetagent_t)
+usermanage_access_check_passwd(puppetagent_t)
+usermanage_access_check_useradd(puppetagent_t)
+
+tunable_policy(`puppetagent_manage_all_files',`
+	files_manage_non_security_files(puppetagent_t)
+')
+
+optional_policy(`
+    mysql_stream_connect(puppetagent_t)
+')
+
+optional_policy(`
+    postgresql_stream_connect(puppetagent_t)
+')
+
+optional_policy(`
+	cfengine_read_lib_files(puppetagent_t)
+')
+
+optional_policy(`
+	consoletype_exec(puppetagent_t)
 ')
 
 optional_policy(`
-	cfengine_read_lib_files(puppet_t)
+	hostname_exec(puppetagent_t)
 ')
 
 optional_policy(`
-	consoletype_exec(puppet_t)
+	mount_domtrans(puppetagent_t)
 ')
 
 optional_policy(`
-	hostname_exec(puppet_t)
+	mta_send_mail(puppetagent_t)
 ')
 
 optional_policy(`
-	mount_domtrans(puppet_t)
+	networkmanager_dbus_chat(puppetagent_t)
 ')
 
 optional_policy(`
-	mta_send_mail(puppet_t)
+        firewalld_dbus_chat(puppetagent_t)
 ')
 
 optional_policy(`
-	portage_domtrans(puppet_t)
-	portage_domtrans_fetch(puppet_t)
-	portage_domtrans_gcc_config(puppet_t)
+	portage_domtrans(puppetagent_t)
+	portage_domtrans_fetch(puppetagent_t)
+	portage_domtrans_gcc_config(puppetagent_t)
 ')
 
 optional_policy(`
-	files_rw_var_files(puppet_t)
+	files_rw_var_files(puppetagent_t)
 
-	rpm_domtrans(puppet_t)
-	rpm_manage_db(puppet_t)
-	rpm_manage_log(puppet_t)
+	rpm_domtrans(puppetagent_t)
+	rpm_manage_db(puppetagent_t)
+	rpm_manage_log(puppetagent_t)
 ')
 
 optional_policy(`
-	unconfined_domain(puppet_t)
+    unconfined_domain_noaudit(puppetagent_t)
 ')
 
 optional_policy(`
-	usermanage_domtrans_groupadd(puppet_t)
-	usermanage_domtrans_useradd(puppet_t)
+    rhsmcertd_dbus_chat(puppetagent_t)
 ')
 
 ########################################
 #
-# Ca local policy
+# PuppetCA personal policy
 #
 
-allow puppetca_t self:capability { dac_override setgid setuid };
+allow puppetca_t self:capability { dac_read_search dac_override setgid setuid };
 allow puppetca_t self:fifo_file rw_fifo_file_perms;
 
-allow puppetca_t puppet_etc_t:dir list_dir_perms;
-allow puppetca_t puppet_etc_t:file read_file_perms;
-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
 
 allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
 manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
@@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
 allow puppetca_t puppet_var_run_t:dir search_dir_perms;
 
 kernel_read_system_state(puppetca_t)
+# Maybe dontaudit this like we did with other puppet domains?
 kernel_read_kernel_sysctls(puppetca_t)
 
 corecmd_exec_bin(puppetca_t)
@@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t)
 dev_read_urand(puppetca_t)
 dev_search_sysfs(puppetca_t)
 
-files_read_etc_files(puppetca_t)
-files_search_pids(puppetca_t)
 files_search_var_lib(puppetca_t)
 
 selinux_validate_context(puppetca_t)
 
 logging_search_logs(puppetca_t)
 
-miscfiles_read_localization(puppetca_t)
 miscfiles_read_generic_certs(puppetca_t)
 
 seutil_read_file_contexts(puppetca_t)
@@ -246,38 +259,50 @@ optional_policy(`
 	hostname_exec(puppetca_t)
 ')
 
+optional_policy(`
+	mta_sendmail_access_check(puppetca_t)
+')
+
+
 ########################################
 #
-# Master local policy
+# Pupper master personal policy
 #
 
 allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
 allow puppetmaster_t self:process { signal_perms getsched setsched };
 allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:socket create;
-allow puppetmaster_t self:tcp_socket { accept listen };
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
 
-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
-allow puppetmaster_t puppet_etc_t:file read_file_perms;
-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
+domtrans_pattern(puppetmaster_t, puppetagent_exec_t, puppetagent_t)
 
-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_lnk_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
 
-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
 
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
 
-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
 
 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
 kernel_read_network_state(puppetmaster_t)
@@ -289,23 +314,24 @@ corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
 
 corenet_all_recvfrom_netlabel(puppetmaster_t)
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
 corenet_tcp_sendrecv_generic_if(puppetmaster_t)
 corenet_tcp_sendrecv_generic_node(puppetmaster_t)
 corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
 corenet_tcp_bind_puppet_port(puppetmaster_t)
-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_connect_ntop_port(puppetmaster_t)
+
+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
+corenet_udp_bind_generic_node(puppetmaster_t)
+corenet_udp_bind_generic_port(puppetmaster_t)
 
 dev_read_rand(puppetmaster_t)
 dev_read_urand(puppetmaster_t)
 dev_search_sysfs(puppetmaster_t)
 
-domain_obj_id_change_exemption(puppetmaster_t)
 domain_read_all_domains_state(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
 
-files_read_usr_files(puppetmaster_t)
 
 selinux_validate_context(puppetmaster_t)
 
@@ -314,26 +340,32 @@ auth_use_nsswitch(puppetmaster_t)
 logging_send_syslog_msg(puppetmaster_t)
 
 miscfiles_read_generic_certs(puppetmaster_t)
-miscfiles_read_localization(puppetmaster_t)
 
 seutil_read_file_contexts(puppetmaster_t)
 
 sysnet_run_ifconfig(puppetmaster_t, system_r)
 
+mta_send_mail(puppetmaster_t)
+
 optional_policy(`
-	hostname_exec(puppetmaster_t)
+	tunable_policy(`puppetmaster_use_db',`
+		mysql_stream_connect(puppetmaster_t)
+	')
 ')
 
 optional_policy(`
-	mta_send_mail(puppetmaster_t)
+	tunable_policy(`puppetmaster_use_db',`
+		postgresql_stream_connect(puppetmaster_t)
+	')
 ')
 
 optional_policy(`
-	mysql_stream_connect(puppetmaster_t)
+    systemd_dbus_chat_timedated(puppetagent_t)
+	systemd_dbus_chat_timedated(puppetmaster_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(puppetmaster_t)
+	hostname_exec(puppetmaster_t)
 ')
 
 optional_policy(`
@@ -342,3 +374,9 @@ optional_policy(`
 	rpm_exec(puppetmaster_t)
 	rpm_read_db(puppetmaster_t)
 ')
+
+optional_policy(`
+	usermanage_access_check_groupadd(puppetmaster_t)
+	usermanage_access_check_passwd(puppetmaster_t)
+	usermanage_access_check_useradd(puppetmaster_t)
+')
diff --git a/pwauth.fc b/pwauth.fc
index 7e7b44434e..e2f8687dbd 100644
--- a/pwauth.fc
+++ b/pwauth.fc
@@ -1,3 +1,3 @@
-/usr/bin/pwauth	--	gen_context(system_u:object_r:pwauth_exec_t,s0)
+/usr/bin/pwauth		--	gen_context(system_u:object_r:pwauth_exec_t,s0)
 
-/var/run/pwauth\.lock	--	gen_context(system_u:object_r:pwauth_var_run_t,s0)
+/var/run/pwauth.lock	--	gen_context(system_u:object_r:pwauth_var_run_t,s0)
diff --git a/pwauth.if b/pwauth.if
index 1148dce1ae..86d25ea260 100644
--- a/pwauth.if
+++ b/pwauth.if
@@ -1,72 +1,74 @@
-## <summary>External plugin for mod_authnz_external authenticator.</summary>
+
+## <summary>policy for pwauth</summary>
 
 ########################################
 ## <summary>
-##	Role access for pwauth.
+##	Transition to pwauth.
 ## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
 ## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
+## <summary>
+##	Domain allowed to transition.
+## </summary>
 ## </param>
 #
-interface(`pwauth_role',`
+interface(`pwauth_domtrans',`
 	gen_require(`
-		type pwauth_t;
+		type pwauth_t, pwauth_exec_t;
 	')
 
-	pwauth_run($2, $1)
-
-	ps_process_pattern($2, pwauth_t)
-	allow $2 pwauth_t:process { ptrace signal_perms };
+	corecmd_search_bin($1)
+	domtrans_pattern($1, pwauth_exec_t, pwauth_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute pwauth in the pwauth domain.
+##	Execute pwauth in the pwauth domain, and
+##	allow the specified role the pwauth domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the pwauth domain.
 ##	</summary>
 ## </param>
 #
-interface(`pwauth_domtrans',`
+interface(`pwauth_run',`
 	gen_require(`
-		type pwauth_t, pwauth_exec_t;
+		type pwauth_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, pwauth_exec_t, pwauth_t)
+	pwauth_domtrans($1)
+	role $2 types pwauth_t;
 ')
 
 ########################################
 ## <summary>
-##	Execute pwauth in the pwauth
-##	domain, and allow the specified
-##	role the pwauth domain.
+##	Role access for pwauth
 ## </summary>
-## <param name="domain">
+## <param name="role">
 ##	<summary>
-##	Domain allowed to transition.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-interface(`pwauth_run',`
+interface(`pwauth_role',`
 	gen_require(`
-		attribute_role pwauth_roles;
+		type pwauth_t;
 	')
 
-	pwauth_domtrans($1)
-	roleattribute $2 pwauth_roles;
+	role $1 types pwauth_t;
+
+	pwauth_domtrans($2)
+
+	ps_process_pattern($2, pwauth_t)
+	allow $2 pwauth_t:process signal;
 ')
diff --git a/pwauth.te b/pwauth.te
index 3078e349e4..215df880c5 100644
--- a/pwauth.te
+++ b/pwauth.te
@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
 # Declarations
 #
 
-attribute_role pwauth_roles;
-roleattribute system_r pwauth_roles;
-
 type pwauth_t;
 type pwauth_exec_t;
 application_domain(pwauth_t, pwauth_exec_t)
-role pwauth_roles types pwauth_t;
+role system_r types pwauth_t;
 
 type pwauth_var_run_t;
 files_pid_file(pwauth_var_run_t)
 
 ########################################
 #
-# Local policy
+# pwauth local policy
 #
-
 allow pwauth_t self:capability setuid;
 allow pwauth_t self:process setrlimit;
+
 allow pwauth_t self:fifo_file manage_fifo_file_perms;
-allow pwauth_t self:unix_stream_socket { accept listen };
+allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
 files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
 
 auth_domtrans_chkpwd(pwauth_t)
 auth_use_nsswitch(pwauth_t)
+auth_read_shadow(pwauth_t)
+auth_rw_lastlog(pwauth_t)
 
 init_read_utmp(pwauth_t)
 
 logging_send_syslog_msg(pwauth_t)
 logging_send_audit_msgs(pwauth_t)
-
-miscfiles_read_localization(pwauth_t)
diff --git a/pxe.te b/pxe.te
index 06bec9ba91..1b32632dcc 100644
--- a/pxe.te
+++ b/pxe.te
@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
 
 domain_use_interactive_fds(pxe_t)
 
-files_read_etc_files(pxe_t)
 
 fs_getattr_all_fs(pxe_t)
 fs_search_auto_mountpoints(pxe_t)
 
 logging_send_syslog_msg(pxe_t)
 
-miscfiles_read_localization(pxe_t)
-
 userdom_dontaudit_use_unpriv_user_fds(pxe_t)
 userdom_dontaudit_search_user_home_dirs(pxe_t)
 
diff --git a/pyicqt.fc b/pyicqt.fc
deleted file mode 100644
index 0c143e3e87..0000000000
--- a/pyicqt.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_conf_t,s0)
-
-/etc/rc\.d/init\.d/pyicq-t	--	gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
-
-/usr/share/pyicq-t/PyICQt\.py	--	gen_context(system_u:object_r:pyicqt_exec_t,s0)
-
-/var/log/pyicq-t\.log.*	--	gen_context(system_u:object_r:pyicqt_log_t,s0)
-
-/var/run/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_var_run_t,s0)
-
-/var/spool/pyicq-t(/.*)?	gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/pyicqt.if b/pyicqt.if
deleted file mode 100644
index 0ccea828aa..0000000000
--- a/pyicqt.if
+++ /dev/null
@@ -1,45 +0,0 @@
-## <summary>ICQ transport for XMPP server.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an pyicqt environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`pyicqt_admin',`
-	gen_require(`
-		type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
-		type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
-	')
-
-	allow $1 pyicqt_t:process { ptrace signal_perms };
-	ps_process_pattern($1, pyicqt_t)
-
-	init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 pyicqt_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_search_etc($1)
-	admin_pattern($1, pyicqt_conf_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, pyicqt_log_t)
-
-	files_search_spool($1)
-	admin_pattern($1, pyicqt_spool_t)
-
-	files_search_pids($1)
-	admin_pattern($1, pyicqt_var_run_t)
-')
diff --git a/pyicqt.te b/pyicqt.te
deleted file mode 100644
index f2863ded4a..0000000000
--- a/pyicqt.te
+++ /dev/null
@@ -1,92 +0,0 @@
-policy_module(pyicqt, 1.1.0)
-
-########################################
-#
-# Declarations
-#
-
-type pyicqt_t;
-type pyicqt_exec_t;
-init_daemon_domain(pyicqt_t, pyicqt_exec_t)
-
-type pyicqt_initrc_exec_t;
-init_script_file(pyicqt_initrc_exec_t)
-
-type pyicqt_conf_t;
-files_config_file(pyicqt_conf_t)
-
-type pyicqt_log_t;
-logging_log_file(pyicqt_log_t)
-
-type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
-
-type pyicqt_var_run_t;
-files_pid_file(pyicqt_var_run_t)
-
-########################################
-#
-# Local policy
-#
-
-allow pyicqt_t self:process signal_perms;
-allow pyicqt_t self:fifo_file rw_fifo_file_perms;
-allow pyicqt_t self:tcp_socket { accept listen };
-
-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
-
-allow pyicqt_t pyicqt_log_t:file append_file_perms;
-allow pyicqt_t pyicqt_log_t:file create_file_perms;
-allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-
-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
-
-manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
-files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
-
-kernel_read_system_state(pyicqt_t)
-
-corecmd_exec_bin(pyicqt_t)
-
-corenet_all_recvfrom_unlabeled(pyicqt_t)
-corenet_all_recvfrom_netlabel(pyicqt_t)
-corenet_tcp_sendrecv_generic_if(pyicqt_t)
-corenet_tcp_sendrecv_generic_node(pyicqt_t)
-corenet_tcp_bind_generic_node(pyicqt_t)
-
-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
-# corenet_tcp_bind_jabber_router_port(pyicqt_t)
-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
-# corenet_tcp_connect_jabber_router_port(pyicqt_t)
-# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t)
-
-dev_read_sysfs(pyicqt_t)
-dev_read_urand(pyicqt_t)
-
-files_read_usr_files(pyicqt_t)
-
-fs_getattr_all_fs(pyicqt_t)
-
-auth_use_nsswitch(pyicqt_t)
-
-libs_read_lib_files(pyicqt_t)
-
-logging_send_syslog_msg(pyicqt_t)
-
-miscfiles_read_localization(pyicqt_t)
-
-optional_policy(`
-	jabber_manage_lib_files(pyicqt_t)
-')
-
-optional_policy(`
-	mysql_stream_connect(pyicqt_t)
-	mysql_tcp_connect(pyicqt_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(pyicqt_t)
-')
diff --git a/pyzor.fc b/pyzor.fc
index af13139a14..a927c5a156 100644
--- a/pyzor.fc
+++ b/pyzor.fc
@@ -1,12 +1,13 @@
-HOME_DIR/\.pyzor(/.*)?	gen_context(system_u:object_r:pyzor_home_t,s0)
-
-/etc/pyzor(/.*)?	gen_context(system_u:object_r:pyzor_etc_t, s0)
-
+/etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 /etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
 
-/usr/bin/pyzor	--	gen_context(system_u:object_r:pyzor_exec_t,s0)
-/usr/bin/pyzord	--	gen_context(system_u:object_r:pyzord_exec_t,s0)
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 
-/var/lib/pyzord(/.*)?	gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+/usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
+/usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
 
+/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
 /var/log/pyzord\.log.*	--	gen_context(system_u:object_r:pyzord_log_t,s0)
diff --git a/pyzor.if b/pyzor.if
index 593c03d098..2c411af3ee 100644
--- a/pyzor.if
+++ b/pyzor.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Role access for pyzor.
+##	Role access for pyzor
 ## </summary>
 ## <param name="role">
 ##	<summary>
@@ -14,31 +14,30 @@
 ##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`pyzor_role',`
 	gen_require(`
-		attribute_role pyzor_roles;
-		type pyzor_t, pyzor_exec_t, pyzor_home_t;
-		type pyzor_tmp_t;
+		type pyzor_t, pyzor_exec_t;
+		type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
 	')
 
-	roleattribute $1 pyzor_roles;
+	role $1 types pyzor_t;
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, pyzor_exec_t, pyzor_t)
 
-	allow $2 pyzor_t:process { ptrace signal_perms };
+	# allow ps to show pyzor and allow the user to kill it 
 	ps_process_pattern($2, pyzor_t)
-
-	allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2  { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")
+	allow $2 pyzor_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 pyzor_t:process ptrace;
+	')
 ')
 
 ########################################
 ## <summary>
-##	Send generic signals to pyzor.
+##	Send generic signals to pyzor
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',`
 		type pyzor_exec_t, pyzor_t;
 	')
 
+	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, pyzor_exec_t, pyzor_t)
 ')
@@ -88,14 +88,15 @@ interface(`pyzor_exec',`
 		type pyzor_exec_t;
 	')
 
+	files_search_usr($1)
 	corecmd_search_bin($1)
 	can_exec($1, pyzor_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an pyzor environment.
+##	All of the rules required to administrate
+##	an pyzor environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -104,33 +105,37 @@ interface(`pyzor_exec',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the pyzor domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`pyzor_admin',`
 	gen_require(`
-		type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t;
-		type pyzor_var_lib_t, pyzor_etc_t;
+		type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+		type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
 	')
 
-	allow $1 pyzord_t:process { ptrace signal_perms };
+	allow $1 pyzord_t:process signal_perms;
 	ps_process_pattern($1, pyzord_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 pyzord_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 pyzord_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
-	admin_pattern($1, pyzor_etc_t)
+	files_list_tmp($1)
+	admin_pattern($1, pyzor_tmp_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, pyzord_log_t)
 
-	files_search_var_lib($1)
-	admin_pattern($1, pyzor_var_lib_t)
+	files_list_etc($1)
+	admin_pattern($1, pyzor_etc_t)
 
-	pyzor_role($2, $1)
+	files_list_var_lib($1)
+	admin_pattern($1, pyzor_var_lib_t)
 ')
diff --git a/pyzor.te b/pyzor.te
index 2439d1304e..d7bd6e9a10 100644
--- a/pyzor.te
+++ b/pyzor.te
@@ -5,57 +5,78 @@ policy_module(pyzor, 2.3.0)
 # Declarations
 #
 
-attribute_role pyzor_roles;
-roleattribute system_r pyzor_roles;
-
-type pyzor_t;
-type pyzor_exec_t;
-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-userdom_user_application_domain(pyzor_t, pyzor_exec_t)
-role pyzor_roles types pyzor_t;
-
-type pyzor_etc_t;
-files_type(pyzor_etc_t)
-
-type pyzor_home_t;
-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
-userdom_user_home_content(pyzor_home_t)
-
-type pyzor_tmp_t;
-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
-userdom_user_tmp_file(pyzor_tmp_t)
-
-type pyzor_var_lib_t;
-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
-files_type(pyzor_var_lib_t)
-ubac_constrained(pyzor_var_lib_t)
-
-type pyzord_t;
-type pyzord_exec_t;
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
-type pyzord_initrc_exec_t;
-init_script_file(pyzord_initrc_exec_t)
-
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+ifdef(`distro_redhat',`
+	gen_require(`
+		type spamc_t, spamc_exec_t, spamd_t;
+		type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
+		type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
+		type spamc_tmp_t, spamc_home_t;
+	')
+
+	typealias spamc_t alias pyzor_t;
+	typealias spamc_exec_t alias pyzor_exec_t;
+	typealias spamd_t alias pyzord_t;
+	typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+	typealias spamd_exec_t alias pyzord_exec_t;
+	typealias spamc_tmp_t alias pyzor_tmp_t;
+	typealias spamd_log_t alias pyzor_log_t;
+	typealias spamd_log_t alias pyzord_log_t;
+	typealias spamd_var_lib_t alias pyzor_var_lib_t;
+	typealias spamd_etc_t alias pyzor_etc_t;
+	typealias spamc_home_t alias pyzor_home_t;
+	typealias spamc_home_t alias user_pyzor_home_t;
+',`
+	type pyzor_t;
+	type pyzor_exec_t;
+	typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+	typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
+	application_domain(pyzor_t, pyzor_exec_t)
+	ubac_constrained(pyzor_t)
+	role system_r types pyzor_t;
+
+	type pyzor_etc_t;
+	files_config_file(pyzor_etc_t)
+
+	type pyzor_home_t;
+	typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+	typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+	userdom_user_home_content(pyzor_home_t)
+
+	type pyzor_tmp_t;
+	typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+	typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
+	files_tmp_file(pyzor_tmp_t)
+	ubac_constrained(pyzor_tmp_t)
+
+	type pyzor_var_lib_t;
+	typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+	typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
+	files_type(pyzor_var_lib_t)
+	ubac_constrained(pyzor_var_lib_t)
+
+	type pyzord_t;
+	type pyzord_exec_t;
+	init_daemon_domain(pyzord_t, pyzord_exec_t)
+
+	type pyzord_log_t;
+	logging_log_file(pyzord_log_t)
+')
 
 ########################################
 #
-# Local policy
+# Pyzor client local policy
 #
 
+allow pyzor_t self:udp_socket create_socket_perms;
+
 manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
 manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
 manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
-userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
 
 allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
 read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
+files_search_var_lib(pyzor_t)
 
 manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
 manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
@@ -67,41 +88,28 @@ kernel_read_system_state(pyzor_t)
 corecmd_list_bin(pyzor_t)
 corecmd_getattr_bin_files(pyzor_t)
 
-corenet_all_recvfrom_unlabeled(pyzor_t)
-corenet_all_recvfrom_netlabel(pyzor_t)
 corenet_tcp_sendrecv_generic_if(pyzor_t)
+corenet_udp_sendrecv_generic_if(pyzor_t)
 corenet_tcp_sendrecv_generic_node(pyzor_t)
-
-corenet_sendrecv_http_client_packets(pyzor_t)
+corenet_udp_sendrecv_generic_node(pyzor_t)
+corenet_tcp_sendrecv_all_ports(pyzor_t)
+corenet_udp_sendrecv_all_ports(pyzor_t)
 corenet_tcp_connect_http_port(pyzor_t)
-corenet_tcp_sendrecv_http_port(pyzor_t)
 
 dev_read_urand(pyzor_t)
 
-fs_getattr_all_fs(pyzor_t)
-fs_search_auto_mountpoints(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
 
 auth_use_nsswitch(pyzor_t)
 
-miscfiles_read_localization(pyzor_t)
 
 mta_read_queue(pyzor_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(pyzor_t)
-	fs_manage_nfs_files(pyzor_t)
-	fs_manage_nfs_symlinks(pyzor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(pyzor_t)
-	fs_manage_cifs_files(pyzor_t)
-	fs_manage_cifs_symlinks(pyzor_t)
-')
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
 
 optional_policy(`
-	amavis_manage_lib_files(pyzor_t)
-	amavis_manage_spool_files(pyzor_t)
+	antivirus_manage_db(pyzor_t)
 ')
 
 optional_policy(`
@@ -111,25 +119,24 @@ optional_policy(`
 
 ########################################
 #
-# Daemon local policy
+# Pyzor server local policy
 #
 
-allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms;
+allow pyzord_t self:udp_socket create_socket_perms;
+
 manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
+allow pyzord_t pyzor_var_lib_t:dir setattr;
 files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
 
+read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
 allow pyzord_t pyzor_etc_t:dir list_dir_perms;
-allow pyzord_t pyzor_etc_t:file read_file_perms;
-allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms;
 
+can_exec(pyzord_t, pyzor_exec_t)
+
+manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
 allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
-append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
-setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
 logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
 
-can_exec(pyzord_t, pyzor_exec_t)
-
 kernel_read_kernel_sysctls(pyzord_t)
 kernel_read_system_state(pyzord_t)
 
@@ -137,24 +144,25 @@ dev_read_urand(pyzord_t)
 
 corecmd_exec_bin(pyzord_t)
 
-corenet_all_recvfrom_unlabeled(pyzord_t)
 corenet_all_recvfrom_netlabel(pyzord_t)
 corenet_udp_sendrecv_generic_if(pyzord_t)
 corenet_udp_sendrecv_generic_node(pyzord_t)
+corenet_udp_sendrecv_all_ports(pyzord_t)
 corenet_udp_bind_generic_node(pyzord_t)
-
-corenet_sendrecv_pyzor_server_packets(pyzord_t)
 corenet_udp_bind_pyzor_port(pyzord_t)
-corenet_udp_sendrecv_pyzor_port(pyzord_t)
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
 
-auth_use_nsswitch(pyzord_t)
 
-logging_send_syslog_msg(pyzord_t)
+auth_use_nsswitch(pyzord_t)
 
 locallogin_dontaudit_use_fds(pyzord_t)
 
-miscfiles_read_localization(pyzord_t)
 
+# Do not audit attempts to access /root.
 userdom_dontaudit_search_user_home_dirs(pyzord_t)
 
 mta_manage_spool(pyzord_t)
+
+optional_policy(`
+	logging_send_syslog_msg(pyzord_t)
+')
diff --git a/qemu.fc b/qemu.fc
index 86ea53ce18..a2dcf7bb2f 100644
--- a/qemu.fc
+++ b/qemu.fc
@@ -1,4 +1,4 @@
-/usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
 /usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 /usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 /usr/bin/kvm		--	gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
index eaf56b8b02..8894726888 100644
--- a/qemu.if
+++ b/qemu.if
@@ -1,19 +1,21 @@
-## <summary>QEMU machine emulator and virtualizer.</summary>
+## <summary>QEMU machine emulator and virtualizer</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a qemu domain.
+##	Creates types and rules for a basic
+##	qemu process domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
 template(`qemu_domain_template',`
+
 	##############################
 	#
-	# Declarations
+	# Local Policy
 	#
 
 	type $1_t;
@@ -22,9 +24,12 @@ template(`qemu_domain_template',`
 	type $1_tmp_t;
 	files_tmp_file($1_tmp_t)
 
+	type $1_tmpfs_t;
+	files_tmpfs_file($1_tmpfs_t)
+
 	##############################
 	#
-	# Policy
+	# Local Policy
 	#
 
 	allow $1_t self:capability { dac_read_search dac_override };
@@ -39,9 +44,12 @@ template(`qemu_domain_template',`
 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
 	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
 
+	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
+
 	kernel_read_system_state($1_t)
 
-	corenet_all_recvfrom_unlabeled($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_generic_if($1_t)
 	corenet_tcp_sendrecv_generic_node($1_t)
@@ -61,7 +69,6 @@ template(`qemu_domain_template',`
 
 	fs_list_inotifyfs($1_t)
 	fs_rw_anon_inodefs_files($1_t)
-	fs_rw_tmpfs_files($1_t)
 
 	storage_raw_write_removable_device($1_t)
 	storage_raw_read_removable_device($1_t)
@@ -70,11 +77,10 @@ template(`qemu_domain_template',`
 	term_getattr_pty_fs($1_t)
 	term_use_generic_ptys($1_t)
 
-	miscfiles_read_localization($1_t)
 
 	sysnet_read_config($1_t)
 
-	userdom_use_user_terminals($1_t)
+	userdom_use_inherited_user_terminals($1_t)
 	userdom_attach_admin_tun_iface($1_t)
 
 	optional_policy(`
@@ -96,40 +102,14 @@ template(`qemu_domain_template',`
 	')
 ')
 
-########################################
-## <summary>
-##	Role access for qemu.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-template(`qemu_role',`
-	gen_require(`
-		type qemu_t;
-	')
-
-	qemu_run($2, $1)
-
-	allow $2 qemu_t:process { ptrace signal_perms };
-	ps_process_pattern($2, qemu_t)
-')
-
 ########################################
 ## <summary>
 ##	Execute a domain transition to run qemu.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`qemu_domtrans',`
@@ -137,18 +117,17 @@ interface(`qemu_domtrans',`
 		type qemu_t, qemu_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, qemu_exec_t, qemu_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a qemu in the caller domain.
+##	Execute a qemu in the callers domain
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`qemu_exec',`
@@ -156,15 +135,12 @@ interface(`qemu_exec',`
 		type qemu_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, qemu_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute qemu in the qemu domain,
-##	and allow the specified role the
-##	qemu domain.
+##	Execute qemu in the qemu domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -173,23 +149,25 @@ interface(`qemu_exec',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to allow the qemu domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`qemu_run',`
 	gen_require(`
-		attribute_role qemu_roles;
+		type qemu_t;
 	')
 
 	qemu_domtrans($1)
-	roleattribute $2 qemu_roles;
+	role $2 types qemu_t;
+	allow qemu_t $1:process signull;
+	allow $1 qemu_t:process signull;
 ')
 
 ########################################
 ## <summary>
-##	Read qemu process state files.
+##	Allow the domain to read state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -202,15 +180,12 @@ interface(`qemu_read_state',`
 		type qemu_t;
 	')
 
-	kernel_search_proc($1)
-	allow $1 qemu_t:dir list_dir_perms;
-	allow $1 qemu_t:file read_file_perms;
-	allow $1 qemu_t:lnk_file read_lnk_file_perms;
+	read_files_pattern($1, qemu_t, qemu_t)
 ')
 
 ########################################
 ## <summary>
-##	Set qemu scheduler.
+##	Set the schedule on qemu.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -228,7 +203,7 @@ interface(`qemu_setsched',`
 
 ########################################
 ## <summary>
-##	Send generic signals to qemu.
+##	Send a signal to qemu.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -246,7 +221,7 @@ interface(`qemu_signal',`
 
 ########################################
 ## <summary>
-##	Send kill signals to qemu.
+##	Send a sigill to qemu
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -264,28 +239,68 @@ interface(`qemu_kill',`
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run qemu unconfined.
+##	Execute qemu_exec_t 
+##	in the specified domain but do not
+##	do it automatically. This is an explicit
+##	transition, requiring the caller to use setexeccon().
 ## </summary>
+## <desc>
+##	<p>
+##	Execute qemu_exec_t 
+##	in the specified domain.  This allows
+##	the specified domain to qemu programs
+##	on these filesystems in the specified
+##	domain.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
 ##	</summary>
 ## </param>
 #
-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_spec_domtrans',`
 	gen_require(`
-		type unconfined_qemu_t, qemu_exec_t;
+		type qemu_exec_t;
 	')
+  
+	read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+	domain_transition_pattern($1, qemu_exec_t, $2)
+  	domain_entry_file($2,qemu_exec_t)
+	can_exec($1,qemu_exec_t)
+
+	allow $2 $1:fd use;
+	allow $2 $1:fifo_file rw_fifo_file_perms;
+	allow $2 $1:process sigchld;
+')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+########################################
+## <summary>
+##	Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to allow the qemu unconfined domain.
+##	</summary>
+## </param>
+#
+interface(`qemu_unconfined_role',`
+	gen_require(`
+		type unconfined_qemu_t;
+		type qemu_t;
+	')
+	role $1 types unconfined_qemu_t;
+	role $1 types qemu_t;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	qemu temporary directories.
+##	Manage qemu temporary dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -298,14 +313,12 @@ interface(`qemu_manage_tmp_dirs',`
 		type qemu_tmp_t;
 	')
 
-	files_search_tmp($1)
 	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	qemu temporary files.
+##	Manage qemu temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -318,59 +331,42 @@ interface(`qemu_manage_tmp_files',`
 		type qemu_tmp_t;
 	')
 
-	files_search_tmp($1)
 	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute qemu in a specified domain.
+##     Make qemu_exec_t an entrypoint for
+##     the specified domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Execute qemu in a specified domain.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-## </desc>
-## <param name="source_domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
+## <param name="domain">
+##     <summary>
+##     The domain for which qemu_exec_t is an entrypoint.
+##     </summary>
 ## </param>
 #
-interface(`qemu_spec_domtrans',`
+interface(`qemu_entry_type',`
 	gen_require(`
 		type qemu_exec_t;
 	')
 
-	corecmd_search_bin($1)
-	domain_auto_trans($1, qemu_exec_t, $2)
+	domain_entry_file($1, qemu_exec_t)
 ')
 
-######################################
+#######################################
 ## <summary>
-##	Make qemu executable files an
-##	entrypoint for the specified domain.
+##  Getattr on qemu executable.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	The domain for which qemu_exec_t is an entrypoint.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 #
-interface(`qemu_entry_type',`
-	gen_require(`
-		type qemu_exec_t;
-	')
+interface(`qemu_getattr_exec',`
+    gen_require(`
+        type qemu_exec_t;
+    ')
 
-	domain_entry_file($1, qemu_exec_t)
+	allow $1 qemu_exec_t:file getattr;
 ')
diff --git a/qemu.te b/qemu.te
index 4f90743435..958c0ef1e1 100644
--- a/qemu.te
+++ b/qemu.te
@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether qemu has full
-##	access to the network.
-##	</p>
+## <p>
+## Allow qemu to connect fully to the network
+## </p>
 ## </desc>
 gen_tunable(qemu_full_network, false)
 
-attribute_role qemu_roles;
-roleattribute system_r qemu_roles;
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
 
-type qemu_exec_t;
-application_executable_file(qemu_exec_t)
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
 
 virt_domain_template(qemu)
-role qemu_roles types qemu_t;
+role system_r types qemu_t;
 
 ########################################
 #
-# Local policy
+# qemu local policy
 #
 
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmp_files(qemu_t)
+userdom_stream_connect(qemu_t)
+
 tunable_policy(`qemu_full_network',`
+	allow qemu_t self:udp_socket create_socket_perms;
+
 	corenet_udp_sendrecv_generic_if(qemu_t)
 	corenet_udp_sendrecv_generic_node(qemu_t)
 	corenet_udp_sendrecv_all_ports(qemu_t)
@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',`
 	corenet_tcp_connect_all_ports(qemu_t)
 ')
 
+tunable_policy(`qemu_use_cifs',`
+	fs_manage_cifs_dirs(qemu_t)
+	fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+	term_use_unallocated_ttys(qemu_t)
+	dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+	fs_manage_nfs_dirs(qemu_t)
+	fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+	dev_rw_usbfs(qemu_t)
+	fs_manage_dos_dirs(qemu_t)
+	fs_manage_dos_files(qemu_t)
+')
+
 optional_policy(`
-	xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
+	dbus_read_lib_files(qemu_t)
 ')
 
-########################################
-#
-# Unconfined local policy
-#
+optional_policy(`
+	pulseaudio_manage_home_files(qemu_t)
+	pulseaudio_stream_connect(qemu_t)
+')
+
+optional_policy(`
+	tunable_policy(`qemu_use_cifs',`
+		samba_domtrans_smbd(qemu_t)
+	')
+')
 
 optional_policy(`
-	type unconfined_qemu_t;
-	typealias unconfined_qemu_t alias qemu_unconfined_t;
-	application_type(unconfined_qemu_t)
-	unconfined_domain(unconfined_qemu_t)
+	virt_domtrans_bridgehelper(qemu_t)
+')
+
+optional_policy(`
+	virt_manage_home_files(qemu_t)
+	virt_manage_images(qemu_t)
+	virt_append_log(qemu_t)
+')
 
-	allow unconfined_qemu_t self:process { execstack execmem };
-	allow unconfined_qemu_t qemu_exec_t:file execmod;
+optional_policy(`
+	xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+	xserver_read_xdm_pid(qemu_t)
+	xserver_stream_connect(qemu_t)
 ')
diff --git a/qmail.fc b/qmail.fc
index e53fe5a975..edee505d72 100644
--- a/qmail.fc
+++ b/qmail.fc
@@ -1,22 +1,6 @@
-/etc/qmail(/.*)?	gen_context(system_u:object_r:qmail_etc_t,s0)
-
-/usr/bin/tcp-env	--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
-/usr/sbin/qmail-clean	--	gen_context(system_u:object_r:qmail_clean_exec_t,s0)
-/usr/sbin/qmail-getpw	--	gen_context(system_u:object_r:qmail_exec_t,s0)
-/usr/sbin/qmail-inject	--	gen_context(system_u:object_r:qmail_inject_exec_t,s0)
-/usr/sbin/qmail-local	--	gen_context(system_u:object_r:qmail_local_exec_t,s0)
-/usr/sbin/qmail-lspawn	--	gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
-/usr/sbin/qmail-queue	--	gen_context(system_u:object_r:qmail_queue_exec_t,s0)
-/usr/sbin/qmail-remote	--	gen_context(system_u:object_r:qmail_remote_exec_t,s0)
-/usr/sbin/qmail-rspawn	--	gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
-/usr/sbin/qmail-send	--	gen_context(system_u:object_r:qmail_send_exec_t,s0)
-/usr/sbin/qmail-smtpd	--	gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
-/usr/sbin/qmail-start	--	gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/usr/sbin/splogger	--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-
-/var/qmail/alias	-d	gen_context(system_u:object_r:qmail_alias_home_t,s0)
-/var/qmail/alias(/.*)?	gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/alias		-d	gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)?			gen_context(system_u:object_r:qmail_alias_home_t,s0)
 
 /var/qmail/bin/qmail-clean	--	gen_context(system_u:object_r:qmail_clean_exec_t,s0)
 /var/qmail/bin/qmail-getpw	--	gen_context(system_u:object_r:qmail_exec_t,s0)
@@ -29,9 +13,36 @@
 /var/qmail/bin/qmail-send	--	gen_context(system_u:object_r:qmail_send_exec_t,s0)
 /var/qmail/bin/qmail-smtpd	--	gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
 /var/qmail/bin/qmail-start	--	gen_context(system_u:object_r:qmail_start_exec_t,s0)
-/var/qmail/bin/splogger	--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
-/var/qmail/bin/tcp-env	--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+/var/qmail/bin/splogger		--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env		--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)?		gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/qmail/owners(/.*)?		gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)?			gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)?			gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/usr/bin/tcp-env		--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+#/usr/bin/serialmail/.*	--	gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+/usr/sbin/qmail-clean		--	gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/usr/sbin/qmail-getpw		--	gen_context(system_u:object_r:qmail_exec_t,s0)
+/usr/sbin/qmail-inject		--	gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/usr/sbin/qmail-local		--	gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/usr/sbin/qmail-lspawn		--	gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/usr/sbin/qmail-queue		--	gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/usr/sbin/qmail-remote		--	gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/usr/sbin/qmail-rspawn		--	gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/usr/sbin/qmail-send		--	gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/usr/sbin/qmail-smtpd		--	gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/usr/sbin/qmail-start		--	gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/usr/sbin/splogger		--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+
+/var/qmail(/.*)?			gen_context(system_u:object_r:qmail_etc_t,s0)
 
-/var/qmail(/.*)?	gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/spool/qmail(/.*)?			gen_context(system_u:object_r:qmail_spool_t,s0)
+')
 
-/var/spool/qmail(/.*)?	gen_context(system_u:object_r:qmail_spool_t,s0)
diff --git a/qmail.if b/qmail.if
index e4f0000e5e..05e219e13d 100644
--- a/qmail.if
+++ b/qmail.if
@@ -1,12 +1,12 @@
-## <summary>Qmail Mail Server.</summary>
+## <summary>Qmail Mail Server</summary>
 
 ########################################
 ## <summary>
-##	Template for qmail parent/sub-domain pairs.
+##	Template for qmail parent/sub-domain pairs
 ## </summary>
 ## <param name="child_prefix">
 ##	<summary>
-##	The prefix of the child domain.
+##	The prefix of the child domain
 ##	</summary>
 ## </param>
 ## <param name="parent_domain">
@@ -16,35 +16,39 @@
 ## </param>
 #
 template(`qmail_child_domain_template',`
-	gen_require(`
-		attribute qmail_child_domain;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_t, qmail_child_domain;
-	type $1_exec_t;
+	type $1_t;
 	domain_type($1_t)
+	type $1_exec_t;
 	domain_entry_file($1_t, $1_exec_t)
-
+	domain_auto_trans($2, $1_exec_t, $1_t)
 	role system_r types $1_t;
 
-	########################################
-	#
-	# Policy
-	#
+	allow $1_t self:process signal_perms;
+
+	allow $1_t $2:fd use;
+	allow $1_t $2:fifo_file rw_file_perms;
+	allow $1_t $2:process sigchld;
+
+	allow $1_t qmail_etc_t:dir list_dir_perms;
+	allow $1_t qmail_etc_t:file read_file_perms;
+	allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
+
+	allow $1_t qmail_start_t:fd use;
+
+	kernel_list_proc($2)
+	kernel_read_proc_symlinks($2)
 
-	domtrans_pattern($2, $1_exec_t, $1_t)
+	corecmd_search_bin($1_t)
+
+	files_search_var($1_t)
+
+	fs_getattr_xattr_fs($1_t)
 
-	kernel_read_system_state($2)
 ')
 
 ########################################
 ## <summary>
-##	Transition to qmail_inject_t.
+##	Transition to qmail_inject_t
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',`
 		type qmail_inject_t, qmail_inject_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
 
 	ifdef(`distro_debian',`
 		files_search_usr($1)
-		corecmd_search_bin($1)
 	',`
 		files_search_var($1)
 	')
@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',`
 
 ########################################
 ## <summary>
-##	Transition to qmail_queue_t.
+##	Transition to qmail_queue_t
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',`
 		type qmail_queue_t, qmail_queue_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
 
 	ifdef(`distro_debian',`
 		files_search_usr($1)
-		corecmd_search_bin($1)
 	',`
 		files_search_var($1)
 	')
@@ -108,20 +112,21 @@ interface(`qmail_read_config',`
 		type qmail_etc_t;
 	')
 
-	files_search_var($1)
 	allow $1 qmail_etc_t:dir list_dir_perms;
 	allow $1 qmail_etc_t:file read_file_perms;
 	allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
+	files_search_var($1)
 
 	ifdef(`distro_debian',`
+		# handle /etc/qmail
 		files_search_etc($1)
 	')
 ')
 
 ########################################
 ## <summary>
-##	Define the specified domain as a
-##	qmail-smtp service.
+##	Define the specified domain as a qmail-smtp service. 
+##	Needed by antivirus/antispam filters.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
 
 	domtrans_pattern(qmail_smtpd_t, $2, $1)
 ')
+
+########################################
+## <summary>
+##      Create, read, write, and delete qmail
+##      spool directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`qmail_manage_spool_dirs',`
+        gen_require(`
+                type qmail_spool_t;
+        ')
+
+        manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+## <summary>
+##      Create, read, write, and delete qmail
+##      spool files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`qmail_manage_spool_files',`
+        gen_require(`
+                type qmail_spool_t;
+        ')
+
+        manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
+')
+
+########################################
+## <summary>
+##      Read and write to qmail spool pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`qmail_rw_spool_pipes',`
+        gen_require(`
+                type qmail_spool_t;
+        ')
+
+        allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/qmail.te b/qmail.te
index 87429441ca..53a2fe597d 100644
--- a/qmail.te
+++ b/qmail.te
@@ -5,7 +5,7 @@ policy_module(qmail, 1.6.1)
 # Declarations
 #
 
-attribute qmail_child_domain;
+attribute qmail_user_domains;
 
 type qmail_alias_home_t;
 files_type(qmail_alias_home_t)
@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t)
 type qmail_exec_t;
 files_type(qmail_exec_t)
 
-type qmail_inject_t;
+type qmail_inject_t, qmail_user_domains;
 type qmail_inject_exec_t;
 domain_type(qmail_inject_t)
 domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
@@ -32,21 +32,25 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
 mta_mailserver_delivery(qmail_lspawn_t)
 
 qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
 mta_mailserver_user_agent(qmail_queue_t)
 
 qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
 mta_mailserver_sender(qmail_remote_t)
 
 qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
 qmail_child_domain_template(qmail_send, qmail_start_t)
+
 qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
 qmail_child_domain_template(qmail_splogger, qmail_start_t)
 
 type qmail_keytab_t;
 files_type(qmail_keytab_t)
 
 type qmail_spool_t;
-files_type(qmail_spool_t)
+files_spool_file(qmail_spool_t)
 
 type qmail_start_t;
 type qmail_start_exec_t;
@@ -58,28 +62,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
 
 ########################################
 #
-# Common qmail child domain local policy
-#
-
-allow qmail_child_domain self:process signal_perms;
-
-allow qmail_child_domain qmail_etc_t:dir list_dir_perms;
-allow qmail_child_domain qmail_etc_t:file read_file_perms;
-allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms;
-
-allow qmail_child_domain qmail_start_t:fd use;
-
-corecmd_search_bin(qmail_child_domain)
-
-files_search_var(qmail_child_domain)
-
-fs_getattr_xattr_fs(qmail_child_domain)
-
-miscfiles_read_localization(qmail_child_domain)
-
-########################################
-#
-# Clean local policy
+# qmail-clean local policy
+#	this component cleans up the queue directory
 #
 
 read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
@@ -87,11 +71,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
 
 ########################################
 #
-# Inject local policy
+# qmail-inject local policy
+#	this component preprocesses mail from stdin and invokes qmail-queue
 #
 
-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
 allow qmail_inject_t self:process signal_perms;
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
 
 allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
 
@@ -99,18 +84,18 @@ corecmd_search_bin(qmail_inject_t)
 
 files_search_var(qmail_inject_t)
 
-miscfiles_read_localization(qmail_inject_t)
 
 qmail_read_config(qmail_inject_t)
 
 ########################################
 #
-# Local local policy
+# qmail-local local policy
+#	this component delivers a mail message
 #
 
-allow qmail_local_t self:fifo_file write_fifo_file_perms;
 allow qmail_local_t self:process signal_perms;
-allow qmail_local_t self:unix_stream_socket { accept listen };
+allow qmail_local_t self:fifo_file write_file_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
 manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
@@ -136,13 +121,18 @@ mta_append_spool(qmail_local_t)
 
 qmail_domtrans_queue(qmail_local_t)
 
+optional_policy(`
+	uucp_domtrans(qmail_local_t)
+')
+
 optional_policy(`
 	spamassassin_domtrans_client(qmail_local_t)
 ')
 
 ########################################
 #
-# Lspawn local policy
+# qmail-lspawn local policy
+#	this component schedules local deliveries
 #
 
 allow qmail_lspawn_t self:capability { setuid setgid };
@@ -156,21 +146,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
 
 read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
 
-files_read_etc_files(qmail_lspawn_t)
+corecmd_search_bin(qmail_lspawn_t)
+
 files_search_pids(qmail_lspawn_t)
 files_search_tmp(qmail_lspawn_t)
 
 ########################################
 #
-# Queue local policy
+# qmail-queue local policy
+#	this component places a mail in a delivery queue, later to be processed by qmail-send
 #
 
 allow qmail_queue_t qmail_lspawn_t:fd use;
 allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
 
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
 allow qmail_queue_t qmail_smtpd_t:fd use;
 allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
 
 manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@@ -186,28 +178,34 @@ optional_policy(`
 
 ########################################
 #
-# Remote local policy
+# qmail-remote local policy
+#	this component sends mail via SMTP
 #
 
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
 rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
 
-corenet_all_recvfrom_unlabeled(qmail_remote_t)
 corenet_all_recvfrom_netlabel(qmail_remote_t)
 corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
 corenet_tcp_sendrecv_generic_node(qmail_remote_t)
-
-corenet_sendrecv_smtp_client_packets(qmail_remote_t)
-corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
 corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
 
 dev_read_rand(qmail_remote_t)
 dev_read_urand(qmail_remote_t)
 
-sysnet_dns_name_resolve(qmail_remote_t)
+sysnet_read_config(qmail_remote_t)
 
 ########################################
 #
-# Rspawn local policy
+# qmail-rspawn local policy
+#	this component scedules remote deliveries
 #
 
 allow qmail_rspawn_t self:process signal_perms;
@@ -217,9 +215,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
 
 rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
 
+corecmd_search_bin(qmail_rspawn_t)
+
 ########################################
 #
-# Send local policy
+# qmail-send local policy
+#	this component delivers mail messages from the queue
 #
 
 allow qmail_send_t self:process signal_perms;
@@ -237,7 +238,8 @@ optional_policy(`
 
 ########################################
 #
-# Smtpd local policy
+# qmail-smtpd local policy
+#	this component receives mails via SMTP
 #
 
 allow qmail_smtpd_t self:process signal_perms;
@@ -268,26 +270,26 @@ optional_policy(`
 
 ########################################
 #
-# Splogger local policy
+# splogger local policy
+#	this component creates entries in syslog
 #
 
 allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
 
-files_read_etc_files(qmail_splogger_t)
 
 init_dontaudit_use_script_fds(qmail_splogger_t)
 
-miscfiles_read_localization(qmail_splogger_t)
 
 ########################################
 #
-# Start local policy
+# qmail-start local policy
+#	this component starts up the mail delivery component
 #
 
 allow qmail_start_t self:capability { setgid setuid };
 dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
 allow qmail_start_t self:process signal_perms;
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
 
 can_exec(qmail_start_t, qmail_start_exec_t)
 
@@ -304,7 +306,8 @@ optional_policy(`
 
 ########################################
 #
-# Tcp-env local policy
+# tcp-env local policy
+#	this component sets up TCP-related environment variables
 #
 
 allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/qpid.if b/qpid.if
index fe2adf8ae7..f7e9c70b02 100644
--- a/qpid.if
+++ b/qpid.if
@@ -1,4 +1,4 @@
-## <summary>Apache QPID AMQP messaging server.</summary>
+## <summary>policy for qpidd</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',`
 		type qpidd_t, qpidd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, qpidd_exec_t, qpidd_t)
 ')
 
-#####################################
+########################################
 ## <summary>
-##	Read and write access qpidd semaphores.
+##	Execute qpidd server in the qpidd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`qpidd_rw_semaphores',`
+interface(`qpidd_initrc_domtrans',`
 	gen_require(`
-		type qpidd_t;
+		type qpidd_initrc_exec_t;
 	')
 
-	allow $1 qpidd_t:sem rw_sem_perms;
+	init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write qpidd shared memory.
+##	Read qpidd PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',`
 ##	</summary>
 ## </param>
 #
-interface(`qpidd_rw_shm',`
+interface(`qpidd_read_pid_files',`
 	gen_require(`
-		type qpidd_t;
+		type qpidd_var_run_t;
 	')
 
-	allow $1 qpidd_t:shm rw_shm_perms;
+	files_search_pids($1)
+	allow $1 qpidd_var_run_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Execute qpidd init script in
-##	the initrc domain.
+##	Manage qpidd var_run files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`qpidd_initrc_domtrans',`
+interface(`qpidd_manage_var_run',`
 	gen_require(`
-		type qpidd_initrc_exec_t;
+		type qpidd_var_run_t;
 	')
 
-	init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+	files_search_pids($1)
+	manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+	manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+	manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Read qpidd pid files.
+##	Search qpidd lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`qpidd_read_pid_files',`
+interface(`qpidd_search_lib',`
 	gen_require(`
-		type qpidd_var_run_t;
+		type qpidd_var_lib_t;
 	')
 
-	files_search_pids($1)
-	allow $1 qpidd_var_run_t:file read_file_perms;
+	allow $1 qpidd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
 ')
 
 ########################################
 ## <summary>
-##	Search qpidd lib directories.
+##	Read qpidd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`qpidd_search_lib',`
+interface(`qpidd_read_lib_files',`
 	gen_require(`
 		type qpidd_var_lib_t;
 	')
 
 	files_search_var_lib($1)
-	allow $1 qpidd_var_lib_t:dir search_dir_perms;
+	read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Read qpidd lib files.
+##	Create, read, write, and delete
+##	qpidd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',`
 ##	</summary>
 ## </param>
 #
-interface(`qpidd_read_lib_files',`
+interface(`qpidd_manage_lib_files',`
 	gen_require(`
 		type qpidd_var_lib_t;
 	')
 
 	files_search_var_lib($1)
-	read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+	manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	qpidd lib files.
+##	Manage qpidd var_lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`qpidd_manage_lib_files',`
+interface(`qpidd_manage_var_lib',`
 	gen_require(`
 		type qpidd_var_lib_t;
 	')
 
 	files_search_var_lib($1)
+	manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 	manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+	manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 ')
 
-########################################
+#####################################
 ## <summary>
-##	All of the rules required to
-##	administrate an qpidd environment.
+##	Allow read and write access to qpidd semaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`qpidd_rw_semaphores',`
+	gen_require(`
+		type qpidd_t;
+	')
+
+	allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+#######################################
+## <summary>
+##  Read and write to qpidd shared memory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`qpidd_rw_shm',`
+	gen_require(`
+		type qpidd_t;
+		type qpidd_tmpfs_t;
+	')
+
+	allow $1 qpidd_t:shm rw_shm_perms;
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
+')
+
+#######################################
+## <summary>
+##  All of the rules required to
+##  administrate an qpidd environment.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access.
+##  </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`qpidd_admin',`
-	gen_require(`
-		type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
-		type qpidd_var_run_t;
-	')
+    gen_require(`
+        type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
+        type qpidd_var_run_t;
+    ')
 
-	allow $1 qpidd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, qpidd_t)
+    allow $1 qpidd_t:process { signal_perms };
+    ps_process_pattern($1, qpidd_t)
 
-	qpidd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 qpidd_initrc_exec_t system_r;
-	allow $2 system_r;
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 qpidd_t:process ptrace;
+    ')
 
-	files_search_var_lib($1)
-	admin_pattern($1, qpidd_var_lib_t)
+    qpidd_initrc_domtrans($1)
+    domain_system_change_exemption($1)
+    role_transition $2 qpidd_initrc_exec_t system_r;
+    allow $2 system_r;
 
-	files_search_pids($1)
-	admin_pattern($1, qpidd_var_run_t)
+    files_search_var_lib($1)
+    admin_pattern($1, qpidd_var_lib_t)
+
+    files_search_pids($1)
+    admin_pattern($1, qpidd_var_run_t)
 ')
diff --git a/qpid.te b/qpid.te
index 83eb09ef63..a5e7068f6a 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
 type qpidd_initrc_exec_t;
 init_script_file(qpidd_initrc_exec_t)
 
+type qpidd_tmp_t;
+files_tmp_file(qpidd_tmp_t)
+
 type qpidd_tmpfs_t;
 files_tmpfs_file(qpidd_tmpfs_t)
 
@@ -33,41 +36,58 @@ allow qpidd_t self:shm create_shm_perms;
 allow qpidd_t self:tcp_socket { accept listen };
 allow qpidd_t self:unix_stream_socket { accept listen };
 
+manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
+manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
+files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
+
 manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
 manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
 fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
 
-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
+manage_lnk_files_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir lnk_file })
+allow qpidd_t qpidd_var_lib_t:file map;
 
-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t,  qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t,  qpidd_var_run_t)
 files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
 
 kernel_read_system_state(qpidd_t)
+kernel_read_network_state(qpidd_t)
+
+auth_read_passwd(qpidd_t)
 
-corenet_all_recvfrom_unlabeled(qpidd_t)
 corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
 corenet_tcp_sendrecv_generic_if(qpidd_t)
 corenet_tcp_sendrecv_generic_node(qpidd_t)
-corenet_tcp_bind_generic_node(qpidd_t)
 
 corenet_sendrecv_amqp_server_packets(qpidd_t)
 corenet_tcp_bind_amqp_port(qpidd_t)
 corenet_tcp_sendrecv_amqp_port(qpidd_t)
+corenet_tcp_connect_amqp_port(qpidd_t)
+
+corenet_tcp_bind_matahari_port(qpidd_t)
+corenet_tcp_connect_matahari_port(qpidd_t)
 
 dev_read_sysfs(qpidd_t)
 dev_read_urand(qpidd_t)
+dev_read_rand(qpidd_t)
 
-files_read_etc_files(qpidd_t)
+# needed by ssl
+files_list_tmp(qpidd_t)
 
 logging_send_syslog_msg(qpidd_t)
 
-miscfiles_read_localization(qpidd_t)
-
 sysnet_dns_name_resolve(qpidd_t)
 
 optional_policy(`
-	corosync_stream_connect(qpidd_t)
+    kerberos_use(qpidd_t)
 ')
+
+optional_policy(`
+	rhcs_stream_connect_cluster(qpidd_t)
+')
+
diff --git a/quantum.fc b/quantum.fc
index 70ab68b02f..b985b65703 100644
--- a/quantum.fc
+++ b/quantum.fc
@@ -1,10 +1,34 @@
-/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/neutron.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/quantum.*	--	gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
 
-/usr/bin/quantum-server	--	gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-linuxbridge-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
-/usr/bin/quantum-ryu-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/neutron-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-l3-agent       --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-lbaas-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-metadata-agent    --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-netns-cleanup --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ns-metadata-proxy --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-rootwrap	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-linuxbridge-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-openvswitch-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ovs-cleanup    --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ryu-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-server	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-l3-agent       --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-linuxbridge-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-ovs-cleanup    --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-ryu-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/quantum-server	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 
-/var/lib/quantum(/.*)?	gen_context(system_u:object_r:quantum_var_lib_t,s0)
+/usr/lib/systemd/system/neutron.*	--	gen_context(system_u:object_r:neutron_unit_file_t,s0)
+/usr/lib/systemd/system/quantum.*	--	gen_context(system_u:object_r:neutron_unit_file_t,s0)
 
-/var/log/quantum(/.*)?	gen_context(system_u:object_r:quantum_log_t,s0)
+/var/lib/neutron(/.*)?	gen_context(system_u:object_r:neutron_var_lib_t,s0)
+/var/lib/quantum(/.*)?	gen_context(system_u:object_r:neutron_var_lib_t,s0)
+
+/var/log/neutron(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
+/var/log/quantum(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
+
+/var/run/neutron(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
+/var/run/quantum(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
diff --git a/quantum.if b/quantum.if
index afc00688df..e974fad4b5 100644
--- a/quantum.if
+++ b/quantum.if
@@ -2,41 +2,314 @@
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an quantum environment.
+##	Transition to neutron.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`neutron_domtrans',`
+	gen_require(`
+		type neutron_t, neutron_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, neutron_exec_t, neutron_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write neutron pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_rw_inherited_pipes',`
+	gen_require(`
+		type neutron_t;
+	')
+
+	allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Send sigchld to neutron.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+#
+interface(`neutron_sigchld',`
+	gen_require(`
+		type neutron_t;
+	')
+
+    allow $1 neutron_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read neutron's log files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-interface(`quantum_admin',`
+interface(`neutron_read_log',`
+	gen_require(`
+		type neutron_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
+##	Append to neutron log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_append_log',`
+	gen_require(`
+		type neutron_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
+##	Manage neutron log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_manage_log',`
+	gen_require(`
+		type neutron_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
+	manage_files_pattern($1, neutron_log_t, neutron_log_t)
+	manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
+')
+
+########################################
+## <summary>
+##	Search neutron lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_search_lib',`
+	gen_require(`
+		type neutron_var_lib_t;
+	')
+
+	allow $1 neutron_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read neutron lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_read_lib_files',`
 	gen_require(`
-		type quantum_t, quantum_initrc_exec_t, quantum_log_t;
-		type quantum_var_lib_t, quantum_tmp_t;
+		type neutron_var_lib_t;
 	')
 
-	allow $1 quantum_t:process { ptrace signal_perms };
-	ps_process_pattern($1, quantum_t)
+	files_search_var_lib($1)
+	read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage neutron lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_manage_lib_files',`
+	gen_require(`
+		type neutron_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+    manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage neutron lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_manage_lib_dirs',`
+	gen_require(`
+		type neutron_var_lib_t;
+	')
 
-	init_labeled_script_domtrans($1, quantum_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 quantum_initrc_exec_t system_r;
-	allow $2 system_r;
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read and write neutron fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_rw_fifo_file',`
+	gen_require(`
+		type neutron_t;
+	')
+
+	allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+#####################################
+## <summary>
+##	Connect to neutron over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_stream_connect',`
+	gen_require(`
+        type neutron_t;
+		type neutron_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
+')
+
+########################################
+## <summary>
+##	Execute neutron server in the neutron domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`neutron_systemctl',`
+	gen_require(`
+		type neutron_t;
+		type neutron_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 neutron_unit_file_t:file read_file_perms;
+	allow $1 neutron_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, neutron_t)
+')
+
+#######################################
+## <summary>
+##	Read neutron process state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_read_state',`
+	gen_require(`
+		type neutron_t;
+	')
+
+	allow $1 neutron_t:dir search_dir_perms;
+	allow $1 neutron_t:file read_file_perms;
+	allow $1 neutron_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an neutron environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`neutron_admin',`
+	gen_require(`
+		type neutron_t;
+		type neutron_log_t;
+		type neutron_var_lib_t;
+		type neutron_unit_file_t;
+	')
+
+	allow $1 neutron_t:process { ptrace signal_perms };
+	ps_process_pattern($1, neutron_t)
 
 	logging_search_logs($1)
-	admin_pattern($1, quantum_log_t)
+	admin_pattern($1, neutron_log_t)
 
 	files_search_var_lib($1)
-	admin_pattern($1, quantum_var_lib_t)
+	admin_pattern($1, neutron_var_lib_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, quantum_tmp_t)
+	neutron_systemctl($1)
+	admin_pattern($1, neutron_unit_file_t)
+	allow $1 neutron_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/quantum.te b/quantum.te
index 8644d8b3fb..6c415e8b98 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,185 @@ policy_module(quantum, 1.1.0)
 # Declarations
 #
 
-type quantum_t;
-type quantum_exec_t;
-init_daemon_domain(quantum_t, quantum_exec_t)
+## <desc>
+##  <p>
+##	Determine whether neutron can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(neutron_can_network, false)
 
-type quantum_initrc_exec_t;
-init_script_file(quantum_initrc_exec_t)
+type neutron_t alias quantum_t;
+type neutron_exec_t alias quantum_exec_t;
+init_daemon_domain(neutron_t, neutron_exec_t)
 
-type quantum_log_t;
-logging_log_file(quantum_log_t)
+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
+init_script_file(neutron_initrc_exec_t)
 
-type quantum_tmp_t;
-files_tmp_file(quantum_tmp_t)
+type neutron_log_t alias quantum_log_t;
+logging_log_file(neutron_log_t)
 
-type quantum_var_lib_t;
-files_type(quantum_var_lib_t)
+type neutron_tmp_t alias quantum_tmp_t;
+files_tmp_file(neutron_tmp_t)
+
+type neutron_var_lib_t alias quantum_var_lib_t;
+files_type(neutron_var_lib_t)
+
+type neutron_var_run_t alias quantum_var_run_t;
+files_pid_file(neutron_var_run_t)
+
+type neutron_unit_file_t alias quantum_unit_file_t;
+systemd_unit_file(neutron_unit_file_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow quantum_t self:capability { setgid setuid sys_resource };
-allow quantum_t self:process { setsched setrlimit };
-allow quantum_t self:fifo_file rw_fifo_file_perms;
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
-
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
-
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
-
-can_exec(quantum_t, quantum_tmp_t)
-
-kernel_read_kernel_sysctls(quantum_t)
-kernel_read_system_state(quantum_t)
-
-corecmd_exec_shell(quantum_t)
-corecmd_exec_bin(quantum_t)
-
-corenet_all_recvfrom_unlabeled(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
-corenet_tcp_sendrecv_generic_if(quantum_t)
-corenet_tcp_sendrecv_generic_node(quantum_t)
-corenet_tcp_sendrecv_all_ports(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
-
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
+allow neutron_t self:capability { chown dac_read_search dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen connectto };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
+allow neutron_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
+
+manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
+manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
+files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
+
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
+
+can_exec(neutron_t, neutron_tmp_t)
+
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
+
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
+
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
+corenet_tcp_sendrecv_generic_node(neutron_t)
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
+
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
+
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
+
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
+dev_unmount_sysfs_fs(neutron_t)
+
+files_mounton_non_security(neutron_t)
+
+auth_use_pam(neutron_t)
+
+init_rw_utmp(neutron_t)
+
+libs_exec_ldconfig(neutron_t)
+
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
+
+netutils_exec(neutron_t)
+
+# need to stay in neutron
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
+
+tunable_policy(`neutron_can_network',`
+	corenet_sendrecv_all_client_packets(neutron_t)
+	corenet_tcp_connect_all_ports(neutron_t)
+	corenet_tcp_sendrecv_all_ports(neutron_t)
+')
 
-files_read_usr_files(quantum_t)
+optional_policy(`
+    dbus_system_bus_client(neutron_t)
+')
 
-auth_use_nsswitch(quantum_t)
+optional_policy(`
+	brctl_domtrans(neutron_t)
+')
 
-libs_exec_ldconfig(quantum_t)
+optional_policy(`
+    dnsmasq_domtrans(neutron_t)
+    dnsmasq_signal(neutron_t)
+    dnsmasq_kill(neutron_t)
+    dnsmasq_read_state(neutron_t)
+')
 
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
+optional_policy(`
+    rhcs_domtrans_haproxy(neutron_t)
+    rhcs_stream_connect_haproxy(neutron_t)
+')
 
-miscfiles_read_localization(quantum_t)
+optional_policy(`
+    iptables_domtrans(neutron_t)
+')
 
-sysnet_domtrans_ifconfig(quantum_t)
+optional_policy(`
+    modutils_domtrans_insmod(neutron_t)
+')
 
 optional_policy(`
-	brctl_domtrans(quantum_t)
+	mysql_stream_connect(neutron_t)
+    mysql_read_db_lnk_files(neutron_t)
+	mysql_read_config(neutron_t)
+	mysql_tcp_connect(neutron_t)
 ')
 
 optional_policy(`
-	mysql_stream_connect(quantum_t)
-	mysql_read_config(quantum_t)
+	postgresql_stream_connect(neutron_t)
+	postgresql_unpriv_client(neutron_t)
+	postgresql_tcp_connect(neutron_t)
+')
 
-	mysql_tcp_connect(quantum_t)
+optional_policy(`
+    openvswitch_domtrans(neutron_t)
+    openvswitch_stream_connect(neutron_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(quantum_t)
-	postgresql_unpriv_client(quantum_t)
+    rpm_exec(neutron_t)
+    rpm_read_db(neutron_t)
+')
 
-	postgresql_tcp_connect(quantum_t)
+optional_policy(`
+	sudo_exec(neutron_t)
 ')
+
+optional_policy(`
+    udev_domtrans(neutron_t)
+')  
diff --git a/quota.fc b/quota.fc
index cadabe3605..54ba01d0d4 100644
--- a/quota.fc
+++ b/quota.fc
@@ -1,6 +1,5 @@
 HOME_ROOT/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
-
-HOME_DIR/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+HOME_DIR/a?quota\.(user|group) --  gen_context(system_u:object_r:quota_db_t,s0)
 
 /a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
 
@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
 
 /etc/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
 
-/etc/rc\.d/init\.d/quota_nld	--	gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
-
-/sbin/convertquota	--	gen_context(system_u:object_r:quota_exec_t,s0)
-/sbin/quota(check|on)	--	gen_context(system_u:object_r:quota_exec_t,s0)
+/sbin/quota(check|on)		--	gen_context(system_u:object_r:quota_exec_t,s0)
 
-/usr/sbin/convertquota	--	gen_context(system_u:object_r:quota_exec_t,s0)
 /usr/sbin/quota(check|on)	--	gen_context(system_u:object_r:quota_exec_t,s0)
-/usr/sbin/quota_nld	--	gen_context(system_u:object_r:quota_nld_exec_t,s0)
 
 /var/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)?			gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/cron/a?quota\.(user|group) --	gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/(.*/)?a?quota\.(user|group) --	gen_context(system_u:object_r:quota_db_t,s0)
 
-/var/lib/quota(/.*)?	gen_context(system_u:object_r:quota_flag_t,s0)
+ifdef(`distro_redhat',`
+/usr/sbin/convertquota		--	gen_context(system_u:object_r:quota_exec_t,s0)
+',`
+/sbin/convertquota		--	gen_context(system_u:object_r:quota_exec_t,s0)
+')
 
-/var/run/quota_nld\.pid	--	gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+/usr/sbin/quota_nld     --  gen_context(system_u:object_r:quota_nld_exec_t,s0)
 
-/var/spool/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/stickshift/a?quota\.(user|group)    --    gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/openshift/a?quota\.(user|group)    --    gen_context(system_u:object_r:quota_db_t,s0)
 
-/var/spool/imap/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/(client)?mqueue/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/mqueue\.in/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
-/var/spool/mail/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+/var/run/quota_nld\.pid --  gen_context(system_u:object_r:quota_nld_var_run_t,s0)
diff --git a/quota.if b/quota.if
index da6421861b..3fb8575ca8 100644
--- a/quota.if
+++ b/quota.if
@@ -1,4 +1,4 @@
-## <summary>File system quota management.</summary>
+## <summary>File system quota management</summary>
 
 ########################################
 ## <summary>
@@ -21,9 +21,8 @@ interface(`quota_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute quota management tools in
-##	the quota domain, and allow the
-##	specified role the quota domain.
+##	Execute quota management tools in the quota domain, and
+##	allow the specified role the quota domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -39,90 +38,54 @@ interface(`quota_domtrans',`
 #
 interface(`quota_run',`
 	gen_require(`
-		attribute_role quota_roles;
+		type quota_t;
 	')
 
 	quota_domtrans($1)
-	roleattribute $2 quota_roles;
+	role $2 types quota_t;
 ')
 
 #######################################
 ## <summary>
-##	Execute quota nld in the quota nld domain.
+##  Alow to read of filesystem quota data files.
 ## </summary>
 ## <param name="domain">
-## <summary>
-##  Domain allowed to transition.
-## </summary>
+##  <summary>
+##  Domain to not audit.
+##  </summary>
 ## </param>
 #
-interface(`quota_domtrans_nld',`
-	gen_require(`
-		type quota_nld_t, quota_nld_exec_t;
-	')
+interface(`quota_read_db',`
+    gen_require(`
+        type quota_db_t;
+    ')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
+    allow $1 quota_db_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	quota db files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`quota_manage_db_files',`
-	gen_require(`
-		type quota_db_t;
-	')
-
-	allow $1 quota_db_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Create specified objects in specified
-##	directories with a type transition to
-##	the quota db file type.
+##	Do not audit attempts to get the attributes
+##	of filesystem quota data files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="file_type">
-##	<summary>
-##	Directory to transition on.
-##	</summary>
-## </param>
-## <param name="object">
-##	<summary>
-##	The object class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`quota_spec_filetrans_db',`
+interface(`quota_dontaudit_getattr_db',`
 	gen_require(`
 		type quota_db_t;
 	')
 
-	filetrans_pattern($1, $2, quota_db_t, $3, $4)
+	dontaudit $1 quota_db_t:file getattr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get attributes
-##	of filesystem quota data files.
+##	Create, read, write, and delete quota
+##	db files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',`
 ##	</summary>
 ## </param>
 #
-interface(`quota_dontaudit_getattr_db',`
+interface(`quota_manage_db',`
 	gen_require(`
 		type quota_db_t;
 	')
 
-	dontaudit $1 quota_db_t:file getattr_file_perms;
+	allow $1 quota_db_t:file manage_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	quota flag files.
+##	Create, read, write, and delete quota
+##	flag files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -160,37 +123,56 @@ interface(`quota_manage_flags',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an quota environment.
+##	Transition to quota named content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`quota_admin',`
+interface(`quota_filetrans_named_content',`
 	gen_require(`
-		type quota_nld_t, quota_t, quota_db_t;
-		type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t;
+		type quota_db_t;
 	')
 
-	allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { quota_nld_t quota_t })
-
-	init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 quota_nld_initrc_exec_t system_r;
-	allow $2 system_r;
+	files_root_filetrans($1, quota_db_t, file, "aquota.user")
+	files_root_filetrans($1, quota_db_t, file, "aquota.group")
+	files_boot_filetrans($1, quota_db_t, file, "aquota.user")
+	files_boot_filetrans($1, quota_db_t, file, "aquota.group")
+	files_etc_filetrans($1, quota_db_t, file, "aquota.user")
+	files_etc_filetrans($1, quota_db_t, file, "aquota.group")
+	files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
+	files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
+	files_home_filetrans($1, quota_db_t, file, "aquota.user")
+	files_home_filetrans($1, quota_db_t, file, "aquota.group")
+	files_usr_filetrans($1, quota_db_t, file, "aquota.user")
+	files_usr_filetrans($1, quota_db_t, file, "aquota.group")
+	files_var_filetrans($1, quota_db_t, file, "aquota.user")
+	files_var_filetrans($1, quota_db_t, file, "aquota.group")
+	files_spool_filetrans($1, quota_db_t, file, "aquota.user")
+	files_spool_filetrans($1, quota_db_t, file, "aquota.group")
+	mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
+	mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
+	mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
+	mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
+')
 
-	files_list_all($1)
-	admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+#######################################
+## <summary>
+##  Transition to quota_nld.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`quota_domtrans_nld',`
+    gen_require(`
+        type quota_nld_t, quota_nld_exec_t;
+    ')
 
-	quota_run($1, $2)
+    corecmd_search_bin($1)
+    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
 ')
diff --git a/quota.te b/quota.te
index f47c8e81fc..0f0b0b43f4 100644
--- a/quota.te
+++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
 # Declarations
 #
 
-attribute_role quota_roles;
-
 type quota_t;
 type quota_exec_t;
-init_system_domain(quota_t, quota_exec_t)
-role quota_roles types quota_t;
+application_domain(quota_t, quota_exec_t)
+#init_system_domain(quota_t, quota_exec_t)
 
 type quota_db_t;
 files_type(quota_db_t)
@@ -22,9 +20,6 @@ type quota_nld_t;
 type quota_nld_exec_t;
 init_daemon_domain(quota_nld_t, quota_nld_exec_t)
 
-type quota_nld_initrc_exec_t;
-init_script_file(quota_nld_initrc_exec_t)
-
 type quota_nld_var_run_t;
 files_pid_file(quota_nld_var_run_t)
 
@@ -33,10 +28,11 @@ files_pid_file(quota_nld_var_run_t)
 # Local policy
 #
 
-allow quota_t self:capability { sys_admin dac_override };
+allow quota_t self:capability { sys_admin dac_read_search dac_override };
 dontaudit quota_t self:capability sys_tty_config;
 allow quota_t self:process signal_perms;
 
+# for /quota.*
 allow quota_t quota_db_t:file { manage_file_perms quotaon };
 files_root_filetrans(quota_t, quota_db_t, file)
 files_boot_filetrans(quota_t, quota_db_t, file)
@@ -48,24 +44,15 @@ files_var_filetrans(quota_t, quota_db_t, file)
 files_spool_filetrans(quota_t, quota_db_t, file)
 userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
 
-kernel_request_load_module(quota_t)
 kernel_list_proc(quota_t)
 kernel_read_proc_symlinks(quota_t)
 kernel_read_kernel_sysctls(quota_t)
-kernel_setsched(quota_t)
+kernel_dontaudit_setsched(quota_t)
 
 dev_read_sysfs(quota_t)
 dev_getattr_all_blk_files(quota_t)
 dev_getattr_all_chr_files(quota_t)
 
-files_list_all(quota_t)
-files_read_all_files(quota_t)
-files_read_all_symlinks(quota_t)
-files_getattr_all_pipes(quota_t)
-files_getattr_all_sockets(quota_t)
-files_getattr_all_file_type_fs(quota_t)
-files_read_etc_runtime_files(quota_t)
-
 fs_get_xattr_fs_quotas(quota_t)
 fs_set_xattr_fs_quotas(quota_t)
 fs_getattr_xattr_fs(quota_t)
@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t)
 
 domain_use_interactive_fds(quota_t)
 
+files_list_all(quota_t)
+files_read_all_files(quota_t)
+files_read_all_symlinks(quota_t)
+files_getattr_all_pipes(quota_t)
+files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
+# Read /etc/mtab.
+files_read_etc_runtime_files(quota_t)
+
 init_use_fds(quota_t)
 init_use_script_ptys(quota_t)
 
 logging_send_syslog_msg(quota_t)
 
-userdom_use_user_terminals(quota_t)
+mta_spool_filetrans(quota_t, quota_db_t, file)
+mta_spool_filetrans_queue(quota_t, quota_db_t, file)
+
+userdom_use_inherited_user_terminals(quota_t)
 userdom_dontaudit_use_unpriv_user_fds(quota_t)
 
 optional_policy(`
-	mta_queue_filetrans(quota_t, quota_db_t, file)
-	mta_spool_filetrans(quota_t, quota_db_t, file)
+	openshift_lib_filetrans(quota_t, quota_db_t, file)
 ')
 
 optional_policy(`
@@ -103,12 +101,13 @@ optional_policy(`
 
 #######################################
 #
-# Nld local policy
+# Local policy
 #
 
 allow quota_nld_t self:fifo_file rw_fifo_file_perms;
 allow quota_nld_t self:netlink_socket create_socket_perms;
-allow quota_nld_t self:unix_stream_socket { accept listen };
+allow quota_nld_t self:netlink_generic_socket create_socket_perms;
+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
 files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t)
 
 logging_send_syslog_msg(quota_nld_t)
 
-miscfiles_read_localization(quota_nld_t)
-
 userdom_use_user_terminals(quota_nld_t)
 
 optional_policy(`
-	dbus_system_bus_client(quota_nld_t)
-	dbus_connect_system_bus(quota_nld_t)
+    dbus_system_bus_client(quota_nld_t)
+    dbus_connect_system_bus(quota_nld_t)
 ')
diff --git a/rabbitmq.fc b/rabbitmq.fc
index c5ad6de765..af2d46f13d 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
@@ -1,10 +1,18 @@
 /etc/rc\.d/init\.d/rabbitmq-server	--	gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
 
-/usr/lib/erlang/erts.*/bin/beam.*	--	gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
-/usr/lib/erlang/erts.*/bin/epmd	--	gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+/usr/lib/systemd/system/rabbitmq-server.*   --  gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
+/usr/lib/systemd/system/ejabberd.*          --  gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
+
+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server   --  gen_context(system_u:object_r:rabbitmq_exec_t,s0)
+
+/usr/bin/ejabberdctl    --      gen_context(system_u:object_r:rabbitmq_exec_t,s0)
 
 /var/lib/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+/var/lib/ejabberd(/.*)?	gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+
+/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0)
 
 /var/log/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+/var/log/ejabberd(/.*)?	gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
 
 /var/run/rabbitmq(/.*)?	gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
diff --git a/rabbitmq.if b/rabbitmq.if
index 2c3d338961..7d49554ebe 100644
--- a/rabbitmq.if
+++ b/rabbitmq.if
@@ -38,12 +38,12 @@ interface(`rabbitmq_domtrans',`
 #
 interface(`rabbitmq_admin',`
 	gen_require(`
-		type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t;
+		type rabbitmq_t, rabbitmq_initrc_exec_t;
 		type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
 	')
 
-	allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t })
+	allow $1 { rabbitmq_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, rabbitmq_t)
 
 	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
index dc3b0ed876..f14522964a 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
 # Declarations
 #
 
-type rabbitmq_epmd_t;
-type rabbitmq_epmd_exec_t;
-init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
+type rabbitmq_t;
+type rabbitmq_exec_t;
+init_daemon_domain(rabbitmq_t, rabbitmq_exec_t)
 
-type rabbitmq_beam_t;
-type rabbitmq_beam_exec_t;
-init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+typealias rabbitmq_t alias {rabbitmq_beam_t rabbitmq_epmd_t};
+
+type rabbitmq_unit_file_t;
+systemd_unit_file(rabbitmq_unit_file_t)
 
 type rabbitmq_initrc_exec_t;
 init_script_file(rabbitmq_initrc_exec_t)
@@ -19,106 +20,111 @@ init_script_file(rabbitmq_initrc_exec_t)
 type rabbitmq_var_lib_t;
 files_type(rabbitmq_var_lib_t)
 
+type rabbitmq_var_lock_t;
+files_lock_file(rabbitmq_var_lock_t)
+
 type rabbitmq_var_log_t;
 logging_log_file(rabbitmq_var_log_t)
 
 type rabbitmq_var_run_t;
 files_pid_file(rabbitmq_var_run_t)
 
-######################################
-#
-# Beam local policy
-#
-
-allow rabbitmq_beam_t self:process { setsched signal signull };
-allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
-allow rabbitmq_beam_t self:tcp_socket { accept listen };
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-
-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-
-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
-
-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-
-kernel_read_system_state(rabbitmq_beam_t)
-kernel_read_fs_sysctls(rabbitmq_beam_t)
-
-corecmd_exec_bin(rabbitmq_beam_t)
-corecmd_exec_shell(rabbitmq_beam_t)
-
-corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
-corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
-corenet_tcp_bind_generic_node(rabbitmq_beam_t)
-
-corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
-
-corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
-corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+type rabbitmq_tmp_t;
+files_tmp_file(rabbitmq_tmp_t)
 
-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
-
-dev_read_sysfs(rabbitmq_beam_t)
-dev_read_urand(rabbitmq_beam_t)
-
-fs_getattr_all_fs(rabbitmq_beam_t)
-fs_search_cgroup_dirs(rabbitmq_beam_t)
-
-files_read_etc_files(rabbitmq_beam_t)
-
-storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
-
-miscfiles_read_localization(rabbitmq_beam_t)
-
-sysnet_dns_name_resolve(rabbitmq_beam_t)
-
- optional_policy(`
-	couchdb_manage_lib_files(rabbitmq_beam_t)
-	couchdb_read_conf_files(rabbitmq_beam_t)
-	couchdb_read_log_files(rabbitmq_beam_t)
-	couchdb_read_pid_files(rabbitmq_beam_t)
- ')
-
-########################################
+######################################
 #
-# Epmd local policy
+# Rabbitmq local policy
 #
 
+allow rabbitmq_t self:capability setuid;
+
+allow rabbitmq_t self:process { setsched signal signull };
+allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file)
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_tmp_t, rabbitmq_tmp_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_tmp_t, rabbitmq_tmp_t)
+files_tmp_filetrans(rabbitmq_t, rabbitmq_tmp_t, { file dir })
+
+kernel_read_system_state(rabbitmq_t)
+kernel_read_fs_sysctls(rabbitmq_t)
+
+corecmd_exec_bin(rabbitmq_t)
+corecmd_exec_shell(rabbitmq_t)
+
+corenet_tcp_bind_generic_node(rabbitmq_t)
+corenet_udp_bind_generic_node(rabbitmq_t)
+corenet_all_recvfrom_unlabeled(rabbitmq_t)
+corenet_all_recvfrom_netlabel(rabbitmq_t)
+corenet_tcp_sendrecv_generic_if(rabbitmq_t)
+corenet_tcp_sendrecv_generic_node(rabbitmq_t)
+corenet_tcp_bind_generic_node(rabbitmq_t)
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_t)
+corenet_tcp_bind_all_ephemeral_ports(rabbitmq_t)
+corenet_sendrecv_amqp_server_packets(rabbitmq_t)
+corenet_sendrecv_epmd_client_packets(rabbitmq_t)
+corenet_tcp_sendrecv_amqp_port(rabbitmq_t)
+corenet_tcp_bind_amqp_port(rabbitmq_t)
+corenet_tcp_bind_epmd_port(rabbitmq_t)
+corenet_tcp_bind_jabber_client_port(rabbitmq_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_t)
+corenet_tcp_bind_rabbitmq_port(rabbitmq_t)
+corenet_tcp_connect_amqp_port(rabbitmq_t)
+corenet_tcp_connect_epmd_port(rabbitmq_t)
+corenet_tcp_connect_jabber_interserver_port(rabbitmq_t)
+corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
+corenet_tcp_connect_http_port(rabbitmq_t)
+corenet_tcp_connect_rabbitmq_port(rabbitmq_t)
+
+domain_read_all_domains_state(rabbitmq_t)
+
+auth_read_passwd(rabbitmq_t)
+auth_use_pam(rabbitmq_t)
+files_getattr_all_mountpoints(rabbitmq_t)
+
+fs_getattr_all_fs(rabbitmq_t)
+fs_getattr_all_dirs(rabbitmq_t)
+fs_getattr_cgroup(rabbitmq_t)
+fs_search_cgroup_dirs(rabbitmq_t)
+
+dev_read_sysfs(rabbitmq_t)
+dev_read_urand(rabbitmq_t)
+
+storage_getattr_fixed_disk_dev(rabbitmq_t)
+
+sysnet_dns_name_resolve(rabbitmq_t)
+
+logging_send_syslog_msg(rabbitmq_t)
+
+optional_policy(`
+    dbus_system_bus_client(rabbitmq_t)
+')
+
+optional_policy(`
+	hostname_exec(rabbitmq_t)
+')
+
+optional_policy(`
+    rpc_read_nfs_state_data(rabbitmq_t)
+')
 
-allow rabbitmq_epmd_t self:process signal;
-allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
-allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
-
-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
-
-corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
-corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t)
-corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
-
-corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
-corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
-
-files_read_etc_files(rabbitmq_epmd_t)
-
-logging_send_syslog_msg(rabbitmq_epmd_t)
-
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
index d447e85488..76ed794ce2 100644
--- a/radius.fc
+++ b/radius.fc
@@ -9,7 +9,9 @@
 /usr/sbin/radiusd	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
 /usr/sbin/freeradius	--	gen_context(system_u:object_r:radiusd_exec_t,s0)
 
-/var/lib/radiousd(/.*)?	gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+/usr/lib/systemd/system/radiusd.* --  gen_context(system_u:object_r:radiusd_unit_file_t,s0)
+
+/var/lib/radiusd(/.*)?	gen_context(system_u:object_r:radiusd_var_lib_t,s0)
 
 /var/log/freeradius(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
 /var/log/radacct(/.*)?	gen_context(system_u:object_r:radiusd_log_t,s0)
diff --git a/radius.if b/radius.if
index 44605825c5..4c66c2502f 100644
--- a/radius.if
+++ b/radius.if
@@ -14,6 +14,30 @@ interface(`radius_use',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+#######################################
+## <summary>
+##  Execute radiusd server in the radiusd domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`radiusd_systemctl',`
+    gen_require(`
+        type radiusd_unit_file_t;
+        type radiusd_t;
+    ')
+
+    systemd_exec_systemctl($1)
+	init_reload_services($1)
+    allow $1 radiusd_unit_file_t:file read_file_perms;
+    allow $1 radiusd_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, radiusd_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -35,11 +59,14 @@ interface(`radius_admin',`
 	gen_require(`
 		type radiusd_t, radiusd_etc_t, radiusd_log_t;
 		type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
-		type radiusd_initrc_exec_t;
+		type radiusd_initrc_exec_t, radiusd_unit_file_t;
 	')
 
-	allow $1 radiusd_t:process { ptrace signal_perms };
+	allow $1 radiusd_t:process signal_perms;
 	ps_process_pattern($1, radiusd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 radiusd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -57,4 +84,9 @@ interface(`radius_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, radiusd_var_run_t)
+
+    admin_pattern($1, radiusd_unit_file_t)
+    bind_systemctl($1)
+    allow $1 radiusd_unit_file_t:service all_service_perms;
+
 ')
diff --git a/radius.te b/radius.te
index 403a4fed12..9de0a3d776 100644
--- a/radius.te
+++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
 # Declarations
 #
 
+## <desc>
+##      <p>
+##      Determine whether radius can use JIT compiler.
+##      </p>
+## </desc>
+gen_tunable(radius_use_jit, false)
+
 type radiusd_t;
 type radiusd_exec_t;
 init_daemon_domain(radiusd_t, radiusd_exec_t)
@@ -27,14 +34,17 @@ files_type(radiusd_var_lib_t)
 type radiusd_var_run_t;
 files_pid_file(radiusd_var_run_t)
 
+type radiusd_unit_file_t;
+systemd_unit_file(radiusd_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
 dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal};
 allow radiusd_t self:fifo_file rw_fifo_file_perms;
 allow radiusd_t self:unix_stream_socket { accept listen };
 allow radiusd_t self:tcp_socket { accept listen };
@@ -43,15 +53,18 @@ allow radiusd_t radiusd_etc_t:dir list_dir_perms;
 allow radiusd_t radiusd_etc_t:file read_file_perms;
 allow radiusd_t radiusd_etc_t:lnk_file read_lnk_file_perms;
 
+tunable_policy(`deny_ptrace',`',`
+	allow radiusd_t self:process ptrace;
+')
+
 manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
 manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
 manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t)
 filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file })
+allow radiusd_t radiusd_etc_rw_t:file map;
 
 manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-append_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-create_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
-setattr_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
+manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t)
 logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir })
 
 manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
@@ -60,11 +73,13 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
 manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
 manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
 files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+files_dontaudit_list_tmp(radiusd_t)
 
 kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
+kernel_read_net_sysctls(radiusd_t)
+kernel_search_network_sysctl(radiusd_t)
 
-corenet_all_recvfrom_unlabeled(radiusd_t)
 corenet_all_recvfrom_netlabel(radiusd_t)
 corenet_tcp_sendrecv_generic_if(radiusd_t)
 corenet_udp_sendrecv_generic_if(radiusd_t)
@@ -74,12 +89,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
 corenet_udp_sendrecv_all_ports(radiusd_t)
 corenet_udp_bind_generic_node(radiusd_t)
 
+corenet_tcp_connect_postgresql_port(radiusd_t)
+corenet_tcp_connect_http_port(radiusd_t)
+
 corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_tcp_bind_radacct_port(radiusd_t)
 corenet_udp_bind_radacct_port(radiusd_t)
 
 corenet_sendrecv_radius_server_packets(radiusd_t)
+corenet_tcp_bind_radius_port(radiusd_t)
 corenet_udp_bind_radius_port(radiusd_t)
 
+corenet_sendrecv_radsec_server_packets(radiusd_t)
+corenet_tcp_bind_radsec_port(radiusd_t)
+corenet_udp_bind_radsec_port(radiusd_t)
+corenet_tcp_connect_radsec_port(radiusd_t)
+
 corenet_sendrecv_snmp_client_packets(radiusd_t)
 corenet_tcp_connect_snmp_port(radiusd_t)
 
@@ -97,7 +122,6 @@ domain_use_interactive_fds(radiusd_t)
 fs_getattr_all_fs(radiusd_t)
 fs_search_auto_mountpoints(radiusd_t)
 
-files_read_usr_files(radiusd_t)
 files_read_etc_runtime_files(radiusd_t)
 files_dontaudit_list_tmp(radiusd_t)
 
@@ -109,7 +133,6 @@ libs_exec_lib_files(radiusd_t)
 
 logging_send_syslog_msg(radiusd_t)
 
-miscfiles_read_localization(radiusd_t)
 miscfiles_read_generic_certs(radiusd_t)
 
 sysnet_use_ldap(radiusd_t)
@@ -117,10 +140,21 @@ sysnet_use_ldap(radiusd_t)
 userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
 userdom_dontaudit_search_user_home_dirs(radiusd_t)
 
+tunable_policy(`radius_use_jit',`
+    allow radiusd_t self:process execmem;
+',`
+    dontaudit radiusd_t self:process execmem;
+')
+
 optional_policy(`
 	cron_system_entry(radiusd_t, radiusd_exec_t)
 ')
 
+optional_policy(`
+    kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0")
+    kerberos_manage_host_rcache(radiusd_t)
+')
+
 optional_policy(`
 	logrotate_exec(radiusd_t)
 ')
@@ -131,6 +165,11 @@ optional_policy(`
 	mysql_tcp_connect(radiusd_t)
 ')
 
+optional_policy(`
+    postgresql_stream_connect(radiusd_t)
+    postgresql_tcp_connect(radiusd_t)
+')
+
 optional_policy(`
 	samba_domtrans_winbind_helper(radiusd_t)
 ')
@@ -139,6 +178,11 @@ optional_policy(`
 	seutil_sigchld_newrole(radiusd_t)
 ')
 
+optional_policy(`
+    snmp_read_snmp_var_lib_files(radiusd_t)
+    snmp_read_snmp_var_lib_files(radiusd_t)
+')
+
 optional_policy(`
 	udev_read_db(radiusd_t)
 ')
diff --git a/radvd.if b/radvd.if
index ac7058d1e8..48739ac1bf 100644
--- a/radvd.if
+++ b/radvd.if
@@ -1,5 +1,24 @@
 ## <summary>IPv6 router advertisement daemon.</summary>
 
+######################################
+## <summary>
+##	Read radvd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`radvd_read_pid_files',`
+	gen_require(`
+		type radvd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -23,8 +42,11 @@ interface(`radvd_admin',`
 		type radvd_var_run_t;
 	')
 
-	allow $1 radvd_t:process { ptrace signal_perms };
+	allow $1 radvd_t:process signal_perms;
 	ps_process_pattern($1, radvd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 radvd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/radvd.te b/radvd.te
index 6d162e4e64..889c0ed5f4 100644
--- a/radvd.te
+++ b/radvd.te
@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
 
 logging_send_syslog_msg(radvd_t)
 
-miscfiles_read_localization(radvd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(radvd_t)
 userdom_dontaudit_search_user_home_dirs(radvd_t)
 
diff --git a/raid.fc b/raid.fc
index 5806046b13..2a4769ff4f 100644
--- a/raid.fc
+++ b/raid.fc
@@ -3,6 +3,12 @@
 
 /etc/rc\.d/init\.d/mdmonitor	--	gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
 
+/etc/mdadm\.conf    --  gen_context(system_u:object_r:mdadm_conf_t,s0)
+/etc/mdadm\.conf\.anacbak    --  gen_context(system_u:object_r:mdadm_conf_t,s0)
+
+/usr/lib/systemd/system/mdmon@.* --  gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+/usr/lib/systemd/system/mdmonitor.* --  gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+
 /sbin/iprdump	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /sbin/iprinit	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /sbin/iprupdate	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
@@ -16,6 +22,10 @@
 /usr/sbin/iprupdate	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/sbin/mdadm	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/sbin/mdmpd	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/mdmon	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/sbin/raid-check	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 
+/var/log/iprdbg             --  gen_context(system_u:object_r:mdadm_log_t,s0)
+/var/log/iprdump.*          --  gen_context(system_u:object_r:mdadm_log_t,s0)
+
 /var/run/mdadm(/.*)?	gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
index 951db7f1be..00e699da47 100644
--- a/raid.if
+++ b/raid.if
@@ -1,9 +1,8 @@
-## <summary>RAID array management tools.</summary>
+## <summary>RAID array management tools</summary>
 
 ########################################
 ## <summary>
-##	Execute software raid tools in
-##	the mdadm domain.
+##	Execute software raid tools in the mdadm domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -22,34 +21,57 @@ interface(`raid_domtrans_mdadm',`
 
 ######################################
 ## <summary>
-##	Execute mdadm in the mdadm
-##	domain, and allow the specified
-##	role the mdadm domain.
+##	Execute a domain transition to mdadm_t for the
+##	specified role, allowing it to use the mdadm_t
+##	domain
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed to access mdadm_t domain
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed to transition to mdadm_t
 ##	</summary>
 ## </param>
 #
 interface(`raid_run_mdadm',`
 	gen_require(`
-		attribute_role mdadm_roles;
+		type mdadm_t;
 	')
 
+	role $1 types mdadm_t;
 	raid_domtrans_mdadm($2)
-	roleattribute $1 mdadm_roles;
+')
+
+######################################
+## <summary>
+##	Execute mdadm server in the mdadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`mdadm_systemctl',`
+	gen_require(`
+		type mdadm_t;
+		type mdadm_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 mdadm_unit_file_t:file read_file_perms;
+	allow $1 mdadm_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, mdadm_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	mdadm pid files.
+##	read the mdadm pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,47 +79,113 @@ interface(`raid_run_mdadm',`
 ##	</summary>
 ## </param>
 #
-interface(`raid_manage_mdadm_pid',`
+interface(`raid_read_mdadm_pid',`
 	gen_require(`
 		type mdadm_var_run_t;
 	')
 
-	files_search_pids($1)
-	allow $1 mdadm_var_run_t:file manage_file_perms;
+	read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an mdadm environment.
+##	Create, read, write, and delete the mdadm pid files.
 ## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete the mdadm pid files.
+##	</p>
+##	<p>
+##	Added for use in the init module.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`raid_manage_mdadm_pid',`
+	gen_require(`
+		type mdadm_var_run_t;
+	')
+
+	# FIXME: maybe should have a type_transition.  not
+	# clear what this is doing, from the original
+	# mdadm policy
+	allow $1 mdadm_var_run_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Check access to the mdadm executable.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`raid_access_check_mdadm',`
+	gen_require(`
+		type mdadm_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
+')
+
+########################################
+## <summary>
+##	Read mdadm config files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`raid_admin_mdadm',`
+interface(`raid_read_conf_files',`
 	gen_require(`
-		type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
+		type mdadm_conf_t;
 	')
 
-	allow $1 mdadm_t:process { ptrace signal_perms };
-	ps_process_pattern($1, mdadm_t)
+    read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
+')
+
+########################################
+## <summary>
+##	Manage mdadm config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`raid_manage_conf_files',`
+	gen_require(`
+		type mdadm_conf_t;
+	')
 
-	init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 mdadm_initrc_exec_t system_r;
-	allow $2 system_r;
+    manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
+')
 
-	files_search_pids($1)
-	admin_pattern($1, mdadm_var_run_t)
+########################################
+## <summary>
+##	Transition to mdadm named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`raid_filetrans_named_content',`
+	gen_require(`
+		type mdadm_conf_t;
+	')
 
-	raid_run_mdadm($2, $1)
+    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
+    files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
 ')
diff --git a/raid.te b/raid.te
index c99753f2c5..55294acec9 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
 type mdadm_initrc_exec_t;
 init_script_file(mdadm_initrc_exec_t)
 
+type mdadm_conf_t;
+files_config_file(mdadm_conf_t)
+
+type mdadm_unit_file_t;
+systemd_unit_file(mdadm_unit_file_t)
+
+type mdadm_tmp_t;
+files_tmp_file(mdadm_tmp_t)
+
+type mdadm_tmpfs_t;
+files_tmpfs_file(mdadm_tmpfs_t)
+
 type mdadm_var_run_t alias mdadm_map_t;
 files_pid_file(mdadm_var_run_t)
 dev_associate(mdadm_var_run_t)
 
+type mdadm_log_t;
+logging_log_file(mdadm_log_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-dontaudit mdadm_t self:capability sys_tty_config;
-allow mdadm_t self:process { getsched setsched signal_perms };
+allow mdadm_t self:capability { dac_read_search dac_override sys_admin ipc_lock };
+dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
 allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t)
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf")
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf.anacbak")
+
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
+
+manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t)
+fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, { dir file })
 
 manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-dev_filetrans(mdadm_t, mdadm_var_run_t, file)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
+
+manage_files_pattern(mdadm_t, mdadm_log_t, mdadm_log_t)
+logging_log_filetrans(mdadm_t, mdadm_log_t, file)
+
+can_exec(mdadm_t, mdadm_exec_t)
 
 kernel_getattr_core_if(mdadm_t)
 kernel_read_system_state(mdadm_t)
 kernel_read_kernel_sysctls(mdadm_t)
 kernel_request_load_module(mdadm_t)
 kernel_rw_software_raid_state(mdadm_t)
+kernel_dontaudit_setsched(mdadm_t)
+kernel_signal(mdadm_t)
+kernel_signull(mdadm_t)
+kernel_stream_connect(mdadm_t)
 
 corecmd_exec_bin(mdadm_t)
 corecmd_exec_shell(mdadm_t)
 
 dev_rw_sysfs(mdadm_t)
-dev_dontaudit_getattr_all_blk_files(mdadm_t)
-dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_read_all_blk_files(mdadm_t)
+dev_dontaudit_read_all_chr_files(mdadm_t)
+dev_getattr_all(mdadm_t)
+dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 dev_read_raw_memory(mdadm_t)
-
+dev_read_kvm(mdadm_t)
+dev_read_mei(mdadm_t)
+dev_read_nvram(mdadm_t)
+dev_read_generic_files(mdadm_t)
+dev_read_generic_usb_dev(mdadm_t)
+dev_read_urand(mdadm_t)
+dev_read_rand(mdadm_t)
+dev_rw_nvme(mdadm_t)
+
+domain_read_all_domains_state(mdadm_t)
 domain_use_interactive_fds(mdadm_t)
 
-files_read_etc_files(mdadm_t)
 files_read_etc_runtime_files(mdadm_t)
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
 
 fs_getattr_all_fs(mdadm_t)
 fs_list_auto_mountpoints(mdadm_t)
 fs_list_hugetlbfs(mdadm_t)
 fs_rw_cgroup_files(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
+fs_manage_cgroup_files(mdadm_t)
+fs_read_efivarfs_files(mdadm_t)
 
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
@@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)
+storage_raw_read_removable_device(mdadm_t)
+storage_tmp_filetrans_fixed_disk(mdadm_t)
 
 term_dontaudit_list_ptys(mdadm_t)
 term_dontaudit_use_unallocated_ttys(mdadm_t)
 
+auth_use_nsswitch(mdadm_t)
+
 init_dontaudit_getattr_initctl(mdadm_t)
+init_getattr_script_status_files(mdadm_t)
 
+logging_dontaudit_getattr_all_logs(mdadm_t)
 logging_send_syslog_msg(mdadm_t)
 
-miscfiles_read_localization(mdadm_t)
+systemd_exec_systemctl(mdadm_t)
+systemd_start_systemd_services(mdadm_t)
+
+term_use_generic_ptys(mdadm_t)
+term_use_unallocated_ttys(mdadm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -89,14 +149,27 @@ optional_policy(`
 	cron_system_entry(mdadm_t, mdadm_exec_t)
 ')
 
+optional_policy(`
+    dbus_system_bus_client(mdadm_t)
+')
+
 optional_policy(`
 	gpm_dontaudit_getattr_gpmctl(mdadm_t)
 ')
 
+optional_policy(`
+    kdump_manage_kdumpctl_tmp_files(mdadm_t)
+    kdump_rw_lock(mdadm_t)
+')
+
 optional_policy(`
 	mta_send_mail(mdadm_t)
 ')
 
+optional_policy(`
+    mdadm_systemctl(mdadm_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(mdadm_t)
 ')
@@ -104,3 +177,11 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(mdadm_t)
 ')
+
+optional_policy(`
+	virt_read_blk_images(mdadm_t)
+')
+
+optional_policy(`
+	xserver_dontaudit_search_log(mdadm_t)
+')
diff --git a/rasdaemon.fc b/rasdaemon.fc
new file mode 100644
index 0000000000..8e31dd0426
--- /dev/null
+++ b/rasdaemon.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/ras-mc-ctl.*		--	gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
+
+/usr/lib/systemd/system/rasdaemon.*		--	gen_context(system_u:object_r:rasdaemon_unit_file_t,s0)
+
+/usr/sbin/rasdaemon		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+
+/usr/sbin/ras-mc-ctl		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+
+/var/lib/rasdaemon(/.*)?		gen_context(system_u:object_r:rasdaemon_var_lib_t,s0)
diff --git a/rasdaemon.if b/rasdaemon.if
new file mode 100644
index 0000000000..d57006d9cf
--- /dev/null
+++ b/rasdaemon.if
@@ -0,0 +1,157 @@
+
+## <summary>The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the rasdaemon domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rasdaemon_domtrans',`
+	gen_require(`
+		type rasdaemon_t, rasdaemon_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
+')
+
+########################################
+## <summary>
+##	Search rasdaemon lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rasdaemon_search_lib',`
+	gen_require(`
+		type rasdaemon_var_lib_t;
+	')
+
+	allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read rasdaemon lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rasdaemon_read_lib_files',`
+	gen_require(`
+		type rasdaemon_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rasdaemon lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rasdaemon_manage_lib_files',`
+	gen_require(`
+		type rasdaemon_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rasdaemon lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rasdaemon_manage_lib_dirs',`
+	gen_require(`
+		type rasdaemon_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute rasdaemon server in the rasdaemon domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rasdaemon_systemctl',`
+	gen_require(`
+		type rasdaemon_t;
+		type rasdaemon_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 rasdaemon_unit_file_t:file read_file_perms;
+	allow $1 rasdaemon_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, rasdaemon_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rasdaemon environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rasdaemon_admin',`
+	gen_require(`
+		type rasdaemon_t;
+		type rasdaemon_var_lib_t;
+	type rasdaemon_unit_file_t;
+	')
+
+	allow $1 rasdaemon_t:process { ptrace signal_perms };
+	ps_process_pattern($1, rasdaemon_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, rasdaemon_var_lib_t)
+
+	rasdaemon_systemctl($1)
+	admin_pattern($1, rasdaemon_unit_file_t)
+	allow $1 rasdaemon_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/rasdaemon.te b/rasdaemon.te
new file mode 100644
index 0000000000..dcdca44483
--- /dev/null
+++ b/rasdaemon.te
@@ -0,0 +1,51 @@
+policy_module(rasdaemon, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_lib_t;
+files_type(rasdaemon_var_lib_t)
+
+type rasdaemon_unit_file_t;
+systemd_unit_file(rasdaemon_unit_file_t)
+
+########################################
+#
+# rasdaemon local policy
+#
+allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
+allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
+files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file  })
+
+kernel_read_system_state(rasdaemon_t)
+kernel_manage_debugfs(rasdaemon_t)
+
+dev_read_raw_memory(rasdaemon_t)
+dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
+fs_rw_tracefs_files(rasdaemon_t)
+fs_manage_tracefs_dirs(rasdaemon_t)
+fs_mount_tracefs(rasdaemon_t)
+fs_unmount_tracefs(rasdaemon_t)
+
+modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277
+
+auth_use_nsswitch(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+
+optional_policy(`
+    dmidecode_exec(rasdaemon_t)
+')
+
diff --git a/razor.fc b/razor.fc
index 6723f4d3bc..6e2667392d 100644
--- a/razor.fc
+++ b/razor.fc
@@ -1,9 +1,9 @@
-HOME_DIR/\.razor(/.*)?	gen_context(system_u:object_r:razor_home_t,s0)
+#/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
+#HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
 
-/etc/razor(/.*)?	gen_context(system_u:object_r:razor_etc_t,s0)
+#/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
 
-/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
+#/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)
 
-/var/lib/razor(/.*)?	gen_context(system_u:object_r:razor_var_lib_t,s0)
-
-/var/log/razor-agent\.log.*	--	gen_context(system_u:object_r:razor_log_t,s0)
+#/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
+#/var/log/razor-agent\.log.*	--	gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/razor.if b/razor.if
index 1e4b523bf7..fee3b7cd16 100644
--- a/razor.if
+++ b/razor.if
@@ -1,72 +1,147 @@
 ## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
+## <desc>
+##	<p>
+##	A distributed, collaborative, spam detection and filtering network.
+##	</p>
+##	<p>
+##	This policy will work with either the ATrpms provided config
+##	file in /etc/razor, or with the default of dumping everything into
+##	$HOME/.razor.
+##	</p>
+## </desc>
 
 #######################################
 ## <summary>
-##	The template to define a razor domain.
+##	Template to create types and rules common to
+##	all razor domains.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
 ##	</summary>
 ## </param>
 #
 template(`razor_common_domain_template',`
 	gen_require(`
-		attribute razor_domain;
-		type razor_exec_t;
+		type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_t, razor_domain;
+	type $1_t;
 	domain_type($1_t)
 	domain_entry_file($1_t, razor_exec_t)
 
-	########################################
-	#
-	# Declarations
-	#
-
-	auth_use_nsswitch($1_t)
+	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_t self:fd use;
+	allow $1_t self:fifo_file rw_fifo_file_perms;
+	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:unix_dgram_socket sendto;
+	allow $1_t self:unix_stream_socket connectto;
+	allow $1_t self:shm create_shm_perms;
+	allow $1_t self:sem create_sem_perms;
+	allow $1_t self:msgq create_msgq_perms;
+	allow $1_t self:msg { send receive };
+	allow $1_t self:tcp_socket create_socket_perms;
+
+	# Read system config file
+	allow $1_t razor_etc_t:dir list_dir_perms;
+	allow $1_t razor_etc_t:file read_file_perms;
+	allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
+
+	manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
+	manage_files_pattern($1_t, razor_log_t, razor_log_t)
+	manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
+	logging_log_filetrans($1_t, razor_log_t, file)
+
+	manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+	manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+	manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
+	files_search_var_lib($1_t)
+
+	# Razor is one executable and several symlinks
+	allow $1_t razor_exec_t:file read_file_perms;
+	allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
+
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_software_raid_state($1_t)
+	kernel_getattr_core_if($1_t)
+	kernel_getattr_message_if($1_t)
+	kernel_read_kernel_sysctls($1_t)
+
+	corecmd_exec_bin($1_t)
+
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_all_recvfrom_netlabel($1_t)
+	corenet_tcp_sendrecv_generic_if($1_t)
+	corenet_raw_sendrecv_generic_if($1_t)
+	corenet_tcp_sendrecv_generic_node($1_t)
+	corenet_raw_sendrecv_generic_node($1_t)
+	corenet_tcp_sendrecv_razor_port($1_t)
+
+	# mktemp and other randoms
+	dev_read_rand($1_t)
+	dev_read_urand($1_t)
+
+	files_search_pids($1_t)
+	# Allow access to various files in the /etc/directory including mtab
+	# and nsswitch
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+
+	fs_search_auto_mountpoints($1_t)
+
+	libs_read_lib_files($1_t)
+
+
+	sysnet_read_config($1_t)
+	sysnet_dns_name_resolve($1_t)
+
+	optional_policy(`
+		nis_use_ypbind($1_t)
+	')
 ')
 
 ########################################
 ## <summary>
-##	Role access for razor.
+##	Role access for razor
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`razor_role',`
 	gen_require(`
-		attribute_role razor_roles;
 		type razor_t, razor_exec_t, razor_home_t;
-		type razor_tmp_t;
 	')
 
-	roleattribute $1 razor_roles;
+	role $1 types razor_t;
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, razor_exec_t, razor_t)
 
+	# allow ps to show razor and allow the user to kill it 
 	ps_process_pattern($2, razor_t)
-	allow $2 razor_t:process signal;
-
-	allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $2 razor_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 razor_t:process ptrace;
+	')
 
-	userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
+	manage_dirs_pattern($2, razor_home_t, razor_home_t)
+	manage_files_pattern($2, razor_home_t, razor_home_t)
+	manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+	relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+	relabel_files_pattern($2, razor_home_t, razor_home_t)
+	relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
 ')
 
 ########################################
@@ -81,17 +156,16 @@ interface(`razor_role',`
 #
 interface(`razor_domtrans',`
 	gen_require(`
-		type system_razor_t, razor_exec_t;
+		type razor_t, razor_exec_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, razor_exec_t, system_razor_t)
+	domtrans_pattern($1, razor_exec_t, razor_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	razor home content.
+##	Create, read, write, and delete razor files
+##	in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99,20 +173,19 @@ interface(`razor_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`razor_manage_home_content',`
+interface(`razor_manage_user_home_files',`
 	gen_require(`
 		type razor_home_t;
 	')
 
 	userdom_search_user_home_dirs($1)
-	allow $1 razor_home_t:dir manage_dir_perms;
-	allow $1 razor_home_t:file manage_file_perms;
-	allow $1 razor_home_t:lnk_file manage_lnk_file_perms;
+	manage_files_pattern($1, razor_home_t, razor_home_t)
+	read_lnk_files_pattern($1, razor_home_t, razor_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Read razor lib files.
+##	read razor lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/razor.te b/razor.te
index 68455f9093..38f69685c2 100644
--- a/razor.te
+++ b/razor.te
@@ -5,135 +5,124 @@ policy_module(razor, 2.4.0)
 # Declarations
 #
 
-attribute razor_domain;
+ifdef(`distro_redhat',`
+	gen_require(`
+		type spamc_t, spamc_exec_t, spamd_log_t;
+		type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
+		type spamc_home_t, spamc_tmp_t;
+	')
+
+	typealias spamc_t alias razor_t;
+	typealias spamc_exec_t alias razor_exec_t;
+	typealias spamd_log_t alias razor_log_t;
+	typealias spamd_var_lib_t alias razor_var_lib_t;
+	typealias spamd_etc_t alias razor_etc_t;
+	typealias spamc_home_t alias razor_home_t;
+	typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+	typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+	typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+	typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+',`
+	type razor_exec_t;
+	corecmd_executable_file(razor_exec_t)
+
+	type razor_etc_t;
+	files_config_file(razor_etc_t)
+
+	type razor_home_t;
+	typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+	typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+	userdom_user_home_content(razor_home_t)
+
+	type razor_log_t;
+	logging_log_file(razor_log_t)
+
+	type razor_tmp_t;
+	typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+	typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+	files_tmp_file(razor_tmp_t)
+	ubac_constrained(razor_tmp_t)
+
+	type razor_var_lib_t;
+	files_type(razor_var_lib_t)
+
+	# these are here due to ordering issues:
+	razor_common_domain_template(razor)
+	typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+	typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+	ubac_constrained(razor_t)
+
+	razor_common_domain_template(system_razor)
+	role system_r types system_razor_t;
+
+	########################################
+	#
+	# System razor local policy
+	#
+
+	# this version of razor is invoked typically
+	# via the system spam filter
+
+	allow system_razor_t self:tcp_socket create_socket_perms;
+
+	manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+	manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+	manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+	files_search_etc(system_razor_t)
+
+	allow system_razor_t razor_log_t:file manage_file_perms;
+	logging_log_filetrans(system_razor_t, razor_log_t, file)
+
+	manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+	files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+
+	corenet_all_recvfrom_netlabel(system_razor_t)
+	corenet_tcp_sendrecv_generic_if(system_razor_t)
+	corenet_raw_sendrecv_generic_if(system_razor_t)
+	corenet_tcp_sendrecv_generic_node(system_razor_t)
+	corenet_raw_sendrecv_generic_node(system_razor_t)
+	corenet_tcp_sendrecv_razor_port(system_razor_t)
+	corenet_tcp_connect_razor_port(system_razor_t)
+	corenet_sendrecv_razor_client_packets(system_razor_t)
+
+	auth_use_nsswitch(system_razor_t)
+
+	# cjp: this shouldn't be needed
+	userdom_use_unpriv_users_fds(system_razor_t)
+
+	optional_policy(`
+		logging_send_syslog_msg(system_razor_t)
+	')
+
+	########################################
+	#
+	# User razor local policy
+	#
+
+	# Allow razor to be run by hand.  Needed by any action other than
+	# invocation from a spam filter.
+
+	allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+	manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+	manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+	manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+	userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+	manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+	manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+	files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+	auth_use_nsswitch(razor_t)
 
-attribute_role razor_roles;
+	logging_send_syslog_msg(razor_t)
 
-type razor_exec_t;
-corecmd_executable_file(razor_exec_t)
+	userdom_search_user_home_dirs(razor_t)
+	userdom_use_inherited_user_terminals(razor_t)
 
-type razor_etc_t;
-files_config_file(razor_etc_t)
+	userdom_home_manager(razor_t)
 
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-userdom_user_home_content(razor_home_t)
-
-type razor_log_t;
-logging_log_file(razor_log_t)
-
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-userdom_user_tmp_file(razor_tmp_t)
-
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
-
-razor_common_domain_template(razor)
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-userdom_user_application_type(razor_t)
-role razor_roles types razor_t;
-
-razor_common_domain_template(system_razor)
-role system_r types system_razor_t;
-
-########################################
-#
-# Common razor domain local policy
-#
-
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow razor_domain self:fd use;
-allow razor_domain self:fifo_file rw_fifo_file_perms;
-allow razor_domain self:unix_dgram_socket sendto;
-allow razor_domain self:unix_stream_socket { accept connectto listen };
-
-allow razor_domain razor_etc_t:dir list_dir_perms;
-allow razor_domain razor_etc_t:file read_file_perms;
-allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms;
-
-allow razor_domain razor_exec_t:file read_file_perms;
-allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms;
-
-kernel_read_system_state(razor_domain)
-kernel_read_network_state(razor_domain)
-kernel_read_software_raid_state(razor_domain)
-kernel_getattr_core_if(razor_domain)
-kernel_getattr_message_if(razor_domain)
-kernel_read_kernel_sysctls(razor_domain)
-
-corecmd_exec_bin(razor_domain)
-
-corenet_all_recvfrom_unlabeled(razor_domain)
-corenet_all_recvfrom_netlabel(razor_domain)
-corenet_tcp_sendrecv_generic_if(razor_domain)
-corenet_tcp_sendrecv_generic_node(razor_domain)
-
-corenet_tcp_sendrecv_razor_port(razor_domain)
-corenet_tcp_connect_razor_port(razor_domain)
-corenet_sendrecv_razor_client_packets(razor_domain)
-
-dev_read_rand(razor_domain)
-dev_read_urand(razor_domain)
-
-files_read_etc_runtime_files(razor_domain)
-
-libs_read_lib_files(razor_domain)
-
-miscfiles_read_localization(razor_domain)
-
-########################################
-#
-# System local policy
-#
-
-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
-
-manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t)
-append_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-create_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t)
-logging_log_filetrans(system_razor_t, razor_log_t, file)
-
-manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-
-########################################
-#
-# Session local policy
-#
-
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")
-
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-
-fs_getattr_all_fs(razor_t)
-fs_search_auto_mountpoints(razor_t)
-
-userdom_use_unpriv_users_fds(razor_t)
-userdom_use_user_terminals(razor_t)
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(razor_t)
-	fs_manage_nfs_files(razor_t)
-	fs_manage_nfs_symlinks(razor_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(razor_t)
-	fs_manage_cifs_files(razor_t)
-	fs_manage_cifs_symlinks(razor_t)
+	optional_policy(`
+		milter_manage_spamass_state(razor_t)
+	')
 ')
diff --git a/rdisc.fc b/rdisc.fc
index e9765c0f22..ea21331d80 100644
--- a/rdisc.fc
+++ b/rdisc.fc
@@ -1,3 +1,3 @@
-/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
+/usr/lib/systemd/system/rdisc.*         --      gen_context(system_u:object_r:rdisc_unit_file_t,s0)
 
 /usr/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/rdisc.if b/rdisc.if
index 170ef52fbe..28ccc4a75c 100644
--- a/rdisc.if
+++ b/rdisc.if
@@ -18,3 +18,58 @@ interface(`rdisc_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, rdisc_exec_t)
 ')
+
+########################################
+## <summary>
+##      Execute rdisc server in the rdisc domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`rdisc_systemctl',`
+        gen_require(`
+                type rdisc_t;
+                type rdisc_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+        allow $1 rdisc_unit_file_t:file read_file_perms;
+        allow $1 rdisc_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, rdisc_t)
+')
+
+########################################
+## <summary>
+##      All of the rules required to administrate
+##      an rdisc environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rdisc_admin',`
+        gen_require(`
+            type rdisc_t;
+            type rdisc_unit_file_t;
+        ')
+
+        allow $1 rdisc_t:process { ptrace signal_perms };
+        ps_process_pattern($1, rdisc_t)
+
+        rdisc_systemctl($1)
+        admin_pattern($1, rdisc_unit_file_t)
+        allow $1 rdisc_unit_file_t:service all_service_perms;
+        optional_policy(`
+                systemd_passwd_agent_exec($1)
+                systemd_read_fifo_file_passwd_run($1)
+        ')
+')
diff --git a/rdisc.te b/rdisc.te
index 9196c1dbb4..b7759316f7 100644
--- a/rdisc.te
+++ b/rdisc.te
@@ -9,6 +9,9 @@ type rdisc_t;
 type rdisc_exec_t;
 init_daemon_domain(rdisc_t, rdisc_exec_t)
 
+type rdisc_unit_file_t;
+systemd_unit_file(rdisc_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t)
 kernel_read_proc_symlinks(rdisc_t)
 kernel_read_kernel_sysctls(rdisc_t)
 
-corenet_all_recvfrom_unlabeled(rdisc_t)
 corenet_all_recvfrom_netlabel(rdisc_t)
 corenet_udp_sendrecv_generic_if(rdisc_t)
 corenet_raw_sendrecv_generic_if(rdisc_t)
@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t)
 
 domain_use_interactive_fds(rdisc_t)
 
-files_read_etc_files(rdisc_t)
 
 logging_send_syslog_msg(rdisc_t)
 
-miscfiles_read_localization(rdisc_t)
-
 sysnet_read_config(rdisc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
diff --git a/readahead.fc b/readahead.fc
index f01b32fe20..46279e853b 100644
--- a/readahead.fc
+++ b/readahead.fc
@@ -1,7 +1,11 @@
-/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
+/dev/\.systemd/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_run_t,s0)
 
+/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 /usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 
+/usr/lib/systemd/systemd-readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
+
 /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
 
+/var/run/systemd/readahead(/.*)?  gen_context(system_u:object_r:readahead_var_run_t,s0)
 /var/run/readahead.*	gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/readahead.if b/readahead.if
index 661bb88fda..06f69c4ada 100644
--- a/readahead.if
+++ b/readahead.if
@@ -19,3 +19,27 @@ interface(`readahead_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, readahead_exec_t, readahead_t)
 ')
+
+########################################
+## <summary>
+##	Manage readahead var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`readahead_manage_pid_files',`
+	gen_require(`
+		type readahead_var_run_t;
+	')
+
+	manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
+	manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
+	dev_filetrans($1, readahead_var_run_t, { dir  file })
+	init_pid_filetrans($1, readahead_var_run_t, { dir file })
+	files_search_pids($1)	
+	init_search_pid_dirs($1)
+')
+
diff --git a/readahead.te b/readahead.te
index c0b02c91c1..f4705559c6 100644
--- a/readahead.te
+++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
 
 type readahead_var_run_t;
 files_pid_file(readahead_var_run_t)
+dev_associate(readahead_var_run_t)
 init_daemon_run_dir(readahead_var_run_t, "readahead")
 
 ########################################
@@ -31,13 +32,19 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
 
 manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
 manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
 files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
+allow readahead_t readahead_var_run_t:file map;
 
 kernel_read_all_sysctls(readahead_t)
 kernel_read_system_state(readahead_t)
 kernel_dontaudit_getattr_core_if(readahead_t)
+kernel_list_all_proc(readahead_t)
 
-dev_read_sysfs(readahead_t)
+dev_rw_sysfs(readahead_t)
+dev_read_kmsg(readahead_t)
+dev_read_urand(readahead_t)
+dev_write_kmsg(readahead_t)
 dev_getattr_generic_chr_files(readahead_t)
 dev_getattr_generic_blk_files(readahead_t)
 dev_getattr_all_chr_files(readahead_t)
@@ -51,12 +58,22 @@ domain_use_interactive_fds(readahead_t)
 domain_read_all_domains_state(readahead_t)
 
 files_create_boot_flag(readahead_t)
+files_delete_root_files(readahead_t)
 files_getattr_all_pipes(readahead_t)
 files_list_non_security(readahead_t)
 files_read_non_security_files(readahead_t)
 files_search_var_lib(readahead_t)
 files_dontaudit_getattr_all_sockets(readahead_t)
 files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_dontaudit_all_access_check(readahead_t)
+files_dontaudit_read_security_files(readahead_t)
+files_dontaudit_read_all_sockets(readahead_t)
+
+ifdef(`hide_broken_symptoms', `
+      files_dontaudit_write_all_files(readahead_t)
+      dev_dontaudit_write_all_chr_files(readahead_t)
+      dev_dontaudit_write_all_blk_files(readahead_t)
+')
 
 fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
@@ -66,13 +83,12 @@ fs_read_cgroup_files(readahead_t)
 fs_read_tmpfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 fs_list_inotifyfs(readahead_t)
+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
 fs_dontaudit_search_ramfs(readahead_t)
 fs_dontaudit_read_ramfs_pipes(readahead_t)
 fs_dontaudit_read_ramfs_files(readahead_t)
 fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
 
-mcs_file_read_all(readahead_t)
-
 mls_file_read_all_levels(readahead_t)
 
 storage_raw_read_fixed_disk(readahead_t)
@@ -84,13 +100,15 @@ auth_dontaudit_read_shadow(readahead_t)
 init_use_fds(readahead_t)
 init_use_script_ptys(readahead_t)
 init_getattr_initctl(readahead_t)
+# needs to write to /run/systemd/notify
+init_write_pid_socket(readahead_t)
+init_create_pid_dirs(readahead_t)
+init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")
 
 logging_send_syslog_msg(readahead_t)
 logging_set_audit_parameters(readahead_t)
 logging_dontaudit_search_audit_config(readahead_t)
 
-miscfiles_read_localization(readahead_t)
-
 userdom_dontaudit_use_unpriv_user_fds(readahead_t)
 userdom_dontaudit_search_user_home_dirs(readahead_t)
 
diff --git a/realmd.fc b/realmd.fc
index 04babe3d5b..3b92679bbb 100644
--- a/realmd.fc
+++ b/realmd.fc
@@ -1 +1,5 @@
-/usr/lib/realmd/realmd	--	gen_context(system_u:object_r:realmd_exec_t,s0)
+/usr/lib/realmd/realmd		--	gen_context(system_u:object_r:realmd_exec_t,s0)
+
+/var/cache/realmd(/.*)?			gen_context(system_u:object_r:realmd_var_cache_t,s0)
+
+/var/lib/ipa-client(/.*)?		gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff --git a/realmd.if b/realmd.if
index bff31dfd2a..1663054d93 100644
--- a/realmd.if
+++ b/realmd.if
@@ -1,8 +1,9 @@
-## <summary>Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.</summary>
+
+## <summary>dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA</summary>
 
 ########################################
 ## <summary>
-##	Execute realmd in the realmd domain.
+##	Execute realmd in the realmd_t domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -39,3 +40,120 @@ interface(`realmd_dbus_chat',`
 	allow $1 realmd_t:dbus send_msg;
 	allow realmd_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Search realmd cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`realmd_search_cache',`
+	gen_require(`
+		type realmd_var_cache_t;
+	')
+
+	allow $1 realmd_var_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read realmd cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`realmd_read_cache_files',`
+	gen_require(`
+		type realmd_var_cache_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	realmd cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`realmd_manage_cache_files',`
+	gen_require(`
+		type realmd_var_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage realmd cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`realmd_manage_cache_dirs',`
+	gen_require(`
+		type realmd_var_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
+')
+
+
+########################################
+## <summary>
+##	Read realmd tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`realmd_read_tmp_files',`
+	gen_require(`
+		type realmd_tmp_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
+')
+
+#######################################
+## <summary>
+##	Read realmd library files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`realmd_read_var_lib',`
+	gen_require(`
+		type realmd_var_lib_t;
+	')
+
+	list_dirs_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
+	read_files_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
+
+')
diff --git a/realmd.te b/realmd.te
index 5bc878b29d..573620309b 100644
--- a/realmd.te
+++ b/realmd.te
@@ -7,46 +7,88 @@ policy_module(realmd, 1.1.0)
 
 type realmd_t;
 type realmd_exec_t;
-init_system_domain(realmd_t, realmd_exec_t)
+init_daemon_domain(realmd_t, realmd_exec_t)
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
+
+type realmd_tmp_t;
+files_tmp_file(realmd_tmp_t)
+
+type realmd_var_cache_t;
+files_type(realmd_var_cache_t)
+
+type realmd_var_lib_t;
+files_type(realmd_var_lib_t)
 
 ########################################
 #
-# Local policy
+# realmd local policy
 #
 
-allow realmd_t self:capability sys_nice;
+allow realmd_t self:capability { sys_nice };
+allow realmd_t self:capability2 block_suspend;
 allow realmd_t self:process setsched;
+allow realmd_t self:key manage_key_perms;
+
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
+files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
+
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
+manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
+files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
 
 kernel_read_system_state(realmd_t)
+kernel_read_network_state(realmd_t)
 
 corecmd_exec_bin(realmd_t)
 corecmd_exec_shell(realmd_t)
 
-corenet_all_recvfrom_unlabeled(realmd_t)
-corenet_all_recvfrom_netlabel(realmd_t)
-corenet_tcp_sendrecv_generic_if(realmd_t)
-corenet_tcp_sendrecv_generic_node(realmd_t)
-
-corenet_sendrecv_http_client_packets(realmd_t)
 corenet_tcp_connect_http_port(realmd_t)
-corenet_tcp_sendrecv_http_port(realmd_t)
+corenet_tcp_connect_ldap_port(realmd_t)
+corenet_tcp_connect_smbd_port(realmd_t)
 
 domain_use_interactive_fds(realmd_t)
 
 dev_read_rand(realmd_t)
 dev_read_urand(realmd_t)
 
-fs_getattr_all_fs(realmd_t)
+files_manage_etc_files(realmd_t)
 
-files_read_usr_files(realmd_t)
+fs_getattr_all_fs(realmd_t)
 
 auth_use_nsswitch(realmd_t)
 
+init_filetrans_named_content(realmd_t)
+
+logging_manage_generic_logs(realmd_t)
 logging_send_syslog_msg(realmd_t)
 
+miscfiles_manage_generic_cert_files(realmd_t)
+
+seutil_domtrans_setfiles(realmd_t)
+seutil_read_file_contexts(realmd_t)
+
+sysnet_dns_name_resolve(realmd_t)
+systemd_exec_systemctl(realmd_t)
+
+#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
+
+optional_policy(`
+	authconfig_domtrans(realmd_t)
+')
+
 optional_policy(`
 	dbus_system_domain(realmd_t, realmd_exec_t)
 
+	optional_policy(`
+		certmonger_dbus_chat(realmd_t)
+	')
+
 	optional_policy(`
 		networkmanager_dbus_chat(realmd_t)
 	')
@@ -63,21 +105,40 @@ optional_policy(`
 optional_policy(`
 	kerberos_use(realmd_t)
 	kerberos_rw_keytab(realmd_t)
+	kerberos_rw_config(realmd_t)
+	kerberos_filetrans_named_content(realmd_t)
+')
+
+optional_policy(`
+	ntp_domtrans_ntpdate(realmd_t)
+')
+
+optional_policy(`
+	ssh_domtrans(realmd_t)
+	ssh_systemctl(realmd_t)
 ')
 
 optional_policy(`
 	nis_exec_ypbind(realmd_t)
-	nis_initrc_domtrans(realmd_t)
+	nis_systemctl_ypbind(realmd_t)
 ')
 
 optional_policy(`
-	gnome_read_generic_home_content(realmd_t)
+	gnome_read_config(realmd_t)
+	gnome_read_generic_cache_files(realmd_t)
+	gnome_write_generic_cache_files(realmd_t)
+	gnome_manage_cache_home_dir(realmd_t)
+
 ')
 
 optional_policy(`
 	samba_domtrans_net(realmd_t)
 	samba_manage_config(realmd_t)
-	samba_getattr_winbind_exec(realmd_t)
+	samba_getattr_winbind(realmd_t)
+')
+
+optional_policy(`
+	rpm_dbus_chat(realmd_t)
 ')
 
 optional_policy(`
@@ -86,5 +147,27 @@ optional_policy(`
 	sssd_manage_lib_files(realmd_t)
 	sssd_manage_public_files(realmd_t)
 	sssd_read_pid_files(realmd_t)
-	sssd_initrc_domtrans(realmd_t)
+	sssd_systemctl(realmd_t)
+')
+
+optional_policy(`
+	xserver_read_state_xdm(realmd_t)
+')
+
+optional_policy(`
+	unconfined_domain(realmd_t)
+')
+
+#####################################
+#
+# realmd consolehelper local policy
+#
+
+optional_policy(`
+    userhelper_console_role_template(realmd, system_r, realmd_t)
+	authconfig_manage_lib_files(realmd_consolehelper_t)
+
+	oddjob_systemctl(realmd_consolehelper_t)	
+
+	unconfined_domain_noaudit(realmd_consolehelper_t)
 ')
diff --git a/redis.fc b/redis.fc
index e240ac99cc..83edd1be24 100644
--- a/redis.fc
+++ b/redis.fc
@@ -1,9 +1,16 @@
 /etc/rc\.d/init\.d/redis	--	gen_context(system_u:object_r:redis_initrc_exec_t,s0)
 
-/usr/sbin/redis-server	--	gen_context(system_u:object_r:redis_exec_t,s0)
+/etc/redis-sentinel.*		--	gen_context(system_u:object_r:redis_conf_t,s0)
 
-/var/lib/redis(/.*)?	gen_context(system_u:object_r:redis_var_lib_t,s0)
+/usr/lib/systemd/system/redis.*		--	gen_context(system_u:object_r:redis_unit_file_t,s0)
 
-/var/log/redis(/.*)?	gen_context(system_u:object_r:redis_log_t,s0)
+/usr/bin/redis-server		--	gen_context(system_u:object_r:redis_exec_t,s0)
 
-/var/run/redis(/.*)?	gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/lib/redis(/.*)?		gen_context(system_u:object_r:redis_var_lib_t,s0)
+
+/var/log/redis(/.*)?		gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
+
+
+/var/opt/rh/rh-redis32/redis(/.*)?		--	gen_context(system_u:object_r:redis_exec_t,s0)
diff --git a/redis.if b/redis.if
index 16c8ecbe3d..4e021eca71 100644
--- a/redis.if
+++ b/redis.if
@@ -1,9 +1,225 @@
-## <summary>Advanced key-value store.</summary>
+## <summary>Advanced key-value store</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an redis environment.
+##	Execute redis server in the redis domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`redis_domtrans',`
+	gen_require(`
+		type redis_t, redis_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, redis_exec_t, redis_t)
+')
+
+########################################
+## <summary>
+##	Execute redis server in the redis domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_initrc_domtrans',`
+	gen_require(`
+		type redis_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read redis's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_read_log',`
+	gen_require(`
+		type redis_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+##	Append to redis log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_append_log',`
+	gen_require(`
+		type redis_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+##	Manage redis log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_manage_log',`
+	gen_require(`
+		type redis_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, redis_log_t, redis_log_t)
+	manage_files_pattern($1, redis_log_t, redis_log_t)
+	manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+##	Search redis lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_search_lib',`
+	gen_require(`
+		type redis_var_lib_t;
+	')
+
+	allow $1 redis_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read redis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_read_lib_files',`
+	gen_require(`
+		type redis_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage redis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_manage_lib_files',`
+	gen_require(`
+		type redis_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage redis lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_manage_lib_dirs',`
+	gen_require(`
+		type redis_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read redis PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`redis_read_pid_files',`
+	gen_require(`
+		type redis_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, redis_var_run_t, redis_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute redis server in the redis domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`redis_systemctl',`
+	gen_require(`
+		type redis_t;
+		type redis_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 redis_unit_file_t:file read_file_perms;
+	allow $1 redis_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, redis_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an redis environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -20,7 +236,7 @@
 interface(`redis_admin',`
 	gen_require(`
 		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
-		type redis_log_t, redis_var_run_t;
+		type redis_log_t, redis_var_run_t, redis_unit_file_t;
 	')
 
 	allow $1 redis_t:process { ptrace signal_perms };
@@ -32,11 +248,20 @@ interface(`redis_admin',`
 	allow $2 system_r;
 
 	logging_search_logs($1)
-	admin_pattern($!, redis_log_t)
+	admin_pattern($1, redis_log_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, redis_var_lib_t)
 
 	files_search_pids($1)
 	admin_pattern($1, redis_var_run_t)
+
+	redis_systemctl($1)
+	admin_pattern($1, redis_unit_file_t)
+	allow $1 redis_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/redis.te b/redis.te
index 25cd4175fe..bbf421ec39 100644
--- a/redis.te
+++ b/redis.te
@@ -5,6 +5,13 @@ policy_module(redis, 1.0.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow Redis to run redis-sentinal notification scripts.
+## </p>
+## </desc>
+gen_tunable(redis_enable_notify, false)
+
 type redis_t;
 type redis_exec_t;
 init_daemon_domain(redis_t, redis_exec_t)
@@ -12,6 +19,9 @@ init_daemon_domain(redis_t, redis_exec_t)
 type redis_initrc_exec_t;
 init_script_file(redis_initrc_exec_t)
 
+type redis_conf_t;
+files_config_file(redis_conf_t)
+
 type redis_log_t;
 logging_log_file(redis_log_t)
 
@@ -21,6 +31,12 @@ files_type(redis_var_lib_t)
 type redis_var_run_t;
 files_pid_file(redis_var_run_t)
 
+type redis_tmp_t;
+files_tmp_file(redis_tmp_t)
+
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -31,6 +47,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms;
 allow redis_t self:unix_stream_socket create_stream_socket_perms;
 allow redis_t self:tcp_socket create_stream_socket_perms;
 
+manage_files_pattern(redis_t, redis_conf_t, redis_conf_t)
+
 manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
 manage_files_pattern(redis_t, redis_log_t, redis_log_t)
 manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
@@ -42,14 +60,22 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
 manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+
+
+manage_dirs_pattern(redis_t, redis_tmp_t, redis_tmp_t)
+manage_files_pattern(redis_t, redis_tmp_t, redis_tmp_t)
+files_tmp_filetrans(redis_t, redis_tmp_t, { dir file })
 
 kernel_read_system_state(redis_t)
+kernel_read_net_sysctls(redis_t)
 
 corenet_all_recvfrom_unlabeled(redis_t)
 corenet_all_recvfrom_netlabel(redis_t)
 corenet_tcp_sendrecv_generic_if(redis_t)
 corenet_tcp_sendrecv_generic_node(redis_t)
 corenet_tcp_bind_generic_node(redis_t)
+corenet_tcp_connect_redis_port(redis_t)
 
 corenet_sendrecv_redis_server_packets(redis_t)
 corenet_tcp_bind_redis_port(redis_t)
@@ -60,6 +86,28 @@ dev_read_urand(redis_t)
 
 logging_send_syslog_msg(redis_t)
 
-miscfiles_read_localization(redis_t)
-
 sysnet_dns_name_resolve(redis_t)
+
+tunable_policy(`redis_enable_notify',`
+	# allow httpd to connect to mail servers
+	corenet_tcp_connect_smtp_port(redis_t)
+	corenet_sendrecv_smtp_client_packets(redis_t)
+	corenet_tcp_connect_pop_port(redis_t)
+    corenet_sendrecv_pop_client_packets(redis_t)
+
+    corecmd_exec_bin(redis_t)
+    corecmd_exec_shell(redis_t)
+')
+
+optional_policy(`
+    tunable_policy(`redis_enable_notify',`
+	    mta_send_mail(redis_t)
+	    mta_signal_system_mail(redis_t)
+    ')
+')
+
+optional_policy(`
+    tunable_policy(`redis_enable_notify',`
+        postfix_rw_spool_maildrop_files(redis_t)
+    ')
+')
diff --git a/remotelogin.fc b/remotelogin.fc
index 327baf059e..d8691bd142 100644
--- a/remotelogin.fc
+++ b/remotelogin.fc
@@ -1 +1,2 @@
+
 # Remote login currently has no file contexts.
diff --git a/remotelogin.if b/remotelogin.if
index a9ce68e339..92520aa921 100644
--- a/remotelogin.if
+++ b/remotelogin.if
@@ -1,4 +1,4 @@
-## <summary>Rshd, rlogind, and telnetd.</summary>
+## <summary>Policy for rshd, rlogind, and telnetd.</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',`
 		type remote_login_t;
 	')
 
-	corecmd_search_bin($1)
 	auth_domtrans_login_program($1, remote_login_t)
 ')
 
 ########################################
 ## <summary>
-##	Send generic signals to remote login.
+##	allow Domain to signal remote login domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -39,8 +38,7 @@ interface(`remotelogin_signal',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	remote login temporary content.
+##	allow Domain to signal remote login domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -48,32 +46,10 @@ interface(`remotelogin_signal',`
 ##	</summary>
 ## </param>
 #
-interface(`remotelogin_manage_tmp_content',`
+interface(`remotelogin_signull',`
 	gen_require(`
-		type remote_login_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 remote_login_tmp_t:dir manage_dir_perms;
-	allow $1 remote_login_tmp_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Relabel remote login temporary content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`remotelogin_relabel_tmp_content',`
-	gen_require(`
-		type remote_login_tmp_t;
+		type remote_login_t;
 	')
 
-	files_search_tmp($1)
-	allow $1 remote_login_tmp_t:dir relabel_dir_perms;
-	allow $1 remote_login_tmp_t:file relabel_file_perms;
+	allow $1 remote_login_t:process signull;
 ')
diff --git a/remotelogin.te b/remotelogin.te
index ae308717f5..15a669cd42 100644
--- a/remotelogin.te
+++ b/remotelogin.te
@@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t)
 auth_login_pgm_domain(remote_login_t)
 auth_login_entry_type(remote_login_t)
 
-type remote_login_tmp_t;
-files_tmp_file(remote_login_tmp_t)
-
 ########################################
 #
-# Local policy
+# Remote login remote policy
 #
 
-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow remote_login_t self:capability { dac_read_search dac_read_search dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
 allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow remote_login_t self:process { setrlimit setexec };
 allow remote_login_t self:fd use;
 allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:sock_file read_sock_file_perms;
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
 allow remote_login_t self:unix_dgram_socket sendto;
-allow remote_login_t self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+allow remote_login_t self:unix_stream_socket connectto;
+allow remote_login_t self:shm create_shm_perms;
+allow remote_login_t self:sem create_sem_perms;
+allow remote_login_t self:msgq create_msgq_perms;
+allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
 
 kernel_read_system_state(remote_login_t)
 kernel_read_kernel_sysctls(remote_login_t)
 
 dev_getattr_mouse_dev(remote_login_t)
 dev_setattr_mouse_dev(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
 
 fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
 
 term_relabel_all_ptys(remote_login_t)
 term_use_all_ptys(remote_login_t)
 term_setattr_all_ptys(remote_login_t)
 
-auth_manage_pam_console_data(remote_login_t)
-auth_domtrans_pam_console(remote_login_t)
 auth_rw_login_records(remote_login_t)
 auth_rw_faillog(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
+auth_domtrans_pam_console(remote_login_t)
 
 corecmd_list_bin(remote_login_t)
 corecmd_read_bin_symlinks(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(remote_login_t)
+corecmd_read_bin_pipes(remote_login_t)
+corecmd_read_bin_sockets(remote_login_t)
 
 domain_read_all_entry_files(remote_login_t)
 
 files_read_etc_runtime_files(remote_login_t)
 files_list_home(remote_login_t)
-files_read_usr_files(remote_login_t)
 files_list_world_readable(remote_login_t)
 files_read_world_readable_files(remote_login_t)
 files_read_world_readable_symlinks(remote_login_t)
 files_read_world_readable_pipes(remote_login_t)
 files_read_world_readable_sockets(remote_login_t)
 files_list_mnt(remote_login_t)
+# for when /var/mail is a sym-link
 files_read_var_symlinks(remote_login_t)
 
-miscfiles_read_localization(remote_login_t)
+auth_use_nsswitch(remote_login_t)
+
 
 userdom_use_unpriv_users_fds(remote_login_t)
 userdom_search_user_home_content(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
 userdom_signal_unpriv_users(remote_login_t)
 userdom_spec_domtrans_unpriv_users(remote_login_t)
+userdom_use_user_ptys(remote_login_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(remote_login_t)
-	fs_read_nfs_symlinks(remote_login_t)
-')
+userdom_manage_user_tmp_dirs(remote_login_t)
+userdom_manage_user_tmp_files(remote_login_t)
+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(remote_login_t)
-	fs_read_cifs_symlinks(remote_login_t)
-')
+userdom_home_reader(remote_login_t)
 
 optional_policy(`
 	alsa_domtrans(remote_login_t)
 ')
 
 optional_policy(`
+	# Search for mail spool file.
 	mta_getattr_spool(remote_login_t)
 ')
 
diff --git a/resmgr.te b/resmgr.te
index f6eb358ad3..b6319191cf 100644
--- a/resmgr.te
+++ b/resmgr.te
@@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t)
 # Local policy
 #
 
-allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
+allow resmgrd_t self:capability { dac_read_search dac_override sys_admin sys_rawio };
 dontaudit resmgrd_t self:capability sys_tty_config;
 allow resmgrd_t self:process signal_perms;
 
@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
 
 domain_use_interactive_fds(resmgrd_t)
 
-files_read_etc_files(resmgrd_t)
 
 fs_search_auto_mountpoints(resmgrd_t)
 
@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t)
 
 logging_send_syslog_msg(resmgrd_t)
 
-miscfiles_read_localization(resmgrd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
 
 optional_policy(`
diff --git a/rgmanager.fc b/rgmanager.fc
index 5421af0b68..91e69b8690 100644
--- a/rgmanager.fc
+++ b/rgmanager.fc
@@ -1,12 +1,22 @@
-/etc/rc\.d/init\.d/rgmanager	--	gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd         --  gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager          --  gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat    --  gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
 
-/usr/sbin/rgmanager	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cpglockd                      --      gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/rgmanager			--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
 
-/usr/sbin/ccs_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
-/usr/sbin/cman_tool	--	gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/ccs_tool      --  gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cman_tool     --  gen_context(system_u:object_r:rgmanager_exec_t,s0)
 
-/var/log/cluster/rgmanager\.log.*	--	gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/usr/lib/heartbeat(/.*)?           gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat   --  gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/var/lib/heartbeat(/.*)?               gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
 
-/var/run/cluster/rgmanager\.sk	-s	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/log/cluster/cpglockd\.log.*        --      gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.*		--	gen_context(system_u:object_r:rgmanager_var_log_t,s0)
 
-/var/run/rgmanager\.pid	--	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/cluster/rgmanager\.sk		-s	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cpglockd\.pid                --      gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/heartbeat(/.*)?             gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/rgmanager\.pid			--	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
index 1c2f9aa127..a4133dc921 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -1,13 +1,13 @@
-## <summary>Resource Group Manager.</summary>
+## <summary>rgmanager - Resource Group Manager</summary>
 
 #######################################
 ## <summary>
 ##	Execute a domain transition to run rgmanager.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rgmanager_domtrans',`
@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',`
 
 ########################################
 ## <summary>
-##	Connect to rgmanager with a unix
-##	domain stream socket.
+##	Connect to rgmanager over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',`
 	stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
 ')
 
+########################################
+## <summary>
+##	Manage rgmanager pid files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rgmanager_manage_pid_files',`
+	gen_require(`
+		type rgmanager_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
+')
+
 ######################################
 ## <summary>
-##	Create, read, write, and delete
-##	rgmanager tmp files.
+##	Allow manage rgmanager tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',`
 
 ######################################
 ## <summary>
-##	Create, read, write, and delete
-##	rgmanager tmpfs files.
+##	Allow manage rgmanager tmpfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',`
 	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
 ')
 
+#######################################
+## <summary>
+##	Allow read and write access to rgmanager semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rgmanager_rw_semaphores',`
+	gen_require(`
+		type rgmanager_t;
+	')
+
+	allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
 ######################################
 ## <summary>
-##	All of the rules required to
-##	administrate an rgmanager environment.
+##	All of the rules required to administrate
+##	an rgmanager environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the rgmanager domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -102,8 +136,11 @@ interface(`rgmanager_admin',`
 		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
 	')
 
-	allow $1 rgmanager_t:process { ptrace signal_perms };
+	allow $1 rgmanager_t:process signal_perms;
 	ps_process_pattern($1, rgmanager_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 rgmanager_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
 	files_list_pids($1)
 	admin_pattern($1, rgmanager_var_run_t)
 ')
+
+
+######################################
+## <summary>
+##  Allow the specified domain to manage rgmanager's lib/run files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rgmanager_manage_files',`
+    gen_require(`
+        type rgmanager_var_lib_t;
+        type rgmanager_var_run_t;
+    ')
+
+    files_list_var_lib($1)
+    admin_pattern($1, rgmanager_var_lib_t)
+
+    files_list_pids($1)
+    admin_pattern($1, rgmanager_var_run_t)
+')
+
+######################################
+## <summary>
+##  Allow the specified domain to execute rgmanager's lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rgmanager_execute_lib',`
+    gen_require(`
+        type rgmanager_var_lib_t;
+    ')
+
+    files_list_var_lib($1)
+    allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+    can_exec($1, rgmanager_var_lib_t)
+')
+
+######################################
+## <summary>
+##  Allow the specified domain to search rgmanager's lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rgmanager_search_lib',`
+    gen_require(`
+        type rgmanager_var_lib_t;
+    ')
+
+    files_list_var_lib($1)
+    allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+')
diff --git a/rgmanager.te b/rgmanager.te
index c8a1e16e45..f9d6fb3412 100644
--- a/rgmanager.te
+++ b/rgmanager.te
@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether rgmanager can
-##	connect to the network using TCP.
-##	</p>
+## <p>
+## Allow rgmanager domain to connect to the network using TCP.
+## </p>
 ## </desc>
 gen_tunable(rgmanager_can_network_connect, false)
 
@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t)
 type rgmanager_tmpfs_t;
 files_tmpfs_file(rgmanager_tmpfs_t)
 
+type rgmanager_var_lib_t;
+files_type(rgmanager_var_lib_t)
+
 type rgmanager_var_log_t;
 logging_log_file(rgmanager_var_log_t)
 
@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t)
 
 ########################################
 #
-# Local policy
+# rgmanager local policy
 #
 
-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+allow rgmanager_t self:capability { dac_read_search dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
 allow rgmanager_t self:process { setsched signal };
+
 allow rgmanager_t self:fifo_file rw_fifo_file_perms;
-allow rgmanager_t self:unix_stream_socket { accept listen };
-allow rgmanager_t self:tcp_socket { accept listen };
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
 manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
 manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
 fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
 
-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
+# var/lib files
+# # needed by hearbeat
+can_exec(rgmanager_t, rgmanager_var_lib_t)
+manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
+files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
+
+
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
 
+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
 
+kernel_kill(rgmanager_t)
 kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_rpc_sysctls(rgmanager_t)
 kernel_read_system_state(rgmanager_t)
 kernel_rw_rpc_sysctls(rgmanager_t)
 kernel_search_debugfs(rgmanager_t)
 kernel_search_network_state(rgmanager_t)
 
-corenet_all_recvfrom_unlabeled(rgmanager_t)
-corenet_all_recvfrom_netlabel(rgmanager_t)
-corenet_tcp_sendrecv_generic_if(rgmanager_t)
-corenet_tcp_sendrecv_generic_node(rgmanager_t)
-
 corecmd_exec_bin(rgmanager_t)
 corecmd_exec_shell(rgmanager_t)
 
+# need to write to /dev/misc/dlm-control
 dev_rw_dlm_control(rgmanager_t)
 dev_setattr_dlm_control(rgmanager_t)
 dev_search_sysfs(rgmanager_t)
 
 domain_read_all_domains_state(rgmanager_t)
 domain_getattr_all_domains(rgmanager_t)
-domain_dontaudit_ptrace_all_domains(rgmanager_t)
 
-files_list_all(rgmanager_t)
+files_create_var_run_dirs(rgmanager_t)
 files_getattr_all_symlinks(rgmanager_t)
+files_list_all(rgmanager_t)
 files_manage_mnt_dirs(rgmanager_t)
+files_manage_mnt_files(rgmanager_t)
+files_manage_mnt_symlinks(rgmanager_t)
+files_manage_isid_type_files(rgmanager_t)
 files_manage_isid_type_dirs(rgmanager_t)
-files_read_non_security_files(rgmanager_t)
 
+fs_getattr_xattr_fs(rgmanager_t)
 fs_getattr_all_fs(rgmanager_t)
 
 storage_raw_read_fixed_disk(rgmanager_t)
+storage_getattr_fixed_disk_dev(rgmanager_t)
 
 term_getattr_pty_fs(rgmanager_t)
 
+# needed by resources scripts
+files_read_non_security_files(rgmanager_t)
 auth_dontaudit_getattr_shadow(rgmanager_t)
 auth_use_nsswitch(rgmanager_t)
 
 init_domtrans_script(rgmanager_t)
+init_initrc_domain(rgmanager_t)
 
 logging_send_syslog_msg(rgmanager_t)
 
-miscfiles_read_localization(rgmanager_t)
+userdom_kill_all_users(rgmanager_t)
 
 tunable_policy(`rgmanager_can_network_connect',`
-	corenet_sendrecv_all_client_packets(rgmanager_t)
 	corenet_tcp_connect_all_ports(rgmanager_t)
-	corenet_tcp_sendrecv_all_ports(rgmanager_t)
 ')
 
+# rgmanager can run resource scripts
 optional_policy(`
 	aisexec_stream_connect(rgmanager_t)
+	corosync_stream_connect(rgmanager_t)
 ')
 
 optional_policy(`
-	consoletype_exec(rgmanager_t)
+	apache_domtrans(rgmanager_t)
+	apache_signal(rgmanager_t)
 ')
 
 optional_policy(`
-	corosync_stream_connect(rgmanager_t)
+	consoletype_exec(rgmanager_t)
 ')
 
 optional_policy(`
-	apache_domtrans(rgmanager_t)
-	apache_signal(rgmanager_t)
+    dbus_system_bus_client(rgmanager_t)
 ')
 
 optional_policy(`
@@ -130,7 +150,6 @@ optional_policy(`
 
 optional_policy(`
 	rhcs_stream_connect_groupd(rgmanager_t)
-	rhcs_stream_connect_gfs_controld(rgmanager_t)
 ')
 
 optional_policy(`
@@ -140,12 +159,19 @@ optional_policy(`
 optional_policy(`
 	ccs_manage_config(rgmanager_t)
 	ccs_stream_connect(rgmanager_t)
+	rhcs_stream_connect_gfs_controld(rgmanager_t)
 ')
 
 optional_policy(`
 	lvm_domtrans(rgmanager_t)
 ')
 
+optional_policy(`
+	ldap_initrc_domtrans(rgmanager_t)
+	ldap_systemctl(rgmanager_t)
+	ldap_domtrans(rgmanager_t)
+')
+
 optional_policy(`
 	mount_domtrans(rgmanager_t)
 ')
@@ -174,12 +200,18 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rpc_initrc_domtrans_nfsd(rgmanager_t)
+	rpc_initrc_domtrans_rpcd(rgmanager_t)
+	rpc_systemctl_nfsd(rgmanager_t)
+	rpc_systemctl_rpcd(rgmanager_t)
+
 	rpc_domtrans_nfsd(rgmanager_t)
 	rpc_domtrans_rpcd(rgmanager_t)
 	rpc_manage_nfs_state_data(rgmanager_t)
 ')
 
 optional_policy(`
+	samba_initrc_domtrans(rgmanager_t)
 	samba_domtrans_smbd(rgmanager_t)
 	samba_domtrans_nmbd(rgmanager_t)
 	samba_manage_var_files(rgmanager_t)
@@ -200,6 +232,10 @@ optional_policy(`
 	virt_stream_connect(rgmanager_t)
 ')
 
+optional_policy(`
+	unconfined_domain(rgmanager_t)
+')
+
 optional_policy(`
 	xen_domtrans_xm(rgmanager_t)
 ')
diff --git a/rhcs.fc b/rhcs.fc
index 47de2d6813..c06395f39b 100644
--- a/rhcs.fc
+++ b/rhcs.fc
@@ -1,31 +1,107 @@
-/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced			    --	gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_sanlockd		--	gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool            --  gen_context(system_u:object_r:fenced_exec_t,s0) 
+/usr/sbin/fence_virtd 			--  gen_context(system_u:object_r:fenced_exec_t,s0) 
+/usr/sbin/gfs_controld			--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/foghorn               --  gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/sbin/groupd			    --	gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/haproxy               --  gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/haproxy-systemd-wrapper   --  gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/qdiskd			    --	gen_context(system_u:object_r:qdiskd_exec_t,s0)
 
-/usr/sbin/dlm_controld	--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-/usr/sbin/fenced	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_node	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/fence_tool	--	gen_context(system_u:object_r:fenced_exec_t,s0)
-/usr/sbin/foghorn	--	gen_context(system_u:object_r:foghorn_exec_t,s0)
-/usr/sbin/gfs_controld	--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/sbin/groupd	--	gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/sbin/qdiskd	--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
+/usr/lib/systemd/system/haproxy.*     --  gen_context(system_u:object_r:haproxy_unit_file_t,s0)
 
-/var/lock/fence_manual\.lock	--	gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lock/fence_manual\.lock		--	gen_context(system_u:object_r:fenced_lock_t,s0)
 
-/var/lib/qdiskd(/.*)?	gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/lib/cluster(/.*)?				gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/haproxy(/.*)?              gen_context(system_u:object_r:haproxy_var_lib_t,s0)
+/var/lib/qdiskd(/.*)?				gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
 
-/var/log/cluster/.*\.*log	<<none>>
+/var/log/cluster/.*\.*log			<<none>>
 /var/log/cluster/dlm_controld\.log.*	--	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-/var/log/cluster/fenced\.log.*	--	gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/fenced\.log.*		    --	gen_context(system_u:object_r:fenced_var_log_t,s0)
 /var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-/var/log/cluster/qdiskd\.log.*	--	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-/var/log/dlm_controld(/.*)?	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.*		    --	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/log/dlm_controld(/.*)?	                gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
 
 /var/run/cluster/fenced_override	--	gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/cluster/fence_scsi.*	--	gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/dlm_controld\.pid	--	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/dlm_controld(/.*)?	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/fenced\.pid	--	gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/gfs_controld\.pid	--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-/var/run/groupd\.pid	--	gen_context(system_u:object_r:groupd_var_run_t,s0)
-/var/run/qdiskd\.pid	--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+/var/run/cluster/fence_scsi.*           --       gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/cluster/mpath\.devices     --  gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid		--	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/dlm_controld(/.*)?		    gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fence.*				    gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid			--	gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/haproxy\.pid           --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/haproxy\.stat.*        --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/haproxy\.sock.*        -s  gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/qdiskd\.pid			--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
+# cluster administrative domains file spec
+/etc/rc\.d/init\.d/openais  --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd         --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/corosync --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager          --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat    --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pacemaker    --  gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/corosync.*  -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/corosync-qnetd.*  -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/corosync-qdevice.*  -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/lib/systemd/system/pacemaker.* --  gen_context(system_u:object_r:cluster_unit_file_t,s0)
+/usr/lib/systemd/system/pcsd.*      --  gen_context(system_u:object_r:cluster_unit_file_t,s0)
+
+/usr/sbin/aisexec   		--  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync  		--  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/corosync-notifyd  --  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/bin/corosync-qnetd		--	gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cpglockd			--	gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ccs_tool      	--  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cman_tool     	--  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ldirectord        --  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/rgmanager         --  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemakerd    	--  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemaker_remoted --  gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/corosync/corosync    --  gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/share/corosync/corosync-qdevice	--	gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/cluster/fence_scsi_check\.pl   --  gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_scsi_check   --  gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_scsi_check_hardreboot     --  gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_mpath_check   --  gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/share/cluster/fence_mpath_check_hardreboot    --  gen_context(system_u:object_r:fenced_exec_t,s0)
+
+/usr/lib/pcsd/pcsd          --  gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/lib/heartbeat(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat   -- 	gen_context(system_u:object_r:cluster_exec_t,s0)
+/var/lib/heartbeat(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/corosync(/.*)? 			gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/openais(/.*)?  			gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pacemaker(/.*)?			gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pcsd(/.*)?                 gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/pengine(/.*)?				gen_context(system_u:object_r:cluster_var_lib_t,s0)
+
+/var/run/aisexec.*  				gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cman_.*    				-s  gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cluster/rgmanager\.sk      -s  gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/cpglockd\.pid			--	gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync\.pid 			--  gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/crm(/.*)?					gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/heartbeat(/.*)?            gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rgmanager\.pid         --  gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/rsctmp(/.*)?   			gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync-qdevice(/.*)?	gen_context(system_u:object_r:cluster_var_run_t,s0)
+/var/run/corosync-qnetd(/.*)?	gen_context(system_u:object_r:cluster_var_run_t,s0)
+
+
+/var/log/cluster/aisexec\.log.* --  gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/cpglockd\.log.*        --      gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/corosync\.log.*    --  gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.*       --  gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pacemaker\.log.*           --  gen_context(system_u:object_r:cluster_var_log_t,s0) 
+/var/log/pcsd(/.*)?     gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
index c8bdea28d4..0f8b732c4c 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
-## <summary>Red Hat Cluster Suite.</summary>
+## <summary>RHCS - Red Hat Cluster Suite</summary>
 
 #######################################
 ## <summary>
-##	The template to define a rhcs domain.
+##	Creates types and rules for a basic
+##	rhcs init daemon domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
 template(`rhcs_domain_template',`
 	gen_require(`
-		attribute cluster_domain, cluster_pid, cluster_tmpfs;
-		attribute cluster_log;
+		attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
 	')
 
 	##############################
@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
 
-	manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-	manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
 	logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
 
 	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
@@ -56,20 +51,21 @@ template(`rhcs_domain_template',`
 	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 	files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
 
-	optional_policy(`
-		dbus_system_bus_client($1_t)
-	')
+    kernel_read_system_state($1_t)
+
+	auth_use_nsswitch($1_t)
+
+	logging_send_syslog_msg($1_t)
 ')
 
 ######################################
 ## <summary>
-##	Execute a domain transition to
-##	run dlm_controld.
+##	Execute a domain transition to run dlm_controld.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rhcs_domtrans_dlm_controld',`
@@ -83,8 +79,8 @@ interface(`rhcs_domtrans_dlm_controld',`
 
 #####################################
 ## <summary>
-##	Get attributes of fenced
-##	executable files.
+##	Connect to dlm_controld over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -92,18 +88,19 @@ interface(`rhcs_domtrans_dlm_controld',`
 ##	</summary>
 ## </param>
 #
-interface(`rhcs_getattr_fenced_exec_files',`
+interface(`rhcs_stream_connect_dlm_controld',`
 	gen_require(`
-		type fenced_exec_t;
+		type dlm_controld_t, dlm_controld_var_run_t;
 	')
 
-	allow $1 fenced_exec_t:file getattr_file_perms;
+	files_search_pids($1)
+	stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
 ')
 
 #####################################
 ## <summary>
-##	Connect to dlm_controld with a
-##	unix domain stream socket.
+##	Connect to haproxy over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -111,18 +108,36 @@ interface(`rhcs_getattr_fenced_exec_files',`
 ##	</summary>
 ## </param>
 #
-interface(`rhcs_stream_connect_dlm_controld',`
+interface(`rhcs_stream_connect_haproxy',`
 	gen_require(`
-		type dlm_controld_t, dlm_controld_var_run_t;
+		type haproxy_t, haproxy_var_run_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+	stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
+')
+
+########################################
+## <summary>
+##	Send a null signal to haproxy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_signull_haproxy',`
+	gen_require(`
+		type haproxy_t;
+	')
+
+	allow $1 haproxy_t:process signull;
 ')
 
 #####################################
 ## <summary>
-##	Read and write dlm_controld semaphores.
+##	Allow read and write access to dlm_controld semaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -160,9 +175,27 @@ interface(`rhcs_domtrans_fenced',`
 	domtrans_pattern($1, fenced_exec_t, fenced_t)
 ')
 
+#####################################
+## <summary>
+##  Allow a domain to getattr on fenced executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`rhcs_getattr_fenced',`
+    gen_require(`
+        type fenced_t, fenced_exec_t;
+    ')
+
+	allow $1 fenced_exec_t:file getattr;
+')
+
 ######################################
 ## <summary>
-##	Read and write fenced semaphores.
+##	Allow read and write access to fenced semaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -181,10 +214,9 @@ interface(`rhcs_rw_fenced_semaphores',`
 	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
 ')
 
-####################################
+######################################
 ## <summary>
-##	Connect to all cluster domains
-##	with a unix domain stream socket.
+##	Read fenced PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -192,19 +224,18 @@ interface(`rhcs_rw_fenced_semaphores',`
 ##	</summary>
 ## </param>
 #
-interface(`rhcs_stream_connect_cluster',`
+interface(`rhcs_read_fenced_pid_files',`
 	gen_require(`
-		attribute cluster_domain, cluster_pid;
+		type fenced_var_run_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+	read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
 ')
 
 ######################################
 ## <summary>
-##	Connect to fenced with an unix
-##	domain stream socket.
+##	Connect to fenced over a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -221,10 +252,28 @@ interface(`rhcs_stream_connect_fenced',`
 	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
 ')
 
+######################################
+## <summary>
+##	Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rhcs_domtrans_haproxy',`
+	gen_require(`
+		type haproxy_t, haproxy_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
 #####################################
 ## <summary>
-##	Execute a domain transition
-##	to run gfs_controld.
+##	Execute a domain transition to run gfs_controld.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -243,7 +292,7 @@ interface(`rhcs_domtrans_gfs_controld',`
 
 ####################################
 ## <summary>
-##	Read and write gfs_controld semaphores.
+##	Allow read and write access to gfs_controld semaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -264,7 +313,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
 
 ########################################
 ## <summary>
-##	Read and write gfs_controld_t shared memory.
+##	Read and write to gfs_controld_t shared memory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -285,8 +334,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
 
 #####################################
 ## <summary>
-##	Connect to gfs_controld_t with
-##	a unix domain stream socket.
+##	Connect to gfs_controld_t over a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -324,8 +372,8 @@ interface(`rhcs_domtrans_groupd',`
 
 #####################################
 ## <summary>
-##	Connect to groupd with a unix
-##	domain stream socket.
+##	Connect to groupd over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -342,10 +390,51 @@ interface(`rhcs_stream_connect_groupd',`
 	stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
 ')
 
+#####################################
+## <summary>
+##	Allow read and write access to groupd semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_semaphores',`
+	gen_require(`
+		type groupd_t, groupd_tmpfs_t;
+	')
+
+	allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_rw_groupd_shm',`
+	gen_require(`
+		type groupd_t, groupd_tmpfs_t;
+	')
+
+	allow $1 groupd_t:shm { rw_shm_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
 ########################################
 ## <summary>
-##	Read and write all cluster domains
-##	shared memory.
+##	Read and write to group shared memory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -362,12 +451,12 @@ interface(`rhcs_rw_cluster_shm',`
 
 	fs_search_tmpfs($1)
 	manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+    allow $1 cluster_tmpfs_t:file map;
 ')
 
 ####################################
 ## <summary>
-##	Read and write all cluster
-##	domains semaphores.
+##	Read and write access to cluster domains semaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -383,9 +472,10 @@ interface(`rhcs_rw_cluster_semaphores',`
 	allow $1 cluster_domain:sem { rw_sem_perms destroy };
 ')
 
-#####################################
+####################################
 ## <summary>
-##	Read and write groupd semaphores.
+##	Connect to cluster domains over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -393,20 +483,44 @@ interface(`rhcs_rw_cluster_semaphores',`
 ##	</summary>
 ## </param>
 #
-interface(`rhcs_rw_groupd_semaphores',`
+interface(`rhcs_stream_connect_cluster',`
 	gen_require(`
-		type groupd_t, groupd_tmpfs_t;
+		attribute cluster_domain, cluster_pid;
 	')
 
-	allow $1 groupd_t:sem { rw_sem_perms destroy };
+	files_search_pids($1)
+	stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+')
 
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+#####################################
+## <summary>
+##	Connect to cluster domains over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_stream_connect_cluster_to',`
+	gen_require(`
+		attribute cluster_domain;
+		attribute cluster_pid;
+	')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
 ')
 
 ########################################
 ## <summary>
-##	Read and write groupd shared memory.
+##	Send a null signal to cluster.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -414,15 +528,12 @@ interface(`rhcs_rw_groupd_semaphores',`
 ##	</summary>
 ## </param>
 #
-interface(`rhcs_rw_groupd_shm',`
+interface(`rhcs_signull_cluster',`
 	gen_require(`
-		type groupd_t, groupd_tmpfs_t;
+		type cluster_t;
 	')
 
-	allow $1 groupd_t:shm { rw_shm_perms destroy };
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+	allow $1 cluster_t:process signull;
 ')
 
 ######################################
@@ -446,52 +557,424 @@ interface(`rhcs_domtrans_qdiskd',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an rhcs environment.
+##	Allow domain to read qdiskd tmpfs files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`rhcs_read_qdiskd_tmpfs_files',`
+	gen_require(`
+		type qdiskd_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+##	Allow domain to read cluster lib files
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`rhcs_admin',`
+interface(`rhcs_read_cluster_lib_files',`
 	gen_require(`
-		attribute cluster_domain, cluster_pid, cluster_tmpfs;
-		attribute cluster_log;
-		type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
-		type fenced_tmp_t, qdiskd_var_lib_t;
+		type cluster_var_lib_t;
 	')
 
-	allow $1 cluster_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, cluster_domain)
+	files_search_var_lib($1)
+	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
 
-	init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
-	domain_system_change_exemption($1)
-	role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
-	allow $2 system_r;
+#####################################
+## <summary>
+##  Allow domain to manage cluster lib files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_lib_files',`
+    gen_require(`
+        type cluster_var_lib_t;
+    ')
 
-	files_search_pids($1)
-	admin_pattern($1, cluster_pid)
+    files_search_var_lib($1)
+    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
 
-	files_search_locks($1)
-	admin_pattern($1, fenced_lock_t)
+####################################
+## <summary>
+##  Allow domain to relabel cluster lib files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_relabel_cluster_lib_files',`
+    gen_require(`
+        type cluster_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
 
-	files_search_tmp($1)
-	admin_pattern($1, fenced_tmp_t)
+######################################
+## <summary>
+##  Execute a domain transition to run cluster administrative domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`rhcs_domtrans_cluster',`
+    gen_require(`
+        type cluster_t, cluster_exec_t;
+    ')
 
-	files_search_var_lib($1)
-	admin_pattern($1, qdiskd_var_lib_t)
+    corecmd_search_bin($1)
+    domtrans_pattern($1, cluster_exec_t, cluster_t)
+')
 
-	fs_search_tmpfs($1)
-	admin_pattern($1, cluster_tmpfs)
+#######################################
+## <summary>
+##  Execute cluster init scripts in
+##  the init script domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`rhcs_initrc_domtrans_cluster',`
+    gen_require(`
+        type cluster_initrc_exec_t;
+    ')
+
+    init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+##  Execute cluster in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_exec_cluster',`
+    gen_require(`
+        type cluster_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    can_exec($1, cluster_exec_t)
+')
+
+######################################
+## <summary>
+##  Read cluster log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_read_log_cluster',`
+    gen_require(`
+        type cluster_var_log_t;
+    ')
+
+    logging_search_logs($1)
+    list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
+    read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
+')
+
+######################################
+## <summary>
+##  Setattr cluster log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_setattr_log_cluster',`
+    gen_require(`
+        type cluster_var_log_t;
+    ')
+
+    setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
+')
+
+#####################################
+## <summary>
+##  Allow the specified domain to read/write inherited cluster's tmpf files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_rw_inherited_cluster_tmp_files',`
+    gen_require(`
+        type cluster_tmp_t;
+    ')
+
+    allow $1 cluster_tmp_t:file rw_inherited_file_perms;
+')
+
+#####################################
+## <summary>
+##  Allow manage cluster tmp files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_tmp_files',`
+    gen_require(`
+        type cluster_tmp_t;
+    ')
+
+    files_search_tmp($1)
+    manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
+')
+
+#####################################
+## <summary>
+##  Allow the specified domain to read/write cluster's tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_tmpfs',`
+    gen_require(`
+        type cluster_tmpfs_t;
+    ')
+
+    rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+    delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+    allow $1 cluster_tmpfs_t:file map;
+')
+
+#####################################
+## <summary>
+##  Allow manage cluster tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_tmpfs_files',`
+    gen_require(`
+        type cluster_tmpfs_t;
+    ')
+
+    fs_search_tmpfs($1)
+    manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
+')
+
+#####################################
+## <summary>
+##  Allow read cluster pid files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_read_cluster_pid_files',`
+       gen_require(`
+               type cluster_var_run_t;
+       ')
+
+       files_search_pids($1)
+       read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
+')
+
+
+#####################################
+## <summary>
+##  Allow manage cluster pid files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_manage_cluster_pid_files',`
+       gen_require(`
+               type cluster_var_run_t;
+       ')
+
+       files_search_pids($1)
+       manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Execute cluster server in the cluster domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`rhcs_systemctl_cluster',`
+    gen_require(`
+        type cluster_t;
+        type cluster_unit_file_t;
+    ')
+
+    systemd_exec_systemctl($1)
+	init_reload_services($1)
+    allow $1 cluster_unit_file_t:file read_file_perms;
+    allow $1 cluster_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, cluster_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	a cluster service over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_dbus_chat_cluster',`
+	gen_require(`
+		type cluster_t;
+		class dbus send_msg;
+	')
+
+	allow $1 cluster_t:dbus send_msg;
+	allow cluster_t $1:dbus send_msg;
+')
+
+
+
+#####################################
+## <summary>
+##  All of the rules required to administrate
+##  an cluster environment
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed to manage the rgmanager domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhcs_admin_cluster',`
+    gen_require(`
+        type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
+        type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
+		type cluster_unit_file_t;
+    ')
+
+    allow $1 cluster_t:process signal_perms;
+    ps_process_pattern($1, cluster_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 cluster_t:process ptrace;
+    ')
+
+    init_labeled_script_domtrans($1, cluster_initrc_exec_t)
+    domain_system_change_exemption($1)
+    role_transition $2 cluster_initrc_exec_t system_r;
+    allow $2 system_r;
+
+    files_list_tmp($1)
+    admin_pattern($1, cluster_tmp_t)
+
+    admin_pattern($1, cluster_tmpfs_t)
+
+    logging_list_logs($1)
+    admin_pattern($1, cluster_var_log_t)
+
+    files_list_pids($1)
+    admin_pattern($1, cluster_var_run_t)
+
+    rhcs_systemctl_cluster($1)
+    admin_pattern($1, cluster_unit_file_t)
+    allow $1 cluster_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+##	Start haproxy unit files domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rhcs_start_haproxy_services',`
+	gen_require(`
+		type haproxy_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 haproxy_unit_file_t:service {status start};
+')
+
+########################################
+## <summary>
+##	Create log files with a named file
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_named_filetrans_log_dir',`
+	gen_require(`
+		type var_log_t;
+	')
 
-	logging_search_logs($1)
-	admin_pattern($1, cluster_log)
+	logging_log_named_filetrans($1, var_log_t, dir, "bundles")
 ')
diff --git a/rhcs.te b/rhcs.te
index 6cf79c449b..c029ccd715 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
 ## </desc>
 gen_tunable(fenced_can_ssh, false)
 
+## <desc>
+## <p>
+## Allow cluster administrative domains to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(cluster_can_network_connect, false)
+
+## <desc>
+## <p>
+## Allow cluster administrative domains to manage all files on a system.
+## </p>
+## </desc>
+gen_tunable(cluster_manage_all_files, false)
+
+## <desc>
+## <p>
+## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
+## </p>
+## </desc>
+gen_tunable(cluster_use_execmem, false)
+
+## <desc>
+##	<p>
+##	Determine whether haproxy can
+##	connect to all TCP ports.
+##	</p>
+## </desc>
+gen_tunable(haproxy_connect_any, false)
+
 attribute cluster_domain;
 attribute cluster_log;
 attribute cluster_pid;
@@ -44,34 +73,295 @@ type foghorn_initrc_exec_t;
 init_script_file(foghorn_initrc_exec_t)
 
 rhcs_domain_template(gfs_controld)
+rhcs_domain_template(haproxy)
+
+type haproxy_var_lib_t;
+files_type(haproxy_var_lib_t)
+
+type haproxy_unit_file_t;
+systemd_unit_file(haproxy_unit_file_t)
+
 rhcs_domain_template(groupd)
 rhcs_domain_template(qdiskd)
 
 type qdiskd_var_lib_t;
 files_type(qdiskd_var_lib_t)
 
+# cluster_t is a new domain for administrative generic cluster services 
+# (rgmanager, corosync, hearbeat, cman, pacemaker)
+rhcs_domain_template(cluster)
+
+typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };
+typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t };
+typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t };
+typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t };
+typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t };
+
+type cluster_initrc_exec_t;
+typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker_initrc_exec_t rgmanager_initrc_exec_t };
+init_script_file(cluster_initrc_exec_t)
+
+type cluster_tmp_t;
+typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t };
+files_tmp_file(cluster_tmp_t)
+
+type cluster_var_lib_t;
+typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t };
+files_type(cluster_var_lib_t)
+
+type cluster_unit_file_t;
+typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t };
+systemd_unit_file(cluster_unit_file_t)
+
 #####################################
 #
 # Common cluster domains local policy
 #
 
 allow cluster_domain self:capability sys_nice;
-allow cluster_domain self:process setsched;
+allow cluster_domain self:process { signal setsched };
 allow cluster_domain self:sem create_sem_perms;
 allow cluster_domain self:fifo_file rw_fifo_file_perms;
 allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
 allow cluster_domain self:unix_dgram_socket create_socket_perms;
 
-logging_send_syslog_msg(cluster_domain)
+manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
+manage_files_pattern(cluster_domain, cluster_log, cluster_log)
+manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
 
-miscfiles_read_localization(cluster_domain)
+tunable_policy(`cluster_use_execmem',`
+    allow cluster_domain self:process execmem;
+')
 
 optional_policy(`
 	ccs_stream_connect(cluster_domain)
 ')
 
 optional_policy(`
-	corosync_stream_connect(cluster_domain)
+	dbus_system_bus_client(cluster_domain)
+')
+
+#####################################
+#
+# cluster domain local policy
+#
+
+allow cluster_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
+# for hearbeat
+allow cluster_t self:capability { net_raw chown };
+allow cluster_t self:capability2 block_suspend;
+allow cluster_t self:process { setpgid setrlimit setsched signull };
+
+allow cluster_t self:tcp_socket create_stream_socket_perms;
+allow cluster_t self:shm create_shm_perms;
+
+manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
+manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
+files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir })
+
+can_exec(cluster_t, cluster_var_lib_t)
+manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+manage_fifo_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
+files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file })
+
+can_exec(cluster_t, cluster_exec_t)
+
+kernel_kill(cluster_t)
+kernel_read_all_sysctls(cluster_t)
+kernel_rw_rpc_sysctls(cluster_t)
+kernel_search_debugfs(cluster_t)
+kernel_search_network_state(cluster_t)
+
+corecmd_exec_bin(cluster_t)
+corecmd_exec_shell(cluster_t)
+
+corenet_all_recvfrom_unlabeled(cluster_t)
+corenet_all_recvfrom_netlabel(cluster_t)
+corenet_udp_sendrecv_generic_if(cluster_t)
+corenet_udp_sendrecv_generic_node(cluster_t)
+corenet_udp_bind_generic_node(cluster_t)
+
+corenet_sendrecv_netsupport_server_packets(cluster_t)
+corenet_udp_bind_netsupport_port(cluster_t)
+corenet_udp_sendrecv_netsupport_port(cluster_t)
+
+corenet_sendrecv_cluster_server_packets(cluster_t)
+corenet_udp_bind_cluster_port(cluster_t)
+corenet_udp_sendrecv_cluster_port(cluster_t)
+
+# need to write to /dev/misc/dlm-contro
+dev_rw_dlm_control(cluster_t)
+dev_setattr_dlm_control(cluster_t)
+dev_read_sysfs(cluster_t)
+dev_read_rand(cluster_t)
+dev_read_urand(cluster_t)
+
+domain_read_all_domains_state(cluster_t)
+
+fs_getattr_xattr_fs(cluster_t)
+fs_getattr_all_fs(cluster_t)
+
+storage_raw_read_fixed_disk(cluster_t)
+
+term_getattr_pty_fs(cluster_t)
+
+files_manage_mounttab(cluster_t)
+# needed by resources scripts
+files_read_non_security_files(cluster_t)
+auth_dontaudit_getattr_shadow(cluster_t)
+
+init_domtrans_script(cluster_t)
+init_initrc_domain(cluster_t)
+init_read_script_state(cluster_t)
+init_rw_script_tmp_files(cluster_t)
+init_manage_script_status_files(cluster_t)
+
+systemd_dbus_chat_logind(cluster_t)
+
+userdom_delete_user_tmp_files(cluster_t)
+userdom_rw_user_tmp_files(cluster_t)
+userdom_kill_all_users(cluster_t)
+
+tunable_policy(`cluster_can_network_connect',`
+    corenet_tcp_connect_all_ports(cluster_t)
+')
+
+# we need to have dirs created with var_run_t in /run/cluster
+files_create_var_run_dirs(cluster_t)
+
+tunable_policy(`cluster_manage_all_files',`
+	files_getattr_all_symlinks(cluster_t)
+	files_list_all(cluster_t)
+	files_manage_mnt_dirs(cluster_t)
+	files_manage_mnt_files(cluster_t)
+	files_manage_mnt_symlinks(cluster_t)
+	files_manage_isid_type_files(cluster_t)
+	files_manage_isid_type_dirs(cluster_t)
+	fs_manage_tmpfs_files(cluster_t)
+')
+
+optional_policy(`
+    ccs_read_config(cluster_t)
+')
+
+optional_policy(`
+    cmirrord_rw_shm(cluster_t)
+')
+
+optional_policy(`
+    consoletype_exec(cluster_t)
+')
+
+optional_policy(`
+    lvm_domtrans(cluster_t)
+	lvm_rw_clvmd_tmpfs_files(cluster_t)
+    lvm_delete_clvmd_tmpfs_files(cluster_t)
+')
+
+optional_policy(`
+    fstools_domtrans(cluster_t)
+')
+
+optional_policy(`
+    ganesha_dbus_chat(cluster_t)
+')
+
+optional_policy(`
+    hostname_exec(cluster_t)
+')
+
+optional_policy(`
+    ccs_manage_config(cluster_t)
+    ccs_stream_connect(cluster_t)
+')
+
+optional_policy(`
+    fprintd_dbus_chat(cluster_t)
+')
+
+optional_policy(`
+    ldap_systemctl(cluster_t)
+')
+
+optional_policy(`
+    mount_domtrans(cluster_t)
+')
+
+optional_policy(`
+    mysql_domtrans_mysql_safe(cluster_t)
+    mysql_stream_connect(cluster_t)
+')
+
+optional_policy(`
+    netutils_domtrans(cluster_t)
+    netutils_domtrans_ping(cluster_t)
+')
+
+optional_policy(`
+    postgresql_signal(cluster_t)
+')
+
+optional_policy(`
+	rhcs_getattr_fenced(cluster_t)
+	rhcs_rw_cluster_shm(cluster_t)
+    rhcs_rw_cluster_semaphores(cluster_t)
+    rhcs_stream_connect_cluster(cluster_t)
+    rhcs_relabel_cluster_lib_files(cluster_t)
+')
+
+optional_policy(`
+    rdisc_exec(cluster_t)
+')
+
+optional_policy(`
+    ricci_dontaudit_rw_modcluster_pipes(cluster_t)
+')
+
+optional_policy(`
+    rhcs_named_filetrans_log_dir(cluster_t)
+')
+
+optional_policy(`
+    rpc_systemctl_nfsd(cluster_t)
+    rpc_systemctl_rpcd(cluster_t)
+
+    rpc_domtrans_nfsd(cluster_t)
+    rpc_domtrans_rpcd(cluster_t)
+    rpc_manage_nfs_state_data(cluster_t)
+	rpc_filetrans_var_lib_nfs_content(cluster_t)
+')
+
+optional_policy(`
+    samba_manage_var_files(cluster_t)
+    samba_rw_config(cluster_t)
+    samba_signal_smbd(cluster_t)
+    samba_signal_nmbd(cluster_t)
+')
+
+optional_policy(`
+    sysnet_domtrans_ifconfig(cluster_t)
+')
+
+optional_policy(`
+    udev_read_db(cluster_t)
+')
+
+optional_policy(`
+    virt_stream_connect(cluster_t)
+')
+
+optional_policy(`
+    unconfined_domain(cluster_t)
+')
+
+optional_policy(`
+    wdmd_rw_tmpfs(cluster_t)
+')
+
+optional_policy(`
+    xen_domtrans_xm(cluster_t)
 ')
 
 #####################################
@@ -79,13 +369,16 @@ optional_policy(`
 # dlm_controld local policy
 #
 
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+allow dlm_controld_t self:capability { dac_read_search dac_override net_admin sys_admin sys_resource };
 allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
 
+allow dlm_controld_t cluster_t:process { signull };
+
+files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)
+
 stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
 stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 
-kernel_read_system_state(dlm_controld_t)
 kernel_rw_net_sysctls(dlm_controld_t)
 
 corecmd_exec_bin(dlm_controld_t)
@@ -98,16 +391,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
 
 init_rw_script_tmp_files(dlm_controld_t)
 
+logging_send_syslog_msg(dlm_controld_t)
+
+optional_policy(`
+	rhcs_rw_cluster_tmpfs(dlm_controld_t)
+')
+
+optional_policy(`
+    rhcs_stream_connect_cluster(dlm_controld_t)
+')
+
 #######################################
 #
 # fenced local policy
 #
 
-allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:capability { net_admin sys_boot sys_rawio sys_resource sys_admin };
+allow fenced_t self:process { getsched setcap setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
 allow fenced_t self:unix_stream_socket connectto;
 
+can_exec(fenced_t, fenced_exec_t)
+
 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
 files_lock_filetrans(fenced_t, fenced_lock_t, file)
 
@@ -118,9 +425,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 
-can_exec(fenced_t, fenced_exec_t)
-
-kernel_read_system_state(fenced_t)
+kernel_read_network_state(fenced_t)
+kernel_read_fs_sysctls(fenced_t)
 
 corecmd_exec_bin(fenced_t)
 corecmd_exec_shell(fenced_t)
@@ -140,6 +446,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
 
 corenet_sendrecv_zented_server_packets(fenced_t)
 corenet_tcp_bind_zented_port(fenced_t)
+corenet_udp_bind_zented_port(fenced_t)
+corenet_tcp_connect_zented_port(fenced_t)
 corenet_tcp_sendrecv_zented_port(fenced_t)
 
 corenet_sendrecv_http_client_packets(fenced_t)
@@ -148,9 +456,8 @@ corenet_tcp_sendrecv_http_port(fenced_t)
 
 dev_read_sysfs(fenced_t)
 dev_read_urand(fenced_t)
-
-files_read_usr_files(fenced_t)
-files_read_usr_symlinks(fenced_t)
+dev_read_rand(fenced_t)
+dev_rw_lvm_control(fenced_t)
 
 storage_raw_read_fixed_disk(fenced_t)
 storage_raw_write_fixed_disk(fenced_t)
@@ -160,7 +467,7 @@ term_getattr_pty_fs(fenced_t)
 term_use_generic_ptys(fenced_t)
 term_use_ptmx(fenced_t)
 
-auth_use_nsswitch(fenced_t)
+logging_send_syslog_msg(fenced_t)
 
 tunable_policy(`fenced_can_network_connect',`
 	corenet_sendrecv_all_client_packets(fenced_t)
@@ -182,7 +489,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	corosync_exec(fenced_t)
+    rhcs_exec_cluster(fenced_t)
+    rhcs_rw_cluster_tmpfs(fenced_t)
 ')
 
 optional_policy(`
@@ -190,12 +498,17 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_read_generic_home_content(fenced_t)
+    libs_exec_ldconfig(fenced_t)
 ')
 
 optional_policy(`
 	lvm_domtrans(fenced_t)
 	lvm_read_config(fenced_t)
+    lvm_stream_connect(fenced_t)
+')
+
+optional_policy(`
+    sanlock_domtrans(fenced_t)
 ')
 
 optional_policy(`
@@ -203,6 +516,21 @@ optional_policy(`
 	snmp_manage_var_lib_dirs(fenced_t)
 ')
 
+optional_policy(`
+	virt_domtrans(fenced_t)
+	virt_read_config(fenced_t)
+	virt_read_pid_files(fenced_t)
+	virt_stream_connect(fenced_t)
+')
+
+optional_policy(`
+	watchdog_unconfined_exec_read_lnk_files(fenced_t)
+')
+
+optional_policy(`
+	gnome_dontaudit_search_config(fenced_t)
+')
+
 #######################################
 #
 # foghorn local policy
@@ -221,16 +549,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
 corenet_tcp_connect_agentx_port(foghorn_t)
 corenet_tcp_sendrecv_agentx_port(foghorn_t)
 
+corenet_tcp_connect_snmp_port(foghorn_t)
+
 dev_read_urand(foghorn_t)
 
-files_read_usr_files(foghorn_t)
+logging_send_syslog_msg(foghorn_t)
 
 optional_policy(`
 	dbus_connect_system_bus(foghorn_t)
 ')
 
 optional_policy(`
-	snmp_read_snmp_var_lib_files(foghorn_t)
+    snmp_manage_var_lib_files(foghorn_t)
 	snmp_stream_connect(foghorn_t)
 ')
 
@@ -247,16 +577,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_
 stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
 stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 
-kernel_read_system_state(gfs_controld_t)
 
 dev_rw_dlm_control(gfs_controld_t)
 dev_setattr_dlm_control(gfs_controld_t)
 dev_rw_sysfs(gfs_controld_t)
+storage_getattr_fixed_disk_dev(gfs_controld_t)
+
+fs_getattr_all_fs(gfs_controld_t)
 
 storage_getattr_removable_dev(gfs_controld_t)
 
 init_rw_script_tmp_files(gfs_controld_t)
 
+logging_send_syslog_msg(gfs_controld_t)
+
 optional_policy(`
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
@@ -275,10 +609,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 
 dev_list_sysfs(groupd_t)
 
-files_read_etc_files(groupd_t)
-
 init_rw_script_tmp_files(groupd_t)
 
+logging_send_syslog_msg(groupd_t)
+
+########################################
+#
+# haproxy local policy
+#
+
+# bug in haproxy and process vs pid owner
+allow haproxy_t self:capability { dac_read_search dac_override kill };
+
+allow haproxy_t self:capability { chown fowner setgid setuid sys_chroot sys_resource net_admin net_raw };
+allow haproxy_t self:capability2 block_suspend;
+allow haproxy_t self:process { fork setrlimit signal_perms };
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
+allow haproxy_t self:tcp_socket create_stream_socket_perms;
+allow haproxy_t self: udp_socket create_socket_perms;
+
+manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_lnk_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
+
+can_exec(haproxy_t, haproxy_exec_t)
+
+corenet_sendrecv_unlabeled_packets(haproxy_t)
+
+corenet_tcp_connect_commplex_link_port(haproxy_t)
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
+corenet_tcp_bind_http_port(haproxy_t)
+corenet_tcp_bind_http_cache_port(haproxy_t)
+
+corenet_tcp_connect_fmpro_internal_port(haproxy_t)
+corenet_tcp_connect_http_port(haproxy_t)
+corenet_tcp_connect_http_cache_port(haproxy_t)
+corenet_tcp_connect_rtp_media_port(haproxy_t)
+
+dev_read_rand(haproxy_t)
+dev_read_urand(haproxy_t)
+
+sysnet_dns_name_resolve(haproxy_t)
+
+tunable_policy(`haproxy_connect_any',`
+	corenet_tcp_connect_all_ports(haproxy_t)
+	corenet_tcp_bind_all_ports(haproxy_t)
+	corenet_sendrecv_all_packets(haproxy_t)
+	corenet_tcp_sendrecv_all_ports(haproxy_t)
+')
+
 ######################################
 #
 # qdiskd local policy
@@ -292,7 +675,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
 files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
 
-kernel_read_system_state(qdiskd_t)
 kernel_read_software_raid_state(qdiskd_t)
 kernel_getattr_core_if(qdiskd_t)
 
@@ -321,6 +703,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 
 auth_use_nsswitch(qdiskd_t)
 
+logging_send_syslog_msg(qdiskd_t)
+
 optional_policy(`
 	netutils_domtrans_ping(qdiskd_t)
 ')
diff --git a/rhev.fc b/rhev.fc
new file mode 100644
index 0000000000..4b66adfddf
--- /dev/null
+++ b/rhev.fc
@@ -0,0 +1,13 @@
+/usr/share/rhev-agent/rhev-agentd\.py	--	gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent	--	 gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/usr/share/rhev-agent/LockActiveSession\.py --  gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent/LockActiveSession\.py  --  gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/usr/lib/systemd/system/ovirt-guest-agent.*  --              gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+
+/var/run/rhev-agentd\.pid		--	gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+/var/run/ovirt-guest-agent\.pid --  gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
+
+/var/log/rhev-agent(/.*)?           gen_context(system_u:object_r:rhev_agentd_log_t,s0)
+/var/log/ovirt-guest-agent(/.*)?	gen_context(system_u:object_r:rhev_agentd_log_t,s0)
diff --git a/rhev.if b/rhev.if
new file mode 100644
index 0000000000..bf11e25630
--- /dev/null
+++ b/rhev.if
@@ -0,0 +1,76 @@
+## <summary>rhev polic module contains policies for rhev apps</summary>
+
+#####################################
+## <summary>
+##  Execute rhev-agentd in the rhev_agentd domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhev_domtrans_agentd',`
+    gen_require(`
+        type rhev_agentd_t, rhev_agentd_exec_t;
+    ')
+
+    domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
+')
+
+####################################
+## <summary>
+##  Read rhev-agentd PID files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhev_read_pid_files_agentd',`
+    gen_require(`
+        type rhev_agentd_var_run_t;
+    ')
+
+	files_search_pids($1)
+    read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+')
+
+#####################################
+## <summary>
+##      Connect to rhev_agentd over a unix domain
+##      stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rhev_stream_connect_agentd',`
+        gen_require(`
+                type rhev_agentd_var_run_t, rhev_agentd_t;
+        ')
+
+        files_search_pids($1)
+        stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
+')
+
+######################################
+## <summary>
+##  Send sigchld to rhev-agentd
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+#
+interface(`rhev_sigchld_agentd',`
+    gen_require(`
+              type rhev_agentd_t;
+    ')
+
+    allow $1 rhev_agentd_t:process sigchld;
+')
diff --git a/rhev.te b/rhev.te
new file mode 100644
index 0000000000..8b7aa12d8e
--- /dev/null
+++ b/rhev.te
@@ -0,0 +1,128 @@
+policy_module(rhev,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhev_agentd_t;
+type rhev_agentd_exec_t;
+init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
+
+type rhev_agentd_unit_file_t;
+systemd_unit_file(rhev_agentd_unit_file_t)
+
+type rhev_agentd_var_run_t;
+files_pid_file(rhev_agentd_var_run_t)
+
+type rhev_agentd_tmp_t;
+files_tmp_file(rhev_agentd_tmp_t)
+
+type rhev_agentd_log_t;
+logging_log_file(rhev_agentd_log_t)
+
+########################################
+#
+# rhev_agentd_t local policy
+#
+
+allow rhev_agentd_t self:capability { setuid setgid sys_nice };
+allow rhev_agentd_t self:process setsched;
+
+allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
+allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
+
+manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
+logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })
+
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
+can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
+
+kernel_read_system_state(rhev_agentd_t)
+kernel_read_kernel_sysctls(rhev_agentd_t)
+
+corecmd_exec_bin(rhev_agentd_t)
+corecmd_exec_shell(rhev_agentd_t)
+
+dev_read_urand(rhev_agentd_t)
+
+term_use_virtio_console(rhev_agentd_t)
+
+fs_getattr_all_fs(rhev_agentd_t)
+
+files_getattr_all_mountpoints(rhev_agentd_t)
+files_search_all_mountpoints(rhev_agentd_t)
+
+auth_use_nsswitch(rhev_agentd_t)
+
+init_read_utmp(rhev_agentd_t)
+
+libs_exec_ldconfig(rhev_agentd_t)
+logging_send_syslog_msg(rhev_agentd_t)
+
+optional_policy(`
+	rpm_read_db(rhev_agentd_t)
+	rpm_dontaudit_manage_db(rhev_agentd_t)
+')
+
+optional_policy(`
+	ssh_signull(rhev_agentd_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(rhev_agentd_t)
+    dbus_connect_system_bus(rhev_agentd_t)
+	dbus_session_bus_client(rhev_agentd_t)
+
+    optional_policy(`
+        systemd_dbus_chat_logind(rhev_agentd_t)
+    ')
+
+    optional_policy(`
+        xserver_dbus_chat_xdm(rhev_agentd_t)
+    ')
+
+')
+
+optional_policy(`
+    udev_read_db(rhev_agentd_t)
+')
+
+optional_policy(`
+   xserver_stream_connect(rhev_agentd_t)
+')
+
+######################################
+#
+# rhev_agentd_t consolehelper local policy
+#
+
+optional_policy(`
+	userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+
+	allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms;
+	allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms;
+
+	can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
+	kernel_read_system_state(rhev_agentd_consolehelper_t)
+
+	term_use_virtio_console(rhev_agentd_consolehelper_t)
+
+	corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)
+
+	optional_policy(`
+		dbus_session_bus_client(rhev_agentd_consolehelper_t)
+	')
+
+	optional_policy(`
+		unconfined_dbus_chat(rhev_agentd_consolehelper_t)
+	')
+')
diff --git a/rhgb.if b/rhgb.if
index 1a134a72ef..793a29f88c 100644
--- a/rhgb.if
+++ b/rhgb.if
@@ -1,4 +1,4 @@
-## <summary> Red Hat Graphical Boot.</summary>
+## <summary> Red Hat Graphical Boot </summary>
 
 ########################################
 ## <summary>
@@ -18,7 +18,7 @@ interface(`rhgb_stub',`
 
 ########################################
 ## <summary>
-##	Inherit and use rhgb file descriptors.
+##	Use a rhgb file descriptor.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54,7 +54,7 @@ interface(`rhgb_getpgid',`
 
 ########################################
 ## <summary>
-##	Send generic signals to rhgb.
+##	Send a signal to rhgb.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -72,8 +72,7 @@ interface(`rhgb_signal',`
 
 ########################################
 ## <summary>
-##	Read and write inherited rhgb unix
-##	domain stream sockets.
+##	Read and write to unix stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
 
 ########################################
 ## <summary>
-##	Connected to rhgb with a unix
-##	domain stream socket.
+##	Connected to rhgb unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
 #
 interface(`rhgb_stream_connect',`
 	gen_require(`
-		type rhgb_t, rhgb_tmpfs_t;
+		type rhgb_t;
 	')
 
-	fs_search_tmpfs($1)
-	stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)
+	allow $1 rhgb_t:unix_stream_socket connectto;
 ')
 
 ########################################
@@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',`
 
 ########################################
 ## <summary>
-##	Read and write rhgb pty devices.
+##	Read from and write to the rhgb devpts.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',`
 		type rhgb_devpts_t;
 	')
 
-	dev_list_all_dev_nodes($1)
 	allow $1 rhgb_devpts_t:chr_file rw_term_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write rhgb pty devices.
+##	dontaudit Read from and write to the rhgb devpts.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',`
 
 ########################################
 ## <summary>
-##	Read and write to rhgb tmpfs files.
+##	Read and write to rhgb temporary file system.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
 		type rhgb_tmpfs_t;
 	')
 
-
 	fs_search_tmpfs($1)
 	allow $1 rhgb_tmpfs_t:file rw_file_perms;
 ')
diff --git a/rhgb.te b/rhgb.te
index 3f32e4bb36..f97ea42f88 100644
--- a/rhgb.te
+++ b/rhgb.te
@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t)
 corecmd_exec_bin(rhgb_t)
 corecmd_exec_shell(rhgb_t)
 
-corenet_all_recvfrom_unlabeled(rhgb_t)
 corenet_all_recvfrom_netlabel(rhgb_t)
 corenet_tcp_sendrecv_generic_if(rhgb_t)
 corenet_tcp_sendrecv_generic_node(rhgb_t)
@@ -57,11 +56,9 @@ dev_read_urand(rhgb_t)
 
 domain_use_interactive_fds(rhgb_t)
 
-files_read_etc_files(rhgb_t)
 files_read_var_files(rhgb_t)
 files_read_etc_runtime_files(rhgb_t)
 files_search_tmp(rhgb_t)
-files_read_usr_files(rhgb_t)
 files_mounton_mnt(rhgb_t)
 files_dontaudit_rw_root_dir(rhgb_t)
 files_dontaudit_read_default_files(rhgb_t)
@@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t)
 
 logging_send_syslog_msg(rhgb_t)
 
-miscfiles_read_localization(rhgb_t)
 miscfiles_read_fonts(rhgb_t)
 miscfiles_dontaudit_write_fonts(rhgb_t)
 
diff --git a/rhnsd.fc b/rhnsd.fc
new file mode 100644
index 0000000000..860a91df85
--- /dev/null
+++ b/rhnsd.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/rhnsd	--	gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/rhnsd.* --  gen_context(system_u:object_r:rhnsd_unit_file_t,s0)
+
+/usr/sbin/rhnsd		--	gen_context(system_u:object_r:rhnsd_exec_t,s0)
+
+/var/run/rhnsd\.pid		--	gen_context(system_u:object_r:rhnsd_var_run_t,s0)
+
+/etc/sysconfig/rhn(/.*)?		gen_context(system_u:object_r:rhnsd_conf_t,s0)
diff --git a/rhnsd.if b/rhnsd.if
new file mode 100644
index 0000000000..a161c70f9f
--- /dev/null
+++ b/rhnsd.if
@@ -0,0 +1,120 @@
+## <summary>policy for rhnsd</summary>
+
+########################################
+## <summary>
+##	Transition to rhnsd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhnsd_domtrans',`
+	gen_require(`
+		type rhnsd_t, rhnsd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
+')
+
+########################################
+## <summary>
+##	Execute rhnsd server in the rhnsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhnsd_initrc_domtrans',`
+	gen_require(`
+		type rhnsd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute rhnsd server in the rhnsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rhnsd_systemctl',`
+	gen_require(`
+		type rhnsd_t;
+		type rhnsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 rhnsd_unit_file_t:file read_file_perms;
+	allow $1 rhnsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, rhnsd_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to manage
+## rhnsd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhnsd_manage_config',`
+    gen_require(`
+        type rhnsd_conf_t;
+    ')
+
+    files_search_etc($1)
+    manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)
+    manage_lnk_files_pattern($1, rhnsd_conf_t, rhnsd_conf_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rhnsd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhnsd_admin',`
+	gen_require(`
+		type rhnsd_t;
+		type rhnsd_initrc_exec_t;
+	')
+
+	allow $1 rhnsd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, rhnsd_t)
+
+	rhnsd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 rhnsd_initrc_exec_t system_r;
+	allow $2 system_r;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/rhnsd.te b/rhnsd.te
new file mode 100644
index 0000000000..b947f092ac
--- /dev/null
+++ b/rhnsd.te
@@ -0,0 +1,48 @@
+policy_module(rhnsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhnsd_t;
+type rhnsd_exec_t;
+init_daemon_domain(rhnsd_t, rhnsd_exec_t)
+
+type rhnsd_var_run_t;
+files_pid_file(rhnsd_var_run_t)
+
+type rhnsd_initrc_exec_t;
+init_script_file(rhnsd_initrc_exec_t)
+
+type rhnsd_unit_file_t;
+systemd_unit_file(rhnsd_unit_file_t)
+
+type rhnsd_conf_t;
+files_config_file(rhnsd_conf_t)
+
+########################################
+#
+# rhnsd local policy
+#
+
+allow rhnsd_t self:capability { kill };
+allow rhnsd_t self:process { fork signal };
+allow rhnsd_t self:fifo_file rw_fifo_file_perms;
+allow rhnsd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
+manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
+
+manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
+manage_lnk_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
+
+corecmd_exec_bin(rhnsd_t)
+
+logging_send_syslog_msg(rhnsd_t)
+
+optional_policy(`
+    # execute rhn_check
+    rpm_domtrans(rhnsd_t)
+')
diff --git a/rhsmcertd.fc b/rhsmcertd.fc
index 8c02804181..92b10f62ab 100644
--- a/rhsmcertd.fc
+++ b/rhsmcertd.fc
@@ -1,7 +1,11 @@
 /etc/rc\.d/init\.d/rhsmcertd	--	gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
 
+/etc/rhsm(/.*)?	gen_context(system_u:object_r:rhsmcertd_config_t,s0)
+
 /usr/bin/rhsmcertd	--	gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
 
+/usr/libexec/rhsmd  --  gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
 /var/lib/rhsm(/.*)?	gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
 
 /var/lock/subsys/rhsmcertd	--	gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
diff --git a/rhsmcertd.if b/rhsmcertd.if
index 6dbc905b33..42e4306c83 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
-## <summary>Subscription Management Certificate Daemon.</summary>
+## <summary>Subscription Management Certificate Daemon policy</summary>
 
 ########################################
 ## <summary>
-##	Execute rhsmcertd in the rhsmcertd domain.
+##	Transition to rhsmcertd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute rhsmcertd init scripts
-##	in the initrc domain.
+##	Execute rhsmcertd server in the rhsmcertd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	Read rhsmcertd log files.
+##	Read rhsmcertd's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',`
 
 ########################################
 ## <summary>
-##	Append rhsmcertd log files.
+##	Append to rhsmcertd log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rhsmcertd log files.
+##	Manage rhsmcertd log files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',`
 		type rhsmcertd_var_lib_t;
 	')
 
-	files_search_var_lib($1)
 	allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
 ')
 
 ########################################
@@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rhsmcertd lib files.
+##	Manage rhsmcertd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rhsmcertd lib directories.
+##	Manage rhsmcertd lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',`
 
 ########################################
 ## <summary>
-##	Read rhsmcertd pid files.
+##	Read rhsmcertd PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -196,10 +192,47 @@ interface(`rhsmcertd_read_pid_files',`
 	allow $1 rhsmcertd_var_run_t:file read_file_perms;
 ')
 
-####################################
+########################################
+## <summary>
+##	Read rhsmcertd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhsmcertd_manage_pid_files',`
+	gen_require(`
+		type rhsmcertd_var_run_t;
+	')
+
+	files_search_pids($1)
+    manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read/wirte inherited lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhsmcertd_rw_inherited_lock_files',`
+	gen_require(`
+		type rhsmcertd_lock_t;
+	')
+
+	files_search_locks($1)
+	allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
+')
+
+########################################
 ## <summary>
-##	Connect to rhsmcertd with a
-##	unix domain stream socket.
+##	Read/wirte lock files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -207,6 +240,26 @@ interface(`rhsmcertd_read_pid_files',`
 ##	</summary>
 ## </param>
 #
+interface(`rhsmcertd_rw_lock_files',`
+	gen_require(`
+		type rhsmcertd_lock_t;
+	')
+
+	files_search_locks($1)
+	allow $1 rhsmcertd_lock_t:file rw_file_perms;
+')
+
+####################################
+## <summary>
+##  Connect to rhsmcertd over a unix domain
+##  stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
 interface(`rhsmcertd_stream_connect',`
 	gen_require(`
 		type rhsmcertd_t, rhsmcertd_var_run_t;
@@ -239,30 +292,29 @@ interface(`rhsmcertd_dbus_chat',`
 
 ######################################
 ## <summary>
-##	Do not audit attempts to send
-##	and receive messages from
-##	rhsmcertd over dbus.
+##  Dontaudit Send and receive messages from
+##  rhsmcertd over dbus.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`rhsmcertd_dontaudit_dbus_chat',`
-	gen_require(`
-	type rhsmcertd_t;
-	class dbus send_msg;
-	')
+    gen_require(`
+        type rhsmcertd_t;
+        class dbus send_msg;
+    ')
 
-	dontaudit $1 rhsmcertd_t:dbus send_msg;
-	dontaudit rhsmcertd_t $1:dbus send_msg;
+    dontaudit $1 rhsmcertd_t:dbus send_msg;
+    dontaudit rhsmcertd_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an rhsmcertd environment.
+##	All of the rules required to administrate
+##	an rhsmcertd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -270,35 +322,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
 ##	</summary>
 ## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access.
+##  </summary>
 ## </param>
 ## <rolecap/>
 #
+
 interface(`rhsmcertd_admin',`
 	gen_require(`
 		type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
-		type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;
+		type rhsmcertd_var_lib_t, rhsmcertd_lock_t,  rhsmcertd_var_run_t;
 	')
 
-	allow $1 rhsmcertd_t:process { ptrace signal_perms };
+	allow $1 rhsmcertd_t:process signal_perms;
 	ps_process_pattern($1, rhsmcertd_t)
 
-	rhsmcertd_initrc_domtrans($1)
-	domain_system_change_exemption($1)
-	role_transition $2 rhsmcertd_initrc_exec_t system_r;
-	allow $2 system_r;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 rhsmcertd_t:process ptrace;
+	')
 
-	logging_search_logs($1)
-	admin_pattern($1, rhsmcertd_log_t)
+    rhsmcertd_initrc_domtrans($1)
+    domain_system_change_exemption($1)
+    role_transition $2 rhsmcertd_initrc_exec_t system_r;
+    allow $2 system_r;
 
-	files_search_var_lib($1)
-	admin_pattern($1, rhsmcertd_var_lib_t)
+    logging_search_logs($1)
+    admin_pattern($1, rhsmcertd_log_t)
 
-	files_search_pids($1)
-	admin_pattern($1, rhsmcertd_var_run_t)
+    files_search_var_lib($1)
+    admin_pattern($1, rhsmcertd_var_lib_t)
+
+    files_search_pids($1)
+    admin_pattern($1, rhsmcertd_var_run_t)
+
+    files_search_locks($1)
+    admin_pattern($1, rhsmcertd_lock_t)
 
-	files_search_locks($1)
-	admin_pattern($1, rhsmcertd_lock_t)
 ')
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d32e1a2796..12c6f61ad2 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,30 +18,43 @@ logging_log_file(rhsmcertd_log_t)
 type rhsmcertd_lock_t;
 files_lock_file(rhsmcertd_lock_t)
 
+type rhsmcertd_tmp_t;
+files_tmp_file(rhsmcertd_tmp_t)
+
 type rhsmcertd_var_lib_t;
 files_type(rhsmcertd_var_lib_t)
 
 type rhsmcertd_var_run_t;
 files_pid_file(rhsmcertd_var_run_t)
 
+type rhsmcertd_config_t;
+files_config_file(rhsmcertd_config_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow rhsmcertd_t self:capability sys_nice;
-allow rhsmcertd_t self:process { signal setsched };
+allow rhsmcertd_t self:capability { kill sys_nice };
+allow rhsmcertd_t self:process { signal_perms setsched };
+
 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
 allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
 
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_config_t, rhsmcertd_config_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_config_t, rhsmcertd_config_t)
+files_etc_filetrans(rhsmcertd_t, rhsmcertd_config_t, { dir file })
+
 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
 
 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
 files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
 
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
+files_tmp_filetrans(rhsmcertd_t, rhsmcertd_tmp_t, { dir file })
+
 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
 
@@ -50,25 +63,82 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
 files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
 
 kernel_read_network_state(rhsmcertd_t)
+kernel_read_net_sysctls(rhsmcertd_t)
+kernel_read_state(rhsmcertd_t)
 kernel_read_system_state(rhsmcertd_t)
+kernel_read_sysctl(rhsmcertd_t)
+kernel_signull(rhsmcertd_t)
+
+corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
+corenet_tcp_connect_squid_port(rhsmcertd_t)
+corenet_tcp_connect_netport_port(rhsmcertd_t)
+corenet_tcp_connect_websm_port(rhsmcertd_t)
 
 corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t)
 
 dev_read_sysfs(rhsmcertd_t)
 dev_read_rand(rhsmcertd_t)
 dev_read_urand(rhsmcertd_t)
+dev_read_raw_memory(rhsmcertd_t)
 
+domain_read_all_domains_state(rhsmcertd_t)
+domain_signull_all_domains(rhsmcertd_t)
 files_list_tmp(rhsmcertd_t)
-files_read_etc_files(rhsmcertd_t)
-files_read_usr_files(rhsmcertd_t)
+files_manage_generic_locks(rhsmcertd_t)
+files_manage_system_conf_files(rhsmcertd_t)
+files_create_boot_flag(rhsmcertd_t)
+files_dontaudit_write_all_mountpoints(rhsmcertd_t)
+
+fs_dontaudit_write_configfs_dirs(rhsmcertd_t)
+fs_read_xenfs_files(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
+
+libs_exec_ldconfig(rhsmcertd_t)
 
 init_read_state(rhsmcertd_t)
 
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
+logging_send_syslog_msg(rhsmcertd_t)
+
+miscfiles_manage_generic_cert_files(rhsmcertd_t)
+miscfiles_manage_generic_cert_dirs(rhsmcertd_t)
+
+nis_use_ypbind(rhsmcertd_t)
 
 sysnet_dns_name_resolve(rhsmcertd_t)
 
+ifdef(`hide_broken_symptoms',`
+    exec_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
+    exec_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+')
+
+optional_policy(`
+    dbus_system_domain(rhsmcertd_t,rhsmcertd_exec_t)
+')
+
+optional_policy(`
+	dmidecode_domtrans(rhsmcertd_t)
+')
+
+optional_policy(`
+	gnome_dontaudit_search_config(rhsmcertd_t)
+')
+
+optional_policy(`
+    container_rw_config(rhsmcertd_t)
+')
+
+optional_policy(`
+	hostname_exec(rhsmcertd_t)
+')
+
+optional_policy(`
+    rhnsd_manage_config(rhsmcertd_t)
+')
+
 optional_policy(`
-	rpm_read_db(rhsmcertd_t)
+	rpm_manage_db(rhsmcertd_t)
+    rpm_read_log(rhsmcertd_t)
 ')
diff --git a/ricci.if b/ricci.if
index 2ab3ed1d4c..23d579cde4 100644
--- a/ricci.if
+++ b/ricci.if
@@ -1,13 +1,13 @@
-## <summary>Ricci cluster management agent.</summary>
+## <summary>Ricci cluster management agent</summary>
 
 ########################################
 ## <summary>
 ##	Execute a domain transition to run ricci.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ricci_domtrans',`
@@ -15,19 +15,35 @@ interface(`ricci_domtrans',`
 		type ricci_t, ricci_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, ricci_exec_t, ricci_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute a domain transition to
-##	run ricci modcluster.
+##	Execute ricci server in the ricci domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ricci_initrc_domtrans',`
+	gen_require(`
+		type ricci_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+')
+
+########################################
 ## <summary>
-##	Domain allowed to transition.
+##	Execute a domain transition to run ricci_modcluster.
 ## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
 ## </param>
 #
 interface(`ricci_domtrans_modcluster',`
@@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',`
 		type ricci_modcluster_t, ricci_modcluster_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to use
-##	ricci modcluster file descriptors.
+##	ricci_modcluster file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -61,7 +76,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to read write
-##	ricci modcluster unamed pipes.
+##	ricci_modcluster unamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
 		type ricci_modcluster_t;
 	')
 
-	dontaudit $1 ricci_modcluster_t:fifo_file { read write };
+	dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Connect to ricci_modclusterd with
-##	a unix domain stream socket.
+##	Connect to ricci_modclusterd over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',`
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run ricci modlog.
+##	Read and write to ricci_modcluserd temporary file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ricci_rw_modclusterd_tmpfs_files',`
+	gen_require(`
+		type ricci_modclusterd_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run ricci_modlog.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',`
 		type ricci_modlog_t, ricci_modlog_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run ricci modrpm.
+##	Execute a domain transition to run ricci_modrpm.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',`
 		type ricci_modrpm_t, ricci_modrpm_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run ricci modservice.
+##	Execute a domain transition to run ricci_modservice.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',`
 		type ricci_modservice_t, ricci_modservice_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run ricci modstorage.
+##	Execute a domain transition to run ricci_modstorage.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',`
 		type ricci_modstorage_t, ricci_modstorage_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
 ')
 
+####################################
+## <summary>
+##	Allow the specified domain to manage ricci's lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ricci_manage_lib_files',`
+	gen_require(`
+		type ricci_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+	manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+')
+
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an ricci environment.
+##	All of the rules required to administrate
+##	an ricci environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -200,10 +245,13 @@ interface(`ricci_admin',`
 		type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
 	')
 
-	allow $1 ricci_t:process { ptrace signal_perms };
+	allow $1 ricci_t:process signal_perms;
 	ps_process_pattern($1, ricci_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ricci_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+	ricci_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 ricci_initrc_exec_t system_r;
 	allow $2 system_r;
diff --git a/ricci.te b/ricci.te
index 0ba2569a5f..161850d419 100644
--- a/ricci.te
+++ b/ricci.te
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
 
 corecmd_exec_bin(ricci_t)
 
-corenet_all_recvfrom_unlabeled(ricci_t)
 corenet_all_recvfrom_netlabel(ricci_t)
 corenet_tcp_sendrecv_generic_if(ricci_t)
 corenet_tcp_sendrecv_generic_node(ricci_t)
@@ -136,7 +135,6 @@ dev_read_urand(ricci_t)
 
 domain_read_all_domains_state(ricci_t)
 
-files_read_etc_files(ricci_t)
 files_read_etc_runtime_files(ricci_t)
 files_create_boot_flag(ricci_t)
 
@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t)
 
 logging_send_syslog_msg(ricci_t)
 
-miscfiles_read_localization(ricci_t)
+systemd_start_power_services(ricci_t)
 
 sysnet_dns_name_resolve(ricci_t)
 
@@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t)
 
 logging_send_syslog_msg(ricci_modcluster_t)
 
-miscfiles_read_localization(ricci_modcluster_t)
-
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
-
 optional_policy(`
-	aisexec_stream_connect(ricci_modcluster_t)
-	corosync_stream_connect(ricci_modcluster_t)
+	ricci_stream_connect_modclusterd(ricci_modcluster_t)
 ')
 
 optional_policy(`
@@ -271,7 +264,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rgmanager_stream_connect(ricci_modcluster_t)
+	rhcs_stream_connect_cluster(ricci_modcluster_t)
 ')
 
 ########################################
@@ -336,15 +329,8 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
 
 logging_send_syslog_msg(ricci_modclusterd_t)
 
-miscfiles_read_localization(ricci_modclusterd_t)
-
 sysnet_domtrans_ifconfig(ricci_modclusterd_t)
 
-optional_policy(`
-	aisexec_stream_connect(ricci_modclusterd_t)
-	corosync_stream_connect(ricci_modclusterd_t)
-')
-
 optional_policy(`
 	ccs_domtrans(ricci_modclusterd_t)
 	ccs_stream_connect(ricci_modclusterd_t)
@@ -352,7 +338,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rgmanager_stream_connect(ricci_modclusterd_t)
+	rhcs_stream_connect_cluster(ricci_modclusterd_t)
 ')
 
 optional_policy(`
@@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t)
 
 domain_read_all_domains_state(ricci_modlog_t)
 
-files_read_etc_files(ricci_modlog_t)
 files_search_usr(ricci_modlog_t)
 
 logging_read_generic_logs(ricci_modlog_t)
 
-miscfiles_read_localization(ricci_modlog_t)
 
 optional_policy(`
 	nscd_dontaudit_search_pid(ricci_modlog_t)
@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
 corecmd_exec_bin(ricci_modrpm_t)
 
 files_search_usr(ricci_modrpm_t)
-files_read_etc_files(ricci_modrpm_t)
 
-miscfiles_read_localization(ricci_modrpm_t)
+logging_send_syslog_msg(ricci_modrpm_t)
 
 optional_policy(`
 	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
@@ -418,7 +401,7 @@ optional_policy(`
 # Modservice local policy
 #
 
-allow ricci_modservice_t self:capability { dac_override sys_nice };
+allow ricci_modservice_t self:capability {dac_read_search  dac_override sys_nice };
 allow ricci_modservice_t self:process setsched;
 allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
 
@@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t)
 corecmd_exec_bin(ricci_modservice_t)
 corecmd_exec_shell(ricci_modservice_t)
 
-files_read_etc_files(ricci_modservice_t)
 files_read_etc_runtime_files(ricci_modservice_t)
 files_search_usr(ricci_modservice_t)
 files_manage_etc_symlinks(ricci_modservice_t)
 
 init_domtrans_script(ricci_modservice_t)
 
-miscfiles_read_localization(ricci_modservice_t)
+logging_send_syslog_msg(ricci_modservice_t)
 
 optional_policy(`
 	ccs_read_config(ricci_modservice_t)
@@ -460,7 +442,6 @@ optional_policy(`
 
 allow ricci_modstorage_t self:capability { mknod sys_nice };
 allow ricci_modstorage_t self:process { setsched signal };
-dontaudit ricci_modstorage_t self:process ptrace;
 allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
 
 kernel_read_kernel_sysctls(ricci_modstorage_t)
@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
 
 files_manage_etc_files(ricci_modstorage_t)
 files_read_etc_runtime_files(ricci_modstorage_t)
-files_read_usr_files(ricci_modstorage_t)
 files_read_kernel_modules(ricci_modstorage_t)
 
+files_create_default_dir(ricci_modstorage_t)
+files_root_filetrans_default(ricci_modstorage_t, dir)
+files_mounton_default(ricci_modstorage_t)
+files_manage_default_dirs(ricci_modstorage_t)
+files_manage_default_files(ricci_modstorage_t)
+
 storage_raw_read_fixed_disk(ricci_modstorage_t)
 
 term_dontaudit_use_console(ricci_modstorage_t)
 
-logging_send_syslog_msg(ricci_modstorage_t)
-
-miscfiles_read_localization(ricci_modstorage_t)
+auth_use_nsswitch(ricci_modstorage_t)
 
-optional_policy(`
-	aisexec_stream_connect(ricci_modstorage_t)
-	corosync_stream_connect(ricci_modstorage_t)
-')
+logging_send_syslog_msg(ricci_modstorage_t)
 
 optional_policy(`
 	ccs_stream_connect(ricci_modstorage_t)
diff --git a/rkhunter.fc b/rkhunter.fc
new file mode 100644
index 0000000000..645a9cc1a5
--- /dev/null
+++ b/rkhunter.fc
@@ -0,0 +1 @@
+/var/lib/rkhunter(/.*)?         gen_context(system_u:object_r:rkhunter_var_lib_t,s0)
diff --git a/rkhunter.if b/rkhunter.if
new file mode 100644
index 0000000000..0be4ceec01
--- /dev/null
+++ b/rkhunter.if
@@ -0,0 +1,39 @@
+## <summary> policy for rkhunter </summary>
+
+########################################
+## <summary>
+##	Append rkhunter lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rkhunter_append_lib_files',`
+	gen_require(`
+		type rkhunter_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage rkhunter lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rkhunter_manage_lib_files',`
+	gen_require(`
+		type rkhunter_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
+')
diff --git a/rkhunter.te b/rkhunter.te
new file mode 100644
index 0000000000..630f92bf9b
--- /dev/null
+++ b/rkhunter.te
@@ -0,0 +1,4 @@
+policy_module(rkhunter, 1.0)
+
+type rkhunter_var_lib_t;
+files_type(rkhunter_var_lib_t)
diff --git a/rlogin.fc b/rlogin.fc
index f111877209..e361ee9e2e 100644
--- a/rlogin.fc
+++ b/rlogin.fc
@@ -1,5 +1,7 @@
-HOME_DIR/\.rhosts	--	gen_context(system_u:object_r:rlogind_home_t,s0)
-HOME_DIR/\.rlogin	--	gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rlogin		--	gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rhosts		--	gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rlogin			--	gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rhosts		--	gen_context(system_u:object_r:rlogind_home_t,s0)
 
 /usr/kerberos/sbin/klogind	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
 
diff --git a/rlogin.if b/rlogin.if
index 050479dea0..0e1b364fb4 100644
--- a/rlogin.if
+++ b/rlogin.if
@@ -29,7 +29,7 @@ interface(`rlogin_domtrans',`
 ##	</summary>
 ## </param>
 #
-template(`rlogin_read_home_content',`
+interface(`rlogin_read_home_content',`
 	gen_require(`
 		type rlogind_home_t;
 	')
diff --git a/rlogin.te b/rlogin.te
index ee27948589..34d2ee96f3 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -31,10 +31,12 @@ files_pid_file(rlogind_var_run_t)
 # Local policy
 #
 
-allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override };
 allow rlogind_t self:process signal_perms;
 allow rlogind_t self:fifo_file rw_fifo_file_perms;
-allow rlogind_t self:tcp_socket { accept listen };
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rlogind_t, rlogind_devpts_t)
@@ -45,7 +47,6 @@ allow rlogind_t rlogind_keytab_t:file read_file_perms;
 
 manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
 manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
 
 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
 files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
@@ -56,7 +57,6 @@ kernel_read_kernel_sysctls(rlogind_t)
 kernel_read_system_state(rlogind_t)
 kernel_read_network_state(rlogind_t)
 
-corenet_all_recvfrom_unlabeled(rlogind_t)
 corenet_all_recvfrom_netlabel(rlogind_t)
 corenet_tcp_sendrecv_generic_if(rlogind_t)
 corenet_tcp_sendrecv_generic_node(rlogind_t)
@@ -65,6 +65,10 @@ corenet_sendrecv_rlogind_server_packets(rlogind_t)
 corenet_tcp_bind_rlogind_port(rlogind_t)
 corenet_tcp_sendrecv_rlogind_port(rlogind_t)
 
+corenet_sendrecv_rlogin_server_packets(rlogind_t)
+corenet_tcp_bind_rlogin_port(rlogind_t)
+corenet_tcp_sendrecv_rlogin_port(rlogind_t)
+
 dev_read_urand(rlogind_t)
 
 domain_interactive_fd(rlogind_t)
@@ -73,6 +77,7 @@ fs_getattr_all_fs(rlogind_t)
 fs_search_auto_mountpoints(rlogind_t)
 
 auth_domtrans_chk_passwd(rlogind_t)
+auth_signal_chk_passwd(rlogind_t)
 auth_rw_login_records(rlogind_t)
 auth_use_nsswitch(rlogind_t)
 
@@ -83,29 +88,23 @@ init_rw_utmp(rlogind_t)
 
 logging_send_syslog_msg(rlogind_t)
 
-miscfiles_read_localization(rlogind_t)
-
 seutil_read_config(rlogind_t)
 
 userdom_search_user_home_dirs(rlogind_t)
 userdom_setattr_user_ptys(rlogind_t)
+# cjp: this is egregious
+userdom_read_user_home_content_files(rlogind_t)
+userdom_search_admin_dir(rlogind_t)
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
 userdom_use_user_terminals(rlogind_t)
+userdom_home_reader(rlogind_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_list_nfs(rlogind_t)
-	fs_read_nfs_files(rlogind_t)
-	fs_read_nfs_symlinks(rlogind_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_list_cifs(rlogind_t)
-	fs_read_cifs_files(rlogind_t)
-	fs_read_cifs_symlinks(rlogind_t)
-')
+rlogin_read_home_content(rlogind_t)
 
 optional_policy(`
 	kerberos_read_keytab(rlogind_t)
-	kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
+	kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
 	kerberos_manage_host_rcache(rlogind_t)
 	kerberos_use(rlogind_t)
 ')
diff --git a/rngd.fc b/rngd.fc
index fa19aa8ded..90eb481c16 100644
--- a/rngd.fc
+++ b/rngd.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/rngd	--	gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/rngd.*    --  gen_context(system_u:object_r:rngd_unit_file_t,s0)
+
 /usr/sbin/rngd	--	gen_context(system_u:object_r:rngd_exec_t,s0)
 
 /var/run/rngd\.pid	--	gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/rngd.if b/rngd.if
index 13f788fd57..10e2033015 100644
--- a/rngd.if
+++ b/rngd.if
@@ -1,5 +1,28 @@
 ## <summary>Check and feed random data from hardware device to kernel random device.</summary>
 
+########################################
+## <summary>
+##	Execute rngd in the rngd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rng_systemctl_rngd',`
+	gen_require(`
+		type rngd_t, rngd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 rngd_unit_file_t:file read_file_perms;
+	allow $1 rngd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, rngd_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -17,14 +40,18 @@
 ## </param>
 ## <rolecap/>
 #
-interface(`rngd_admin',`
+interface(`rng_admin',`
 	gen_require(`
-		type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
+		type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t;
 	')
 
-	allow $1 rngd_t:process { ptrace signal_perms };
+	allow $1 rngd_t:process signal_perms;
 	ps_process_pattern($1, rngd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 rngd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, rngd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 rngd_initrc_exec_t system_r;
@@ -32,4 +59,8 @@ interface(`rngd_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, rngd_var_run_t)
+
+	rng_systemctl_rngd($1)
+	admin_pattern($1, rngd_unit_file_t)
+	allow $1 rngd_unit_file_t:service all_service_perms;
 ')
diff --git a/rngd.te b/rngd.te
index a7b7717b7f..6023a77e9e 100644
--- a/rngd.te
+++ b/rngd.te
@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
 type rngd_initrc_exec_t;
 init_script_file(rngd_initrc_exec_t)
 
+type rngd_unit_file_t;
+systemd_unit_file(rngd_unit_file_t)
+
 type rngd_var_run_t;
 files_pid_file(rngd_var_run_t)
 
@@ -34,9 +37,10 @@ dev_read_rand(rngd_t)
 dev_read_urand(rngd_t)
 dev_rw_tpm(rngd_t)
 dev_write_rand(rngd_t)
-
-files_read_etc_files(rngd_t)
+dev_read_sysfs(rngd_t)
 
 logging_send_syslog_msg(rngd_t)
 
-miscfiles_read_localization(rngd_t)
+miscfiles_read_certs(rngd_t)
+
+term_use_usb_ttys(rngd_t)
diff --git a/rolekit.fc b/rolekit.fc
new file mode 100644
index 0000000000..504b6e13e7
--- /dev/null
+++ b/rolekit.fc
@@ -0,0 +1,3 @@
+/usr/lib/systemd/system/rolekit.*		--	gen_context(system_u:object_r:rolekit_unit_file_t,s0)
+
+/usr/sbin/roled		--	gen_context(system_u:object_r:rolekit_exec_t,s0)
diff --git a/rolekit.if b/rolekit.if
new file mode 100644
index 0000000000..b11fb8f6d9
--- /dev/null
+++ b/rolekit.if
@@ -0,0 +1,120 @@
+## <summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
+
+########################################
+## <summary>
+##	Execute rolekit in the rolekit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rolekit_domtrans',`
+	gen_require(`
+		type rolekit_t, rolekit_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rolekit_exec_t, rolekit_t)
+')
+
+########################################
+## <summary>
+##	Execute rolekit server in the rolekit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rolekit_systemctl',`
+	gen_require(`
+		type rolekit_t;
+		type rolekit_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 rolekit_unit_file_t:file read_file_perms;
+	allow $1 rolekit_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, rolekit_t)
+')
+#######################################
+## <summary>
+##     Manage rolekit kernel keyrings.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rolekit_manage_keys',`
+    gen_require(`
+        type rolekit_t;
+    ')
+
+    allow $1 rolekit_t:key manage_key_perms;
+    allow rolekit_t $1:key manage_key_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	policykit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rolekit_dbus_chat',`
+	gen_require(`
+		type rolekit_t;
+		class dbus send_msg;
+	')
+
+	ps_process_pattern(rolekit_t, $1)
+
+	allow $1 rolekit_t:dbus send_msg;
+	allow rolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rolekit environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rolekit_admin',`
+	gen_require(`
+		type rolekit_t;
+	type rolekit_unit_file_t;
+	')
+
+	allow $1 rolekit_t:process { signal_perms };
+	ps_process_pattern($1, rolekit_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 rolekit_t:process ptrace;
+    ')
+
+	rolekit_systemctl($1)
+	admin_pattern($1, rolekit_unit_file_t)
+	allow $1 rolekit_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/rolekit.te b/rolekit.te
new file mode 100644
index 0000000000..da944537bb
--- /dev/null
+++ b/rolekit.te
@@ -0,0 +1,47 @@
+policy_module(rolekit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rolekit_t;
+type rolekit_exec_t;
+init_daemon_domain(rolekit_t, rolekit_exec_t)
+
+type rolekit_tmp_t;
+files_tmp_file(rolekit_tmp_t)
+
+type rolekit_unit_file_t;
+systemd_unit_file(rolekit_unit_file_t)
+
+########################################
+#
+# rolekit local policy
+#
+
+allow rolekit_t self:fifo_file rw_fifo_file_perms;
+allow rolekit_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t)
+manage_dirs_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t)
+files_tmp_filetrans(rolekit_t, rolekit_tmp_t, { file dir })
+
+kernel_read_system_state(rolekit_t)
+
+auth_use_nsswitch(rolekit_t)
+
+optional_policy(`
+    sssd_domtrans(rolekit_t)
+')
+
+optional_policy(`
+    rpm_transition_script(rolekit_t, system_r)
+')
+
+optional_policy(`
+    unconfined_domain_noaudit(rolekit_t)
+    #should be changed for debugging
+    #unconfined_domain(rolekit_t)
+    domain_named_filetrans(rolekit_t)
+')
diff --git a/roundup.if b/roundup.if
index 975bb6a457..ce4f5ead8d 100644
--- a/roundup.if
+++ b/roundup.if
@@ -23,8 +23,11 @@ interface(`roundup_admin',`
 		type roundup_initrc_exec_t;
 	')
 
-	allow $1 roundup_t:process { ptrace signal_perms };
+	allow $1 roundup_t:process signal_perms;
 	ps_process_pattern($1, roundup_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 roundup_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/roundup.te b/roundup.te
index ccb5991ed5..189ac011c7 100644
--- a/roundup.te
+++ b/roundup.te
@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t)
 
 corecmd_exec_bin(roundup_t)
 
-corenet_all_recvfrom_unlabeled(roundup_t)
 corenet_all_recvfrom_netlabel(roundup_t)
 corenet_tcp_sendrecv_generic_if(roundup_t)
 corenet_tcp_sendrecv_generic_node(roundup_t)
@@ -60,16 +59,11 @@ dev_read_urand(roundup_t)
 
 domain_use_interactive_fds(roundup_t)
 
-files_read_etc_files(roundup_t)
-files_read_usr_files(roundup_t)
-
 fs_getattr_all_fs(roundup_t)
 fs_search_auto_mountpoints(roundup_t)
 
 logging_send_syslog_msg(roundup_t)
 
-miscfiles_read_localization(roundup_t)
-
 sysnet_dns_name_resolve(roundup_t)
 
 userdom_dontaudit_use_unpriv_user_fds(roundup_t)
diff --git a/rpc.fc b/rpc.fc
index a6fb30cb3a..38a2f09112 100644
--- a/rpc.fc
+++ b/rpc.fc
@@ -1,12 +1,23 @@
-/etc/exports	--	gen_context(system_u:object_r:exports_t,s0)
+#
+# /etc
+#
+/etc/exports		--	gen_context(system_u:object_r:exports_t,s0)
+/etc/rc\.d/init\.d/nfs	 --	gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd --	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
 
-/etc/rc\.d/init\.d/nfs	--	gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nfslock	--	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rpcidmapd	--	gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/usr/lib/systemd/system/nfs.* 		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/rpc.* 		--	gen_context(system_u:object_r:rpcd_unit_file_t,s0)
 
-/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
-/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+#
+# /sbin
+#
+/sbin/rpc\..*		--	gen_context(system_u:object_r:rpcd_exec_t,s0)
+/sbin/sm-notify		--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 
+#
+# /usr
+#
 /usr/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -16,7 +27,12 @@
 /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
 /usr/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 
-/var/lib/nfs(/.*)?	gen_context(system_u:object_r:var_lib_nfs_t,s0)
+#
+# /var
+#
+/var/lib/nfs(/.*)?		gen_context(system_u:object_r:var_lib_nfs_t,s0)
 
+/var/run/sm-notify.*		gen_context(system_u:object_r:rpcd_var_run_t,s0)
 /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid	--	gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/rpc.if b/rpc.if
index 0bf13c2207..79a2a9c48a 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
-## <summary>Remote Procedure Call Daemon.</summary>
+## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
 
 ########################################
 ## <summary>
@@ -20,15 +20,21 @@ interface(`rpc_stub',`
 ## <summary>
 ##	The template to define a rpc domain.
 ## </summary>
-## <param name="domain_prefix">
+## <desc>
+##	<p>
+##	This template creates a domain to be used for
+##	a new rpc daemon.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	The type of daemon to be used.
 ##	</summary>
 ## </param>
 #
 template(`rpc_domain_template',`
 	gen_require(`
-		attribute rpc_domain;
+        attribute rpc_domain;
 	')
 
 	########################################
@@ -42,12 +48,19 @@ template(`rpc_domain_template',`
 
 	domain_use_interactive_fds($1_t)
 
-	########################################
+	####################################
 	#
-	# Policy
+	# Local Policy
 	#
 
+    kernel_read_system_state($1_t)
+
+    corenet_all_recvfrom_unlabeled($1_t)
+    corenet_all_recvfrom_netlabel($1_t)
+
 	auth_use_nsswitch($1_t)
+
+	logging_send_syslog_msg($1_t)
 ')
 
 ########################################
@@ -66,8 +79,8 @@ interface(`rpc_udp_send',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get
-##	attributes of export files.
+##	Do not audit attempts to get the attributes
+##	of the NFS export file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -80,12 +93,12 @@ interface(`rpc_dontaudit_getattr_exports',`
 		type exports_t;
 	')
 
-	dontaudit $1 exports_t:file getattr;
+	dontaudit $1 exports_t:file getattr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read export files.
+##	Allow read access to exports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -103,7 +116,7 @@ interface(`rpc_read_exports',`
 
 ########################################
 ## <summary>
-##	Write export files.
+##	Allow write access to exports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -116,12 +129,12 @@ interface(`rpc_write_exports',`
 		type exports_t;
 	')
 
-	allow $1 exports_t:file write;
+	allow $1 exports_t:file write_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Execute nfsd in the nfsd domain.
+##	Execute domain in nfsd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -134,14 +147,12 @@ interface(`rpc_domtrans_nfsd',`
 		type nfsd_t, nfsd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, nfsd_exec_t, nfsd_t)
 ')
 
 #######################################
 ## <summary>
-##	Execute nfsd init scripts in
-##	the initrc domain.
+##	Execute domain in nfsd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -159,7 +170,7 @@ interface(`rpc_initrc_domtrans_nfsd',`
 
 ########################################
 ## <summary>
-##	Execute rpcd in the rpcd domain.
+##	Execute nfsd server in the nfsd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -167,120 +178,128 @@ interface(`rpc_initrc_domtrans_nfsd',`
 ##	</summary>
 ## </param>
 #
-interface(`rpc_domtrans_rpcd',`
+interface(`rpc_systemctl_nfsd',`
 	gen_require(`
-		type rpcd_t, rpcd_exec_t;
+		type nfsd_unit_file_t;
+		type nfsd_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 nfsd_unit_file_t:file read_file_perms;
+	allow $1 nfsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, nfsd_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Execute rpcd init scripts in
-##	the initrc domain.
+##	Send kill signals to rpcd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`rpc_initrc_domtrans_rpcd',`
+interface(`rpc_kill_rpcd',`
 	gen_require(`
-		type rpcd_initrc_exec_t;
+		type rpcd_t;
 	')
 
-	init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+	allow $1 rpcd_t:process sigkill;
 ')
 
 ########################################
 ## <summary>
-##	Read nfs exported content.
+##	Execute domain in rpcd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`rpc_read_nfs_content',`
+interface(`rpc_domtrans_rpcd',`
 	gen_require(`
-		type nfsd_ro_t, nfsd_rw_t;
+		type rpcd_t, rpcd_exec_t;
 	')
 
-	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
-	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
-	allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
+	domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+	allow rpcd_t $1:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	nfs exported read write content.
+##	Execute rpcd in the rcpd domain, and
+##	allow the specified role the rpcd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
 ## <rolecap/>
 #
-interface(`rpc_manage_nfs_rw_content',`
+interface(`rpc_run_rpcd',`
 	gen_require(`
-		type nfsd_rw_t;
+		type rpcd_t;
 	')
 
-	manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
-	manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
-	manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+	rpc_domtrans_rpcd($1)
+	role $2 types rpcd_t;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Create, read, write, and delete
-##	nfs exported read only content.
+##	Execute domain in rpcd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`rpc_manage_nfs_ro_content',`
+interface(`rpc_initrc_domtrans_rpcd',`
 	gen_require(`
-		type nfsd_ro_t;
+		type rpcd_initrc_exec_t;
 	')
 
-	manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
-	manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
-	manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+	init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write to nfsd tcp sockets.
+##	Execute rpcd server in the rpcd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`rpc_tcp_rw_nfs_sockets',`
+interface(`rpc_systemctl_rpcd',`
 	gen_require(`
-		type nfsd_t;
+		type rpcd_unit_file_t;
+		type rpcd_t;
 	')
 
-	allow $1 nfsd_t:tcp_socket rw_socket_perms;
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 rpcd_unit_file_t:file read_file_perms;
+	allow $1 rpcd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, rpcd_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write to nfsd udp sockets.
+##	Allow domain to read and write to an NFS UDP socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -312,7 +331,7 @@ interface(`rpc_udp_send_nfs',`
 
 ########################################
 ## <summary>
-##	Search nfs lib directories.
+##	Search NFS state data in /var/lib/nfs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -326,12 +345,50 @@ interface(`rpc_search_nfs_state_data',`
 	')
 
 	files_search_var_lib($1)
-	allow $1 var_lib_nfs_t:dir search;
+	allow $1 var_lib_nfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_list_nfs_state_data',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 var_lib_nfs_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read nfs lib files.
+##	Manage NFS state data in /var/lib/nfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data_dir',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 var_lib_nfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read NFS state data in /var/lib/nfs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -346,12 +403,12 @@ interface(`rpc_read_nfs_state_data',`
 
 	files_search_var_lib($1)
 	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+	read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	nfs lib files.
+##	Manage NFS state data in /var/lib/nfs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -366,31 +423,68 @@ interface(`rpc_manage_nfs_state_data',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+	allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an rpc environment.
+##	Write keys for all user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`rpc_rw_gssd_keys',`
+	gen_require(`
+		type gssd_t;
+	')
+
+	allow $1 gssd_t:key { read search setattr view write };
+')
+
+########################################
+## <summary>
+##	Transition to alsa named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`rpc_filetrans_var_lib_nfs_content',`
+	gen_require(`
+		type var_lib_nfs_t;
+	')
+
+	files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")
+')
+
+#######################################
+## <summary>
+##  All of the rules required to
+##  administrate an rpc environment.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
 ## <rolecap/>
 #
 interface(`rpc_admin',`
-	gen_require(`
+    gen_require(`
 		attribute rpc_domain;
 		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
 		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
-		type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+		type  nfsd_rw_t, gssd_keytab_t;
 	')
 
 	allow $1 rpc_domain:process { ptrace signal_perms };
@@ -411,10 +505,28 @@ interface(`rpc_admin',`
 	admin_pattern($1, rpcd_var_run_t)
 
 	files_list_all($1)
-	admin_pattern($1, { nfsd_ro_t nfsd_rw_t })
+	admin_pattern($1, nfsd_rw_t )
 
 	files_list_tmp($1)
 	admin_pattern($1, gssd_tmp_t)
 
 	fs_search_nfsd_fs($1)
 ')
+
+########################################
+## <summary>
+##	Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpc_gssd_noatsecure',`
+	gen_require(`
+		type gssd_t;
+	')
+
+    allow $1 gssd_t:process { noatsecure rlimitinh };
+')
diff --git a/rpc.te b/rpc.te
index 2da9fca2f7..bbd2099408 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether gssd can read
-##	generic user temporary content.
-##	</p>
+## <p>
+## Allow gssd to list tmp directories and read the kerberos credential cache.
+## </p>
 ## </desc>
-gen_tunable(allow_gssd_read_tmp, false)
+gen_tunable(gssd_read_tmp, true)
 
 ## <desc>
-##	<p>
-##	Determine whether nfs can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services.  Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
 ## </desc>
-gen_tunable(allow_nfsd_anon_write, false)
+gen_tunable(nfsd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow rpcd_t  to manage fuse files
+## </p>
+## </desc>
+gen_tunable(rpcd_use_fusefs, false)
 
 attribute rpc_domain;
 
@@ -39,21 +44,23 @@ files_tmp_file(gssd_tmp_t)
 type rpcd_var_run_t;
 files_pid_file(rpcd_var_run_t)
 
+# rpcd_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
 rpc_domain_template(rpcd)
 
 type rpcd_initrc_exec_t;
 init_script_file(rpcd_initrc_exec_t)
 
+type rpcd_unit_file_t;
+systemd_unit_file(rpcd_unit_file_t)
+
 rpc_domain_template(nfsd)
 
 type nfsd_initrc_exec_t;
 init_script_file(nfsd_initrc_exec_t)
 
-type nfsd_rw_t;
-files_type(nfsd_rw_t)
-
-type nfsd_ro_t;
-files_type(nfsd_ro_t)
+type nfsd_unit_file_t;
+systemd_unit_file(nfsd_unit_file_t)
 
 type var_lib_nfs_t;
 files_mountpoint(var_lib_nfs_t)
@@ -71,7 +78,6 @@ allow rpc_domain self:tcp_socket { accept listen };
 manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
 manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
 
-kernel_read_system_state(rpc_domain)
 kernel_read_kernel_sysctls(rpc_domain)
 kernel_rw_rpc_sysctls(rpc_domain)
 
@@ -79,8 +85,6 @@ dev_read_sysfs(rpc_domain)
 dev_read_urand(rpc_domain)
 dev_read_rand(rpc_domain)
 
-corenet_all_recvfrom_unlabeled(rpc_domain)
-corenet_all_recvfrom_netlabel(rpc_domain)
 corenet_tcp_sendrecv_generic_if(rpc_domain)
 corenet_udp_sendrecv_generic_if(rpc_domain)
 corenet_tcp_sendrecv_generic_node(rpc_domain)
@@ -108,41 +112,45 @@ files_read_etc_runtime_files(rpc_domain)
 files_read_usr_files(rpc_domain)
 files_list_home(rpc_domain)
 
-logging_send_syslog_msg(rpc_domain)
-
-miscfiles_read_localization(rpc_domain)
-
 userdom_dontaudit_use_unpriv_user_fds(rpc_domain)
 
 optional_policy(`
-	rpcbind_stream_connect(rpc_domain)
+    rpcbind_stream_connect(rpc_domain)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(rpc_domain)
+    seutil_sigchld_newrole(rpc_domain)
 ')
 
 optional_policy(`
-	udev_read_db(rpc_domain)
+    udev_read_db(rpc_domain)
 ')
 
 ########################################
 #
-# Local policy
+# RPC local policy
 #
 
-allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
+allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search dac_override setgid setuid };
 allow rpcd_t self:capability2 block_suspend;
+
 allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;
 
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
 
+read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t)
+
+# rpc.statd executes sm-notify
 can_exec(rpcd_t, rpcd_exec_t)
 
+kernel_read_system_state(rpcd_t)
+kernel_write_proc_files(rpcd_t)
 kernel_read_network_state(rpcd_t)
+# for rpc.rquotad
 kernel_read_sysctl(rpcd_t)
 kernel_rw_fs_sysctls(rpcd_t)
 kernel_dontaudit_getattr_core_if(rpcd_t)
@@ -163,13 +171,21 @@ fs_getattr_all_fs(rpcd_t)
 
 storage_getattr_fixed_disk_dev(rpcd_t)
 
+init_read_utmp(rpcd_t)
+
 selinux_dontaudit_read_fs(rpcd_t)
 
 miscfiles_read_generic_certs(rpcd_t)
 
-seutil_dontaudit_search_config(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
 
-userdom_signal_all_users(rpcd_t)
+tunable_policy(`rpcd_use_fusefs',`
+	fs_manage_fusefs_dirs(rpcd_t)
+	fs_manage_fusefs_files(rpcd_t)
+	fs_read_fusefs_symlinks(rpcd_t)
+	fs_getattr_fusefs(rpcd_t)
+')
 
 ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(rpcd_t)
@@ -180,20 +196,28 @@ optional_policy(`
 	automount_dontaudit_write_pipes(rpcd_t)
 ')
 
+optional_policy(`
+	domain_unconfined_signal(rpcd_t)
+')
+
+optional_policy(`
+	quota_manage_db(rpcd_t)
+')
+
 optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')
 
 optional_policy(`
-	quota_manage_db_files(rpcd_t)
+	quota_read_db(rpcd_t)
 ')
 
 optional_policy(`
-	rgmanager_manage_tmp_files(rpcd_t)
+	rhcs_manage_cluster_tmp_files(rpcd_t)
 ')
 
 optional_policy(`
-	unconfined_signal(rpcd_t)
+    samba_stream_connect_nmbd(rpcd_t)
 ')
 
 ########################################
@@ -201,42 +225,62 @@ optional_policy(`
 # NFSD local policy
 #
 
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource };
 
 allow nfsd_t exports_t:file read_file_perms;
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
-kernel_setsched(nfsd_t)
+kernel_dontaudit_setsched(nfsd_t)
 kernel_request_load_module(nfsd_t)
-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+kernel_rw_rpc_sysctls_dirs(nfsd_t)
+kernel_create_rpc_sysctls(nfsd_t)
+kernel_rw_fs_sysctls(nfsd_t)
 
-corenet_sendrecv_nfs_server_packets(nfsd_t)
+corecmd_exec_shell(nfsd_t)
+
+corenet_tcp_bind_all_rpc_ports(nfsd_t)
+corenet_udp_bind_all_rpc_ports(nfsd_t)
 corenet_tcp_bind_nfs_port(nfsd_t)
 corenet_udp_bind_nfs_port(nfsd_t)
-
-corecmd_exec_shell(nfsd_t)
+corenet_udp_bind_mountd_port(nfsd_t)
+corenet_tcp_bind_mountd_port(nfsd_t)
 
 dev_dontaudit_getattr_all_blk_files(nfsd_t)
 dev_dontaudit_getattr_all_chr_files(nfsd_t)
 dev_rw_lvm_control(nfsd_t)
+dev_read_nvme(nfsd_t)
 
+# does not really need this, but it is easier to just allow it
+files_search_pids(nfsd_t)
+# for exportfs and rpc.mountd
 files_getattr_tmp_dirs(nfsd_t)
+# cjp: this should really have its own type
 files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
 
+fs_read_configfs_files(nfsd_t)
+fs_read_configfs_dirs(nfsd_t)
+fs_mounton_nfsd_fs(nfsd_t)
 fs_mount_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
 fs_getattr_all_dirs(nfsd_t)
-fs_rw_nfsd_fs(nfsd_t)
-# fs_manage_nfsd_fs(nfsd_t)
+fs_manage_nfsd_fs(nfsd_t)
 
-storage_dontaudit_read_fixed_disk(nfsd_t)
+storage_raw_read_fixed_disk(nfsd_t)
 storage_raw_read_removable_device(nfsd_t)
 
+# Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
-tunable_policy(`allow_nfsd_anon_write',`
+userdom_filetrans_home_content(nfsd_t)
+userdom_list_user_tmp(nfsd_t)
+
+# Write access to public_content_t and public_content_rw_t
+tunable_policy(`nfsd_anon_write',`
 	miscfiles_manage_public_files(nfsd_t)
 ')
 
@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
-	files_manage_non_auth_files(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
-	files_list_non_auth_dirs(nfsd_t)
-	files_read_non_auth_files(nfsd_t)
+	files_read_non_security_files(nfsd_t)
 ')
 
 optional_policy(`
 	mount_exec(nfsd_t)
+	mount_manage_pid_files(nfsd_t)
 ')
 
 ########################################
@@ -270,7 +313,7 @@ optional_policy(`
 # GSSD local policy
 #
 
-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
 allow gssd_t self:process { getsched setsched };
 allow gssd_t self:fifo_file rw_fifo_file_perms;
 
@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
+kernel_read_system_state(gssd_t)
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_request_load_module(gssd_t)
@@ -288,35 +332,46 @@ kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
-fs_list_inotifyfs(gssd_t)
+domain_manage_all_domains_keyrings(gssd_t)
+
 fs_list_rpc(gssd_t)
 fs_rw_rpc_sockets(gssd_t)
 fs_read_rpc_files(gssd_t)
-fs_read_nfs_files(gssd_t)
+fs_read_nfsd_files(gssd_t)
 
+fs_list_inotifyfs(gssd_t)
 files_list_tmp(gssd_t)
+files_read_usr_symlinks(gssd_t)
 files_dontaudit_write_var_dirs(gssd_t)
 
+auth_use_nsswitch(gssd_t)
 auth_manage_cache(gssd_t)
+auth_login_manage_key(gssd_t)
 
 miscfiles_read_generic_certs(gssd_t)
 
 userdom_signal_all_users(gssd_t)
+userdom_manage_all_users_keys(gssd_t)
 
-tunable_policy(`allow_gssd_read_tmp',`
+tunable_policy(`gssd_read_tmp',`
 	userdom_list_user_tmp(gssd_t)
 	userdom_read_user_tmp_files(gssd_t)
 	userdom_read_user_tmp_symlinks(gssd_t)
+	userdom_manage_user_tmp_files(gssd_t)
+	files_read_generic_tmp_files(gssd_t)
 ')
 
 optional_policy(`
 	automount_signal(gssd_t)
 ')
 
+optional_policy(`
+	gssproxy_stream_connect(gssd_t)
+')
 optional_policy(`
 	kerberos_manage_host_rcache(gssd_t)
 	kerberos_read_keytab(gssd_t)
-	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+	kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
 	kerberos_use(gssd_t)
 ')
 
diff --git a/rpcbind.if b/rpcbind.if
index 3b5e9eed60..ff1163ff60 100644
--- a/rpcbind.if
+++ b/rpcbind.if
@@ -1,4 +1,4 @@
-## <summary>Universal Addresses to RPC Program Number Mapper.</summary>
+## <summary>Universal Addresses to RPC Program Number Mapper</summary>
 
 ########################################
 ## <summary>
@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',`
 		type rpcbind_t, rpcbind_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to rpcbindd with a
-##	unix domain stream socket.
+##	Connect to rpcbindd over an unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',`
 
 ########################################
 ## <summary>
-##	Read rpcbind pid files.
+##	Read rpcbind PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',`
 		type rpcbind_var_lib_t;
 	')
 
-	files_search_var_lib($1)
 	allow $1 rpcbind_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
 ')
 
 ########################################
@@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',`
 		type rpcbind_var_lib_t;
 	')
 
-	files_search_var_lib($1)
 	read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+	files_search_var_lib($1)
 ')
 
 ########################################
@@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',`
 		type rpcbind_var_lib_t;
 	')
 
-	files_search_var_lib($1)
 	manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
+	files_search_var_lib($1)
 ')
 
 ########################################
 ## <summary>
-##	Send null signals to rpcbind.
+##	Send a null signal to rpcbind.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -136,8 +134,44 @@ interface(`rpcbind_signull',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an rpcbind environment.
+##	Transition to rpcbind named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpcbind_filetrans_named_content',`
+	gen_require(`
+		type rpcbind_var_run_t;
+	')
+
+	files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
+')
+
+########################################
+## <summary>
+##	Relabel from rpcbind sock file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpcbind_relabel_sock_file',`
+	gen_require(`
+		type rpcbind_var_run_t;
+	')
+
+	allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rpcbind environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -146,7 +180,7 @@ interface(`rpcbind_signull',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the rpcbind domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -157,17 +191,20 @@ interface(`rpcbind_admin',`
 		type rpcbind_initrc_exec_t;
 	')
 
-	allow $1 rpcbind_t:process { ptrace signal_perms };
+	allow $1 rpcbind_t:process signal_perms;
 	ps_process_pattern($1, rpcbind_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 rpcbind_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 rpcbind_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_pids($1)
-	admin_pattern($1, rpcbind_var_run_t)
-
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, rpcbind_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, rpcbind_var_run_t)
 ')
diff --git a/rpcbind.te b/rpcbind.te
index 54de77ccd8..a17c004c33 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
 type rpcbind_initrc_exec_t;
 init_script_file(rpcbind_initrc_exec_t)
 
+type rpcbind_tmp_t;
+files_tmp_file(rpcbind_tmp_t)
+
 type rpcbind_var_run_t;
 files_pid_file(rpcbind_var_run_t)
 init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
@@ -24,11 +27,15 @@ files_type(rpcbind_var_lib_t)
 # Local policy
 #
 
-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+allow rpcbind_t self:capability { chown dac_read_search dac_override setgid setuid sys_tty_config };
 allow rpcbind_t self:fifo_file rw_fifo_file_perms;
 allow rpcbind_t self:unix_stream_socket { accept listen };
 allow rpcbind_t self:tcp_socket { accept listen };
 
+manage_files_pattern(rpcbind_t, rpcbind_tmp_t, rpcbind_tmp_t)
+manage_dirs_pattern(rpcbind_t, rpcbind_tmp_t, rpcbind_tmp_t)
+files_tmp_filetrans(rpcbind_t, rpcbind_tmp_t, { file dir })
+
 manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
 manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
 files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
@@ -42,7 +49,6 @@ kernel_read_system_state(rpcbind_t)
 kernel_read_network_state(rpcbind_t)
 kernel_request_load_module(rpcbind_t)
 
-corenet_all_recvfrom_unlabeled(rpcbind_t)
 corenet_all_recvfrom_netlabel(rpcbind_t)
 corenet_tcp_sendrecv_generic_if(rpcbind_t)
 corenet_udp_sendrecv_generic_if(rpcbind_t)
@@ -68,7 +74,11 @@ auth_use_nsswitch(rpcbind_t)
 
 logging_send_syslog_msg(rpcbind_t)
 
-miscfiles_read_localization(rpcbind_t)
+sysnet_dns_name_resolve(rpcbind_t)
+
+optional_policy(`
+	nis_use_ypbind(rpcbind_t)
+')
 
 ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
index ebe91fc70b..27beed27d7 100644
--- a/rpm.fc
+++ b/rpm.fc
@@ -1,61 +1,81 @@
-/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
-/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
-
-/sbin/yast2	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
+/usr/bin/anaconda-yum		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/debuginfo-install	--	gen_context(system_u:object_r:debuginfo_exec_t,s0)
-/usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/online_update	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/rpmdev-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/smart	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/yum	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/zif	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic  --  gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-[0-9]+		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/bin/yum-builddep		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-builddep	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-deprecated --  gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/repoquery		--	gen_context(system_u:object_r:rpm_exec_t,s0)		
+/usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt  --  gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-cron		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
-/usr/sbin/bcfg2	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pirut	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/pup	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/rhn_check	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/up2date	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/yum-complete-transaction	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/system-install-packages	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/yum-updatesd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-
-ifdef(`distro_redhat',`
-/usr/bin/apt-get	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-shell	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/aptitude	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/synaptic	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/usr/share/yumex/yumex-yum-backend --	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/share/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/sbin/bcfg2				--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/package-cleanup	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpmdev-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhn_check-[0-9]+\.[0-9]+		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhnreg_ks		--  gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
-/usr/share/yumex/yumex-yum-backend	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
-/var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpmrebuilddb.*(/.*)?  gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 
-/var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+/var/log/up2date.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 
-/var/lock/bcfg2\.run	--	gen_context(system_u:object_r:rpm_lock_t,s0)
 
-/var/log/YaST2(/.*)?	gen_context(system_u:object_r:rpm_log_t,s0)
-/var/log/yum\.log.*	--	gen_context(system_u:object_r:rpm_log_t,s0)
+/var/spool/up2date(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
-/var/spool/up2date(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
 
-/var/run/yum.*	--	gen_context(system_u:object_r:rpm_var_run_t,s0)
-/var/run/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_run_t,s0)
+# SuSE
+ifdef(`distro_suse', `
+/usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/yast2			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/var/lib/YaST2(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/log/YaST2(/.*)?			gen_context(system_u:object_r:rpm_log_t,s0)
+')
 
 ifdef(`enable_mls',`
-/usr/sbin/cpio	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
diff --git a/rpm.if b/rpm.if
index ef3b225073..98dfc781ae 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
-## <summary>Redhat package manager.</summary>
+## <summary>Policy for the RPM package manager.</summary>
 
 ########################################
 ## <summary>
-##	Execute rpm in the rpm domain.
+##	Execute rpm programs in the rpm domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13,16 +13,18 @@
 interface(`rpm_domtrans',`
 	gen_require(`
 		type rpm_t, rpm_exec_t;
+		attribute rpm_transition_domain;
 	')
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, rpm_exec_t, rpm_t)
+	typeattribute $1 rpm_transition_domain;
+	rpm_debuginfo_domtrans($1)
 ')
 
 ########################################
 ## <summary>
-##	Execute debuginfo install
-##	in the rpm domain.
+##	Execute debuginfo_install programs in the rpm domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -37,11 +39,12 @@ interface(`rpm_debuginfo_domtrans',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, debuginfo_exec_t, rpm_t)
+	read_lnk_files_pattern($1, debuginfo_exec_t, debuginfo_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute rpm scripts in the rpm script domain.
+##	Execute rpm_script programs in the rpm_script domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54,18 +57,16 @@ interface(`rpm_domtrans_script',`
 		type rpm_script_t;
 	')
 
+	# transition to rpm script:
 	corecmd_shell_domtrans($1, rpm_script_t)
-
 	allow rpm_script_t $1:fd use;
-	allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+	allow rpm_script_t $1:fifo_file rw_file_perms;
 	allow rpm_script_t $1:process sigchld;
 ')
 
 ########################################
 ## <summary>
-##	Execute rpm in the rpm domain,
-##	and allow the specified roles the
-##	rpm domain.
+##	Execute RPM programs in the RPM domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -74,23 +75,28 @@ interface(`rpm_domtrans_script',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to allow the RPM domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`rpm_run',`
 	gen_require(`
-		attribute_role rpm_roles;
+		type rpm_t, rpm_script_t;
+		attribute_role rpm_script_roles;
 	')
 
 	rpm_domtrans($1)
-	roleattribute $2 rpm_roles;
+	roleattribute $2 rpm_script_roles;
+
+	domain_system_change_exemption($1)
+
+    rpm_transition_script($1, $2)
 ')
 
 ########################################
 ## <summary>
-##	Execute the rpm in the caller domain.
+##	Execute the rpm client in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -109,7 +115,25 @@ interface(`rpm_exec',`
 
 ########################################
 ## <summary>
-##	Send null signals to rpm.
+##	Do not audit to execute a rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_exec',`
+	gen_require(`
+		type rpm_exec_t;
+	')
+
+	dontaudit $1 rpm_exec_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+##	Send a null signal to rpm.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -127,7 +151,7 @@ interface(`rpm_signull',`
 
 ########################################
 ## <summary>
-##	Inherit and use file descriptors from rpm.
+##	Inherit and use file descriptors from RPM.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -145,7 +169,7 @@ interface(`rpm_use_fds',`
 
 ########################################
 ## <summary>
-##	Read rpm unnamed pipes.
+##	Read from an unnamed RPM pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -163,7 +187,7 @@ interface(`rpm_read_pipes',`
 
 ########################################
 ## <summary>
-##	Read and write rpm unnamed pipes.
+##	Read and write an unnamed RPM pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -179,6 +203,60 @@ interface(`rpm_rw_pipes',`
 	allow $1 rpm_t:fifo_file rw_fifo_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write an unnamed RPM script pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_rw_script_inherited_pipes',`
+	gen_require(`
+		type rpm_script_tmp_t;
+	')
+
+	allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_leaks',`
+	gen_require(`
+		type rpm_t, rpm_var_cache_t;
+		type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
+		type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
+	')
+
+	dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
+ 	dontaudit $1 rpm_t:tcp_socket { read write };
+	dontaudit $1 rpm_t:unix_dgram_socket { read write };
+	dontaudit $1 rpm_t:shm rw_shm_perms;
+
+	dontaudit $1 rpm_script_t:fd use;
+	dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
+
+	dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
+
+	dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
+ 	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ 	dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
+	dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
+	dontaudit $1 rpm_var_lib_t:dir getattr;
+	dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+	dontaudit $1 rpm_var_cache_t:file  rw_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
@@ -224,7 +302,7 @@ interface(`rpm_dontaudit_dbus_chat',`
 ########################################
 ## <summary>
 ##	Send and receive messages from
-##	rpm script over dbus.
+##	rpm_script over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -244,7 +322,7 @@ interface(`rpm_script_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Search rpm log directories.
+##	Search RPM log directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -263,7 +341,8 @@ interface(`rpm_search_log',`
 
 #####################################
 ## <summary>
-##	Append rpm log files.
+##	Allow the specified domain to append
+##	to rpm log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -276,14 +355,30 @@ interface(`rpm_append_log',`
 		type rpm_log_t;
 	')
 
-	logging_search_logs($1)
-	append_files_pattern($1, rpm_log_t, rpm_log_t)
+	allow $1 rpm_log_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the RPM log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_log',`
+	gen_require(`
+		type rpm_log_t;
+	')
+
+    read_files_pattern($1, rpm_log_t, rpm_log_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rpm log files.
+##	Create, read, write, and delete the RPM log.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -302,7 +397,32 @@ interface(`rpm_manage_log',`
 
 ########################################
 ## <summary>
-##	Inherit and use rpm script file descriptors.
+##	Create rpm logs with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_named_filetrans',`
+	gen_require(`
+		type rpm_log_t;
+		type rpm_var_lib_t;
+	')
+	logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
+	logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
+	files_var_filetrans($1, rpm_var_lib_t, dir, "dnf")
+	files_var_filetrans($1, rpm_var_lib_t, dir, "yum")
+	files_var_filetrans($1, rpm_var_lib_t, dir, "rpm")
+	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
+	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
+	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from RPM scripts.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -320,8 +440,8 @@ interface(`rpm_use_script_fds',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rpm script temporary files.
+##	Create, read, write, and delete RPM
+##	script temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -335,12 +455,15 @@ interface(`rpm_manage_script_tmp_files',`
 	')
 
 	files_search_tmp($1)
+	manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
 	manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+	manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
 ')
 
 #####################################
 ## <summary>
-##	Append rpm temporary files.
+##	Allow the specified domain to append
+##	to rpm tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -353,14 +476,13 @@ interface(`rpm_append_tmp_files',`
 		type rpm_tmp_t;
 	')
 
-	files_search_tmp($1)
-	append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+	allow $1 rpm_tmp_t:file append_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rpm temporary files.
+##	Create, read, write, and delete RPM
+##	 temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -374,12 +496,14 @@ interface(`rpm_manage_tmp_files',`
 	')
 
 	files_search_tmp($1)
+	manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
 	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+	manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
 ')
 
 ########################################
 ## <summary>
-##	Read rpm script temporary files.
+##	Read RPM script temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -399,7 +523,7 @@ interface(`rpm_read_script_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read rpm cache content.
+##	Read the RPM cache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -420,8 +544,7 @@ interface(`rpm_read_cache',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rpm cache content.
+##	Create, read, write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -442,7 +565,7 @@ interface(`rpm_manage_cache',`
 
 ########################################
 ## <summary>
-##	Read rpm lib content.
+##	Read the RPM package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -459,11 +582,13 @@ interface(`rpm_read_db',`
 	allow $1 rpm_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
 	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+	allow $1 rpm_var_lib_t:file map;
+	rpm_read_cache($1)
 ')
 
 ########################################
 ## <summary>
-##	Delete rpm lib files.
+##	Delete the RPM package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -482,8 +607,7 @@ interface(`rpm_delete_db',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rpm lib files.
+##	Create, read, write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -499,12 +623,33 @@ interface(`rpm_manage_db',`
 	files_search_var_lib($1)
 	manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
 	manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+	allow $1 rpm_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,the RPM package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_read_db',`
+	gen_require(`
+		type rpm_var_lib_t;
+	')
+
+	dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
+	dontaudit $1 rpm_var_lib_t:file read_file_perms;
+	dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to create, read,
-##	write, and delete rpm lib content.
+##	write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -517,9 +662,10 @@ interface(`rpm_dontaudit_manage_db',`
 		type rpm_var_lib_t;
 	')
 
-	dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
+	dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+	dontaudit $1 rpm_var_lib_t:file map;
 ')
 
 #####################################
@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',`
 
 #####################################
 ## <summary>
-##	Create, read, write, and delete
-##	rpm pid files.
+##	Create, read, write, and delete rpm pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',`
 
 ######################################
 ## <summary>
-##	Create files in pid directories
-##	with the rpm pid file type.
+##	Create files in /var/run with the rpm pid file type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',`
 ## </param>
 #
 interface(`rpm_pid_filetrans',`
-	refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.')
-	rpm_pid_filetrans_rpm_pid($1, file)
+	gen_require(`
+		type rpm_var_run_t;
+	')
+
+	files_pid_filetrans($1, rpm_var_run_t, file)
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in pid directories
-##	with the rpm pid file type.
+##	Send a null signal to rpm.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
+#
+interface(`rpm_inherited_fifo',`
+	gen_require(`
+		attribute rpm_transition_domain;
+	')
+
+	allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+')
+
+
+########################################
+## <summary>
+##	Make rpm_exec_t an entry point for
+##	the specified domain.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-#
-interface(`rpm_pid_filetrans_rpm_pid',`
+# 
+interface(`rpm_entry_type',`
 	gen_require(`
-		type rpm_var_run_t;
+		type rpm_exec_t;
 	')
 
-	files_pid_filetrans($1, rpm_var_run_t, $3, $4)
+	domain_entry_file($1, rpm_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an rpm environment.
+##	Allow application to transition to rpm_script domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 ##	</summary>
 ## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access.
+##  </summary>
 ## </param>
-## <rolecap/>
 #
-interface(`rpm_admin',`
+interface(`rpm_transition_script',`
 	gen_require(`
-		type rpm_t, rpm_script_t, rpm_initrc_exec_t;
-		type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
-		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
-		type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
+		type rpm_script_t;
+		attribute rpm_transition_domain;
+		attribute_role rpm_script_roles;
 	')
 
-	allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { rpm_t rpm_script_t })
+	typeattribute $1 rpm_transition_domain;
+	allow $1 rpm_script_t:process transition;
+	roleattribute $2 rpm_script_roles;
+
+	allow $1 rpm_script_t:fd use;
+	allow rpm_script_t $1:fd use;
+	allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+	allow rpm_script_t $1:process sigchld;
+')
+
+#######################################
+## <summary>
+##  All of the rules required to
+##  administrate an rpm environment.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpm_admin',`
+    gen_require(`
+        type rpm_t, rpm_script_t, rpm_initrc_exec_t;
+        type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
+
+        type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+        type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
+        type rpm_var_run_t;
+    ')
+
+    allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
+    ps_process_pattern($1, { rpm_t rpm_script_t })
 
 	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -641,9 +831,6 @@ interface(`rpm_admin',`
 
 	admin_pattern($1, rpm_file_t)
 
-	files_list_var($1)
-	admin_pattern($1, rpm_cache_t)
-
 	files_list_tmp($1)
 	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
 
diff --git a/rpm.te b/rpm.te
index 6fc360e602..4402cbe093 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
 policy_module(rpm, 1.16.0)
 
+attribute rpm_transition_domain;
+attribute_role rpm_script_roles;
+roleattribute system_r rpm_script_roles;
+
 ########################################
 #
 # Declarations
 #
-
-attribute_role rpm_roles;
-
-type debuginfo_exec_t;
-domain_entry_file(rpm_t, debuginfo_exec_t)
-
 type rpm_t;
 type rpm_exec_t;
 init_system_domain(rpm_t, rpm_exec_t)
@@ -17,10 +15,10 @@ domain_obj_id_change_exemption(rpm_t)
 domain_role_change_exemption(rpm_t)
 domain_system_change_exemption(rpm_t)
 domain_interactive_fd(rpm_t)
-role rpm_roles types rpm_t;
+role rpm_script_roles types rpm_t;
 
-type rpm_initrc_exec_t;
-init_script_file(rpm_initrc_exec_t)
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
 
 type rpm_file_t;
 files_type(rpm_file_t)
@@ -31,14 +29,12 @@ files_tmp_file(rpm_tmp_t)
 type rpm_tmpfs_t;
 files_tmpfs_file(rpm_tmpfs_t)
 
-type rpm_lock_t;
-files_lock_file(rpm_lock_t)
-
 type rpm_log_t;
 logging_log_file(rpm_log_t)
 
 type rpm_var_lib_t;
 files_type(rpm_var_lib_t)
+files_mountpoint(rpm_var_lib_t)
 typealias rpm_var_lib_t alias var_lib_rpm_t;
 
 type rpm_var_cache_t;
@@ -56,8 +52,7 @@ corecmd_bin_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
 domain_entry_file(rpm_t, rpm_script_exec_t)
 domain_interactive_fd(rpm_script_t)
-role rpm_roles types rpm_script_t;
-role system_r types rpm_script_t;
+role rpm_script_roles types rpm_script_t;
 
 type rpm_script_tmp_t;
 files_tmp_file(rpm_script_tmp_t)
@@ -70,28 +65,35 @@ files_tmpfs_file(rpm_script_tmpfs_t)
 # rpm Local policy
 #
 
-allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:capability2 block_suspend;
+allow rpm_t self:capability { audit_write chown dac_read_search dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
 allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
 allow rpm_t self:fifo_file rw_fifo_file_perms;
+allow rpm_t self:unix_dgram_socket create_socket_perms;
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
 allow rpm_t self:unix_dgram_socket sendto;
-allow rpm_t self:unix_stream_socket { accept connectto listen };
-allow rpm_t self:udp_socket connect;
-allow rpm_t self:tcp_socket { accept listen };
+allow rpm_t self:unix_stream_socket connectto;
+allow rpm_t self:udp_socket { connect };
+allow rpm_t self:udp_socket create_socket_perms;
+allow rpm_t self:tcp_socket create_stream_socket_perms;
 allow rpm_t self:shm create_shm_perms;
 allow rpm_t self:sem create_sem_perms;
 allow rpm_t self:msgq create_msgq_perms;
 allow rpm_t self:msg { send receive };
-allow rpm_t self:file rw_file_perms;
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
 allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow rpm_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
 
-allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow rpm_t rpm_log_t:file manage_file_perms;
 logging_log_filetrans(rpm_t, rpm_log_t, file)
 
 manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)
 
 manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
@@ -99,23 +101,20 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)
 
 manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
 
-manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t)
-files_lock_filetrans(rpm_t, rpm_lock_t, file)
-
-manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+# Access /var/lib/rpm files
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
-files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
+files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
+allow rpm_t rpm_var_lib_t:file map;
 
 manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
 manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
-files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file })
-
-can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t })
+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
 
 kernel_read_crypto_sysctls(rpm_t)
 kernel_read_network_state(rpm_t)
@@ -126,41 +125,34 @@ kernel_rw_irq_sysctls(rpm_t)
 
 corecmd_exec_all_executables(rpm_t)
 
-corenet_all_recvfrom_unlabeled(rpm_t)
 corenet_all_recvfrom_netlabel(rpm_t)
 corenet_tcp_sendrecv_generic_if(rpm_t)
+corenet_raw_sendrecv_generic_if(rpm_t)
+corenet_udp_sendrecv_generic_if(rpm_t)
 corenet_tcp_sendrecv_generic_node(rpm_t)
+corenet_raw_sendrecv_generic_node(rpm_t)
+corenet_udp_sendrecv_generic_node(rpm_t)
 corenet_tcp_sendrecv_all_ports(rpm_t)
-
-corenet_sendrecv_all_client_packets(rpm_t)
+corenet_udp_sendrecv_all_ports(rpm_t)
 corenet_tcp_connect_all_ports(rpm_t)
+corenet_sendrecv_all_client_packets(rpm_t)
 
 dev_list_sysfs(rpm_t)
 dev_list_usbfs(rpm_t)
 dev_read_urand(rpm_t)
 dev_read_raw_memory(rpm_t)
-
 dev_manage_all_dev_nodes(rpm_t)
-dev_relabel_all_dev_nodes(rpm_t)
 
+#devices_manage_all_device_types(rpm_t)
 dev_create_generic_blk_files(rpm_t)
 dev_create_generic_chr_files(rpm_t)
-
-domain_read_all_domains_state(rpm_t)
-domain_getattr_all_domains(rpm_t)
-domain_use_interactive_fds(rpm_t)
-domain_dontaudit_getattr_all_pipes(rpm_t)
-domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
-domain_dontaudit_getattr_all_udp_sockets(rpm_t)
-domain_dontaudit_getattr_all_packet_sockets(rpm_t)
-domain_dontaudit_getattr_all_raw_sockets(rpm_t)
-domain_dontaudit_getattr_all_stream_sockets(rpm_t)
-domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
-domain_signull_all_domains(rpm_t)
-
-files_exec_etc_files(rpm_t)
-files_relabel_non_auth_files(rpm_t)
-files_manage_non_auth_files(rpm_t)
+dev_delete_all_blk_files(rpm_t)
+dev_delete_all_chr_files(rpm_t)
+dev_relabel_all_dev_nodes(rpm_t)
+dev_rename_generic_blk_files(rpm_t)
+dev_rename_generic_chr_files(rpm_t)
+dev_setattr_all_blk_files(rpm_t)
+dev_setattr_all_chr_files(rpm_t)
 
 fs_getattr_all_dirs(rpm_t)
 fs_list_inotifyfs(rpm_t)
@@ -183,29 +175,49 @@ selinux_compute_relabel_context(rpm_t)
 selinux_compute_user_contexts(rpm_t)
 
 storage_raw_write_fixed_disk(rpm_t)
+# for installing kernel packages
 storage_raw_read_fixed_disk(rpm_t)
 
 term_list_ptys(rpm_t)
 
+files_relabel_all_files(rpm_t)
+files_manage_all_files(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
 auth_use_nsswitch(rpm_t)
 
+# transition to rpm script:
 rpm_domtrans_script(rpm_t)
 
+domain_read_all_domains_state(rpm_t)
+domain_getattr_all_domains(rpm_t)
+domain_use_interactive_fds(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+domain_signull_all_domains(rpm_t)
+
+files_exec_etc_files(rpm_t)
+
 init_domtrans_script(rpm_t)
 init_use_script_ptys(rpm_t)
 init_signull_script(rpm_t)
 
 libs_exec_ld_so(rpm_t)
 libs_exec_lib_files(rpm_t)
-libs_run_ldconfig(rpm_t, rpm_roles)
 
 logging_send_syslog_msg(rpm_t)
 
+miscfiles_filetrans_named_content(rpm_t)
+
+# allow compiling and loading new policy
 seutil_manage_src_policy(rpm_t)
 seutil_manage_bin_policy(rpm_t)
 
-userdom_use_user_terminals(rpm_t)
+userdom_use_inherited_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
 
 optional_policy(`
@@ -224,13 +236,17 @@ optional_policy(`
 		networkmanager_dbus_chat(rpm_t)
 	')
 
-	optional_policy(`
-		unconfined_dbus_chat(rpm_t)
-	')
 ')
 
 optional_policy(`
-	prelink_run(rpm_t, rpm_roles)
+	prelink_domtrans(rpm_t)
+')
+
+optional_policy(`
+	unconfined_domain_noaudit(rpm_t)
+	# yum-updatesd requires this
+	unconfined_dbus_chat(rpm_t)
+	unconfined_dbus_chat(rpm_script_t)
 ')
 
 ########################################
@@ -239,18 +255,20 @@ optional_policy(`
 #
 
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+
 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
 allow rpm_script_t self:unix_dgram_socket sendto;
-allow rpm_script_t self:unix_stream_socket { accept connectto listen };
+allow rpm_script_t self:unix_stream_socket connectto;
 allow rpm_script_t self:shm create_shm_perms;
 allow rpm_script_t self:sem create_sem_perms;
 allow rpm_script_t self:msgq create_msgq_perms;
 allow rpm_script_t self:msg { send receive };
 allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-allow rpm_script_t rpm_t:netlink_route_socket { read write };
+allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
 
 allow rpm_script_t rpm_tmp_t:file read_file_perms;
 
@@ -267,8 +285,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
 
-can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })
+allow rpm_script_t rpm_t:netlink_route_socket { read write };
 
 kernel_read_crypto_sysctls(rpm_script_t)
 kernel_read_kernel_sysctls(rpm_script_t)
@@ -277,45 +296,29 @@ kernel_read_network_state(rpm_script_t)
 kernel_list_all_proc(rpm_script_t)
 kernel_read_software_raid_state(rpm_script_t)
 
-corenet_all_recvfrom_unlabeled(rpm_script_t)
-corenet_all_recvfrom_netlabel(rpm_script_t)
-corenet_tcp_sendrecv_generic_if(rpm_script_t)
-corenet_tcp_sendrecv_generic_node(rpm_script_t)
-
-corenet_sendrecv_http_client_packets(rpm_script_t)
+# needed by rhn_check
 corenet_tcp_connect_http_port(rpm_script_t)
-corenet_tcp_sendrecv_http_port(rpm_script_t)
-
-corecmd_exec_all_executables(rpm_script_t)
+# needed by unbound-anchor
+corenet_udp_bind_all_unreserved_ports(rpm_script_t)
 
 dev_list_sysfs(rpm_script_t)
+
+# ideally we would not need this
 dev_manage_generic_blk_files(rpm_script_t)
 dev_manage_generic_chr_files(rpm_script_t)
 dev_manage_all_blk_files(rpm_script_t)
 dev_manage_all_chr_files(rpm_script_t)
 
-domain_read_all_domains_state(rpm_script_t)
-domain_getattr_all_domains(rpm_script_t)
-domain_use_interactive_fds(rpm_script_t)
-domain_signal_all_domains(rpm_script_t)
-domain_signull_all_domains(rpm_script_t)
-
-files_exec_etc_files(rpm_script_t)
-files_exec_usr_files(rpm_script_t)
-files_manage_non_auth_files(rpm_script_t)
-files_relabel_non_auth_files(rpm_script_t)
-
 fs_manage_nfs_files(rpm_script_t)
 fs_getattr_nfs(rpm_script_t)
 fs_search_all(rpm_script_t)
 fs_getattr_all_fs(rpm_script_t)
+# why is this not using mount?
 fs_getattr_xattr_fs(rpm_script_t)
 fs_mount_xattr_fs(rpm_script_t)
 fs_unmount_xattr_fs(rpm_script_t)
 fs_search_auto_mountpoints(rpm_script_t)
 
-mcs_killall(rpm_script_t)
-
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
 
@@ -331,73 +334,129 @@ storage_raw_write_fixed_disk(rpm_script_t)
 
 term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
-term_use_all_terms(rpm_script_t)
+term_use_all_inherited_terms(rpm_script_t)
 
 auth_dontaudit_getattr_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 
+corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
+domain_read_all_domains_state(rpm_script_t)
+domain_getattr_all_domains(rpm_script_t)
+domain_use_interactive_fds(rpm_script_t)
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
+# ideally we would not need this
+files_manage_all_files(rpm_script_t)
+files_exec_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
+
+init_disable_services(rpm_script_t)
+init_enable_services(rpm_script_t)
+init_reload_services(rpm_script_t)
+init_manage_transient_unit(rpm_script_t)
 init_domtrans_script(rpm_script_t)
 init_telinit(rpm_script_t)
 
+systemd_config_all_services(rpm_script_t)
+
 libs_exec_ld_so(rpm_script_t)
 libs_exec_lib_files(rpm_script_t)
-libs_run_ldconfig(rpm_script_t, rpm_roles)
+libs_ldconfig_exec_entry_type(rpm_script_t)
 
 logging_send_syslog_msg(rpm_script_t)
+logging_send_audit_msgs(rpm_script_t)
 
-miscfiles_read_localization(rpm_script_t)
-
-modutils_run_depmod(rpm_script_t, rpm_roles)
-modutils_run_insmod(rpm_script_t, rpm_roles)
+miscfiles_filetrans_named_content(rpm_script_t)
 
-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
-seutil_run_setfiles(rpm_script_t, rpm_roles)
-seutil_run_semanage(rpm_script_t, rpm_roles)
+seutil_run_loadpolicy(rpm_script_t, rpm_script_roles)
+seutil_run_setfiles(rpm_script_t, rpm_script_roles)
+seutil_run_semanage(rpm_script_t, rpm_script_roles)
+seutil_run_setsebool(rpm_script_t, rpm_script_roles)
 
 userdom_use_all_users_fds(rpm_script_t)
+userdom_exec_admin_home_files(rpm_script_t)
 
 ifdef(`distro_redhat',`
 	optional_policy(`
 		mta_send_mail(rpm_script_t)
+        mta_role_access_system_mail(rpm_script_roles)
 		mta_system_content(rpm_var_run_t)
 	')
 ')
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`',`
 	allow rpm_script_t self:process execmem;
 ')
 
 optional_policy(`
-	bootloader_run(rpm_script_t, rpm_roles)
+	bootloader_run(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
+    bind_systemctl(rpm_script_t)
+')
+
+optional_policy(`
+	certmonger_dbus_chat(rpm_script_t)
+')
+
+optional_policy(`
+	cups_filetrans_named_content(rpm_script_t)
+')
+
+optional_policy(`
+    glusterd_filetrans_named_pid(rpm_script_t)
+') 
+
+optional_policy(`
+    sblim_filetrans_named_content(rpm_script_t)
 ')
 
 optional_policy(`
 	dbus_system_bus_client(rpm_script_t)
 
-	optional_policy(`
-		unconfined_dbus_chat(rpm_script_t)
-	')
+    optional_policy(`
+        systemd_dbus_chat_logind(rpm_script_t)
+        systemd_dbus_chat_timedated(rpm_script_t)
+        systemd_dbus_chat_localed(rpm_script_t)
+    ')
+')
+
+optional_policy(`
+	lvm_domtrans(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
+	ntp_run(rpm_script_t, rpm_script_roles)
 ')
 
 optional_policy(`
-	lvm_run(rpm_script_t, rpm_roles)
+	modutils_run_depmod(rpm_script_t, rpm_script_roles)
+	modutils_run_insmod(rpm_script_t, rpm_script_roles)
 ')
 
 optional_policy(`
-	ntp_domtrans(rpm_script_t)
+	openshift_initrc_run(rpm_script_t, rpm_script_roles)
 ')
 
 optional_policy(`
-	tzdata_run(rpm_t, rpm_roles)
-	tzdata_run(rpm_script_t, rpm_roles)
+	tzdata_domtrans(rpm_t)
+	tzdata_run(rpm_script_t, rpm_script_roles)
 ')
 
 optional_policy(`
-	udev_domtrans(rpm_script_t)
+	udev_run(rpm_script_t, rpm_script_roles)
 ')
 
 optional_policy(`
-	unconfined_domtrans(rpm_script_t)
+	unconfined_domain_noaudit(rpm_script_t)
+	domain_named_filetrans(rpm_script_t)
 
 	optional_policy(`
 		java_domtrans_unconfined(rpm_script_t)
@@ -409,6 +468,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	usermanage_run_groupadd(rpm_script_t, rpm_roles)
-	usermanage_run_useradd(rpm_script_t, rpm_roles)
+	usermanage_run_groupadd(rpm_script_t, rpm_script_roles)
+	usermanage_run_useradd(rpm_script_t, rpm_script_roles)
 ')
diff --git a/rshd.fc b/rshd.fc
index 9ad0d58dcf..6a4db031ff 100644
--- a/rshd.fc
+++ b/rshd.fc
@@ -1,3 +1,4 @@
+
 /usr/kerberos/sbin/kshd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
 
 /usr/sbin/in\.rexecd	--	gen_context(system_u:object_r:rshd_exec_t,s0)
diff --git a/rshd.if b/rshd.if
index 7ad29c0467..2e87d76b4e 100644
--- a/rshd.if
+++ b/rshd.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Execute rshd in the rshd domain.
+##	Domain transition to rshd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -15,6 +15,7 @@ interface(`rshd_domtrans',`
 		type rshd_exec_t, rshd_t;
 	')
 
+	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, rshd_exec_t, rshd_t)
 ')
diff --git a/rshd.te b/rshd.te
index 864e089a07..f919bc5373 100644
--- a/rshd.te
+++ b/rshd.te
@@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1)
 #
 # Declarations
 #
-
 type rshd_t;
 type rshd_exec_t;
-auth_login_pgm_domain(rshd_t)
 inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+domain_subj_id_change_exemption(rshd_t)
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
 
 type rshd_keytab_t;
 files_type(rshd_keytab_t)
@@ -17,51 +18,66 @@ files_type(rshd_keytab_t)
 #
 # Local policy
 #
-
-allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
-allow rshd_t self:process { signal_perms setsched setpgid setexec };
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_read_search dac_override };
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
 allow rshd_t self:fifo_file rw_fifo_file_perms;
 allow rshd_t self:tcp_socket create_stream_socket_perms;
 
 allow rshd_t rshd_keytab_t:file read_file_perms;
 
 kernel_read_kernel_sysctls(rshd_t)
+kernel_read_net_sysctls(rshd_t)
 
-corenet_all_recvfrom_unlabeled(rshd_t)
 corenet_all_recvfrom_netlabel(rshd_t)
 corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_udp_sendrecv_generic_if(rshd_t)
 corenet_tcp_sendrecv_generic_node(rshd_t)
+corenet_udp_sendrecv_generic_node(rshd_t)
 corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_udp_sendrecv_all_ports(rshd_t)
 corenet_tcp_bind_generic_node(rshd_t)
-
-corenet_sendrecv_all_server_packets(rshd_t)
 corenet_tcp_bind_rsh_port(rshd_t)
 corenet_tcp_bind_all_rpc_ports(rshd_t)
 corenet_tcp_connect_all_ports(rshd_t)
 corenet_tcp_connect_all_rpc_ports(rshd_t)
+corenet_sendrecv_rsh_server_packets(rshd_t)
+
+dev_read_urand(rshd_t)
+
+domain_interactive_fd(rshd_t)
+
+selinux_get_fs_mount(rshd_t)
+selinux_validate_context(rshd_t)
+selinux_compute_access_vector(rshd_t)
+selinux_compute_create_context(rshd_t)
+selinux_compute_relabel_context(rshd_t)
+selinux_compute_user_contexts(rshd_t)
 
 corecmd_read_bin_symlinks(rshd_t)
 
 files_list_home(rshd_t)
+files_search_tmp(rshd_t)
+
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
 
+init_rw_utmp(rshd_t)
+
+logging_send_syslog_msg(rshd_t)
 logging_search_logs(rshd_t)
 
-miscfiles_read_localization(rshd_t)
+seutil_read_config(rshd_t)
+seutil_read_default_contexts(rshd_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(rshd_t)
-	fs_read_nfs_symlinks(rshd_t)
-')
+userdom_search_user_home_content(rshd_t)
+userdom_manage_tmp_role(system_r, rshd_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(rshd_t)
-	fs_read_cifs_symlinks(rshd_t)
-')
+userdom_home_reader(rshd_t)
 
 optional_policy(`
 	kerberos_manage_host_rcache(rshd_t)
 	kerberos_read_keytab(rshd_t)
-	kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
+	kerberos_tmp_filetrans_host_rcache(rshd_t, "host_0")
 	kerberos_use(rshd_t)
 ')
 
diff --git a/rssh.te b/rssh.te
index 5c5465feb7..60059323f4 100644
--- a/rssh.te
+++ b/rssh.te
@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
 kernel_read_system_state(rssh_t)
 kernel_read_kernel_sysctls(rssh_t)
 
-files_read_etc_files(rssh_t)
 files_read_etc_runtime_files(rssh_t)
 files_list_home(rssh_t)
-files_read_usr_files(rssh_t)
 files_list_var(rssh_t)
 
 fs_search_auto_mountpoints(rssh_t)
 
 logging_send_syslog_msg(rssh_t)
 
-miscfiles_read_localization(rssh_t)
-
 rssh_domtrans_chroot_helper(rssh_t)
 
 ssh_rw_tcp_sockets(rssh_t)
@@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t)
 auth_use_nsswitch(rssh_chroot_helper_t)
 
 logging_send_syslog_msg(rssh_chroot_helper_t)
-
-miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/rsync.fc b/rsync.fc
index d25301b85b..f3eeec7b6b 100644
--- a/rsync.fc
+++ b/rsync.fc
@@ -1,7 +1,8 @@
 /etc/rsyncd\.conf	--	gen_context(system_u:object_r:rsync_etc_t, s0)
 
-/usr/bin/rsync	--	gen_context(system_u:object_r:rsync_exec_t,s0)
+/usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
 
-/var/log/rsync\.log.*	--	gen_context(system_u:object_r:rsync_log_t,s0)
+/var/log/rsync.*		gen_context(system_u:object_r:rsync_log_t,s0)
 
 /var/run/rsyncd\.lock	--	gen_context(system_u:object_r:rsync_var_run_t,s0)
+/var/run/swift_server\.lock	--	gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
index f1140efe48..642e062f41 100644
--- a/rsync.if
+++ b/rsync.if
@@ -1,16 +1,32 @@
-## <summary>Fast incremental file transfer for synchronization.</summary>
+## <summary>Fast incremental file transfer for synchronization</summary>
+
+#######################################
+## <summary>
+##      Sendmail stub interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rsync_stub',`
+    gen_require(`
+        type rsync_t;
+    ')
+')
 
 ########################################
 ## <summary>
-##	Make rsync executable file an
-##	entry point for the specified domain.
+##	Make rsync an entry point for
+##	the specified domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The domain for which rsync_exec_t is an entrypoint.
+##	The domain for which init scripts are an entrypoint.
 ##	</summary>
 ## </param>
-#
+# cjp: added for portage
 interface(`rsync_entry_type',`
 	gen_require(`
 		type rsync_exec_t;
@@ -43,14 +59,13 @@ interface(`rsync_entry_type',`
 ##	Domain to transition to.
 ##	</summary>
 ## </param>
-#
+# cjp: added for portage
 interface(`rsync_entry_spec_domtrans',`
 	gen_require(`
 		type rsync_exec_t;
 	')
 
-	corecmd_search_bin($1)
-	auto_trans($1, rsync_exec_t, $2)
+	domain_trans($1, rsync_exec_t, $2)
 ')
 
 ########################################
@@ -77,82 +92,56 @@ interface(`rsync_entry_spec_domtrans',`
 ##	Domain to transition to.
 ##	</summary>
 ## </param>
-#
+# cjp: added for portage
 interface(`rsync_entry_domtrans',`
 	gen_require(`
 		type rsync_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domain_auto_trans($1, rsync_exec_t, $2)
 ')
 
 ########################################
 ## <summary>
-##	Execute the rsync program in the rsync domain.
+##	Execute rsync in the caller domain domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`rsync_domtrans',`
+interface(`rsync_exec',`
 	gen_require(`
-		type rsync_t, rsync_exec_t;
+		type rsync_exec_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, rsync_exec_t, rsync_t)
+	can_exec($1, rsync_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute rsync in the rsync domain, and
-##	allow the specified role the rsync domain.
+##	Read rsync config files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-#
-interface(`rsync_run',`
-	gen_require(`
-		attribute_role rsync_roles;
-	')
-
-	rsync_domtrans($1)
-	roleattribute $2 rsync_roles;
-')
-
-########################################
 ## <summary>
-##	Execute rsync in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
-interface(`rsync_exec',`
+interface(`rsync_read_config',`
 	gen_require(`
-		type rsync_exec_t;
+		type rsync_etc_t;
 	')
 
-	corecmd_search_bin($1)
-	can_exec($1, rsync_exec_t)
+	read_files_pattern($1, rsync_etc_t, rsync_etc_t)
+	files_search_etc($1)
 ')
 
 ########################################
 ## <summary>
-##	Read rsync config files.
+##	Read rsync data files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -160,23 +149,23 @@ interface(`rsync_exec',`
 ## </summary>
 ## </param>
 #
-interface(`rsync_read_config',`
+interface(`rsync_read_data',`
 	gen_require(`
-		type rsync_etc_t;
+		type rsync_data_t;
 	')
 
-	files_search_etc($1)
-	allow $1 rsync_etc_t:file read_file_perms;
+	read_files_pattern($1, rsync_data_t, rsync_data_t)
 ')
 
+
 ########################################
 ## <summary>
-##	Write rsync config files.
+##	Write to rsync config files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`rsync_write_config',`
@@ -184,14 +173,13 @@ interface(`rsync_write_config',`
 		type rsync_etc_t;
 	')
 
+	write_files_pattern($1, rsync_etc_t, rsync_etc_t)
 	files_search_etc($1)
-	allow $1 rsync_etc_t:file write_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	rsync config files.
+##	Manage rsync config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -199,18 +187,18 @@ interface(`rsync_write_config',`
 ##	</summary>
 ## </param>
 #
-interface(`rsync_manage_config_files',`
+interface(`rsync_manage_config',`
 	gen_require(`
 		type rsync_etc_t;
 	')
 
-	files_search_etc($1)
 	manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
+	files_search_etc($1)
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in etc directories
+##	Create objects in etc directories
 ##	with rsync etc type.
 ## </summary>
 ## <param name="domain">
@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an rsync environment.
+##	Transition to rsync named content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`rsync_admin',`
+interface(`rsync_filetrans_named_content',`
 	gen_require(`
-		type rsync_t, rsync_etc_t, rsync_data_t;
-		type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
+		type rsync_etc_t;
+        type rsync_var_run_t;
 	')
 
-	allow $1 rsync_t:process { ptrace signal_perms };
-	ps_process_pattern($1, rsync_t)
-
-	files_search_etc($1)
-	admin_pattern($1, rsync_etc_t)
-
-	admin_pattern($1, rsync_data_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, rsync_log_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, rsync_tmp_t)
-
-	files_search_pids($1)
-	admin_pattern($1, rsync_var_run_t)
-
-	rsync_run($1, $2)
+	files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")
+	files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
+	files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
 ')
diff --git a/rsync.te b/rsync.te
index abeb302a74..6836678c82 100644
--- a/rsync.te
+++ b/rsync.te
@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether rsync can use
-##	cifs file systems.
-##	</p>
+## <p>
+## Allow rsync to run as a client
+## </p>
 ## </desc>
-gen_tunable(rsync_use_cifs, false)
+gen_tunable(rsync_client, false)
 
 ## <desc>
-##	<p>
-##	Determine whether rsync can
-##	use fuse file systems.
-##	</p>
+## <p>
+## Allow rsync to export any files/directories read only.
+## </p>
 ## </desc>
-gen_tunable(rsync_use_fusefs, false)
+gen_tunable(rsync_export_all_ro, false)
 
 ## <desc>
-##	<p>
-##	Determine whether rsync can use
-##	nfs file systems.
-##	</p>
+## <p>
+## Allow rsync to modify public files
+## used for public file transfer services.  Files/Directories must be
+## labeled public_content_rw_t.
+## </p>
 ## </desc>
-gen_tunable(rsync_use_nfs, false)
+gen_tunable(rsync_anon_write, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether rsync can
-##	run as a client
+##	Allow rsync server to manage all files/directories on the system.
 ##	</p>
 ## </desc>
-gen_tunable(rsync_client, false)
+gen_tunable(rsync_full_access, false)
 
-## <desc>
-##	<p>
-##	Determine whether rsync can
-##	export all content read only.
-##	</p>
-## </desc>
-gen_tunable(rsync_export_all_ro, false)
-
-## <desc>
-##	<p>
-##	Determine whether rsync can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
-## </desc>
-gen_tunable(allow_rsync_anon_write, false)
-
-attribute_role rsync_roles;
 
 type rsync_t;
 type rsync_exec_t;
-init_daemon_domain(rsync_t, rsync_exec_t)
-application_domain(rsync_t, rsync_exec_t)
-role rsync_roles types rsync_t;
+application_executable_file(rsync_exec_t)
+role system_r types rsync_t;
 
 type rsync_etc_t;
 files_config_file(rsync_etc_t)
 
-type rsync_data_t; # customizable
+type rsync_data_t;
 files_type(rsync_data_t)
 
 type rsync_log_t;
@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t)
 allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
-allow rsync_t self:tcp_socket { accept listen };
+allow rsync_t self:tcp_socket create_stream_socket_perms;
+allow rsync_t self:udp_socket connected_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child_t rules?
+# search home and kerberos also.
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+#end for identd
 
-allow rsync_t rsync_etc_t:file read_file_perms;
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
 
 allow rsync_t rsync_data_t:dir list_dir_perms;
-allow rsync_t rsync_data_t:file read_file_perms;
-allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms;
+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+allow rsync_t rsync_data_t:dir_file_class_set getattr;
+allow rsync_t rsync_data_t:socket_class_set getattr;
+allow rsync_t rsync_data_t:sock_file setattr;
 
-allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
 logging_log_filetrans(rsync_t, rsync_log_t, file)
 
 manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
@@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
 
-corenet_all_recvfrom_unlabeled(rsync_t)
 corenet_all_recvfrom_netlabel(rsync_t)
 corenet_tcp_sendrecv_generic_if(rsync_t)
+corenet_udp_sendrecv_generic_if(rsync_t)
 corenet_tcp_sendrecv_generic_node(rsync_t)
+corenet_udp_sendrecv_generic_node(rsync_t)
+corenet_tcp_sendrecv_all_ports(rsync_t)
+corenet_udp_sendrecv_all_ports(rsync_t)
 corenet_tcp_bind_generic_node(rsync_t)
-
-corenet_sendrecv_rsync_server_packets(rsync_t)
 corenet_tcp_bind_rsync_port(rsync_t)
-corenet_tcp_sendrecv_rsync_port(rsync_t)
+corenet_sendrecv_rsync_server_packets(rsync_t)
 
 dev_read_urand(rsync_t)
 
-fs_getattr_all_fs(rsync_t)
+fs_getattr_xattr_fs(rsync_t)
 fs_search_auto_mountpoints(rsync_t)
 
 files_search_home(rsync_t)
 
-auth_can_read_shadow_passwords(rsync_t)
 auth_use_nsswitch(rsync_t)
 
 logging_send_syslog_msg(rsync_t)
 
-miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
 
-tunable_policy(`allow_rsync_anon_write',`
-	miscfiles_manage_public_files(rsync_t)
+userdom_home_manager(rsync_t)
+
+optional_policy(`
+	daemontools_service_domain(rsync_t, rsync_exec_t)
 ')
 
-tunable_policy(`rsync_client',`
-	corenet_sendrecv_rsync_client_packets(rsync_t)
-	corenet_tcp_connect_rsync_port(rsync_t)
+optional_policy(`
+	kerberos_use(rsync_t)
+')
 
-	corenet_sendrecv_ssh_client_packets(rsync_t)
-	corenet_tcp_connect_ssh_port(rsync_t)
-	corenet_tcp_sendrecv_ssh_port(rsync_t)
+optional_policy(`
+	inetd_service_domain(rsync_t, rsync_exec_t)
+')
 
-	manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
-	manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-	manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+optional_policy(`
+	mta_send_mail(rsync_t)
+')
+
+tunable_policy(`rsync_anon_write',`
+	miscfiles_manage_public_files(rsync_t)
+')
+
+tunable_policy(`rsync_full_access',`
+	allow rsync_t self:capability { dac_override dac_read_search };
+	files_manage_non_auth_files(rsync_t)
 ')
 
 tunable_policy(`rsync_export_all_ro',`
@@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',`
 	auth_tunable_read_shadow(rsync_t)
 ')
 
-tunable_policy(`rsync_use_cifs',`
-	fs_list_cifs(rsync_t)
-	fs_read_cifs_files(rsync_t)
-	fs_read_cifs_symlinks(rsync_t)
-')
-
-tunable_policy(`rsync_use_fusefs',`
-	fs_search_fusefs(rsync_t)
-	fs_read_fusefs_files(rsync_t)
-	fs_read_fusefs_symlinks(rsync_t)
-')
-
-tunable_policy(`rsync_use_nfs',`
-	fs_list_nfs(rsync_t)
-	fs_read_nfs_files(rsync_t)
-	fs_read_nfs_symlinks(rsync_t)
+tunable_policy(`rsync_client',`
+	corenet_tcp_connect_rsync_port(rsync_t)
+	corenet_tcp_connect_ssh_port(rsync_t)
+	manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+	manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+	manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
 ')
 
 optional_policy(`
 	tunable_policy(`rsync_client',`
-		ssh_exec(rsync_t)
+		ssh_exec(rsync_t) 
 	')
 ')
 
-optional_policy(`
-	daemontools_service_domain(rsync_t, rsync_exec_t)
-')
-
-optional_policy(`
-	kerberos_use(rsync_t)
-')
+auth_can_read_shadow_passwords(rsync_t)
 
 optional_policy(`
-	inetd_service_domain(rsync_t, rsync_exec_t)
+	swift_manage_data_files(rsync_t)
+    swift_manage_lock(rsync_t)
+    swift_filetrans_named_lock(rsync_t)
 ')
diff --git a/rtas.fc b/rtas.fc
new file mode 100644
index 0000000000..8d12521d29
--- /dev/null
+++ b/rtas.fc
@@ -0,0 +1,14 @@
+/usr/lib/systemd/system/rtas_errd.*   --  gen_context(system_u:object_r:rtas_errd_unit_file_t,s0)
+
+/usr/sbin/rtas_errd    --  gen_context(system_u:object_r:rtas_errd_exec_t,s0)
+/usr/libexec/ppc64-diag/rtas_errd   --  gen_context(system_u:object_r:rtas_errd_exec_t,s0)
+
+/var/lock/subsys/rtas_errd  --  gen_context(system_u:object_r:rtas_errd_var_lock_t)
+/var/lock/.*librtas  --  gen_context(system_u:object_r:rtas_errd_var_lock_t)
+
+/var/log/rtas_errd.*    --  gen_context(system_u:object_r:rtas_errd_log_t)
+/var/log/platform.*   --  gen_context(system_u:object_r:rtas_errd_log_t)
+/var/log/epow_status.*    --  gen_context(system_u:object_r:rtas_errd_log_t)
+
+/var/run/rtas_errd.*     --     gen_context(system_u:object_r:rtas_errd_var_run_t,s0)
+
diff --git a/rtas.if b/rtas.if
new file mode 100644
index 0000000000..92cc49d7ff
--- /dev/null
+++ b/rtas.if
@@ -0,0 +1,163 @@
+
+## <summary>Platform diagnostics report firmware events.</summary>
+
+########################################
+## <summary>
+##	Execute rtas_errd in the rtas_errd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rtas_errd_domtrans',`
+	gen_require(`
+		type rtas_errd_t, rtas_errd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
+')
+
+########################################
+## <summary>
+##	Read rtas_errd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`rtas_errd_read_log',`
+	gen_require(`
+		type rtas_errd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to rtas_errd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rtas_errd_append_log',`
+	gen_require(`
+		type rtas_errd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage rtas_errd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rtas_errd_manage_log',`
+	gen_require(`
+		type rtas_errd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+	manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+	manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
+')
+
+########################################
+## <summary>
+##	Read rtas_errd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rtas_errd_read_pid_files',`
+	gen_require(`
+		type rtas_errd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute rtas_errd server in the rtas_errd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rtas_errd_systemctl',`
+	gen_require(`
+		type rtas_errd_t;
+		type rtas_errd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 rtas_errd_unit_file_t:file read_file_perms;
+	allow $1 rtas_errd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, rtas_errd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an rtas_errd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rtas_errd_admin',`
+	gen_require(`
+		type rtas_errd_t;
+		type rtas_errd_log_t, rtas_errd_var_run_t;
+    	type rtas_errd_unit_file_t;
+	')
+
+	allow $1 rtas_errd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, rtas_errd_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, rtas_errd_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, rtas_errd_var_run_t)
+
+	rtas_errd_systemctl($1)
+	admin_pattern($1, rtas_errd_unit_file_t)
+	allow $1 rtas_errd_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/rtas.te b/rtas.te
new file mode 100644
index 0000000000..9a5164c7e1
--- /dev/null
+++ b/rtas.te
@@ -0,0 +1,95 @@
+policy_module(rtas, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rtas_errd_t;
+type rtas_errd_exec_t;
+init_daemon_domain(rtas_errd_t, rtas_errd_exec_t)
+
+type rtas_errd_log_t;
+logging_log_file(rtas_errd_log_t)
+
+type rtas_errd_var_run_t;
+files_pid_file(rtas_errd_var_run_t)
+
+type rtas_errd_var_lock_t;
+files_lock_file(rtas_errd_var_lock_t)
+
+type rtas_errd_unit_file_t;
+systemd_unit_file(rtas_errd_unit_file_t)
+
+type rtas_errd_tmp_t;
+files_tmp_file(rtas_errd_tmp_t)
+
+type rtas_errd_tmpfs_t;
+files_tmpfs_file(rtas_errd_tmpfs_t)
+
+########################################
+#
+# rtas_errd local policy
+#
+
+allow rtas_errd_t self:capability { net_admin chown sys_admin };
+allow rtas_errd_t self:process { fork signull };
+allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+manage_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
+logging_log_filetrans(rtas_errd_t, rtas_errd_log_t, { dir file lnk_file })
+
+manage_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
+manage_lnk_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
+files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } )
+
+manage_dirs_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+manage_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
+
+manage_files_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
+manage_dirs_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
+files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { file dir })
+
+manage_files_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
+manage_dirs_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
+fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { file dir })
+
+kernel_read_all_sysctls(rtas_errd_t)
+kernel_read_system_state(rtas_errd_t)
+kernel_read_network_state(rtas_errd_t)
+
+domain_read_all_domains_state(rtas_errd_t)
+
+auth_use_nsswitch(rtas_errd_t)
+
+corecmd_exec_bin(rtas_errd_t)
+
+dev_read_rand(rtas_errd_t)
+dev_read_urand(rtas_errd_t)
+dev_read_raw_memory(rtas_errd_t)
+dev_write_raw_memory(rtas_errd_t)
+dev_read_sysfs(rtas_errd_t)
+dev_rw_nvram(rtas_errd_t)
+
+files_manage_system_db_files(rtas_errd_t)
+
+logging_send_syslog_msg(rtas_errd_t)
+logging_read_generic_logs(rtas_errd_t)
+
+optional_policy(`
+    hostname_exec(rtas_errd_t)
+')
+
+optional_policy(`
+    rpm_exec(rtas_errd_t)
+    rpm_dontaudit_manage_db(rtas_errd_t)
+')
+
+optional_policy(`
+    unconfined_domain(rtas_errd_t)
+')
diff --git a/rtkit.if b/rtkit.if
index e904ec472f..e0dd20eeb1 100644
--- a/rtkit.if
+++ b/rtkit.if
@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
 		type rtkit_daemon_t, rtkit_daemon_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
 ')
 
@@ -42,56 +41,47 @@ interface(`rtkit_daemon_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Allow rtkit to control scheduling for your process.
+##	Do not audit send and receive messages from
+##	rtkit_daemon over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`rtkit_scheduled',`
+interface(`rtkit_daemon_dontaudit_dbus_chat',`
 	gen_require(`
 		type rtkit_daemon_t;
+		class dbus send_msg;
 	')
 
-	allow rtkit_daemon_t $1:process { getsched setsched };
-
-	kernel_search_proc($1)
-	ps_process_pattern(rtkit_daemon_t, $1)
-
-	optional_policy(`
-		rtkit_daemon_dbus_chat($1)
-	')
+	dontaudit $1 rtkit_daemon_t:dbus send_msg;
+	dontaudit rtkit_daemon_t $1:dbus send_msg;
+	dontaudit rtkit_daemon_t $1:process { getsched setsched };
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an rtkit environment.
+##	Allow rtkit to control scheduling for your process
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
-interface(`rtkit_admin',`
+interface(`rtkit_scheduled',`
 	gen_require(`
-		type rtkit_daemon_t, rtkit_daemon_initrc_exec_t;
+		type rtkit_daemon_t;
 	')
 
-	allow $1 rtkit_daemon_t:process { ptrace signal_perms };
-	ps_process_pattern($1, rtkit_daemon_t)
+	allow rtkit_daemon_t $1:process { getsched setsched };
+
+	kernel_search_proc($1)
+	ps_process_pattern(rtkit_daemon_t, $1)
 
-	init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 rtkit_daemon_initrc_exec_t system_r;
-	allow $2 system_r;
+	optional_policy(`
+		rtkit_daemon_dbus_chat($1)
+	')
 ')
diff --git a/rtkit.te b/rtkit.te
index 7eea21f3fa..7140646330 100644
--- a/rtkit.te
+++ b/rtkit.te
@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t)
 
 logging_send_syslog_msg(rtkit_daemon_t)
 
-miscfiles_read_localization(rtkit_daemon_t)
-
 optional_policy(`
 	dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
 
diff --git a/rwho.if b/rwho.if
index 0360ff0139..e6cb34f717 100644
--- a/rwho.if
+++ b/rwho.if
@@ -139,8 +139,11 @@ interface(`rwho_admin',`
 		type rwho_initrc_exec_t;
 	')
 
-	allow $1 rwho_t:process { ptrace signal_perms };
+	allow $1 rwho_t:process signal_perms;
 	ps_process_pattern($1, rwho_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 rwho_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/rwho.te b/rwho.te
index 7fb75f457b..eafd70620a 100644
--- a/rwho.te
+++ b/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
 files_type(rwho_log_t)
 
 type rwho_spool_t;
-files_type(rwho_spool_t)
+files_spool_file(rwho_spool_t)
 
 ########################################
 #
@@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
 
 kernel_read_system_state(rwho_t)
 
-corenet_all_recvfrom_unlabeled(rwho_t)
 corenet_all_recvfrom_netlabel(rwho_t)
 corenet_udp_sendrecv_generic_if(rwho_t)
 corenet_udp_sendrecv_generic_node(rwho_t)
@@ -50,15 +49,15 @@ corenet_udp_sendrecv_rwho_port(rwho_t)
 
 domain_use_interactive_fds(rwho_t)
 
-files_read_etc_files(rwho_t)
 
 init_read_utmp(rwho_t)
 init_dontaudit_write_utmp(rwho_t)
 
-logging_send_syslog_msg(rwho_t)
+auth_use_nsswitch(rwho_t)
 
-miscfiles_read_localization(rwho_t)
+logging_send_syslog_msg(rwho_t)
 
 sysnet_dns_name_resolve(rwho_t)
 
-# userdom_getattr_user_terminals(rwho_t)
+userdom_getattr_user_terminals(rwho_t)
+
diff --git a/samba.fc b/samba.fc
index b8b66ff4d0..a93346efee 100644
--- a/samba.fc
+++ b/samba.fc
@@ -1,42 +1,55 @@
-/etc/rc\.d/init\.d/nmb	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/smb	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+
+#
+# /etc
+#
+/etc/rc\.d/init\.d/nmb		--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/smb		--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/winbind	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+/etc/samba/MACHINE\.SID		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)?			gen_context(system_u:object_r:samba_etc_t,s0)
 
-/etc/samba/MACHINE\.SID	--	gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/passdb\.tdb	--	gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/secrets\.tdb	--	gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba/smbpasswd	--	gen_context(system_u:object_r:samba_secrets_t,s0)
-/etc/samba(/.*)?	gen_context(system_u:object_r:samba_etc_t,s0)
+#
+# /usr
+#
+/usr/lib/systemd/system/smb.* 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/nmb.*   --      gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/winbind.*   --  gen_context(system_u:object_r:samba_unit_file_t,s0)
 
-/usr/bin/net	--	gen_context(system_u:object_r:samba_net_exec_t,s0)
-/usr/bin/ntlm_auth	--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
-/usr/bin/smbcontrol	--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-/usr/bin/smbmount	--	gen_context(system_u:object_r:smbmount_exec_t,s0)
-/usr/bin/smbmnt	--	gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+/usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt			--	gen_context(system_u:object_r:smbmount_exec_t,s0)
 
-/usr/sbin/swat	--	gen_context(system_u:object_r:swat_exec_t,s0)
-/usr/sbin/nmbd	--	gen_context(system_u:object_r:nmbd_exec_t,s0)
-/usr/sbin/smbd	--	gen_context(system_u:object_r:smbd_exec_t,s0)
-/usr/sbin/winbindd	--	gen_context(system_u:object_r:winbind_exec_t,s0)
+/usr/sbin/swat			--	gen_context(system_u:object_r:swat_exec_t,s0)
+/usr/sbin/nmbd			--	gen_context(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd			--	gen_context(system_u:object_r:smbd_exec_t,s0)
+/usr/sbin/winbindd		--	gen_context(system_u:object_r:winbind_exec_t,s0)
 
-/var/cache/samba(/.*)?	gen_context(system_u:object_r:samba_var_t,s0)
-/var/cache/samba/winbindd_privileged(/.*)?	gen_context(system_u:object_r:winbind_var_run_t,s0)
+#
+# /var
+#
+/var/cache/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
 
-/var/lib/samba(/.*)?	gen_context(system_u:object_r:samba_var_t,s0)
-/var/lib/samba/winbindd_privileged(/.*)?	gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/nmbd(/.*)?				gen_context(system_u:object_r:samba_var_t,s0)
 
-/var/log/samba(/.*)?	gen_context(system_u:object_r:samba_log_t,s0)
+/var/lib/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
 
-/var/nmbd(/.*)?	gen_context(system_u:object_r:samba_var_t,s0)
+/var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
 
-/var/run/nmbd(/.*)?	gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/var/run/samba/nmbd(/.*)?	gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/nmbd(/.*)?			gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd(/.*)?			gen_context(system_u:object_r:nmbd_var_run_t,s0)
 
-/var/run/samba(/.*)?	gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba(/.*)?			gen_context(system_u:object_r:smbd_var_run_t,s0)
 /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 /var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 /var/run/samba/gencache\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-/var/run/samba/locking\.tdb --	gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb 	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 /var/run/samba/messages\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
 /var/run/samba/namelist\.debug	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
 /var/run/samba/nmbd\.pid	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
@@ -45,7 +58,11 @@
 /var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 /var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
 
-/var/run/winbindd(/.*)?	gen_context(system_u:object_r:winbind_var_run_t,s0)
-/var/run/samba/winbindd(/.*)?	gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/run/samba/winbindd(/.*)?		gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+/var/spool/samba(/.*)?			gen_context(system_u:object_r:samba_spool_t,s0)
 
-/var/spool/samba(/.*)?	gen_context(system_u:object_r:samba_var_t,s0)
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
index 50d07fb2e5..e4de70769f 100644
--- a/samba.if
+++ b/samba.if
@@ -1,8 +1,12 @@
-## <summary>SMB and CIFS client/server programs.</summary>
+## <summary>
+##	SMB and CIFS client/server programs for UNIX and
+##	name  Service  Switch  daemon for resolving names
+##	from Windows NT servers.
+## </summary>
 
 ########################################
 ## <summary>
-##	Execute nmbd in the nmbd domain.
+##	Execute nmbd net in the nmbd_t domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',`
 
 #######################################
 ## <summary>
-##	Send generic signals to nmbd.
+##	Allow domain to signal samba
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',`
 
 ########################################
 ## <summary>
-##	Connect to nmbd with a unix domain
-##	stream socket.
+##	Search the samba pid directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`samba_search_pid',`
+	gen_require(`
+		type smbd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 smbd_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Connect to nmbd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',`
 #
 interface(`samba_stream_connect_nmbd',`
 	gen_require(`
-		type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+		type nmbd_t, nmbd_var_run_t;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t)
+	samba_search_pid($1)
+	stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute samba init scripts in
-##	the init script domain.
+##	Execute samba server in the samba domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -77,7 +98,31 @@ interface(`samba_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute samba net in the samba net domain.
+##	Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`samba_systemctl',`
+	gen_require(`
+		type samba_unit_file_t;
+		type smbd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 samba_unit_file_t:file read_file_perms;
+	allow $1 samba_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, smbd_t)
+')
+
+########################################
+## <summary>
+##	Execute samba net in the samba_net domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -96,9 +141,27 @@ interface(`samba_domtrans_net',`
 
 ########################################
 ## <summary>
-##	Execute samba net in the samba net
-##	domain, and allow the specified
-##	role the samba net domain.
+##	Execute samba net in the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`samba_domtrans_unconfined_net',`
+	gen_require(`
+		type samba_unconfined_net_t, samba_net_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
+########################################
+## <summary>
+##	Execute samba net in the samba_net domain, and
+##	allow the specified role the samba_net domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -114,11 +177,56 @@ interface(`samba_domtrans_net',`
 #
 interface(`samba_run_net',`
 	gen_require(`
-		attribute_role samba_net_roles;
+		type samba_net_t;
 	')
 
 	samba_domtrans_net($1)
-	roleattribute $2 samba_net_roles;
+	role $2 types samba_net_t;
+')
+
+#######################################
+## <summary>
+##	The role for the samba module.
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the samba_net domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_role_notrans',`
+	gen_require(`
+		type smbd_t;
+	')
+
+	role $1 types smbd_t;
+')
+
+########################################
+## <summary>
+##	Execute samba net in the samba_unconfined_net domain, and
+##	allow the specified role the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the samba_unconfined_net domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_unconfined_net',`
+	gen_require(`
+		type samba_unconfined_net_t;
+	')
+
+	samba_domtrans_unconfined_net($1)
+	role $2 types samba_unconfined_net_t;
 ')
 
 ########################################
@@ -142,9 +250,8 @@ interface(`samba_domtrans_smbmount',`
 
 ########################################
 ## <summary>
-##	Execute smbmount in the smbmount
-##	domain, and allow the specified
-##	role the smbmount domain.
+##	Execute smbmount interactively and do
+##	a domain transition to the smbmount domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -160,16 +267,17 @@ interface(`samba_domtrans_smbmount',`
 #
 interface(`samba_run_smbmount',`
 	gen_require(`
-		attribute_role smbmount_roles;
+		type smbmount_t;
 	')
 
 	samba_domtrans_smbmount($1)
-	roleattribute $2 smbmount_roles;
+	role $2 types smbmount_t;
 ')
 
 ########################################
 ## <summary>
-##	Read samba configuration files.
+##	Allow the specified domain to read
+##	samba configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -184,12 +292,14 @@ interface(`samba_read_config',`
 	')
 
 	files_search_etc($1)
+	list_dirs_pattern($1, samba_etc_t, samba_etc_t)
 	read_files_pattern($1, samba_etc_t, samba_etc_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write samba configuration files.
+##	Allow the specified domain to read
+##	and write samba configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -209,8 +319,8 @@ interface(`samba_rw_config',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	samba configuration files.
+##	Allow the specified domain to read
+##	and write samba configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -231,7 +341,7 @@ interface(`samba_manage_config',`
 
 ########################################
 ## <summary>
-##	Read samba log files.
+##	Allow the specified domain to read samba's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -252,7 +362,7 @@ interface(`samba_read_log',`
 
 ########################################
 ## <summary>
-##	Append to samba log files.
+##	Allow the specified domain to append to samba's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -273,7 +383,7 @@ interface(`samba_append_log',`
 
 ########################################
 ## <summary>
-##	Execute samba log files in the caller domain.
+##	Execute samba log in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -292,7 +402,7 @@ interface(`samba_exec_log',`
 
 ########################################
 ## <summary>
-##	Read samba secret files.
+##	Allow the specified domain to read samba's secrets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -311,7 +421,7 @@ interface(`samba_read_secrets',`
 
 ########################################
 ## <summary>
-##	Read samba share files.
+##	Allow the specified domain to read samba's shares
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -330,7 +440,8 @@ interface(`samba_read_share_files',`
 
 ########################################
 ## <summary>
-##	Search samba var directories.
+##	Allow the specified domain to search
+##	samba /var directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -343,13 +454,15 @@ interface(`samba_search_var',`
 		type samba_var_t;
 	')
 
+	files_search_var($1)
 	files_search_var_lib($1)
 	allow $1 samba_var_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read samba var files.
+##	Allow the specified domain to
+##	read samba /var files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -362,14 +475,15 @@ interface(`samba_read_var_files',`
 		type samba_var_t;
 	')
 
+	files_search_var($1)
 	files_search_var_lib($1)
 	read_files_pattern($1, samba_var_t, samba_var_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	samba var files.
+##	Do not audit attempts to write samba
+##	/var files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -387,7 +501,8 @@ interface(`samba_dontaudit_write_var_files',`
 
 ########################################
 ## <summary>
-##	Read and write samba var files.
+##	Allow the specified domain to
+##	read and write samba /var files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -400,14 +515,16 @@ interface(`samba_rw_var_files',`
 		type samba_var_t;
 	')
 
+	files_search_var($1)
 	files_search_var_lib($1)
 	rw_files_pattern($1, samba_var_t, samba_var_t)
+    allow $1 samba_var_t:file { map};
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	samba var files.
+##	Allow the specified domain to
+##	read and write samba /var files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -420,34 +537,58 @@ interface(`samba_manage_var_files',`
 		type samba_var_t;
 	')
 
+	files_search_var_lib($1)
 	files_search_var_lib($1)
 	manage_files_pattern($1, samba_var_t, samba_var_t)
+	manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
+	manage_sock_files_pattern($1, samba_var_t, samba_var_t)
+    allow $1 samba_var_t:file { map };
 ')
 
 ########################################
 ## <summary>
-##	Execute smbcontrol in the smbcontrol domain.
+##	Allow the specified domain to
+##	read and write samba /var directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
+interface(`samba_manage_var_dirs',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	files_search_var_lib($1)
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, samba_var_t, samba_var_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
 interface(`samba_domtrans_smbcontrol',`
 	gen_require(`
-		type smbcontrol_t, smbcontrol_exec_t;
+		type smbcontrol_t;
+		type smbcontrol_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute smbcontrol in the smbcontrol
-##	domain, and allow the specified
-##	role the smbcontrol domain.
+##	Execute smbcontrol in the smbcontrol domain, and
+##	allow the specified role the smbcontrol domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -462,16 +603,16 @@ interface(`samba_domtrans_smbcontrol',`
 #
 interface(`samba_run_smbcontrol',`
 	gen_require(`
-		attribute_role smbcontrol_roles;
+		type smbcontrol_t;
 	')
 
 	samba_domtrans_smbcontrol($1)
-	roleattribute $2 smbcontrol_roles;
+	role $2 types smbcontrol_t;
 ')
 
 ########################################
 ## <summary>
-##	Execute smbd in the smbd domain.
+##	Execute smbd in the smbd_t domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -488,9 +629,27 @@ interface(`samba_domtrans_smbd',`
 	domtrans_pattern($1, smbd_exec_t, smbd_t)
 ')
 
+########################################
+## <summary>
+##	Set attributes of samba_share directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_setattr_samba_share_dirs',`
+	gen_require(`
+		type samba_share_t;
+	')
+
+	allow $1 samba_share_t:dir setattr_dir_perms;
+')
+
 ######################################
 ## <summary>
-##	Send generic signals to smbd.
+##	Allow domain to signal samba
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -505,10 +664,26 @@ interface(`samba_signal_smbd',`
 	allow $1 smbd_t:process signal;
 ')
 
+######################################
+## <summary>
+##	Allow domain to signull samba
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_signull_smbd',`
+	gen_require(`
+		type smbd_t;
+	')
+	allow $1 smbd_t:process signull;
+')
+
 ########################################
 ## <summary>
-##	Do not audit attempts to inherit
-##	and use smbd file descriptors.
+##	Do not audit attempts to use file descriptors from samba.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -526,7 +701,7 @@ interface(`samba_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Write smbmount tcp sockets.
+##	Allow the specified domain to write to smbmount tcp sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -544,7 +719,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Read and write smbmount tcp sockets.
+##	Allow the specified domain to read and write to smbmount tcp sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -560,49 +735,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
 	allow $1 smbmount_t:tcp_socket { read write };
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute winbind helper in the
-##	winbind helper domain.
+##  Allow to getattr on winbind binary.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 #
-interface(`samba_domtrans_winbind_helper',`
-	gen_require(`
-		type winbind_helper_t, winbind_helper_exec_t;
-	')
+interface(`samba_getattr_winbind',`
+    gen_require(`
+        type winbind_exec_t;
+    ')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+	allow $1 winbind_exec_t:file getattr;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Get attributes of winbind executable files.
+##	Execute winbind_helper in the winbind_helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`samba_getattr_winbind_exec',`
+interface(`samba_domtrans_winbind_helper',`
 	gen_require(`
-		type winbind_exec_t;
+		type winbind_helper_t, winbind_helper_exec_t;
 	')
 
-	allow $1 winbind_exec_t:file getattr_file_perms;
+	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+	allow $1 winbind_helper_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Execute winbind helper in the winbind
-##	helper domain, and allow the specified
-##	role the winbind helper domain.
+##	Execute winbind_helper in the winbind_helper domain, and
+##	allow the specified role the winbind_helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -618,16 +791,16 @@ interface(`samba_getattr_winbind_exec',`
 #
 interface(`samba_run_winbind_helper',`
 	gen_require(`
-		attribute_role winbind_helper_roles;
+		type winbind_helper_t;
 	')
 
 	samba_domtrans_winbind_helper($1)
-	roleattribute $2 winbind_helper_roles;
+	role $2 types winbind_helper_t;
 ')
 
 ########################################
 ## <summary>
-##	Read winbind pid files.
+##	Allow the specified domain to read the winbind pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -637,17 +810,71 @@ interface(`samba_run_winbind_helper',`
 #
 interface(`samba_read_winbind_pid',`
 	gen_require(`
-		type winbind_var_run_t, smbd_var_run_t;
+		type winbind_var_run_t;
+	')
+
+	samba_search_pid($1)
+	allow $1 winbind_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage winbind  PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_manage_winbind_pid',`
+	gen_require(`
+		type winbind_var_run_t;
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+	manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t)
+	manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
+	manage_sock_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
+')
+
+######################################
+## <summary>
+##	Allow domain to signull winbind
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_signull_winbind',`
+	gen_require(`
+		type winbind_t;
+	')
+	allow $1 winbind_t:process signull;
+')
+
+######################################
+## <summary>
+##	Allow domain to signull samba_unconfined_net
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_signull_unconfined_net',`
+	gen_require(`
+		type samba_unconfined_net_t;
+	')
+	allow $1 samba_unconfined_net_t:process signull;
 ')
 
 ########################################
 ## <summary>
-##	Connect to winbind with a unix
-##	domain stream socket.
+##	Connect to winbind.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -657,17 +884,61 @@ interface(`samba_read_winbind_pid',`
 #
 interface(`samba_stream_connect_winbind',`
 	gen_require(`
-		type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t;
+		type samba_var_t, winbind_t, winbind_var_run_t;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t)
+	samba_search_pid($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+	stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+	samba_read_config($1)
+
+	ifndef(`distro_redhat',`
+		gen_require(`
+			type winbind_tmp_t;
+		')
+
+		# the default for the socket is (poorly named):
+		# /tmp/.winbindd/pipe
+		files_search_tmp($1)
+		stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
+	')
+')
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`samba_helper_template',`
+	gen_require(`
+		type smbd_t;
+		role system_r;
+	')
+
+	#This type is for samba helper scripts
+	type samba_$1_script_t;
+	domain_type(samba_$1_script_t)
+	role system_r types samba_$1_script_t;
+
+	# This type is used for executable scripts files
+	type samba_$1_script_exec_t;
+	corecmd_shell_entry_type(samba_$1_script_t)
+	domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
+
+	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+	allow smbd_t samba_$1_script_exec_t:file ioctl;
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an samba environment.
+##	All of the rules required to administrate 
+##	an samba environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -676,7 +947,7 @@ interface(`samba_stream_connect_winbind',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the samba domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -689,11 +960,30 @@ interface(`samba_admin',`
 		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
 		type swat_var_run_t, swat_tmp_t, winbind_log_t;
 		type winbind_var_run_t, winbind_tmp_t;
-		type smbd_keytab_t;
+		type smbd_keytab_t, samba_unit_file_t;
+        type samba_unconfined_script_t;
+        type samba_unconfined_script_exec_t;
 	')
 
-	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { nmbd_t smbd_t })
+	allow $1 smbd_t:process signal_perms;
+	ps_process_pattern($1, smbd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 smbd_t:process ptrace;
+		allow $1 nmbd_t:process ptrace;
+		allow $1 samba_unconfined_script_t:process ptrace;
+	')
+
+	allow $1 nmbd_t:process signal_perms;
+	ps_process_pattern($1, nmbd_t)
+
+	allow $1 samba_unconfined_script_t:process signal_perms;
+	ps_process_pattern($1, samba_unconfined_script_t)
+
+	samba_run_smbcontrol($1, $2)
+	samba_run_winbind_helper($1, $2)
+	samba_run_smbmount($1, $2)
+	samba_run_net($1, $2)
 
 	init_labeled_script_domtrans($1, samba_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -703,23 +993,34 @@ interface(`samba_admin',`
 	files_list_etc($1)
 	admin_pattern($1, { samba_etc_t smbd_keytab_t })
 
+	admin_pattern($1, samba_log_t)
 	logging_list_logs($1)
-	admin_pattern($1, { samba_log_t winbind_log_t })
 
-	files_list_var($1)
-	admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
+	admin_pattern($1, samba_secrets_t)
 
-	files_list_spool($1)
-	admin_pattern($1, smbd_spool_t)
+	admin_pattern($1, samba_share_t)
 
+	admin_pattern($1, samba_var_t)
+	files_list_var($1)
+
+	admin_pattern($1, smbd_var_run_t)
 	files_list_pids($1)
-	admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
 
+	admin_pattern($1, smbd_tmp_t)
 	files_list_tmp($1)
-	admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
 
-	samba_run_smbcontrol($1, $2)
-	samba_run_winbind_helper($1, $2)
-	samba_run_smbmount($1, $2)
-	samba_run_net($1, $2)
+	admin_pattern($1, swat_var_run_t)
+
+	admin_pattern($1, swat_tmp_t)
+
+	admin_pattern($1, winbind_log_t)
+
+	admin_pattern($1, winbind_tmp_t)
+
+	admin_pattern($1, winbind_var_run_t)
+	admin_pattern($1, samba_unconfined_script_exec_t)
+
+	samba_systemctl($1)
+	admin_pattern($1, samba_unit_file_t)
+	allow $1 samba_unit_file_t:service all_service_perms;
 ')
diff --git a/samba.te b/samba.te
index 2b7c441e70..3bc2124af6 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether samba can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow samba to modify public files used for public file
+## transfer services.  Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
 ## </desc>
-gen_tunable(allow_smbd_anon_write, false)
+gen_tunable(smbd_anon_write, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can
-##	create home directories via pam.
-##	</p>
+## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
 ## </desc>
 gen_tunable(samba_create_home_dirs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can act as the
-##	domain controller, add users, groups
-##	and change passwords.
-##	</p>
+## <p>
+## Allow samba to act as the domain controller, add users,
+## groups and change passwords.
+##
+## </p>
 ## </desc>
 gen_tunable(samba_domain_controller, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can
-##	act as a portmapper.
-##	</p>
+## <p>
+## Allow samba to act as a portmapper
+## 
+## </p>
 ## </desc>
 gen_tunable(samba_portmapper, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can share
-##	users home directories.
-##	</p>
+## <p>
+## Allow samba to share users home directories.
+## </p>
 ## </desc>
 gen_tunable(samba_enable_home_dirs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can share
-##	any content read only.
-##	</p>
+## <p>
+## Allow samba to share any file/directory read only.
+## </p>
 ## </desc>
 gen_tunable(samba_export_all_ro, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can share any
-##	content readable and writable.
-##	</p>
+## <p>
+## Allow samba to share any file/directory read/write.
+## </p>
 ## </desc>
 gen_tunable(samba_export_all_rw, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can
-##	run unconfined scripts.
-##	</p>
+## <p>
+## Allow samba to run unconfined scripts
+## </p>
 ## </desc>
 gen_tunable(samba_run_unconfined, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can
-##	use nfs file systems.
-##	</p>
+## <p>
+## Allow samba to export NFS volumes.
+## </p>
 ## </desc>
 gen_tunable(samba_share_nfs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether samba can
-##	use fuse file systems.
-##	</p>
+## <p>
+## Allow samba to export ntfs/fusefs volumes.
+## </p>
 ## </desc>
 gen_tunable(samba_share_fusefs, false)
 
-attribute_role samba_net_roles;
-roleattribute system_r samba_net_roles;
-
-attribute_role smbcontrol_roles;
-roleattribute system_r smbcontrol_roles;
-
-attribute_role smbmount_roles;
-roleattribute system_r smbmount_roles;
-
-attribute_role winbind_helper_roles;
-roleattribute system_r winbind_helper_roles;
+## <desc>
+## <p>
+## Allow smbd to load libgfapi from gluster.
+## </p>
+## </desc>
+gen_tunable(samba_load_libgfapi, false)
 
 type nmbd_t;
 type nmbd_exec_t;
@@ -113,13 +100,16 @@ files_config_file(samba_etc_t)
 type samba_initrc_exec_t;
 init_script_file(samba_initrc_exec_t)
 
+type samba_unit_file_t;
+systemd_unit_file(samba_unit_file_t)
+
 type samba_log_t;
 logging_log_file(samba_log_t)
 
 type samba_net_t;
 type samba_net_exec_t;
 application_domain(samba_net_t, samba_net_exec_t)
-role samba_net_roles types samba_net_t;
+role system_r types samba_net_t;
 
 type samba_net_tmp_t;
 files_tmp_file(samba_net_tmp_t)
@@ -130,13 +120,16 @@ files_type(samba_secrets_t)
 type samba_share_t; # customizable
 files_type(samba_share_t)
 
+type samba_spool_t;
+files_type(samba_spool_t)
+
 type samba_var_t;
 files_type(samba_var_t)
 
 type smbcontrol_t;
 type smbcontrol_exec_t;
 application_domain(smbcontrol_t, smbcontrol_exec_t)
-role smbcontrol_roles types smbcontrol_t;
+role system_r types smbcontrol_t;
 
 type smbd_t;
 type smbd_exec_t;
@@ -148,13 +141,17 @@ files_type(smbd_keytab_t)
 type smbd_tmp_t;
 files_tmp_file(smbd_tmp_t)
 
+type smbd_tmpfs_t;
+files_tmpfs_file(smbd_tmpfs_t)
+
 type smbd_var_run_t;
 files_pid_file(smbd_var_run_t)
 
 type smbmount_t;
+domain_type(smbmount_t)
+
 type smbmount_exec_t;
-application_domain(smbmount_t, smbmount_exec_t)
-role smbmount_roles types smbmount_t;
+domain_entry_file(smbmount_t, smbmount_exec_t)
 
 type swat_t;
 type swat_exec_t;
@@ -173,28 +170,29 @@ type winbind_exec_t;
 init_daemon_domain(winbind_t, winbind_exec_t)
 
 type winbind_helper_t;
+domain_type(winbind_helper_t)
+role system_r types winbind_helper_t;
+
 type winbind_helper_exec_t;
-application_domain(winbind_helper_t, winbind_helper_exec_t)
-role winbind_helper_roles types winbind_helper_t;
+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
 
 type winbind_log_t;
 logging_log_file(winbind_log_t)
 
-type winbind_tmp_t;
-files_tmp_file(winbind_tmp_t)
-
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
 
 ########################################
 #
-# Net local policy
+# Samba net local policy
 #
-
 allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
 allow samba_net_t self:capability2 block_suspend;
 allow samba_net_t self:process { getsched setsched };
-allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
@@ -208,19 +206,26 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
+allow samba_net_t samba_var_t:file { map } ;
 
+kernel_read_proc_symlinks(samba_net_t)
 kernel_read_system_state(samba_net_t)
 kernel_read_network_state(samba_net_t)
 
-corenet_all_recvfrom_unlabeled(samba_net_t)
 corenet_all_recvfrom_netlabel(samba_net_t)
+corenet_tcp_sendrecv_generic_if(samba_net_t)
 corenet_udp_sendrecv_generic_if(samba_net_t)
+corenet_raw_sendrecv_generic_if(samba_net_t)
 corenet_tcp_sendrecv_generic_node(samba_net_t)
-
-corenet_sendrecv_smbd_client_packets(samba_net_t)
+corenet_udp_sendrecv_generic_node(samba_net_t)
+corenet_raw_sendrecv_generic_node(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_tcp_bind_generic_node(samba_net_t)
+corenet_udp_bind_generic_node(samba_net_t)
 corenet_tcp_connect_smbd_port(samba_net_t)
-corenet_tcp_sendrecv_smbd_port(samba_net_t)
 
 dev_read_urand(samba_net_t)
 
@@ -233,63 +238,86 @@ auth_manage_cache(samba_net_t)
 
 logging_send_syslog_msg(samba_net_t)
 
-miscfiles_read_localization(samba_net_t)
-
 samba_read_var_files(samba_net_t)
 
-userdom_use_user_terminals(samba_net_t)
+sysnet_use_ldap(samba_net_t)
+
+userdom_use_inherited_user_terminals(samba_net_t)
 userdom_list_user_home_dirs(samba_net_t)
 
 optional_policy(`
-	ldap_stream_connect(samba_net_t)
+	ctdbd_stream_connect(samba_net_t)
+    ctdbd_manage_lib_dirs(samba_net_t)
+    ctdbd_manage_lib_files(samba_net_t)
+')
+
+optional_policy(`
+    ldap_stream_connect(samba_net_t)
+    dirsrv_stream_connect(samba_net_t)
 ')
 
 optional_policy(`
 	pcscd_read_pid_files(samba_net_t)
 ')
 
+optional_policy(`
+    realmd_manage_cache_files(samba_net_t)
+    realmd_read_tmp_files(samba_net_t)
+')
+
 optional_policy(`
 	kerberos_use(samba_net_t)
-	kerberos_etc_filetrans_keytab(samba_net_t, file)
+	kerberos_etc_filetrans_keytab(samba_net_t)
 ')
 
 ########################################
 #
-# Smbd Local policy
+# smbd Local policy
 #
 
-allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search net_admin };
 dontaudit smbd_t self:capability sys_tty_config;
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+dontaudit smbd_t self:capability2 block_suspend;
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:process setrlimit;
 allow smbd_t self:fd use;
 allow smbd_t self:fifo_file rw_fifo_file_perms;
 allow smbd_t self:msg { send receive };
 allow smbd_t self:msgq create_msgq_perms;
 allow smbd_t self:sem create_sem_perms;
 allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:tcp_socket { accept listen };
-allow smbd_t self:unix_dgram_socket sendto;
-allow smbd_t self:unix_stream_socket { accept connectto listen };
+allow smbd_t self:key manage_key_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
+allow smbd_t nmbd_t:process { signal signull };
 
-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+allow smbd_t nmbd_t:unix_dgram_socket sendto;
+
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
 
 allow smbd_t smbd_keytab_t:file read_file_perms;
 
 manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
-append_files_pattern(smbd_t, samba_log_t, samba_log_t)
-create_files_pattern(smbd_t, samba_log_t, samba_log_t)
-setattr_files_pattern(smbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
 
-allow smbd_t samba_net_tmp_t:file getattr_file_perms;
+allow smbd_t samba_net_tmp_t:file getattr;
 
 manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
 filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
 
 manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
+manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+allow smbd_t samba_share_t:file { map };
 allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
@@ -297,66 +325,76 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
+allow smbd_t samba_var_t:file { map } ;
+
+manage_dirs_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_lnk_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_sock_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+files_spool_filetrans(smbd_t, samba_spool_t, dir, "samba")
+
+allow smbd_t smbcontrol_t:process { signal signull };
+allow smbd_t smbcontrol_t:unix_dgram_socket sendto;
+
+allow smbd_t winbind_t:unix_dgram_socket sendto;
 
 manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
 manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
 files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 
+manage_dirs_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t)
+manage_files_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t)
+fs_tmpfs_filetrans(smbd_t, smbd_tmpfs_t, { file dir })
+
 manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
 
-allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
-stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+allow smbd_t swat_t:process signal;
 
-allow smbd_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+
+allow smbd_t winbind_t:process { signal signull };
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
 kernel_read_network_state(smbd_t)
+kernel_read_net_sysctls(smbd_t)
 kernel_read_fs_sysctls(smbd_t)
 kernel_read_kernel_sysctls(smbd_t)
+kernel_read_usermodehelper_state(smbd_t)
 kernel_read_software_raid_state(smbd_t)
 kernel_read_system_state(smbd_t)
 
-corecmd_exec_bin(smbd_t)
 corecmd_exec_shell(smbd_t)
+corecmd_exec_bin(smbd_t)
 
-corenet_all_recvfrom_unlabeled(smbd_t)
 corenet_all_recvfrom_netlabel(smbd_t)
 corenet_tcp_sendrecv_generic_if(smbd_t)
+corenet_udp_sendrecv_generic_if(smbd_t)
+corenet_raw_sendrecv_generic_if(smbd_t)
 corenet_tcp_sendrecv_generic_node(smbd_t)
+corenet_udp_sendrecv_generic_node(smbd_t)
+corenet_raw_sendrecv_generic_node(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
 corenet_tcp_bind_generic_node(smbd_t)
-
-corenet_sendrecv_smbd_client_packets(smbd_t)
-corenet_tcp_connect_smbd_port(smbd_t)
-corenet_sendrecv_smbd_server_packets(smbd_t)
+corenet_udp_bind_generic_node(smbd_t)
 corenet_tcp_bind_smbd_port(smbd_t)
-corenet_tcp_sendrecv_smbd_port(smbd_t)
-
-corenet_sendrecv_ipp_client_packets(smbd_t)
 corenet_tcp_connect_ipp_port(smbd_t)
-corenet_tcp_sendrecv_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
 
 dev_read_sysfs(smbd_t)
 dev_read_urand(smbd_t)
+dev_dontaudit_write_urand(smbd_t)
 dev_getattr_mtrr_dev(smbd_t)
 dev_dontaudit_getattr_usbfs_dirs(smbd_t)
+# For redhat bug 566984
 dev_getattr_all_blk_files(smbd_t)
 dev_getattr_all_chr_files(smbd_t)
 
-domain_use_interactive_fds(smbd_t)
-domain_dontaudit_list_all_domains_state(smbd_t)
-
-files_list_var_lib(smbd_t)
-files_read_etc_runtime_files(smbd_t)
-files_read_usr_files(smbd_t)
-files_search_spool(smbd_t)
-files_dontaudit_getattr_all_dirs(smbd_t)
-files_dontaudit_list_all_mountpoints(smbd_t)
-files_list_mnt(smbd_t)
+domain_dontaudit_signull_all_domains(smbd_t)
 
 fs_getattr_all_fs(smbd_t)
 fs_getattr_all_dirs(smbd_t)
@@ -366,44 +404,53 @@ fs_getattr_rpc_dirs(smbd_t)
 fs_list_inotifyfs(smbd_t)
 fs_get_all_fs_quotas(smbd_t)
 
-term_use_ptmx(smbd_t)
-
 auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
 auth_domtrans_upd_passwd(smbd_t)
 auth_manage_cache(smbd_t)
 auth_write_login_records(smbd_t)
 
+domain_use_interactive_fds(smbd_t)
+domain_dontaudit_list_all_domains_state(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_search_spool(smbd_t)
+# smbd seems to getattr all mountpoints
+files_dontaudit_getattr_all_dirs(smbd_t)
+files_dontaudit_list_all_mountpoints(smbd_t)
+# Allow samba to list mnt_t for potential mounted dirs
+files_list_mnt(smbd_t)
+
 init_rw_utmp(smbd_t)
 
 logging_search_logs(smbd_t)
 logging_send_syslog_msg(smbd_t)
 
-miscfiles_read_localization(smbd_t)
 miscfiles_read_public_files(smbd_t)
 
 sysnet_use_ldap(smbd_t)
 
 userdom_use_unpriv_users_fds(smbd_t)
+userdom_search_user_home_content(smbd_t)
 userdom_signal_all_users(smbd_t)
-userdom_home_filetrans_user_home_dir(smbd_t)
-userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
 
 usermanage_read_crack_db(smbd_t)
 
-ifdef(`hide_broken_symptoms',`
+term_use_ptmx(smbd_t)
+
+ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
-	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
 ')
 
-tunable_policy(`allow_smbd_anon_write',`
+tunable_policy(`smbd_anon_write',`
 	miscfiles_manage_public_files(smbd_t)
-')
+') 
 
-tunable_policy(`samba_create_home_dirs',`
-	allow smbd_t self:capability chown;
-	userdom_create_user_home_dirs(smbd_t)
+tunable_policy(`samba_portmapper',`
+	corenet_tcp_bind_epmap_port(smbd_t)
+	corenet_tcp_bind_all_unreserved_ports(smbd_t)
 ')
 
 tunable_policy(`samba_domain_controller',`
@@ -419,20 +466,16 @@ tunable_policy(`samba_domain_controller',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
-	userdom_manage_user_home_content_dirs(smbd_t)
-	userdom_manage_user_home_content_files(smbd_t)
-	userdom_manage_user_home_content_symlinks(smbd_t)
-	userdom_manage_user_home_content_sockets(smbd_t)
-	userdom_manage_user_home_content_pipes(smbd_t)
+	userdom_manage_user_home_content(smbd_t)
 ')
 
-tunable_policy(`samba_portmapper',`
-	corenet_sendrecv_all_server_packets(smbd_t)
-	corenet_tcp_bind_epmap_port(smbd_t)
-	corenet_tcp_bind_all_unreserved_ports(smbd_t)
-	corenet_tcp_sendrecv_all_ports(smbd_t)
+optional_policy(`
+    tunable_policy(`samba_enable_home_dirs',`
+        apache_manage_user_content(smbd_t)
+    ')
 ')
 
+# Support Samba sharing of NFS mount points
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
@@ -441,6 +484,7 @@ tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_named_sockets(smbd_t)
 ')
 
+# Support Samba sharing of ntfs/fusefs mount points
 tunable_policy(`samba_share_fusefs',`
 	fs_manage_fusefs_dirs(smbd_t)
 	fs_manage_fusefs_files(smbd_t)
@@ -448,15 +492,14 @@ tunable_policy(`samba_share_fusefs',`
 	fs_search_fusefs(smbd_t)
 ')
 
-tunable_policy(`samba_export_all_ro',`
-	fs_read_noxattr_fs_files(smbd_t)
-	files_list_non_auth_dirs(smbd_t)
-	files_read_non_auth_files(smbd_t)
+tunable_policy(`samba_load_libgfapi',`
+    corenet_tcp_connect_all_ports(smbd_t)
+    corenet_tcp_bind_all_ports(smbd_t)
+    corenet_sendrecv_all_packets(smbd_t)
 ')
 
-tunable_policy(`samba_export_all_rw',`
-	fs_read_noxattr_fs_files(smbd_t)
-	files_manage_non_auth_files(smbd_t)
+optional_policy(`
+    avahi_dbus_chat(smbd_t)
 ')
 
 optional_policy(`
@@ -466,6 +509,7 @@ optional_policy(`
 optional_policy(`
 	ctdbd_stream_connect(smbd_t)
 	ctdbd_manage_lib_files(smbd_t)
+    ctdbd_manage_lib_dirs(smbd_t)
 ')
 
 optional_policy(`
@@ -473,9 +517,31 @@ optional_policy(`
 	cups_stream_connect(smbd_t)
 ')
 
+optional_policy(`
+    dbus_system_bus_client(smbd_t)
+
+    optional_policy(`
+        oddjob_dbus_chat(smbd_t)
+        oddjob_domtrans_mkhomedir(smbd_t)
+    ')
+')
+
+optional_policy(`
+    glusterd_read_conf(smbd_t)
+    glusterd_rw_lib(smbd_t)
+    glusterd_manage_pid(smbd_t)
+')
+
 optional_policy(`
 	kerberos_read_keytab(smbd_t)
 	kerberos_use(smbd_t)
+	kerberos_tmp_filetrans_host_rcache(smbd_t, "host_0")
+	kerberos_manage_host_rcache(smbd_t)
+')
+
+optional_policy(`
+	ldap_stream_connect(smbd_t)
+	dirsrv_stream_connect(smbd_t)
 ')
 
 optional_policy(`
@@ -487,6 +553,10 @@ optional_policy(`
 	qemu_manage_tmp_files(smbd_t)
 ')
 
+optional_policy(`
+	rhcs_signull_cluster(smbd_t)
+')
+
 optional_policy(`
 	rpc_search_nfs_state_data(smbd_t)
 ')
@@ -499,12 +569,53 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
 
+tunable_policy(`samba_create_home_dirs',`
+	allow smbd_t self:capability chown;
+	userdom_create_user_home_dirs(smbd_t)
+')
+
+userdom_home_filetrans_user_home_dir(smbd_t)
+
+tunable_policy(`samba_export_all_ro',`
+	allow nmbd_t self:capability { dac_read_search dac_override };
+	fs_read_noxattr_fs_files(smbd_t) 
+	files_read_non_security_files(smbd_t)
+    files_dontaudit_list_security_dirs(smbd_t)
+    files_dontaudit_search_security_files(smbd_t)
+    files_dontaudit_read_security_files(smbd_t)
+	fs_read_noxattr_fs_files(nmbd_t) 
+	files_read_non_security_files(nmbd_t) 
+    files_dontaudit_list_security_dirs(nmbd_t)
+    files_dontaudit_search_security_files(nmbd_t)
+    files_dontaudit_read_security_files(nmbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+	allow nmbd_t self:capability { dac_read_search dac_override };
+	fs_manage_noxattr_fs_files(smbd_t) 
+	files_manage_non_security_files(smbd_t)
+    files_manage_non_security_dirs(smbd_t)
+    files_dontaudit_list_security_dirs(smbd_t)
+    files_dontaudit_search_security_files(smbd_t)
+    files_dontaudit_read_security_files(smbd_t)
+	fs_manage_noxattr_fs_files(nmbd_t) 
+	files_manage_non_security_files(nmbd_t)
+    files_manage_non_security_dirs(nmbd_t)
+    files_dontaudit_list_security_dirs(nmbd_t)
+    files_dontaudit_search_security_files(nmbd_t)
+    files_dontaudit_read_security_files(nmbd_t)
+')
+
+userdom_filetrans_home_content(nmbd_t)
+
 ########################################
 #
-# Nmbd Local policy
+# nmbd Local policy
 #
 
 dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:capability {net_admin};
+allow nmbd_t self:capability2 block_suspend;
 allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow nmbd_t self:fd use;
 allow nmbd_t self:fifo_file rw_fifo_file_perms;
@@ -512,9 +623,11 @@ allow nmbd_t self:msg { send receive };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:tcp_socket { accept listen };
-allow nmbd_t self:unix_dgram_socket sendto;
-allow nmbd_t self:unix_stream_socket { accept connectto listen };
+allow nmbd_t self:sock_file read_sock_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
@@ -526,20 +639,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
-append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
 files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
+allow nmbd_t samba_var_t:file map;
 
-allow nmbd_t { swat_t smbcontrol_t }:process signal;
-
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+allow nmbd_t smbcontrol_t:process signal;
+allow nmbd_t smbcontrol_t:unix_dgram_socket sendto;
 
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
@@ -547,53 +657,44 @@ kernel_read_kernel_sysctls(nmbd_t)
 kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
+kernel_read_usermodehelper_state(nmbd_t)
 
-corenet_all_recvfrom_unlabeled(nmbd_t)
 corenet_all_recvfrom_netlabel(nmbd_t)
 corenet_tcp_sendrecv_generic_if(nmbd_t)
 corenet_udp_sendrecv_generic_if(nmbd_t)
 corenet_tcp_sendrecv_generic_node(nmbd_t)
 corenet_udp_sendrecv_generic_node(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_udp_sendrecv_all_ports(nmbd_t)
 corenet_udp_bind_generic_node(nmbd_t)
-
-corenet_sendrecv_nmbd_server_packets(nmbd_t)
 corenet_udp_bind_nmbd_port(nmbd_t)
-corenet_udp_sendrecv_nmbd_port(nmbd_t)
-
-corenet_sendrecv_smbd_client_packets(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
 corenet_tcp_connect_smbd_port(nmbd_t)
-corenet_tcp_sendrecv_smbd_port(nmbd_t)
 
-dev_read_sysfs(nmbd_t)
 dev_getattr_mtrr_dev(nmbd_t)
+dev_read_sysfs(nmbd_t)
+dev_read_urand(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
 
 domain_use_interactive_fds(nmbd_t)
 
-files_read_usr_files(nmbd_t)
 files_list_var_lib(nmbd_t)
 
-fs_getattr_all_fs(nmbd_t)
-fs_search_auto_mountpoints(nmbd_t)
-
 auth_use_nsswitch(nmbd_t)
 
 logging_search_logs(nmbd_t)
 logging_send_syslog_msg(nmbd_t)
 
-miscfiles_read_localization(nmbd_t)
-
 userdom_use_unpriv_users_fds(nmbd_t)
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-
-tunable_policy(`samba_export_all_ro',`
-	fs_read_noxattr_fs_files(nmbd_t)
-	files_list_non_auth_dirs(nmbd_t)
-	files_read_non_auth_files(nmbd_t)
-')
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
 
-tunable_policy(`samba_export_all_rw',`
-	fs_read_noxattr_fs_files(nmbd_t)
-	files_manage_non_auth_files(nmbd_t)
+optional_policy(`
+	ctdbd_stream_connect(nmbd_t)
+    ctdbd_manage_lib_dirs(nmbd_t)
+    ctdbd_manage_lib_files(nmbd_t)
 ')
 
 optional_policy(`
@@ -606,18 +707,31 @@ optional_policy(`
 
 ########################################
 #
-# Smbcontrol local policy
+# smbcontrol local policy
 #
 
-allow smbcontrol_t self:process signal;
-allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
-allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:capability2 block_suspend;
 allow smbcontrol_t self:process { signal signull };
+# internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
+
+allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
 
-allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+allow smbcontrol_t winbind_t:process { signal signull };
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+manage_dirs_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:file map;
+
+allow smbcontrol_t nmbd_t:unix_dgram_socket sendto;
+allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
+allow smbcontrol_t winbind_t:unix_dgram_socket sendto;
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
@@ -627,39 +741,38 @@ domain_use_interactive_fds(smbcontrol_t)
 
 dev_read_urand(smbcontrol_t)
 
-files_read_etc_files(smbcontrol_t)
-files_search_var_lib(smbcontrol_t)
-
 term_use_console(smbcontrol_t)
 
-miscfiles_read_localization(smbcontrol_t)
+auth_read_passwd(smbcontrol_t)
 
 sysnet_use_ldap(smbcontrol_t)
 
-userdom_use_user_terminals(smbcontrol_t)
+userdom_use_inherited_user_terminals(smbcontrol_t)
 
 optional_policy(`
 	ctdbd_stream_connect(smbcontrol_t)
+	ctdbd_sigchld(smbcontrol_t)
 ')
 
 ########################################
 #
-# Smbmount Local policy
+# smbmount Local policy
 #
 
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
-allow smbmount_t self:process signal_perms;
-allow smbmount_t self:tcp_socket { accept listen };
+allow smbmount_t self:capability { sys_rawio sys_admin dac_read_search dac_override chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
 allow smbmount_t self:unix_dgram_socket create_socket_perms;
 allow smbmount_t self:unix_stream_socket create_socket_perms;
 
 allow smbmount_t samba_etc_t:dir list_dir_perms;
 allow smbmount_t samba_etc_t:file read_file_perms;
 
-allow smbmount_t samba_log_t:dir list_dir_perms;
-append_files_pattern(smbmount_t, samba_log_t, samba_log_t)
-create_files_pattern(smbmount_t, samba_log_t, samba_log_t)
-setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t)
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir list_dir_perms; 
+allow smbmount_t samba_log_t:file manage_file_perms;
 
 allow smbmount_t samba_secrets_t:file manage_file_perms;
 
@@ -668,26 +781,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
 
-can_exec(smbmount_t, smbmount_exec_t)
+files_list_var_lib(smbmount_t)
 
 kernel_read_system_state(smbmount_t)
 
-corenet_all_recvfrom_unlabeled(smbmount_t)
 corenet_all_recvfrom_netlabel(smbmount_t)
 corenet_tcp_sendrecv_generic_if(smbmount_t)
+corenet_raw_sendrecv_generic_if(smbmount_t)
+corenet_udp_sendrecv_generic_if(smbmount_t)
 corenet_tcp_sendrecv_generic_node(smbmount_t)
-
-corenet_sendrecv_all_client_packets(smbmount_t)
-corenet_tcp_connect_all_ports(smbmount_t)
+corenet_raw_sendrecv_generic_node(smbmount_t)
+corenet_udp_sendrecv_generic_node(smbmount_t)
 corenet_tcp_sendrecv_all_ports(smbmount_t)
-
-corecmd_list_bin(smbmount_t)
-
-files_list_mnt(smbmount_t)
-files_list_var_lib(smbmount_t)
-files_mounton_mnt(smbmount_t)
-files_manage_etc_runtime_files(smbmount_t)
-files_etc_filetrans_etc_runtime(smbmount_t, file)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_tcp_bind_generic_node(smbmount_t)
+corenet_udp_bind_generic_node(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
 
 fs_getattr_cifs(smbmount_t)
 fs_mount_cifs(smbmount_t)
@@ -699,58 +808,77 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
 
-auth_use_nsswitch(smbmount_t)
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t, file)
 
-miscfiles_read_localization(smbmount_t)
+auth_use_nsswitch(smbmount_t)
 
-mount_use_fds(smbmount_t)
 
 locallogin_use_fds(smbmount_t)
 
 logging_search_logs(smbmount_t)
 
-userdom_use_user_terminals(smbmount_t)
+userdom_use_inherited_user_terminals(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
 
 optional_policy(`
 	cups_read_rw_config(smbmount_t)
 ')
 
+optional_policy(`
+	mount_use_fds(smbmount_t)
+')
+
 ########################################
 #
-# Swat Local policy
+# SWAT Local policy
 #
 
-allow swat_t self:capability { dac_override setuid setgid sys_resource };
+allow swat_t self:capability { dac_read_search dac_override setuid setgid sys_resource };
+allow swat_t self:capability2 block_suspend;
 allow swat_t self:process { setrlimit signal_perms };
 allow swat_t self:fifo_file rw_fifo_file_perms;
 allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow swat_t self:tcp_socket { accept listen };
+allow swat_t self:tcp_socket create_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
 allow swat_t self:unix_stream_socket connectto;
 
-allow swat_t { nmbd_t smbd_t }:process { signal signull };
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
 
-allow swat_t smbd_var_run_t:file read_file_perms;
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
+
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
+allow swat_t smbd_port_t:tcp_socket name_bind;
+
+allow swat_t nmbd_port_t:udp_socket name_bind;
 
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
 
 manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
-append_files_pattern(swat_t, samba_log_t, samba_log_t)
-create_files_pattern(swat_t, samba_log_t, samba_log_t)
-setattr_files_pattern(swat_t, samba_log_t, samba_log_t)
+manage_files_pattern(swat_t, samba_log_t, samba_log_t)
 
 manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
 
 manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
 manage_files_pattern(swat_t, samba_var_t, samba_var_t)
-manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
 files_var_filetrans(swat_t, samba_var_t, dir, "samba")
 
 allow swat_t smbd_exec_t:file mmap_file_perms ;
 
-allow swat_t { winbind_t smbd_t }:process { signal signull };
+allow swat_t smbd_t:process signull;
+
+allow swat_t smbd_var_run_t:file read_file_perms;
+allow swat_t smbd_var_run_t:file { lock unlink };
 
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -759,17 +887,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
-read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
-allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
-allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
-
-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-
-samba_domtrans_smbd(swat_t)
-samba_domtrans_nmbd(swat_t)
-
+allow swat_t winbind_exec_t:file mmap_file_perms;
 domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
+allow swat_t winbind_t:process { signal signull };
+
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
@@ -777,36 +901,25 @@ kernel_read_network_state(swat_t)
 
 corecmd_search_bin(swat_t)
 
-corenet_all_recvfrom_unlabeled(swat_t)
 corenet_all_recvfrom_netlabel(swat_t)
 corenet_tcp_sendrecv_generic_if(swat_t)
 corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
 corenet_tcp_sendrecv_generic_node(swat_t)
 corenet_udp_sendrecv_generic_node(swat_t)
-corenet_tcp_bind_generic_node(swat_t)
-corenet_udp_bind_generic_node(swat_t)
-
-corenet_sendrecv_nmbd_server_packets(swat_t)
-corenet_udp_bind_nmbd_port(swat_t)
-corenet_udp_sendrecv_nmbd_port(swat_t)
-
-corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_raw_sendrecv_generic_node(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
 corenet_tcp_connect_smbd_port(swat_t)
-corenet_sendrecv_smbd_server_packets(swat_t)
-corenet_tcp_bind_smbd_port(swat_t)
-corenet_tcp_sendrecv_smbd_port(swat_t)
-
-corenet_sendrecv_ipp_client_packets(swat_t)
 corenet_tcp_connect_ipp_port(swat_t)
-corenet_tcp_sendrecv_ipp_port(swat_t)
+corenet_sendrecv_smbd_client_packets(swat_t)
+corenet_sendrecv_ipp_client_packets(swat_t)
 
 dev_read_urand(swat_t)
 
 files_list_var_lib(swat_t)
 files_search_home(swat_t)
-files_read_usr_files(swat_t)
 fs_getattr_xattr_fs(swat_t)
-files_list_var_lib(swat_t)
 
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
@@ -818,10 +931,11 @@ logging_send_syslog_msg(swat_t)
 logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
 
-miscfiles_read_localization(swat_t)
-
 sysnet_use_ldap(swat_t)
 
+
+userdom_dontaudit_search_admin_dir(swat_t)
+
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
@@ -840,17 +954,21 @@ optional_policy(`
 # Winbind local policy
 #
 
-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+allow winbind_t self:capability { kill dac_read_search dac_override ipc_lock setuid sys_nice };
+allow winbind_t self:capability2 block_suspend;
 dontaudit winbind_t self:capability sys_tty_config;
 allow winbind_t self:process { signal_perms getsched setsched };
 allow winbind_t self:fifo_file rw_fifo_file_perms;
-allow winbind_t self:unix_stream_socket { accept listen };
-allow winbind_t self:tcp_socket { accept listen };
+allow winbind_t self:unix_dgram_socket { create_socket_perms sendto };
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t self:tcp_socket create_stream_socket_perms;
+allow winbind_t self:udp_socket create_socket_perms;
+allow winbind_t self:socket create_socket_perms;
 
 allow winbind_t nmbd_t:process { signal signull };
 
-allow winbind_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
+samba_stream_connect_nmbd(winbind_t)
 
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -860,9 +978,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
 
 manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
-append_files_pattern(winbind_t, samba_log_t, samba_log_t)
-create_files_pattern(winbind_t, samba_log_t, samba_log_t)
-setattr_files_pattern(winbind_t, samba_log_t, samba_log_t)
+manage_files_pattern(winbind_t, samba_log_t, samba_log_t)
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
@@ -870,41 +986,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
 files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+allow winbind_t samba_var_t:file { map } ;
 
-rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
 
-# This needs a file context specification
-allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow winbind_t winbind_log_t:file manage_file_perms;
 logging_log_filetrans(winbind_t, winbind_log_t, file)
 
-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+userdom_manage_user_tmp_dirs(winbind_t)
+userdom_manage_user_tmp_files(winbind_t)
+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
 
 manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
 manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
 filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
-
-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+# /run/samba/krb5cc_samba
 manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
 
 kernel_read_network_state(winbind_t)
 kernel_read_kernel_sysctls(winbind_t)
 kernel_read_system_state(winbind_t)
+kernel_read_usermodehelper_state(winbind_t)
+kernel_request_load_module(winbind_t)
 
 corecmd_exec_bin(winbind_t)
 
-corenet_all_recvfrom_unlabeled(winbind_t)
 corenet_all_recvfrom_netlabel(winbind_t)
 corenet_tcp_sendrecv_generic_if(winbind_t)
+corenet_udp_sendrecv_generic_if(winbind_t)
+corenet_raw_sendrecv_generic_if(winbind_t)
 corenet_tcp_sendrecv_generic_node(winbind_t)
+corenet_udp_sendrecv_generic_node(winbind_t)
+corenet_raw_sendrecv_generic_node(winbind_t)
 corenet_tcp_sendrecv_all_ports(winbind_t)
-
-corenet_sendrecv_all_client_packets(winbind_t)
+corenet_udp_sendrecv_all_ports(winbind_t)
+corenet_tcp_bind_generic_node(winbind_t)
+corenet_udp_bind_generic_node(winbind_t)
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -912,38 +1033,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
 
-domain_use_interactive_fds(winbind_t)
-
-files_read_usr_symlinks(winbind_t)
-files_list_var_lib(winbind_t)
 
 fs_getattr_all_fs(winbind_t)
 fs_search_auto_mountpoints(winbind_t)
+fs_read_anon_inodefs_files(winbind_t)
 
 auth_domtrans_chk_passwd(winbind_t)
 auth_use_nsswitch(winbind_t)
 auth_manage_cache(winbind_t)
 
+domain_use_interactive_fds(winbind_t)
+
+files_read_usr_symlinks(winbind_t)
+files_list_var_lib(winbind_t)
+
 logging_send_syslog_msg(winbind_t)
 
-miscfiles_read_localization(winbind_t)
 miscfiles_read_generic_certs(winbind_t)
 
+sysnet_use_ldap(winbind_t)
+
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_manage_user_home_content_dirs(winbind_t)
 userdom_manage_user_home_content_files(winbind_t)
 userdom_manage_user_home_content_symlinks(winbind_t)
 userdom_manage_user_home_content_pipes(winbind_t)
 userdom_manage_user_home_content_sockets(winbind_t)
-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(winbind_t)
 
 optional_policy(`
 	ctdbd_stream_connect(winbind_t)
 	ctdbd_manage_lib_files(winbind_t)
+	ctdbd_manage_lib_dirs(winbind_t)
+')
+
+
+optional_policy(`
+	dirsrv_stream_connect(winbind_t)
 ')
 
 optional_policy(`
 	kerberos_use(winbind_t)
+	kerberos_filetrans_named_content(winbind_t)
+')
+
+optional_policy(`
+    nis_authenticate(winbind_t)
 ')
 
 optional_policy(`
@@ -959,31 +1094,36 @@ optional_policy(`
 # Winbind helper local policy
 #
 
-allow winbind_helper_t self:unix_stream_socket { accept listen };
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
 
 allow winbind_helper_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
 
 allow winbind_helper_t samba_var_t:dir search_dir_perms;
+files_list_var_lib(winbind_helper_t)
 
 allow winbind_t smbcontrol_t:process signal;
+allow winbind_t smbcontrol_t:unix_dgram_socket sendto;
 
 stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
 
-domain_use_interactive_fds(winbind_helper_t)
-
-files_list_var_lib(winbind_helper_t)
+dev_read_urand(winbind_helper_t)
 
 term_list_ptys(winbind_helper_t)
 
+corecmd_exec_bin(winbind_helper_t)
+
+domain_use_interactive_fds(winbind_helper_t)
+
+files_list_tmp(winbind_helper_t)
+
 auth_use_nsswitch(winbind_helper_t)
 
 logging_send_syslog_msg(winbind_helper_t)
 
-miscfiles_read_localization(winbind_helper_t)
-
-userdom_use_user_terminals(winbind_helper_t)
+userdom_use_inherited_user_terminals(winbind_helper_t)
 
 optional_policy(`
 	apache_append_log(winbind_helper_t)
@@ -997,25 +1137,38 @@ optional_policy(`
 
 ########################################
 #
-# Unconfined script local policy
+# samba_unconfined_script_t local policy
 #
 
 optional_policy(`
-	type samba_unconfined_script_t;
-	type samba_unconfined_script_exec_t;
-	domain_type(samba_unconfined_script_t)
-	domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
-	corecmd_shell_entry_type(samba_unconfined_script_t)
-	role system_r types samba_unconfined_script_t;
+	type samba_unconfined_net_t;
+	domain_type(samba_unconfined_net_t)
+	domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
+	role system_r types samba_unconfined_net_t;
+
+	unconfined_domain(samba_unconfined_net_t)
 
-	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
-	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+	manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+	filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+	userdom_use_inherited_user_terminals(samba_unconfined_net_t)
+')
 
+type samba_unconfined_script_t;
+type samba_unconfined_script_exec_t;
+domain_type(samba_unconfined_script_t)
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
+
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+optional_policy(`
 	unconfined_domain(samba_unconfined_script_t)
+')
 
-	tunable_policy(`samba_run_unconfined',`
+tunable_policy(`samba_run_unconfined',`
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
-	',`
-		can_exec(smbd_t, samba_unconfined_script_exec_t)
-	')
+',`
+	can_exec(smbd_t, samba_unconfined_script_exec_t)
 ')
diff --git a/sambagui.te b/sambagui.te
index e18b0a2844..f497f5eb5b 100644
--- a/sambagui.te
+++ b/sambagui.te
@@ -18,7 +18,7 @@ role sambagui_roles types sambagui_t;
 # Local policy
 #
 
-allow sambagui_t self:capability dac_override;
+allow sambagui_t self:capability { dac_read_search dac_override };
 allow sambagui_t self:fifo_file rw_fifo_file_perms;
 
 kernel_read_system_state(sambagui_t)
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
 
 dev_dontaudit_read_urand(sambagui_t)
 
-files_read_usr_files(sambagui_t)
+files_search_var_lib(sambagui_t)
 
 auth_use_nsswitch(sambagui_t)
 auth_dontaudit_read_shadow(sambagui_t)
 
-logging_send_syslog_msg(sambagui_t)
+init_access_check(sambagui_t)
 
-miscfiles_read_localization(sambagui_t)
+logging_send_syslog_msg(sambagui_t)
 
 sysnet_use_ldap(sambagui_t)
 
@@ -61,6 +61,7 @@ optional_policy(`
 	samba_manage_var_files(sambagui_t)
 	samba_read_secrets(sambagui_t)
 	samba_initrc_domtrans(sambagui_t)
+	samba_systemctl(sambagui_t)
 	samba_domtrans_smbd(sambagui_t)
 	samba_domtrans_nmbd(sambagui_t)
 ')
diff --git a/samhain.if b/samhain.if
index f0236d67d5..37665a1b68 100644
--- a/samhain.if
+++ b/samhain.if
@@ -23,6 +23,8 @@ template(`samhain_service_template',`
 	files_read_all_files($1_t)
 
 	mls_file_write_all_levels($1_t)
+
+	logging_send_syslog_msg($1_t)
 ')
 
 ########################################
diff --git a/samhain.te b/samhain.te
index c41ce4bffc..8837e4c41a 100644
--- a/samhain.te
+++ b/samhain.te
@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
 
 init_read_utmp(samhain_domain)
 
-logging_send_syslog_msg(samhain_domain)
-
 ########################################
 #
 # Client local policy
@@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t)
 
 seutil_sigchld_newrole(samhain_t)
 
-userdom_use_user_terminals(samhain_t)
+userdom_use_inherited_user_terminals(samhain_t)
 
 ########################################
 #
diff --git a/sandbox.fc b/sandbox.fc
new file mode 100644
index 0000000000..b7db25411d
--- /dev/null
+++ b/sandbox.fc
@@ -0,0 +1 @@
+# Empty
diff --git a/sandbox.if b/sandbox.if
new file mode 100644
index 0000000000..1e7c447a07
--- /dev/null
+++ b/sandbox.if
@@ -0,0 +1,80 @@
+
+## <summary>policy for sandbox</summary>
+
+########################################
+## <summary>
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
+##	</summary>
+## </param>
+#
+interface(`sandbox_transition',`
+	gen_require(`
+		attribute sandbox_domain;
+	')
+
+    sandbox_dyntransition($1) #885288
+    allow $1 sandbox_domain:process transition;
+    dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+
+    role $2 types sandbox_domain;
+
+    allow sandbox_domain $1:process { sigchld signull };
+    allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+    dontaudit sandbox_domain $1:process signal;
+    dontaudit sandbox_domain $1:key { link read search view };
+    dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_dyntransition',`
+	gen_require(`
+		attribute sandbox_domain;
+	')
+
+	allow $1 sandbox_domain:process dyntransition;
+')
+
+########################################
+## <summary>
+##	Creates types and rules for a basic
+##	sandbox process domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
+## </param>
+#
+template(`sandbox_domain_template',`
+
+	gen_require(`
+		attribute sandbox_domain;
+	')
+	type $1_t, sandbox_domain;
+
+	application_type($1_t)
+
+	mls_rangetrans_target($1_t)
+	mcs_constrained($1_t)
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
index 0000000000..eb990f6a45
--- /dev/null
+++ b/sandbox.te
@@ -0,0 +1,64 @@
+policy_module(sandbox,1.0.0)
+
+attribute sandbox_domain;
+
+########################################
+#
+# Declarations
+#
+sandbox_domain_template(sandbox)
+
+########################################
+#
+# sandbox local policy
+#
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+	allow sandbox_domain self:process execmem;
+')
+
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
+allow sandbox_domain self:msgq create_msgq_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
+
+# sandbox_file_t was moved to sandboxX.te
+optional_policy(`
+	sandbox_exec_file(sandbox_domain)
+	sandbox_manage_content(sandbox_domain)
+	sandbox_dontaudit_mounton(sandbox_domain)
+	sandbox_manage_tmpfs_files(sandbox_domain)
+')
+
+gen_require(`
+	type usr_t, lib_t, locale_t, device_t;
+	type var_t, var_run_t, rpm_log_t, locale_t;
+	attribute exec_type, configfile;
+')
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+kernel_dontaudit_getattr_core_if(sandbox_domain)
+
+corecmd_exec_all_executables(sandbox_domain)
+
+dev_dontaudit_getattr_all(sandbox_domain)
+
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
+files_entrypoint_all_files(sandbox_domain)
+
+files_read_config_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
+files_read_all_mountpoint_symlinks(sandbox_domain)
+files_dontaudit_search_all_dirs(sandbox_domain)
+
+fs_dontaudit_getattr_all_fs(sandbox_domain)
+
+userdom_use_inherited_user_terminals(sandbox_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
diff --git a/sandboxX.fc b/sandboxX.fc
new file mode 100644
index 0000000000..6caef63264
--- /dev/null
+++ b/sandboxX.fc
@@ -0,0 +1,2 @@
+
+/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
index 0000000000..885d799743
--- /dev/null
+++ b/sandboxX.if
@@ -0,0 +1,397 @@
+
+## <summary>policy for sandboxX </summary>
+
+########################################
+## <summary>
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
+##	</summary>
+## </param>
+#
+interface(`sandbox_x_transition',`
+	gen_require(`
+		type sandbox_xserver_t;
+		type sandbox_file_t;
+		attribute sandbox_x_domain;
+		attribute sandbox_tmpfs_type;
+	')
+
+	allow $1 sandbox_x_domain:process { signal_perms transition };
+	allow $1 sandbox_x_domain:process dyntransition;
+	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+	allow sandbox_x_domain $1:process { sigchld signull };
+	allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
+	role $2 types sandbox_x_domain;
+	role $2 types sandbox_xserver_t;
+	allow $1 sandbox_xserver_t:process signal_perms;
+	dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
+	dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+	dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+	allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
+	dontaudit sandbox_xserver_t $1:file read;
+	allow sandbox_x_domain sandbox_x_domain:process signal;
+	# Dontaudit leaked file descriptors
+	dontaudit sandbox_x_domain $1:key { link read search view };
+	dontaudit sandbox_x_domain $1:fifo_file { read write };
+	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+	dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
+	dontaudit sandbox_x_domain $1:process { signal sigkill };
+	
+	allow $1 sandbox_tmpfs_type:file manage_file_perms;
+	dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
+
+	can_exec($1, sandbox_file_t)
+	allow $1 sandbox_file_t:filesystem getattr;
+	manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
+	manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
+	manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
+	manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
+	manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
+	relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+	relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
+	relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
+	relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
+	relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+##	Creates types and rules for a basic
+##	sandbox process domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
+## </param>
+#
+template(`sandbox_x_domain_template',`
+	gen_require(`
+		type xserver_exec_t, sandbox_devpts_t;
+		type sandbox_xserver_t;
+		type sandbox_exec_t;
+		attribute sandbox_x_domain;
+		attribute sandbox_tmpfs_type;
+		attribute sandbox_type;
+        attribute sandbox_web_type;
+	')
+
+	type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
+	application_type($1_t)
+	mcs_constrained($1_t)
+
+	kernel_read_system_state($1_t)
+	selinux_get_fs_mount($1_t)
+
+	auth_use_nsswitch($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	# window manager
+	miscfiles_setattr_fonts_cache_dirs($1_t)
+	allow $1_t self:capability setuid;
+
+	type $1_client_t, sandbox_x_domain;
+	application_type($1_client_t)
+	kernel_read_system_state($1_client_t)
+
+	mcs_constrained($1_t)
+
+	type $1_client_tmpfs_t, sandbox_tmpfs_type;
+	files_tmpfs_file($1_client_tmpfs_t)
+
+	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+	manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+	fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
+	# Pulseaudio tmpfs files with different MCS labels
+	dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
+	dontaudit $1_t $1_client_tmpfs_t:file { read write map };
+	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+	allow $1_client_t $1_client_tmpfs_t:file { map };
+
+	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+	allow $1_t sandbox_xserver_t:process signal_perms;
+
+	domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
+	domain_entry_file($1_client_t,  sandbox_exec_t)
+	allow $1_client_t $1_t:shm { unix_read unix_write };
+
+	ps_process_pattern(sandbox_xserver_t, $1_client_t)
+	ps_process_pattern(sandbox_xserver_t, $1_t)
+	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+	allow $1_client_t $1_t:unix_stream_socket connectto;
+	allow $1_t $1_client_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	allow domain to read, 
+##	write sandbox_xserver tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_rw_xserver_tmpfs_files',`
+	gen_require(`
+		type sandbox_xserver_tmpfs_t;
+	')
+
+	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	allow domain to read
+##	sandbox tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_read_tmpfs_files',`
+	gen_require(`
+		attribute sandbox_tmpfs_type;
+	')
+
+	allow $1 sandbox_tmpfs_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	allow domain to manage
+##	sandbox tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_manage_tmpfs_files',`
+	gen_require(`
+		attribute sandbox_tmpfs_type;
+	')
+
+	allow $1 sandbox_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete sandbox files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_delete_files',`
+	gen_require(`
+		type sandbox_file_t;
+	')
+
+	delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+##	Manage sandbox content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_manage_content',`
+	gen_require(`
+		type sandbox_file_t;
+	')
+
+	allow $1 sandbox_file_t:filesystem getattr;
+	manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
+	manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
+	manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
+	manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
+	manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
+')
+
+########################################
+## <summary>
+##	Delete sandbox symbolic links
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_delete_lnk_files',`
+	gen_require(`
+		type sandbox_file_t;
+	')
+
+	delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+##	Delete sandbox fifo files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_delete_pipes',`
+	gen_require(`
+		type sandbox_file_t;
+	')
+
+	delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+##	Delete sandbox sock files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_delete_sock_files',`
+	gen_require(`
+		type sandbox_file_t;
+	')
+
+	delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to  set the attributes
+##	of the sandbox directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_setattr_dirs',`
+	gen_require(`
+		type sandbox_file_t;
+	')
+
+	allow $1 sandbox_file_t:dir setattr;
+')
+
+########################################
+## <summary>
+##	Delete sandbox directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_delete_dirs',`
+	gen_require(`
+		type sandbox_file_t;
+	')
+
+	delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+##	allow domain to list sandbox dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`sandbox_list',`
+	gen_require(`
+		type sandbox_file_t;
+	')
+
+	allow $1 sandbox_file_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read and write a sandbox domain pty.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sandbox_use_ptys',`
+	gen_require(`
+		type sandbox_devpts_t;
+	')
+
+	allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+#######################################
+## <summary>
+##  Allow domain to execute sandbox_file_t in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`sandbox_exec_file',`
+    gen_require(`
+        type sandbox_file_t;
+    ')
+
+	can_exec($1, sandbox_file_t)
+')
+
+######################################
+## <summary>
+##  Allow domain to execute sandbox_file_t in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`sandbox_dontaudit_mounton',`
+    gen_require(`
+        type sandbox_file_t;
+    ')
+
+	dontaudit $1 sandbox_file_t:dir mounton;
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000000..7d126f9fd1
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,531 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
+attribute sandbox_x_domain;
+attribute sandbox_web_type;
+attribute sandbox_file_type;
+attribute sandbox_tmpfs_type;
+attribute sandbox_type;
+
+type sandbox_exec_t;
+files_type(sandbox_exec_t)
+
+type sandbox_file_t, sandbox_file_type;
+userdom_user_home_content(sandbox_file_t)
+
+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
+
+########################################
+#
+# Declarations
+#
+sandbox_x_domain_template(sandbox_min)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
+
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:process { signal_perms execstack };
+
+allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition;
+
+tunable_policy(`deny_execmem',`',`
+	allow sandbox_xserver_t self:process execmem;
+')
+
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
+allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+kernel_read_system_state(sandbox_xserver_t)
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+dev_read_sysfs(sandbox_xserver_t)
+dev_rwx_zero(sandbox_xserver_t)
+dev_read_urand(sandbox_xserver_t)
+
+domain_use_interactive_fds(sandbox_xserver_t)
+
+files_read_config_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
+fs_search_auto_mountpoints(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+
+selinux_validate_context(sandbox_xserver_t)
+selinux_compute_access_vector(sandbox_xserver_t)
+selinux_compute_create_context(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+logging_send_syslog_msg(sandbox_xserver_t)
+logging_send_audit_msgs(sandbox_xserver_t)
+
+userdom_use_inherited_user_terminals(sandbox_xserver_t)
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
+userdom_map_tmp_files(sandbox_xserver_t)
+userdom_rw_user_tmp_files(sandbox_xserver_t)
+
+xserver_read_xkb_libs(sandbox_xserver_t)
+xserver_dontaudit_xkb_libs_access(sandbox_xserver_t)
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+	dbus_system_bus_client(sandbox_xserver_t)
+
+	optional_policy(`
+		hal_dbus_chat(sandbox_xserver_t)
+	')
+')
+
+########################################
+#
+# sandbox_x_t local policy
+#
+
+allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition;
+allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition;
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+# This access is needed due to Wayland
+userdom_manage_user_tmp_dirs(sandbox_x_t)
+userdom_map_tmp_files(sandbox_x_t)
+userdom_manage_user_tmp_files(sandbox_x_t)
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap };
+tunable_policy(`deny_execmem',`',`
+	allow sandbox_x_domain self:process execmem;
+')
+
+allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:sem create_sem_perms;
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:msgq create_msgq_perms;
+allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+
+dontaudit sandbox_x_domain sandbox_x_domain:process signal;
+dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+
+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
+
+can_exec(sandbox_x_domain, sandbox_file_t)
+allow sandbox_x_domain sandbox_file_t:filesystem getattr;
+manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
+allow sandbox_x_domain sandbox_file_t:file execmod;
+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
+kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)
+
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_read_sysfs(sandbox_x_domain)
+dev_dontaudit_rw_dri(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
+files_entrypoint_all_files(sandbox_x_domain)
+files_read_config_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
+fs_get_xattr_fs_quotas(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+init_dontaudit_write_utmp(sandbox_x_domain)
+
+libs_dontaudit_setattr_lib_files(sandbox_x_domain)
+
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
+
+selinux_validate_context(sandbox_x_domain)
+selinux_compute_access_vector(sandbox_x_domain)
+selinux_compute_create_context(sandbox_x_domain)
+selinux_compute_relabel_context(sandbox_x_domain)
+selinux_compute_user_contexts(sandbox_x_domain)
+seutil_read_default_contexts(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+term_search_ptys(sandbox_x_domain)
+
+application_dontaudit_signal(sandbox_x_domain)
+application_dontaudit_sigkill(sandbox_x_domain)
+
+logging_dontaudit_search_logs(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+storage_dontaudit_rw_fuse(sandbox_x_domain)
+
+optional_policy(`
+	bluetooth_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
+	consolekit_dbus_chat(sandbox_x_domain)
+')
+
+optional_policy(`
+	cups_stream_connect(sandbox_x_domain)
+	cups_read_rw_config(sandbox_x_domain)
+')
+
+optional_policy(`
+	dbus_system_bus_client(sandbox_x_domain)
+')
+
+optional_policy(`
+	devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
+')
+
+optional_policy(`
+	gnome_read_gconf_config(sandbox_x_domain)
+	gnome_dontaudit_rw_inherited_config(sandbox_x_domain)
+	gnome_dontaudit_rw_inherited_config(sandbox_xserver_t)
+')
+
+optional_policy(`
+	nscd_dontaudit_search_pid(sandbox_x_domain)
+')
+
+optional_policy(`
+	sssd_dontaudit_search_lib(sandbox_x_domain)
+')
+
+optional_policy(`
+	udev_read_db(sandbox_x_domain)
+')
+
+userdom_use_inherited_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
+
+fs_search_auto_mountpoints(sandbox_x_domain)
+fs_read_hugetlbfs_files(sandbox_x_domain)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_search_auto_mountpoints(sandbox_x_domain)
+	fs_search_nfs(sandbox_xserver_t)
+	fs_read_nfs_files(sandbox_xserver_t)
+	fs_manage_nfs_dirs(sandbox_x_domain)
+	fs_manage_nfs_files(sandbox_x_domain)
+	fs_exec_nfs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_search_cifs(sandbox_xserver_t)
+	fs_read_cifs_files(sandbox_xserver_t)
+	fs_manage_cifs_dirs(sandbox_x_domain)
+	fs_manage_cifs_files(sandbox_x_domain)
+	fs_exec_cifs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+	fs_search_fusefs(sandbox_xserver_t)
+	fs_read_fusefs_files(sandbox_xserver_t)
+	fs_manage_fusefs_dirs(sandbox_x_domain)
+	fs_manage_fusefs_files(sandbox_x_domain)
+	fs_exec_fusefs_files(sandbox_x_domain)
+')
+
+optional_policy(`
+	networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
+')
+
+#1103622
+corenet_tcp_connect_xserver_port(sandbox_x_domain)
+xserver_stream_connect(sandbox_x_domain)
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_x_client_t)
+
+auth_use_nsswitch(sandbox_x_client_t)
+
+logging_send_syslog_msg(sandbox_x_client_t)
+
+# This access is needed due to Wayland
+userdom_manage_user_tmp_dirs(sandbox_x_client_t)
+userdom_map_tmp_files(sandbox_x_client_t)
+userdom_manage_user_tmp_files(sandbox_x_client_t)
+
+optional_policy(`
+	avahi_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+	colord_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+	hal_dbus_chat(sandbox_x_client_t)
+')
+
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_x_client_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+typeattribute sandbox_web_client_t sandbox_web_type;
+
+allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition;
+
+selinux_get_fs_mount(sandbox_web_client_t)
+
+auth_use_nsswitch(sandbox_web_client_t)
+
+logging_send_syslog_msg(sandbox_web_client_t)
+
+miscfiles_map_generic_certs(sandbox_web_client_t)
+
+allow sandbox_web_type self:capability { setuid setgid };
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
+dontaudit sandbox_web_type self:process setrlimit;
+
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
+allow sandbox_web_type self:udp_socket create_socket_perms;
+allow sandbox_web_type self:dbus { acquire_svc send_msg };
+
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
+kernel_request_load_module(sandbox_web_type)
+
+dev_read_rand(sandbox_web_type)
+dev_write_sound(sandbox_web_type)
+dev_read_sound(sandbox_web_type)
+
+corenet_tcp_sendrecv_generic_if(sandbox_web_type)
+corenet_raw_sendrecv_generic_if(sandbox_web_type)
+corenet_tcp_sendrecv_generic_node(sandbox_web_type)
+corenet_raw_sendrecv_generic_node(sandbox_web_type)
+corenet_tcp_sendrecv_http_port(sandbox_web_type)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
+corenet_tcp_connect_aol_port(sandbox_web_type)
+corenet_tcp_connect_asterisk_port(sandbox_web_type)
+corenet_tcp_connect_commplex_link_port(sandbox_web_type)
+corenet_tcp_connect_couchdb_port(sandbox_web_type)
+corenet_tcp_connect_flash_port(sandbox_web_type)
+corenet_tcp_connect_ftp_port(sandbox_web_type)
+corenet_tcp_connect_gatekeeper_port(sandbox_web_type)
+corenet_tcp_connect_generic_port(sandbox_web_type)
+corenet_tcp_connect_http_cache_port(sandbox_web_type)
+corenet_tcp_connect_http_port(sandbox_web_type)
+corenet_tcp_connect_ipp_port(sandbox_web_type)
+corenet_tcp_connect_ipsecnat_port(sandbox_web_type)
+corenet_tcp_connect_ircd_port(sandbox_web_type)
+corenet_tcp_connect_jabber_client_port(sandbox_web_type)
+corenet_tcp_connect_jboss_management_port(sandbox_web_type)
+corenet_tcp_connect_mmcc_port(sandbox_web_type)
+corenet_tcp_connect_monopd_port(sandbox_web_type)
+corenet_tcp_connect_msnp_port(sandbox_web_type)
+corenet_tcp_connect_ms_streaming_port(sandbox_web_type)
+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
+corenet_tcp_connect_rtsp_port(sandbox_web_type)
+corenet_tcp_connect_soundd_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_tcp_connect_squid_port(sandbox_web_type)
+corenet_tcp_connect_tor_port(sandbox_web_type)
+corenet_tcp_connect_transproxy_port(sandbox_web_type)
+corenet_tcp_connect_vnc_port(sandbox_web_type)
+corenet_tcp_connect_whois_port(sandbox_web_type)
+corenet_sendrecv_http_client_packets(sandbox_web_type)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
+corenet_sendrecv_squid_client_packets(sandbox_web_type)
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type)
+
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
+
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
+
+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
+
+dbus_system_bus_client(sandbox_web_type)
+dbus_read_config(sandbox_web_type)
+selinux_validate_context(sandbox_web_type)
+selinux_compute_access_vector(sandbox_web_type)
+selinux_compute_create_context(sandbox_web_type)
+selinux_compute_relabel_context(sandbox_web_type)
+selinux_compute_user_contexts(sandbox_web_type)
+seutil_read_default_contexts(sandbox_web_type)
+
+userdom_rw_user_tmp_files(sandbox_web_type)
+userdom_delete_user_tmp_files(sandbox_web_type)
+
+optional_policy(`
+	alsa_read_rw_config(sandbox_web_type)
+')
+
+optional_policy(`
+	avahi_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+	bluetooth_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+	hal_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+	chrome_domtrans_sandbox(sandbox_web_type)
+')
+
+optional_policy(`
+	mozilla_plugin_rw_sem(sandbox_web_type)
+')
+
+optional_policy(`
+	nsplugin_manage_rw(sandbox_web_type)
+	nsplugin_read_rw_files(sandbox_web_type)
+	nsplugin_rw_exec(sandbox_web_type)
+')
+
+optional_policy(`
+	pulseaudio_stream_connect(sandbox_web_type)
+	allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+optional_policy(`
+	rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+    # needed by pulseaudio
+    systemd_read_logind_sessions_files(sandbox_web_type)
+    systemd_login_read_pid_files(sandbox_web_type)
+')
+
+optional_policy(`
+	udev_read_state(sandbox_web_type)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+typeattribute sandbox_net_client_t sandbox_web_type;
+
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
+selinux_get_fs_mount(sandbox_net_client_t)
+
+auth_use_nsswitch(sandbox_net_client_t)
+
+logging_send_syslog_msg(sandbox_net_client_t)
+
+optional_policy(`
+	mozilla_plugin_rw_tmpfs_files(sandbox_x_domain)
+	mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+	mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+	mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+	mozilla_plugin_rw_sem(sandbox_x_domain)
+	mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
+
diff --git a/sanlock.fc b/sanlock.fc
index 3df2a0f14e..7264d8ae19 100644
--- a/sanlock.fc
+++ b/sanlock.fc
@@ -1,7 +1,18 @@
+
 /etc/rc\.d/init\.d/sanlock	--	gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
 
-/usr/sbin/sanlock	--	gen_context(system_u:object_r:sanlock_exec_t,s0)
+/etc/sanlock(/.*)?			gen_context(system_u:object_r:sanlock_conf_t,s0)
+
+/var/run/sanlock(/.*)?			gen_context(system_u:object_r:sanlock_var_run_t,s0)
+ 
+/var/run/sanlk-resetd(/.*)?		gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
+/var/log/sanlock\.log.*			gen_context(system_u:object_r:sanlock_log_t,s0)
+
+/usr/sbin/sanlock		--	gen_context(system_u:object_r:sanlock_exec_t,s0)
+
+/usr/sbin/sanlk-resetd		--	gen_context(system_u:object_r:sanlk_resetd_exec_t,s0)
 
-/var/run/sanlock(/.*)?	gen_context(system_u:object_r:sanlock_var_run_t,s0)
+/usr/lib/systemd/system/sanlock\.service	--	gen_context(system_u:object_r:sanlock_unit_file_t,s0)
 
-/var/log/sanlock\.log.*	--	gen_context(system_u:object_r:sanlock_log_t,s0)
+/usr/lib/systemd/system/sanlk-resetd\.service	--	gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0)
diff --git a/sanlock.if b/sanlock.if
index cd6c213d2c..9becdddccd 100644
--- a/sanlock.if
+++ b/sanlock.if
@@ -1,4 +1,6 @@
-## <summary>shared storage lock manager.</summary>
+
+## <summary>Sanlock - lock manager built on shared storage.</summary>
+
 
 ########################################
 ## <summary>
@@ -15,18 +17,17 @@ interface(`sanlock_domtrans',`
 		type sanlock_t, sanlock_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, sanlock_exec_t, sanlock_t)
 ')
 
+
 ########################################
 ## <summary>
-##	Execute sanlock init scripts in
-##	the initrc domain.
+##	Execute sanlock server in the sanlock domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
@@ -40,8 +41,7 @@ interface(`sanlock_initrc_domtrans',`
 
 ######################################
 ## <summary>
-##	Create, read, write, and delete
-##	sanlock pid files.
+##	Create, read, write, and delete sanlock PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -60,28 +60,51 @@ interface(`sanlock_manage_pid_files',`
 
 ########################################
 ## <summary>
-##	Connect to sanlock with a unix
-##	domain stream socket.
+##      Connect to sanlock over a unix stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sanlock_stream_connect',`
+        gen_require(`
+                type sanlock_t, sanlock_var_run_t;
+        ')
+
+        files_search_pids($1)
+        stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+')
+
+########################################
+## <summary>
+##	Execute virt server in the virt domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`sanlock_stream_connect',`
+interface(`sanlock_systemctl',`
 	gen_require(`
-		type sanlock_t, sanlock_var_run_t;
+		type sanlock_unit_file_t;
+		type sanlock_t;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 sanlock_unit_file_t:file read_file_perms;
+	allow $1 sanlock_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, sanlock_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an sanlock environment.
+##	All of the rules required to administrate
+##	an sanlock environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -97,21 +120,139 @@ interface(`sanlock_stream_connect',`
 #
 interface(`sanlock_admin',`
 	gen_require(`
-		type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t;
-		type sanlock_log_t;
+		type sanlock_t;
+		type sanlock_initrc_exec_t;
+		type sanlock_unit_file_t;
 	')
 
-	allow $1 sanlock_t:process { ptrace signal_perms };
+	allow $1 sanlock_t:process signal_perms;
 	ps_process_pattern($1, sanlock_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 sanlock_t:process ptrace;
+	')
 
 	sanlock_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 sanlock_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	virt_systemctl($1)
+	admin_pattern($1, sanlock_unit_file_t)
+	allow $1 sanlock_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+##	Execute sanlk_resetd_exec_t in the sanlk_resetd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sanlock_domtrans_sanlk_resetd',`
+	gen_require(`
+		type sanlk_resetd_t, sanlk_resetd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, sanlk_resetd_exec_t, sanlk_resetd_t)
+')
+
+######################################
+## <summary>
+##	Execute sanlk_resetd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sanlock_exec_sanlk_resetd',`
+	gen_require(`
+		type sanlk_resetd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, sanlk_resetd_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute sanlk_resetd server in the sanlk_resetd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`sanlock_systemctl_sanlk_resetd',`
+	gen_require(`
+		type sanlk_resetd_t;
+		type sanlk_resetd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 sanlk_resetd_unit_file_t:file read_file_perms;
+	allow $1 sanlk_resetd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, sanlk_resetd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an sanlk_resetd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sanlock_admin_sanlk_resetd',`
+	gen_require(`
+		type sanlk_resetd_t;
+	type sanlk_resetd_unit_file_t;
+	type sanlk_resetd_unit_file_t;
+	')
+
+	allow $1 sanlk_resetd_t:process { signal_perms };
+	ps_process_pattern($1, sanlk_resetd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 sanlk_resetd_t:process ptrace;
+    ')
+
 	files_search_pids($1)
-	admin_pattern($1, sanlock_var_run_t)
 
-	logging_search_logs($1)
-	admin_pattern($1, sanlock_log_t)
+	sanlock_systemctl_sanlk_resetd($1)
+	admin_pattern($1, sanlk_resetd_unit_file_t)
+	allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read sanlock process state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sanlock_read_state',`
+	gen_require(`
+		type sanlock_t;
+	')
+
+	ps_process_pattern($1, sanlock_t)
 ')
diff --git a/sanlock.te b/sanlock.te
index 0045465a0b..f5f6921368 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether sanlock can use
-##	nfs file systems.
-##	</p>
+##  <p>
+##  Allow sanlock to manage nfs files
+##  </p>
 ## </desc>
 gen_tunable(sanlock_use_nfs, false)
 
+## <desc>
+##  <p>
+##  Allow sanlock to manage cifs files
+##  </p>
+## </desc>
+gen_tunable(sanlock_use_samba, false)
+
+## <desc>
+## <p>
+## Allow sanlock to read/write fuse files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_fusefs, false)
+
 ## <desc>
 ##	<p>
-##	Determine whether sanlock can use
-##	cifs file systems.
+##	Allow sanlock to read/write user home directories.
 ##	</p>
 ## </desc>
-gen_tunable(sanlock_use_samba, false)
+gen_tunable(sanlock_enable_home_dirs, false)
 
 type sanlock_t;
 type sanlock_exec_t;
 init_daemon_domain(sanlock_t, sanlock_exec_t)
 
+type sanlk_resetd_t;
+type sanlk_resetd_exec_t;
+init_daemon_domain(sanlk_resetd_t, sanlk_resetd_exec_t)
+
+type sanlock_conf_t;
+files_config_file(sanlock_conf_t)
+
 type sanlock_var_run_t;
 files_pid_file(sanlock_var_run_t)
 
@@ -34,6 +53,12 @@ logging_log_file(sanlock_log_t)
 type sanlock_initrc_exec_t;
 init_script_file(sanlock_initrc_exec_t)
 
+type sanlock_unit_file_t;
+systemd_unit_file(sanlock_unit_file_t)
+
+type sanlk_resetd_unit_file_t;
+systemd_unit_file(sanlk_resetd_unit_file_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
 ')
@@ -44,17 +69,18 @@ ifdef(`enable_mls',`
 
 ########################################
 #
-# Local policy
+# sanlock local policy
 #
-
-allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
+allow sanlock_t self:capability { chown dac_read_search dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
 allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+
 allow sanlock_t self:fifo_file rw_fifo_file_perms;
-allow sanlock_t self:unix_stream_socket { accept listen };
+allow sanlock_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)
 
-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
-setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
 logging_log_filetrans(sanlock_t, sanlock_log_t, file)
 
 manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
@@ -65,13 +91,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
 kernel_read_system_state(sanlock_t)
 kernel_read_kernel_sysctls(sanlock_t)
 
-dev_read_rand(sanlock_t)
-dev_read_urand(sanlock_t)
-
 domain_use_interactive_fds(sanlock_t)
 
+files_read_mnt_symlinks(sanlock_t)
+
+fs_rw_cephfs_files(sanlock_t)
+
 storage_raw_rw_fixed_disk(sanlock_t)
 
+dev_read_rand(sanlock_t)
+dev_read_urand(sanlock_t)
+dev_read_sysfs(sanlock_t)
+
 auth_use_nsswitch(sanlock_t)
 
 init_read_utmp(sanlock_t)
@@ -79,20 +110,35 @@ init_dontaudit_write_utmp(sanlock_t)
 
 logging_send_syslog_msg(sanlock_t)
 
-miscfiles_read_localization(sanlock_t)
+tunable_policy(`sanlock_use_fusefs',`
+    fs_manage_fusefs_dirs(sanlock_t)
+    fs_manage_fusefs_files(sanlock_t)
+    fs_read_fusefs_symlinks(sanlock_t)
+    fs_getattr_fusefs(sanlock_t)
+')
 
 tunable_policy(`sanlock_use_nfs',`
-	fs_manage_nfs_dirs(sanlock_t)
-	fs_manage_nfs_files(sanlock_t)
-	fs_manage_nfs_named_sockets(sanlock_t)
-	fs_read_nfs_symlinks(sanlock_t)
+    fs_manage_nfs_dirs(sanlock_t)
+    fs_manage_nfs_files(sanlock_t)
+    fs_manage_nfs_named_sockets(sanlock_t)
+    fs_read_nfs_symlinks(sanlock_t)
 ')
 
 tunable_policy(`sanlock_use_samba',`
-	fs_manage_cifs_dirs(sanlock_t)
-	fs_manage_cifs_files(sanlock_t)
-	fs_manage_cifs_named_sockets(sanlock_t)
-	fs_read_cifs_symlinks(sanlock_t)
+    fs_manage_cifs_dirs(sanlock_t)
+    fs_manage_cifs_files(sanlock_t)
+    fs_manage_cifs_named_sockets(sanlock_t)
+    fs_read_cifs_symlinks(sanlock_t)
+')
+
+tunable_policy(`sanlock_enable_home_dirs',`
+	userdom_manage_user_home_content_dirs(sanlock_t)
+	userdom_manage_user_home_content_files(sanlock_t)
+	userdom_manage_user_home_content_symlinks(sanlock_t)
+')
+
+optional_policy(`
+    rhcs_domtrans_fenced(sanlock_t)
 ')
 
 optional_policy(`
@@ -100,7 +146,34 @@ optional_policy(`
 ')
 
 optional_policy(`
-	virt_kill_all_virt_domains(sanlock_t)
+	virt_kill_svirt(sanlock_t)
+	virt_kill(sanlock_t)
+	virt_signal(sanlock_t)
 	virt_manage_lib_files(sanlock_t)
-	virt_signal_all_virt_domains(sanlock_t)
+	virt_signal_svirt(sanlock_t)
+	virt_read_pid_files(sanlock_t)
+')
+
+########################################
+#
+# sanlk_resetd local policy
+#
+
+allow sanlk_resetd_t self:capability { dac_read_search dac_override };
+allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms;
+allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_sock_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t)
+files_pid_filetrans(sanlk_resetd_t, sanlock_var_run_t, dir)
+
+kernel_dgram_send(sanlk_resetd_t)
+
+domain_use_interactive_fds(sanlk_resetd_t)
+
+logging_send_syslog_msg(sanlk_resetd_t)
+
+optional_policy(`
+        wdmd_stream_connect(sanlk_resetd_t)
 ')
diff --git a/sasl.fc b/sasl.fc
index 54f41c2b75..7e58679685 100644
--- a/sasl.fc
+++ b/sasl.fc
@@ -1,7 +1,12 @@
 /etc/rc\.d/init\.d/sasl	--	gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
 
+#
+# /usr
+#
 /usr/sbin/saslauthd	--	gen_context(system_u:object_r:saslauthd_exec_t,s0)
 
-/var/lib/sasl2(/.*)?	gen_context(system_u:object_r:saslauthd_var_run_t,s0)
-
+#
+# /var
+#
+/var/lib/sasl2(/.*)?		gen_context(system_u:object_r:saslauthd_var_run_t,s0)
 /var/run/saslauthd(/.*)?	gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/sasl.if b/sasl.if
index 8c3c151cbf..93b7227892 100644
--- a/sasl.if
+++ b/sasl.if
@@ -1,4 +1,4 @@
-## <summary>SASL authentication server.</summary>
+## <summary>SASL authentication server</summary>
 
 ########################################
 ## <summary>
@@ -21,8 +21,8 @@ interface(`sasl_connect',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an sasl environment.
+##	All of the rules required to administrate 
+##	an sasl environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -42,9 +42,13 @@ interface(`sasl_admin',`
 		type saslauthd_keytab_t;
 	')
 
-	allow $1 saslauthd_t:process { ptrace signal_perms };
+	allow $1 saslauthd_t:process signal_perms;
 	ps_process_pattern($1, saslauthd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 saslauthd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 saslauthd_initrc_exec_t system_r;
diff --git a/sasl.te b/sasl.te
index 6c3bc20594..eb05a49202 100644
--- a/sasl.te
+++ b/sasl.te
@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether sasl can
-##	read shadow files.
-##	</p>
+## <p>
+## Allow sasl to read shadow
+## </p>
 ## </desc>
-gen_tunable(allow_saslauthd_read_shadow, false)
+gen_tunable(saslauthd_read_shadow, false)
 
 type saslauthd_t;
 type saslauthd_exec_t;
@@ -35,7 +34,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
 dontaudit saslauthd_t self:capability sys_tty_config;
 allow saslauthd_t self:process { setsched signal_perms };
 allow saslauthd_t self:fifo_file rw_fifo_file_perms;
-allow saslauthd_t self:unix_stream_socket { accept listen };
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t self:tcp_socket create_socket_perms;
 
 allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
 
@@ -48,29 +49,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
 kernel_read_system_state(saslauthd_t)
 kernel_rw_afs_state(saslauthd_t)
 
-corenet_all_recvfrom_unlabeled(saslauthd_t)
+#577519
+corecmd_exec_bin(saslauthd_t)
+
 corenet_all_recvfrom_netlabel(saslauthd_t)
 corenet_tcp_sendrecv_generic_if(saslauthd_t)
 corenet_tcp_sendrecv_generic_node(saslauthd_t)
-
-corenet_sendrecv_pop_client_packets(saslauthd_t)
+corenet_tcp_sendrecv_all_ports(saslauthd_t)
+corenet_tcp_connect_ldap_port(saslauthd_t)
 corenet_tcp_connect_pop_port(saslauthd_t)
-corenet_tcp_sendrecv_pop_port(saslauthd_t)
-
-corenet_sendrecv_zarafa_client_packets(saslauthd_t)
 corenet_tcp_connect_zarafa_port(saslauthd_t)
-corenet_tcp_sendrecv_zarafa_port(saslauthd_t)
-
-corecmd_exec_bin(saslauthd_t)
+corenet_sendrecv_pop_client_packets(saslauthd_t)
 
 dev_read_urand(saslauthd_t)
 
-domain_use_interactive_fds(saslauthd_t)
-
-files_dontaudit_read_etc_runtime_files(saslauthd_t)
-files_dontaudit_getattr_home_dir(saslauthd_t)
-files_dontaudit_getattr_tmp_dirs(saslauthd_t)
-
 fs_getattr_all_fs(saslauthd_t)
 fs_search_auto_mountpoints(saslauthd_t)
 
@@ -78,34 +70,39 @@ selinux_compute_access_vector(saslauthd_t)
 
 auth_use_pam(saslauthd_t)
 
+domain_use_interactive_fds(saslauthd_t)
+
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
+files_search_var_lib(saslauthd_t)
+files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
+
 init_dontaudit_stream_connect_script(saslauthd_t)
 
 logging_send_syslog_msg(saslauthd_t)
 
-miscfiles_read_localization(saslauthd_t)
 miscfiles_read_generic_certs(saslauthd_t)
 
-seutil_dontaudit_read_config(saslauthd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
 userdom_dontaudit_search_user_home_dirs(saslauthd_t)
 
+# cjp: typeattribute doesnt work in conditionals
 auth_can_read_shadow_passwords(saslauthd_t)
-tunable_policy(`allow_saslauthd_read_shadow',`
-	allow saslauthd_t self:capability dac_override;
+tunable_policy(`saslauthd_read_shadow',`
+	allow saslauthd_t self:capability { dac_read_search dac_override };
 	auth_tunable_read_shadow(saslauthd_t) 
 ')
 
 optional_policy(`
 	kerberos_read_keytab(saslauthd_t)
 	kerberos_manage_host_rcache(saslauthd_t)
-	kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
+	kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
 	kerberos_use(saslauthd_t)
 ')
 
 optional_policy(`
+	mysql_search_db(saslauthd_t)
 	mysql_stream_connect(saslauthd_t)
-	mysql_tcp_connect(saslauthd_t)
 ')
 
 optional_policy(`
diff --git a/sbd.fc b/sbd.fc
new file mode 100644
index 0000000000..41768eed0f
--- /dev/null
+++ b/sbd.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/sbd.service		--	gen_context(system_u:object_r:sbd_unit_file_t,s0)
+
+/usr/lib/systemd/system/sbd_remote.service		--	gen_context(system_u:object_r:sbd_unit_file_t,s0)
+
+/usr/sbin/sbd		--	gen_context(system_u:object_r:sbd_exec_t,s0)
+
+/var/run/sbd.*		--	gen_context(system_u:object_r:sbd_var_run_t,s0)
diff --git a/sbd.if b/sbd.if
new file mode 100644
index 0000000000..7a058a82aa
--- /dev/null
+++ b/sbd.if
@@ -0,0 +1,126 @@
+
+## <summary>policy for sbd</summary>
+
+########################################
+## <summary>
+##	Execute sbd_exec_t in the sbd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sbd_domtrans',`
+	gen_require(`
+		type sbd_t, sbd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, sbd_exec_t, sbd_t)
+')
+
+######################################
+## <summary>
+##	Execute sbd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sbd_exec',`
+	gen_require(`
+		type sbd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, sbd_exec_t)
+')
+########################################
+## <summary>
+##	Read sbd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sbd_read_pid_files',`
+	gen_require(`
+		type sbd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, sbd_var_run_t, sbd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute sbd server in the sbd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`sbd_systemctl',`
+	gen_require(`
+		type sbd_t;
+		type sbd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 sbd_unit_file_t:file read_file_perms;
+	allow $1 sbd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, sbd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an sbd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sbd_admin',`
+	gen_require(`
+		type sbd_t;
+		type sbd_var_run_t;
+	type sbd_unit_file_t;
+	')
+
+	allow $1 sbd_t:process { signal_perms };
+	ps_process_pattern($1, sbd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 sbd_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, sbd_var_run_t)
+
+	sbd_systemctl($1)
+	admin_pattern($1, sbd_unit_file_t)
+	allow $1 sbd_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
index 0000000000..5aea5cbe1d
--- /dev/null
+++ b/sbd.te
@@ -0,0 +1,71 @@
+policy_module(sbd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sbd_t;
+type sbd_exec_t;
+init_daemon_domain(sbd_t, sbd_exec_t)
+
+type sbd_var_run_t;
+files_pid_file(sbd_var_run_t)
+
+type sbd_unit_file_t;
+systemd_unit_file(sbd_unit_file_t)
+
+type sbd_tmpfs_t;
+userdom_user_tmpfs_file(sbd_tmpfs_t)
+
+########################################
+#
+# sbd local policy
+#
+allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_admin};
+allow sbd_t self:process { fork setsched signal_perms };
+allow sbd_t self:fifo_file rw_fifo_file_perms;
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
+allow sbd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
+manage_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
+manage_lnk_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t)
+files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file })
+
+manage_files_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)
+manage_dirs_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)
+fs_tmpfs_filetrans(sbd_t, sbd_tmpfs_t, { file dir })
+
+auth_use_nsswitch(sbd_t)
+
+kernel_read_system_state(sbd_t)
+kernel_dgram_send(sbd_t)
+kernel_rw_all_sysctls(sbd_t)
+kernel_create_rpc_sysctls(sbd_t)
+
+dev_read_rand(sbd_t)
+dev_write_watchdog(sbd_t)
+dev_getattr_all_chr_files(sbd_t)
+dev_read_sysfs(sbd_t)
+
+domain_read_all_domains_state(sbd_t)
+
+files_read_etc_files(sbd_t)
+
+fs_read_tmpfs_symlinks(sbd_t)
+fs_manage_cgroup_files(sbd_t)
+fs_manage_cgroup_dirs(sbd_t)
+
+miscfiles_read_localization(sbd_t)
+
+logging_send_syslog_msg(sbd_t)
+
+storage_raw_rw_fixed_disk(sbd_t)
+
+optional_policy(`
+    rhcs_rw_cluster_tmpfs(sbd_t)
+    rhcs_stream_connect_cluster(sbd_t)
+    rhcs_signull_cluster(sbd_t)
+
+')
diff --git a/sblim.fc b/sblim.fc
index 68a550d54b..e976fc62e8 100644
--- a/sblim.fc
+++ b/sblim.fc
@@ -1,6 +1,10 @@
 /etc/rc\.d/init\.d/gatherer	--	gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sblim-sfcbd     --      gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
 
 /usr/sbin/gatherd	--	gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
 /usr/sbin/reposd	--	gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+/usr/sbin/sfcbd         --      gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0)
+
+/var/lib/sfcb(/.*)?             gen_context(system_u:object_r:sblim_var_lib_t,s0)
 
 /var/run/gather(/.*)?	gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/sblim.if b/sblim.if
index 98c9e0a884..562666e065 100644
--- a/sblim.if
+++ b/sblim.if
@@ -1,8 +1,36 @@
-## <summary>Standards Based Linux Instrumentation for Manageability.</summary>
+## <summary> Standards Based Linux Instrumentation for Manageability. </summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  sblim daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`sblim_domain_template',`
+    gen_require(`
+        attribute sblim_domain;
+    ')
+
+    type sblim_$1_t, sblim_domain;
+    type sblim_$1_exec_t;
+    init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)
+
+	kernel_read_system_state(sblim_$1_t)
+
+	corenet_all_recvfrom_unlabeled(sblim_$1_t)
+	corenet_all_recvfrom_netlabel(sblim_$1_t)
+
+	logging_send_syslog_msg(sblim_$1_t)
+')
 
 ########################################
 ## <summary>
-##	Execute gatherd in the gatherd domain.
+##	Transition to gatherd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -21,7 +49,7 @@ interface(`sblim_domtrans_gatherd',`
 
 ########################################
 ## <summary>
-##	Read gatherd pid files.
+##	Read gatherd PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -40,34 +68,129 @@ interface(`sblim_read_pid_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an sblim environment.
+##	Transition to sblim named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_filetrans_named_content',`
+	gen_require(`
+		type sblim_var_run_t;
+	')
+
+	files_pid_filetrans($1, sblim_var_run_t, dir, "gather")
+')
+
+########################################
+## <summary>
+##	Connect to sblim_sfcb over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`sblim_stream_connect_sfcbd',`
+	gen_require(`
+		type sblim_sfcb_t, sblim_var_lib_t;
+        type sblim_tmp_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
+')
+
+#######################################
+## <summary>
+##  Getattr on sblim executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`sblim_getattr_exec_sfcbd',`
+    gen_require(`
+        type sblim_sfcbd_exec_t;
+    ')
+
+	allow $1 sblim_sfcbd_exec_t:file getattr;
+')
+
+
+########################################
+## <summary>
+##	Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcb',`
+	gen_require(`
+		type sblim_sfcb_t, sblim_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+')
+
+#######################################
+## <summary>
+##	Allow read and write access to sblim semaphores.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_rw_semaphores_sfcbd',`
+	gen_require(`
+		type sblim_sfcbd_t;
+	')
+
+	allow $1 sblim_sfcbd_t:sem rw_sem_perms;
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an gatherd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`sblim_admin',`
 	gen_require(`
-		attribute sblim_domain;
-		type sblim_initrc_exec_t, sblim_var_run_t;
+		type sblim_gatherd_t;
+		type sblim_reposd_t;
+		type sblim_var_run_t;
 	')
 
-	allow $1 sblim_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, sblim_domain)
+	allow $1 sblim_gatherd_t:process signal_perms;
+	ps_process_pattern($1, sblim_gatherd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 sblim_gatherd_t:process ptrace;
+		allow $1 sblim_reposd_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, sblim_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 sblim_initrc_exec_t system_r;
-	allow $2 system_r;
+	allow $1 sblim_reposd_t:process signal_perms;
+	ps_process_pattern($1, sblim_reposd_t)
 
 	files_search_pids($1)
 	admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
index 299756bc85..6a6dc53c71 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
 
 attribute sblim_domain;
 
-type sblim_gatherd_t, sblim_domain;
-type sblim_gatherd_exec_t;
-init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
+sblim_domain_template(gatherd)
 
-type sblim_reposd_t, sblim_domain;
-type sblim_reposd_exec_t;
-init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+sblim_domain_template(reposd)
+
+sblim_domain_template(sfcbd)
 
 type sblim_initrc_exec_t;
 init_script_file(sblim_initrc_exec_t)
@@ -21,6 +19,15 @@ init_script_file(sblim_initrc_exec_t)
 type sblim_var_run_t;
 files_pid_file(sblim_var_run_t)
 
+type sblim_var_lib_t;
+files_type(sblim_var_lib_t)
+
+type sblim_tmp_t;
+files_tmp_file(sblim_tmp_t)
+
+type sblim_sfcb_tmpfs_t;
+files_tmpfs_file(sblim_sfcb_tmpfs_t)
+
 ######################################
 #
 # Common sblim domain local policy
@@ -31,32 +38,39 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
 manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
 manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
 manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")
+
+manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
 
 kernel_read_network_state(sblim_domain)
-kernel_read_system_state(sblim_domain)
+kernel_read_sysctl(sblim_domain)
 
-corenet_all_recvfrom_unlabeled(sblim_domain)
-corenet_all_recvfrom_netlabel(sblim_domain)
 corenet_tcp_sendrecv_generic_if(sblim_domain)
 corenet_tcp_sendrecv_generic_node(sblim_domain)
 
 corenet_tcp_sendrecv_repository_port(sblim_domain)
 
 dev_read_sysfs(sblim_domain)
+dev_read_rand(sblim_domain)
+dev_read_urand(sblim_domain)
 
-logging_send_syslog_msg(sblim_domain)
-
-files_read_etc_files(sblim_domain)
-
-miscfiles_read_localization(sblim_domain)
+auth_read_passwd(sblim_domain)
 
 ########################################
 #
 # Gatherd local policy
 #
 
-allow sblim_gatherd_t self:capability dac_override;
-allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:capability { dac_read_search dac_override sys_nice sys_ptrace };
+allow sblim_gatherd_t self:process { setsched signal };
 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
 allow sblim_gatherd_t self:unix_stream_socket { accept listen };
 
@@ -82,8 +96,12 @@ fs_search_cgroup_dirs(sblim_gatherd_t)
 storage_raw_read_fixed_disk(sblim_gatherd_t)
 storage_raw_read_removable_device(sblim_gatherd_t)
 
+auth_use_nsswitch(sblim_gatherd_t)
+
 init_read_utmp(sblim_gatherd_t)
 
+logging_send_syslog_msg(sblim_gatherd_t)
+
 sysnet_dns_name_resolve(sblim_gatherd_t)
 
 term_getattr_pty_fs(sblim_gatherd_t)
@@ -103,8 +121,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	virt_getattr_virtd_exec_files(sblim_gatherd_t)
+	virt_read_config(sblim_gatherd_t)
 	virt_stream_connect(sblim_gatherd_t)
+	virt_getattr_exec(sblim_gatherd_t)
 ')
 
 optional_policy(`
@@ -117,6 +136,64 @@ optional_policy(`
 # Reposd local policy
 #
 
+corenet_tcp_bind_generic_node(sblim_reposd_t)
+
 corenet_sendrecv_repository_server_packets(sblim_reposd_t)
 corenet_tcp_bind_repository_port(sblim_reposd_t)
-corenet_tcp_bind_generic_node(sblim_domain)
+
+logging_send_syslog_msg(sblim_reposd_t)
+
+#######################################
+#
+# Sfcbd local policy
+#
+
+allow sblim_sfcbd_t self:capability { sys_ptrace setgid setuid };
+allow sblim_sfcbd_t self:process signal;
+allow sblim_sfcbd_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t)
+manage_files_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t)
+fs_tmpfs_filetrans(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, { dir file })
+allow sblim_sfcbd_t sblim_sfcb_tmpfs_t:file map;
+
+auth_use_nsswitch(sblim_sfcbd_t)
+auth_domtrans_chkpwd(sblim_sfcbd_t)
+
+corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
+
+corenet_tcp_connect_http_port(sblim_sfcbd_t)
+
+corecmd_exec_shell(sblim_sfcbd_t)
+corecmd_exec_bin(sblim_sfcbd_t)
+
+dev_read_rand(sblim_sfcbd_t)
+dev_read_urand(sblim_sfcbd_t)
+
+domain_read_all_domains_state(sblim_sfcbd_t)
+domain_use_interactive_fds(sblim_sfcbd_t)
+
+logging_send_audit_msgs(sblim_sfcbd_t)
+
+optional_policy(`
+    setroubleshoot_signull(sblim_sfcbd_t)
+')
+
+optional_policy(`
+    rpm_exec(sblim_sfcbd_t)
+    rpm_dontaudit_manage_db(sblim_sfcbd_t)
+')
+
+optional_policy(`
+    virt_manage_config(sblim_sfcbd_t)
+    virt_stream_connect(sblim_sfcbd_t)
+    virt_search_images(sblim_sfcbd_t)
+    virt_getattr_images(sblim_sfcbd_t)
+')
+
+optional_policy(`
+    qemu_getattr_exec(sblim_sfcbd_t)
+')
diff --git a/screen.fc b/screen.fc
index e7c2cf74fa..435aaa61cf 100644
--- a/screen.fc
+++ b/screen.fc
@@ -2,8 +2,10 @@ HOME_DIR/\.screen(/.*)?	gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
 
-/usr/bin/screen	--	gen_context(system_u:object_r:screen_exec_t,s0)
-/usr/bin/tmux	--	gen_context(system_u:object_r:screen_exec_t,s0)
+/root/\.screen(/.*)?			gen_context(system_u:object_r:screen_home_t,s0)
 
-/var/run/screen(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
-/var/run/tmux(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)
+/usr/bin/screen			--	gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux			--	gen_context(system_u:object_r:screen_exec_t,s0)
+
+/var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/screen.if b/screen.if
index be5cce2d37..7b4d6294c3 100644
--- a/screen.if
+++ b/screen.if
@@ -1,4 +1,4 @@
-## <summary>GNU terminal multiplexer.</summary>
+## <summary>GNU terminal multiplexer</summary>
 
 #######################################
 ## <summary>
@@ -23,10 +23,9 @@
 #
 template(`screen_role_template',`
 	gen_require(`
-		attribute screen_domain;
-		attribute_role screen_roles;
 		type screen_exec_t, screen_tmp_t;
 		type screen_home_t, screen_var_run_t;
+		attribute screen_domain;
 	')
 
 	########################################
@@ -35,50 +34,54 @@ template(`screen_role_template',`
 	#
 
 	type $1_screen_t, screen_domain;
-	userdom_user_application_domain($1_screen_t, screen_exec_t)
+	application_domain($1_screen_t, screen_exec_t)
 	domain_interactive_fd($1_screen_t)
-	role screen_roles types $1_screen_t;
+	ubac_constrained($1_screen_t)
+	role $2 types $1_screen_t;
 
-	roleattribute $2 screen_roles;
+	tunable_policy(`deny_ptrace',`',`
+		allow $3 $1_screen_t:process ptrace;
+	')
 
-	########################################
-	#
-	# Local policy
-	#
+	userdom_home_reader($1_screen_t)
 
 	domtrans_pattern($3, screen_exec_t, $1_screen_t)
-
-	ps_process_pattern($3, $1_screen_t)
-	allow $3 $1_screen_t:process { ptrace signal_perms };
-
+	allow $3 $1_screen_t:process { signal sigchld };
 	dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+	allow $1_screen_t $3:unix_stream_socket { connectto };
 	allow $1_screen_t $3:process signal;
+    allow $3 screen_exec_t:file entrypoint;
+	ps_process_pattern($1_screen_t, $3)
 
-	allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
-	allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-
-	allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 screen_home_t:file { manage_file_perms relabel_file_perms };
-	allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+	manage_dirs_pattern($3, screen_home_t, screen_home_t)
+	manage_files_pattern($3, screen_home_t, screen_home_t)
+	manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+	relabel_dirs_pattern($3, screen_home_t, screen_home_t)
+	relabel_files_pattern($3, screen_home_t, screen_home_t)
+	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
 
 	userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
 	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
 	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
 
 	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
-	manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
-	manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
 	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+	manage_sock_files_pattern($3, screen_var_run_t, screen_var_run_t)
 
-	corecmd_bin_domtrans($1_screen_t, $3)
+	kernel_read_system_state($1_screen_t)
+
+	# Revert to the user domain when a shell is executed.
 	corecmd_shell_domtrans($1_screen_t, $3)
+	corecmd_bin_domtrans($1_screen_t, $3)
 
 	auth_domtrans_chk_passwd($1_screen_t)
 	auth_use_nsswitch($1_screen_t)
 
+	logging_send_syslog_msg($1_screen_t)
+
 	userdom_user_home_domtrans($1_screen_t, $3)
+	userdom_manage_tmp_role($2, $1_screen_t)
 
 	tunable_policy(`use_samba_home_dirs',`
 		fs_cifs_domtrans($1_screen_t, $3)
@@ -88,3 +91,41 @@ template(`screen_role_template',`
 		fs_nfs_domtrans($1_screen_t, $3)
 	')
 ')
+
+#######################################
+## <summary>
+##      Execute the rssh program
+##      in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`screen_exec',`
+        gen_require(`
+                type screen_exec_t;
+        ')
+
+        can_exec($1, screen_exec_t)
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to the screen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`screen_sigchld',`
+	gen_require(`
+		attribute screen_domain;
+	')
+
+	allow $1 screen_domain:process sigchld;
+')
+
diff --git a/screen.te b/screen.te
index 5466a73277..33598f3b33 100644
--- a/screen.te
+++ b/screen.te
@@ -5,9 +5,7 @@ policy_module(screen, 2.6.0)
 # Declarations
 #
 
-attribute screen_domain;
-
-attribute_role screen_roles;
+attribute  screen_domain;
 
 type screen_exec_t;
 application_executable_file(screen_exec_t)
@@ -17,11 +15,6 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
 typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
 userdom_user_home_content(screen_home_t)
 
-type screen_tmp_t;
-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
-userdom_user_tmp_file(screen_tmp_t)
-
 type screen_var_run_t;
 typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
 typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
@@ -30,34 +23,35 @@ ubac_constrained(screen_var_run_t)
 
 ########################################
 #
-# Common screen domain local policy
+# Local policy
 #
 
-allow screen_domain self:capability { setuid setgid fsetid };
+allow screen_domain self:capability { fsetid setgid setuid sys_tty_config };
+dontaudit screen_domain self:capability { dac_read_search dac_override };
 allow screen_domain self:process signal_perms;
-allow screen_domain self:fd use;
 allow screen_domain self:fifo_file rw_fifo_file_perms;
-allow screen_domain self:tcp_socket { accept listen };
-allow screen_domain self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
+allow screen_domain self:tcp_socket create_stream_socket_perms;
+allow screen_domain self:udp_socket create_socket_perms;
+# Internal screen networking
+allow screen_domain self:fd use;
+allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
+allow screen_domain self:unix_dgram_socket create_socket_perms;
 
+# Create fifo
 manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
 manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
 manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
 files_pid_filetrans(screen_domain, screen_var_run_t, dir)
 
+allow screen_domain screen_home_t:dir list_dir_perms;
 manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
-read_files_pattern(screen_domain, screen_home_t, screen_home_t)
 manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
+manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t)
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
 read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
-userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen")
 
-kernel_read_system_state(screen_domain)
 kernel_read_kernel_sysctls(screen_domain)
 
 corecmd_list_bin(screen_domain)
@@ -66,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
 corecmd_read_bin_pipes(screen_domain)
 corecmd_read_bin_sockets(screen_domain)
 
-corenet_all_recvfrom_unlabeled(screen_domain)
-corenet_all_recvfrom_netlabel(screen_domain)
 corenet_tcp_sendrecv_generic_if(screen_domain)
+corenet_udp_sendrecv_generic_if(screen_domain)
 corenet_tcp_sendrecv_generic_node(screen_domain)
+corenet_udp_sendrecv_generic_node(screen_domain)
 corenet_tcp_sendrecv_all_ports(screen_domain)
-
-corenet_sendrecv_all_client_packets(screen_domain)
+corenet_udp_sendrecv_all_ports(screen_domain)
 corenet_tcp_connect_all_ports(screen_domain)
 
 dev_dontaudit_getattr_all_chr_files(screen_domain)
 dev_dontaudit_getattr_all_blk_files(screen_domain)
+# for SSP
 dev_read_urand(screen_domain)
 
-domain_use_interactive_fds(screen_domain)
 domain_sigchld_interactive_fds(screen_domain)
+domain_use_interactive_fds(screen_domain)
 domain_read_all_domains_state(screen_domain)
 
+files_search_tmp(screen_domain)
+files_search_home(screen_domain)
 files_list_home(screen_domain)
-files_read_usr_files(screen_domain)
 
 fs_search_auto_mountpoints(screen_domain)
-fs_getattr_all_fs(screen_domain)
+fs_getattr_xattr_fs(screen_domain)
 
 auth_dontaudit_read_shadow(screen_domain)
 auth_dontaudit_exec_utempter(screen_domain)
 
+# Write to utmp.
 init_rw_utmp(screen_domain)
 
-logging_send_syslog_msg(screen_domain)
-
-miscfiles_read_localization(screen_domain)
-
 seutil_read_config(screen_domain)
 
 userdom_use_user_terminals(screen_domain)
 userdom_create_user_pty(screen_domain)
 userdom_setattr_user_ptys(screen_domain)
 userdom_setattr_user_ttys(screen_domain)
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(screen_domain)
-	fs_read_cifs_files(screen_domain)
-	fs_manage_cifs_named_pipes(screen_domain)
-	fs_read_cifs_symlinks(screen_domain)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(screen_domain)
-	fs_read_nfs_files(screen_domain)
-	fs_manage_nfs_named_pipes(screen_domain)
-	fs_read_nfs_symlinks(screen_domain)
-')
diff --git a/sectoolm.fc b/sectoolm.fc
index 64a239453e..3f1dac59aa 100644
--- a/sectoolm.fc
+++ b/sectoolm.fc
@@ -1,5 +1,4 @@
 /usr/libexec/sectool-mechanism\.py	--	gen_context(system_u:object_r:sectoolm_exec_t,s0)
 
-/var/lib/sectool(/.*)?	gen_context(system_u:object_r:sectool_var_lib_t,s0)
-
-/var/log/sectool\.log.*	--	gen_context(system_u:object_r:sectool_var_log_t,s0)
+/var/lib/sectool(/.*)?				gen_context(system_u:object_r:sectool_var_lib_t,s0)
+/var/log/sectool\.log.*			--	gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/sectoolm.if b/sectoolm.if
index c78a569c3b..9007451188 100644
--- a/sectoolm.if
+++ b/sectoolm.if
@@ -1,24 +1,2 @@
-## <summary>Sectool security audit tool.</summary>
+## <summary>Sectool security audit tool</summary>
 
-########################################
-## <summary>
-##	Role access for sectoolm.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`sectoolm_role',`
-	gen_require(`
-		type sectoolm_t;
-	')
-
-	allow sectoolm_t $2:unix_dgram_socket sendto;
-')
diff --git a/sectoolm.te b/sectoolm.te
index 4bc8c13eab..e05d74d48a 100644
--- a/sectoolm.te
+++ b/sectoolm.te
@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0)
 
 type sectoolm_t;
 type sectoolm_exec_t;
-init_system_domain(sectoolm_t, sectoolm_exec_t)
+init_daemon_domain(sectoolm_t, sectoolm_exec_t)
 
 type sectool_var_lib_t;
 files_type(sectool_var_lib_t)
@@ -20,14 +20,14 @@ files_tmp_file(sectool_tmp_t)
 
 ########################################
 #
-# Local policy
+# sectool local policy
 #
 
-allow sectoolm_t self:capability { dac_override net_admin sys_nice };
+allow sectoolm_t self:capability { dac_read_search dac_override net_admin sys_nice sys_ptrace };
 allow sectoolm_t self:process { getcap getsched	signull setsched };
 dontaudit sectoolm_t self:process { execstack execmem };
 allow sectoolm_t self:fifo_file rw_fifo_file_perms;
-allow sectoolm_t self:unix_dgram_socket sendto;
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
 
 manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
 manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
@@ -37,7 +37,7 @@ manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
 manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
 files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
 
-allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
 logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
 
 kernel_read_net_sysctls(sectoolm_t)
@@ -65,6 +65,7 @@ fs_list_noxattr_fs(sectoolm_t)
 
 selinux_validate_context(sectoolm_t)
 
+# tcp_wrappers test
 application_exec_all(sectoolm_t)
 
 auth_use_nsswitch(sectoolm_t)
@@ -73,30 +74,36 @@ libs_exec_ld_so(sectoolm_t)
 
 logging_send_syslog_msg(sectoolm_t)
 
+# tests related to network
 sysnet_domtrans_ifconfig(sectoolm_t)
 
-userdom_write_user_tmp_sockets(sectoolm_t)
+userdom_manage_user_tmp_sockets(sectoolm_t)
+userdom_dgram_send(sectoolm_t)
 
 optional_policy(`
-	mount_exec(sectoolm_t)
+	dbus_system_domain(sectoolm_t, sectoolm_exec_t)
 ')
 
 optional_policy(`
-	dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+	# tests related to network
+	hostname_exec(sectoolm_t)
+')
 
-	optional_policy(`
-		policykit_dbus_chat(sectoolm_t)
-	')
+optional_policy(`
+	# tests related to network
+	iptables_domtrans(sectoolm_t)
 ')
 
 optional_policy(`
-	hostname_exec(sectoolm_t)
+	mount_exec(sectoolm_t)
 ')
 
 optional_policy(`
-	iptables_domtrans(sectoolm_t)
+	policykit_dbus_chat(sectoolm_t)
 ')
 
+# suid test using
+# rpm -Vf option
 optional_policy(`
 	prelink_domtrans(sectoolm_t)
 ')
diff --git a/sendmail.fc b/sendmail.fc
index d14b6bfc7b..da5d41d5c0 100644
--- a/sendmail.fc
+++ b/sendmail.fc
@@ -1,7 +1,8 @@
-/etc/rc\.d/init\.d/sendmail	--	gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
 
-/var/log/sendmail\.st.*	--	gen_context(system_u:object_r:sendmail_log_t,s0)
-/var/log/mail(/.*)?	gen_context(system_u:object_r:sendmail_log_t,s0)
+/etc/rc\.d/init\.d/sendmail --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
 
-/var/run/sendmail\.pid	--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
-/var/run/sm-client\.pid	--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/log/sendmail\.st.*		--	gen_context(system_u:object_r:sendmail_log_t,s0)
+/var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
+
+/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
index 35ad2a733b..afdc7da29e 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
-## <summary>Internetwork email routing facility.</summary>
+## <summary>Policy for sendmail.</summary>
 
 ########################################
 ## <summary>
@@ -18,7 +18,8 @@ interface(`sendmail_stub',`
 
 ########################################
 ## <summary>
-##	Read and write sendmail unnamed pipes.
+##	Allow attempts to read and write to
+##	sendmail unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -36,7 +37,7 @@ interface(`sendmail_rw_pipes',`
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run sendmail.
+##	Domain transition to sendmail.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -49,19 +50,30 @@ interface(`sendmail_domtrans',`
 		type sendmail_t;
 	')
 
-	corecmd_search_bin($1)
 	mta_sendmail_domtrans($1, sendmail_t)
+')
 
-	allow sendmail_t $1:fd use;
-	allow sendmail_t $1:fifo_file rw_fifo_file_perms;
-	allow sendmail_t $1:process sigchld;
+#######################################
+## <summary>
+##  Execute sendmail in the sendmail domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_initrc_domtrans',`
+	gen_require(`
+		type sendmail_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the sendmail program in the
-##	sendmail domain, and allow the
-##	specified role the sendmail domain.
+##	Execute the sendmail program in the sendmail domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -70,7 +82,7 @@ interface(`sendmail_domtrans',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to allow the sendmail domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -81,7 +93,7 @@ interface(`sendmail_run',`
 	')
 
 	sendmail_domtrans($1)
-	roleattribute $2 sendmail_roles;
+    roleattribute $2 sendmail_roles;
 ')
 
 ########################################
@@ -102,6 +114,53 @@ interface(`sendmail_signal',`
 	allow $1 sendmail_t:process signal;
 ')
 
+########################################
+## <summary>
+##	Execute sendmail in the sendmail_unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+	gen_require(`
+		type unconfined_sendmail_t, sendmail_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
+#######################################
+## <summary>
+##  Execute sendmail in the unconfined
+##  sendmail domain, and allow the
+##  specified role the unconfined
+##  sendmail domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+    gen_require(`
+        attribute_role sendmail_unconfined_roles;
+    ')
+
+    sendmail_domtrans_unconfined($1)
+    roleattribute $2 sendmail_unconfined_roles;
+')
+
 ########################################
 ## <summary>
 ##	Read and write sendmail TCP sockets.
@@ -141,8 +200,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Read and write sendmail unix
-##	domain stream sockets.
+##	Read and write sendmail unix_stream_sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -179,7 +237,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
 
 ########################################
 ## <summary>
-##	Read sendmail log files.
+##	Read sendmail logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -199,8 +257,7 @@ interface(`sendmail_read_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	sendmail log files.
+##	Create, read, write, and delete sendmail logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -220,8 +277,7 @@ interface(`sendmail_manage_log',`
 
 ########################################
 ## <summary>
-##	Create specified objects in generic
-##	log directories sendmail log file type.
+##	Create sendmail logs with the correct type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -231,7 +287,6 @@ interface(`sendmail_manage_log',`
 #
 interface(`sendmail_create_log',`
 	refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
-	sendmail_log_filetrans_sendmail_log($1, $2, $3)
 ')
 
 ########################################
@@ -265,8 +320,7 @@ interface(`sendmail_log_filetrans_sendmail_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	sendmail tmp files.
+##	Manage sendmail tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -285,58 +339,27 @@ interface(`sendmail_manage_tmp_files',`
 
 ########################################
 ## <summary>
-##	Execute sendmail in the unconfined sendmail domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`sendmail_domtrans_unconfined',`
-	gen_require(`
-		type unconfined_sendmail_t;
-	')
-
-	mta_sendmail_domtrans($1, unconfined_sendmail_t)
-
-	allow unconfined_sendmail_t $1:fd use;
-	allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms;
-	allow unconfined_sendmail_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute sendmail in the unconfined
-##	sendmail domain, and allow the
-##	specified role the unconfined
-##	sendmail domain.
+##	Set the attributes of sendmail pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`sendmail_run_unconfined',`
+interface(`sendmail_setattr_pid_files',`
 	gen_require(`
-		attribute_role sendmail_unconfined_roles;
+		type sendmail_var_run_t;
 	')
 
-	sendmail_domtrans_unconfined($1)
-	roleattribute $2 sendmail_unconfined_roles;
+	allow $1 sendmail_var_run_t:file setattr_file_perms;
+	files_search_pids($1)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an sendmail environment.
+##	All of the rules required to administrate
+##	an sendmail environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -355,12 +378,17 @@ interface(`sendmail_admin',`
 		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
 		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
 		type sendmail_keytab_t;
+		type mail_spool_t;
 	')
 
-	allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
+	allow $1 sendmail_t:process signal_perms;
+	ps_process_pattern($1, sendmail_t)
 
-	init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 sendmail_t:process ptrace;
+	')
+
+	sendmail_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 sendmail_initrc_exec_t system_r;
 
@@ -376,6 +404,6 @@ interface(`sendmail_admin',`
 	files_list_pids($1)
 	admin_pattern($1, sendmail_var_run_t)
 
-	sendmail_run($1, $2)
-	sendmail_run_unconfined($1, $2)
+	files_list_spool($1)
+	admin_pattern($1, mail_spool_t)
 ')
diff --git a/sendmail.te b/sendmail.te
index 12700b4133..8ba2995151 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
 
 ########################################
 #
-# Local policy
+# Sendmail local policy
 #
 
-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
+allow sendmail_t self:capability { dac_read_search dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+dontaudit sendmail_t self:capability net_admin;
+dontaudit sendmail_t self:capability2 block_suspend;
 allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
-allow sendmail_t self:unix_stream_socket { accept listen };
-allow sendmail_t self:tcp_socket { accept listen };
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
+allow sendmail_t self:tcp_socket create_stream_socket_perms;
+allow sendmail_t self:udp_socket create_socket_perms;
 
+allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
+manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
 allow sendmail_t sendmail_keytab_t:file read_file_perms;
 
-allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
-append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
-create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
-setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
 logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
 
 manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
@@ -63,33 +65,24 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
 
 kernel_read_network_state(sendmail_t)
 kernel_read_kernel_sysctls(sendmail_t)
+# for piping mail to a command
 kernel_read_system_state(sendmail_t)
+kernel_search_network_sysctl(sendmail_t)
+kernel_read_kernel_sysctls(sendmail_t)
+kernel_read_net_sysctls(sendmail_t)
 
-corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
 corenet_tcp_sendrecv_generic_if(sendmail_t)
 corenet_tcp_sendrecv_generic_node(sendmail_t)
 corenet_tcp_sendrecv_all_ports(sendmail_t)
 corenet_tcp_bind_generic_node(sendmail_t)
-
-corenet_sendrecv_smtp_server_packets(sendmail_t)
 corenet_tcp_bind_smtp_port(sendmail_t)
-
-corenet_sendrecv_all_client_packets(sendmail_t)
 corenet_tcp_connect_all_ports(sendmail_t)
+corenet_sendrecv_smtp_server_packets(sendmail_t)
+corenet_sendrecv_smtp_client_packets(sendmail_t)
 
-corecmd_exec_bin(sendmail_t)
-corecmd_exec_shell(sendmail_t)
-
-dev_read_sysfs(sendmail_t)
 dev_read_urand(sendmail_t)
-
-domain_use_interactive_fds(sendmail_t)
-
-files_read_all_tmp_files(sendmail_t)
-files_read_etc_runtime_files(sendmail_t)
-files_read_usr_files(sendmail_t)
-files_search_spool(sendmail_t)
+dev_read_sysfs(sendmail_t)
 
 fs_getattr_all_fs(sendmail_t)
 fs_search_auto_mountpoints(sendmail_t)
@@ -98,35 +91,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
 term_dontaudit_use_console(sendmail_t)
 term_dontaudit_use_generic_ptys(sendmail_t)
 
+# for piping mail to a command
+corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
+
+domain_use_interactive_fds(sendmail_t)
+
+files_search_spool(sendmail_t)
+# for piping mail to a command
+files_read_etc_runtime_files(sendmail_t)
+files_read_all_tmp_files(sendmail_t)
+
 init_use_fds(sendmail_t)
 init_use_script_ptys(sendmail_t)
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
 init_read_utmp(sendmail_t)
 init_dontaudit_write_utmp(sendmail_t)
 init_rw_script_tmp_files(sendmail_t)
 
 auth_use_nsswitch(sendmail_t)
 
+# Read /usr/lib/sasl2/.*
 libs_read_lib_files(sendmail_t)
 
 logging_send_syslog_msg(sendmail_t)
 logging_dontaudit_write_generic_logs(sendmail_t)
 
 miscfiles_read_generic_certs(sendmail_t)
-miscfiles_read_localization(sendmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+userdom_read_user_home_content_files(sendmail_t)
+userdom_dontaudit_list_user_home_dirs(sendmail_t)
 
-mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
-mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
-mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp")
+mta_read_config(sendmail_t)
+mta_etc_filetrans_aliases(sendmail_t)
+# Write to /etc/aliases and /etc/mail.
 mta_manage_aliases(sendmail_t)
+# Write to /var/spool/mail and /var/spool/mqueue.
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
-mta_read_config(sendmail_t)
 mta_sendmail_exec(sendmail_t)
 
 optional_policy(`
-	cfengine_dontaudit_write_log_files(sendmail_t)
+	cfengine_dontaudit_write_log(sendmail_t)
 ')
 
 optional_policy(`
@@ -134,8 +141,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	clamav_search_lib(sendmail_t)
-	clamav_stream_connect(sendmail_t)
+	antivirus_search_db(sendmail_t)
+	antivirus_stream_connect(sendmail_t)
 ')
 
 optional_policy(`
@@ -163,6 +170,10 @@ optional_policy(`
 	kerberos_use(sendmail_t)
 ')
 
+optional_policy(`
+	inn_write_inherited_news_lib(sendmail_t)
+')
+
 optional_policy(`
 	milter_stream_connect_all(sendmail_t)
 ')
@@ -171,6 +182,11 @@ optional_policy(`
 	munin_dontaudit_search_lib(sendmail_t)
 ')
 
+optional_policy(`
+	openshift_dontaudit_rw_inherited_fifo_files(sendmail_t)
+	openshift_rw_inherited_content(sendmail_t)
+')
+
 optional_policy(`
 	postfix_domtrans_postdrop(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
@@ -192,6 +208,10 @@ optional_policy(`
 	sasl_connect(sendmail_t)
 ')
 
+optional_policy(`
+	spamd_stream_connect(sendmail_t)
+')
+
 optional_policy(`
 	udev_read_db(sendmail_t)
 ')
@@ -206,8 +226,6 @@ optional_policy(`
 #
 
 optional_policy(`
-	mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
-	mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
-	mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
+	mta_filetrans_named_content(unconfined_sendmail_t)
 	unconfined_domain(unconfined_sendmail_t)
 ')
diff --git a/sensord.fc b/sensord.fc
index 8185d5a6be..9be989a082 100644
--- a/sensord.fc
+++ b/sensord.fc
@@ -1,5 +1,9 @@
+/lib/systemd/system/sensord.service		--	gen_context(system_u:object_r:sensord_unit_file_t,s0)
+
 /etc/rc\.d/init\.d/sensord	--	gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
 
 /usr/sbin/sensord	--	gen_context(system_u:object_r:sensord_exec_t,s0)
 
+/var/log/sensor.*		gen_context(system_u:object_r:sensord_log_t,s0)
+
 /var/run/sensord\.pid	--	gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/sensord.if b/sensord.if
index d204752b3a..85631b346f 100644
--- a/sensord.if
+++ b/sensord.if
@@ -1,35 +1,81 @@
-## <summary>Sensor information logging daemon.</summary>
+
+## <summary>Sensor information logging daemon</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an sensord environment.
+##	Execute sensord in the sensord domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sensord_domtrans',`
+	gen_require(`
+		type sensord_t, sensord_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, sensord_exec_t, sensord_t)
+')
+########################################
+## <summary>
+##	Execute sensord server in the sensord domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`sensord_systemctl',`
+	gen_require(`
+		type sensord_t;
+		type sensord_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 sensord_unit_file_t:file read_file_perms;
+	allow $1 sensord_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, sensord_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an sensord environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`sensord_admin',`
 	gen_require(`
-		type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
+		type sensord_t;
+		type sensord_unit_file_t;
+		type sensord_log_t;
+		type sensord_var_run_t;
 	')
 
 	allow $1 sensord_t:process { ptrace signal_perms };
 	ps_process_pattern($1, sensord_t)
 
-	init_labeled_script_domtrans($1, sensord_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 sensord_initrc_exec_t system_r;
-	allow $2 system_r;
+	sensord_systemctl($1)
+	admin_pattern($1, sensord_unit_file_t)
+	allow $1 sensord_unit_file_t:service all_service_perms;
 
-	files_search_pids($1)
+	admin_pattern($1, sensord_log_t)
 	admin_pattern($1, sensord_var_run_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/sensord.te b/sensord.te
index 5e82fd616c..ddb249dfbe 100644
--- a/sensord.te
+++ b/sensord.te
@@ -9,27 +9,38 @@ type sensord_t;
 type sensord_exec_t;
 init_daemon_domain(sensord_t, sensord_exec_t)
 
+type sensord_unit_file_t;
+systemd_unit_file(sensord_unit_file_t)
+
 type sensord_initrc_exec_t;
 init_script_file(sensord_initrc_exec_t)
 
 type sensord_var_run_t;
 files_pid_file(sensord_var_run_t)
 
+type sensord_log_t;
+logging_log_file(sensord_log_t)
+
 ########################################
 #
 # Local policy
 #
 
+allow sensord_t self:process { signal execmem };
+
 allow sensord_t self:fifo_file rw_fifo_file_perms;
 allow sensord_t self:unix_stream_socket create_stream_socket_perms;
 
+manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t)
+logging_log_filetrans(sensord_t, sensord_log_t, file)
+
 manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
 files_pid_filetrans(sensord_t, sensord_var_run_t, file)
 
-dev_read_sysfs(sensord_t)
+kernel_read_system_state(sensord_t)
 
-files_read_etc_files(sensord_t)
+dev_read_sysfs(sensord_t)
+dev_getattr_sysfs_fs(sensord_t)
 
 logging_send_syslog_msg(sensord_t)
 
-miscfiles_read_localization(sensord_t)
diff --git a/setroubleshoot.fc b/setroubleshoot.fc
index 0b3a971f4d..397a5225b0 100644
--- a/setroubleshoot.fc
+++ b/setroubleshoot.fc
@@ -1,9 +1,9 @@
 /usr/sbin/setroubleshootd	--	gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
 
-/usr/share/setroubleshoot/SetroubleshootFixit\.py*	--	gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
 
-/var/run/setroubleshoot(/.*)?	gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+/var/run/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
 
-/var/log/setroubleshoot(/.*)?	gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+/var/log/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
 
-/var/lib/setroubleshoot(/.*)?	gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+/var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
diff --git a/setroubleshoot.if b/setroubleshoot.if
index 3a9a70befb..903109c987 100644
--- a/setroubleshoot.if
+++ b/setroubleshoot.if
@@ -1,9 +1,8 @@
-## <summary>SELinux troubleshooting service.</summary>
+## <summary>SELinux troubleshooting service</summary>
 
 ########################################
 ## <summary>
-##	Connect to setroubleshootd with a
-##	unix domain stream socket.
+##	Connect to setroubleshootd over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -23,9 +22,8 @@ interface(`setroubleshoot_stream_connect',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to connect to
-##	setroubleshootd with a unix
-##	domain stream socket.
+##	Dontaudit attempts to connect to setroubleshootd
+##	over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -42,6 +40,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',`
 	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
 ')
 
+#######################################
+## <summary>
+##	Send null signals to setroubleshoot.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`setroubleshoot_signull',`
+	gen_require(`
+		type setroubleshootd_t;
+	')
+
+	allow $1 setroubleshootd_t:process signull;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
@@ -107,8 +123,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an setroubleshoot environment.
+##	Dontaudit read/write to a setroubleshoot leaked sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`setroubleshoot_fixit_dontaudit_leaks',`
+	gen_require(`
+		type setroubleshoot_fixit_t;
+	')
+
+	dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
+	dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an setroubleshoot environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -119,12 +154,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
 #
 interface(`setroubleshoot_admin',`
 	gen_require(`
-		type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t;
-		type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+		type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
+		type setroubleshoot_var_lib_t;
 	')
 
-	allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t })
+	allow $1 setroubleshootd_t:process signal_perms;
+	ps_process_pattern($1, setroubleshootd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 setroubleshootd_t:process ptrace;
+	')
 
 	logging_list_logs($1)
 	admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
index ce6793506e..130eca9f16 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
 
 type setroubleshootd_t alias setroubleshoot_t;
 type setroubleshootd_exec_t;
-init_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+domain_type(setroubleshootd_t)
+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
 
 type setroubleshoot_fixit_t;
 type setroubleshoot_fixit_exec_t;
-init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
 
 type setroubleshoot_var_lib_t;
 files_type(setroubleshoot_var_lib_t)
 
+# log files
 type setroubleshoot_var_log_t;
 logging_log_file(setroubleshoot_var_log_t)
 
+# pid files
 type setroubleshoot_var_run_t;
 files_pid_file(setroubleshoot_var_run_t)
 
 ########################################
 #
-# Local policy
+# setroubleshootd local policy
 #
 
-allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
-allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
+allow setroubleshootd_t self:capability { sys_nice sys_ptrace sys_tty_config };
+dontaudit setroubleshootd_t self:capability net_admin;
+
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
+allow setroubleshootd_t self:process { execmem execstack };
 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
-allow setroubleshootd_t self:tcp_socket { accept listen };
-allow setroubleshootd_t self:unix_stream_socket { accept connectto listen };
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
 
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
 manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
 files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir })
 
-allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms;
-append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
-create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
-setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+# log files
+allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr;
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
 manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
 logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
 
+# pid file
 manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
 manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
 manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t)
 kernel_read_network_state(setroubleshootd_t)
 kernel_dontaudit_list_all_proc(setroubleshootd_t)
 kernel_read_irq_sysctls(setroubleshootd_t)
+kernel_read_rpc_sysctls(setroubleshootd_t)
 kernel_read_unlabeled_state(setroubleshootd_t)
 
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
 corecmd_read_all_executables(setroubleshootd_t)
 
-corenet_all_recvfrom_unlabeled(setroubleshootd_t)
 corenet_all_recvfrom_netlabel(setroubleshootd_t)
 corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
 corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
-
-corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
+corenet_tcp_bind_generic_node(setroubleshootd_t)
 corenet_tcp_connect_smtp_port(setroubleshootd_t)
-corenet_tcp_sendrecv_smtp_port(setroubleshootd_t)
+corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
 
 dev_read_urand(setroubleshootd_t)
 dev_read_sysfs(setroubleshootd_t)
@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
 dev_getattr_all_chr_files(setroubleshootd_t)
 dev_getattr_mtrr_dev(setroubleshootd_t)
 
-domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+domain_read_all_domains_state(setroubleshootd_t)
 domain_signull_all_domains(setroubleshootd_t)
 
-files_read_usr_files(setroubleshootd_t)
 files_list_all(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
 files_getattr_all_pipes(setroubleshootd_t)
@@ -109,37 +117,42 @@ init_read_utmp(setroubleshootd_t)
 init_dontaudit_write_utmp(setroubleshootd_t)
 
 libs_exec_ld_so(setroubleshootd_t)
+libs_exec_ldconfig(setroubleshootd_t)
 
 locallogin_dontaudit_use_fds(setroubleshootd_t)
 
 logging_send_audit_msgs(setroubleshootd_t)
 logging_send_syslog_msg(setroubleshootd_t)
 logging_stream_connect_dispatcher(setroubleshootd_t)
+logging_stream_connect_syslog(setroubleshootd_t)
 
-miscfiles_read_localization(setroubleshootd_t)
-
+seutil_read_bin_policy(setroubleshootd_t)
 seutil_read_config(setroubleshootd_t)
+seutil_read_default_contexts(setroubleshootd_t)
 seutil_read_file_contexts(setroubleshootd_t)
-seutil_read_bin_policy(setroubleshootd_t)
 
 userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
 
 optional_policy(`
-	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
-
-	optional_policy(`
-		abrt_dbus_chat(setroubleshootd_t)
-	')
+	abrt_dbus_chat(setroubleshootd_t)
 ')
 
 optional_policy(`
 	locate_read_lib_files(setroubleshootd_t)
 ')
 
+optional_policy(`
+	mock_getattr_lib(setroubleshootd_t)
+')
+
 optional_policy(`
 	modutils_read_module_config(setroubleshootd_t)
 ')
 
+optional_policy(`
+	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+')
+
 optional_policy(`
 	rpm_exec(setroubleshootd_t)
 	rpm_signull(setroubleshootd_t)
@@ -150,26 +163,36 @@ optional_policy(`
 
 ########################################
 #
-# Fixit local policy
+# setroubleshoot_fixit local policy
 #
 
 allow setroubleshoot_fixit_t self:capability sys_nice;
 allow setroubleshoot_fixit_t self:process { setsched getsched };
+dontaudit setroubleshoot_fixit_t self:process execmem;
 allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
 
 allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
 
+setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
 setroubleshoot_stream_connect(setroubleshoot_fixit_t)
 
 kernel_read_system_state(setroubleshoot_fixit_t)
+kernel_read_network_state(setroubleshoot_fixit_t)
 
 corecmd_exec_bin(setroubleshoot_fixit_t)
 corecmd_exec_shell(setroubleshoot_fixit_t)
 corecmd_getattr_all_executables(setroubleshoot_fixit_t)
 
+dev_read_sysfs(setroubleshoot_fixit_t)
+dev_read_urand(setroubleshoot_fixit_t)
+
+selinux_read_policy(setroubleshoot_fixit_t)
+
 seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+seutil_read_module_store(setroubleshoot_fixit_t)
 
-files_read_usr_files(setroubleshoot_fixit_t)
 files_list_tmp(setroubleshoot_fixit_t)
 
 auth_use_nsswitch(setroubleshoot_fixit_t)
@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
 logging_send_audit_msgs(setroubleshoot_fixit_t)
 logging_send_syslog_msg(setroubleshoot_fixit_t)
 
-miscfiles_read_localization(setroubleshoot_fixit_t)
-
-userdom_read_all_users_state(setroubleshoot_fixit_t)
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
 userdom_signull_unpriv_users(setroubleshoot_fixit_t)
 
 optional_policy(`
 	dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
-	setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+')
 
-	optional_policy(`
-		policykit_dbus_chat(setroubleshoot_fixit_t)
-	')
+optional_policy(`
+	gnome_dontaudit_search_config(setroubleshoot_fixit_t)
 ')
 
 optional_policy(`
+	rpm_exec(setroubleshoot_fixit_t)
 	rpm_signull(setroubleshoot_fixit_t)
 	rpm_read_db(setroubleshoot_fixit_t)
 	rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
 	rpm_use_script_fds(setroubleshoot_fixit_t)
 ')
+
+optional_policy(`
+	policykit_dbus_chat(setroubleshoot_fixit_t)
+	userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
diff --git a/sge.fc b/sge.fc
new file mode 100644
index 0000000000..160ddc2b8a
--- /dev/null
+++ b/sge.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/sge_execd	--	gen_context(system_u:object_r:sge_execd_exec_t,s0)
+/usr/bin/sge_shepherd  --  gen_context(system_u:object_r:sge_shepherd_exec_t,s0)
+
+/var/spool/gridengine(/.*)?       gen_context(system_u:object_r:sge_spool_t,s0)
+
diff --git a/sge.if b/sge.if
new file mode 100644
index 0000000000..30f0ec3526
--- /dev/null
+++ b/sge.if
@@ -0,0 +1,43 @@
+## <summary>Policy for gridengine MPI jobs</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  sge domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`sge_basic_types_template',`
+    gen_require(`
+        attribute sge_domain;
+    ')
+
+    type $1_t, sge_domain;
+    type $1_exec_t;
+
+	kernel_read_system_state($1_t)
+')
+
+########################################
+## <summary>
+##	read/write sge_shepherd per tcp_socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sge_rw_tcp_sockets',`
+	gen_require(`
+		type sge_shepherd_t;
+		type sge_job_ssh_t;
+	')
+
+	allow $1 sge_shepherd_t:tcp_socket rw_socket_perms;
+	allow $1 sge_job_ssh_t:tcp_socket rw_socket_perms;
+')
diff --git a/sge.te b/sge.te
new file mode 100644
index 0000000000..ba26713d2b
--- /dev/null
+++ b/sge.te
@@ -0,0 +1,203 @@
+policy_module(sge, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow sge to access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(sge_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow sge to connect to the network using any TCP port
+## </p>
+## </desc>
+gen_tunable(sge_domain_can_network_connect, false)
+
+attribute sge_domain;
+
+sge_basic_types_template(sge_execd)
+init_daemon_domain(sge_execd_t, sge_execd_exec_t)
+
+type sge_spool_t;
+files_type(sge_spool_t)
+
+type sge_tmp_t;
+files_tmp_file(sge_tmp_t)
+
+sge_basic_types_template(sge_shepherd)
+application_domain(sge_shepherd_t, sge_shepherd_exec_t)
+role system_r types sge_shepherd_t;
+
+sge_basic_types_template(sge_job)
+application_domain(sge_job_t, sge_job_exec_t)
+corecmd_shell_entry_type(sge_job_t)
+role system_r types sge_job_t;
+
+#######################################
+#
+# sge_execd local policy
+#
+
+allow sge_execd_t self:capability { dac_read_search dac_override kill setuid chown setgid };
+allow sge_execd_t self:process { setsched signal setpgid };
+
+allow sge_execd_t sge_shepherd_t:process signal;
+
+
+relabelfrom_files_pattern(sge_execd_t, sge_tmp_t, sge_tmp_t)
+
+kernel_read_kernel_sysctls(sge_execd_t)
+
+corenet_tcp_bind_sge_port(sge_execd_t)
+corenet_tcp_connect_sge_port(sge_execd_t)
+
+dev_read_sysfs(sge_execd_t)
+
+files_exec_usr_files(sge_execd_t)
+files_search_spool(sge_execd_t)
+
+fs_getattr_xattr_fs(sge_execd_t)
+fs_read_cgroup_files(sge_execd_t)
+
+auth_use_nsswitch(sge_execd_t)
+
+libs_exec_ld_so(sge_execd_t)
+
+logging_send_syslog_msg(sge_execd_t)
+
+init_read_utmp(sge_execd_t)
+
+userdom_relabel_user_tmp_files(sge_execd_t)
+
+optional_policy(`
+	sendmail_domtrans(sge_execd_t)
+')
+
+######################################
+#
+# sge_shepherd local policy
+#
+
+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search dac_override };
+allow sge_shepherd_t self:process { setsched setrlimit setpgid };
+allow sge_shepherd_t self:process signal_perms;
+
+domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
+
+kernel_read_sysctl(sge_shepherd_t)
+kernel_read_kernel_sysctls(sge_shepherd_t)
+
+dev_read_sysfs(sge_shepherd_t)
+
+fs_getattr_all_fs(sge_shepherd_t)
+
+logging_send_syslog_msg(sge_shepherd_t)
+
+optional_policy(`
+	mta_send_mail(sge_shepherd_t)
+')
+
+optional_policy(`
+	ssh_domtrans(sge_shepherd_t)
+')
+
+optional_policy(`
+	unconfined_domain(sge_shepherd_t)
+')
+
+#####################################
+#
+# sge_job local policy
+#
+
+allow sge_shepherd_t sge_job_t:process signal_perms;
+
+corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
+
+kernel_read_kernel_sysctls(sge_job_t)
+
+term_use_all_terms(sge_job_t)
+
+logging_send_syslog_msg(sge_job_t)
+
+optional_policy(`
+	ssh_basic_client_template(sge_job, sge_job_t, system_r)
+	ssh_domtrans(sge_job_t)
+
+	allow sge_job_t sge_job_ssh_t:process sigkill;
+	allow sge_shepherd_t sge_job_ssh_t:process sigkill;
+
+	xserver_exec_xauth(sge_job_ssh_t)
+
+        tunable_policy(`sge_use_nfs',`
+            fs_list_auto_mountpoints(sge_job_ssh_t)
+            fs_manage_nfs_dirs(sge_job_ssh_t)
+            fs_manage_nfs_files(sge_job_ssh_t)
+            fs_read_nfs_symlinks(sge_job_ssh_t)
+        ')
+	')
+
+optional_policy(`
+	xserver_domtrans_xauth(sge_job_t)
+')
+
+optional_policy(`
+	unconfined_domain(sge_job_t)
+')
+
+#####################################
+#
+# sge_domain local policy
+#
+
+allow sge_domain self:fifo_file rw_fifo_file_perms;
+allow sge_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
+manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
+manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
+
+manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+manage_lnk_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
+files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
+
+kernel_read_network_state(sge_domain)
+
+corecmd_exec_bin(sge_domain)
+corecmd_exec_shell(sge_domain)
+
+domain_read_all_domains_state(sge_domain)
+
+
+dev_read_urand(sge_domain)
+
+tunable_policy(`sge_domain_can_network_connect',`
+    corenet_tcp_connect_all_ports(sge_domain)
+')
+
+tunable_policy(`sge_use_nfs',`
+    fs_list_auto_mountpoints(sge_domain)
+	fs_manage_nfs_dirs(sge_domain)
+	fs_manage_nfs_files(sge_domain)
+	fs_read_nfs_symlinks(sge_domain)
+	fs_exec_nfs_files(sge_domain)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(sge_domain)
+')
+
+optional_policy(`
+    hostname_exec(sge_domain)
+')
+
+optional_policy(`
+	nslcd_stream_connect(sge_domain)
+')
diff --git a/shorewall.if b/shorewall.if
index 1aeef8ac39..d5ce40a96d 100644
--- a/shorewall.if
+++ b/shorewall.if
@@ -1,4 +1,4 @@
-## <summary>Shoreline Firewall high-level tool for configuring netfilter.</summary>
+## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
 
 ########################################
 ## <summary>
@@ -15,7 +15,6 @@ interface(`shorewall_domtrans',`
 		type shorewall_t, shorewall_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
 ')
 
@@ -34,13 +33,12 @@ interface(`shorewall_lib_domtrans',`
 		type shorewall_t, shorewall_var_lib_t;
 	')
 
-	files_search_var_lib($1)
 	domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
 ')
 
 #######################################
 ## <summary>
-##	Read shorewall configuration files.
+##	Read shorewall etc configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,47 +55,9 @@ interface(`shorewall_read_config',`
 	read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
 ')
 
-#######################################
-## <summary>
-##	Read shorewall pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`shorewall_read_pid_files',`
-	gen_require(`
-		type shorewall_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-#######################################
-## <summary>
-##	Read and write shorewall pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`shorewall_rw_pid_files',`
-	gen_require(`
-		type shorewall_var_run_t;
-	')
-
-	files_search_pids($1)
-	rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
 ######################################
 ## <summary>
-##	Read shorewall lib files.
+##      Read shorewall /var/lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -106,36 +66,38 @@ interface(`shorewall_rw_pid_files',`
 ## </param>
 #
 interface(`shorewall_read_lib_files',`
-	gen_require(`
+        gen_require(`
 		type shorewall_var_lib_t;
-	')
+       ')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
 ')
 
 #######################################
 ## <summary>
-##	Read and write shorewall lib files.
+##      Read and write shorewall /var/lib files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##      <summary>
+##      Domain allowed access.
+##      </summary>
 ## </param>
 #
 interface(`shorewall_rw_lib_files',`
-	gen_require(`
-		type shorewall_var_lib_t;
-	')
+        gen_require(`
+                type shorewall_var_lib_t;
+       ')
 
-	files_search_var_lib($1)
-	rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
 ')
 
 #######################################
 ## <summary>
-##	Read shorewall temporary files.
+##	Read shorewall tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -154,8 +116,8 @@ interface(`shorewall_read_tmp_files',`
 
 #######################################
 ## <summary>
-##	All of the rules required to
-##	administrate an shorewall environment.
+##	All of the rules required to administrate
+##	an shorewall environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -164,28 +126,30 @@ interface(`shorewall_read_tmp_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the syslog domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`shorewall_admin',`
 	gen_require(`
-		type shorewall_t, shorewall_lock_t, shorewall_log_t;
-		type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t;
+		type shorewall_t, shorewall_lock_t;
+		type shorewall_log_t;
+		type shorewall_initrc_exec_t, shorewall_var_lib_t;
 		type shorewall_tmp_t, shorewall_etc_t;
 	')
 
-	allow $1 shorewall_t:process { ptrace signal_perms };
+	allow $1 shorewall_t:process signal_perms;
 	ps_process_pattern($1, shorewall_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 shorewall_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 shorewall_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	can_exec($1, shorewall_exec_t)
-
 	files_list_etc($1)
 	admin_pattern($1, shorewall_etc_t)
 
diff --git a/shorewall.te b/shorewall.te
index 7710b9f76b..04af4ec4d0 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -32,8 +32,9 @@ logging_log_file(shorewall_log_t)
 # Local policy
 #
 
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
+allow shorewall_t self:capability { dac_read_search dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
 dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:process signal_perms;
 allow shorewall_t self:fifo_file rw_fifo_file_perms;
 allow shorewall_t self:netlink_socket create_socket_perms;
 
@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
 files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
 
 manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
 logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
 
 manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
@@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
 manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
 manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
 files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+allow shorewall_t shorewall_var_lib_t:file entrypoint;
+
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
 
 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
 
@@ -74,7 +76,6 @@ dev_read_urand(shorewall_t)
 domain_read_all_domains_state(shorewall_t)
 
 files_getattr_kernel_modules(shorewall_t)
-files_read_usr_files(shorewall_t)
 files_search_kernel_modules(shorewall_t)
 
 fs_getattr_all_fs(shorewall_t)
@@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t)
 logging_read_generic_logs(shorewall_t)
 logging_send_syslog_msg(shorewall_t)
 
-miscfiles_read_localization(shorewall_t)
-
 sysnet_domtrans_ifconfig(shorewall_t)
 
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
-userdom_use_user_terminals(shorewall_t)
+userdom_dontaudit_list_admin_dir(shorewall_t)
+userdom_use_inherited_user_ttys(shorewall_t)
+userdom_use_inherited_user_ptys(shorewall_t)
 
 optional_policy(`
 	brctl_domtrans(shorewall_t)
@@ -109,6 +109,10 @@ optional_policy(`
 	modutils_domtrans_insmod(shorewall_t)
 ')
 
+optional_policy(`
+	netutils_domtrans(shorewall_t)
+')
+
 optional_policy(`
 	ulogd_search_log(shorewall_t)
 ')
diff --git a/shutdown.fc b/shutdown.fc
index a91f33b0ff..631dbc1dc9 100644
--- a/shutdown.fc
+++ b/shutdown.fc
@@ -8,4 +8,4 @@
 
 /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 
-/var/run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
+/var/run/shutdown\.pid		--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/shutdown.if b/shutdown.if
index d1706bf87f..3aa7c9fd14 100644
--- a/shutdown.if
+++ b/shutdown.if
@@ -1,30 +1,4 @@
-## <summary>System shutdown command.</summary>
-
-########################################
-## <summary>
-##	Role access for shutdown.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`shutdown_role',`
-	gen_require(`
-		type shutdown_t;
-	')
-
-	shutdown_run($2, $1)
-
-	allow $2 shutdown_t:process { ptrace signal_perms };
-	ps_process_pattern($2, shutdown_t)
-')
+## <summary>System shutdown command</summary>
 
 ########################################
 ## <summary>
@@ -43,13 +17,27 @@ interface(`shutdown_domtrans',`
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+
+	init_reboot($1)
+	init_halt($1)
+
+	optional_policy(`
+		systemd_exec_systemctl($1)
+	init_reload_services($1)
+		init_stream_connect($1)
+		systemd_login_reboot($1)
+		systemd_login_halt($1)
+	')
+
+	ifdef(`hide_broken_symptoms', `
+		dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
+	')
 ')
 
 ########################################
 ## <summary>
-##	Execute shutdown in the shutdown
-##	domain, and allow the specified role
-##	the shutdown domain.
+##	Execute shutdown in the shutdown domain, and
+##	allow the specified role the shutdown domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -64,16 +52,62 @@ interface(`shutdown_domtrans',`
 #
 interface(`shutdown_run',`
 	gen_require(`
+		type shutdown_t;
 		attribute_role shutdown_roles;
 	')
 
-	shutdown_domtrans($1)
-	roleattribute $2 shutdown_roles;
+    shutdown_domtrans($1)
+    roleattribute $2 shutdown_roles;
 ')
 
 ########################################
 ## <summary>
-##	Send generic signals to shutdown.
+##	Role access for shutdown
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`shutdown_role',`
+	gen_require(`
+              type shutdown_t;
+	')
+
+    shutdown_run($2, $1)
+
+    allow $2 shutdown_t:process { ptrace signal_perms };
+    ps_process_pattern($2, shutdown_t)
+')
+
+########################################
+## <summary>
+##	Recieve sigchld from shutdown
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`shutdown_send_sigchld',`
+	gen_require(`
+              type shutdown_t;
+	')
+
+	allow shutdown_t $1:process signal;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	shutdown over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -81,17 +115,19 @@ interface(`shutdown_run',`
 ##	</summary>
 ## </param>
 #
-interface(`shutdown_signal',`
+interface(`shutdown_dbus_chat',`
 	gen_require(`
 		type shutdown_t;
+		class dbus send_msg;
 	')
 
-	allow shutdown_t $1:process signal;
+	allow $1 shutdown_t:dbus send_msg;
+	allow shutdown_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Get attributes of shutdown executable files.
+##	Get attributes of shutdown executable.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/shutdown.te b/shutdown.te
index e2544e147c..2196974f59 100644
--- a/shutdown.te
+++ b/shutdown.te
@@ -24,7 +24,7 @@ files_pid_file(shutdown_var_run_t)
 # Local policy
 #
 
-allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
+allow shutdown_t self:capability { dac_read_search dac_override kill setuid sys_nice sys_tty_config };
 allow shutdown_t self:process { setsched signal signull };
 allow shutdown_t self:fifo_file manage_fifo_file_perms;
 allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t)
 
 mls_file_write_to_clearance(shutdown_t)
 
-term_use_all_terms(shutdown_t)
+term_use_all_inherited_terms(shutdown_t)
 
 auth_use_nsswitch(shutdown_t)
 auth_write_login_records(shutdown_t)
@@ -56,8 +56,6 @@ init_telinit(shutdown_t)
 logging_search_logs(shutdown_t)
 logging_send_audit_msgs(shutdown_t)
 
-miscfiles_read_localization(shutdown_t)
-
 optional_policy(`
 	cron_system_entry(shutdown_t, shutdown_exec_t)
 ')
@@ -68,10 +66,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-	oddjob_dontaudit_rw_fifo_files(shutdown_t)
-	oddjob_sigchld(shutdown_t)
+    oddjob_dontaudit_rw_fifo_file(shutdown_t)
+    oddjob_sigchld(shutdown_t)
+')
+
+optional_policy(`
+	rhev_sigchld_agentd(shutdown_t)
 ')
 
 optional_policy(`
 	xserver_dontaudit_write_log(shutdown_t)
+	xserver_xdm_append_log(shutdown_t)
 ')
diff --git a/slocate.te b/slocate.te
index 7292dc0645..26fc8f4bc9 100644
--- a/slocate.te
+++ b/slocate.te
@@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t)
 dev_getattr_all_chr_files(locate_t)
 
 files_list_all(locate_t)
+files_list_isid_type_dirs(locate_t)
+files_getattr_isid_type(locate_t)
 files_dontaudit_read_all_symlinks(locate_t)
 files_getattr_all_files(locate_t)
+files_getattr_all_chr_files(locate_t)
+files_getattr_all_blk_files(locate_t)
 files_getattr_all_pipes(locate_t)
 files_getattr_all_sockets(locate_t)
 files_read_etc_runtime_files(locate_t)
@@ -62,7 +66,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
 
 auth_use_nsswitch(locate_t)
 
-miscfiles_read_localization(locate_t)
 
 ifdef(`enable_mls',`
 	files_dontaudit_getattr_all_dirs(locate_t)
@@ -71,3 +74,8 @@ ifdef(`enable_mls',`
 optional_policy(`
 	cron_system_entry(locate_t, locate_exec_t)
 ')
+
+optional_policy(`
+	mock_getattr_lib(locate_t)
+')
+
diff --git a/slpd.if b/slpd.if
index ca32e89463..98278dd2cd 100644
--- a/slpd.if
+++ b/slpd.if
@@ -1,5 +1,42 @@
 ## <summary>OpenSLP server daemon to dynamically register services.</summary>
 
+########################################
+## <summary>
+##	Transition to slpd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`slpd_domtrans',`
+	gen_require(`
+		type slpd_t, slpd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, slpd_exec_t, slpd_t)
+')
+
+########################################
+## <summary>
+##	Execute slpd server in the slpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`slpd_initrc_domtrans',`
+	gen_require(`
+		type slpd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, slpd_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -26,7 +63,7 @@ interface(`slpd_admin',`
 	allow $1 slpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, slpd_t)
 
-	init_labeled_script_domtrans($1, slpd_initrc_exec_t)
+	slpd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 slpd_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -36,4 +73,10 @@ interface(`slpd_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, slpd_var_run_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+
 ')
diff --git a/slpd.te b/slpd.te
index 731512a664..4ce76cd9c3 100644
--- a/slpd.te
+++ b/slpd.te
@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t)
 # Local policy
 #
 
-allow slpd_t self:capability { kill setgid setuid };
+allow slpd_t self:capability { kill net_admin setgid setuid };
 allow slpd_t self:process signal;
 allow slpd_t self:fifo_file rw_fifo_file_perms;
 allow slpd_t self:tcp_socket { accept listen };
@@ -35,6 +35,9 @@ logging_log_filetrans(slpd_t, slpd_log_t, file)
 manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
 files_pid_filetrans(slpd_t, slpd_var_run_t, file)
 
+kernel_read_system_state(slpd_t)
+kernel_read_network_state(slpd_t)
+
 corenet_all_recvfrom_unlabeled(slpd_t)
 corenet_all_recvfrom_netlabel(slpd_t)
 corenet_tcp_sendrecv_generic_if(slpd_t)
@@ -50,6 +53,12 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
 corenet_tcp_bind_svrloc_port(slpd_t)
 corenet_udp_bind_svrloc_port(slpd_t)
 
+corenet_udp_bind_dhcpc_port(slpd_t)
+
+dev_read_urand(slpd_t)
+
 auth_use_nsswitch(slpd_t)
 
-miscfiles_read_localization(slpd_t)
+logging_send_syslog_msg(slpd_t)
+
+sysnet_dns_name_resolve(slpd_t)
diff --git a/slrnpull.te b/slrnpull.te
index 59eb07fa94..4626942ae2 100644
--- a/slrnpull.te
+++ b/slrnpull.te
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
 files_pid_file(slrnpull_var_run_t)
 
 type slrnpull_spool_t;
-files_type(slrnpull_spool_t)
+files_spool_file(slrnpull_spool_t)
 
 type slrnpull_log_t;
 logging_log_file(slrnpull_log_t)
@@ -44,7 +44,6 @@ dev_read_sysfs(slrnpull_t)
 
 domain_use_interactive_fds(slrnpull_t)
 
-files_read_etc_files(slrnpull_t)
 files_search_spool(slrnpull_t)
 
 fs_getattr_all_fs(slrnpull_t)
@@ -52,8 +51,6 @@ fs_search_auto_mountpoints(slrnpull_t)
 
 logging_send_syslog_msg(slrnpull_t)
 
-miscfiles_read_localization(slrnpull_t)
-
 userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
 userdom_dontaudit_search_user_home_dirs(slrnpull_t)
 
diff --git a/smartmon.if b/smartmon.if
index e0644b5cfc..ea347ccd52 100644
--- a/smartmon.if
+++ b/smartmon.if
@@ -42,9 +42,13 @@ interface(`smartmon_admin',`
 		type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
 	')
 
-	allow $1 fsdaemon_t:process { ptrace signal_perms };
+	allow $1 fsdaemon_t:process signal_perms;
 	ps_process_pattern($1, fsdaemon_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 fsdaemon_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
index 9cf6582d27..052179c3fa 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin };
 dontaudit fsdaemon_t self:capability sys_tty_config;
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
 
 corecmd_exec_all_executables(fsdaemon_t)
 
+corenet_all_recvfrom_netlabel(fsdaemon_t)
+corenet_udp_sendrecv_generic_if(fsdaemon_t)
+corenet_udp_sendrecv_generic_node(fsdaemon_t)
+corenet_udp_sendrecv_all_ports(fsdaemon_t)
+
 dev_read_sysfs(fsdaemon_t)
 dev_read_urand(fsdaemon_t)
 
 domain_use_interactive_fds(fsdaemon_t)
 
 files_exec_etc_files(fsdaemon_t)
-files_read_etc_files(fsdaemon_t)
 files_read_etc_runtime_files(fsdaemon_t)
-files_read_usr_files(fsdaemon_t)
 
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
+fs_read_removable_files(fsdaemon_t)
 
 mls_file_read_all_levels(fsdaemon_t)
 
+storage_create_fixed_disk_dev(fsdaemon_t)
+storage_dev_filetrans_named_fixed_disk(fsdaemon_t)
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
 storage_raw_read_removable_device(fsdaemon_t)
@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t)
 
 term_dontaudit_search_ptys(fsdaemon_t)
 
-application_signull(fsdaemon_t)
+domain_signull_all_domains(fsdaemon_t)
+
+auth_read_passwd(fsdaemon_t)
 
 init_read_utmp(fsdaemon_t)
 
@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t)
 
 logging_send_syslog_msg(fsdaemon_t)
 
-miscfiles_read_localization(fsdaemon_t)
+seutil_sigchld_newrole(fsdaemon_t)
 
 sysnet_dns_name_resolve(fsdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
 userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
+userdom_use_user_terminals(fsdaemon_t)
 
 tunable_policy(`smartmon_3ware',`
 	allow fsdaemon_t self:process setfscreate;
@@ -116,9 +125,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(fsdaemon_t)
+	udev_read_db(fsdaemon_t)
 ')
 
 optional_policy(`
-	udev_read_db(fsdaemon_t)
+	virt_read_images(fsdaemon_t)
 ')
diff --git a/smokeping.fc b/smokeping.fc
index 335981945e..a231ecb561 100644
--- a/smokeping.fc
+++ b/smokeping.fc
@@ -2,7 +2,7 @@
 
 /usr/sbin/smokeping	--	gen_context(system_u:object_r:smokeping_exec_t,s0)
 
-/usr/share/smokeping/cgi(/.*)?	gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
+/usr/share/smokeping/cgi(/.*)?	gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0)
 
 /var/lib/smokeping(/.*)?	gen_context(system_u:object_r:smokeping_var_lib_t,s0)
 
diff --git a/smokeping.if b/smokeping.if
index 1fa51c11ff..82e111c80e 100644
--- a/smokeping.if
+++ b/smokeping.if
@@ -158,8 +158,11 @@ interface(`smokeping_admin',`
 		type smokeping_var_run_t;
 	')
 
-	allow $1 smokeping_t:process { ptrace signal_perms };
+	allow $1 smokeping_t:process signal_perms;
 	ps_process_pattern($1, smokeping_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 smokeping_t:process ptrace;
+	')
 
 	smokeping_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
index ec031a0310..61a9f8c081 100644
--- a/smokeping.te
+++ b/smokeping.te
@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
 #
 
 dontaudit smokeping_t self:capability { dac_read_search dac_override };
+allow smokeping_t self:process signal_perms;
 allow smokeping_t self:fifo_file rw_fifo_file_perms;
 allow smokeping_t self:unix_stream_socket { accept listen };
 
@@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t)
 
 dev_read_urand(smokeping_t)
 
-files_read_usr_files(smokeping_t)
 files_search_tmp(smokeping_t)
 
 auth_use_nsswitch(smokeping_t)
@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t)
 
 logging_send_syslog_msg(smokeping_t)
 
-miscfiles_read_localization(smokeping_t)
-
 mta_send_mail(smokeping_t)
 
 netutils_domtrans_ping(smokeping_t)
@@ -60,17 +58,22 @@ netutils_domtrans_ping(smokeping_t)
 
 optional_policy(`
 	apache_content_template(smokeping_cgi)
+	apache_content_alias_template(smokeping_cgi, smokeping_cgi)
+
+	manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+	manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+
+	getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
 
-	manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
-	manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+	files_read_etc_files(smokeping_cgi_script_t)
+	files_search_tmp(smokeping_cgi_script_t)
+	files_search_var_lib(smokeping_cgi_script_t)
 
-	getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+	auth_read_passwd(smokeping_cgi_script_t)
 
-	files_read_etc_files(httpd_smokeping_cgi_script_t)
-	files_search_tmp(httpd_smokeping_cgi_script_t)
-	files_search_var_lib(httpd_smokeping_cgi_script_t)
+	logging_send_syslog_msg(smokeping_cgi_script_t)
 
-	sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+	sysnet_dns_name_resolve(smokeping_cgi_script_t)
 
-	netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
+	netutils_domtrans_ping(smokeping_cgi_script_t)
 ')
diff --git a/smoltclient.te b/smoltclient.te
index b3f2c6f260..4e629a10bc 100644
--- a/smoltclient.te
+++ b/smoltclient.te
@@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t)
 
 corenet_sendrecv_http_client_packets(smoltclient_t)
 corenet_tcp_connect_http_port(smoltclient_t)
+corenet_tcp_connect_http_cache_port(smoltclient_t)
 corenet_tcp_sendrecv_http_port(smoltclient_t)
 
 dev_read_sysfs(smoltclient_t)
@@ -51,14 +52,12 @@ fs_list_auto_mountpoints(smoltclient_t)
 
 files_getattr_generic_locks(smoltclient_t)
 files_read_etc_runtime_files(smoltclient_t)
-files_read_usr_files(smoltclient_t)
 
 auth_use_nsswitch(smoltclient_t)
 
 logging_send_syslog_msg(smoltclient_t)
 
 miscfiles_read_hwdata(smoltclient_t)
-miscfiles_read_localization(smoltclient_t)
 
 optional_policy(`
 	abrt_stream_connect(smoltclient_t)
@@ -76,6 +75,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+    libs_exec_ldconfig(smoltclient_t)
+')
+
 optional_policy(`
 	rpm_exec(smoltclient_t)
 	rpm_read_db(smoltclient_t)
diff --git a/smsd.fc b/smsd.fc
new file mode 100644
index 0000000000..4c3fcec7da
--- /dev/null
+++ b/smsd.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/smsd	--	gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
+
+/usr/sbin/smsd		--	gen_context(system_u:object_r:smsd_exec_t,s0)
+
+/var/lib/smstools(/.*)?		gen_context(system_u:object_r:smsd_var_lib_t,s0)
+
+/var/log/smsd(/.*)?		gen_context(system_u:object_r:smsd_log_t,s0)
+
+/var/run/smsd(/.*)?		gen_context(system_u:object_r:smsd_var_run_t,s0)
+
+/var/spool/sms(/.*)?		gen_context(system_u:object_r:smsd_spool_t,s0)
diff --git a/smsd.if b/smsd.if
new file mode 100644
index 0000000000..52450c7003
--- /dev/null
+++ b/smsd.if
@@ -0,0 +1,240 @@
+## <summary>The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.</summary>
+
+########################################
+## <summary>
+##	Execute smsd in the smsd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`smsd_domtrans',`
+	gen_require(`
+		type smsd_t, smsd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, smsd_exec_t, smsd_t)
+')
+
+########################################
+## <summary>
+##	Execute smsd server in the smsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_initrc_domtrans',`
+	gen_require(`
+		type smsd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, smsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read smsd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_read_log',`
+	gen_require(`
+		type smsd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, smsd_log_t, smsd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to smsd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_append_log',`
+	gen_require(`
+		type smsd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, smsd_log_t, smsd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage smsd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_manage_log',`
+	gen_require(`
+		type smsd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, smsd_log_t, smsd_log_t)
+	manage_files_pattern($1, smsd_log_t, smsd_log_t)
+	manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t)
+')
+########################################
+## <summary>
+##	Read smsd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_read_pid_files',`
+	gen_require(`
+		type smsd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, smsd_var_run_t, smsd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Search smsd spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_search_spool',`
+	gen_require(`
+		type smsd_spool_t;
+	')
+
+	allow $1 smsd_spool_t:dir search_dir_perms;
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
+##	Read smsd spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_read_spool_files',`
+	gen_require(`
+		type smsd_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, smsd_spool_t, smsd_spool_t)
+')
+
+########################################
+## <summary>
+##	Manage smsd spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_manage_spool_files',`
+	gen_require(`
+		type smsd_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1, smsd_spool_t, smsd_spool_t)
+')
+
+########################################
+## <summary>
+##	Manage smsd spool dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smsd_manage_spool_dirs',`
+	gen_require(`
+		type smsd_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an smsd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`smsd_admin',`
+	gen_require(`
+		type smsd_t;
+		type smsd_initrc_exec_t;
+		type smsd_log_t;
+		type smsd_var_run_t;
+		type smsd_spool_t;
+	')
+
+	allow $1 smsd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, smsd_t)
+
+	smsd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 smsd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_search_logs($1)
+	admin_pattern($1, smsd_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, smsd_var_run_t)
+
+	files_search_spool($1)
+	admin_pattern($1, smsd_spool_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/smsd.te b/smsd.te
new file mode 100644
index 0000000000..1fad7b8dae
--- /dev/null
+++ b/smsd.te
@@ -0,0 +1,73 @@
+policy_module(smsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type smsd_t;
+type smsd_exec_t;
+init_daemon_domain(smsd_t, smsd_exec_t)
+
+type smsd_initrc_exec_t;
+init_script_file(smsd_initrc_exec_t)
+
+type smsd_log_t;
+logging_log_file(smsd_log_t)
+
+type smsd_var_lib_t;
+files_type(smsd_var_lib_t)
+
+type smsd_var_run_t;
+files_pid_file(smsd_var_run_t)
+
+type smsd_spool_t;
+files_type(smsd_spool_t)
+
+type smsd_tmp_t;
+files_tmp_file(smsd_tmp_t)
+
+########################################
+#
+# smsd local policy
+#
+
+allow smsd_t self:capability { kill setgid setuid };
+allow smsd_t self:process { fork signal };
+allow smsd_t self:fifo_file rw_fifo_file_perms;
+allow smsd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t)
+manage_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
+logging_log_filetrans(smsd_t, smsd_log_t, { dir })
+
+manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
+
+manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
+files_pid_filetrans(smsd_t, smsd_var_run_t, { dir })
+
+manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
+files_spool_filetrans(smsd_t, smsd_spool_t, { dir })
+can_exec(smsd_t, smsd_spool_t)
+
+manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
+manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
+files_tmp_filetrans(smsd_t, smsd_tmp_t, { file dir })
+
+kernel_read_system_state(smsd_t)
+kernel_read_kernel_sysctls(smsd_t)
+
+corecmd_exec_shell(smsd_t)
+
+auth_use_nsswitch(smsd_t)
+
+logging_send_syslog_msg(smsd_t)
+
+sysnet_dns_name_resolve(smsd_t)
diff --git a/smstools.if b/smstools.if
index cbfe369a69..6594af373d 100644
--- a/smstools.if
+++ b/smstools.if
@@ -1,5 +1,81 @@
 ## <summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary>
 
+#######################################
+## <summary>
+##  Search smsd lib directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`smsd_search_lib',`
+    gen_require(`
+            type smsd_var_lib_t;
+    ')
+
+    allow $1 smsd_var_lib_t:dir search_dir_perms;
+    files_search_var_lib($1)
+')
+
+#######################################
+## <summary>
+##  Read smsd lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`smsd_read_lib_files',`
+    gen_require(`
+        type smsd_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Manage smsd lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`smsd_manage_lib_files',`
+    gen_require(`
+        type smsd_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Manage smsd lib directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`smsd_manage_lib_dirs',`
+    gen_require(`
+        type smsd_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -32,7 +108,7 @@ interface(`smstools_admin',`
 	role_transition $2 smsd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_config($1)
+	files_search_etc($1)
 	admin_pattern($1, smsd_conf_t)
 
 	files_search_var_lib($1)
diff --git a/snapper.fc b/snapper.fc
new file mode 100644
index 0000000000..0a43846a86
--- /dev/null
+++ b/snapper.fc
@@ -0,0 +1,15 @@
+/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
+
+/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
+/etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
+
+/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
+
+/mnt/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+
+/usr/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+/var/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+/etc/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+/home/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+/home/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
diff --git a/snapper.if b/snapper.if
new file mode 100644
index 0000000000..6e3a54de7f
--- /dev/null
+++ b/snapper.if
@@ -0,0 +1,81 @@
+
+## <summary>policy for snapperd</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the snapperd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`snapper_domtrans',`
+	gen_require(`
+		type snapperd_t, snapperd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, snapperd_exec_t, snapperd_t)
+    allow $1 snapperd_exec_t:file map;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	snapperd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snapper_dbus_chat',`
+	gen_require(`
+		type snapperd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 snapperd_t:dbus send_msg;
+	allow snapperd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Allow a domain to read inherited snapper pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snapper_read_inherited_pipe',`
+	gen_require(`
+		type snapperd_t;
+	')
+
+	allow $1 snapperd_t:fifo_file read_inherited_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow domain to create .smapshot
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`snapper_filetrans_named_content',`
+
+    gen_require(`
+        type snapperd_data_t;
+    ')
+    
+    files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")
+')
+
diff --git a/snapper.te b/snapper.te
new file mode 100644
index 0000000000..5be6d3542b
--- /dev/null
+++ b/snapper.te
@@ -0,0 +1,88 @@
+policy_module(snapper, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type snapperd_t;
+type snapperd_exec_t;
+init_daemon_domain(snapperd_t, snapperd_exec_t)
+
+type snapperd_log_t;
+logging_log_file(snapperd_log_t)
+
+type snapperd_conf_t;
+files_config_file(snapperd_conf_t)
+
+type snapperd_data_t;
+files_type(snapperd_data_t)
+
+########################################
+#
+# snapperd local policy
+#
+allow snapperd_t self:capability { dac_read_search dac_override fowner sys_admin };
+allow snapperd_t self:process setsched;
+
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t)
+logging_log_filetrans(snapperd_t, snapperd_log_t, file)
+
+manage_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
+manage_dirs_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
+manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
+
+manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+allow snapperd_t snapperd_data_t:file relabelfrom;
+allow snapperd_t snapperd_data_t:dir { relabelfrom relabelto mounton };
+snapper_filetrans_named_content(snapperd_t)
+
+kernel_setsched(snapperd_t)
+
+domain_read_all_domains_state(snapperd_t)
+
+corecmd_exec_shell(snapperd_t)
+corecmd_exec_bin(snapperd_t)
+
+files_write_all_dirs(snapperd_t)
+files_setattr_all_mountpoints(snapperd_t)
+files_relabelto_all_mountpoints(snapperd_t)
+files_relabelfrom_isid_type(snapperd_t)
+files_read_all_files(snapperd_t)
+files_read_all_symlinks(snapperd_t)
+files_list_all(snapperd_t)
+files_manage_isid_type_dirs(snapperd_t)
+files_manage_non_security_dirs(snapperd_t)
+files_relabel_non_security_files(snapperd_t)
+
+fs_getattr_all_fs(snapperd_t)
+fs_mount_xattr_fs(snapperd_t)
+fs_unmount_xattr_fs(snapperd_t)
+
+storage_raw_read_fixed_disk(snapperd_t)
+
+auth_use_nsswitch(snapperd_t)
+
+optional_policy(`
+    cron_system_entry(snapperd_t, snapperd_exec_t)
+')
+
+optional_policy(`
+    dbus_system_domain(snapperd_t, snapperd_exec_t)
+	dbus_system_bus_client(snapperd_t)
+	dbus_connect_system_bus(snapperd_t)
+')
+
+optional_policy(`
+    mount_domtrans(snapperd_t)
+')
+
+optional_policy(`
+    lvm_domtrans(snapperd_t)
+')
+
diff --git a/snmp.fc b/snmp.fc
index 2f0a2f2059..1569e33695 100644
--- a/snmp.fc
+++ b/snmp.fc
@@ -1,6 +1,6 @@
 /etc/rc\.d/init\.d/(snmpd|snmptrapd)	--	gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
 
-/usr/sbin/snmptrap	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/sbin/snmpd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
 /usr/sbin/snmptrapd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
 
 /usr/share/snmp/mibs/\.index	--	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
@@ -10,9 +10,12 @@
 
 /var/lib/net-snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 /var/lib/snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/spool/snmptt(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 
 /var/log/snmpd\.log.*	--	gen_context(system_u:object_r:snmpd_log_t,s0)
 
-/var/run/net-snmpd(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
-/var/run/snmpd(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+/var/run/net-snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
 /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/snmp.if b/snmp.if
index 7a9cc9df74..6085a4160d 100644
--- a/snmp.if
+++ b/snmp.if
@@ -1,5 +1,23 @@
 ## <summary>Simple network management protocol services.</summary>
 
+########################################
+## <summary>
+##	Send null signals to snmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snmp_signull',`
+	gen_require(`
+		type snmpd_t;
+	')
+
+	allow $1 snmpd_t:process signull;
+')
+
 ########################################
 ## <summary>
 ##	Connect to snmpd with a unix
@@ -57,8 +75,7 @@ interface(`snmp_udp_chat',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	snmp lib directories.
+##	Read snmpd lib content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -66,19 +83,57 @@ interface(`snmp_udp_chat',`
 ##	</summary>
 ## </param>
 #
-interface(`snmp_manage_var_lib_dirs',`
+interface(`snmp_read_snmp_var_lib_files',`
 	gen_require(`
 		type snmpd_var_lib_t;
 	')
 
 	files_search_var_lib($1)
+	allow $1 snmpd_var_lib_t:dir list_dir_perms;
+	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Read snmpd libraries directories
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`snmp_read_snmp_var_lib_dirs',`
+    gen_require(`
+        type snmpd_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    allow $1 snmpd_var_lib_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Manage snmpd libraries directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`snmp_manage_var_lib_dirs',`
+	gen_require(`
+		type snmpd_var_lib_t;
+	')
+
 	allow $1 snmpd_var_lib_t:dir manage_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	snmp lib files.
+##	Manage snmpd libraries.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -98,7 +153,7 @@ interface(`snmp_manage_var_lib_files',`
 
 ########################################
 ## <summary>
-##	Read snmpd lib content.
+##	Manage snmpd libraries.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -106,14 +161,35 @@ interface(`snmp_manage_var_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`snmp_read_snmp_var_lib_files',`
+interface(`snmp_manage_var_lib_sock_files',`
 	gen_require(`
 		type snmpd_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	allow $1 snmpd_var_lib_t:dir list_dir_perms;
-	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+	manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to manage
+##	snmpd lib content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`snmp_dontaudit_manage_snmp_var_lib_files',`
+	gen_require(`
+		type snmpd_var_lib_t;
+	')
+
+	dontaudit $1 snmpd_var_lib_t:dir manage_dir_perms;
+	dontaudit $1 snmpd_var_lib_t:file manage_file_perms;
+	dontaudit $1 snmpd_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
@@ -179,8 +255,12 @@ interface(`snmp_admin',`
 		type snmpd_var_lib_t, snmpd_var_run_t;
 	')
 
-	allow $1 snmpd_t:process { ptrace signal_perms };
+	allow $1 snmpd_t:process signal_perms;
+
 	ps_process_pattern($1, snmpd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 snmpd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
index 9dcaeb8757..e8446db05e 100644
--- a/snmp.te
+++ b/snmp.te
@@ -26,15 +26,17 @@ files_type(snmpd_var_lib_t)
 # Local policy
 #
 
-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+allow snmpd_t self:capability { chown dac_read_search dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
 allow snmpd_t self:process { signal_perms getsched setsched };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
-allow snmpd_t self:unix_stream_socket { accept connectto listen };
-allow snmpd_t self:tcp_socket { accept listen };
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
 allow snmpd_t self:udp_socket connected_stream_socket_perms;
 
-allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)
 logging_log_filetrans(snmpd_t, snmpd_log_t, file)
 
 manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
@@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t)
 kernel_read_fs_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
 kernel_read_network_state(snmpd_t)
+kernel_read_proc_symlinks(snmpd_t)
+kernel_read_all_proc(snmpd_t)
 kernel_read_system_state(snmpd_t)
 
 corecmd_exec_bin(snmpd_t)
 corecmd_exec_shell(snmpd_t)
 
-corenet_all_recvfrom_unlabeled(snmpd_t)
 corenet_all_recvfrom_netlabel(snmpd_t)
 corenet_tcp_sendrecv_generic_if(snmpd_t)
 corenet_udp_sendrecv_generic_if(snmpd_t)
@@ -75,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t)
 corenet_tcp_sendrecv_snmp_port(snmpd_t)
 corenet_udp_sendrecv_snmp_port(snmpd_t)
 
-corenet_sendrecv_snmp_client_packets(snmpd_t)
 corenet_tcp_connect_agentx_port(snmpd_t)
-corenet_sendrecv_snmp_server_packets(snmpd_t)
 corenet_tcp_bind_agentx_port(snmpd_t)
 corenet_udp_bind_agentx_port(snmpd_t)
 corenet_tcp_sendrecv_agentx_port(snmpd_t)
@@ -94,7 +95,6 @@ domain_signull_all_domains(snmpd_t)
 domain_read_all_domains_state(snmpd_t)
 domain_exec_all_entry_files(snmpd_t)
 
-files_read_usr_files(snmpd_t)
 files_read_etc_runtime_files(snmpd_t)
 files_search_home(snmpd_t)
 
@@ -107,15 +107,19 @@ fs_search_auto_mountpoints(snmpd_t)
 storage_dontaudit_read_fixed_disk(snmpd_t)
 storage_dontaudit_read_removable_device(snmpd_t)
 storage_dontaudit_write_removable_device(snmpd_t)
+storage_getattr_fixed_disk_dev(snmpd_t)
+storage_getattr_removable_dev(snmpd_t)
 
 auth_use_nsswitch(snmpd_t)
 
 init_read_utmp(snmpd_t)
 init_dontaudit_write_utmp(snmpd_t)
+# need write to /var/run/systemd/notify
+init_write_pid_socket(snmpd_t)
 
 logging_send_syslog_msg(snmpd_t)
 
-miscfiles_read_localization(snmpd_t)
+sysnet_read_config(snmpd_t)
 
 seutil_dontaudit_search_config(snmpd_t)
 
@@ -131,7 +135,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	corosync_stream_connect(snmpd_t)
+    fstools_domtrans(snmpd_t)
+')
+
+optional_policy(`
+	rhcs_stream_connect_cluster(snmpd_t)
 ')
 
 optional_policy(`
@@ -140,6 +148,7 @@ optional_policy(`
 
 optional_policy(`
 	mta_read_config(snmpd_t)
+    mta_read_aliases(snmpd_t)
 	mta_search_queue(snmpd_t)
 ')
 
diff --git a/snort.if b/snort.if
index 7d86b34857..5f581804e2 100644
--- a/snort.if
+++ b/snort.if
@@ -42,8 +42,11 @@ interface(`snort_admin',`
 		type snort_etc_t, snort_initrc_exec_t;
 	')
 
-	allow $1 snort_t:process { ptrace signal_perms };
+	allow $1 snort_t:process signal_perms;
 	ps_process_pattern($1, snort_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 snort_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, snort_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -51,11 +54,11 @@ interface(`snort_admin',`
 	allow $2 system_r;
 
 	admin_pattern($1, snort_etc_t)
-	files_search_etc($1)
+	files_list_etc($1)
 
 	admin_pattern($1, snort_log_t)
-	logging_search_logs($1)
+	logging_list_logs($1)
 
 	admin_pattern($1, snort_var_run_t)
-	files_search_pids($1)
+	files_list_pids($1)
 ')
diff --git a/snort.te b/snort.te
index 1af72df55e..d545f2aea9 100644
--- a/snort.te
+++ b/snort.te
@@ -29,13 +29,16 @@ files_pid_file(snort_var_run_t)
 # Local policy
 #
 
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search dac_override };
 dontaudit snort_t self:capability sys_tty_config;
 allow snort_t self:process signal_perms;
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
 allow snort_t self:netlink_socket create_socket_perms;
-allow snort_t self:tcp_socket { accept listen };
+allow snort_t self:tcp_socket create_stream_socket_perms;
+allow snort_t self:udp_socket create_socket_perms;
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
+# Snort IPS node. unverified.
 allow snort_t self:netlink_firewall_socket create_socket_perms;
 
 allow snort_t snort_etc_t:dir list_dir_perms;
@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms;
 allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
-append_files_pattern(snort_t, snort_log_t, snort_log_t)
-create_files_pattern(snort_t, snort_log_t, snort_log_t)
-setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
+manage_files_pattern(snort_t, snort_log_t, snort_log_t)
 logging_log_filetrans(snort_t, snort_log_t, { file dir })
 
 manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
 kernel_read_network_state(snort_t)
 
-corenet_all_recvfrom_unlabeled(snort_t)
 corenet_all_recvfrom_netlabel(snort_t)
 corenet_tcp_sendrecv_generic_if(snort_t)
 corenet_udp_sendrecv_generic_if(snort_t)
@@ -86,18 +86,19 @@ dev_rw_generic_usb_dev(snort_t)
 
 domain_use_interactive_fds(snort_t)
 
-files_read_etc_files(snort_t)
 files_dontaudit_read_etc_runtime_files(snort_t)
 
 fs_getattr_all_fs(snort_t)
 fs_search_auto_mountpoints(snort_t)
 
+auth_read_passwd(snort_t)
+
+auth_use_nsswitch(snort_t)
+
 init_read_utmp(snort_t)
 
 logging_send_syslog_msg(snort_t)
 
-miscfiles_read_localization(snort_t)
-
 sysnet_dns_name_resolve(snort_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snort_t)
diff --git a/sosreport.if b/sosreport.if
index 634c6b4fa5..f6db7a796d 100644
--- a/sosreport.if
+++ b/sosreport.if
@@ -42,7 +42,7 @@ interface(`sosreport_run',`
 	')
 
 	sosreport_domtrans($1)
-	roleattribute $2 sospreport_roles;
+	roleattribute $2 sosreport_roles;
 ')
 
 ########################################
@@ -127,3 +127,22 @@ interface(`sosreport_delete_tmp_files',`
 	files_delete_tmp_dir_entry($1)
 	delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Send a null signal to sosreport.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sosreport_signull',`
+	gen_require(`
+		type sosreport_t;
+	')
+
+	allow $1 sosreport_t:process signull;
+')
+
diff --git a/sosreport.te b/sosreport.te
index f2f507dae3..ff7df2c9d3 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -13,15 +13,15 @@ type sosreport_exec_t;
 application_domain(sosreport_t, sosreport_exec_t)
 role sosreport_roles types sosreport_t;
 
-type sosreport_var_run_t;
-files_pid_file(sosreport_var_run_t)
-
 type sosreport_tmp_t;
 files_tmp_file(sosreport_tmp_t)
 
 type sosreport_tmpfs_t;
 files_tmpfs_file(sosreport_tmpfs_t)
 
+type sosreport_var_run_t;
+files_pid_file(sosreport_var_run_t)
+
 optional_policy(`
 	pulseaudio_tmpfs_content(sosreport_tmpfs_t)
 ')
@@ -31,12 +31,14 @@ optional_policy(`
 # Local policy
 #
 
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search dac_override };
 dontaudit sosreport_t self:capability sys_ptrace;
-allow sosreport_t self:process { setsched signull };
+allow sosreport_t self:process { setpgid setsched signal_perms };
 allow sosreport_t self:fifo_file rw_fifo_file_perms;
 allow sosreport_t self:tcp_socket { accept listen };
 allow sosreport_t self:unix_stream_socket { accept listen };
+allow sosreport_t self:rawip_socket create_socket_perms;
+allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
 manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
@@ -44,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
 files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
 files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
 
+manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
+files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
+
 manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
 fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
 
@@ -58,6 +66,18 @@ kernel_read_all_sysctls(sosreport_t)
 kernel_read_software_raid_state(sosreport_t)
 kernel_search_debugfs(sosreport_t)
 kernel_read_messages(sosreport_t)
+kernel_request_load_module(sosreport_t)
+
+corenet_all_recvfrom_netlabel(sosreport_t)
+corenet_tcp_sendrecv_generic_if(sosreport_t)
+corenet_tcp_sendrecv_generic_node(sosreport_t)
+corenet_tcp_sendrecv_generic_port(sosreport_t)
+corenet_tcp_bind_generic_node(sosreport_t)
+corenet_tcp_bind_all_rpc_ports(sosreport_t)
+corenet_udp_bind_all_rpc_ports(sosreport_t)
+corenet_tcp_connect_http_port(sosreport_t)
+corenet_tcp_connect_all_ports(sosreport_t)
+corenet_sendrecv_http_client_packets(sosreport_t)
 
 corecmd_exec_all_executables(sosreport_t)
 
@@ -69,6 +89,9 @@ dev_read_urand(sosreport_t)
 dev_read_raw_memory(sosreport_t)
 dev_read_sysfs(sosreport_t)
 dev_rw_generic_usb_dev(sosreport_t)
+dev_rw_lvm_control(sosreport_t)
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
 
 domain_getattr_all_domains(sosreport_t)
 domain_read_all_domains_state(sosreport_t)
@@ -83,7 +106,6 @@ files_list_all(sosreport_t)
 files_read_config_files(sosreport_t)
 files_read_generic_tmp_files(sosreport_t)
 files_read_non_auth_files(sosreport_t)
-files_read_usr_files(sosreport_t)
 files_read_var_lib_files(sosreport_t)
 files_read_var_symlinks(sosreport_t)
 files_read_kernel_modules(sosreport_t)
@@ -92,25 +114,35 @@ files_manage_etc_runtime_files(sosreport_t)
 files_etc_filetrans_etc_runtime(sosreport_t, file)
 
 fs_getattr_all_fs(sosreport_t)
+fs_getattr_all_dirs(sosreport_t)
 fs_list_inotifyfs(sosreport_t)
 
 storage_dontaudit_read_fixed_disk(sosreport_t)
 storage_dontaudit_read_removable_device(sosreport_t)
 
+term_getattr_pty_fs(sosreport_t)
+term_getattr_all_ptys(sosreport_t)
 term_use_generic_ptys(sosreport_t)
 
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
+files_read_non_security_files(sosreport_t)
+
 auth_use_nsswitch(sosreport_t)
+auth_dontaudit_read_shadow(sosreport_t)
 
 init_domtrans_script(sosreport_t)
+init_getattr_initctl(sosreport_t)
+init_status(sosreport_t)
+init_stream_connect(sosreport_t)
 
 libs_domtrans_ldconfig(sosreport_t)
+libs_use_ld_so(sosreport_t)
 
 logging_read_all_logs(sosreport_t)
 logging_send_syslog_msg(sosreport_t)
 
-miscfiles_read_localization(sosreport_t)
-
-modutils_read_module_deps(sosreport_t)
+sysnet_read_config(sosreport_t)
 
 optional_policy(`
 	abrt_manage_pid_files(sosreport_t)
@@ -118,6 +150,14 @@ optional_policy(`
 	abrt_stream_connect(sosreport_t)
 ')
 
+optional_policy(`
+    bootloader_exec(sosreport_t)
+')
+
+optional_policy(`
+	brctl_domtrans(sosreport_t)
+')
+
 optional_policy(`
 	cups_stream_connect(sosreport_t)
 ')
@@ -126,6 +166,20 @@ optional_policy(`
 	dmesg_domtrans(sosreport_t)
 ')
 
+optional_policy(`
+	iptables_domtrans(sosreport_t)
+')
+
+optional_policy(`
+    lvm_read_config(sosreport_t)
+    lvm_dontaudit_access_check_lock(sosreport_t)
+')
+
+optional_policy(`
+	# needed by modinfo
+	modutils_read_module_deps(sosreport_t)
+')
+
 optional_policy(`
 	fstools_domtrans(sosreport_t)
 ')
@@ -136,6 +190,14 @@ optional_policy(`
 	optional_policy(`
 		hal_dbus_chat(sosreport_t)
 	')
+
+    optional_policy(`
+        rpm_dbus_chat(sosreport_t)
+    ')
+
+    optional_policy(`
+        networkmanager_dbus_chat(sosreport_t)
+    ')
 ')
 
 optional_policy(`
@@ -146,14 +208,40 @@ optional_policy(`
 	mount_domtrans(sosreport_t)
 ')
 
+optional_policy(`
+    prelink_domtrans(sosreport_t)
+')
+
 optional_policy(`
 	pulseaudio_run(sosreport_t, sosreport_roles)
 ')
 
 optional_policy(`
-	rpm_exec(sosreport_t)
-	rpm_dontaudit_manage_db(sosreport_t)
-	rpm_read_db(sosreport_t)
+    rhsmcertd_manage_lib_files(sosreport_t)
+    rhsmcertd_manage_pid_files(sosreport_t)
+')
+
+optional_policy(`
+    rpm_dontaudit_manage_db(sosreport_t)
+    rpm_manage_cache(sosreport_t)
+    rpm_manage_log(sosreport_t)
+    rpm_manage_pid_files(sosreport_t)
+    rpm_named_filetrans(sosreport_t)
+    rpm_read_db(sosreport_t)
+    rpm_signull(sosreport_t)
+')
+
+optional_policy(`
+    setroubleshoot_signull(sosreport_t)
+')
+
+optional_policy(`
+    systemd_dbus_chat_hostnamed(sosreport_t)
+')
+
+optional_policy(`
+    unconfined_signull(sosreport_t)
+    unconfined_domain(sosreport_t)
 ')
 
 optional_policy(`
diff --git a/soundserver.if b/soundserver.if
index a5abc5a8db..b9eff74cb8 100644
--- a/soundserver.if
+++ b/soundserver.if
@@ -38,9 +38,13 @@ interface(`soundserver_admin',`
 		type soundd_state_t;
 	')
 
-	allow $1 soundd_t:process { ptrace signal_perms };
+	allow $1 soundd_t:process signal_perms;
 	ps_process_pattern($1, soundd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 soundd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 soundd_initrc_exec_t system_r;
diff --git a/soundserver.te b/soundserver.te
index 0919e0c866..df28aadba4 100644
--- a/soundserver.te
+++ b/soundserver.te
@@ -32,7 +32,7 @@ files_pid_file(soundd_var_run_t)
 # Declarations
 #
 
-allow soundd_t self:capability dac_override;
+allow soundd_t self:capability { dac_read_search dac_override };
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
 allow soundd_t self:shm create_shm_perms;
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
 kernel_read_proc_symlinks(soundd_t)
 
-corenet_all_recvfrom_unlabeled(soundd_t)
 corenet_all_recvfrom_netlabel(soundd_t)
 corenet_tcp_sendrecv_generic_if(soundd_t)
 corenet_tcp_sendrecv_generic_node(soundd_t)
@@ -81,7 +80,6 @@ dev_write_sound(soundd_t)
 
 domain_use_interactive_fds(soundd_t)
 
-files_read_etc_files(soundd_t)
 files_read_etc_runtime_files(soundd_t)
 
 fs_getattr_all_fs(soundd_t)
@@ -89,8 +87,6 @@ fs_search_auto_mountpoints(soundd_t)
 
 logging_send_syslog_msg(soundd_t)
 
-miscfiles_read_localization(soundd_t)
-
 sysnet_read_config(soundd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(soundd_t)
diff --git a/spamassassin.fc b/spamassassin.fc
index e9bd097b79..5724bcf0f2 100644
--- a/spamassassin.fc
+++ b/spamassassin.fc
@@ -1,20 +1,27 @@
-HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
-HOME_DIR/\.spamd(/.*)?	gen_context(system_u:object_r:spamd_home_t,s0)
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.razor(/.*)?      gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.pyzor(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.razor(/.*)?     gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamd(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
 
 /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/spampd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/spampd    --  gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/mimedefang.*	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 
 /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamc	--	gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamd	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/sa-update	--	gen_context(system_u:object_r:spamd_update_exec_t,s0)
 
-/usr/sbin/spamd	--	gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/sbin/spampd	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spampd     --  gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/mimedefang	--	gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/mimedefang-multiplexor	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor --	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/libexec/mimedefang-wrapper --	gen_context(system_u:object_r:spamd_exec_t,s0)
 
 /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 /var/lib/spamassassin/compiled(/.*)?	gen_context(system_u:object_r:spamd_compiled_t,s0)
@@ -25,7 +32,22 @@ HOME_DIR/\.spamd(/.*)?	gen_context(system_u:object_r:spamd_home_t,s0)
 /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/spamd(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/spampd(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spampd(/.*)?      gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 /var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+/etc/pyzor(/.*)?		gen_context(system_u:object_r:spamd_etc_t, s0)
+/etc/razor(/.*)?        gen_context(system_u:object_r:spamd_etc_t,s0)
+/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+
+/usr/bin/razor.*    --  gen_context(system_u:object_r:spamc_exec_t,s0)
+
+/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/lib/razor(/.*)?        gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
+/var/log/pyzord\.log.*	--	gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/razor-agent\.log.*	--    gen_context(system_u:object_r:spamd_log_t,s0)
+
+/usr/bin/pyzor		--	gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/pyzord		--	gen_context(system_u:object_r:spamd_exec_t,s0)
diff --git a/spamassassin.if b/spamassassin.if
index 1499b0bbfe..e695a62f34 100644
--- a/spamassassin.if
+++ b/spamassassin.if
@@ -2,39 +2,45 @@
 
 ########################################
 ## <summary>
-##	Role access for spamassassin.
+##	Role access for spamassassin
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`spamassassin_role',`
 	gen_require(`
 		type spamc_t, spamc_exec_t, spamc_tmp_t;
-		type spamassassin_t, spamassassin_exec_t, spamd_home_t;
+		type spamassassin_t, spamassassin_exec_t;
 		type spamassassin_home_t, spamassassin_tmp_t;
 	')
 
 	role $1 types { spamc_t spamassassin_t };
 
 	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+
+	allow $2 spamassassin_t:process signal_perms;
+	ps_process_pattern($2, spamassassin_t)
+
 	domtrans_pattern($2, spamc_exec_t, spamc_t)
 
-	allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
-	ps_process_pattern($2, { spamc_t spamassassin_t })
+	allow $2 spamc_t:process signal_perms;
+	ps_process_pattern($2, spamc_t)
 
-	allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
-	userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
+	manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
 ')
 
 ########################################
@@ -53,13 +59,12 @@ interface(`spamassassin_exec',`
 		type spamassassin_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, spamassassin_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Send generic signals to spamd.
+##	Singnal the spam assassin daemon
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -77,7 +82,8 @@ interface(`spamassassin_signal_spamd',`
 
 ########################################
 ## <summary>
-##	Execute spamd in the caller domain.
+##	Execute the spamassassin daemon
+##	program in the caller directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -90,13 +96,12 @@ interface(`spamassassin_exec_spamd',`
 		type spamd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, spamd_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute spamc in the spamc domain.
+##	Execute spamassassin client in the spamassassin client domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -109,32 +114,13 @@ interface(`spamassassin_domtrans_client',`
 		type spamc_t, spamc_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, spamc_exec_t, spamc_t)
+	allow $1 spamc_exec_t:file ioctl;
 ')
 
 ########################################
 ## <summary>
-##	Execute spamc in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`spamassassin_exec_client',`
-	gen_require(`
-		type spamc_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, spamc_exec_t)
-')
-
-########################################
-## <summary>
-##	Send kill signals to spamc.
+##	Send kill signal to spamassassin client
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -152,28 +138,28 @@ interface(`spamassassin_kill_client',`
 
 ########################################
 ## <summary>
-##	Execute spamassassin standalone client
-##	in the user spamassassin domain.
+##	Manage spamc home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`spamassassin_domtrans_local_client',`
+interface(`spamassassin_manage_home_client',`
 	gen_require(`
-		type spamassassin_t, spamassassin_exec_t;
+		type spamc_home_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
+	userdom_search_user_home_dirs($1)
+	manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
+	manage_files_pattern($1, spamc_home_t, spamc_home_t)
+	manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	spamd home content.
+##	Read spamc home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -181,20 +167,21 @@ interface(`spamassassin_domtrans_local_client',`
 ##	</summary>
 ## </param>
 #
-interface(`spamassassin_manage_spamd_home_content',`
+interface(`spamassassin_read_home_client',`
 	gen_require(`
-		type spamd_home_t;
+		type spamc_home_t;
 	')
 
 	userdom_search_user_home_dirs($1)
-	allow $1 spamd_home_t:dir manage_dir_perms;
-	allow $1 spamd_home_t:file manage_file_perms;
-	allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
+	list_dirs_pattern($1, spamc_home_t, spamc_home_t)
+	read_files_pattern($1, spamc_home_t, spamc_home_t)
+	read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Relabel spamd home content.
+##	Execute the spamassassin client
+##	program in the caller directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -202,49 +189,35 @@ interface(`spamassassin_manage_spamd_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`spamassassin_relabel_spamd_home_content',`
+interface(`spamassassin_exec_client',`
 	gen_require(`
-		type spamd_home_t;
+		type spamc_exec_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 spamd_home_t:dir relabel_dir_perms;
-	allow $1 spamd_home_t:file relabel_file_perms;
-	allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
+	can_exec($1, spamc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the spamd home type.
+##	Execute spamassassin standalone client in the user spamassassin domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`spamassassin_home_filetrans_spamd_home',`
+interface(`spamassassin_domtrans_local_client',`
 	gen_require(`
-		type spamd_home_t;
+		type spamassassin_t, spamassassin_exec_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
+	domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
 ')
 
 ########################################
 ## <summary>
-##	Read spamd lib files.
+##	read spamd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -258,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
+	list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
 	read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+	read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
 ')
 
 ########################################
@@ -283,7 +258,7 @@ interface(`spamassassin_manage_lib_files',`
 
 ########################################
 ## <summary>
-##	Read spamd pid files.
+##	Read temporary spamd file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -291,56 +266,56 @@ interface(`spamassassin_manage_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`spamassassin_read_spamd_pid_files',`
+interface(`spamassassin_read_spamd_tmp_files',`
 	gen_require(`
-		type spamd_var_run_t;
+		type spamd_tmp_t;
 	')
 
-	files_search_pids($1)
-	read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
+	files_search_tmp($1)
+	allow $1 spamd_tmp_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read temporary spamd files.
+##	Do not audit attempts to get attributes of temporary
+##	spamd sockets/
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`spamassassin_read_spamd_tmp_files',`
+interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 	gen_require(`
 		type spamd_tmp_t;
 	')
 
-	allow $1 spamd_tmp_t:file read_file_perms;
+	dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get
-##	attributes of temporary spamd sockets.
+##	Connect to run spamd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed to connect.
 ##	</summary>
 ## </param>
 #
-interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+interface(`spamd_stream_connect',`
 	gen_require(`
-		type spamd_tmp_t;
+		type spamd_t, spamd_var_run_t;
 	')
 
-	dontaudit $1 spamd_tmp_t:sock_file getattr;
+	files_search_pids($1)
+	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to spamd with a unix
-##	domain stream socket.
+##	Read spamd pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -348,19 +323,62 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`spamassassin_stream_connect_spamd',`
+interface(`spamassassin_read_pid_files',`
 	gen_require(`
-		type spamd_t, spamd_var_run_t;
+		type spamd_var_run_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+	read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
 ')
 
+######################################
+## <summary>
+##  Transition to spamassassin named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`spamassassin_filetrans_home_content',`
+    gen_require(`
+        type spamc_home_t;
+    ')
+
+    userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
+    userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")
+    userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
+    userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
+')
+
+######################################
+## <summary>
+##  Transition to spamassassin named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`spamassassin_filetrans_admin_home_content',`
+    gen_require(`
+        type spamc_home_t;
+    ')
+
+    userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
+    userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")
+    userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
+    userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
+')
+
+
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an spamassassin environment.
+##	All of the rules required to administrate
+##	an spamassassin environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -369,20 +387,22 @@ interface(`spamassassin_stream_connect_spamd',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the spamassassin domain.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`spamassassin_admin',`
+interface(`spamassassin_spamd_admin',`
 	gen_require(`
 		type spamd_t, spamd_tmp_t, spamd_log_t;
 		type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
 		type spamd_initrc_exec_t;
 	')
 
-	allow $1 spamd_t:process { ptrace signal_perms };
+	allow $1 spamd_t:process signal_perms;
 	ps_process_pattern($1, spamd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 spamd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -403,6 +423,4 @@ interface(`spamassassin_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, spamd_var_run_t)
-
-	spamassassin_role($2, $1)
 ')
diff --git a/spamassassin.te b/spamassassin.te
index cc58e3578f..c7a301d4fd 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
 
 ## <desc>
 ##	<p>
-##	Determine whether spamassassin
-##	clients can use the network.
+##	Allow user spamassassin clients to use the network.
 ##	</p>
 ## </desc>
 gen_tunable(spamassassin_can_network, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether spamd can manage
-##	generic user home content.
+##	Allow spamd to read/write user home directories.
 ##	</p>
 ## </desc>
-gen_tunable(spamd_enable_home_dirs, false)
+gen_tunable(spamd_enable_home_dirs, true)
+
+## <desc>
+##	<p>
+##	Allow spamd_update to connect to all ports.
+##	</p>
+## </desc>
+gen_tunable(spamd_update_can_network, false)
+
 
 type spamd_update_t;
 type spamd_update_exec_t;
-init_system_domain(spamd_update_t, spamd_update_exec_t)
-
-type spamassassin_t;
-type spamassassin_exec_t;
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
-userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
-
-type spamassassin_home_t;
-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-userdom_user_home_content(spamassassin_home_t)
-
-type spamassassin_tmp_t;
-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-userdom_user_tmp_file(spamassassin_tmp_t)
-
-type spamc_t;
-type spamc_exec_t;
-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
-userdom_user_application_domain(spamc_t, spamc_exec_t)
-
-type spamc_tmp_t;
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-userdom_user_tmp_file(spamc_tmp_t)
+application_domain(spamd_update_t, spamd_update_exec_t)
+role system_r types spamd_update_t;
 
 type spamd_t;
 type spamd_exec_t;
@@ -59,12 +39,6 @@ init_daemon_domain(spamd_t, spamd_exec_t)
 type spamd_compiled_t;
 files_type(spamd_compiled_t)
 
-type spamd_etc_t;
-files_config_file(spamd_etc_t)
-
-type spamd_home_t;
-userdom_user_home_content(spamd_home_t)
-
 type spamd_initrc_exec_t;
 init_script_file(spamd_initrc_exec_t)
 
@@ -72,87 +46,197 @@ type spamd_log_t;
 logging_log_file(spamd_log_t)
 
 type spamd_spool_t;
-files_type(spamd_spool_t)
+files_spool_file(spamd_spool_t)
 
 type spamd_tmp_t;
 files_tmp_file(spamd_tmp_t)
 
+# var/lib files
 type spamd_var_lib_t;
 files_type(spamd_var_lib_t)
 
 type spamd_var_run_t;
 files_pid_file(spamd_var_run_t)
 
-########################################
+ifdef(`distro_redhat',`
+	# spamassassin client executable
+	type spamc_t;
+	type spamc_exec_t;
+	application_domain(spamc_t, spamc_exec_t)
+	role system_r types spamc_t;
+
+	type spamd_etc_t;
+	files_config_file(spamd_etc_t)
+
+	typealias spamc_exec_t  alias spamassassin_exec_t;
+	typealias spamc_t alias spamassassin_t;
+
+	type spamc_home_t;
+	userdom_user_home_content(spamc_home_t)
+	typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+	typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+	typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
+	typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
+
+	type spamc_tmp_t;
+	files_tmp_file(spamc_tmp_t)
+	typealias spamc_tmp_t alias spamassassin_tmp_t;
+	typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+	typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+
+	typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+	typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+	typealias spamc_t alias pyzor_t;
+	typealias spamc_exec_t alias pyzor_exec_t;
+	typealias spamd_t alias pyzord_t;
+	typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+	typealias spamd_exec_t alias pyzord_exec_t;
+	typealias spamc_tmp_t alias pyzor_tmp_t;
+	typealias spamd_log_t alias pyzor_log_t;
+	typealias spamd_log_t alias pyzord_log_t;
+	typealias spamd_var_lib_t alias pyzor_var_lib_t;
+	typealias spamd_etc_t alias pyzor_etc_t;
+	typealias spamc_home_t alias pyzor_home_t;
+	typealias spamc_home_t alias user_pyzor_home_t;
+	typealias spamc_t alias razor_t;
+	typealias spamc_exec_t alias razor_exec_t;
+	typealias spamd_log_t alias razor_log_t;
+	typealias spamd_var_lib_t alias razor_var_lib_t;
+	typealias spamd_etc_t alias razor_etc_t;
+	typealias spamc_home_t alias razor_home_t;
+	typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+	typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+	typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+	typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+',`
+	type spamassassin_t;
+	type spamassassin_exec_t;
+	typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+	typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+	application_domain(spamassassin_t, spamassassin_exec_t)
+	ubac_constrained(spamassassin_t)
+
+	type spamassassin_home_t;
+	typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+	typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+	userdom_user_home_content(spamassassin_home_t)
+
+	type spamassassin_tmp_t;
+	typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+	typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+	files_tmp_file(spamassassin_tmp_t)
+	ubac_constrained(spamassassin_tmp_t)
+
+	type spamc_t;
+	type spamc_exec_t;
+	typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+	typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+	application_domain(spamc_t, spamc_exec_t)
+	ubac_constrained(spamc_t)
+
+	type spamc_tmp_t;
+	typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+	typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+	files_tmp_file(spamc_tmp_t)
+	ubac_constrained(spamc_tmp_t)
+')
+
+##############################
 #
-# Standalone local policy
+# Standalone program local policy
 #
 
 allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamassassin_t self:fd use;
 allow spamassassin_t self:fifo_file rw_fifo_file_perms;
+allow spamassassin_t self:sock_file read_sock_file_perms;
+allow spamassassin_t self:unix_dgram_socket create_socket_perms;
+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
 allow spamassassin_t self:unix_dgram_socket sendto;
-allow spamassassin_t self:unix_stream_socket { accept connectto listen };
+allow spamassassin_t self:unix_stream_socket connectto;
+allow spamassassin_t self:shm create_shm_perms;
+allow spamassassin_t self:sem create_sem_perms;
+allow spamassassin_t self:msgq create_msgq_perms;
+allow spamassassin_t self:msg { send receive };
 
 manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
 manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
 manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
 manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
 manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
-userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")
 
 manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
 manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
 files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
 
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+userdom_home_manager(spamassassin_t)
+
 kernel_read_kernel_sysctls(spamassassin_t)
 
 dev_read_urand(spamassassin_t)
 
-fs_getattr_all_fs(spamassassin_t)
 fs_search_auto_mountpoints(spamassassin_t)
+fs_getattr_all_fs(spamassassin_t)
+
+# this should probably be removed
+corecmd_list_bin(spamassassin_t)
+corecmd_read_bin_symlinks(spamassassin_t)
+corecmd_read_bin_files(spamassassin_t)
+corecmd_read_bin_pipes(spamassassin_t)
+corecmd_read_bin_sockets(spamassassin_t)
 
 domain_use_interactive_fds(spamassassin_t)
 
-files_read_etc_files(spamassassin_t)
 files_read_etc_runtime_files(spamassassin_t)
 files_list_home(spamassassin_t)
-files_read_usr_files(spamassassin_t)
 files_dontaudit_search_var(spamassassin_t)
 
 logging_send_syslog_msg(spamassassin_t)
 
-miscfiles_read_localization(spamassassin_t)
+# cjp: this could probably be removed
+seutil_read_config(spamassassin_t)
 
 sysnet_dns_name_resolve(spamassassin_t)
 
+# set tunable if you have spamassassin do DNS lookups
 tunable_policy(`spamassassin_can_network',`
-	allow spamassassin_t self:tcp_socket { accept listen };
+	allow spamassassin_t self:tcp_socket create_stream_socket_perms;
+	allow spamassassin_t self:udp_socket create_socket_perms;
 
-	corenet_all_recvfrom_unlabeled(spamassassin_t)
-	corenet_all_recvfrom_netlabel(spamassassin_t)
 	corenet_tcp_sendrecv_generic_if(spamassassin_t)
+	corenet_udp_sendrecv_generic_if(spamassassin_t)
 	corenet_tcp_sendrecv_generic_node(spamassassin_t)
+	corenet_udp_sendrecv_generic_node(spamassassin_t)
 	corenet_tcp_sendrecv_all_ports(spamassassin_t)
-
+	corenet_udp_sendrecv_all_ports(spamassassin_t)
 	corenet_tcp_connect_all_ports(spamassassin_t)
 	corenet_sendrecv_all_client_packets(spamassassin_t)
+	corenet_udp_bind_generic_node(spamassassin_t)
+	corenet_udp_bind_generic_port(spamassassin_t)
+	corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
+
+	sysnet_read_config(spamassassin_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(spamassassin_t)
-	fs_manage_nfs_files(spamassassin_t)
-	fs_manage_nfs_symlinks(spamassassin_t)
+tunable_policy(`spamd_enable_home_dirs',`
+	userdom_manage_user_home_content_dirs(spamd_t)
+	userdom_manage_user_home_content_files(spamd_t)
+	userdom_manage_user_home_content_symlinks(spamd_t)
+	userdom_exec_user_bin_files(spamd_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(spamassassin_t)
-	fs_manage_cifs_files(spamassassin_t)
-	fs_manage_cifs_symlinks(spamassassin_t)
+optional_policy(`
+	# Write pid file and socket in ~/.evolution/cache/tmp
+	evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
 ')
 
 optional_policy(`
-	tunable_policy(`spamassassin_can_network && allow_ypbind',`
+	tunable_policy(`spamassassin_can_network && nis_enabled',`
 		nis_use_ypbind_uncond(spamassassin_t)
 	')
 ')
@@ -160,6 +244,8 @@ optional_policy(`
 optional_policy(`
 	mta_read_config(spamassassin_t)
 	sendmail_stub(spamassassin_t)
+	sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
+	sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
 ')
 
 ########################################
@@ -167,72 +253,95 @@ optional_policy(`
 # Client local policy
 #
 
-allow spamc_t self:capability dac_override;
 allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamc_t self:fd use;
 allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:sock_file read_sock_file_perms;
+allow spamc_t self:shm create_shm_perms;
+allow spamc_t self:sem create_sem_perms;
+allow spamc_t self:msgq create_msgq_perms;
+allow spamc_t self:msg { send receive };
+allow spamc_t self:unix_dgram_socket create_socket_perms;
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
 allow spamc_t self:unix_dgram_socket sendto;
-allow spamc_t self:unix_stream_socket { accept connectto listen };
-allow spamc_t self:tcp_socket { accept listen };
+allow spamc_t self:unix_stream_socket connectto;
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+can_exec(spamc_t, spamc_exec_t)
 
 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
 
-manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
-userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin")
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_append_user_home_content_files(spamc_t)
+spamassassin_filetrans_home_content(spamc_t)
+spamassassin_filetrans_admin_home_content(spamc_t)
+# for /root/.pyzor
+allow spamc_t self:capability { dac_read_search  dac_override };
 
 list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
+read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+
+allow spamc_t spamd_etc_t:dir list_dir_perms;
+allow spamc_t spamd_etc_t:file read_file_perms;
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+spamd_stream_connect(spamc_t)
+allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
 
 kernel_read_kernel_sysctls(spamc_t)
 kernel_read_system_state(spamc_t)
 
-corenet_all_recvfrom_unlabeled(spamc_t)
+corecmd_exec_bin(spamc_t)
+
 corenet_all_recvfrom_netlabel(spamc_t)
 corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_udp_sendrecv_generic_if(spamc_t)
 corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_udp_sendrecv_generic_node(spamc_t)
 corenet_tcp_sendrecv_all_ports(spamc_t)
-
-corenet_sendrecv_all_client_packets(spamc_t)
+corenet_udp_sendrecv_all_ports(spamc_t)
 corenet_tcp_connect_all_ports(spamc_t)
+corenet_sendrecv_all_client_packets(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
 
-corecmd_exec_bin(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
 
-domain_use_interactive_fds(spamc_t)
+# cjp: these should probably be removed:
+corecmd_list_bin(spamc_t)
+corecmd_read_bin_symlinks(spamc_t)
+corecmd_read_bin_files(spamc_t)
+corecmd_read_bin_pipes(spamc_t)
+corecmd_read_bin_sockets(spamc_t)
 
-fs_getattr_all_fs(spamc_t)
-fs_search_auto_mountpoints(spamc_t)
+domain_use_interactive_fds(spamc_t)
 
 files_read_etc_runtime_files(spamc_t)
-files_read_usr_files(spamc_t)
 files_dontaudit_search_var(spamc_t)
+# cjp: this may be removable:
 files_list_home(spamc_t)
 files_list_var_lib(spamc_t)
 
-auth_use_nsswitch(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
 
-logging_send_syslog_msg(spamc_t)
+libs_exec_ldconfig(spamc_t)
 
-miscfiles_read_localization(spamc_t)
+logging_send_syslog_msg(spamc_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(spamc_t)
-	fs_manage_nfs_files(spamc_t)
-	fs_manage_nfs_symlinks(spamc_t)
-')
+auth_use_nsswitch(spamc_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(spamc_t)
-	fs_manage_cifs_files(spamc_t)
-	fs_manage_cifs_symlinks(spamc_t)
-')
+userdom_home_manager(spamc_t)
 
 optional_policy(`
 	abrt_stream_connect(spamc_t)
@@ -243,19 +352,31 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# Allow connection to spamd socket above
 	evolution_stream_connect(spamc_t)
 ')
 
+optional_policy(`
+    cyrus_stream_connect(spamc_t)
+')
+
 optional_policy(`
 	milter_manage_spamass_state(spamc_t)
 ')
 
+optional_policy(`
+	postfix_domtrans_postdrop(spamc_t)
+	postfix_search_spool(spamc_t)
+	postfix_rw_local_pipes(spamc_t)
+	postfix_rw_inherited_master_pipes(spamc_t)
+')
+
 optional_policy(`
 	mta_send_mail(spamc_t)
 	mta_read_config(spamc_t)
 	mta_read_queue(spamc_t)
-	sendmail_rw_pipes(spamc_t)
 	sendmail_stub(spamc_t)
+	sendmail_rw_pipes(spamc_t)
 ')
 
 optional_policy(`
@@ -267,36 +388,40 @@ optional_policy(`
 
 ########################################
 #
-# Daemon local policy
+# Server local policy
 #
 
-allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc.  Comment this if you are not
+# using this ability.
+
+allow spamd_t self:capability { kill setuid setgid dac_read_search dac_override sys_tty_config };
 dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
 allow spamd_t self:fifo_file rw_fifo_file_perms;
+allow spamd_t self:sock_file read_sock_file_perms;
+allow spamd_t self:shm create_shm_perms;
+allow spamd_t self:sem create_sem_perms;
+allow spamd_t self:msgq create_msgq_perms;
+allow spamd_t self:msg { send receive };
+allow spamd_t self:unix_dgram_socket create_socket_perms;
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
 allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket { accept connectto listen };
-allow spamd_t self:tcp_socket { accept listen };
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
 
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
+# needed by razor
+list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
+read_lnk_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
+rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 
+can_exec(spamd_t, spamd_compiled_t)
 manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
 manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
 
-allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
 logging_log_filetrans(spamd_t, spamd_log_t, file)
 
 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
@@ -308,7 +433,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
 files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
 
-allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+# var/lib files for spamd
+manage_dirs_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 
@@ -317,12 +443,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
 
-can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
+read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
+
+can_exec(spamd_t, spamd_exec_t)
 
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
 
-corenet_all_recvfrom_unlabeled(spamd_t)
 corenet_all_recvfrom_netlabel(spamd_t)
 corenet_tcp_sendrecv_generic_if(spamd_t)
 corenet_udp_sendrecv_generic_if(spamd_t)
@@ -331,78 +458,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
 corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_generic_node(spamd_t)
-corenet_udp_bind_generic_node(spamd_t)
-
-corenet_sendrecv_spamd_server_packets(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
-
-corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_tcp_connect_spamd_port(spamd_t)
 corenet_tcp_connect_razor_port(spamd_t)
-
-corenet_sendrecv_smtp_client_packets(spamd_t)
 corenet_tcp_connect_smtp_port(spamd_t)
-
-corenet_sendrecv_generic_server_packets(spamd_t)
+corenet_sendrecv_razor_client_packets(spamd_t)
+corenet_sendrecv_spamd_server_packets(spamd_t)
+# spamassassin 3.1 needs this for its
+# DnsResolver.pm module which binds to
+# random ports >= 1024.
+corenet_udp_bind_generic_node(spamd_t)
 corenet_udp_bind_generic_port(spamd_t)
-
-corenet_sendrecv_imaze_server_packets(spamd_t)
 corenet_udp_bind_imaze_port(spamd_t)
-
 corenet_dontaudit_udp_bind_all_ports(spamd_t)
-
-corecmd_exec_bin(spamd_t)
+corenet_sendrecv_imaze_server_packets(spamd_t)
+corenet_sendrecv_generic_server_packets(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
 
-domain_use_interactive_fds(spamd_t)
-
-files_read_usr_files(spamd_t)
-files_read_etc_runtime_files(spamd_t)
-
 fs_getattr_all_fs(spamd_t)
 fs_search_auto_mountpoints(spamd_t)
 
-auth_use_nsswitch(spamd_t)
 auth_dontaudit_read_shadow(spamd_t)
 
+corecmd_exec_bin(spamd_t)
+
+domain_use_interactive_fds(spamd_t)
+
+files_read_etc_runtime_files(spamd_t)
+# /var/lib/spamassin
+files_read_var_lib_files(spamd_t)
+
 init_dontaudit_rw_utmp(spamd_t)
 
+auth_use_nsswitch(spamd_t)
+
 libs_use_ld_so(spamd_t)
 libs_use_shared_libs(spamd_t)
 
 logging_send_syslog_msg(spamd_t)
 
-miscfiles_read_localization(spamd_t)
-
-sysnet_use_ldap(spamd_t)
-
 userdom_use_unpriv_users_fds(spamd_t)
-
-tunable_policy(`spamd_enable_home_dirs',`
-	userdom_manage_user_home_content_dirs(spamd_t)
-	userdom_manage_user_home_content_files(spamd_t)
-	userdom_manage_user_home_content_symlinks(spamd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(spamd_t)
-	fs_manage_nfs_files(spamd_t)
-	fs_manage_nfs_symlinks(spamd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(spamd_t)
-	fs_manage_cifs_files(spamd_t)
-	fs_manage_cifs_symlinks(spamd_t)
-')
+userdom_search_user_home_dirs(spamd_t)
+userdom_home_manager(spamd_t)
 
 optional_policy(`
-	amavis_manage_lib_files(spamd_t)
+	antivirus_stream_connect(spamd_t)
+	antivirus_manage_db(spamd_t)
 ')
 
 optional_policy(`
-	clamav_stream_connect(spamd_t)
+	exim_manage_spool_dirs(spamd_t)
+	exim_manage_spool_files(spamd_t)
 ')
 
 optional_policy(`
@@ -421,21 +529,17 @@ optional_policy(`
 ')
 
 optional_policy(`
-	evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
-')
-
-optional_policy(`
-	exim_manage_spool_dirs(spamd_t)
-	exim_manage_spool_files(spamd_t)
+	milter_manage_spamass_state(spamd_t)
 ')
 
 optional_policy(`
-	milter_manage_spamass_state(spamd_t)
+	mysql_tcp_connect(spamd_t)
+	mysql_search_db(spamd_t)
+	mysql_stream_connect(spamd_t)
 ')
 
 optional_policy(`
-	mysql_stream_connect(spamd_t)
-	mysql_tcp_connect(spamd_t)
+    logwatch_manage_cache(spamd_t)
 ')
 
 optional_policy(`
@@ -443,8 +547,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	postgresql_stream_connect(spamd_t)
 	postgresql_tcp_connect(spamd_t)
+	postgresql_stream_connect(spamd_t)
 ')
 
 optional_policy(`
@@ -455,7 +559,17 @@ optional_policy(`
 optional_policy(`
 	razor_domtrans(spamd_t)
 	razor_read_lib_files(spamd_t)
-	razor_manage_home_content(spamd_t)
+')
+
+optional_policy(`
+	tunable_policy(`spamd_enable_home_dirs',`
+		razor_manage_user_home_files(spamd_t)
+	')
+')
+
+optional_policy(`
+    spamassassin_filetrans_home_content(spamd_t)
+    spamassassin_filetrans_admin_home_content(spamd_t)
 ')
 
 optional_policy(`
@@ -463,9 +577,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mta_send_mail(spamd_t)
 	sendmail_stub(spamd_t)
 	mta_read_config(spamd_t)
-	mta_send_mail(spamd_t)
 ')
 
 optional_policy(`
@@ -474,32 +588,32 @@ optional_policy(`
 
 ########################################
 #
-# Update local policy
+# spamd_update local policy
 #
 
-allow spamd_update_t self:capability dac_override;
 allow spamd_update_t self:fifo_file manage_fifo_file_perms;
 allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_update_t self:capability dac_read_search;
+dontaudit spamd_update_t self:capability dac_override;
 
 manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
 manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
 files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
 
+allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
 manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 
-kernel_read_system_state(spamd_update_t)
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
+allow spamd_update_t spamd_tmp_t:file read_file_perms;
+
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
 
-corenet_all_recvfrom_unlabeled(spamd_update_t)
-corenet_all_recvfrom_netlabel(spamd_update_t)
-corenet_tcp_sendrecv_generic_if(spamd_update_t)
-corenet_tcp_sendrecv_generic_node(spamd_update_t)
-corenet_tcp_sendrecv_all_ports(spamd_update_t)
+kernel_read_system_state(spamd_update_t)
 
-corenet_sendrecv_http_client_packets(spamd_update_t)
+# for updating rules 
 corenet_tcp_connect_http_port(spamd_update_t)
-corenet_tcp_sendrecv_http_port(spamd_update_t)
 
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
@@ -508,25 +622,26 @@ dev_read_urand(spamd_update_t)
 
 domain_use_interactive_fds(spamd_update_t)
 
-files_read_usr_files(spamd_update_t)
 
 auth_use_nsswitch(spamd_update_t)
 auth_dontaudit_read_shadow(spamd_update_t)
 
-miscfiles_read_localization(spamd_update_t)
+mta_read_config(spamd_update_t)
 
-userdom_use_user_terminals(spamd_update_t)
+userdom_search_admin_dir(spamd_update_t)
+userdom_use_inherited_user_ptys(spamd_update_t)
 
 optional_policy(`
 	cron_system_entry(spamd_update_t, spamd_update_exec_t)
 ')
 
-# probably want a solution same as httpd_use_gpg since this will
-# give spamd_update a path to users gpg keys
-# optional_policy(`
-#	gpg_domtrans(spamd_update_t)
-# ')
-
 optional_policy(`
-	mta_read_config(spamd_update_t)
+	gpg_domtrans(spamd_update_t)
+	gpg_manage_home_content(spamd_update_t)
+')
+
+tunable_policy(`spamd_update_can_network',`
+	corenet_sendrecv_all_client_packets(spamd_update_t)
+	corenet_tcp_connect_all_ports(spamd_update_t)
+	corenet_tcp_sendrecv_all_ports(spamd_update_t)
 ')
diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc
new file mode 100644
index 0000000000..545f68233e
--- /dev/null
+++ b/speech-dispatcher.fc
@@ -0,0 +1,5 @@
+/usr/bin/speech-dispatcher		--	gen_context(system_u:object_r:speech-dispatcher_exec_t,s0)
+
+/usr/lib/systemd/system/speech-dispatcherd.service		--	gen_context(system_u:object_r:speech-dispatcher_unit_file_t,s0)
+
+/var/log/speech-dispatcher(/.*)?		gen_context(system_u:object_r:speech-dispatcher_log_t,s0)
diff --git a/speech-dispatcher.if b/speech-dispatcher.if
new file mode 100644
index 0000000000..4cb9104629
--- /dev/null
+++ b/speech-dispatcher.if
@@ -0,0 +1,143 @@
+
+## <summary>speech-dispatcher - server process managing speech requests in Speech Dispatcher</summary>
+
+########################################
+## <summary>
+##	Execute speech-dispatcher in the speech-dispatcher domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`speech-dispatcher_domtrans',`
+	gen_require(`
+		type speech-dispatcher_t, speech-dispatcher_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, speech-dispatcher_exec_t, speech-dispatcher_t)
+')
+########################################
+## <summary>
+##	Read speech-dispatcher's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`speech-dispatcher_read_log',`
+	gen_require(`
+		type speech-dispatcher_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+')
+
+########################################
+## <summary>
+##	Append to speech-dispatcher log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`speech-dispatcher_append_log',`
+	gen_require(`
+		type speech-dispatcher_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+')
+
+########################################
+## <summary>
+##	Manage speech-dispatcher log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`speech-dispatcher_manage_log',`
+	gen_require(`
+		type speech-dispatcher_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+	manage_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+	manage_lnk_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t)
+')
+########################################
+## <summary>
+##	Execute speech-dispatcher server in the speech-dispatcher domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`speech-dispatcher_systemctl',`
+	gen_require(`
+		type speech-dispatcher_t;
+		type speech-dispatcher_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 speech-dispatcher_unit_file_t:file read_file_perms;
+	allow $1 speech-dispatcher_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, speech-dispatcher_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an speech-dispatcher environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`speech-dispatcher_admin',`
+	gen_require(`
+		type speech-dispatcher_t;
+		type speech-dispatcher_log_t;
+	    type speech-dispatcher_unit_file_t;
+	')
+
+	allow $1 speech-dispatcher_t:process { signal_perms };
+	ps_process_pattern($1, speech-dispatcher_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 speech-dispatcher_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, speech-dispatcher_log_t)
+
+	speech-dispatcher_systemctl($1)
+	admin_pattern($1, speech-dispatcher_unit_file_t)
+	allow $1 speech-dispatcher_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/speech-dispatcher.te b/speech-dispatcher.te
new file mode 100644
index 0000000000..4739473123
--- /dev/null
+++ b/speech-dispatcher.te
@@ -0,0 +1,61 @@
+policy_module(speech-dispatcher, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type speech-dispatcher_t;
+type speech-dispatcher_exec_t;
+init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t)
+application_executable_file(speech-dispatcher_exec_t)
+
+type speech-dispatcher_home_t;
+userdom_user_home_content(speech-dispatcher_home_t)
+
+type speech-dispatcher_log_t;
+logging_log_file(speech-dispatcher_log_t)
+
+type speech-dispatcher_unit_file_t;
+systemd_unit_file(speech-dispatcher_unit_file_t)
+
+type speech-dispatcher_tmp_t;
+files_tmp_file(speech-dispatcher_tmp_t)
+
+type speech-dispatcher_tmpfs_t;
+files_tmpfs_file(speech-dispatcher_tmpfs_t)
+
+########################################
+#
+# speech-dispatcher local policy
+#
+
+allow speech-dispatcher_t self:process signal_perms;
+
+allow speech-dispatcher_t self:fifo_file rw_fifo_file_perms;
+allow speech-dispatcher_t self:unix_stream_socket create_stream_socket_perms;
+allow speech-dispatcher_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t)
+manage_files_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t)
+logging_log_filetrans(speech-dispatcher_t, speech-dispatcher_log_t, { dir })
+
+manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmp_t, speech-dispatcher_tmp_t)
+files_tmp_filetrans(speech-dispatcher_t, speech-dispatcher_tmp_t, { file })
+
+manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmpfs_t, speech-dispatcher_tmpfs_t)
+fs_tmpfs_filetrans(speech-dispatcher_t, speech-dispatcher_tmpfs_t, { file })
+
+manage_files_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t)
+manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t)
+manage_fifo_files_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t)
+userdom_filetrans_home_content(speech-dispatcher_t,speech-dispatcher_home_t, dir, ".speech-dispatcher")
+
+kernel_read_system_state(speech-dispatcher_t)
+
+auth_read_passwd(speech-dispatcher_t)
+
+corenet_tcp_connect_pdps_port(speech-dispatcher_t)
+
+dev_read_urand(speech-dispatcher_t)
+
diff --git a/speedtouch.te b/speedtouch.te
index b38b8b1801..eb36653b84 100644
--- a/speedtouch.te
+++ b/speedtouch.te
@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t)
 
 domain_use_interactive_fds(speedmgmt_t)
 
-files_read_etc_files(speedmgmt_t)
-files_read_usr_files(speedmgmt_t)
 
 fs_getattr_all_fs(speedmgmt_t)
 fs_search_auto_mountpoints(speedmgmt_t)
 
 logging_send_syslog_msg(speedmgmt_t)
 
-miscfiles_read_localization(speedmgmt_t)
-
 userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
 userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
 
diff --git a/squid.fc b/squid.fc
index 0a8b0f7c02..2a569691f0 100644
--- a/squid.fc
+++ b/squid.fc
@@ -1,20 +1,29 @@
-/etc/squid(/.*)?	gen_context(system_u:object_r:squid_conf_t,s0)
+/etc/rc\.d/init\.d/squid --	gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
+/etc/squid/ssl_db(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
+/etc/lightsquid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
 
-/etc/rc\.d/init\.d/squid	--	gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/usr/libexec/squid/cache_swap\.sh	--		gen_context(system_u:object_r:squid_exec_t,s0)
 
-/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:squid_script_exec_t,s0)
+
+/usr/sbin/lightparser.pl --	gen_context(system_u:object_r:squid_cron_exec_t,s0)
 
 /usr/sbin/squid	--	gen_context(system_u:object_r:squid_exec_t,s0)
 
 /usr/share/squid(/.*)?	gen_context(system_u:object_r:squid_conf_t,s0)
+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0)
 
 /var/cache/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
 
 /var/log/squid(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
 /var/log/squidGuard(/.*)?	gen_context(system_u:object_r:squid_log_t,s0)
 
-/var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
+/var/run/squid.*	gen_context(system_u:object_r:squid_var_run_t,s0)
+
+/var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
+/var/squidGuard(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
 
-/var/spool/squid(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
+/var/lib/ssl_db(/.*)?       gen_context(system_u:object_r:squid_cache_t,s0)
 
-/var/squidGuard(/.*)?	gen_context(system_u:object_r:squid_cache_t,s0)
+/var/lightsquid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/squid.if b/squid.if
index 5e1f0534c7..e7820bce39 100644
--- a/squid.if
+++ b/squid.if
@@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',`
 		type squid_t;
 	')
 
-	allow $1 squid_t:unix_stream_socket { getattr read write };
+	allow $1 squid_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -85,7 +85,6 @@ interface(`squid_rw_stream_sockets',`
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`squid_dontaudit_search_cache',`
 	gen_require(`
@@ -213,9 +212,13 @@ interface(`squid_admin',`
 		type squid_initrc_exec_t, squid_tmp_t;
 	')
 
-	allow $1 squid_t:process { ptrace signal_perms };
+	allow $1 squid_t:process signal_perms;
 	ps_process_pattern($1, squid_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 squid_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, squid_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
index 03472ed9b2..4b272687e2 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
 files_type(squid_cache_t)
 
 type squid_conf_t;
-files_type(squid_conf_t)
+files_config_file(squid_conf_t)
 
 type squid_initrc_exec_t;
 init_script_file(squid_initrc_exec_t)
@@ -37,21 +37,28 @@ init_script_file(squid_initrc_exec_t)
 type squid_log_t;
 logging_log_file(squid_log_t)
 
+type squid_tmpfs_t;
+files_tmpfs_file(squid_tmpfs_t)
+
 type squid_tmp_t;
 files_tmp_file(squid_tmp_t)
 
-type squid_tmpfs_t;
-files_tmpfs_file(squid_tmpfs_t)
 
 type squid_var_run_t;
 files_pid_file(squid_var_run_t)
 
+type squid_cron_t;
+type squid_cron_exec_t;
+init_daemon_domain(squid_cron_t, squid_cron_exec_t)
+application_domain(squid_cron_t, squid_cron_exec_t)
+role system_r types squid_cron_t;
+
 ########################################
 #
 # Local policy
 #
 
-allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
+allow squid_t self:capability { setgid kill setuid dac_read_search dac_override sys_resource };
 dontaudit squid_t self:capability sys_tty_config;
 allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow squid_t self:fifo_file rw_fifo_file_perms;
@@ -68,6 +75,7 @@ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
 manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
 manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
 files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
+filetrans_pattern(squid_t, squid_conf_t, squid_cache_t, dir, "ssl_db")
 
 allow squid_t squid_conf_t:dir list_dir_perms;
 allow squid_t squid_conf_t:file read_file_perms;
@@ -78,15 +86,19 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t)
 manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
 logging_log_filetrans(squid_t, squid_log_t, { file dir })
 
+manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+manage_dirs_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, { dir file })
+allow squid_t squid_tmpfs_t:file map;
+
 manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
-fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
-
+manage_dirs_pattern(squid_t, squid_var_run_t, squid_var_run_t)
 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
-files_pid_filetrans(squid_t, squid_var_run_t, file)
+manage_sock_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+files_pid_filetrans(squid_t, squid_var_run_t, { dir file sock_file })
 
 can_exec(squid_t, squid_exec_t)
 
@@ -94,7 +106,6 @@ kernel_read_kernel_sysctls(squid_t)
 kernel_read_system_state(squid_t)
 kernel_read_network_state(squid_t)
 
-corenet_all_recvfrom_unlabeled(squid_t)
 corenet_all_recvfrom_netlabel(squid_t)
 corenet_tcp_sendrecv_generic_if(squid_t)
 corenet_udp_sendrecv_generic_if(squid_t)
@@ -132,6 +143,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
 corenet_udp_sendrecv_gopher_port(squid_t)
 
 corenet_sendrecv_squid_server_packets(squid_t)
+corenet_sendrecv_squid_client_packets(squid_t)
 corenet_tcp_bind_squid_port(squid_t)
 corenet_udp_bind_squid_port(squid_t)
 corenet_tcp_sendrecv_squid_port(squid_t)
@@ -154,7 +166,6 @@ dev_read_urand(squid_t)
 domain_use_interactive_fds(squid_t)
 
 files_read_etc_runtime_files(squid_t)
-files_read_usr_files(squid_t)
 files_search_spool(squid_t)
 files_dontaudit_getattr_tmp_dirs(squid_t)
 files_getattr_home_dir(squid_t)
@@ -172,11 +183,11 @@ auth_use_nsswitch(squid_t)
 auth_domtrans_chk_passwd(squid_t)
 
 libs_exec_lib_files(squid_t)
+libs_exec_ldconfig(squid_t)
 
 logging_send_syslog_msg(squid_t)
 
 miscfiles_read_generic_certs(squid_t)
-miscfiles_read_localization(squid_t)
 
 userdom_use_unpriv_users_fds(squid_t)
 userdom_dontaudit_search_user_home_dirs(squid_t)
@@ -197,28 +208,31 @@ tunable_policy(`squid_use_tproxy',`
 
 optional_policy(`
 	apache_content_template(squid)
+	apache_content_alias_template(squid, squid)
 
-	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
-	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
-	corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-	corenet_tcp_sendrecv_generic_node(httpd_squid_script_t)
+	allow squid_script_t self:tcp_socket create_socket_perms;
 
-	corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t)
-	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
-	corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
+	corenet_all_recvfrom_unlabeled(squid_script_t)
+	corenet_all_recvfrom_netlabel(squid_script_t)
+	corenet_tcp_sendrecv_generic_if(squid_script_t)
+	corenet_tcp_sendrecv_generic_node(squid_script_t)
 
-	sysnet_dns_name_resolve(httpd_squid_script_t)
+	corenet_sendrecv_http_cache_client_packets(squid_script_t)
+	corenet_tcp_connect_http_cache_port(squid_script_t)
+	corenet_tcp_sendrecv_http_cache_port(squid_script_t)
 
-	squid_read_config(httpd_squid_script_t)
-')
+	corenet_tcp_connect_squid_port(squid_script_t)
 
-optional_policy(`
-	cron_system_entry(squid_t, squid_exec_t)
+	sysnet_dns_name_resolve(squid_script_t)
+
+	optional_policy(`
+		squid_read_config(squid_script_t)
+	')
 ')
 
 optional_policy(`
-	kerberos_manage_host_rcache(squid_t)
-	kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")
+    kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
+    kerberos_manage_host_rcache(squid_t)
 ')
 
 optional_policy(`
@@ -236,3 +250,24 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(squid_t)
 ')
+
+########################################
+#
+# squid cron Local policy
+#
+manage_dirs_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
+manage_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
+manage_lnk_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
+files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")
+
+read_files_pattern(squid_cron_t, squid_conf_t, squid_conf_t)
+
+read_files_pattern(squid_cron_t, squid_log_t, squid_log_t)
+
+corecmd_exec_bin(squid_cron_t)
+
+dev_read_urand(squid_cron_t)
+
+optional_policy(`
+	cron_system_entry(squid_cron_t, squid_cron_exec_t)
+')
diff --git a/sssd.fc b/sssd.fc
index dbb005acab..da2394c685 100644
--- a/sssd.fc
+++ b/sssd.fc
@@ -1,15 +1,23 @@
 /etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 
-/etc/sssd(/.*)?	gen_context(system_u:object_r:sssd_conf_t,s0)
+/etc/sssd(/.*)?			gen_context(system_u:object_r:sssd_conf_t,s0)
 
-/usr/sbin/sssd	--	gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/sbin/sssd		--	gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_kcm	--	gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_secrets	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 
-/var/lib/sss(/.*)?	gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/usr/lib/systemd/system/sssd.*      --      gen_context(system_u:object_r:sssd_unit_file_t,s0)
 
-/var/lib/sss/mc(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
+/usr/libexec/sssd/selinux_child     --  gen_context(system_u:object_r:sssd_selinux_manager_exec_t,s0)
+
+/var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/lib/sss/mc(/.*)?		gen_context(system_u:object_r:sssd_public_t,s0)
 
 /var/lib/sss/pubconf(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
 
-/var/log/sssd(/.*)?	gen_context(system_u:object_r:sssd_var_log_t,s0)
+/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 
-/var/run/sssd\.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/secrets\.socket	-s	gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/\.heim_org\.h5l\.kcm-socket	-s	gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
index a24045518c..2d4b9b2faf 100644
--- a/sssd.if
+++ b/sssd.if
@@ -1,21 +1,21 @@
-## <summary>System Security Services Daemon.</summary>
+## <summary>System Security Services Daemon</summary>
 
 #######################################
 ## <summary>
-##	Get attributes of sssd executable files.
+##  Allow a domain to getattr on sssd binary.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 #
 interface(`sssd_getattr_exec',`
-	gen_require(`
-		type sssd_exec_t;
-	')
+    gen_require(`
+        type sssd_t, sssd_exec_t;
+    ')
 
-	allow $1 sssd_exec_t:file getattr_file_perms;
+	allow $1 sssd_exec_t:file getattr;
 ')
 
 ########################################
@@ -33,14 +33,12 @@ interface(`sssd_domtrans',`
 		type sssd_t, sssd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, sssd_exec_t, sssd_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute sssd init scripts in
-##	the initrc domain.
+##	Execute sssd server in the sssd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -56,49 +54,91 @@ interface(`sssd_initrc_domtrans',`
 	init_labeled_script_domtrans($1, sssd_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##     Execute sssd server in the sssd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`sssd_systemctl',`
+       gen_require(`
+               type sssd_t;
+               type sssd_unit_file_t;
+       ')
+
+       systemd_exec_systemctl($1)
+	init_reload_services($1)
+       allow $1 sssd_unit_file_t:file read_file_perms;
+       allow $1 sssd_unit_file_t:service manage_service_perms;
+
+       ps_process_pattern($1, sssd_t)
+')
+
 #######################################
 ## <summary>
-##	Read sssd configuration content.
+##  Read sssd configuration.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`sssd_read_config',`
-	gen_require(`
-		type sssd_conf_t;
-	')
+    gen_require(`
+        type sssd_conf_t;
+    ')
 
-	files_search_etc($1)
-	list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
-	read_files_pattern($1, sssd_conf_t, sssd_conf_t)
+    files_search_etc($1)
+    list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
+    read_files_pattern($1, sssd_conf_t, sssd_conf_t)
 ')
 
 ######################################
 ## <summary>
-##	Write sssd configuration files.
+##  Write sssd configuration.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`sssd_write_config',`
-	gen_require(`
-		type sssd_conf_t;
-	')
+    gen_require(`
+        type sssd_conf_t;
+    ')
+
+    files_search_etc($1)
+    write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+')
+
+#####################################
+## <summary>
+##  Write sssd configuration.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`sssd_create_config',`
+    gen_require(`
+        type sssd_conf_t;
+    ')
 
-	files_search_etc($1)
-	write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+    files_search_etc($1)
+    create_files_pattern($1, sssd_conf_t, sssd_conf_t)
 ')
 
 ####################################
 ## <summary>
-##	Create, read, write, and delete
-##	sssd configuration files.
+##  Manage sssd configuration.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
@@ -107,12 +147,12 @@ interface(`sssd_write_config',`
 ## </param>
 #
 interface(`sssd_manage_config',`
-	gen_require(`
-		type sssd_conf_t;
-	')
+    gen_require(`
+        type sssd_conf_t;
+    ')
 
-	files_search_etc($1)
-	manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
+    files_search_etc($1)
+    manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
 ')
 
 ########################################
@@ -131,14 +171,14 @@ interface(`sssd_read_public_files',`
 	')
 
 	sssd_search_lib($1)
-	allow $1 sssd_public_t:dir list_dir_perms;
+	list_dirs_pattern($1, sssd_public_t, sssd_public_t)
 	read_files_pattern($1, sssd_public_t, sssd_public_t)
+    allow $1 sssd_public_t:file map;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Create, read, write, and delete
-##	sssd public files.
+##	Delete sssd public files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -146,18 +186,55 @@ interface(`sssd_read_public_files',`
 ##	</summary>
 ## </param>
 #
-interface(`sssd_manage_public_files',`
+interface(`sssd_delete_public_files',`
 	gen_require(`
 		type sssd_public_t;
 	')
 
 	sssd_search_lib($1)
-	manage_files_pattern($1, sssd_public_t, sssd_public_t)
+	allow $1 sssd_public_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Dontaudit read sssd public files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_dontaudit_read_public_files',`
+	gen_require(`
+		type sssd_public_t;
+	')
+
+	dontaudit $1 sssd_public_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Manage sssd public files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`sssd_manage_public_files',`
+    gen_require(`
+        type sssd_public_t;
+    ')
+
+    sssd_search_lib($1)
+    manage_files_pattern($1, sssd_public_t, sssd_public_t)
 ')
 
 ########################################
 ## <summary>
-##	Read sssd pid files.
+##	Read sssd PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -176,8 +253,7 @@ interface(`sssd_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	sssd pid content.
+##	Manage sssd var_run files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -216,8 +292,7 @@ interface(`sssd_search_lib',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search
-##	sssd lib directories.
+##	Do not audit attempts to search sssd lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -233,6 +308,24 @@ interface(`sssd_dontaudit_search_lib',`
 	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read sssd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sssd_dontaudit_read_lib',`
+	gen_require(`
+		type sssd_var_lib_t;
+	')
+
+	dontaudit $1 sssd_var_lib_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read sssd lib files.
@@ -297,8 +390,7 @@ interface(`sssd_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Connect to sssd with a unix
-##	domain stream socket.
+##	Connect to sssd over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -317,8 +409,148 @@ interface(`sssd_stream_connect',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an sssd environment.
+##	Dontaudit attempts to connect to sssd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_dontaudit_stream_connect',`
+	gen_require(`
+		type sssd_t, sssd_var_lib_t;
+	')
+
+	dontaudit $1 sssd_t:unix_stream_socket connectto;
+	dontaudit $1 sssd_var_lib_t:sock_file { read write };
+')
+
+########################################
+## <summary>
+##	Connect to sssd over a unix stream socket in /var/run.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_run_stream_connect',`
+	gen_require(`
+		type sssd_t, sssd_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sssd_var_run_t, sssd_var_run_t, sssd_t)
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to connect to sssd over a unix stream socket in /var/run.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_dontaudit_run_stream_connect',`
+	gen_require(`
+		type sssd_t, sssd_var_lib_t;
+	')
+
+	dontaudit $1 sssd_t:unix_stream_socket connectto;
+	dontaudit $1 sssd_var_run_t:sock_file { read write };
+')
+
+#######################################
+## <summary>
+##     Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sssd_manage_keys',`
+    gen_require(`
+        type sssd_t;
+    ')
+
+    allow $1 sssd_t:key manage_key_perms;
+    allow sssd_t $1:key manage_key_perms;
+')
+
+#######################################
+## <summary>
+##  Allow attempts to read and write to
+##  sssd pipes
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sssd_rw_inherited_pipes',`
+    gen_require(`
+        type sssd_t;
+    ')
+
+    allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##  Allow caller to signull sssd.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sssd_signull',`
+	gen_require(`
+		type sssd_t;
+	')
+
+	allow $1 sssd_t:process signull;
+')
+
+########################################
+## <summary>
+##	Transition to sssd named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_filetrans_named_content',`
+	gen_require(`
+		type sssd_var_run_t;
+		type sssd_var_log_t;
+		type sssd_var_lib_t;
+		type sssd_public_t;
+		type sssd_conf_t;
+	')
+
+	files_pid_filetrans($1, sssd_var_run_t, sock_file, "secrets.socket")
+	logging_log_filetrans($1, sssd_var_log_t, dir, "sssd")
+	files_var_lib_filetrans($1, sssd_var_lib_t, dir, "sss")
+	filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")
+	filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")
+	files_etc_filetrans($1, sssd_conf_t, dir, "sssd")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an sssd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -327,7 +559,7 @@ interface(`sssd_stream_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the sssd domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -335,27 +567,29 @@ interface(`sssd_stream_connect',`
 interface(`sssd_admin',`
 	gen_require(`
 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
-		type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
-		type sssd_log_t;
+		type sssd_unit_file_t;
 	')
 
-	allow $1 sssd_t:process { ptrace signal_perms };
+	allow $1 sssd_t:process signal_perms;
 	ps_process_pattern($1, sssd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 sssd_t:process ptrace;
+	')
 
+	# Allow sssd_t to restart the apache service
 	sssd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 sssd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
-	admin_pattern($1, sssd_conf_t)
+	sssd_manage_pids($1)
 
-	files_search_var_lib($1)
-	admin_pattern($1, { sssd_var_lib_t sssd_public_t })
+	sssd_manage_lib_files($1)
 
-	files_search_pids($1)
-	admin_pattern($1, sssd_var_run_t)
+	admin_pattern($1, sssd_public_t)
+
+	sssd_systemctl($1)
+	admin_pattern($1, sssd_unit_file_t)
+	allow $1 sssd_unit_file_t:service all_service_perms;
 
-	logging_search_logs($1)
-	admin_pattern($1, sssd_log_t)
 ')
diff --git a/sssd.te b/sssd.te
index 2d8db1fa3b..07cf9c8ac6 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,51 +28,58 @@ logging_log_file(sssd_var_log_t)
 type sssd_var_run_t;
 files_pid_file(sssd_var_run_t)
 
+type sssd_unit_file_t;
+systemd_unit_file(sssd_unit_file_t)
+
+type sssd_selinux_manager_t;
+type sssd_selinux_manager_exec_t;
+application_domain(sssd_selinux_manager_t, sssd_selinux_manager_exec_t)
+role system_r types sssd_selinux_manager_t;
+
 ########################################
 #
-# Local policy
+# sssd local policy
 #
 
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
+allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
 allow sssd_t self:capability2 block_suspend;
-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};
 allow sssd_t self:fifo_file rw_fifo_file_perms;
 allow sssd_t self:key manage_key_perms;
-allow sssd_t self:unix_stream_socket { accept connectto listen };
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
+list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
 
 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
 manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+allow sssd_t sssd_public_t:file map;
 
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+allow sssd_t sssd_var_lib_t:file map;
 files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
 
-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
-create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
-setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
 logging_log_filetrans(sssd_t, sssd_var_log_t, file)
 
 manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })
 
 kernel_read_network_state(sssd_t)
 kernel_read_system_state(sssd_t)
+kernel_request_load_module(sssd_t)
 
-corenet_all_recvfrom_unlabeled(sssd_t)
-corenet_all_recvfrom_netlabel(sssd_t)
-corenet_udp_sendrecv_generic_if(sssd_t)
-corenet_udp_sendrecv_generic_node(sssd_t)
-corenet_udp_sendrecv_all_ports(sssd_t)
-corenet_udp_bind_generic_node(sssd_t)
-
-corenet_sendrecv_generic_server_packets(sssd_t)
 corenet_udp_bind_generic_port(sssd_t)
 corenet_dontaudit_udp_bind_all_ports(sssd_t)
+corenet_tcp_connect_kerberos_password_port(sssd_t)
+corenet_tcp_connect_smbd_port(sssd_t)
+corenet_tcp_connect_http_port(sssd_t)
+corenet_tcp_connect_http_cache_port(sssd_t)
 
 corecmd_exec_bin(sssd_t)
 
@@ -83,28 +90,36 @@ domain_read_all_domains_state(sssd_t)
 domain_obj_id_change_exemption(sssd_t)
 
 files_list_tmp(sssd_t)
-files_read_etc_files(sssd_t)
 files_read_etc_runtime_files(sssd_t)
-files_read_usr_files(sssd_t)
 files_list_var_lib(sssd_t)
 
 fs_list_inotifyfs(sssd_t)
+fs_getattr_xattr_fs(sssd_t)
 
 selinux_validate_context(sssd_t)
+seutil_read_config(sssd_t)
 
 seutil_read_file_contexts(sssd_t)
 # sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
-# seutil_rw_login_config_dirs(sssd_t)
-# seutil_manage_login_config_files(sssd_t)
+seutil_rw_login_config_dirs(sssd_t)
+seutil_manage_login_config_files(sssd_t)
+
+seutil_dontaudit_access_check_load_policy(sssd_t)
+seutil_dontaudit_access_check_setfiles(sssd_t)
+seutil_dontaudit_access_check_semanage_read_lock(sssd_t)
+seutil_dontaudit_access_check_semanage_module_store(sssd_t)
 
 mls_file_read_to_clearance(sssd_t)
 mls_socket_read_to_clearance(sssd_t)
 mls_socket_write_to_clearance(sssd_t)
 mls_trusted_object(sssd_t)
 
+# auth_use_nsswitch(sssd_t)
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
 auth_manage_cache(sssd_t)
+# Bogus allow because we don't handle keyring properly in code.
+auth_login_manage_key(sssd_t)
 
 init_read_utmp(sssd_t)
 
@@ -112,18 +127,74 @@ logging_send_syslog_msg(sssd_t)
 logging_send_audit_msgs(sssd_t)
 
 miscfiles_read_generic_certs(sssd_t)
-miscfiles_read_localization(sssd_t)
+miscfiles_dontaudit_access_check_cert(sssd_t)
+miscfiles_map_generic_certs(sssd_t)
 
 sysnet_dns_name_resolve(sssd_t)
 sysnet_use_ldap(sssd_t)
 
+userdom_manage_tmp_role(system_r, sssd_t)
+userdom_manage_all_users_keys(sssd_t)
+userdom_dbus_send_all_users(sssd_t)
+userdom_home_reader(sssd_t)
+
 optional_policy(`
 	dbus_system_bus_client(sssd_t)
 	dbus_connect_system_bus(sssd_t)
 ')
 
 optional_policy(`
-	kerberos_read_config(sssd_t)
 	kerberos_manage_host_rcache(sssd_t)
-	kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
+	kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
+	kerberos_read_home_content(sssd_t)
+    kerberos_rw_config(sssd_t)
+    kerberos_rw_keytab(sssd_t)
+')
+
+optional_policy(`
+	dirsrv_stream_connect(sssd_t)
 ')
+
+optional_policy(`
+	ldap_stream_connect(sssd_t)
+	ldap_read_certs(sssd_t)
+')
+
+optional_policy(`
+    samba_manage_var_dirs(sssd_t)
+    samba_manage_var_files(sssd_t)
+')
+
+optional_policy(`
+	systemd_login_read_pid_files(sssd_t)
+')
+
+optional_policy(`
+    realmd_read_var_lib(sssd_t)
+')
+
+########################################
+#
+# sssd SELinux manager local policy
+#
+
+allow sssd_selinux_manager_t self:capability { setgid setuid };
+dontaudit sssd_selinux_manager_t self:capability net_admin;
+
+domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)
+allow sssd_t sssd_selinux_manager_exec_t:file map;
+
+init_ioctl_stream_sockets(sssd_selinux_manager_t)
+
+logging_send_audit_msgs(sssd_selinux_manager_t)
+
+seutil_semanage_policy(sssd_selinux_manager_t)
+seutil_manage_file_contexts(sssd_selinux_manager_t)
+seutil_manage_config(sssd_selinux_manager_t)
+seutil_manage_login_config(sssd_selinux_manager_t)
+seutil_manage_default_contexts(sssd_selinux_manager_t)
+seutil_manage_default_contexts_dirs(sssd_selinux_manager_t)
+
+seutil_exec_setfiles(sssd_selinux_manager_t)
+logging_dontaudit_search_audit_logs(sssd_selinux_manager_t)
+
diff --git a/stapserver.fc b/stapserver.fc
new file mode 100644
index 0000000000..0ccce5918f
--- /dev/null
+++ b/stapserver.fc
@@ -0,0 +1,7 @@
+/usr/bin/stap-server		--	gen_context(system_u:object_r:stapserver_exec_t,s0)
+
+/var/lib/stap-server(/.*)?		gen_context(system_u:object_r:stapserver_var_lib_t,s0)
+
+/var/log/stap-server(/.*)?		gen_context(system_u:object_r:stapserver_log_t,s0)
+
+/var/run/stap-server(/.*)?		gen_context(system_u:object_r:stapserver_var_run_t,s0)
diff --git a/stapserver.if b/stapserver.if
new file mode 100644
index 0000000000..80c6480555
--- /dev/null
+++ b/stapserver.if
@@ -0,0 +1,151 @@
+
+## <summary> Instrumentation System Server </summary>
+
+########################################
+## <summary>
+##	Execute stapserver in the stapserver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`stapserver_domtrans',`
+	gen_require(`
+		type stapserver_t, stapserver_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, stapserver_exec_t, stapserver_t)
+')
+########################################
+## <summary>
+##	Read stapserver's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`stapserver_read_log',`
+	gen_require(`
+		type stapserver_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, stapserver_log_t, stapserver_log_t)
+')
+
+########################################
+## <summary>
+##	Append to stapserver log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`stapserver_append_log',`
+	gen_require(`
+		type stapserver_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, stapserver_log_t, stapserver_log_t)
+')
+
+########################################
+## <summary>
+##	Manage stapserver log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`stapserver_manage_log',`
+	gen_require(`
+		type stapserver_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
+	manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
+	manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
+')
+########################################
+## <summary>
+##	Read stapserver PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`stapserver_read_pid_files',`
+	gen_require(`
+		type stapserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 stapserver_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##      Manage stapserver lib files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`stapserver_manage_lib',`
+        gen_require(`
+                type stapserver_var_lib_t;
+        ')
+
+        manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
+        manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an stapserver environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`stapserver_admin',`
+	gen_require(`
+		type stapserver_t;
+		type stapserver_log_t;
+		type stapserver_var_run_t;
+	')
+
+	allow $1 stapserver_t:process { ptrace signal_perms };
+	ps_process_pattern($1, stapserver_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, stapserver_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, stapserver_var_run_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/systemtap.te b/stapserver.te
similarity index 62%
rename from systemtap.te
rename to stapserver.te
index ffde368643..fbfffa42ab 100644
--- a/systemtap.te
+++ b/stapserver.te
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.1.0)
+policy_module(stapserver, 1.1.0)
 
 ########################################
 #
@@ -9,12 +9,6 @@ type stapserver_t;
 type stapserver_exec_t;
 init_daemon_domain(stapserver_t, stapserver_exec_t)
 
-type stapserver_initrc_exec_t;
-init_script_file(stapserver_initrc_exec_t)
-
-type stapserver_conf_t;
-files_config_file(stapserver_conf_t)
-
 type stapserver_var_lib_t;
 files_type(stapserver_var_lib_t)
 
@@ -24,50 +18,64 @@ logging_log_file(stapserver_log_t)
 type stapserver_var_run_t;
 files_pid_file(stapserver_var_run_t)
 
+type stapserver_tmp_t;
+files_tmp_file(stapserver_tmp_t)
+
 ########################################
 #
-# Local policy
+# stapserver local policy
 #
 
-allow stapserver_t self:capability { dac_override kill setuid setgid };
-allow stapserver_t self:process { setrlimit setsched signal };
+#runuser
+allow stapserver_t self:capability { setuid setgid };
+allow stapserver_t self:process setsched;
+
+allow stapserver_t self:capability { dac_read_search dac_override kill sys_ptrace};
+allow stapserver_t self:process { setrlimit signal };
+
 allow stapserver_t self:fifo_file rw_fifo_file_perms;
 allow stapserver_t self:key write;
-allow stapserver_t self:unix_stream_socket { accept listen };
-allow stapserver_t self:tcp_socket create_stream_socket_perms;
-
-allow stapserver_t stapserver_conf_t:file read_file_perms;
+allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
+allow stapserver_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
 manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
 files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
 
 manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
 
+manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
+manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
+manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
+files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })
+allow stapserver_t stapserver_tmp_t:file map;
+
 manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
 manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
 files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
 
-kernel_read_kernel_sysctls(stapserver_t)
 kernel_read_system_state(stapserver_t)
+kernel_read_kernel_sysctls(stapserver_t)
+files_list_kernel_modules(stapserver_t)
 
 corecmd_exec_bin(stapserver_t)
 corecmd_exec_shell(stapserver_t)
 
 domain_read_all_domains_state(stapserver_t)
+domain_use_interactive_fds(stapserver_t)
 
-dev_read_rand(stapserver_t)
 dev_read_sysfs(stapserver_t)
+dev_read_rand(stapserver_t)
 dev_read_urand(stapserver_t)
 
 files_list_tmp(stapserver_t)
-files_read_usr_files(stapserver_t)
 files_search_kernel_modules(stapserver_t)
 
+fs_search_cgroup_dirs(stapserver_t)
+fs_getattr_all_fs(stapserver_t)
+
 auth_use_nsswitch(stapserver_t)
 
 init_read_utmp(stapserver_t)
@@ -75,11 +83,17 @@ init_read_utmp(stapserver_t)
 logging_send_audit_msgs(stapserver_t)
 logging_send_syslog_msg(stapserver_t)
 
-miscfiles_read_localization(stapserver_t)
+#lspci
 miscfiles_read_hwdata(stapserver_t)
 
+systemd_dbus_chat_logind(stapserver_t)
+
 userdom_use_user_terminals(stapserver_t)
 
+optional_policy(`
+    avahi_dbus_chat(stapserver_t)
+')
+
 optional_policy(`
 	consoletype_exec(stapserver_t)
 ')
@@ -99,3 +113,4 @@ optional_policy(`
 optional_policy(`
 	rpm_exec(stapserver_t)
 ')
+
diff --git a/stunnel.fc b/stunnel.fc
index 49dd63ca10..ae2e798f55 100644
--- a/stunnel.fc
+++ b/stunnel.fc
@@ -5,3 +5,5 @@
 /usr/sbin/stunnel	--	gen_context(system_u:object_r:stunnel_exec_t,s0)
 
 /var/run/stunnel(/.*)?	gen_context(system_u:object_r:stunnel_var_run_t,s0)
+
+/var/log/stunnel.* 		--	gen_context(system_u:object_r:stunnel_log_t,s0)
diff --git a/stunnel.te b/stunnel.te
index 27a8480bc9..89b475bcb7 100644
--- a/stunnel.te
+++ b/stunnel.te
@@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t)
 type stunnel_etc_t;
 files_config_file(stunnel_etc_t)
 
+type stunnel_log_t;
+logging_log_file(stunnel_log_t)
+
 type stunnel_tmp_t;
 files_tmp_file(stunnel_tmp_t)
 
@@ -23,9 +26,9 @@ files_pid_file(stunnel_var_run_t)
 # Local policy
 #
 
-allow stunnel_t self:capability { setgid setuid sys_chroot };
+allow stunnel_t self:capability { setgid setuid sys_nice sys_chroot };
 dontaudit stunnel_t self:capability sys_tty_config;
-allow stunnel_t self:process signal_perms;
+allow stunnel_t self:process { setsched signal_perms };
 allow stunnel_t self:fifo_file rw_fifo_file_perms;
 allow stunnel_t self:tcp_socket { accept listen };
 allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms;
 allow stunnel_t stunnel_etc_t:file read_file_perms;
 allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
 
+allow stunnel_t stunnel_log_t:file manage_file_perms;
+logging_log_filetrans(stunnel_t, stunnel_log_t, file)
+
 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
@@ -48,7 +54,6 @@ kernel_read_network_state(stunnel_t)
 
 corecmd_exec_bin(stunnel_t)
 
-corenet_all_recvfrom_unlabeled(stunnel_t)
 corenet_all_recvfrom_netlabel(stunnel_t)
 corenet_tcp_sendrecv_generic_if(stunnel_t)
 corenet_tcp_sendrecv_generic_node(stunnel_t)
@@ -75,7 +80,6 @@ auth_use_nsswitch(stunnel_t)
 logging_send_syslog_msg(stunnel_t)
 
 miscfiles_read_generic_certs(stunnel_t)
-miscfiles_read_localization(stunnel_t)
 
 userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
 userdom_dontaudit_search_user_home_dirs(stunnel_t)
@@ -105,4 +109,5 @@ optional_policy(`
 gen_require(`
 	type stunnel_port_t;
 ')
+
 allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/svnserve.fc b/svnserve.fc
index effffd0285..0d5c275de9 100644
--- a/svnserve.fc
+++ b/svnserve.fc
@@ -1,8 +1,15 @@
-/etc/rc\.d/init\.d/svnserve	--	gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
+/etc/rc.d/init.d/svnserve	--	gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
 
-/usr/bin/svnserve	--	gen_context(system_u:object_r:svnserve_exec_t,s0)
+/usr/bin/svnserve		--	gen_context(system_u:object_r:svnserve_exec_t,s0)
 
-/var/lib/subversion/repo(/.*)?	gen_context(system_u:object_r:svnserve_content_t,s0)
+/lib/systemd/system/svnserve\.service                --      gen_context(system_u:object_r:svnserve_unit_file_t,s0)
+/usr/lib/systemd/system/svnserve\.service                --      gen_context(system_u:object_r:svnserve_unit_file_t,s0)
 
-/var/run/svnserve(/.*)?	gen_context(system_u:object_r:svnserve_var_run_t,s0)
-/var/run/svnserve\.pid	--	gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/var/run/svnserve(/.*)?			gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/var/run/svnserve.pid		--	gen_context(system_u:object_r:svnserve_var_run_t,s0)
+
+/var/svn(/.*)?                  gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
+/var/lib/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
+
+/var/log/svnserve(/.*)?					gen_context(system_u:object_r:svnserve_log_t,s0)
diff --git a/svnserve.if b/svnserve.if
index 2ac91b6e0a..a97033d2b7 100644
--- a/svnserve.if
+++ b/svnserve.if
@@ -1,35 +1,119 @@
-## <summary>Server for the svn repository access method.</summary>
+
+## <summary>policy for svnserve</summary>
+
+
+########################################
+## <summary>
+##	Transition to svnserve.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`svnserve_domtrans',`
+	gen_require(`
+		type svnserve_t, svnserve_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, svnserve_exec_t, svnserve_t)
+')
+
+
+########################################
+## <summary>
+##	Execute svnserve server in the svnserve domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`svnserve_initrc_domtrans',`
+	gen_require(`
+		type svnserve_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##      Execute svnserve server in the svnserve domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`svnserve_systemctl',`
+        gen_require(`
+                type svnserve_t;
+                type svnserve_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        allow $1 svnserve_unit_file_t:file read_file_perms;
+        allow $1 svnserve_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, svnserve_t)
+')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an svnserve environment.
+##	Read svnserve PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`svnserve_read_pid_files',`
+	gen_require(`
+		type svnserve_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 svnserve_var_run_t:file read_file_perms;
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an svnserve environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`svnserve_admin',`
 	gen_require(`
-		type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t;
+		type svnserve_t;
+		type svnserve_var_run_t;
+		type svnserve_unit_file_t;
 	')
 
 	allow $1 svnserve_t:process { ptrace signal_perms };
 	ps_process_pattern($1, svnserve_t)
 
-	init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 svnserve_initrc_exec_t system_r;
-	allow $2 system_r;
-
 	files_search_pids($1)
-	admin_pattern($1, httpd_var_run_t)
+	admin_pattern($1, svnserve_var_run_t)
+
+	svnserve_systemctl($1)
+	admin_pattern($1, svnserve_unit_file_t)
+	allow $1 svnserve_unit_file_t:service all_service_perms;
+        optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
+
diff --git a/svnserve.te b/svnserve.te
index 49d688d66b..ed880b23c9 100644
--- a/svnserve.te
+++ b/svnserve.te
@@ -12,12 +12,21 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
 type svnserve_initrc_exec_t;
 init_script_file(svnserve_initrc_exec_t)
 
+type svnserve_unit_file_t;
+systemd_unit_file(svnserve_unit_file_t)
+
 type svnserve_content_t;
 files_type(svnserve_content_t)
 
 type svnserve_var_run_t;
 files_pid_file(svnserve_var_run_t)
 
+type svnserve_tmp_t;
+files_tmp_file(svnserve_tmp_t)
+
+type svnserve_log_t;
+logging_log_file(svnserve_log_t)
+
 ########################################
 #
 # Local policy
@@ -27,15 +36,29 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
 allow svnserve_t self:tcp_socket create_stream_socket_perms;
 allow svnserve_t self:unix_stream_socket { listen accept };
 
+manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
+manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
+manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
+files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir })
+
 manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
 manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+allow svnserve_t svnserve_content_t:file { execute execute_no_trans };
 
 manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
 manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
 files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
 
-files_read_etc_files(svnserve_t)
-files_read_usr_files(svnserve_t)
+manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)
+manage_dirs_pattern(svnserve_t, svnserve_log_t, svnserve_log_t)
+logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file })
+
+kernel_read_system_state(svnserve_t)
+
+auth_use_nsswitch(svnserve_t)
+
+corecmd_exec_bin(svnserve_t)
+corecmd_exec_shell(svnserve_t)
 
 corenet_all_recvfrom_unlabeled(svnserve_t)
 corenet_all_recvfrom_netlabel(svnserve_t)
@@ -52,8 +75,20 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
 corenet_udp_bind_svn_port(svnserve_t)
 corenet_udp_sendrecv_svn_port(svnserve_t)
 
-logging_send_syslog_msg(svnserve_t)
+dev_read_rand(svnserve_t)
+dev_read_urand(svnserve_t)
 
-miscfiles_read_localization(svnserve_t)
+logging_send_syslog_msg(svnserve_t)
 
 sysnet_dns_name_resolve(svnserve_t)
+
+optional_policy(`
+	kerberos_use(svnserve_t)
+    kerberos_read_keytab(svnserve_t)
+    kerberos_manage_host_rcache(svnserve_t)
+    kerberos_tmp_filetrans_host_rcache(svnserve_t, "svn_0")
+')
+
+optional_policy(`
+    sasl_connect(svnserve_t)
+')
diff --git a/swift.fc b/swift.fc
new file mode 100644
index 0000000000..6d897bc25f
--- /dev/null
+++ b/swift.fc
@@ -0,0 +1,36 @@
+/usr/bin/swift-account-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-reaper		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
+
+/usr/bin/swift-container-auditor	--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-sync		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-updater	--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-container-reconciler	--	gen_context(system_u:object_r:swift_exec_t,s0)
+
+/usr/bin/swift-object-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-info		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-expirer   --  gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-replicator		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-updater		--	gen_context(system_u:object_r:swift_exec_t,s0)
+
+/usr/bin/swift-proxy-server         --  gen_context(system_u:object_r:swift_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-swift.*      --  gen_context(system_u:object_r:swift_unit_file_t,s0)
+
+/var/lock/swift.*                   gen_context(system_u:object_r:swift_lock_t,s0)
+/var/cache/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_cache_t,s0)
+/var/run/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_run_t,s0)
+
+/var/lib/swift(/.*)?                gen_context(system_u:object_r:swift_data_t,s0)
+
+# This seems to be a de-facto standard when using swift.
+/srv/node(/.*)?		gen_context(system_u:object_r:swift_data_t,s0)
+
+# This is specific to RHOS's packstack utility
+ifdef(`distro_redhat', `
+/srv/loopback-device(/.*)?		gen_context(system_u:object_r:swift_data_t,s0)
+')
diff --git a/swift.if b/swift.if
new file mode 100644
index 0000000000..af26807a78
--- /dev/null
+++ b/swift.if
@@ -0,0 +1,156 @@
+
+## <summary>policy for swift</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the swift domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`swift_domtrans',`
+	gen_require(`
+		type swift_t, swift_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, swift_exec_t, swift_t)
+')
+
+########################################
+## <summary>
+##	Read swift PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`swift_read_pid_files',`
+	gen_require(`
+		type swift_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, swift_var_run_t, swift_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage swift data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`swift_manage_data_files',`
+	gen_require(`
+		type swift_data_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, swift_data_t, swift_data_t)
+	manage_dirs_pattern($1, swift_data_t, swift_data_t)
+')
+
+#####################################
+## <summary>
+##	Read and write swift lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`swift_manage_lock',`
+	gen_require(`
+		type swift_lock_t;
+	')
+
+	files_search_locks($1)
+    manage_files_pattern($1, swift_lock_t, swift_lock_t)
+')
+
+#######################################
+## <summary>
+##  Transition content labels to swift named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`swift_filetrans_named_lock',`
+    gen_require(`
+        type swift_lock_t;
+    ')
+
+    files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
+')
+
+########################################
+## <summary>
+##	Execute swift server in the swift domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`swift_systemctl',`
+	gen_require(`
+		type swift_t;
+		type swift_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 swift_unit_file_t:file read_file_perms;
+	allow $1 swift_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, swift_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an swift environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`swift_admin',`
+	gen_require(`
+		type swift_t;
+		type swift_var_run_t;
+	type swift_unit_file_t;
+	')
+
+	allow $1 swift_t:process { ptrace signal_perms };
+	ps_process_pattern($1, swift_t)
+
+	files_search_pids($1)
+	admin_pattern($1, swift_var_run_t)
+
+	swift_systemctl($1)
+	admin_pattern($1, swift_unit_file_t)
+	allow $1 swift_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/swift.te b/swift.te
new file mode 100644
index 0000000000..c2f086fe70
--- /dev/null
+++ b/swift.te
@@ -0,0 +1,129 @@
+policy_module(swift, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##	Determine whether swift can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(swift_can_network, false)
+
+
+type swift_t;
+type swift_exec_t;
+init_daemon_domain(swift_t, swift_exec_t)
+
+type swift_lock_t;
+files_lock_file(swift_lock_t)
+
+type swift_tmp_t;
+files_tmp_file(swift_tmp_t)
+
+type swift_tmpfs_t;
+files_tmpfs_file(swift_tmpfs_t)
+
+type swift_var_cache_t;
+files_type(swift_var_cache_t)
+
+type swift_var_run_t;
+files_pid_file(swift_var_run_t)
+
+type swift_unit_file_t;
+systemd_unit_file(swift_unit_file_t)
+
+type swift_data_t;
+files_type(swift_data_t)
+
+########################################
+#
+# swift local policy
+#
+
+allow swift_t self:process signal;
+
+allow swift_t self:fifo_file rw_fifo_file_perms;
+allow swift_t self:tcp_socket create_stream_socket_perms;
+allow swift_t self:unix_stream_socket create_stream_socket_perms;
+allow swift_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t)
+manage_files_pattern(swift_t, swift_lock_t, swift_lock_t)
+files_lock_filetrans(swift_t, swift_lock_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+files_var_filetrans(swift_t,swift_var_cache_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+files_pid_filetrans(swift_t, swift_var_run_t, { dir })
+
+# swift makes use of rsync, so we need to give rsync permissions
+# to edit swift_data_t files as well as swift_t those permissions
+manage_dirs_pattern(swift_t, swift_data_t, swift_data_t)
+manage_files_pattern(swift_t, swift_data_t, swift_data_t)
+
+kernel_dgram_send(swift_t)
+kernel_read_system_state(swift_t)
+kernel_read_network_state(swift_t)
+
+# bug in swift
+corenet_tcp_bind_xserver_port(swift_t)
+
+corenet_tcp_bind_swift_port(swift_t)
+corenet_tcp_bind_http_cache_port(swift_t)
+
+corenet_tcp_connect_xserver_port(swift_t)
+corenet_tcp_connect_swift_port(swift_t)
+corenet_tcp_connect_keystone_port(swift_t)
+corenet_tcp_connect_memcache_port(swift_t)
+corenet_tcp_connect_all_ephemeral_ports(swift_t)
+
+corecmd_exec_shell(swift_t)
+corecmd_exec_bin(swift_t)
+
+dev_read_urand(swift_t)
+
+domain_use_interactive_fds(swift_t)
+
+files_dontaudit_search_home(swift_t)
+
+fs_getattr_all_fs(swift_t)
+
+auth_use_nsswitch(swift_t)
+
+libs_exec_ldconfig(swift_t)
+
+logging_send_syslog_msg(swift_t)
+
+userdom_dontaudit_search_user_home_dirs(swift_t)
+
+tunable_policy(`swift_can_network',`
+	corenet_sendrecv_all_client_packets(swift_t)
+	corenet_tcp_connect_all_ports(swift_t)
+	corenet_tcp_sendrecv_all_ports(swift_t)
+')
+
+optional_policy(`
+    apache_search_config(swift_t)
+')
+
+optional_policy(`
+    rpm_exec(swift_t)
+    rpm_dontaudit_manage_db(swift_t)
+')
diff --git a/swift_alias.fc b/swift_alias.fc
new file mode 100644
index 0000000000..b7db25411d
--- /dev/null
+++ b/swift_alias.fc
@@ -0,0 +1 @@
+# Empty
diff --git a/swift_alias.if b/swift_alias.if
new file mode 100644
index 0000000000..3fed1a374f
--- /dev/null
+++ b/swift_alias.if
@@ -0,0 +1,2 @@
+
+## <summary>swift_alias policy module</summary>
diff --git a/swift_alias.te b/swift_alias.te
new file mode 100644
index 0000000000..6e39c4ffff
--- /dev/null
+++ b/swift_alias.te
@@ -0,0 +1,26 @@
+policy_module(swift_alias, 1.0.0)
+
+#
+# swift_alias.pp policy replaces swift.pp policy
+# which is a part of openstack-selinux.rpm package
+#
+
+########################################
+#
+# Declarations
+#
+
+#call stub interfaces for basic types
+init_stub_initrc()
+corecmd_stub_bin()
+files_stub_var_run()
+files_stub_var()
+systemd_stub_unit_file()
+
+typealias initrc_t alias swift_t;
+typealias bin_t alias swift_exec_t;
+typealias var_run_t alias swift_var_run_t;
+typealias systemd_unit_file_t alias swift_unit_file_t;
+typealias var_t alias swift_data_t;
+
+
diff --git a/sxid.te b/sxid.te
index 01a9d0acd6..154872e4bf 100644
--- a/sxid.te
+++ b/sxid.te
@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
 corecmd_exec_bin(sxid_t)
 corecmd_exec_shell(sxid_t)
 
-corenet_all_recvfrom_unlabeled(sxid_t)
 corenet_all_recvfrom_netlabel(sxid_t)
 corenet_tcp_sendrecv_generic_if(sxid_t)
 corenet_udp_sendrecv_generic_if(sxid_t)
@@ -66,7 +65,7 @@ fs_list_all(sxid_t)
 
 term_dontaudit_use_console(sxid_t)
 
-files_read_non_auth_files(sxid_t)
+files_read_non_security_files(sxid_t)
 auth_dontaudit_getattr_shadow(sxid_t)
 
 init_use_fds(sxid_t)
@@ -74,8 +73,6 @@ init_use_script_ptys(sxid_t)
 
 logging_send_syslog_msg(sxid_t)
 
-miscfiles_read_localization(sxid_t)
-
 sysnet_read_config(sxid_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sxid_t)
diff --git a/sysstat.te b/sysstat.te
index b92f6775a5..efb2f855c4 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -20,13 +20,11 @@ logging_log_file(sysstat_log_t)
 # Local policy
 #
 
-allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
+allow sysstat_t self:capability { dac_read_search dac_override sys_admin sys_resource sys_tty_config };
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
 
@@ -38,6 +36,7 @@ kernel_read_kernel_sysctls(sysstat_t)
 kernel_read_fs_sysctls(sysstat_t)
 kernel_read_rpc_sysctls(sysstat_t)
 
+corecmd_exec_shell(sysstat_t)
 corecmd_exec_bin(sysstat_t)
 
 dev_read_sysfs(sysstat_t)
@@ -45,12 +44,15 @@ dev_read_urand(sysstat_t)
 
 files_search_var(sysstat_t)
 files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
 
-fs_getattr_xattr_fs(sysstat_t)
+fs_getattr_all_fs(sysstat_t)
 fs_list_inotifyfs(sysstat_t)
 
+storage_getattr_fixed_disk_dev(sysstat_t)
+
 term_use_console(sysstat_t)
-term_use_all_terms(sysstat_t)
+term_use_all_inherited_terms(sysstat_t)
 
 auth_use_nsswitch(sysstat_t)
 
@@ -60,10 +62,9 @@ locallogin_use_fds(sysstat_t)
 
 logging_send_syslog_msg(sysstat_t)
 
-miscfiles_read_localization(sysstat_t)
-
 userdom_dontaudit_list_user_home_dirs(sysstat_t)
 
 optional_policy(`
 	cron_system_entry(sysstat_t, sysstat_exec_t)
 ')
+
diff --git a/systemtap.fc b/systemtap.fc
deleted file mode 100644
index 1710cbbe8f..0000000000
--- a/systemtap.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/etc/stap-server(/.*)?	--	gen_context(system_u:object_r:stapserver_conf_t,s0)
-
-/etc/rc\.d/init\.d/stap-server	--	gen_context(system_u:object_r:stapserver_initrc_exec_t,s0)
-
-/usr/bin/stap-server	--	gen_context(system_u:object_r:stapserver_exec_t,s0)
-
-/var/lib/stap-server(/.*)?	gen_context(system_u:object_r:stapserver_var_lib_t,s0)
-
-/var/log/stap-server(/.*)?	gen_context(system_u:object_r:stapserver_log_t,s0)
-
-/var/run/stap-server(/.*)?	gen_context(system_u:object_r:stapserver_var_run_t,s0)
diff --git a/systemtap.if b/systemtap.if
deleted file mode 100644
index c755e2d93c..0000000000
--- a/systemtap.if
+++ /dev/null
@@ -1,45 +0,0 @@
-## <summary>instrumentation system for Linux.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an stapserver environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`stapserver_admin',`
-	gen_require(`
-		type stapserver_t, stapserver_conf_t, stapserver_log_t;
-		type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
-	')
-
-	allow $1 stapserver_t:process { ptrace signal_perms };
-	ps_process_pattern($1, stapserver_t)
-
-	init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 stapserver_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_search_etc($1)
-	admin_pattern($1, stapserver_conf_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, stapserver_var_lib_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, stapserver_log_t)
-
-	files_search_pids($1)
-	admin_pattern($1, stapserver_var_run_t)
-')
diff --git a/tangd.fc b/tangd.fc
new file mode 100644
index 0000000000..530593ba51
--- /dev/null
+++ b/tangd.fc
@@ -0,0 +1,10 @@
+/usr/lib/systemd/system/tang.*		--	gen_context(system_u:object_r:tangd_unit_file_t,s0)
+/usr/lib/systemd/system/tangd-keygen.* --	gen_context(system_u:object_r:tangd_unit_file_t,s0)
+
+/usr/libexec/tangd		--	gen_context(system_u:object_r:tangd_exec_t,s0)
+/usr/libexec/tangd-keygen		--	gen_context(system_u:object_r:tangd_exec_t,s0)
+/usr/libexec/tangd-update		--	gen_context(system_u:object_r:tangd_exec_t,s0)
+
+/var/cache/tang(/.*)?		gen_context(system_u:object_r:tangd_cache_t,s0)
+
+/var/db/tang(/.*)?		gen_context(system_u:object_r:tangd_db_t,s0)
diff --git a/tangd.if b/tangd.if
new file mode 100644
index 0000000000..37c8b69087
--- /dev/null
+++ b/tangd.if
@@ -0,0 +1,40 @@
+## <summary>policy for tangd</summary>
+
+########################################
+## <summary>
+##	Execute tangd_exec_t in the tangd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tangd_domtrans',`
+	gen_require(`
+		type tangd_t, tangd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, tangd_exec_t, tangd_t)
+')
+
+######################################
+## <summary>
+##	Execute tangd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tangd_exec',`
+	gen_require(`
+		type tangd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, tangd_exec_t)
+')
+
diff --git a/tangd.te b/tangd.te
new file mode 100644
index 0000000000..ee4c6a4502
--- /dev/null
+++ b/tangd.te
@@ -0,0 +1,49 @@
+policy_module(tangd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tangd_t;
+type tangd_exec_t;
+init_daemon_domain(tangd_t, tangd_exec_t)
+
+type tangd_unit_file_t;
+systemd_unit_file(tangd_unit_file_t)
+
+type tangd_cache_t;
+files_pid_file(tangd_cache_t)
+
+type tangd_db_t;
+files_type(tangd_db_t)
+
+########################################
+#
+# tangd local policy
+#
+allow tangd_t self:capability { dac_read_search dac_override };
+
+allow tangd_t self:fifo_file rw_fifo_file_perms;
+allow tangd_t self:unix_stream_socket create_stream_socket_perms;
+allow tangd_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(tangd_t, tangd_cache_t, tangd_cache_t)
+manage_lnk_files_pattern(tangd_t, tangd_cache_t, tangd_cache_t)
+manage_dirs_pattern(tangd_t, tangd_cache_t, tangd_cache_t)
+files_var_filetrans(tangd_t, tangd_cache_t, { file dir lnk_file })
+
+manage_files_pattern(tangd_t, tangd_db_t, tangd_db_t)
+manage_dirs_pattern(tangd_t, tangd_db_t, tangd_db_t)
+
+kernel_read_system_state(tangd_t)
+
+auth_read_passwd(tangd_t)
+
+corenet_tcp_bind_generic_node(tangd_t)
+corenet_tcp_bind_http_port(tangd_t)
+corenet_tcp_bind_tangd_port(tangd_t)
+
+corecmd_exec_bin(tangd_t)
+
+miscfiles_read_certs(tangd_t)
diff --git a/targetd.fc b/targetd.fc
new file mode 100644
index 0000000000..c1ef0535ff
--- /dev/null
+++ b/targetd.fc
@@ -0,0 +1,5 @@
+/etc/target(/.*)?		gen_context(system_u:object_r:targetd_etc_rw_t,s0)
+
+/usr/bin/targetd		--	gen_context(system_u:object_r:targetd_exec_t,s0)
+
+/usr/lib/systemd/system/targetd.*		--	gen_context(system_u:object_r:targetd_unit_file_t,s0)
diff --git a/targetd.if b/targetd.if
new file mode 100644
index 0000000000..a6e216c732
--- /dev/null
+++ b/targetd.if
@@ -0,0 +1,167 @@
+
+## <summary> Targetd  is  a service to allow the remote configuration of block device volumes and file systems within dedicated pools </summary>
+
+########################################
+## <summary>
+##	Execute targetd_exec_t in the targetd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`targetd_domtrans',`
+	gen_require(`
+		type targetd_t, targetd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, targetd_exec_t, targetd_t)
+')
+
+######################################
+## <summary>
+##	Execute targetd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`targetd_exec',`
+	gen_require(`
+		type targetd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, targetd_exec_t)
+')
+
+########################################
+## <summary>
+##	Search targetd conf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`targetd_search_conf',`
+	gen_require(`
+		type targetd_etc_rw_t;
+	')
+
+	allow $1 targetd_etc_rw_t:dir search_dir_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Read targetd conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`targetd_read_conf_files',`
+	gen_require(`
+		type targetd_etc_rw_t;
+	')
+
+	allow $1 targetd_etc_rw_t:dir list_dir_perms;
+	read_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Manage targetd conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`targetd_manage_conf_files',`
+	gen_require(`
+		type targetd_etc_rw_t;
+	')
+
+	manage_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Execute targetd server in the targetd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`targetd_systemctl',`
+	gen_require(`
+		type targetd_t;
+		type targetd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 targetd_unit_file_t:file read_file_perms;
+	allow $1 targetd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, targetd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an targetd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`targetd_admin',`
+	gen_require(`
+		type targetd_t;
+		type targetd_etc_rw_t;
+	type targetd_unit_file_t;
+	')
+
+	allow $1 targetd_t:process { signal_perms };
+	ps_process_pattern($1, targetd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 targetd_t:process ptrace;
+    ')
+
+	files_search_etc($1)
+	admin_pattern($1, targetd_etc_rw_t)
+
+	targetd_systemctl($1)
+	admin_pattern($1, targetd_unit_file_t)
+	allow $1 targetd_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
index 0000000000..3496fd830a
--- /dev/null
+++ b/targetd.te
@@ -0,0 +1,115 @@
+policy_module(targetd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type targetd_t;
+type targetd_exec_t;
+init_daemon_domain(targetd_t, targetd_exec_t)
+
+type targetd_etc_rw_t;
+files_type(targetd_etc_rw_t)
+
+type targetd_unit_file_t;
+systemd_unit_file(targetd_unit_file_t)
+
+type targetd_tmp_t;
+files_tmp_file(targetd_tmp_t)
+
+########################################
+#
+# targetd local policy
+#
+
+allow targetd_t self:capability { ipc_lock sys_admin sys_nice };
+allow targetd_t self:fifo_file rw_fifo_file_perms;
+allow targetd_t self:unix_stream_socket create_stream_socket_perms;
+allow targetd_t self:unix_dgram_socket create_socket_perms;
+allow targetd_t self:tcp_socket { accept listen };
+allow targetd_t self:netlink_route_socket r_netlink_socket_perms;
+allow targetd_t self:process { setfscreate setsched };
+
+manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t)
+files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file })
+
+manage_dirs_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
+manage_files_pattern(targetd_t, targetd_tmp_t, targetd_tmp_t)
+files_tmp_filetrans(targetd_t, targetd_tmp_t, { file dir })
+
+files_rw_isid_type_dirs(targetd_t)
+
+fs_getattr_xattr_fs(targetd_t)
+fs_manage_configfs_files(targetd_t)
+fs_manage_configfs_lnk_files(targetd_t)
+fs_manage_configfs_dirs(targetd_t)
+fs_read_nfsd_files(targetd_t)
+
+kernel_rw_rpc_sysctls(targetd_t)
+kernel_get_sysvipc_info(targetd_t)
+kernel_read_system_state(targetd_t)
+kernel_read_network_state(targetd_t)
+kernel_load_module(targetd_t)
+kernel_request_load_module(targetd_t)
+kernel_dgram_send(targetd_t)
+
+rpc_read_exports(targetd_t)
+
+storage_raw_rw_fixed_disk(targetd_t)
+
+auth_use_nsswitch(targetd_t)
+
+corecmd_exec_shell(targetd_t)
+corecmd_exec_bin(targetd_t)
+
+corenet_tcp_bind_generic_node(targetd_t)
+corenet_tcp_bind_lsm_plugin_port(targetd_t)
+
+dev_rw_sysfs(targetd_t)
+dev_read_urand(targetd_t)
+dev_rw_lvm_control(targetd_t)
+dev_getattr_loop_control(targetd_t)
+
+libs_exec_ldconfig(targetd_t)
+
+seutil_dontaudit_read_module_store(targetd_t)
+
+storage_raw_read_fixed_disk(targetd_t)
+storage_raw_read_removable_device(targetd_t)
+
+sysnet_read_config(targetd_t)
+
+optional_policy(`
+    gnome_read_generic_data_home_dirs(targetd_t)
+')
+
+optional_policy(`
+   lvm_read_config(targetd_t)
+   lvm_map_config(targetd_t)
+   lvm_write_metadata(targetd_t)
+   lvm_manage_metadata(targetd_t)
+   lvm_manage_lock(targetd_t)
+   lvm_rw_pipes(targetd_t)
+   lvm_stream_connect(targetd_t)
+')
+
+optional_policy(`
+    modutils_read_module_config(targetd_t)
+    modutils_dontaudit_exec_insmod(targetd_t)
+')
+
+optional_policy(`
+    rpc_manage_nfs_state_data(targetd_t)
+')
+
+optional_policy(`
+    rpm_dontaudit_read_db(targetd_t)
+    rpm_dontaudit_exec(targetd_t)
+')
+
+optional_policy(`
+   udev_read_pid_files(targetd_t)
+')
+
diff --git a/tcpd.te b/tcpd.te
index 2d6d2c23d6..db18a804b4 100644
--- a/tcpd.te
+++ b/tcpd.te
@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
 manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
 files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
 
-corenet_all_recvfrom_unlabeled(tcpd_t)
 corenet_all_recvfrom_netlabel(tcpd_t)
 corenet_tcp_sendrecv_generic_if(tcpd_t)
 corenet_tcp_sendrecv_generic_node(tcpd_t)
@@ -31,15 +30,12 @@ corenet_tcp_sendrecv_all_ports(tcpd_t)
 
 fs_getattr_xattr_fs(tcpd_t)
 
-corecmd_search_bin(tcpd_t)
+corecmd_exec_bin(tcpd_t)
 
-files_read_etc_files(tcpd_t)
 files_dontaudit_search_var(tcpd_t)
 
 logging_send_syslog_msg(tcpd_t)
 
-miscfiles_read_localization(tcpd_t)
-
 sysnet_read_config(tcpd_t)
 
 inetd_domtrans_child(tcpd_t)
diff --git a/tcsd.if b/tcsd.if
index b42ec1d832..91b8f71dc6 100644
--- a/tcsd.if
+++ b/tcsd.if
@@ -138,8 +138,11 @@ interface(`tcsd_admin',`
 		type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t;
 	')
 
-	allow $1 tcsd_t:process { ptrace signal_perms };
+	allow $1 tcsd_t:process signal_perms;
 	ps_process_pattern($1, tcsd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 tcsd_t:process ptrace;
+	')
 
 	tcsd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/tcsd.te b/tcsd.te
index b26d44a8ce..5a79afdb58 100644
--- a/tcsd.te
+++ b/tcsd.te
@@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t)
 # Local policy
 #
 
-allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:capability { dac_read_search  dac_override setuid };
 allow tcsd_t self:process { signal sigkill };
 allow tcsd_t self:tcp_socket { accept listen };
 
@@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
 dev_read_urand(tcsd_t)
 dev_rw_tpm(tcsd_t)
 
-files_read_usr_files(tcsd_t)
-
 auth_use_nsswitch(tcsd_t)
 
 init_read_utmp(tcsd_t)
 
 logging_send_syslog_msg(tcsd_t)
-
-miscfiles_read_localization(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
index 6c7f8f8a39..03fc880795 100644
--- a/telepathy.fc
+++ b/telepathy.fc
@@ -1,35 +1,23 @@
-HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
+HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
 HOME_DIR/\.cache/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
 HOME_DIR/\.cache/telepathy/logger(/.*)?	gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy/gabble(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.cache/wocky(/.*)?	gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.mission-control(/.*)?	gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
+HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)?		gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)?		gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.cache/wocky(/.*)?			gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+HOME_DIR/\.mission-control(/.*)?		gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
 HOME_DIR/\.local/share/telepathy(/.*)?	gen_context(system_u:object_r:telepathy_data_home_t,s0)
-HOME_DIR/\.local/share/telepathy/mission-control(/.*)?	gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0)
-HOME_DIR/\.telepathy-sunshine(/.*)?	gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
-HOME_DIR/\.local/share/TpLogger(/.*)?	gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)?		gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
+HOME_DIR/\.telepathy-sunshine(/.*)?		gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+HOME_DIR/\.local/share/TpLogger(/.*)?		gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
 
-/usr/lib/telepathy/mission-control-5	--	gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
-/usr/lib/telepathy/telepathy-butterfly	--	gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/lib/telepathy/telepathy-gabble	--	gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
-/usr/lib/telepathy/telepathy-haze	--	gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/lib/telepathy/telepathy-idle	--	gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
-/usr/lib/telepathy/telepathy-logger	--	gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
-/usr/lib/telepathy/telepathy-salut	--	gen_context(system_u:object_r:telepathy_salut_exec_t,s0)
-/usr/lib/telepathy/telepathy-sofiasip	--	gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/lib/telepathy/telepathy-rakia	--	gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/lib/telepathy/telepathy-stream-engine	--	gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
-/usr/lib/telepathy/telepathy-sunshine	--	gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
-
-/usr/libexec/mission-control-5	--	gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
-/usr/libexec/telepathy-butterfly	--	gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/libexec/telepathy-gabble	--	gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
-/usr/libexec/telepathy-haze	--	gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
-/usr/libexec/telepathy-idle	--	gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
-/usr/libexec/telepathy-logger	--	gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
-/usr/libexec/telepathy-salut	--	gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
-/usr/libexec/telepathy-sofiasip	--	gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/libexec/telepathy-rakia	--	gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
-/usr/libexec/telepathy-stream-engine	--	gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
-/usr/libexec/telepathy-sunshine	--	gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
+/usr/libexec/mission-control-5		--	gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
+/usr/libexec/telepathy-butterfly	--	gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-gabble		--	gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
+/usr/libexec/telepathy-haze		--	gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-idle		--	gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
+/usr/libexec/telepathy-logger		--	gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut		--	gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip		--	gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-rakia        --  gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-stream-engine	--	gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine		--	gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/telepathy.if b/telepathy.if
index 42946bc10b..9f70e4cf17 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -2,45 +2,39 @@
 
 #######################################
 ## <summary>
-##	The template to define a telepathy domain.
+##	Creates basic types for telepathy
+##	domain
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
 template(`telepathy_domain_template',`
 	gen_require(`
-		attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
+		attribute telepathy_domain;
+		attribute telepathy_executable;
 	')
 
 	type telepathy_$1_t, telepathy_domain;
 	type telepathy_$1_exec_t, telepathy_executable;
-	userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+	application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+	ubac_constrained(telepathy_$1_t)
 
-	type telepathy_$1_tmp_t, telepathy_tmp_content;
+	type telepathy_$1_tmp_t;
 	userdom_user_tmp_file(telepathy_$1_tmp_t)
 
+	kernel_read_system_state(telepathy_$1_t)
+
 	auth_use_nsswitch(telepathy_$1_t)
 ')
 
 #######################################
 ## <summary>
-##	The role template for the telepathy module.
+##	Role access for telepathy domains
+##	that executes via dbus-session
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for window manager applications.
-##	</p>
-## </desc>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="user_role">
 ##	<summary>
 ##	The role associated with the user domain.
@@ -51,10 +45,15 @@ template(`telepathy_domain_template',`
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
+## <param name="domain_prefix">
+##	<summary>
+##	User domain prefix to be used.
+##	</summary>
+## </param>
 #
-template(`telepathy_role_template',`
+template(`telepathy_role',`
 	gen_require(`
-		attribute telepathy_domain, telepathy_tmp_content;
+		attribute telepathy_domain;
 		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
 		type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
 		type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
@@ -63,91 +62,84 @@ template(`telepathy_role_template',`
 		type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
 		type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
 		type telepathy_msn_exec_t;
-
-		type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
-		type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
-		type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
 	')
 
-	role $2 types telepathy_domain;
-
-	allow $3 telepathy_domain:process { ptrace signal_perms };
-	ps_process_pattern($3, telepathy_domain)
+	role $1 types telepathy_domain;
 
-	telepathy_gabble_stream_connect($3)
-	telepathy_msn_stream_connect($3)
-	telepathy_salut_stream_connect($3)
+	allow $2 telepathy_domain:process signal_perms;
+	ps_process_pattern($2, telepathy_domain)
 
-	dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
-	dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
-	dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
-	dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
-	dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t)
-	dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t)
-	dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
-	dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
-	dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
+	telepathy_gabble_stream_connect($2)
+	telepathy_msn_stream_connect($2)
+	telepathy_salut_stream_connect($2)
 
-	allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+	dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
+	dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+	dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
+	dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
+	dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
+	dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
+	dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+	dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+	dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
 
-	allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
-	allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
-	allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
-
-	filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
-	# gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
-
-	filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
-	# gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
-
-	userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
-	filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
-	# gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
-
-	userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
-
-	# gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
-	# gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy")
-
-	allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
-	allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	telepathy_dbus_chat($2)
 ')
 
 ########################################
 ## <summary>
-##	Connect to gabble with a unix
-##	domain stream socket.
+##	Stream connect to Telepathy Gabble
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`telepathy_gabble_stream_connect',`
+interface(`telepathy_gabble_stream_connect', `
 	gen_require(`
 		type telepathy_gabble_t, telepathy_gabble_tmp_t;
 	')
 
-	files_search_tmp($1)
 	stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Send dbus messages to and from
-##	gabble.
+##	Allow Telepathy Gabble to stream connect to a domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`telepathy_gabble_stream_connect_to', `
+	gen_require(`
+		type telepathy_gabble_t;
+	')
+
+	stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)
+')
+
+########################################
+## <summary>
+##	Send DBus messages to and from
+##	Telepathy Gabble.
+## </summary>
+## <param name="domain">
+## 	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`telepathy_gabble_dbus_chat',`
+interface(`telepathy_gabble_dbus_chat', `
 	gen_require(`
 		type telepathy_gabble_t;
 		class dbus send_msg;
@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Read mission control process state files.
+##	Read telepathy mission control state.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',`
 	')
 
 	kernel_search_proc($1)
-	allow $1 telepathy_mission_control_t:dir list_dir_perms;
-	allow $1 telepathy_mission_control_t:file read_file_perms;
-	allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms;
+	ps_process_pattern($1, telepathy_mission_control_t)
 ')
 
 #######################################
 ## <summary>
-##	Connect to msn with a unix
-##	domain stream socket.
+##	Stream connect to telepathy MSN managers
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',`
 ##	</summary>
 ## </param>
 #
-interface(`telepathy_msn_stream_connect',`
+interface(`telepathy_msn_stream_connect', `
 	gen_require(`
 		type telepathy_msn_t, telepathy_msn_tmp_t;
 	')
 
-	files_search_tmp($1)
 	stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Connect to salut with a unix
-##	domain stream socket.
+##	Stream connect to Telepathy Salut
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -209,11 +197,140 @@ interface(`telepathy_msn_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`telepathy_salut_stream_connect',`
+interface(`telepathy_salut_stream_connect', `
 	gen_require(`
 		type telepathy_salut_t, telepathy_salut_tmp_t;
 	')
 
-	files_search_tmp($1)
 	stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+	files_search_tmp($1)
+')
+
+#######################################
+## <summary>
+##	Send DBus messages to and from
+##	all Telepathy domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`telepathy_dbus_chat',`
+	gen_require(`
+		attribute telepathy_domain;
+		class dbus send_msg;
+	')
+
+	allow $1 telepathy_domain:dbus send_msg;
+	allow telepathy_domain $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+##	Execute telepathy executable
+##	in the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a telepathy executable
+##	in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain. 
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`telepathy_command_domtrans', `
+	gen_require(`
+		attribute telepathy_executable;
+	')
+
+	allow $2 telepathy_executable:file entrypoint;
+	domain_transition_pattern($1, telepathy_executable, $2)
+	type_transition $1 telepathy_executable:process $2;
+
+	# needs to dbus chat with unconfined_t and unconfined_dbusd_t
+	optional_policy(`
+		telepathy_dbus_chat($1)
+		telepathy_dbus_chat($2)
+	')
+')
+
+########################################
+## <summary>
+##	Create telepathy content in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`telepathy_filetrans_home_content',`
+	gen_require(`
+		type telepathy_mission_control_cache_home_t;
+		type telepathy_mission_control_home_t;
+		type telepathy_logger_cache_home_t;
+		type telepathy_gabble_cache_home_t;
+		type telepathy_sunshine_home_t;
+		type telepathy_logger_data_home_t;
+		type telepathy_cache_home_t, telepathy_data_home_t;
+		type telepathy_mission_control_data_home_t;
+	')
+
+	filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+	filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
+	filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+
+	filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+
+	userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
+	userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+	optional_policy(`
+		gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+		gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")	
+		gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
+		gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
+
+		gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
+		gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+	')
+')
+
+######################################
+## <summary>
+##	Execute telepathy in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`telepathy_exec',`
+	gen_require(`
+		attribute telepathy_executable;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, telepathy_executable)
 ')
diff --git a/telepathy.te b/telepathy.te
index 9afcbc95c2..b19622dc66 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2)
 
 ########################################
 #
-# Declarations
+# Declarations.
 #
 
 ## <desc>
-##	<p>
-##	Determine whether telepathy connection
-##	managers can connect to generic tcp ports.
-##	</p>
+## <p>
+## Allow the Telepathy connection managers
+## to connect to any generic TCP port.
+## </p>
 ## </desc>
 gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
 
 ## <desc>
-##	<p>
-##	Determine whether telepathy connection
-##	managers can connect to any port.
-##	</p>
+## <p>
+## Allow the Telepathy connection managers
+## to connect to any network port.
+## </p>
 ## </desc>
 gen_tunable(telepathy_connect_all_ports, false)
 
 attribute telepathy_domain;
 attribute telepathy_executable;
-attribute telepathy_tmp_content;
 
 telepathy_domain_template(gabble)
 
@@ -67,179 +66,157 @@ userdom_user_home_content(telepathy_sunshine_home_t)
 
 #######################################
 #
-# Gabble local policy
+# Telepathy Gabble local policy.
 #
 
-allow telepathy_gabble_t self:tcp_socket { accept listen };
+allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;
 allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
 
-# ~/.cache/telepathy/gabble/caps-cache.db-journal
-manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
-# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky")
-
 manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
 manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
 files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
 
-corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+# ~/.cache/telepathy/gabble/caps-cache.db-journal
+optional_policy(`
+	manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+	manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+	filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir)
+	# ~/.cache/wocky
+	gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir)
+')
+
 corenet_all_recvfrom_netlabel(telepathy_gabble_t)
 corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
 corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
-
-corenet_sendrecv_http_client_packets(telepathy_gabble_t)
 corenet_tcp_connect_http_port(telepathy_gabble_t)
-corenet_tcp_sendrecv_http_port(telepathy_gabble_t)
-
-corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
 corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
-corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t)
-
-corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
 corenet_tcp_connect_vnc_port(telepathy_gabble_t)
-corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t)
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
 
 dev_read_rand(telepathy_gabble_t)
 
 files_read_config_files(telepathy_gabble_t)
-files_read_usr_files(telepathy_gabble_t)
+
+fs_getattr_all_fs(telepathy_gabble_t)
 
 miscfiles_read_all_certs(telepathy_gabble_t)
 
 tunable_policy(`telepathy_connect_all_ports',`
-	corenet_sendrecv_all_client_packets(telepathy_gabble_t)
 	corenet_tcp_connect_all_ports(telepathy_gabble_t)
 	corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
+	corenet_udp_sendrecv_all_ports(telepathy_gabble_t)
 ')
 
 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
-	corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
 	corenet_tcp_connect_generic_port(telepathy_gabble_t)
-	corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(telepathy_gabble_t)
-	fs_manage_nfs_files(telepathy_gabble_t)
+	corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(telepathy_gabble_t)
-	fs_manage_cifs_files(telepathy_gabble_t)
-')
+userdom_home_manager(telepathy_gabble_t)
 
 optional_policy(`
 	dbus_system_bus_client(telepathy_gabble_t)
 ')
 
-# optional_policy(`
-	# ~/.config/dconf/user
-	# gnome_manage_generic_home_content(telepathy_gabble_t)
-# ')
+optional_policy(`
+	gnome_manage_home_config(telepathy_gabble_t)
+')
 
 #######################################
 #
-# Idle local policy
+# Telepathy Idle local policy.
 #
 
 corenet_all_recvfrom_netlabel(telepathy_idle_t)
-corenet_all_recvfrom_unlabeled(telepathy_idle_t)
 corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
 corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
-
-corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t)
 corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
-corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t)
-
-corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
 corenet_tcp_connect_ircd_port(telepathy_idle_t)
-corenet_tcp_sendrecv_ircd_port(telepathy_idle_t)
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
 
 dev_read_rand(telepathy_idle_t)
 
-files_read_usr_files(telepathy_idle_t)
-
 tunable_policy(`telepathy_connect_all_ports',`
-	corenet_sendrecv_all_client_packets(telepathy_idle_t)
 	corenet_tcp_connect_all_ports(telepathy_idle_t)
 	corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
+	corenet_udp_sendrecv_all_ports(telepathy_idle_t)
 ')
 
 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
-	corenet_sendrecv_generic_client_packets(telepathy_idle_t)
 	corenet_tcp_connect_generic_port(telepathy_idle_t)
-	corenet_tcp_sendrecv_generic_port(telepathy_idle_t)
+	corenet_sendrecv_generic_client_packets(telepathy_idle_t)
 ')
 
 #######################################
 #
-# Logger local policy
+# Telepathy Logger local policy.
 #
 
 allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
 
 manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
 manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)
 
 manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
 manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
-# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger")
 
-files_read_usr_files(telepathy_logger_t)
+optional_policy(`
+	gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
+')
+
 files_search_pids(telepathy_logger_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(telepathy_logger_t)
-	fs_manage_nfs_files(telepathy_logger_t)
-')
+fs_getattr_all_fs(telepathy_logger_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(telepathy_logger_t)
-	fs_manage_cifs_files(telepathy_logger_t)
-')
+userdom_home_manager(telepathy_logger_t)
 
-# optional_policy(`
+optional_policy(`
 	# ~/.config/dconf/user
-	# gnome_manage_generic_home_content(telepathy_logger_t)
-# ')
+	gnome_manage_home_config(telepathy_logger_t)
+')
 
 #######################################
 #
-# Mission-Control local policy
+# Telepathy Mission-Control local policy.
 #
-
 allow telepathy_mission_control_t self:process setsched;
 
 manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
+userdom_search_user_home_dirs(telepathy_mission_control_t)
+
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
 
-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
+manage_sock_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
+exec_files_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t)
+files_tmp_filetrans(telepathy_mission_control_t, telepathy_mission_control_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_mission_control_t, telepathy_mission_control_tmp_t, { dir file sock_file })
+
+optional_policy(`
+	gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
+	gnome_manage_home_config(telepathy_mission_control_t)
+')
 
 manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
 
 dev_read_rand(telepathy_mission_control_t)
 
-files_list_tmp(telepathy_mission_control_t)
-files_read_usr_files(telepathy_mission_control_t)
+fs_getattr_all_fs(telepathy_mission_control_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(telepathy_mission_control_t)
-	fs_manage_nfs_files(telepathy_mission_control_t)
-')
+files_list_tmp(telepathy_mission_control_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(telepathy_mission_control_t)
-	fs_manage_cifs_files(telepathy_mission_control_t)
-')
+userdom_home_manager(telepathy_mission_control_t)
 
 optional_policy(`
 	dbus_system_bus_client(telepathy_mission_control_t)
@@ -248,59 +225,47 @@ optional_policy(`
 		devicekit_dbus_chat_power(telepathy_mission_control_t)
 	')
 	optional_policy(`
-		gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t)
+		gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
 	')
 	optional_policy(`
 		networkmanager_dbus_chat(telepathy_mission_control_t)
 	')
 ')
 
-# optional_policy(`
-	# ~/.config/dconf/user
-	# gnome_manage_generic_home_content(telepathy_mission_control_t)
-# ')
+# ~/.cache/.mc_connections.
+optional_policy(`
+	manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
+	gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
+')
 
 #######################################
 #
-# Butterfly and Haze local policy
+# Telepathy Butterfly and Haze local policy.
 #
 
 allow telepathy_msn_t self:process setsched;
+allow telepathy_msn_t self:unix_dgram_socket { write create connect };
 
 manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
-
 userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
-
+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
 can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
 
 corenet_all_recvfrom_netlabel(telepathy_msn_t)
-corenet_all_recvfrom_unlabeled(telepathy_msn_t)
 corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
 corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
-
-corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_tcp_bind_generic_node(telepathy_msn_t)
 corenet_tcp_connect_http_port(telepathy_msn_t)
-corenet_tcp_sendrecv_http_port(telepathy_msn_t)
-
-corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
 corenet_tcp_connect_mmcc_port(telepathy_msn_t)
-corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t)
-
-corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
 corenet_tcp_connect_msnp_port(telepathy_msn_t)
-corenet_tcp_sendrecv_msnp_port(telepathy_msn_t)
-
-corenet_sendrecv_sip_client_packets(telepathy_msn_t)
 corenet_tcp_connect_sip_port(telepathy_msn_t)
-corenet_tcp_sendrecv_sip_port(telepathy_msn_t)
-
-corecmd_exec_bin(telepathy_msn_t)
-corecmd_exec_shell(telepathy_msn_t)
-
-files_read_usr_files(telepathy_msn_t)
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
 
 init_read_state(telepathy_msn_t)
 
@@ -310,18 +275,19 @@ logging_send_syslog_msg(telepathy_msn_t)
 
 miscfiles_read_all_certs(telepathy_msn_t)
 
-# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
-
 tunable_policy(`telepathy_connect_all_ports',`
-	corenet_sendrecv_all_client_packets(telepathy_msn_t)
 	corenet_tcp_connect_all_ports(telepathy_msn_t)
 	corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
+	corenet_udp_sendrecv_all_ports(telepathy_msn_t)
 ')
 
 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
-	corenet_sendrecv_generic_client_packets(telepathy_msn_t)
 	corenet_tcp_connect_generic_port(telepathy_msn_t)
-	corenet_tcp_sendrecv_generic_port(telepathy_msn_t)
+	corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+')
+
+optional_policy(`
+	gnome_read_gconf_home_files(telepathy_msn_t)
 ')
 
 optional_policy(`
@@ -332,43 +298,33 @@ optional_policy(`
 	')
 ')
 
-# optional_policy(`
-	# ~/.config/dconf/user
-	# gnome_manage_generic_home_content(telepathy_msn_t)
-# ')
-
 #######################################
 #
-# Salut local policy
+# Telepathy Salut local policy.
 #
 
-allow telepathy_salut_t self:tcp_socket { accept listen };
+allow telepathy_salut_t self:tcp_socket create_stream_socket_perms;
 
 manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
 files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
 
 corenet_all_recvfrom_netlabel(telepathy_salut_t)
-corenet_all_recvfrom_unlabeled(telepathy_salut_t)
 corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
 corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
 corenet_tcp_bind_generic_node(telepathy_salut_t)
-
-corenet_sendrecv_presence_server_packets(telepathy_salut_t)
 corenet_tcp_bind_presence_port(telepathy_salut_t)
-corenet_sendrecv_presence_client_packets(telepathy_salut_t)
 corenet_tcp_connect_presence_port(telepathy_salut_t)
-corenet_tcp_sendrecv_presence_port(telepathy_salut_t)
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
 
 tunable_policy(`telepathy_connect_all_ports',`
-	corenet_sendrecv_all_client_packets(telepathy_salut_t)
 	corenet_tcp_connect_all_ports(telepathy_salut_t)
 	corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
+	corenet_udp_sendrecv_all_ports(telepathy_salut_t)
 ')
 
 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
-	corenet_sendrecv_generic_client_packets(telepathy_salut_t)
 	corenet_tcp_connect_generic_port(telepathy_salut_t)
-	corenet_tcp_sendrecv_generic_port(telepathy_salut_t)
+	corenet_sendrecv_generic_client_packets(telepathy_salut_t)
 ')
 
 optional_policy(`
@@ -381,73 +337,51 @@ optional_policy(`
 
 #######################################
 #
-# Sofiasip local policy
+# Telepathy Sofiasip local policy.
 #
 
-allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms;
-allow telepathy_sofiasip_t self:tcp_socket { accept listen };
+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
+allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
 
 corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
-corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
 corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
 corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
 corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
 corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
 corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
 corenet_raw_bind_generic_node(telepathy_sofiasip_t)
-
-corenet_sendrecv_all_server_packets(telepathy_sofiasip_t)
 corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
-corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
-
 corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
-
-corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
 corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
-corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t)
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
 
 kernel_request_load_module(telepathy_sofiasip_t)
 
 tunable_policy(`telepathy_connect_all_ports',`
-	corenet_sendrecv_all_client_packets(telepathy_sofiasip_t)
 	corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
 	corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+	corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t)
 ')
 
 tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
-	corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
 	corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
-	corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t)
+	corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
 ')
 
 #######################################
 #
-# Sunshine local policy
+# Telepathy Sunshine local policy.
 #
 
 manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
 manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
-userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_sunshine_t)
 
 manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
 files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
 
-can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
-
-corecmd_exec_bin(telepathy_sunshine_t)
-
-files_read_usr_files(telepathy_sunshine_t)
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(telepathy_sunshine_t)
-	fs_manage_nfs_files(telepathy_sunshine_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(telepathy_sunshine_t)
-	fs_manage_cifs_files(telepathy_sunshine_t)
-')
-
 optional_policy(`
 	xserver_read_xdm_pid(telepathy_sunshine_t)
 	xserver_stream_connect(telepathy_sunshine_t)
@@ -455,31 +389,51 @@ optional_policy(`
 
 #######################################
 #
-# Common telepathy domain local policy
+# telepathy domains common policy
 #
 
 allow telepathy_domain self:process { getsched signal sigkill };
 allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+allow telepathy_domain self:tcp_socket create_socket_perms;
+allow telepathy_domain self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+optional_policy(`
+	gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+')
 
-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
+corecmd_exec_bin(telepathy_domain)
+corecmd_exec_shell(telepathy_domain)
 
 dev_read_urand(telepathy_domain)
 
-kernel_read_system_state(telepathy_domain)
-
 fs_getattr_all_fs(telepathy_domain)
 fs_search_auto_mountpoints(telepathy_domain)
+fs_rw_inherited_tmpfs_files(telepathy_domain)
 
-miscfiles_read_localization(telepathy_domain)
+userdom_search_user_tmp_dirs(telepathy_domain)
+userdom_search_user_home_dirs(telepathy_domain)
 
 optional_policy(`
 	automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
 ')
 
+optional_policy(`
+	gnome_read_generic_cache_files(telepathy_domain)
+	gnome_write_generic_cache_files(telepathy_domain)
+	gnome_filetrans_config_home_content(telepathy_domain)
+')
+
+optional_policy(`
+	systemd_dbus_chat_logind(telepathy_domain)
+	systemd_write_inhibit_pipes(telepathy_domain)
+')
+
+optional_policy(`
+	telepathy_dbus_chat(telepathy_domain)
+')
+
 optional_policy(`
 	xserver_rw_xdm_pipes(telepathy_domain)
 ')
+
diff --git a/telnet.te b/telnet.te
index d7c8633695..0d3d4392ad 100644
--- a/telnet.te
+++ b/telnet.te
@@ -27,19 +27,22 @@ files_pid_file(telnetd_var_run_t)
 # Local policy
 #
 
-allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override };
 allow telnetd_t self:process signal_perms;
 allow telnetd_t self:fifo_file rw_fifo_file_perms;
-allow telnetd_t self:tcp_socket { accept listen };
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+allow telnetd_t self:udp_socket create_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
 allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
 term_create_pty(telnetd_t, telnetd_devpts_t)
 
 allow telnetd_t telnetd_keytab_t:file read_file_perms;
 
 manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
 manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
 
 manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
 files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
@@ -48,7 +51,6 @@ kernel_read_kernel_sysctls(telnetd_t)
 kernel_read_system_state(telnetd_t)
 kernel_read_network_state(telnetd_t)
 
-corenet_all_recvfrom_unlabeled(telnetd_t)
 corenet_all_recvfrom_netlabel(telnetd_t)
 corenet_tcp_sendrecv_generic_if(telnetd_t)
 corenet_tcp_sendrecv_generic_node(telnetd_t)
@@ -63,7 +65,6 @@ dev_read_urand(telnetd_t)
 
 domain_interactive_fd(telnetd_t)
 
-files_read_usr_files(telnetd_t)
 files_read_etc_runtime_files(telnetd_t)
 files_search_home(telnetd_t)
 
@@ -76,12 +77,12 @@ init_rw_utmp(telnetd_t)
 
 logging_send_syslog_msg(telnetd_t)
 
-miscfiles_read_localization(telnetd_t)
-
 seutil_read_config(telnetd_t)
 
 userdom_search_user_home_dirs(telnetd_t)
 userdom_setattr_user_ptys(telnetd_t)
+userdom_manage_user_tmp_files(telnetd_t)
+userdom_tmp_filetrans_user_tmp(telnetd_t, file)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_search_nfs(telnetd_t)
@@ -93,7 +94,7 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
 	kerberos_read_keytab(telnetd_t)
-	kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+	kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
 	kerberos_manage_host_rcache(telnetd_t)
 	kerberos_use(telnetd_t)
 ')
diff --git a/tftp.fc b/tftp.fc
index 3dd87daf5f..0d13384b01 100644
--- a/tftp.fc
+++ b/tftp.fc
@@ -1,9 +1,9 @@
-/etc/(x)?inetd\.d/tftp	--	gen_context(system_u:object_r:tftpd_conf_t,s0)
+/etc/(x)?inetd\.d/tftp	--	gen_context(system_u:object_r:tftpd_etc_t,s0)
 
 /usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 /usr/sbin/in\.tftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 
-/tftpboot	-d	gen_context(system_u:object_r:tftpdir_t,s0)
-/tftpboot/.*	gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.*			gen_context(system_u:object_r:tftpdir_t,s0)
 
-/var/lib/tftpboot(/.*)?	gen_context(system_u:object_r:tftpdir_rw_t,s0)
+/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff --git a/tftp.if b/tftp.if
index 9957e300d8..cd2132109e 100644
--- a/tftp.if
+++ b/tftp.if
@@ -1,8 +1,8 @@
-## <summary>Trivial file transfer protocol daemon.</summary>
+## <summary>Trivial file transfer protocol daemon</summary>
 
 ########################################
 ## <summary>
-##	Read tftp content files.
+##	Read tftp content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -13,18 +13,21 @@
 interface(`tftp_read_content',`
 	gen_require(`
 		type tftpdir_t;
+		type tftpdir_rw_t;
 	')
 
-	files_search_var_lib($1)
-	allow $1 tftpdir_t:dir list_dir_perms;
-	allow $1 tftpdir_t:file read_file_perms;
-	allow $1 tftpdir_t:lnk_file read_lnk_file_perms;
+	list_dirs_pattern($1, tftpdir_t, tftpdir_t)
+	read_files_pattern($1, tftpdir_t, tftpdir_t)
+	read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
+
+	list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+	read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+	read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	tftp rw content.
+##	Search tftp /var/lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -32,20 +35,18 @@ interface(`tftp_read_content',`
 ##	</summary>
 ## </param>
 #
-interface(`tftp_manage_rw_content',`
+interface(`tftp_search_rw_content',`
 	gen_require(`
 		type tftpdir_rw_t;
 	')
 
+	search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 	files_search_var_lib($1)
-	allow $1 tftpdir_rw_t:dir manage_dir_perms;
-	allow $1 tftpdir_rw_t:file manage_file_perms;
-	allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read tftpd configuration files.
+##	Allow read tftp /var/lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -53,19 +54,18 @@ interface(`tftp_manage_rw_content',`
 ##	</summary>
 ## </param>
 #
-interface(`tftp_read_config_files',`
+interface(`tftp_read_rw_content',`
 	gen_require(`
-		type tftpd_conf_t;
+		type tftpdir_rw_t;
 	')
 
-	files_search_etc($1)
-	allow $1 tftpd_conf_t:file read_file_perms;
+	files_search_var_lib($1)
+	read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	tftpd configuration files.
+##	Allow write tftp /var/lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -73,55 +73,83 @@ interface(`tftp_read_config_files',`
 ##	</summary>
 ## </param>
 #
-interface(`tftp_manage_config_files',`
+interface(`tftp_write_rw_content',`
 	gen_require(`
-		type tftpd_conf_t;
+		type tftpdir_rw_t;
 	')
 
-	files_search_etc($1)
-	allow $1 tftpd_conf_t:file manage_file_perms;
+	files_search_var_lib($1)
+	write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in etc directories
-##	with tftp conf type.
+##	Manage tftp /var/lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
+#
+interface(`tftp_manage_rw_content',`
+	gen_require(`
+		type tftpdir_rw_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+	manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+## <summary>
+##	Read tftp config files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Class of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+#
+interface(`tftp_read_config',`
+	gen_require(`
+		type tftpd_etc_t;
+	')
+
+	read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage tftp config files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`tftp_etc_filetrans_config',`
+interface(`tftp_manage_config',`
 	gen_require(`
-		type tftp_conf_t;
+		type tftpd_etc_t;
 	')
 
-	files_etc_filetrans($1, tftp_conf_t, $2, $3)
+ 	manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
+	files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
 ')
 
 ########################################
 ## <summary>
 ##	Create objects in tftpdir directories
-##	with a private type.
+##	with specified types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private_type">
+## <param name="file_type">
 ##	<summary>
 ##	Private file type.
 ##	</summary>
@@ -131,25 +159,38 @@ interface(`tftp_etc_filetrans_config',`
 ##	Class of the object being created.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
 interface(`tftp_filetrans_tftpdir',`
 	gen_require(`
 		type tftpdir_rw_t;
 	')
 
+	filetrans_pattern($1, tftpdir_rw_t, $2, $3)
 	files_search_var_lib($1)
-	filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an tftp environment.
+##	Transition to tftp named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tftp_filetrans_named_content',`
+	gen_require(`
+		type tftpd_etc_t;
+	')
+
+	files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an tftp environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -161,18 +202,22 @@ interface(`tftp_filetrans_tftpdir',`
 interface(`tftp_admin',`
 	gen_require(`
 		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
-		type tftpd_conf_t;
 	')
 
-	allow $1 tftpd_t:process { ptrace signal_perms };
+	allow $1 tftpd_t:process signal_perms;
 	ps_process_pattern($1, tftpd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 tftpd_t:process ptrace;
+	')
 
-	files_search_etc($1)
-	admin_pattern($1, tftpd_conf_t)
+	files_list_var_lib($1)
 
-	files_search_var_lib($1)
-	admin_pattern($1, { tftpdir_t tftpdir_rw_t })
+	admin_pattern($1, tftpdir_rw_t)
+
+	admin_pattern($1, tftpdir_t)
 
 	files_list_pids($1)
 	admin_pattern($1, tftpd_var_run_t)
+
+	tftp_manage_config($1)
 ')
diff --git a/tftp.te b/tftp.te
index cfaa2a19c8..a9bc6f1ff7 100644
--- a/tftp.te
+++ b/tftp.te
@@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether tftp can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow tftp to modify public files
+## used for public file transfer services.
+## </p>
 ## </desc>
 gen_tunable(tftp_anon_write, false)
 
 ## <desc>
-##	<p>
-##	Determine whether tftp can manage
-##	generic user home content.
-##	</p>
+## <p>
+## Allow tftp to read and write files in the user home directories
+## </p>
 ## </desc>
-gen_tunable(tftp_enable_homedir, false)
+gen_tunable(tftp_home_dir, false)
 
 type tftpd_t;
 type tftpd_exec_t;
 init_daemon_domain(tftpd_t, tftpd_exec_t)
 
-type tftpd_conf_t;
-files_config_file(tftpd_conf_t)
-
 type tftpd_var_run_t;
 files_pid_file(tftpd_var_run_t)
 
@@ -39,6 +33,9 @@ files_type(tftpdir_t)
 type tftpdir_rw_t;
 files_type(tftpdir_rw_t)
 
+type tftpd_etc_t;
+files_config_file(tftpd_etc_t)
+
 ########################################
 #
 # Local policy
@@ -46,15 +43,17 @@ files_type(tftpdir_rw_t)
 
 allow tftpd_t self:capability { setgid setuid sys_chroot };
 dontaudit tftpd_t self:capability sys_tty_config;
-allow tftpd_t self:tcp_socket { accept listen };
-allow tftpd_t self:unix_stream_socket { accept listen };
-
-allow tftpd_t tftpd_conf_t:file read_file_perms;
+allow tftpd_t self:tcp_socket create_stream_socket_perms;
+allow tftpd_t self:udp_socket create_socket_perms;
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow tftpd_t tftpdir_t:dir list_dir_perms;
 allow tftpd_t tftpdir_t:file read_file_perms;
 allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
 
+read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
+
 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
@@ -65,18 +64,23 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
 kernel_read_system_state(tftpd_t)
 kernel_read_kernel_sysctls(tftpd_t)
 
-corenet_all_recvfrom_unlabeled(tftpd_t)
 corenet_all_recvfrom_netlabel(tftpd_t)
+corenet_tcp_sendrecv_generic_if(tftpd_t)
 corenet_udp_sendrecv_generic_if(tftpd_t)
+corenet_tcp_sendrecv_generic_node(tftpd_t)
 corenet_udp_sendrecv_generic_node(tftpd_t)
+corenet_tcp_sendrecv_all_ports(tftpd_t)
+corenet_udp_sendrecv_all_ports(tftpd_t)
+corenet_tcp_bind_generic_node(tftpd_t)
 corenet_udp_bind_generic_node(tftpd_t)
-
-corenet_sendrecv_tftp_server_packets(tftpd_t)
 corenet_udp_bind_tftp_port(tftpd_t)
-corenet_udp_sendrecv_tftp_port(tftpd_t)
+corenet_sendrecv_tftp_server_packets(tftpd_t)
 
 dev_read_sysfs(tftpd_t)
 
+fs_getattr_all_fs(tftpd_t)
+fs_search_auto_mountpoints(tftpd_t)
+
 domain_use_interactive_fds(tftpd_t)
 
 files_read_etc_runtime_files(tftpd_t)
@@ -84,43 +88,46 @@ files_read_var_files(tftpd_t)
 files_read_var_symlinks(tftpd_t)
 files_search_var(tftpd_t)
 
-fs_getattr_all_fs(tftpd_t)
-fs_search_auto_mountpoints(tftpd_t)
-
 auth_use_nsswitch(tftpd_t)
 
 logging_send_syslog_msg(tftpd_t)
 
-miscfiles_read_localization(tftpd_t)
 miscfiles_read_public_files(tftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_user_terminals(tftpd_t)
-userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file })
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
+
+userdom_home_manager(tftpd_t)
 
 tunable_policy(`tftp_anon_write',`
 	miscfiles_manage_public_files(tftpd_t)
 ')
 
-tunable_policy(`tftp_enable_homedir',`
-	allow tftpd_t self:capability { dac_override dac_read_search };
+tunable_policy(`tftp_home_dir',`
+    allow tftpd_t self:capability { dac_override dac_read_search };
 
+	# allow access to /home
 	files_list_home(tftpd_t)
-	userdom_manage_user_home_content_dirs(tftpd_t)
-	userdom_manage_user_home_content_files(tftpd_t)
-	userdom_manage_user_home_content_symlinks(tftpd_t)
+    userdom_read_user_home_content_files(tftpd_t)
+    userdom_manage_user_home_content(tftpd_t)
+
+    auth_read_all_dirs_except_shadow(tftpd_t)
+    auth_read_all_files_except_shadow(tftpd_t)
+    auth_read_all_symlinks_except_shadow(tftpd_t)
+',`
+	# Needed for permissive mode, to make sure everything gets labeled correctly
+	userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file })
 ')
 
-tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(tftpd_t)
-	fs_manage_nfs_files(tftpd_t)
-	fs_read_nfs_symlinks(tftpd_t)
+tunable_policy(`tftp_home_dir && use_nfs_home_dirs',`
+    fs_manage_nfs_files(tftpd_t)
+    fs_read_nfs_symlinks(tftpd_t)
 ')
 
-tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',`
-	fs_manage_cifs_dirs(tftpd_t)
-	fs_manage_cifs_files(tftpd_t)
-	fs_read_cifs_symlinks(tftpd_t)
+tunable_policy(`tftp_home_dir && use_samba_home_dirs',`
+    fs_manage_cifs_files(tftpd_t)
+    fs_read_cifs_symlinks(tftpd_t)
 ')
 
 optional_policy(`
diff --git a/tgtd.fc b/tgtd.fc
index 38389e6754..ae0f9ab51f 100644
--- a/tgtd.fc
+++ b/tgtd.fc
@@ -1,7 +1,4 @@
-/etc/rc\.d/init\.d/tgtd	--	gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
-
-/usr/sbin/tgtd	--	gen_context(system_u:object_r:tgtd_exec_t,s0)
-
-/var/lib/tgtd(/.*)?	gen_context(system_u:object_r:tgtd_var_lib_t,s0)
-
-/var/run/tgtd.*	-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
+/etc/rc\.d/init\.d/tgtd		--	gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+/usr/sbin/tgtd			--	gen_context(system_u:object_r:tgtd_exec_t,s0)
+/var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+/var/run/tgtd.*			gen_context(system_u:object_r:tgtd_var_run_t,s0)
diff --git a/tgtd.if b/tgtd.if
index 5406b6ee8b..dc5b46e280 100644
--- a/tgtd.if
+++ b/tgtd.if
@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
 	files_search_tmp($1)
 	admin_pattern($1, tgtd_tmp_t)
 
-	files_search_tmpfs($1)
+	fs_search_tmpfs($1)
 	admin_pattern($1, tgtd_tmpfs_t)
 ')
diff --git a/tgtd.te b/tgtd.te
index d010963868..65498f7a4a 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
 # Local policy
 #
 
-allow tgtd_t self:capability sys_resource;
-allow tgtd_t self:capability2 block_suspend;
+allow tgtd_t self:capability { dac_read_search dac_override ipc_lock sys_resource sys_rawio sys_admin };
+allow tgtd_t self:capability2 { block_suspend wake_alarm };
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
 allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
 
 kernel_read_system_state(tgtd_t)
 kernel_read_fs_sysctls(tgtd_t)
+kernel_read_network_state(tgtd_t)
 
 corenet_all_recvfrom_netlabel(tgtd_t)
-corenet_all_recvfrom_unlabeled(tgtd_t)
 corenet_tcp_sendrecv_generic_if(tgtd_t)
 corenet_tcp_sendrecv_generic_node(tgtd_t)
 corenet_tcp_bind_generic_node(tgtd_t)
 
 corenet_sendrecv_iscsi_server_packets(tgtd_t)
 corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_tcp_connect_isns_port(tgtd_t)
 corenet_tcp_sendrecv_iscsi_port(tgtd_t)
 
 corenet_sendrecv_iscsi_client_packets(tgtd_t)
@@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t)
 
 dev_read_sysfs(tgtd_t)
 
-files_read_etc_files(tgtd_t)
+files_list_mnt(tgtd_t)
 
 fs_read_anon_inodefs_files(tgtd_t)
 
+miscfiles_read_generic_certs(tgtd_t)
+
 storage_manage_fixed_disk(tgtd_t)
+storage_read_scsi_generic(tgtd_t)
+storage_write_scsi_generic(tgtd_t)
 
 logging_send_syslog_msg(tgtd_t)
 
-miscfiles_read_localization(tgtd_t)
-
 optional_policy(`
 	iscsi_manage_semaphores(tgtd_t)
 ')
diff --git a/thin.fc b/thin.fc
new file mode 100644
index 0000000000..1f8a9086c0
--- /dev/null
+++ b/thin.fc
@@ -0,0 +1,12 @@
+/usr/bin/thin		--	gen_context(system_u:object_r:thin_exec_t,s0)
+
+/usr/bin/aeolus-configserver-thinwrapper	--	gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
+
+/var/lib/aeolus-configserver(/.*)?	gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
+
+/var/log/aeolus-configserver(/.*)?  gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0)
+/var/log/thin\.log.*	             --	gen_context(system_u:object_r:thin_log_t,s0)
+
+/var/run/aeolus-configserver(/.*)?	gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
+/var/run/aeolus/thin\.pid	--	gen_context(system_u:object_r:thin_var_run_t,s0)
+/var/run/thin(/.*)?		     gen_context(system_u:object_r:thin_var_run_t,s0)
diff --git a/thin.if b/thin.if
new file mode 100644
index 0000000000..5e3637e639
--- /dev/null
+++ b/thin.if
@@ -0,0 +1,64 @@
+## <summary>thin policy</summary>
+
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  thin daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`thin_domain_template',`
+    gen_require(`
+        attribute thin_domain;
+    ')
+
+    type $1_t, thin_domain;
+    type $1_exec_t;
+    init_daemon_domain($1_t, $1_exec_t)
+
+	can_exec($1_t, $1_exec_t)
+
+	kernel_read_system_state($1_t)
+')
+
+######################################
+## <summary>
+##	Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`thin_exec',`
+    gen_require(`
+	type thin_exec_t;
+    ')
+
+    can_exec($1, thin_exec_t)
+')
+
+#####################################
+## <summary>
+##	Connect to thin over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`thin_stream_connect',`
+	gen_require(`
+		type thin_t, thin_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t)
+')
diff --git a/thin.te b/thin.te
new file mode 100644
index 0000000000..e66fc8c34b
--- /dev/null
+++ b/thin.te
@@ -0,0 +1,115 @@
+policy_module(thin, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute thin_domain;
+
+thin_domain_template(thin)
+
+type thin_log_t;
+logging_log_file(thin_log_t)
+
+type thin_var_run_t;
+files_pid_file(thin_var_run_t)
+
+thin_domain_template(thin_aeolus_configserver)
+
+type thin_aeolus_configserver_lib_t;
+files_type(thin_aeolus_configserver_lib_t)
+
+type thin_aeolus_configserver_log_t;
+logging_log_file(thin_aeolus_configserver_log_t)
+
+type thin_aeolus_configserver_var_run_t;
+files_pid_file(thin_aeolus_configserver_var_run_t)
+
+########################################
+#
+# thin_domain local policy
+#
+
+allow thin_domain self:process signal;
+
+allow thin_domain self:fifo_file rw_fifo_file_perms;
+allow thin_domain self:tcp_socket create_stream_socket_perms;
+
+# we want to stay in a new thin domain if we call thin binary from a script
+# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t
+can_exec(thin_domain, thin_exec_t)
+
+corecmd_exec_bin(thin_domain)
+corecmd_exec_shell(thin_domain)
+
+corenet_tcp_bind_generic_node(thin_domain)
+
+dev_read_rand(thin_domain)
+dev_read_urand(thin_domain)
+
+
+auth_read_passwd(thin_domain)
+
+miscfiles_read_certs(thin_domain)
+
+
+fs_search_auto_mountpoints(thin_domain)
+
+init_read_utmp(thin_domain)
+
+kernel_read_kernel_sysctls(thin_domain)
+
+optional_policy(`
+    apache_read_sys_content(thin_domain)
+')
+
+optional_policy(`
+	sysnet_read_config(thin_domain)
+')
+
+########################################
+#
+# thin local policy
+#
+
+allow thin_t self:capability { setuid kill setgid dac_read_search  dac_override };
+allow thin_t self:capability2 block_suspend;
+
+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
+allow thin_t self:udp_socket create_socket_perms;
+allow thin_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(thin_t, thin_log_t, thin_log_t)
+manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
+logging_log_filetrans(thin_t, thin_log_t, { file dir })
+
+manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+manage_lnk_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
+files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file })
+
+corenet_tcp_bind_ntop_port(thin_t)
+corenet_tcp_connect_postgresql_port(thin_t)
+
+#######################################
+#
+# thin aeolus configserver local policy
+#
+
+allow thin_aeolus_configserver_t self:capability { setuid setgid };
+
+corenet_tcp_bind_tram_port(thin_aeolus_configserver_t)
+
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
+files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })
+
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
+logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir })
+
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
+files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
diff --git a/thumb.fc b/thumb.fc
new file mode 100644
index 0000000000..115bf6c42f
--- /dev/null
+++ b/thumb.fc
@@ -0,0 +1,17 @@
+HOME_DIR/\.thumbnails(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/\.cache/thumbnails(/.*)?	gen_context(system_u:object_r:thumb_home_t,s0)
+HOME_DIR/missfont\.log.*		gen_context(system_u:object_r:thumb_home_t,s0)
+
+/usr/bin/evince-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gsf-office-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gnome-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/gnome-[^/]*-thumbnailer(.sh)?	--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/raw-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/shotwell-video-thumbnailer	--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/totem-video-thumbnailer	--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/whaaw-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/[^/]*thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/ffmpegthumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
+/usr/bin/mate-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
+
+/usr/lib/tumbler-?[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
index 0000000000..d371f62f60
--- /dev/null
+++ b/thumb.if
@@ -0,0 +1,153 @@
+
+## <summary>policy for thumb</summary>
+
+########################################
+## <summary>
+##	Transition to thumb.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thumb_domtrans',`
+	gen_require(`
+		type thumb_t, thumb_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, thumb_exec_t, thumb_t)
+	dontaudit thumb_t $1:unix_stream_socket { getattr read write };
+')
+
+########################################
+## <summary>
+##	NNP Transition to thumb.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thumb_nnp_domtrans',`
+	gen_require(`
+		type thumb_t;
+	')
+
+	allow $1 thumb_t:process2 { nnp_transition nosuid_transition };
+
+')
+
+########################################
+## <summary>
+##	Execute thumb in the thumb domain, and
+##	allow the specified role the thumb domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the thumb domain.
+##	</summary>
+## </param>
+#
+interface(`thumb_run',`
+	gen_require(`
+		type thumb_t;
+	')
+
+	thumb_domtrans($1)
+	thumb_nnp_domtrans($1)
+	role $2 types thumb_t;
+
+	allow $1 thumb_t:process signal_perms;
+
+	dontaudit thumb_t $1:dir list_dir_perms;
+	dontaudit thumb_t $1:file read_file_perms;
+	dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
+    
+    allow thumb_t $1:shm create_shm_perms;
+	allow thumb_t $1:sem create_sem_perms;
+')
+
+########################################
+## <summary>
+##	Role access for thumb
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`thumb_role',`
+	gen_require(`
+		type thumb_t;
+		class dbus send_msg;
+	')
+
+	thumb_run($2, $1)
+
+	ps_process_pattern($2, thumb_t)
+	allow thumb_t $2:unix_stream_socket connectto;
+
+	thumb_dbus_chat($2)
+	thumb_filetrans_home_content($2)
+')
+
+########################################
+## <summary>
+##      Send and receive messages from
+##      thumb over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`thumb_dbus_chat',`
+        gen_require(`
+                type thumb_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 thumb_t:dbus send_msg;
+        allow thumb_t $1:dbus send_msg;
+	ps_process_pattern(thumb_t, $1)
+')
+
+########################################
+## <summary>
+##	Create thumb content in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`thumb_filetrans_home_content',`
+
+	gen_require(`
+		type thumb_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
+	userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
+
+	optional_policy(`
+		gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
+	')
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
index 0000000000..a66e74723f
--- /dev/null
+++ b/thumb.te
@@ -0,0 +1,164 @@
+policy_module(thumb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type thumb_t;
+type thumb_exec_t;
+application_domain(thumb_t, thumb_exec_t)
+ubac_constrained(thumb_t)
+userdom_home_manager(thumb_t)
+
+type thumb_tmp_t;
+files_tmp_file(thumb_tmp_t)
+ubac_constrained(thumb_tmp_t)
+
+type thumb_home_t;
+userdom_user_home_content(thumb_home_t)
+
+type thumb_tmpfs_t;
+files_tmpfs_file(thumb_tmpfs_t)
+
+########################################
+#
+# thumb local policy
+#
+
+allow thumb_t self:process { setsched signal signull setrlimit };
+dontaudit thumb_t self:capability sys_tty_config;
+dontaudit thumb_t self:process setfscreate;
+
+tunable_policy(`deny_execmem',`',`
+	allow thumb_t self:process execmem;
+')
+
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
+allow thumb_t self:udp_socket create_socket_perms;
+allow thumb_t self:tcp_socket create_socket_perms;
+allow thumb_t self:shm create_shm_perms;
+allow thumb_t self:sem create_sem_perms;
+
+manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+userdom_dontaudit_access_check_user_content(thumb_t)
+userdom_rw_inherited_user_tmp_files(thumb_t)
+userdom_manage_home_texlive(thumb_t)
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file })
+
+can_exec(thumb_t, thumb_exec_t)
+
+kernel_read_system_state(thumb_t)
+
+corecmd_exec_bin(thumb_t)
+corecmd_exec_shell(thumb_t)
+
+corenet_tcp_connect_xserver_port(thumb_t)
+corenet_dontaudit_tcp_connect_all_ports(thumb_t)
+
+dev_read_sysfs(thumb_t)
+dev_read_urand(thumb_t)
+dev_dontaudit_rw_dri(thumb_t)
+dev_rw_xserver_misc(thumb_t)
+dev_read_video_dev(thumb_t)
+dev_write_video_dev(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
+domain_dontaudit_read_all_domains_state(thumb_t)
+
+files_read_non_security_files(thumb_t)
+files_map_non_security_files(thumb_t)
+
+fs_getattr_all_fs(thumb_t)
+fs_read_dos_files(thumb_t)
+fs_rw_inherited_tmpfs_files(thumb_t)
+fs_mmap_removable_files(thumb_t)
+
+auth_read_passwd(thumb_t)
+
+tunable_policy(`selinuxuser_execmod',`
+	libs_legacy_use_shared_libs(thumb_t)
+')
+
+miscfiles_read_fonts(thumb_t)
+miscfiles_dontaudit_setattr_fonts_dirs(thumb_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t)
+
+sysnet_read_config(thumb_t)
+
+userdom_dontaudit_setattr_user_tmp(thumb_t)
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
+userdom_exec_user_home_content_files(thumb_t)
+userdom_dontaudit_write_user_tmp_files(thumb_t)
+userdom_dontaudit_delete_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t)
+
+userdom_use_user_terminals(thumb_t)
+
+xserver_read_xdm_home_files(thumb_t)
+xserver_append_xdm_home_files(thumb_t)
+xserver_dontaudit_read_xdm_pid(thumb_t)
+xserver_dontaudit_xdm_tmp_dirs(thumb_t)
+xserver_stream_connect(thumb_t)
+xserver_use_user_fonts(thumb_t)
+
+optional_policy(`
+    bumblebee_stream_connect(thumb_t)
+')
+
+optional_policy(`
+    dbus_exec_dbusd(thumb_t)
+    dbus_connect_session_bus(thumb_t)
+	dbus_stream_connect_session_bus(thumb_t)
+	dbus_chat_session_bus(thumb_t)
+')
+
+optional_policy(`
+	# .config
+	gnome_dontaudit_search_config(thumb_t)
+	gnome_dontaudit_write_config_files(thumb_t)
+    gnome_append_home_config(thumb_t)
+	gnome_append_generic_cache_files(thumb_t)
+	gnome_read_generic_data_home_files(thumb_t)
+	gnome_dontaudit_rw_generic_cache_files(thumb_t)
+	gnome_manage_gstreamer_home_files(thumb_t)
+	gnome_manage_gstreamer_home_dirs(thumb_t)
+	gnome_exec_gstreamer_home_files(thumb_t)
+	gnome_create_generic_cache_dir(thumb_t)
+	gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
+	gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+')
+
+optional_policy(`
+	sssd_dontaudit_stream_connect(thumb_t)
+')
+
+optional_policy(`
+	nscd_dontaudit_write_sock_file(thumb_t)
+')
+
+optional_policy(`
+	nslcd_dontaudit_write_sock_file(thumb_t)
+')
+
+tunable_policy(`nis_enabled',`
+	corenet_dontaudit_udp_bind_all_ports(thumb_t)
+	corenet_dontaudit_udp_bind_generic_node(thumb_t)
+')
diff --git a/thunderbird.te b/thunderbird.te
index 5e867da56e..b25ea6e08b 100644
--- a/thunderbird.te
+++ b/thunderbird.te
@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
 
 corecmd_exec_shell(thunderbird_t)
 
-corenet_all_recvfrom_unlabeled(thunderbird_t)
 corenet_all_recvfrom_netlabel(thunderbird_t)
 corenet_tcp_sendrecv_generic_if(thunderbird_t)
 corenet_tcp_sendrecv_generic_node(thunderbird_t)
@@ -82,7 +81,6 @@ dev_read_urand(thunderbird_t)
 dev_dontaudit_search_sysfs(thunderbird_t)
 
 files_list_tmp(thunderbird_t)
-files_read_usr_files(thunderbird_t)
 files_read_etc_runtime_files(thunderbird_t)
 files_read_var_files(thunderbird_t)
 files_read_var_symlinks(thunderbird_t)
@@ -98,7 +96,6 @@ fs_search_auto_mountpoints(thunderbird_t)
 auth_use_nsswitch(thunderbird_t)
 
 miscfiles_read_fonts(thunderbird_t)
-miscfiles_read_localization(thunderbird_t)
 
 userdom_write_user_tmp_sockets(thunderbird_t)
 
@@ -107,23 +104,14 @@ userdom_manage_user_tmp_files(thunderbird_t)
 
 userdom_manage_user_home_content_dirs(thunderbird_t)
 userdom_manage_user_home_content_files(thunderbird_t)
-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
+userdom_filetrans_home_content(thunderbird_t)
 
 xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
 xserver_read_xdm_tmp_files(thunderbird_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(thunderbird_t)
-	fs_manage_nfs_files(thunderbird_t)
-	fs_manage_nfs_symlinks(thunderbird_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(thunderbird_t)
-	fs_manage_cifs_files(thunderbird_t)
-	fs_manage_cifs_symlinks(thunderbird_t)
-')
+# Access ~/.thunderbird
+userdom_home_manager(thunderbird_t)
 
 ifndef(`enable_mls',`
 	fs_search_removable(thunderbird_t)
diff --git a/timidity.te b/timidity.te
index 97cd15589c..49321a5bf0 100644
--- a/timidity.te
+++ b/timidity.te
@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
 kernel_read_kernel_sysctls(timidity_t)
 kernel_read_system_state(timidity_t)
 
-corenet_all_recvfrom_unlabeled(timidity_t)
 corenet_all_recvfrom_netlabel(timidity_t)
 corenet_tcp_sendrecv_generic_if(timidity_t)
 corenet_udp_sendrecv_generic_if(timidity_t)
@@ -51,8 +50,6 @@ dev_write_sound(timidity_t)
 
 domain_use_interactive_fds(timidity_t)
 
-files_read_etc_files(timidity_t)
-files_read_usr_files(timidity_t)
 files_search_tmp(timidity_t)
 
 fs_search_auto_mountpoints(timidity_t)
diff --git a/tlp.fc b/tlp.fc
new file mode 100644
index 0000000000..eef708d929
--- /dev/null
+++ b/tlp.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*))		--	gen_context(system_u:object_r:tlp_unit_file_t,s0)
+
+/usr/sbin/tlp		--	gen_context(system_u:object_r:tlp_exec_t,s0)
+
+/var/lib/tlp(/.*)?		gen_context(system_u:object_r:tlp_var_lib_t,s0)
+
+/var/run/tlp(/.*)?		gen_context(system_u:object_r:tlp_var_run_t,s0)
diff --git a/tlp.if b/tlp.if
new file mode 100644
index 0000000000..368e188425
--- /dev/null
+++ b/tlp.if
@@ -0,0 +1,184 @@
+
+## <summary>policy for tlp</summary>
+
+########################################
+## <summary>
+##	Execute tlp_exec_t in the tlp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tlp_domtrans',`
+	gen_require(`
+		type tlp_t, tlp_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, tlp_exec_t, tlp_t)
+')
+
+######################################
+## <summary>
+##	Execute tlp in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tlp_exec',`
+	gen_require(`
+		type tlp_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, tlp_exec_t)
+')
+
+########################################
+## <summary>
+##	Search tlp conf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tlp_search_conf',`
+	gen_require(`
+		type tlp_etc_rw_t;
+	')
+
+	allow $1 tlp_etc_rw_t:dir search_dir_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Read tlp conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tlp_read_conf_files',`
+	gen_require(`
+		type tlp_etc_rw_t;
+	')
+
+	allow $1 tlp_etc_rw_t:dir list_dir_perms;
+	read_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Manage tlp conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tlp_manage_conf_files',`
+	gen_require(`
+		type tlp_etc_rw_t;
+	')
+
+	manage_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Execute tlp server in the tlp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tlp_systemctl',`
+	gen_require(`
+		type tlp_t;
+		type tlp_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 tlp_unit_file_t:file read_file_perms;
+	allow $1 tlp_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, tlp_t)
+')
+
+########################################
+## <summary>
+##	Read all dbus pid files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tlp_manage_pid_files',`
+	gen_require(`
+		type tlp_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an tlp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`tlp_admin',`
+	gen_require(`
+		type tlp_t;
+		type tlp_etc_rw_t;
+	type tlp_unit_file_t;
+	')
+
+	allow $1 tlp_t:process { signal_perms };
+	ps_process_pattern($1, tlp_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 tlp_t:process ptrace;
+    ')
+
+	files_search_etc($1)
+	admin_pattern($1, tlp_etc_rw_t)
+
+	tlp_systemctl($1)
+	admin_pattern($1, tlp_unit_file_t)
+	allow $1 tlp_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/tlp.te b/tlp.te
new file mode 100644
index 0000000000..80e71067a3
--- /dev/null
+++ b/tlp.te
@@ -0,0 +1,95 @@
+policy_module(tlp, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tlp_t;
+type tlp_exec_t;
+init_daemon_domain(tlp_t, tlp_exec_t)
+
+type tlp_var_run_t;
+files_pid_file(tlp_var_run_t)
+
+type tlp_var_lib_t;
+files_type(tlp_var_lib_t)
+
+type tlp_unit_file_t;
+systemd_unit_file(tlp_unit_file_t)
+
+########################################
+#
+# tlp local policy
+#
+allow tlp_t self:capability { net_admin sys_rawio };
+allow tlp_t self:unix_stream_socket create_stream_socket_perms;
+allow tlp_t self:udp_socket create_socket_perms;
+allow tlp_t self:unix_dgram_socket create_socket_perms;
+allow tlp_t self:netlink_generic_socket create_socket_perms;
+
+manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file })
+
+manage_dirs_pattern(tlp_t, tlp_var_lib_t, tlp_var_lib_t)
+manage_files_pattern(tlp_t, tlp_var_lib_t, tlp_var_lib_t)
+files_var_lib_filetrans(tlp_t, tlp_var_lib_t, dir)
+
+kernel_read_system_state(tlp_t)
+kernel_read_network_state(tlp_t)
+kernel_read_fs_sysctls(tlp_t)
+kernel_rw_fs_sysctls(tlp_t)
+kernel_rw_kernel_sysctl(tlp_t)
+kernel_rw_vm_sysctls(tlp_t)
+kernel_create_rpc_sysctls(tlp_t)
+
+auth_read_passwd(tlp_t)
+
+corecmd_exec_bin(tlp_t)
+
+dev_list_sysfs(tlp_t)
+dev_manage_sysfs(tlp_t)
+dev_rw_cpu_microcode(tlp_t)
+dev_rw_wireless(tlp_t)
+
+files_read_kernel_modules(tlp_t)
+files_map_kernel_modules(tlp_t)
+files_load_kernel_modules(tlp_t)
+
+modutils_exec_insmod(tlp_t)
+modutils_read_module_config(tlp_t)
+
+logging_send_syslog_msg(tlp_t)
+
+storage_raw_read_fixed_disk(tlp_t)
+storage_raw_read_removable_device(tlp_t)
+storage_raw_write_removable_device(tlp_t)
+
+sysnet_exec_ifconfig(tlp_t)
+
+optional_policy(`
+    dbus_stream_connect_system_dbusd(tlp_t)
+    dbus_system_bus_client(tlp_t)
+')
+
+optional_policy(`
+    fstools_exec(tlp_t)
+')
+
+optional_policy(`
+    mount_domtrans(tlp_t)
+')
+
+optional_policy(`
+    sssd_read_public_files(tlp_t)
+    sssd_stream_connect(tlp_t)
+')
+
+optional_policy(`
+    systemd_rfkill_domtrans(tlp_t)
+')
+
+optional_policy(`
+	udev_domtrans(tlp_t)
+')
diff --git a/tmpreaper.te b/tmpreaper.te
index 585a77f951..0aca5b5fb2 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -5,37 +5,74 @@ policy_module(tmpreaper, 1.7.1)
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Determine whether tmpreaper can use
+##	nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(tmpreaper_use_nfs, false)
+
+
+## <desc>
+##	<p>
+##	Determine whether tmpreaper can use
+##	cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(tmpreaper_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether tmpreaper can use samba_share files
+## </p>
+## </desc>
+gen_tunable(tmpreaper_use_samba, false)
+
 type tmpreaper_t;
 type tmpreaper_exec_t;
 init_system_domain(tmpreaper_t, tmpreaper_exec_t)
+application_domain(tmpreaper_t, tmpreaper_exec_t)
+init_nnp_daemon_domain(tmpreaper_t)
 
 ########################################
 #
 # Local Policy
 #
 
-allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+allow tmpreaper_t self:capability { dac_override dac_read_search fowner sys_ptrace };
 allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
 
 kernel_list_unlabeled(tmpreaper_t)
 kernel_read_system_state(tmpreaper_t)
+kernel_read_network_state(tmpreaper_t)
+kernel_delete_unlabeled(tmpreaper_t)
+kernel_dontaudit_getattr_all_sysctls(tmpreaper_t)
 
 dev_read_urand(tmpreaper_t)
+dev_getattr_all_chr_files(tmpreaper_t)
+dev_getattr_all_blk_files(tmpreaper_t)
+dev_getattr_mtrr_dev(tmpreaper_t)
 
 corecmd_exec_bin(tmpreaper_t)
 corecmd_exec_shell(tmpreaper_t)
 
+domain_read_all_domains_state(tmpreaper_t)
+domain_getattr_all_sockets(tmpreaper_t)
+domain_getattr_all_pipes(tmpreaper_t)
+
 fs_getattr_xattr_fs(tmpreaper_t)
 fs_list_all(tmpreaper_t)
+fs_setattr_tmpfs_dirs(tmpreaper_t)
+fs_delete_tmpfs_files(tmpreaper_t)
 
-files_getattr_all_dirs(tmpreaper_t)
-files_getattr_all_files(tmpreaper_t)
 files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
-files_setattr_all_tmp_dirs(tmpreaper_t)
+files_delete_all_non_security_files(tmpreaper_t)
+files_setattr_non_security_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
 
-mcs_file_read_all(tmpreaper_t)
-mcs_file_write_all(tmpreaper_t)
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
 
@@ -45,7 +82,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
 
 logging_send_syslog_msg(tmpreaper_t)
 
-miscfiles_read_localization(tmpreaper_t)
 miscfiles_delete_man_pages(tmpreaper_t)
 
 ifdef(`distro_debian',`
@@ -53,10 +89,33 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_redhat',`
-	userdom_list_all_user_home_content(tmpreaper_t)
+	userdom_list_user_home_content(tmpreaper_t)
+	userdom_list_admin_dir(tmpreaper_t)
 	userdom_delete_all_user_home_content_dirs(tmpreaper_t)
 	userdom_delete_all_user_home_content_files(tmpreaper_t)
+	userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
 	userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
+	userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
+')
+
+tunable_policy(`tmpreaper_use_nfs',`
+	fs_setattr_nfs_dirs(tmpreaper_t)
+')
+
+	optional_policy(`
+        tunable_policy(`tmpreaper_use_samba',`
+            samba_setattr_samba_share_dirs(tmpreaper_t)
+    ')
+')
+
+tunable_policy(`tmpreaper_use_cifs',`
+	fs_setattr_cifs_dirs(tmpreaper_t)
+')
+
+	optional_policy(`
+        tunable_policy(`tmpreaper_use_samba',`
+            samba_setattr_samba_share_dirs(tmpreaper_t)
+    ')
 ')
 
 optional_policy(`
@@ -64,6 +123,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	apache_delete_sys_content_rw(tmpreaper_t)
 	apache_list_cache(tmpreaper_t)
 	apache_delete_cache_dirs(tmpreaper_t)
 	apache_delete_cache_files(tmpreaper_t)
@@ -79,7 +139,19 @@ optional_policy(`
 ')
 
 optional_policy(`
-	lpd_manage_spool(tmpreaper_t)
+    lpd_manage_spool(tmpreaper_t)
+')
+
+optional_policy(`
+	mandb_delete_cache(tmpreaper_t)
+')
+
+optional_policy(`
+	sandbox_list(tmpreaper_t)
+	sandbox_delete_dirs(tmpreaper_t)
+	sandbox_delete_files(tmpreaper_t)
+	sandbox_delete_sock_files(tmpreaper_t)
+	sandbox_setattr_dirs(tmpreaper_t)
 ')
 
 optional_policy(`
@@ -89,3 +161,8 @@ optional_policy(`
 optional_policy(`
 	rpm_manage_cache(tmpreaper_t)
 ')
+
+optional_policy(`
+        ntp_manage_log(tmpreaper_t)
+')
+
diff --git a/tomcat.fc b/tomcat.fc
new file mode 100644
index 0000000000..1a401e3667
--- /dev/null
+++ b/tomcat.fc
@@ -0,0 +1,13 @@
+/usr/lib/systemd/system/tomcat.service		--	gen_context(system_u:object_r:tomcat_unit_file_t,s0)
+
+/usr/sbin/tomcat(6)?	--	gen_context(system_u:object_r:tomcat_exec_t,s0)
+/usr/libexec/tomcat/server  --  gen_context(system_u:object_r:tomcat_exec_t,s0)
+
+/var/cache/tomcat6?(/.*)?		gen_context(system_u:object_r:tomcat_cache_t,s0)
+
+/var/lib/tomcat6?(/.*)?		gen_context(system_u:object_r:tomcat_var_lib_t,s0)
+/var/lib/tomcats?(/.*)?		gen_context(system_u:object_r:tomcat_var_lib_t,s0)
+
+/var/log/tomcat6?(/.*)?		gen_context(system_u:object_r:tomcat_log_t,s0)
+
+/var/run/tomcat6?\.pid		--	gen_context(system_u:object_r:tomcat_var_run_t,s0)
diff --git a/tomcat.if b/tomcat.if
new file mode 100644
index 0000000000..6e6923b7e4
--- /dev/null
+++ b/tomcat.if
@@ -0,0 +1,399 @@
+
+## <summary>policy for tomcat</summary>
+
+######################################
+## <summary>
+##      Creates types and rules for a basic
+##      tomcat daemon domain.
+## </summary>
+## <param name="prefix">
+##      <summary>
+##      Prefix for the domain.
+##      </summary>
+## </param>
+#
+template(`tomcat_domain_template',`
+        gen_require(`
+                attribute tomcat_domain;
+        ')
+
+	type $1_t, tomcat_domain;
+	type $1_exec_t;
+	init_daemon_domain($1_t, $1_exec_t)
+
+	type $1_cache_t;
+	files_type($1_cache_t)
+
+	type $1_log_t;
+	logging_log_file($1_log_t)
+
+	type $1_var_lib_t;
+	files_type($1_var_lib_t)
+
+	type $1_var_run_t;
+	files_pid_file($1_var_run_t)
+
+	type $1_tmp_t;
+	files_tmp_file($1_tmp_t)
+
+	##################################
+	#
+	# Local policy
+	#
+
+	manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t)
+	manage_files_pattern($1_t, $1_cache_t, $1_cache_t)
+	manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t)
+	files_var_filetrans($1_t, $1_cache_t, { dir file })
+
+	manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
+	manage_files_pattern($1_t, $1_log_t, $1_log_t)
+	manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
+	logging_log_filetrans($1_t, $1_log_t, { dir file })
+
+	manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
+	allow $1_t $1_var_lib_t:file map;
+
+	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })
+
+	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir lnk_file })
+	allow $1_t $1_tmp_t:file map;
+
+	can_exec($1_t, $1_exec_t)
+
+	kernel_read_system_state($1_t)
+
+	logging_send_syslog_msg($1_t)
+')
+
+########################################
+## <summary>
+##	Transition to tomcat.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tomcat_domtrans',`
+	gen_require(`
+		type tomcat_t, tomcat_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, tomcat_exec_t, tomcat_t)
+')
+
+########################################
+## <summary>
+##	Search tomcat cache directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_search_cache',`
+	gen_require(`
+		type tomcat_cache_t;
+	')
+
+	allow $1 tomcat_cache_t:dir search_dir_perms;
+	files_search_var($1)
+')
+
+########################################
+## <summary>
+##	Read tomcat cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_read_cache_files',`
+	gen_require(`
+		type tomcat_cache_t;
+	')
+
+	files_search_var($1)
+	read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	tomcat cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_manage_cache_files',`
+	gen_require(`
+		type tomcat_cache_t;
+	')
+
+	files_search_var($1)
+	manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage tomcat cache dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_manage_cache_dirs',`
+	gen_require(`
+		type tomcat_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
+')
+
+########################################
+## <summary>
+##	Read tomcat's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`tomcat_read_log',`
+	gen_require(`
+		type tomcat_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, tomcat_log_t, tomcat_log_t)
+')
+
+########################################
+## <summary>
+##	Append to tomcat log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_append_log',`
+	gen_require(`
+		type tomcat_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, tomcat_log_t, tomcat_log_t)
+')
+
+########################################
+## <summary>
+##	Manage tomcat log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_manage_log',`
+	gen_require(`
+		type tomcat_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
+	manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
+	manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
+')
+
+########################################
+## <summary>
+##	Search tomcat lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_search_lib',`
+	gen_require(`
+		type tomcat_var_lib_t;
+	')
+
+	allow $1 tomcat_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read tomcat lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_read_lib_files',`
+	gen_require(`
+		type tomcat_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage tomcat lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_manage_lib_files',`
+	gen_require(`
+		type tomcat_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage tomcat lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_manage_lib_dirs',`
+	gen_require(`
+		type tomcat_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read tomcat PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tomcat_read_pid_files',`
+	gen_require(`
+		type tomcat_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tomcat_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute tomcat server in the tomcat domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tomcat_systemctl',`
+	gen_require(`
+		type tomcat_t;
+		type tomcat_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 tomcat_unit_file_t:file read_file_perms;
+	allow $1 tomcat_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, tomcat_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an tomcat environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`tomcat_admin',`
+	gen_require(`
+		type tomcat_t;
+		type tomcat_cache_t;
+		type tomcat_log_t;
+		type tomcat_var_lib_t;
+		type tomcat_var_run_t;
+	type tomcat_unit_file_t;
+	')
+
+	allow $1 tomcat_t:process { ptrace signal_perms };
+	ps_process_pattern($1, tomcat_t)
+
+	files_search_var($1)
+	admin_pattern($1, tomcat_cache_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, tomcat_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, tomcat_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, tomcat_var_run_t)
+
+	tomcat_systemctl($1)
+	admin_pattern($1, tomcat_unit_file_t)
+	allow $1 tomcat_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
index 0000000000..4f16df698e
--- /dev/null
+++ b/tomcat.te
@@ -0,0 +1,168 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow tomcat to read rpm database.
+## </p>
+## </desc>
+gen_tunable(tomcat_read_rpm_db, false)
+
+## <desc>
+## <p>
+## Allow tomcat to use executable memory and executable stack
+## </p>
+## </desc>
+gen_tunable(tomcat_use_execmem, false)
+
+## <desc>
+## <p>
+## Allow tomcat to connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(tomcat_can_network_connect_db, false)
+
+attribute tomcat_domain;
+
+tomcat_domain_template(tomcat)
+
+type tomcat_unit_file_t;
+systemd_unit_file(tomcat_unit_file_t)
+
+########################################
+#
+# tomcat local policy
+#
+
+allow tomcat_t self:capability setgid;
+
+allow tomcat_t self:process execmem;
+allow tomcat_t self:process { signal signull };
+
+allow tomcat_t self:tcp_socket { accept listen };
+
+auth_use_nsswitch(tomcat_t)
+
+# Temporary fix, while missing SELinux policies for HSM
+init_stream_connect_script(tomcat_t)
+
+optional_policy(`
+    pki_manage_tomcat_cert(tomcat_t)
+    pki_manage_apache_log_files(tomcat_t)
+    pki_manage_tomcat_lib(tomcat_t)
+    pki_manage_tomcat_etc_rw(tomcat_t)
+    pki_search_log_dirs(tomcat_t)
+    pki_manage_tomcat_pid(tomcat_t)
+    pki_manage_tomcat_log(tomcat_t)
+    pki_manage_common_files(tomcat_t)
+    pki_exec_common_files(tomcat_t)
+    pki_stream_connect(tomcat_t)
+')
+
+optional_policy(`
+    ipa_read_lib(tomcat_t)
+	ipa_read_tmp(tomcat_t)
+')
+
+########################################
+#
+# tomcat domain policy
+#
+
+allow tomcat_t self:capability { dac_read_search dac_override setuid kill };
+
+allow tomcat_t self:process { execmem setcap setsched signal signull };
+allow tomcat_domain self:fifo_file rw_fifo_file_perms;
+allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
+
+# we want to stay in a new tomcat domain if we call tomcat binary from a script
+# initrc_t@tomcat_test_exec_t->tomcat_test_t@tomcat_exec_t->tomcat_test_t
+can_exec(tomcat_domain, tomcat_exec_t)
+
+kernel_read_network_state(tomcat_domain)
+kernel_search_network_sysctl(tomcat_domain)
+kernel_read_net_sysctls(tomcat_domain)
+kernel_read_usermodehelper_state(tomcat_domain)
+
+corecmd_exec_bin(tomcat_domain)
+corecmd_exec_shell(tomcat_domain)
+
+corenet_tcp_bind_generic_node(tomcat_domain)
+corenet_udp_bind_generic_node(tomcat_domain)
+corenet_tcp_bind_http_port(tomcat_domain)
+corenet_tcp_bind_http_cache_port(tomcat_domain)
+corenet_tcp_bind_mxi_port(tomcat_domain)
+corenet_tcp_bind_transproxy_port(tomcat_domain)
+corenet_tcp_bind_bctp_port(tomcat_domain)
+corenet_tcp_connect_http_cache_port(tomcat_domain)
+corenet_tcp_connect_http_port(tomcat_domain)
+corenet_tcp_connect_ldap_port(tomcat_domain)
+corenet_tcp_connect_mxi_port(tomcat_domain)
+corenet_tcp_connect_transproxy_port(tomcat_domain)
+corenet_tcp_connect_amqp_port(tomcat_domain)
+corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
+corenet_tcp_connect_unreserved_ports(tomcat_domain)
+corenet_tcp_bind_jboss_management_port(tomcat_domain)
+corenet_tcp_connect_smtp_port(tomcat_domain)
+
+dev_dontaudit_append_rand(tomcat_domain)
+dev_read_rand(tomcat_domain)
+dev_read_urand(tomcat_domain)
+dev_read_sysfs(tomcat_domain)
+
+domain_use_interactive_fds(tomcat_domain)
+
+libs_exec_ldconfig(tomcat_domain)
+
+files_delete_usr_dirs(tomcat_domain)
+files_manage_usr_files(tomcat_domain)
+
+fs_getattr_all_fs(tomcat_domain)
+fs_read_hugetlbfs_files(tomcat_domain)
+fs_read_cgroup_files(tomcat_domain)
+fs_search_cgroup_dirs(tomcat_domain)
+
+sysnet_dns_name_resolve(tomcat_domain)
+
+optional_policy(`
+    cobbler_read_lib_files(tomcat_domain)
+')
+
+optional_policy(`
+	# needed by FreeIPA
+	ldap_stream_connect(tomcat_domain)
+	ldap_read_certs(tomcat_domain)
+')
+
+optional_policy(`
+    mta_send_mail(tomcat_domain)
+')
+
+optional_policy(`
+	tomcat_search_lib(tomcat_domain)
+')
+
+tunable_policy(`tomcat_read_rpm_db',`
+    rpm_exec(tomcat_domain)
+    rpm_read_db(tomcat_domain)
+')
+
+tunable_policy(`tomcat_can_network_connect_db',`
+	corenet_tcp_connect_gds_db_port(tomcat_domain)
+	corenet_tcp_connect_mssql_port(tomcat_domain)
+	corenet_tcp_connect_mongod_port(tomcat_domain)
+	corenet_sendrecv_mssql_client_packets(tomcat_domain)
+	corenet_tcp_connect_oracle_port(tomcat_domain)
+	corenet_sendrecv_oracle_client_packets(tomcat_domain)
+    corenet_tcp_connect_postgresql_port(tomcat_domain)
+    corenet_tcp_connect_mysqld_port(tomcat_domain)
+    corenet_tcp_connect_redis_port(tomcat_domain)
+')
+
+tunable_policy(`tomcat_use_execmem',`
+	allow tomcat_domain self:process { execmem execstack };
+')
diff --git a/tor.fc b/tor.fc
index dce42ecc55..b6b67bffe2 100644
--- a/tor.fc
+++ b/tor.fc
@@ -5,6 +5,8 @@
 /usr/bin/tor	--	gen_context(system_u:object_r:tor_exec_t,s0)
 /usr/sbin/tor	--	gen_context(system_u:object_r:tor_exec_t,s0)
 
+/usr/lib/systemd/system/tor.*         --      gen_context(system_u:object_r:tor_unit_file_t,s0)
+
 /var/lib/tor(/.*)?	gen_context(system_u:object_r:tor_var_lib_t,s0)
 /var/lib/tor-data(/.*)?	gen_context(system_u:object_r:tor_var_lib_t,s0)
 
diff --git a/tor.if b/tor.if
index 61c2e07d61..3b860953c4 100644
--- a/tor.if
+++ b/tor.if
@@ -19,6 +19,30 @@ interface(`tor_domtrans',`
 	domtrans_pattern($1, tor_exec_t, tor_t)
 ')
 
+#######################################
+## <summary>
+##      Execute tor server in the tor domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`tor_systemctl',`
+        gen_require(`
+                type tor_t;
+                type tor_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        allow $1 tor_unit_file_t:file read_file_perms;
+        allow $1 tor_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, tor_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -39,12 +63,18 @@ interface(`tor_domtrans',`
 interface(`tor_admin',`
 	gen_require(`
 		type tor_t, tor_var_log_t, tor_etc_t;
-		type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t;
+		type tor_var_lib_t, tor_var_run_t;
+		type tor_initrc_exec_t;
+		type tor_unit_file_t;
 	')
 
-	allow $1 tor_t:process { ptrace signal_perms };
+	allow $1 tor_t:process signal_perms;
 	ps_process_pattern($1, tor_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 tor_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, tor_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 tor_initrc_exec_t system_r;
@@ -61,4 +91,13 @@ interface(`tor_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, tor_var_run_t)
+
+	tor_systemctl($1)
+	admin_pattern($1, tor_unit_file_t)
+	allow $1 tor_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/tor.te b/tor.te
index 5ceacde8c1..9c178da360 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
 ## </desc>
 gen_tunable(tor_bind_all_unreserved_ports, false)
 
+## <desc>
+## <p>
+## Allow tor to act as a relay
+## </p>
+## </desc>
+gen_tunable(tor_can_network_relay, false)
+
 type tor_t;
 type tor_exec_t;
 init_daemon_domain(tor_t, tor_exec_t)
@@ -33,12 +40,15 @@ type tor_var_run_t;
 files_pid_file(tor_var_run_t)
 init_daemon_run_dir(tor_var_run_t, "tor")
 
+type tor_unit_file_t;
+systemd_unit_file(tor_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { dac_read_search dac_override setgid setuid sys_tty_config };
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };
@@ -52,6 +62,7 @@ manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
+allow tor_t tor_var_lib_t:file map;
 
 allow tor_t tor_var_log_t:dir setattr_dir_perms;
 append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
@@ -77,7 +88,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
 corenet_udp_sendrecv_generic_node(tor_t)
 corenet_tcp_bind_generic_node(tor_t)
 corenet_udp_bind_generic_node(tor_t)
-
 corenet_sendrecv_dns_server_packets(tor_t)
 corenet_udp_bind_dns_port(tor_t)
 corenet_udp_sendrecv_dns_port(tor_t)
@@ -85,6 +95,7 @@ corenet_udp_sendrecv_dns_port(tor_t)
 corenet_sendrecv_tor_server_packets(tor_t)
 corenet_tcp_bind_tor_port(tor_t)
 corenet_tcp_sendrecv_tor_port(tor_t)
+corenet_tcp_bind_hplip_port(tor_t)
 
 corenet_sendrecv_all_client_packets(tor_t)
 corenet_tcp_connect_all_ports(tor_t)
@@ -98,19 +109,22 @@ dev_read_urand(tor_t)
 domain_use_interactive_fds(tor_t)
 
 files_read_etc_runtime_files(tor_t)
-files_read_usr_files(tor_t)
 
 auth_use_nsswitch(tor_t)
 
 logging_send_syslog_msg(tor_t)
 
-miscfiles_read_localization(tor_t)
-
 tunable_policy(`tor_bind_all_unreserved_ports',`
 	corenet_sendrecv_all_server_packets(tor_t)
 	corenet_tcp_bind_all_unreserved_ports(tor_t)
 ')
 
+tunable_policy(`tor_can_network_relay',`
+    # allow httpd to work as a relay
+	corenet_tcp_connect_all_ephemeral_ports(tor_t)
+	corenet_tcp_bind_http_port(tor_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(tor_t)
 ')
diff --git a/transproxy.te b/transproxy.te
index 34973ee4cb..1c9a4c6139 100644
--- a/transproxy.te
+++ b/transproxy.te
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t)
 kernel_list_proc(transproxy_t)
 kernel_read_proc_symlinks(transproxy_t)
 
-corenet_all_recvfrom_unlabeled(transproxy_t)
 corenet_all_recvfrom_netlabel(transproxy_t)
 corenet_tcp_sendrecv_generic_if(transproxy_t)
 corenet_tcp_sendrecv_generic_node(transproxy_t)
@@ -46,15 +45,12 @@ dev_read_sysfs(transproxy_t)
 
 domain_use_interactive_fds(transproxy_t)
 
-files_read_etc_files(transproxy_t)
 
 fs_getattr_all_fs(transproxy_t)
 fs_search_auto_mountpoints(transproxy_t)
 
 logging_send_syslog_msg(transproxy_t)
 
-miscfiles_read_localization(transproxy_t)
-
 sysnet_read_config(transproxy_t)
 
 userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
diff --git a/tripwire.te b/tripwire.te
index 03aa6b7f01..53c0c73665 100644
--- a/tripwire.te
+++ b/tripwire.te
@@ -47,7 +47,7 @@ role twprint_roles types twprint_t;
 # Local policy
 #
 
-allow tripwire_t self:capability { setgid setuid dac_override };
+allow tripwire_t self:capability { setgid setuid dac_read_search dac_override };
 
 allow tripwire_t tripwire_etc_t:dir list_dir_perms;
 allow tripwire_t tripwire_etc_t:file read_file_perms;
@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t)
 
 logging_send_syslog_msg(tripwire_t)
 
-userdom_use_user_terminals(tripwire_t)
+userdom_use_inherited_user_terminals(tripwire_t)
 
 optional_policy(`
 	cron_system_entry(tripwire_t, tripwire_exec_t)
@@ -107,9 +107,7 @@ files_search_etc(twadmin_t)
 
 logging_send_syslog_msg(twadmin_t)
 
-miscfiles_read_localization(twadmin_t)
-
-userdom_use_user_terminals(twadmin_t)
+userdom_use_inherited_user_terminals(twadmin_t)
 
 ########################################
 #
@@ -135,9 +133,7 @@ files_search_var_lib(twprint_t)
 
 logging_send_syslog_msg(twprint_t)
 
-miscfiles_read_localization(twprint_t)
-
-userdom_use_user_terminals(twprint_t)
+userdom_use_inherited_user_terminals(twprint_t)
 
 ########################################
 #
@@ -150,6 +146,4 @@ files_read_all_files(siggen_t)
 
 logging_send_syslog_msg(siggen_t)
 
-miscfiles_read_localization(siggen_t)
-
-userdom_use_user_terminals(siggen_t)
+userdom_use_inherited_user_terminals(siggen_t)
diff --git a/tuned.if b/tuned.if
index e29db63a2b..061fb983c9 100644
--- a/tuned.if
+++ b/tuned.if
@@ -119,9 +119,13 @@ interface(`tuned_admin',`
 		type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
 	')
 
-	allow $1 tuned_t:process { ptrace signal_perms };
+	allow $1 tuned_t:process signal_perms;
 	ps_process_pattern($1, tuned_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 tuned_t:process ptrace;
+	')
+
 	tuned_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
index 393a330739..76390e2f6a 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
 type tuned_log_t;
 logging_log_file(tuned_log_t)
 
+type tuned_tmp_t;
+files_tmp_file(tuned_tmp_t)
+
 type tuned_var_run_t;
 files_pid_file(tuned_var_run_t)
 
@@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t)
 # Local policy
 #
 
-allow tuned_t self:capability { sys_admin sys_nice };
-dontaudit tuned_t self:capability { dac_override sys_tty_config };
-allow tuned_t self:process { setsched signal };
+allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio };
+dontaudit tuned_t self:capability { dac_read_search dac_override sys_tty_config };
+allow tuned_t self:process {  setsched signal };
 allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow tuned_t self:netlink_socket create_socket_perms;
+allow tuned_t self:udp_socket create_socket_perms;
+allow tuned_t self:socket create_socket_perms;
 
 read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
 exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
@@ -41,22 +48,29 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
 files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
 
 manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
-append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-logging_log_filetrans(tuned_t, tuned_log_t, file)
+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
+
+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
+manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
+files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
+can_exec(tuned_t, tuned_tmp_t)
 
 manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
 manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
 files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
+allow tuned_t tuned_var_run_t:file  relabel_file_perms;
+can_exec(tuned_t, tuned_var_run_t)
 
 kernel_read_system_state(tuned_t)
 kernel_read_network_state(tuned_t)
 kernel_read_kernel_sysctls(tuned_t)
 kernel_request_load_module(tuned_t)
 kernel_rw_kernel_sysctl(tuned_t)
-kernel_rw_hotplug_sysctls(tuned_t)
+kernel_rw_usermodehelper_state(tuned_t)
 kernel_rw_vm_sysctls(tuned_t)
+kernel_setsched(tuned_t)
+kernel_rw_all_sysctls(tuned_t)
 
 corecmd_exec_bin(tuned_t)
 corecmd_exec_shell(tuned_t)
@@ -64,31 +78,64 @@ corecmd_exec_shell(tuned_t)
 dev_getattr_all_blk_files(tuned_t)
 dev_getattr_all_chr_files(tuned_t)
 dev_read_urand(tuned_t)
+dev_rw_cpu_microcode(tuned_t)
 dev_rw_sysfs(tuned_t)
 dev_rw_netcontrol(tuned_t)
 
-files_read_usr_files(tuned_t)
+files_dontaudit_all_access_check(tuned_t)
 files_dontaudit_search_home(tuned_t)
-files_dontaudit_list_tmp(tuned_t)
+files_list_tmp(tuned_t)
+
+fs_getattr_all_fs(tuned_t)
+fs_search_all(tuned_t)
+fs_rw_hugetlbfs_files(tuned_t)
 
-fs_getattr_xattr_fs(tuned_t)
+auth_use_nsswitch(tuned_t)
 
 logging_send_syslog_msg(tuned_t)
+#bug in tuned
+logging_manage_syslog_config(tuned_t)
+logging_filetrans_named_conf(tuned_t)
 
-miscfiles_read_localization(tuned_t)
+mount_read_pid_files(tuned_t)
+
+modutils_domtrans_insmod(tuned_t)
 
 udev_read_pid_files(tuned_t)
 
 userdom_dontaudit_search_user_home_dirs(tuned_t)
 
+optional_policy(`
+	dbus_system_bus_client(tuned_t)
+	dbus_connect_system_bus(tuned_t)
+')
+
+optional_policy(`
+	dmidecode_domtrans(tuned_t)
+')
+
+# to allow disk tuning
 optional_policy(`
 	fstools_domtrans(tuned_t)
 ')
 
+optional_policy(`
+	gnome_dontaudit_search_config(tuned_t)
+')
+
+optional_policy(`
+	libs_exec_ldconfig(tuned_t)
+')
+
 optional_policy(`
 	mount_domtrans(tuned_t)
 ')
 
+optional_policy(`
+	policykit_dbus_chat(tuned_t)
+')
+
+# to allow network interface tuning
 optional_policy(`
 	sysnet_domtrans_ifconfig(tuned_t)
 ')
@@ -96,3 +143,7 @@ optional_policy(`
 optional_policy(`
 	unconfined_dbus_send(tuned_t)
 ')
+
+optional_policy(`
+    unconfined_domain(tuned_t)
+')
diff --git a/tvtime.if b/tvtime.if
index 1bb0f7c78a..372be2f213 100644
--- a/tvtime.if
+++ b/tvtime.if
@@ -1,5 +1,23 @@
 ## <summary>High quality television application.</summary>
 
+#######################################
+## <summary>
+##  Transition to alsa named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`tvtime_filetrans_home_content',`
+    gen_require(`
+        type tvtime_home_t;
+    ')
+
+    userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime")
+')
+
 ########################################
 ## <summary>
 ##	Role access for tvtime
diff --git a/tvtime.te b/tvtime.te
index afd2d6c3fc..3ce900e99b 100644
--- a/tvtime.te
+++ b/tvtime.te
@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
 manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
 manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
 manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
-userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
 
 manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
 manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
@@ -61,7 +60,6 @@ dev_read_realtime_clock(tvtime_t)
 dev_read_sound(tvtime_t)
 dev_read_urand(tvtime_t)
 
-files_read_usr_files(tvtime_t)
 
 fs_getattr_all_fs(tvtime_t)
 fs_search_auto_mountpoints(tvtime_t)
@@ -69,21 +67,12 @@ fs_search_auto_mountpoints(tvtime_t)
 auth_use_nsswitch(tvtime_t)
 
 miscfiles_read_fonts(tvtime_t)
-miscfiles_read_localization(tvtime_t)
 
-userdom_use_user_terminals(tvtime_t)
+userdom_use_inherited_user_terminals(tvtime_t)
+userdom_read_user_home_content_files(tvtime_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(tvtime_t)
-	fs_manage_nfs_files(tvtime_t)
-	fs_manage_nfs_symlinks(tvtime_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(tvtime_t)
-	fs_manage_cifs_files(tvtime_t)
-	fs_manage_cifs_symlinks(tvtime_t)
-')
+# X access, Home files
+userdom_home_manager(tvtime_t)
 
 optional_policy(`
 	xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
diff --git a/tzdata.te b/tzdata.te
index 221c43b846..2b9c49ac1b 100644
--- a/tzdata.te
+++ b/tzdata.te
@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t)
 
 locallogin_dontaudit_use_fds(tzdata_t)
 
-miscfiles_read_localization(tzdata_t)
 miscfiles_manage_localization(tzdata_t)
 miscfiles_etc_filetrans_localization(tzdata_t)
 
-userdom_use_user_terminals(tzdata_t)
+userdom_use_inherited_user_terminals(tzdata_t)
 
 optional_policy(`
 	postfix_search_spool(tzdata_t)
diff --git a/ucspitcp.te b/ucspitcp.te
index 7745b72e66..329c3d899b 100644
--- a/ucspitcp.te
+++ b/ucspitcp.te
@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t)
 corenet_tcp_bind_generic_node(rblsmtpd_t)
 corenet_udp_bind_generic_port(rblsmtpd_t)
 
-files_read_etc_files(rblsmtpd_t)
 files_search_var(rblsmtpd_t)
 
 optional_policy(`
@@ -82,7 +81,6 @@ corenet_udp_bind_dns_port(ucspitcp_t)
 corenet_sendrecv_generic_server_packets(ucspitcp_t)
 corenet_udp_bind_generic_port(ucspitcp_t)
 
-files_read_etc_files(ucspitcp_t)
 files_search_var(ucspitcp_t)
 
 sysnet_read_config(ucspitcp_t)
diff --git a/ulogd.if b/ulogd.if
index 9b95c3ef76..a892845bb0 100644
--- a/ulogd.if
+++ b/ulogd.if
@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
 		type ulogd_var_log_t, ulogd_initrc_exec_t;
 	')
 
-	allow $1 ulogd_t:process { ptrace signal_perms };
+	allow $1 ulogd_t:process signal_perms;
 	ps_process_pattern($1, ulogd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ulogd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
index de35e5f4c3..e710f37a7a 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -29,8 +29,12 @@ logging_log_file(ulogd_var_log_t)
 allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
 allow ulogd_t self:process setsched;
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
 allow ulogd_t self:netlink_socket create_socket_perms;
-allow ulogd_t self:tcp_socket create_stream_socket_perms;
+allow ulogd_t self:netlink_netfilter_socket create_socket_perms;
+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
+allow ulogd_t self:udp_socket create_socket_perms;
+allow ulogd_t self:unix_dgram_socket create_socket_perms;
 
 read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
 
@@ -42,10 +46,10 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
-files_read_etc_files(ulogd_t)
-files_read_usr_files(ulogd_t)
+kernel_request_load_module(ulogd_t)
+kernel_dgram_send(ulogd_t)
 
-miscfiles_read_localization(ulogd_t)
+logging_send_syslog_msg(ulogd_t)
 
 sysnet_dns_name_resolve(ulogd_t)
 
diff --git a/uml.if b/uml.if
index ab5c1d0dae..d13105ea79 100644
--- a/uml.if
+++ b/uml.if
@@ -32,7 +32,7 @@ interface(`uml_role',`
 	allow uml_t $2:unix_dgram_socket sendto;
 
 	ps_process_pattern($2, uml_t)
-	allow $2 uml_t:process { ptrace signal_perms };
+	allow $2 uml_t:process signal_perms;
 
 	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
diff --git a/uml.te b/uml.te
index b68bd49ff7..da0c6912f3 100644
--- a/uml.te
+++ b/uml.te
@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t)
 
 corecmd_exec_bin(uml_t)
 
-corenet_all_recvfrom_unlabeled(uml_t)
 corenet_all_recvfrom_netlabel(uml_t)
 corenet_tcp_sendrecv_generic_if(uml_t)
 corenet_tcp_sendrecv_generic_node(uml_t)
@@ -115,7 +114,13 @@ init_dontaudit_write_utmp(uml_t)
 
 libs_exec_lib_files(uml_t)
 
-userdom_use_user_terminals(uml_t)
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(uml_t)
+
+# Use the network.
+sysnet_read_config(uml_t)
+
+userdom_use_inherited_user_terminals(uml_t)
 userdom_attach_admin_tun_iface(uml_t)
 
 tunable_policy(`use_nfs_home_dirs',`
@@ -132,10 +137,6 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_symlinks(uml_t)
 ')
 
-optional_policy(`
-	seutil_use_newrole_fds(uml_t)
-')
-
 optional_policy(`
 	virt_attach_tun_iface(uml_t)
 ')
@@ -171,8 +172,6 @@ init_use_script_ptys(uml_switch_t)
 
 logging_send_syslog_msg(uml_switch_t)
 
-miscfiles_read_localization(uml_switch_t)
-
 userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
 userdom_dontaudit_search_user_home_dirs(uml_switch_t)
 
diff --git a/updfstab.te b/updfstab.te
index 5ceb912497..232e9ac930 100644
--- a/updfstab.te
+++ b/updfstab.te
@@ -14,7 +14,7 @@ init_system_domain(updfstab_t, updfstab_exec_t)
 # Local policy
 #
 
-allow updfstab_t self:capability dac_override;
+allow updfstab_t self:capability { dac_read_search  dac_override };
 dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
 allow updfstab_t self:process signal_perms;
 allow updfstab_t self:fifo_file rw_fifo_file_perms;
@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t)
 logging_search_logs(updfstab_t)
 logging_send_syslog_msg(updfstab_t)
 
-miscfiles_read_localization(updfstab_t)
-
 seutil_read_config(updfstab_t)
 seutil_read_default_contexts(updfstab_t)
 seutil_read_file_contexts(updfstab_t)
@@ -75,9 +73,8 @@ seutil_read_file_contexts(updfstab_t)
 userdom_dontaudit_search_user_home_content(updfstab_t)
 userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
 
-optional_policy(`
-	auth_domtrans_pam_console(updfstab_t)
-')
+auth_use_nsswitch(updfstab_t)
+auth_domtrans_pam_console(updfstab_t)
 
 optional_policy(`
 	dbus_system_bus_client(updfstab_t)
diff --git a/uptime.if b/uptime.if
index 01a3234b64..19f4724757 100644
--- a/uptime.if
+++ b/uptime.if
@@ -19,7 +19,7 @@
 #
 interface(`uptime_admin',`
 	gen_require(`
-		type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
 		type uptimed_spool_t, uptimed_var_run_t;
 	')
 
diff --git a/uptime.te b/uptime.te
index 58397dc31a..e6b6a34726 100644
--- a/uptime.te
+++ b/uptime.te
@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t;
 init_script_file(uptimed_initrc_exec_t)
 
 type uptimed_spool_t;
-files_type(uptimed_spool_t)
+files_spool_file(uptimed_spool_t)
 
 type uptimed_var_run_t;
 files_pid_file(uptimed_var_run_t)
@@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t)
 
 logging_send_syslog_msg(uptimed_t)
 
-miscfiles_read_localization(uptimed_t)
-
 userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
 userdom_dontaudit_search_user_home_dirs(uptimed_t)
 
diff --git a/usbmodules.te b/usbmodules.te
index 279e511df1..4f79ad6978 100644
--- a/usbmodules.te
+++ b/usbmodules.te
@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t)
 dev_list_usbfs(usbmodules_t)
 dev_rw_usbfs(usbmodules_t)
 
-files_list_etc(usbmodules_t)
-
 term_read_console(usbmodules_t)
 term_write_console(usbmodules_t)
 
@@ -35,10 +33,12 @@ logging_send_syslog_msg(usbmodules_t)
 
 miscfiles_read_hwdata(usbmodules_t)
 
-modutils_read_module_deps(usbmodules_t)
-
-userdom_use_user_terminals(usbmodules_t)
+userdom_use_inherited_user_terminals(usbmodules_t)
 
 optional_policy(`
 	hotplug_read_config(usbmodules_t)
 ')
+
+optional_policy(`
+	modutils_read_module_deps(usbmodules_t)
+')
diff --git a/usbmuxd.fc b/usbmuxd.fc
index 220f6add14..ccbb5dabcb 100644
--- a/usbmuxd.fc
+++ b/usbmuxd.fc
@@ -1,3 +1,6 @@
 /usr/sbin/usbmuxd	--	gen_context(system_u:object_r:usbmuxd_exec_t,s0)
 
-/var/run/usbmuxd.*	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.*	 	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/usr/lib/systemd/system/usbmuxd.*	--	gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
+
+/var/lib/lockdown(/.*)? 	gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
diff --git a/usbmuxd.if b/usbmuxd.if
index 1ec5e996bc..5b6c80bbad 100644
--- a/usbmuxd.if
+++ b/usbmuxd.if
@@ -38,3 +38,67 @@ interface(`usbmuxd_stream_connect',`
 	files_search_pids($1)
 	stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
 ')
+
+########################################
+## <summary>
+##	Execute usbmuxd server in the usbmuxd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`usbmuxd_systemctl',`
+	gen_require(`
+		type usbmuxd_t;
+		type usbmuxd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 usbmuxd_unit_file_t:file read_file_perms;
+	allow $1 usbmuxd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, usbmuxd_t)
+')
+
+#####################################
+## <summary>
+##	All of the rules required to administrate
+##	an usbmuxd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the usbmuxd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`usbmuxd_admin',`
+	gen_require(`
+		type usbmuxd_t,usbmuxd_var_run_t;
+		type usbmuxd_unit_file_t;
+	')
+
+	allow $1 usbmuxd_t:process { signal_perms };
+	ps_process_pattern($1, usbmuxd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 usbmuxd_t:process ptrace;
+	')
+
+	allow $2 system_r;
+
+	files_list_pids($1)
+	admin_pattern($1, usbmuxd_var_run_t)
+
+	usbmuxd_systemctl($1)
+	admin_pattern($1, usbmuxd_unit_file_t)
+	allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
index 34a891755c..933baa42d6 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,58 @@ roleattribute system_r usbmuxd_roles;
 
 type usbmuxd_t;
 type usbmuxd_exec_t;
+init_system_domain(usbmuxd_t, usbmuxd_exec_t)
 application_domain(usbmuxd_t, usbmuxd_exec_t)
 role usbmuxd_roles types usbmuxd_t;
 
 type usbmuxd_var_run_t;
 files_pid_file(usbmuxd_var_run_t)
 
+type usbmuxd_var_lib_t;
+files_type(usbmuxd_var_lib_t)
+
+type usbmuxd_unit_file_t;
+systemd_unit_file(usbmuxd_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow usbmuxd_t self:capability { kill setgid setuid };
-allow usbmuxd_t self:process { signal signull };
+allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
+allow usbmuxd_t self:process { signal_perms setrlimit };
 allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow usbmuxd_t self:unix_stream_socket connectto;
 
 manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
 manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
 manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
 files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
 
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
+manage_lnk_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t)
+files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file })
+
 kernel_read_kernel_sysctls(usbmuxd_t)
 kernel_read_system_state(usbmuxd_t)
 
 dev_read_sysfs(usbmuxd_t)
+dev_read_urand(usbmuxd_t)
 dev_rw_generic_usb_dev(usbmuxd_t)
 
 auth_use_nsswitch(usbmuxd_t)
 
-miscfiles_read_localization(usbmuxd_t)
-
 logging_send_syslog_msg(usbmuxd_t)
+
+seutil_dontaudit_read_file_contexts(usbmuxd_t)
+
+optional_policy(`
+    udev_read_pid_files(usbmuxd_t)
+')
+
+optional_policy(`
+	virt_dontaudit_read_chr_dev(usbmuxd_t)
+')
diff --git a/userhelper.fc b/userhelper.fc
index c416a833e9..cd83b89ee2 100644
--- a/userhelper.fc
+++ b/userhelper.fc
@@ -1,5 +1,10 @@
-/etc/security/console\.apps(/.*)?	gen_context(system_u:object_r:userhelper_conf_t,s0)
+#
+# /etc
+#
+/etc/security/console\.apps(/.*)?		gen_context(system_u:object_r:userhelper_conf_t,s0)
 
-/usr/bin/consolehelper	--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
-
-/usr/sbin/userhelper	--	gen_context(system_u:object_r:userhelper_exec_t,s0)
\ No newline at end of file
+#
+# /usr
+#
+/usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
index 98b51fd0b4..c7e44cada9 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -1,4 +1,4 @@
-## <summary>A wrapper that helps users run system programs.</summary>
+## <summary>SELinux utility to run a shell with a new role</summary>
 
 #######################################
 ## <summary>
@@ -23,9 +23,9 @@
 #
 template(`userhelper_role_template',`
 	gen_require(`
-		attribute userhelper_type, consolehelper_type;
-		attribute_role userhelper_roles, consolehelper_roles;
-		type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t;
+		attribute userhelper_type;
+		type userhelper_exec_t, userhelper_conf_t;
+		class dbus send_msg;
 	')
 
 	########################################
@@ -33,64 +33,123 @@ template(`userhelper_role_template',`
 	# Declarations
 	#
 
-	type $1_consolehelper_t, consolehelper_type;
-	userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)
-	
-	role consolehelper_roles types $1_consolehelper_t;
-	roleattribute $2 consolehelper_roles;
-
 	type $1_userhelper_t, userhelper_type;
 	userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
-
 	domain_role_change_exemption($1_userhelper_t)
 	domain_obj_id_change_exemption($1_userhelper_t)
 	domain_interactive_fd($1_userhelper_t)
 	domain_subj_id_change_exemption($1_userhelper_t)
-	
-	role userhelper_roles types $1_userhelper_t;
-	roleattribute $2 userhelper_roles;
+	role $2 types $1_userhelper_t;
 
 	########################################
 	#
-	# Consolehelper local policy
+	# Local policy
 	#
+	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search  dac_override chown sys_tty_config };
+	allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_userhelper_t self:process setexec;
+	allow $1_userhelper_t self:fd use;
+	allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
+	allow $1_userhelper_t self:shm create_shm_perms;
+	allow $1_userhelper_t self:sem create_sem_perms;
+	allow $1_userhelper_t self:msgq create_msgq_perms;
+	allow $1_userhelper_t self:msg { send receive };
+	allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
+	allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_userhelper_t self:unix_dgram_socket sendto;
+	allow $1_userhelper_t self:unix_stream_socket connectto;
+	allow $1_userhelper_t self:sock_file read_sock_file_perms;
+
+	#Transition to the derived domain.
+	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
 
-	allow $1_consolehelper_t $3:unix_stream_socket connectto;
+	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+	rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
 
-	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+	can_exec($1_userhelper_t, userhelper_exec_t)
 
-	allow $3 $1_consolehelper_t:process { ptrace signal_perms };
-	ps_process_pattern($3, $1_consolehelper_t)
+	dontaudit $3 $1_userhelper_t:process signal;
 
-	auth_use_pam($1_consolehelper_t)
+	kernel_read_all_sysctls($1_userhelper_t)
+	kernel_getattr_debugfs($1_userhelper_t)
+	kernel_read_system_state($1_userhelper_t)
 
-	optional_policy(`
-		dbus_connect_all_session_bus($1_consolehelper_t)
+	# Execute shells
+	corecmd_exec_shell($1_userhelper_t)
+	# By default, revert to the calling domain when a program is executed
+	corecmd_bin_domtrans($1_userhelper_t, $3)
 
-		optional_policy(`
-			userhelper_dbus_chat_all_consolehelper($3)
-		')
-	')
+	# Inherit descriptors from the current session.
+	domain_use_interactive_fds($1_userhelper_t)
+	# for when the user types "exec userhelper" at the command line
+	domain_sigchld_interactive_fds($1_userhelper_t)
+
+	dev_read_urand($1_userhelper_t)
+	# Read /dev directories and any symbolic links.
+	dev_list_all_dev_nodes($1_userhelper_t)
+
+	files_list_var_lib($1_userhelper_t)
+	# Read the /etc/security/default_type file
+	files_read_etc_files($1_userhelper_t)
+	# Read /var.
+	files_read_var_files($1_userhelper_t)
+	files_read_var_symlinks($1_userhelper_t)
+	# for some PAM modules and for cwd
+	files_search_home($1_userhelper_t)
+
+	fs_search_auto_mountpoints($1_userhelper_t)
+	fs_read_nfs_files($1_userhelper_t)
+	fs_read_nfs_symlinks($1_userhelper_t)
+
+	# Allow $1_userhelper to obtain contexts to relabel TTYs
+	selinux_get_fs_mount($1_userhelper_t)
+	selinux_validate_context($1_userhelper_t)
+	selinux_compute_access_vector($1_userhelper_t)
+	selinux_compute_create_context($1_userhelper_t)
+	selinux_compute_relabel_context($1_userhelper_t)
+	selinux_compute_user_contexts($1_userhelper_t)
+
+	# Read the devpts root directory.
+	term_list_ptys($1_userhelper_t)
+	# Relabel terminals.
+	term_relabel_all_ttys($1_userhelper_t)
+	term_relabel_all_ptys($1_userhelper_t)
+	# Access terminals.
+	term_use_all_ttys($1_userhelper_t)
+	term_use_all_ptys($1_userhelper_t)
 
-	########################################
-	#
-	# Userhelper local policy
-	#
+	auth_domtrans_chk_passwd($1_userhelper_t)
+	auth_manage_pam_pid($1_userhelper_t)
+	auth_manage_var_auth($1_userhelper_t)
+	auth_search_pam_console_data($1_userhelper_t)
+	auth_use_nsswitch($1_userhelper_t)
 
-	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+	logging_send_syslog_msg($1_userhelper_t)
 
-	dontaudit $3 $1_userhelper_t:process signal;
+	# Inherit descriptors from the current session.
+	init_use_fds($1_userhelper_t)
+	# Write to utmp.
+	init_manage_utmp($1_userhelper_t)
+	init_pid_filetrans_utmp($1_userhelper_t)
 
-	corecmd_bin_domtrans($1_userhelper_t, $3)
 
-	auth_domtrans_chk_passwd($1_userhelper_t)
-	auth_use_nsswitch($1_userhelper_t)
+	seutil_read_config($1_userhelper_t)
+	seutil_read_default_contexts($1_userhelper_t)
 
+	# Allow $1_userhelper_t to transition to user domains.
 	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
 	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
 
+	ifdef(`distro_redhat',`
+		optional_policy(`
+			# Allow transitioning to rpm_t, for up2date
+			rpm_domtrans($1_userhelper_t)
+		')
+	')
+
 	optional_policy(`
 		tunable_policy(`! secure_mode',`
+			#if we are not in secure mode then we can transition to sysadm_t
 			sysadm_bin_spec_domtrans($1_userhelper_t)
 			sysadm_entry_spec_domtrans($1_userhelper_t)
 		')
@@ -99,7 +158,7 @@ template(`userhelper_role_template',`
 
 ########################################
 ## <summary>
-##	Search userhelper configuration directories.
+##	Search the userhelper configuration directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -118,7 +177,7 @@ interface(`userhelper_search_config',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-##	userhelper configuration directories.
+##	the userhelper configuration directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -136,28 +195,26 @@ interface(`userhelper_dontaudit_search_config',`
 
 ########################################
 ## <summary>
-##	Send and receive messages from
-##	consolehelper over dbus.
+##	Do not audit attempts to write
+##	the userhelper configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`userhelper_dbus_chat_all_consolehelper',`
+interface(`userhelper_dontaudit_write_config',`
 	gen_require(`
-		attribute consolehelper_type;
-		class dbus send_msg;
+		type userhelper_conf_t;
 	')
 
-	allow $1 consolehelper_type:dbus send_msg;
-	allow consolehelper_type $1:dbus send_msg;
+	dontaudit $1 userhelper_conf_t:file write;
 ')
 
 ########################################
 ## <summary>
-##	Use userhelper all userhelper file descriptors.
+##	Allow domain to use userhelper file descriptor.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -175,7 +232,7 @@ interface(`userhelper_use_fd',`
 
 ########################################
 ## <summary>
-##	Send child terminated signals to all userhelper.
+##	Allow domain to send sigchld to userhelper.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -206,10 +263,83 @@ interface(`userhelper_exec',`
 		type userhelper_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, userhelper_exec_t)
 ')
 
+#######################################
+## <summary>
+##	The role template for the consolehelper module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for consolehelper applications.
+##	</p>
+## </desc>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`userhelper_console_role_template',`
+	gen_require(`
+		type consolehelper_exec_t;
+		attribute consolehelper_domain;
+		class dbus send_msg;
+	')
+	type $1_consolehelper_t, consolehelper_domain;
+	domain_type($1_consolehelper_t)
+	domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
+	role $2 types $1_consolehelper_t;
+
+	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+
+	allow $3 $1_consolehelper_t:process signal;
+	allow $3 $1_consolehelper_t:dbus send_msg;
+	allow $1_consolehelper_t $3:dbus send_msg;
+	allow $1_consolehelper_t $3:unix_stream_socket connectto;
+
+	kernel_read_system_state($1_consolehelper_t)
+
+	auth_use_pam($1_consolehelper_t)
+
+	userdom_manage_tmp_role($2, $1_consolehelper_t)
+
+	optional_policy(`
+		dbus_connect_session_bus($1_consolehelper_t)
+	')
+
+	optional_policy(`
+		hddtemp_run($1_consolehelper_t, $2)
+	')
+
+	optional_policy(`
+		shutdown_run($1_consolehelper_t, $2)
+		shutdown_send_sigchld($3)
+	')
+
+	optional_policy(`
+		mock_run($1_consolehelper_t, $2)
+	')
+
+	optional_policy(`
+		xserver_run_xauth($1_consolehelper_t, $2)
+		xserver_read_xdm_pid($1_consolehelper_t)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Execute the consolehelper program
diff --git a/userhelper.te b/userhelper.te
index 42cfce06e2..b7e3e25326 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1)
 # Declarations
 #
 
-attribute consolehelper_type;
 attribute userhelper_type;
-
-attribute_role consolehelper_roles;
-attribute_role userhelper_roles;
+attribute consolehelper_domain;
 
 type userhelper_conf_t;
 files_config_file(userhelper_conf_t)
@@ -22,141 +19,77 @@ application_executable_file(consolehelper_exec_t)
 
 ########################################
 #
-# Common consolehelper domain local policy
+# consolehelper local policy
 #
 
-allow consolehelper_type self:capability { setgid setuid dac_override };
-allow consolehelper_type self:process signal;
-allow consolehelper_type self:fifo_file rw_fifo_file_perms;
-allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
-allow consolehelper_type self:shm create_shm_perms;
-
-dontaudit consolehelper_type userhelper_conf_t:file audit_access;
-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
+allow consolehelper_domain self:shm create_shm_perms;
+allow consolehelper_domain self:capability { setgid setuid dac_read_search dac_override sys_nice }; 
+allow consolehelper_domain self:process { signal_perms getsched setsched };
 
-domain_use_interactive_fds(consolehelper_type)
+allow consolehelper_domain  userhelper_conf_t:file audit_access;
+dontaudit consolehelper_domain  userhelper_conf_t:file write;
+read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
 
-kernel_read_system_state(consolehelper_type)
-kernel_read_kernel_sysctls(consolehelper_type)
+# Init script handling
+domain_use_interactive_fds(consolehelper_domain)
 
-corecmd_exec_bin(consolehelper_type)
+# internal communication is often done using fifo and unix sockets.
+allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
+allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
 
-dev_getattr_all_chr_files(consolehelper_type)
-dev_dontaudit_list_all_dev_nodes(consolehelper_type)
+kernel_read_kernel_sysctls(consolehelper_domain)
 
-files_read_config_files(consolehelper_type)
-files_read_usr_files(consolehelper_type)
+corecmd_exec_bin(consolehelper_domain)
 
-fs_getattr_all_dirs(consolehelper_type)
-fs_getattr_all_fs(consolehelper_type)
-fs_search_auto_mountpoints(consolehelper_type)
-files_search_mnt(consolehelper_type)
+dev_getattr_all_chr_files(consolehelper_domain)
+dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
+dev_dontaudit_getattr_all(consolehelper_domain)
+fs_getattr_all_fs(consolehelper_domain)
+fs_getattr_all_dirs(consolehelper_domain)
 
-term_list_ptys(consolehelper_type)
+files_read_config_files(consolehelper_domain)
 
-auth_search_pam_console_data(consolehelper_type)
-auth_read_pam_pid(consolehelper_type)
+term_list_ptys(consolehelper_domain)
 
-miscfiles_read_localization(consolehelper_type)
-miscfiles_read_fonts(consolehelper_type)
+auth_search_pam_console_data(consolehelper_domain)
+auth_read_pam_pid(consolehelper_domain)
 
-userhelper_exec(consolehelper_type)
+init_read_utmp(consolehelper_domain)
+init_telinit(consolehelper_domain)
 
-userdom_use_user_terminals(consolehelper_type)
+miscfiles_read_fonts(consolehelper_domain)
 
-# might want to make this consolehelper_tmp_t
-userdom_manage_user_tmp_dirs(consolehelper_type)
-userdom_manage_user_tmp_files(consolehelper_type)
-userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userhelper_exec(consolehelper_domain)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_search_nfs(consolehelper_type)
-')
+userdom_use_user_ptys(consolehelper_domain)
+userdom_use_user_ttys(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)
+userdom_search_admin_dir(consolehelper_domain)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_search_cifs(consolehelper_type)
+optional_policy(`
+	dbus_session_bus_client(consolehelper_domain)
+	optional_policy(`
+		devicekit_dbus_chat_disk(consolehelper_domain)
+	')
 ')
 
 optional_policy(`
-	shutdown_run(consolehelper_type, consolehelper_roles)
-	shutdown_signal(consolehelper_type)
+	gnome_read_gconf_home_files(consolehelper_domain)
 ')
 
 optional_policy(`
-	xserver_domtrans_xauth(consolehelper_type)
-	xserver_read_xdm_pid(consolehelper_type)
-	xserver_stream_connect(consolehelper_type)
+	xserver_read_home_fonts(consolehelper_domain)
+	xserver_stream_connect(consolehelper_domain)
+	xserver_admin_home_dir_filetrans_xauth(consolehelper_domain)
+	xserver_manage_user_xauth(consolehelper_domain)
 ')
 
-########################################
-#
-# Common userhelper domain local policy
-#
-
-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
-allow userhelper_type self:fd use;
-allow userhelper_type self:fifo_file rw_fifo_file_perms;
-allow userhelper_type self:shm create_shm_perms;
-allow userhelper_type self:sem create_sem_perms;
-allow userhelper_type self:msgq create_msgq_perms;
-allow userhelper_type self:msg { send receive };
-allow userhelper_type self:unix_dgram_socket sendto;
-allow userhelper_type self:unix_stream_socket { accept connectto listen };
-
-dontaudit userhelper_type userhelper_conf_t:file audit_access;
-read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)
-
-can_exec(userhelper_type, userhelper_exec_t)
-
-kernel_read_all_sysctls(userhelper_type)
-kernel_getattr_debugfs(userhelper_type)
-kernel_read_system_state(userhelper_type)
-
-corecmd_exec_shell(userhelper_type)
-
-domain_use_interactive_fds(userhelper_type)
-domain_sigchld_interactive_fds(userhelper_type)
-
-dev_read_urand(userhelper_type)
-dev_list_all_dev_nodes(userhelper_type)
-
-files_list_var_lib(userhelper_type)
-files_read_var_files(userhelper_type)
-files_read_var_symlinks(userhelper_type)
-files_search_home(userhelper_type)
-
-fs_getattr_all_fs(userhelper_type)
-fs_search_auto_mountpoints(userhelper_type)
-
-selinux_get_fs_mount(userhelper_type)
-selinux_validate_context(userhelper_type)
-selinux_compute_access_vector(userhelper_type)
-selinux_compute_create_context(userhelper_type)
-selinux_compute_relabel_context(userhelper_type)
-selinux_compute_user_contexts(userhelper_type)
-
-term_list_ptys(userhelper_type)
-term_relabel_all_ttys(userhelper_type)
-term_relabel_all_ptys(userhelper_type)
-term_use_all_ttys(userhelper_type)
-term_use_all_ptys(userhelper_type)
-
-auth_manage_pam_pid(userhelper_type)
-auth_manage_var_auth(userhelper_type)
-auth_search_pam_console_data(userhelper_type)
-
-init_use_fds(userhelper_type)
-init_manage_utmp(userhelper_type)
-init_pid_filetrans_utmp(userhelper_type)
-
-logging_send_syslog_msg(userhelper_type)
-
-miscfiles_read_localization(userhelper_type)
-
-seutil_read_config(userhelper_type)
-seutil_read_default_contexts(userhelper_type)
+tunable_policy(`use_nfs_home_dirs',`
+	files_search_mnt(consolehelper_domain)
+	fs_search_nfs(consolehelper_domain)
+')
 
-optional_policy(`
-	rpm_domtrans(userhelper_type)
+tunable_policy(`use_samba_home_dirs',`
+	files_search_mnt(consolehelper_domain)
+	fs_search_cifs(consolehelper_domain)
 ')
diff --git a/usernetctl.if b/usernetctl.if
index 7deec55cf8..c542887da3 100644
--- a/usernetctl.if
+++ b/usernetctl.if
@@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',`
 #
 interface(`usernetctl_run',`
 	gen_require(`
+		type usernetctl_t;
 		attribute_role usernetctl_roles;
 	')
 
diff --git a/usernetctl.te b/usernetctl.te
index f973af82ba..8606439919 100644
--- a/usernetctl.te
+++ b/usernetctl.te
@@ -6,19 +6,19 @@ policy_module(usernetctl, 1.7.0)
 #
 
 attribute_role usernetctl_roles;
+roleattribute system_r usernetctl_roles;
 
 type usernetctl_t;
 type usernetctl_exec_t;
 application_domain(usernetctl_t, usernetctl_exec_t)
 domain_interactive_fd(usernetctl_t)
-role usernetctl_roles types usernetctl_t;
 
 ########################################
 #
 # Local policy
 #
 
-allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:capability { setuid setgid dac_read_search dac_override };
 allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow usernetctl_t self:fd use;
 allow usernetctl_t self:fifo_file rw_fifo_file_perms;
@@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t)
 files_read_etc_runtime_files(usernetctl_t)
 files_list_pids(usernetctl_t)
 files_list_home(usernetctl_t)
-files_read_usr_files(usernetctl_t)
 
 fs_search_auto_mountpoints(usernetctl_t)
 
@@ -48,18 +47,14 @@ auth_use_nsswitch(usernetctl_t)
 
 logging_send_syslog_msg(usernetctl_t)
 
-miscfiles_read_localization(usernetctl_t)
-
 seutil_read_config(usernetctl_t)
 
+sysnet_read_config(usernetctl_t)
+
 sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
 sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
 
-userdom_use_user_terminals(usernetctl_t)
-
-optional_policy(`
-	consoletype_run(usernetctl_t, usernetctl_roles)
-')
+userdom_use_inherited_user_terminals(usernetctl_t)
 
 optional_policy(`
 	hostname_exec(usernetctl_t)
@@ -73,6 +68,10 @@ optional_policy(`
 	modutils_run_insmod(usernetctl_t, usernetctl_roles)
 ')
 
+optional_policy(`
+	nis_use_ypbind(usernetctl_t)
+')
+
 optional_policy(`
 	ppp_run(usernetctl_t, usernetctl_roles)
 ')
diff --git a/uucp.if b/uucp.if
index af9acc0d3c..cdaf82e214 100644
--- a/uucp.if
+++ b/uucp.if
@@ -90,11 +90,6 @@ interface(`uucp_domtrans_uux',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`uucp_admin',`
@@ -104,14 +99,13 @@ interface(`uucp_admin',`
 		type uucpd_var_run_t, uucpd_initrc_exec_t;
 	')
 
-	init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 uucpd_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	allow $1 uucpd_t:process { ptrace signal_perms };
+	allow $1 uucpd_t:process signal_perms;
 	ps_process_pattern($1, uucpd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 uucpd_t:process ptrace;
+	')
+
 	logging_list_logs($1)
 	admin_pattern($1, uucpd_log_t)
 
diff --git a/uucp.te b/uucp.te
index 849f607b14..e01ec6d2e9 100644
--- a/uucp.te
+++ b/uucp.te
@@ -31,7 +31,7 @@ type uucpd_ro_t;
 files_type(uucpd_ro_t)
 
 type uucpd_spool_t;
-files_type(uucpd_spool_t)
+files_spool_file(uucpd_spool_t)
 
 type uucpd_log_t;
 logging_log_file(uucpd_log_t)
@@ -84,15 +84,20 @@ kernel_read_kernel_sysctls(uucpd_t)
 kernel_read_system_state(uucpd_t)
 kernel_read_network_state(uucpd_t)
 
-corenet_all_recvfrom_unlabeled(uucpd_t)
 corenet_all_recvfrom_netlabel(uucpd_t)
 corenet_tcp_sendrecv_generic_if(uucpd_t)
 corenet_tcp_sendrecv_generic_node(uucpd_t)
+corenet_udp_sendrecv_generic_node(uucpd_t)
+corenet_tcp_sendrecv_all_ports(uucpd_t)
+corenet_udp_sendrecv_all_ports(uucpd_t)
 
 corenet_sendrecv_ssh_client_packets(uucpd_t)
 corenet_tcp_connect_ssh_port(uucpd_t)
 corenet_tcp_sendrecv_ssh_port(uucpd_t)
 
+corenet_tcp_bind_uucpd_port(uucpd_t)
+corenet_tcp_connect_uucpd_port(uucpd_t)
+
 corecmd_exec_bin(uucpd_t)
 corecmd_exec_shell(uucpd_t)
 
@@ -110,7 +115,7 @@ auth_use_nsswitch(uucpd_t)
 
 logging_send_syslog_msg(uucpd_t)
 
-miscfiles_read_localization(uucpd_t)
+mta_send_mail(uucpd_t)
 
 optional_policy(`
 	cron_system_entry(uucpd_t, uucpd_exec_t)
@@ -124,10 +129,6 @@ optional_policy(`
 	kerberos_use(uucpd_t)
 ')
 
-optional_policy(`
-	mta_send_mail(uucpd_t)
-')
-
 optional_policy(`
 	ssh_exec(uucpd_t)
 ')
@@ -160,10 +161,15 @@ auth_use_nsswitch(uux_t)
 logging_search_logs(uux_t)
 logging_send_syslog_msg(uux_t)
 
-miscfiles_read_localization(uux_t)
-
 optional_policy(`
 	mta_send_mail(uux_t)
 	mta_read_queue(uux_t)
+')
+
+optional_policy(`
 	sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
 ')
+
+optional_policy(`
+	postfix_rw_inherited_master_pipes(uux_t)
+')
diff --git a/uuidd.if b/uuidd.if
index 6e48653331..6abf74a905 100644
--- a/uuidd.if
+++ b/uuidd.if
@@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',`
 #
 interface(`uuidd_stream_connect_manager',`
 	gen_require(`
-		type uuidd_t, uuidd_var_run_t;
+		type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
 	')
 
 	files_search_pids($1)
 	stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+	stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
 ')
 
 ########################################
@@ -180,6 +181,9 @@ interface(`uuidd_admin',`
 
 	allow $1 uuidd_t:process signal_perms;
 	ps_process_pattern($1, uuidd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 uuidd_t:process ptrace;
+	')
 
 	uuidd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/uuidd.te b/uuidd.te
index f8e52fc97b..b283c25f72 100644
--- a/uuidd.te
+++ b/uuidd.te
@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t)
 
 domain_use_interactive_fds(uuidd_t)
 
-files_read_etc_files(uuidd_t)
 
-miscfiles_read_localization(uuidd_t)
diff --git a/uwimap.te b/uwimap.te
index acdc78ae70..9e5ee472d9 100644
--- a/uwimap.te
+++ b/uwimap.te
@@ -20,7 +20,7 @@ files_pid_file(imapd_var_run_t)
 # Local policy
 #
 
-allow imapd_t self:capability { dac_override setgid setuid sys_resource };
+allow imapd_t self:capability { dac_read_search  dac_override setgid setuid sys_resource };
 dontaudit imapd_t self:capability sys_tty_config;
 allow imapd_t self:process signal_perms;
 allow imapd_t self:fifo_file rw_fifo_file_perms;
@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
 kernel_list_proc(imapd_t)
 kernel_read_proc_symlinks(imapd_t)
 
-corenet_all_recvfrom_unlabeled(imapd_t)
 corenet_all_recvfrom_netlabel(imapd_t)
 corenet_tcp_sendrecv_generic_if(imapd_t)
 corenet_tcp_sendrecv_generic_node(imapd_t)
@@ -56,8 +55,6 @@ dev_read_urand(imapd_t)
 
 domain_use_interactive_fds(imapd_t)
 
-files_read_etc_files(imapd_t)
-
 fs_getattr_all_fs(imapd_t)
 fs_search_auto_mountpoints(imapd_t)
 
@@ -65,8 +62,6 @@ auth_domtrans_chk_passwd(imapd_t)
 
 logging_send_syslog_msg(imapd_t)
 
-miscfiles_read_localization(imapd_t)
-
 sysnet_dns_name_resolve(imapd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(imapd_t)
diff --git a/varnishd.if b/varnishd.if
index 1c35171d83..2cba4dfeaa 100644
--- a/varnishd.if
+++ b/varnishd.if
@@ -153,12 +153,16 @@ interface(`varnishd_manage_log',`
 #
 interface(`varnishd_admin_varnishlog',`
 	gen_require(`
+		type varnishd_t;
 		type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
 		type varnishlog_var_run_t;
 	')
 
-	allow $1 varnishlog_t:process { ptrace signal_perms };
+	allow $1 varnishlog_t:process signal_perms;
 	ps_process_pattern($1, varnishlog_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 varnishd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -196,9 +200,13 @@ interface(`varnishd_admin',`
 		type varnishd_initrc_exec_t;
 	')
 
-	allow $1 varnishd_t:process { ptrace signal_perms };
+	allow $1 varnishd_t:process signal_perms;
 	ps_process_pattern($1, varnishd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 varnishd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 varnishd_initrc_exec_t system_r;
diff --git a/varnishd.te b/varnishd.te
index 9d4d8cbb09..3b30d5ac5e 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
 init_script_file(varnishd_initrc_exec_t)
 
 type varnishd_etc_t;
-files_type(varnishd_etc_t)
+files_config_file(varnishd_etc_t)
 
 type varnishd_tmp_t;
 files_tmp_file(varnishd_tmp_t)
@@ -43,16 +43,16 @@ type varnishlog_var_run_t;
 files_pid_file(varnishlog_var_run_t)
 
 type varnishlog_log_t;
-files_type(varnishlog_log_t)
+logging_log_file(varnishlog_log_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+allow varnishd_t self:capability { kill dac_read_search dac_override ipc_lock setuid setgid chown fowner fsetid };
 dontaudit varnishd_t self:capability sys_tty_config;
-allow varnishd_t self:process signal;
+allow varnishd_t self:process { execmem signal };
 allow varnishd_t self:fifo_file rw_fifo_file_perms;
 allow varnishd_t self:tcp_socket { accept listen };
 
@@ -103,15 +103,13 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
 
 dev_read_urand(varnishd_t)
 
-files_read_usr_files(varnishd_t)
-
 fs_getattr_all_fs(varnishd_t)
 
 auth_use_nsswitch(varnishd_t)
 
 logging_send_syslog_msg(varnishd_t)
 
-miscfiles_read_localization(varnishd_t)
+sysnet_read_config(varnishd_t)
 
 tunable_policy(`varnishd_connect_any',`
 	corenet_sendrecv_all_client_packets(varnishd_t)
@@ -136,5 +134,6 @@ setattr_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
 logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
 
 read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
+allow varnishlog_t varnishd_var_lib_t:file map;
 
 files_search_var_lib(varnishlog_t)
diff --git a/vbetool.te b/vbetool.te
index 2a61f75266..cea4ee2203 100644
--- a/vbetool.te
+++ b/vbetool.te
@@ -26,7 +26,8 @@ role vbetool_roles types vbetool_t;
 # Local policy
 #
 
-allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
+allow vbetool_t self:capability { dac_read_search dac_override sys_tty_config sys_admin };
+allow vbetool_t self:capability2 compromise_kernel;
 allow vbetool_t self:process execmem;
 
 dev_wx_raw_memory(vbetool_t)
@@ -43,7 +44,6 @@ mls_file_write_all_levels(vbetool_t)
 
 term_use_unallocated_ttys(vbetool_t)
 
-miscfiles_read_localization(vbetool_t)
 
 tunable_policy(`vbetool_mmap_zero_ignore',`
 	dontaudit vbetool_t self:memprotect mmap_zero;
diff --git a/vdagent.if b/vdagent.if
index 31c752ea64..ef522355bd 100644
--- a/vdagent.if
+++ b/vdagent.if
@@ -24,15 +24,15 @@ interface(`vdagent_domtrans',`
 ##	Get attributes of vdagent executable files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+##  <summary>
 ##	Domain allowed access.
-##	</summary>
+##  </summary>
 ## </param>
 #
 interface(`vdagent_getattr_exec_files',`
-	gen_require(`
-		type vdagent_exec_t;
-	')
+    gen_require(`
+        type vdagent_exec_t;
+    ')
 
 	allow $1 vdagent_exec_t:file getattr_file_perms;
 ')
@@ -42,18 +42,18 @@ interface(`vdagent_getattr_exec_files',`
 ##	Get attributes of vdagent log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`vdagent_getattr_log',`
-	gen_require(`
-		type vdagent_log_t;
-	')
+    gen_require(`
+        type vdagent_log_t;
+    ')
 
-	logging_search_logs($1)
-	allow $1 vdagent_log_t:file getattr_file_perms;
+    logging_search_logs($1)
+    allow $1 vdagent_log_t:file getattr_file_perms;
 ')
 
 ########################################
@@ -81,18 +81,18 @@ interface(`vdagent_read_pid_files',`
 ##	domain stream socket.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##      <summary>
+##      Domain allowed access.
+##      </summary>
 ## </param>
 #
 interface(`vdagent_stream_connect',`
-	gen_require(`
-		type vdagent_var_run_t, vdagent_t;
-	')
+        gen_require(`
+                type vdagent_var_run_t, vdagent_t;
+        ')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
+        files_search_pids($1)
+        stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
 ')
 
 ########################################
@@ -110,7 +110,6 @@ interface(`vdagent_stream_connect',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`vdagent_admin',`
 	gen_require(`
@@ -120,6 +119,9 @@ interface(`vdagent_admin',`
 
 	allow $1 vdagent_t:process signal_perms;
 	ps_process_pattern($1, vdagent_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 vdagent_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
index 87da8a24d6..70531c93ee 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
 
 dontaudit vdagent_t self:capability sys_admin;
 allow vdagent_t self:process signal;
+
 allow vdagent_t self:fifo_file rw_fifo_file_perms;
 allow vdagent_t self:unix_stream_socket { accept listen };
 
@@ -39,23 +40,27 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
 setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
 logging_log_filetrans(vdagent_t, vdagent_log_t, file)
 
+kernel_request_load_module(vdagent_t)
+
 dev_rw_input_dev(vdagent_t)
 dev_rw_mtrr(vdagent_t)
 dev_read_sysfs(vdagent_t)
 dev_dontaudit_write_mtrr(vdagent_t)
 
-files_read_etc_files(vdagent_t)
-
 term_use_virtio_console(vdagent_t)
 
 init_read_state(vdagent_t)
 
-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
+systemd_dbus_chat_logind(vdagent_t)
 
-miscfiles_read_localization(vdagent_t)
+logging_send_syslog_msg(vdagent_t)
 
 userdom_read_all_users_state(vdagent_t)
 
+xserver_read_xdm_state(vdagent_t)
+
 optional_policy(`
 	dbus_system_bus_client(vdagent_t)
 
diff --git a/vhostmd.if b/vhostmd.if
index 22edd58f83..c3a536427f 100644
--- a/vhostmd.if
+++ b/vhostmd.if
@@ -216,9 +216,13 @@ interface(`vhostmd_admin',`
 		type vhostmd_tmpfs_t;
 	')
 
-	allow $1 vhostmd_t:process { ptrace signal_perms };
+	allow $1 vhostmd_t:process signal_perms;
 	ps_process_pattern($1, vhostmd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 vhostmd_t:process ptrace;
+	')
+
 	vhostmd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 vhostmd_initrc_exec_t system_r;
diff --git a/vhostmd.te b/vhostmd.te
index 3d11c6a3d8..2eb57ded1c 100644
--- a/vhostmd.te
+++ b/vhostmd.te
@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t)
 # Local policy
 #
 
-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:capability { dac_read_search dac_override ipc_lock setuid setgid };
 allow vhostmd_t self:process { setsched getsched signal };
 allow vhostmd_t self:fifo_file rw_fifo_file_perms;
 
@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t)
 dev_read_sysfs(vhostmd_t)
 
 files_list_tmp(vhostmd_t)
-files_read_usr_files(vhostmd_t)
 
 auth_use_nsswitch(vhostmd_t)
 
 logging_send_syslog_msg(vhostmd_t)
 
-miscfiles_read_localization(vhostmd_t)
-
 optional_policy(`
 	hostname_exec(vhostmd_t)
 ')
@@ -77,6 +74,8 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(vhostmd_t)
+	virt_write_content(vhostmd_t)
+    virt_rw_svirt_image(vhostmd_t)
 ')
 
 optional_policy(`
diff --git a/virt.fc b/virt.fc
index a4f20bcfcb..5172dcec43 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,51 +1,113 @@
-HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/VirtualMachines(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_home_t,s0)
 
-/etc/libvirt	-d	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/virtlogd.conf --   gen_context(system_u:object_r:virtlogd_etc_t,s0)
 /etc/libvirt/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
-/etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd --	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/virtlogd --  gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
+/etc/xen		-d	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]*		--	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
-/etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/usr/libexec/libvirt_lxc --	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/libexec/qemu-bridge-helper		gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
 
-/etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
-/etc/xen/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
-/etc/xen/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
-/etc/xen/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
-
-/usr/libexec/libvirt_lxc	--	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
-/usr/libexec/qemu-bridge-helper	gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
-
-/usr/bin/virsh	--	gen_context(system_u:object_r:virsh_exec_t,s0)
-/usr/bin/virt-sandbox-service.*	--	gen_context(system_u:object_r:virsh_exec_t,s0)
-
-/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/sbin/fence_virtd	--	gen_context(system_u:object_r:virsh_exec_t,s0)
 /usr/sbin/libvirt-qmf	--	gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/sbin/virtlogd --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virt-who   --  gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/qemu-pr-helper   --  gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/xl		--	gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/xm		--	gen_context(system_u:object_r:virsh_exec_t,s0)
 
 /var/cache/libvirt(/.*)?	gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 
-/var/lib/libvirt(/.*)?	gen_context(system_u:object_r:virt_var_lib_t,s0)
-/var/lib/libvirt/boot(/.*)?	gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/libvirt/images(/.*)?	gen_context(system_u:object_r:virt_image_t,s0)
-/var/lib/libvirt/isos(/.*)?	gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
 
-/var/log/log(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/libvirt(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/vdsm(/.*)?	gen_context(system_u:object_r:virt_log_t,s0)
+/var/lock/xl		--	gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/log(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirtd\.pid	--	gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/virtlogd\.pid	--	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt/virtlogd-sock	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/qemu-pr-helper\.sock	-s 		gen_context(system_u:object_r:virt_var_run_t,s0)
 
-/var/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 
-/var/run/libguestfs(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirtd\.pid	--	gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
-/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
-/var/run/user/[^/]*/libguestfs(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
-/var/run/vdsm(/.*)?	gen_context(system_u:object_r:virt_var_run_t,s0)
+# support for AEOLUS project
+/usr/bin/imagefactory		--			gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/imgfac\.py		--			gen_context(system_u:object_r:virtd_exec_t,s0)
+/var/cache/oz(/.*)?					gen_context(system_u:object_r:virt_cache_t,s0)
+/var/lib/imagefactory/images(/.*)?	gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
+
+# add support vios-proxy-*
+/usr/bin/vios-proxy-host	--	gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/vios-proxy-guest	--  gen_context(system_u:object_r:virtd_exec_t,s0)
+
+#support for vdsm
+/usr/share/vdsm/vdsm    --       gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/share/vdsm/respawn    --       gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/share/vdsm/supervdsmServer    --       gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/share/vdsm/daemonAdapter       --  gen_context(system_u:object_r:virtd_exec_t,s0)
+
+# support for nova-stack
+/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+
+/etc/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?  gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+/var/run/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+
+/usr/libexec/qemu-ga(/.*)?	gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+
+/usr/lib/systemd/system/*virtlogd.*	gen_context(system_u:object_r:virtlogd_unit_file_t,s0)
+
+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+
+/usr/bin/qemu-ga                --      gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+
+/var/lib/kubelet(/.*)?              gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/docker/vfs(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
+
+/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+
+/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
index facdee8b32..b149565d04 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,104 @@
-## <summary>Libvirt virtualization API.</summary>
+## <summary>Libvirt virtualization API</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a virt domain.
+##	virtd_lxc_t stub interface.  No access allowed.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="domain" unused="true">
 ##	<summary>
-##	Domain prefix to be used.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`virt_domain_template',`
+interface(`virt_stub_lxc',`
 	gen_require(`
-		attribute_role virt_domain_roles;
-		attribute virt_image_type, virt_domain, virt_tmpfs_type;
-		attribute virt_ptynode, virt_tmp_type;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_t, virt_domain;
-	application_type($1_t)
-	qemu_entry_type($1_t)
-	domain_user_exemption_target($1_t)
-	mls_rangetrans_target($1_t)
-	mcs_constrained($1_t)
-	role virt_domain_roles types $1_t;
-
-	type $1_devpts_t, virt_ptynode;
-	term_pty($1_devpts_t)
-
-	type $1_tmp_t, virt_tmp_type;
-	files_tmp_file($1_tmp_t)
-
-	type $1_tmpfs_t, virt_tmpfs_type;
-	files_tmpfs_file($1_tmpfs_t)
-
-	optional_policy(`
-		pulseaudio_tmpfs_content($1_tmpfs_t)
+		type virtd_lxc_t;
 	')
+')
 
-	type $1_image_t, virt_image_type;
-	files_type($1_image_t)
-	dev_node($1_image_t)
-	dev_associate_sysfs($1_image_t)
-
-	########################################
-	#
-	# Policy
-	#
-
-	allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
-	term_create_pty($1_t, $1_devpts_t)
-
-	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
-	manage_files_pattern($1_t, $1_image_t, $1_image_t)
-	manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
-	read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
-	manage_sock_files_pattern($1_t, $1_image_t, $1_image_t)
-	rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
-	rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
-	fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
-
-	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
-
-	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
-
-	optional_policy(`
-		pulseaudio_run($1_t, virt_domain_roles)
+########################################
+## <summary>
+##	svirt_sandbox_domain attribute stub interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_stub_svirt_sandbox_domain',`
+	gen_require(`
+		attribute svirt_sandbox_domain;
 	')
+')
 
-	optional_policy(`
-		xserver_rw_shm($1_t)
+########################################
+## <summary>
+##	container_file_t stub interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_stub_svirt_sandbox_file',`
+	gen_require(`
+		type container_file_t;
 	')
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a virt lxc domain.
+##	Creates types and rules for a basic
+##	qemu process domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
-template(`virt_lxc_domain_template',`
+template(`virt_domain_template',`
 	gen_require(`
-		attribute_role svirt_lxc_domain_roles;
-		attribute svirt_lxc_domain;
+		attribute virt_image_type, virt_domain;
+		attribute virt_tmpfs_type;
+		attribute virt_ptynode;
+		type qemu_exec_t;
+		type virtlogd_t;
 	')
 
-	type $1_t, svirt_lxc_domain;
-	domain_type($1_t)
+	type $1_t, virt_domain;
+	application_domain($1_t, qemu_exec_t)
 	domain_user_exemption_target($1_t)
 	mls_rangetrans_target($1_t)
 	mcs_constrained($1_t)
-	role svirt_lxc_domain_roles types $1_t;
+	role system_r types $1_t;
+
+	type $1_devpts_t, virt_ptynode;
+	term_pty($1_devpts_t)
+
+	kernel_read_system_state($1_t)
+
+	auth_read_passwd($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+	term_create_pty($1_t, $1_devpts_t)
+
+	# Allow domain to write to pipes connected to virtlogd
+	allow $1_t virtlogd_t:fd use;
+	allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Make the specified type virt image type.
+##	Make the specified type usable as a virt image
 ## </summary>
 ## <param name="type">
 ##	<summary>
-##	Type to be used as a virtual image.
+##	Type to be used as a virtual image
 ##	</summary>
 ## </param>
 #
@@ -125,31 +109,32 @@ interface(`virt_image',`
 
 	typeattribute $1 virt_image_type;
 	files_type($1)
+
+	# virt images can be assigned to blk devices
 	dev_node($1)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute a domain transition to run virtd.
+##  Getattr on virt executable.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 #
-interface(`virt_domtrans',`
-	gen_require(`
-		type virtd_t, virtd_exec_t;
-	')
+interface(`virt_getattr_exec',`
+    gen_require(`
+        type virtd_exec_t;
+    ')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, virtd_exec_t, virtd_t)
+	allow $1 virtd_exec_t:file getattr;
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run virt qmf.
+##	Execute a domain transition to run virt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -157,95 +142,71 @@ interface(`virt_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_domtrans_qmf',`
+interface(`virt_domtrans',`
 	gen_require(`
-		type virt_qmf_t, virt_qmf_exec_t;
+		type virtd_t, virtd_exec_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
+	domtrans_pattern($1, virtd_exec_t, virtd_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run virt bridgehelper.
+##	Execute virtd in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`virt_domtrans_bridgehelper',`
+interface(`virt_exec',`
 	gen_require(`
-		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
+		type virtd_exec_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
+	can_exec($1, virtd_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute bridgehelper in the bridgehelper
-##	domain, and allow the specified role
-##	the bridgehelper domain.
+##	Transition to virt_qmf.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
-interface(`virt_run_bridgehelper',`
+interface(`virt_domtrans_qmf',`
 	gen_require(`
-		attribute_role virt_bridgehelper_roles;
+		type virt_qmf_t, virt_qmf_exec_t;
 	')
 
-	virt_domtrans_bridgehelper($1)
-	roleattribute $2 virt_bridgehelper_roles;
+	corecmd_search_bin($1)
+	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute virt domain in the their
-##	domain, and allow the specified
-##	role that virt domain.
+##  Transition to virt_bridgehelper.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+## <summary>
+##  Domain allowed to transition.
+## </summary>
 ## </param>
-#
-interface(`virt_run_virt_domain',`
+interface(`virt_domtrans_bridgehelper',`
 	gen_require(`
-		attribute virt_domain;
-		attribute_role virt_domain_roles;
+		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
 	')
 
-	allow $1 virt_domain:process { signal transition };
-	roleattribute $2 virt_domain_roles;
-
-	allow virt_domain $1:fd use;
-	allow virt_domain $1:fifo_file rw_fifo_file_perms;
-	allow virt_domain $1:process sigchld;
+	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Send generic signals to all virt domains.
+##	Connect to virt over a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -253,17 +214,18 @@ interface(`virt_run_virt_domain',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_signal_all_virt_domains',`
+interface(`virt_stream_connect',`
 	gen_require(`
-		attribute virt_domain;
+		type virtd_t, virt_var_run_t;
 	')
 
-	allow $1 virt_domain:process signal;
+	files_search_pids($1)
+	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Send kill signals to all virt domains.
+##	Connect to svirt process over a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -271,48 +233,36 @@ interface(`virt_signal_all_virt_domains',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_kill_all_virt_domains',`
+interface(`virt_stream_connect_svirt',`
 	gen_require(`
-		attribute virt_domain;
+		type svirt_t;
 	')
 
-	allow $1 virt_domain:process sigkill;
+    allow $1 svirt_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Execute svirt lxc domains in their
-##	domain, and allow the specified
-##	role that svirt lxc domain.
+##	Read and write to apmd unix
+##	stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`virt_run_svirt_lxc_domain',`
+interface(`virt_rw_stream_sockets_svirt',`
 	gen_require(`
-		attribute svirt_lxc_domain;
-		attribute_role svirt_lxc_domain_roles;
+		type svirt_t;
 	')
 
-	allow $1 svirt_lxc_domain:process { signal transition };
-	roleattribute $2 svirt_lxc_domain_roles;
-
-	allow svirt_lxc_domain $1:fd use;
-	allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
-	allow svirt_lxc_domain $1:process sigchld;
+	allow $1 svirt_t:unix_stream_socket { setopt getopt read write };
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Get attributes of virtd executable files.
+##	Allow domain to attach to virt TUN devices
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -320,18 +270,18 @@ interface(`virt_run_svirt_lxc_domain',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_getattr_virtd_exec_files',`
+interface(`virt_attach_tun_iface',`
 	gen_require(`
-		type virtd_exec_t;
+		type virtd_t;
 	')
 
-	allow $1 virtd_exec_t:file getattr_file_perms;
+	allow $1 virtd_t:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Connect to virt with a unix
-##	domain stream socket.
+##	Allow domain to attach to virt sandbox TUN devices
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -339,18 +289,18 @@ interface(`virt_getattr_virtd_exec_files',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_stream_connect',`
+interface(`virt_attach_sandbox_tun_iface',`
 	gen_require(`
-		type virtd_t, virt_var_run_t;
+		attribute svirt_sandbox_domain;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+	allow $1 svirt_sandbox_domain:tun_socket relabelfrom;
+	allow $1 self:tun_socket relabelto;
 ')
 
 ########################################
 ## <summary>
-##	Attach to virt tun devices.
+##	Read virt config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -358,18 +308,20 @@ interface(`virt_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_attach_tun_iface',`
+interface(`virt_read_config',`
 	gen_require(`
-		type virtd_t;
+		type virt_etc_t, virt_etc_rw_t;
 	')
 
-	allow $1 virtd_t:tun_socket relabelfrom;
-	allow $1 self:tun_socket relabelto;
+	files_search_etc($1)
+	read_files_pattern($1, virt_etc_t, virt_etc_t)
+	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+	read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 ')
 
 ########################################
 ## <summary>
-##	Read virt configuration content.
+##	manage virt config files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -377,22 +329,20 @@ interface(`virt_attach_tun_iface',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_read_config',`
+interface(`virt_manage_config',`
 	gen_require(`
 		type virt_etc_t, virt_etc_rw_t;
 	')
 
 	files_search_etc($1)
-	allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms;
-	read_files_pattern($1, virt_etc_t, virt_etc_t)
-	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-	read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+	manage_files_pattern($1, virt_etc_t, virt_etc_t)
+	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt configuration content.
+##	Allow domain to manage virt image files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -400,22 +350,17 @@ interface(`virt_read_config',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_config',`
+interface(`virt_getattr_content',`
 	gen_require(`
-		type virt_etc_t, virt_etc_rw_t;
+		type virt_content_t;
 	')
 
-	files_search_etc($1)
-	allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms;
-	manage_files_pattern($1, virt_etc_t, virt_etc_t)
-	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+    allow $1 virt_content_t:file getattr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt image files.
+##	Allow domain to manage virt image files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -434,6 +379,7 @@ interface(`virt_read_content',`
 	read_files_pattern($1, virt_content_t, virt_content_t)
 	read_lnk_files_pattern($1, virt_content_t, virt_content_t)
 	read_blk_files_pattern($1, virt_content_t, virt_content_t)
+    read_chr_files_pattern($1, virt_content_t, virt_content_t)
 
 	tunable_policy(`virt_use_nfs',`
 		fs_list_nfs($1)
@@ -450,8 +396,7 @@ interface(`virt_read_content',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt content.
+##	Allow domain to write virt image files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -459,35 +404,17 @@ interface(`virt_read_content',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_virt_content',`
+interface(`virt_write_content',`
 	gen_require(`
 		type virt_content_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 virt_content_t:dir manage_dir_perms;
-	allow $1 virt_content_t:file manage_file_perms;
-	allow $1 virt_content_t:fifo_file manage_fifo_file_perms;
-	allow $1 virt_content_t:lnk_file manage_lnk_file_perms;
-	allow $1 virt_content_t:sock_file manage_sock_file_perms;
-	allow $1 virt_content_t:blk_file manage_blk_file_perms;
-
-	tunable_policy(`virt_use_nfs',`
-		fs_manage_nfs_dirs($1)
-		fs_manage_nfs_files($1)
-		fs_manage_nfs_symlinks($1)
-	')
-
-	tunable_policy(`virt_use_samba',`
-		fs_manage_cifs_dirs($1)
-		fs_manage_cifs_files($1)
-		fs_manage_cifs_symlinks($1)
-	')
+	allow $1 virt_content_t:file write_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel virt content.
+##	Read virt PID symlinks files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -495,53 +422,38 @@ interface(`virt_manage_virt_content',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_relabel_virt_content',`
+interface(`virt_read_pid_symlinks',`
 	gen_require(`
-		type virt_content_t;
+		type virt_var_run_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 virt_content_t:dir relabel_dir_perms;
-	allow $1 virt_content_t:file relabel_file_perms;
-	allow $1 virt_content_t:fifo_file relabel_fifo_file_perms;
-	allow $1 virt_content_t:lnk_file relabel_lnk_file_perms;
-	allow $1 virt_content_t:sock_file relabel_sock_file_perms;
-	allow $1 virt_content_t:blk_file relabel_blk_file_perms;
+	files_search_pids($1)
+	read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in user home
-##	directories with the virt content type.
+##	Read virt PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`virt_home_filetrans_virt_content',`
+interface(`virt_read_pid_files',`
 	gen_require(`
-		type virt_content_t;
+		type virt_var_run_t;
 	')
 
-	virt_home_filetrans($1, virt_content_t, $2, $3)
+	files_search_pids($1)
+	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+    read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	svirt home content.
+##	Manage virt pid directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -549,34 +461,21 @@ interface(`virt_home_filetrans_virt_content',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_svirt_home_content',`
+interface(`virt_manage_pid_dirs',`
 	gen_require(`
-		type svirt_home_t;
-	')
-
-	userdom_search_user_home_dirs($1)
-	allow $1 svirt_home_t:dir manage_dir_perms;
-	allow $1 svirt_home_t:file manage_file_perms;
-	allow $1 svirt_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 svirt_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 svirt_home_t:sock_file manage_sock_file_perms;
-
-	tunable_policy(`virt_use_nfs',`
-		fs_manage_nfs_dirs($1)
-		fs_manage_nfs_files($1)
-		fs_manage_nfs_symlinks($1)
+		type virt_var_run_t;
+		type virt_lxc_var_run_t;
 	')
 
-	tunable_policy(`virt_use_samba',`
-		fs_manage_cifs_dirs($1)
-		fs_manage_cifs_files($1)
-		fs_manage_cifs_symlinks($1)
-	')
+	files_search_pids($1)
+	manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
+	manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
+	virt_filetrans_named_content($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel svirt home content.
+##	Manage virt pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -584,32 +483,36 @@ interface(`virt_manage_svirt_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_relabel_svirt_home_content',`
+interface(`virt_manage_pid_files',`
 	gen_require(`
-		type svirt_home_t;
+		type virt_var_run_t;
+		type virt_lxc_var_run_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 svirt_home_t:dir relabel_dir_perms;
-	allow $1 svirt_home_t:file relabel_file_perms;
-	allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms;
-	allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms;
-	allow $1 svirt_home_t:sock_file relabel_sock_file_perms;
+	files_search_pids($1)
+	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+	manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in user home
-##	directories with the svirt home type.
+##	Create objects in the pid directory
+##	with a private type with a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
+## <param name="file">
+##	<summary>
+##	Type to which the created node will be transitioned.
+##	</summary>
+## </param>
+## <param name="class">
 ##	<summary>
-##	Class of the object being created.
+##	Object class(es) (single or set including {}) for which this
+##	the transition will occur.
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
@@ -618,54 +521,36 @@ interface(`virt_relabel_svirt_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_home_filetrans_svirt_home',`
+interface(`virt_pid_filetrans',`
 	gen_require(`
-		type svirt_home_t;
+		type virt_var_run_t;
 	')
 
-	virt_home_filetrans($1, svirt_home_t, $2, $3)
+	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in generic
-##	virt home directories with private
-##	home type.
+##	Search virt lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private_type">
-##	<summary>
-##	Private file type.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`virt_home_filetrans',`
+interface(`virt_search_lib',`
 	gen_require(`
-		type virt_home_t;
+		type virt_var_lib_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	filetrans_pattern($1, virt_home_t, $2, $3, $4)
+	allow $1 virt_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt home files.
+##	Read virt lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -673,54 +558,572 @@ interface(`virt_home_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_home_files',`
+interface(`virt_read_lib_files',`
 	gen_require(`
-		type virt_home_t;
+		type virt_var_lib_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	manage_files_pattern($1, virt_home_t, virt_home_t)
+	files_search_var_lib($1)
+	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+	list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t)
+	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt home content.
+##	Dontaudit inherited read virt lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_generic_virt_home_content',`
+interface(`virt_dontaudit_read_lib_files',`
 	gen_require(`
-		type virt_home_t;
+		type virt_var_lib_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 virt_home_t:dir manage_dir_perms;
-	allow $1 virt_home_t:file manage_file_perms;
-	allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 virt_home_t:sock_file manage_sock_file_perms;
+	dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	virt lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read virt's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_read_log',`
+	gen_require(`
+		type virt_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	virt log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_append_log',`
+	gen_require(`
+		type virt_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage virt log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_manage_log',`
+	gen_require(`
+		type virt_log_t;
+	')
+
+	manage_dirs_pattern($1, virt_log_t, virt_log_t)
+	manage_files_pattern($1, virt_log_t, virt_log_t)
+	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to getattr virt image direcories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_getattr_images',`
+	gen_require(`
+		attribute virt_image_type;
+	')
+
+	virt_search_lib($1)
+	allow $1 virt_image_type:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to search virt image direcories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_search_images',`
+	gen_require(`
+		attribute virt_image_type;
+	')
+
+	virt_search_lib($1)
+	allow $1 virt_image_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to read virt image files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_read_images',`
+	gen_require(`
+		type virt_var_lib_t;
+		attribute virt_image_type;
+	')
+
+	virt_search_lib($1)
+	allow $1 virt_image_type:dir list_dir_perms;
+	list_dirs_pattern($1, virt_image_type, virt_image_type)
+	read_files_pattern($1, virt_image_type, virt_image_type)
+	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+	read_blk_files_pattern($1, virt_image_type, virt_image_type)
+	read_chr_files_pattern($1, virt_image_type, virt_image_type)
 
 	tunable_policy(`virt_use_nfs',`
-		fs_manage_nfs_dirs($1)
-		fs_manage_nfs_files($1)
-		fs_manage_nfs_symlinks($1)
+		fs_list_nfs($1)
+		fs_read_nfs_files($1)
+		fs_read_nfs_symlinks($1)
+	')
+
+	tunable_policy(`virt_use_samba',`
+		fs_list_cifs($1)
+		fs_read_cifs_files($1)
+		fs_read_cifs_symlinks($1)
+	')
+')
+
+########################################
+## <summary>
+##	Allow domain to read virt blk image files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_read_blk_images',`
+	gen_require(`
+		attribute virt_image_type;
+	')
+
+	read_blk_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+########################################
+## <summary>
+##	Allow domain to read/write virt image chr files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_rw_chr_files',`
+	gen_require(`
+		attribute virt_image_type;
+	')
+
+	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	svirt cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_manage_cache',`
+	gen_require(`
+		type virt_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+	manage_files_pattern($1, virt_cache_t, virt_cache_t)
+	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_manage_images',`
+	gen_require(`
+		type virt_var_lib_t;
+		attribute virt_image_type;
+	')
+
+	virt_search_lib($1)
+	allow $1 virt_image_type:dir list_dir_perms;
+	manage_dirs_pattern($1, virt_image_type, virt_image_type)
+	manage_files_pattern($1, virt_image_type, virt_image_type)
+	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+#######################################
+## <summary>
+##  Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`virt_manage_default_image_type',`
+    gen_require(`
+        type virt_var_lib_t;
+        type virt_image_t;
+    ')
+
+    virt_search_lib($1)
+    manage_dirs_pattern($1, virt_image_t, virt_image_t)
+    manage_files_pattern($1, virt_image_t, virt_image_t)
+    read_lnk_files_pattern($1, virt_image_t, virt_image_t)
+')
+
+########################################
+## <summary>
+##	Execute virt server in the virt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`virt_systemctl',`
+	gen_require(`
+		type virtd_unit_file_t;
+		type virtd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 virtd_unit_file_t:file read_file_perms;
+	allow $1 virtd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, virtd_t)
+')
+
+########################################
+## <summary>
+##	Ptrace the svirt domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`virt_ptrace',`
+	gen_require(`
+		attribute virt_domain;
+	')
+
+	allow $1 virt_domain:process ptrace;
+')
+
+#######################################
+## <summary>
+##	Execute Sandbox Files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_exec_sandbox_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	can_exec($1, container_file_t)
+')
+
+########################################
+## <summary>
+##	Allow any container_file_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_sandbox_entrypoint',`
+	gen_require(`
+		type container_file_t;
+	')
+	allow $1 container_file_t:file entrypoint;
+')
+
+#######################################
+## <summary>
+##	Read Sandbox Files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_read_sandbox_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	list_dirs_pattern($1, container_file_t, container_file_t)
+	read_files_pattern($1, container_file_t, container_file_t)
+	read_lnk_files_pattern($1, container_file_t, container_file_t)
+')
+
+#######################################
+## <summary>
+##	Manage Sandbox Files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_manage_sandbox_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	manage_dirs_pattern($1, container_file_t, container_file_t)
+	manage_files_pattern($1, container_file_t, container_file_t)
+	manage_fifo_files_pattern($1, container_file_t, container_file_t)
+	manage_chr_files_pattern($1, container_file_t, container_file_t)
+	manage_lnk_files_pattern($1, container_file_t, container_file_t)
+	allow $1 container_file_t:dir_file_class_set { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
+##	Getattr Sandbox File systems
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_getattr_sandbox_filesystem',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:filesystem getattr;
+')
+
+#######################################
+## <summary>
+##	Relabel Sandbox File systems
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_relabel_sandbox_filesystem',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:filesystem { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
+##	Mounton Sandbox Files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_mounton_sandbox_file',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:dir_file_class_set mounton;
+')
+
+#######################################
+## <summary>
+##	Connect to virt over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_stream_connect_sandbox',`
+	gen_require(`
+		attribute svirt_sandbox_domain;
+		type container_file_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, container_file_t, container_file_t, svirt_sandbox_domain)
+	ps_process_pattern(svirt_sandbox_domain, $1)
+')
+
+########################################
+## <summary>
+##	Execute qemu in the svirt domain, and
+##	allow the specified role the svirt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_transition_svirt',`
+	gen_require(`
+		attribute virt_domain;
+		type virt_bridgehelper_t;
+		type svirt_image_t;
+		type svirt_socket_t;
+	')
+
+	allow $1 virt_domain:process transition;
+	role $2 types virt_domain;
+	role $2 types virt_bridgehelper_t;
+	role $2 types svirt_socket_t;
+
+	allow $1 virt_domain:process { sigkill sigstop signull signal };
+	allow $1 svirt_image_t:file { relabelfrom relabelto };
+	allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
+	allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
+	allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
+
+	optional_policy(`
+		ptchown_run(virt_domain, $2)
+	')
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write virt daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`virt_dontaudit_write_pipes',`
+	gen_require(`
+		type virtd_t;
+	')
+
+	dontaudit $1 virtd_t:fd use;
+	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Send a sigkill to virtual machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_kill_svirt',`
+	gen_require(`
+		attribute virt_domain;
 	')
 
-	tunable_policy(`virt_use_samba',`
-		fs_manage_cifs_dirs($1)
-		fs_manage_cifs_files($1)
-		fs_manage_cifs_symlinks($1)
-	')
+	allow $1 virt_domain:process sigkill;
 ')
 
 ########################################
 ## <summary>
-##	Relabel virt home content.
+##	Send a sigkill to virtd daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -728,52 +1131,35 @@ interface(`virt_manage_generic_virt_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_relabel_generic_virt_home_content',`
+interface(`virt_kill',`
 	gen_require(`
-		type virt_home_t;
+		type virtd_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 virt_home_t:dir relabel_dir_perms;
-	allow $1 virt_home_t:file relabel_file_perms;
-	allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
-	allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
-	allow $1 virt_home_t:sock_file relabel_sock_file_perms;
+	allow $1 virtd_t:process sigkill;
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in user home
-##	directories with the generic virt
-##	home type.
+##	Send a signal to virtd daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`virt_home_filetrans_virt_home',`
+interface(`virt_signal',`
 	gen_require(`
-		type virt_home_t;
+		type virtd_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
+	allow $1 virtd_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Read virt pid files.
+##	Send null signal to virtd daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -781,19 +1167,17 @@ interface(`virt_home_filetrans_virt_home',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_read_pid_files',`
+interface(`virt_signull',`
 	gen_require(`
-		type virt_var_run_t;
+		type virtd_t;
 	')
 
-	files_search_pids($1)
-	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+	allow $1 virtd_t:process signull;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt pid files.
+##	Send a signal to virtual machines
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -801,18 +1185,17 @@ interface(`virt_read_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_pid_files',`
+interface(`virt_signal_svirt',`
 	gen_require(`
-		type virt_var_run_t;
+		attribute virt_domain;
 	')
 
-	files_search_pids($1)
-	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+	allow $1 virt_domain:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Search virt lib directories.
+##	Send a signal to sandbox domains
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -820,18 +1203,17 @@ interface(`virt_manage_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_search_lib',`
+interface(`virt_signal_sandbox',`
 	gen_require(`
-		type virt_var_lib_t;
+		attribute svirt_sandbox_domain;
 	')
 
-	files_search_var_lib($1)
-	allow $1 virt_var_lib_t:dir search_dir_perms;
+	allow $1 svirt_sandbox_domain:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Read virt lib files.
+##	Manage virt home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -839,192 +1221,223 @@ interface(`virt_search_lib',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_read_lib_files',`
+interface(`virt_manage_home_files',`
 	gen_require(`
-		type virt_var_lib_t;
+		type virt_home_t;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, virt_home_t, virt_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt lib files.
+##	allow domain to read
+##	virt tmpfs files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed access
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_lib_files',`
+interface(`virt_read_tmpfs_files',`
 	gen_require(`
-		type virt_var_lib_t;
+		attribute virt_tmpfs_type;
 	')
 
-	files_search_var_lib($1)
-	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+	allow $1 virt_tmpfs_type:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in virt pid
-##	directories with a private type.
+##	allow domain to manage
+##	virt tmpfs files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
+##	Domain allowed access
 ##	</summary>
 ## </param>
-## <param name="object">
+#
+interface(`virt_manage_tmpfs_files',`
+	gen_require(`
+		attribute virt_tmpfs_type;
+	')
+
+	allow $1 virt_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create .virt directory in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The object class of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+#
+interface(`virt_filetrans_home_content',`
+	gen_require(`
+		type virt_home_t;
+		type svirt_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
+	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
+
+	optional_policy(`
+		gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
+		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
+		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
+		gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
+		gnome_data_filetrans($1, svirt_home_t, dir, "images")
+		gnome_data_filetrans($1, svirt_home_t, dir, "boot")
+	')
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to Read virt_image_type devices.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <infoflow type="write" weight="10"/>
 #
-interface(`virt_pid_filetrans',`
+interface(`virt_dontaudit_read_chr_dev',`
 	gen_require(`
-		type virt_var_run_t;
+		attribute virt_image_type;
 	')
 
-	files_search_pids($1)
-	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read virt log files.
+##	Creates types and rules for a basic
+##	virt_lxc process domain.
 ## </summary>
-## <param name="domain">
+## <param name="prefix">
 ##	<summary>
-##	Domain allowed access.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`virt_read_log',`
+template(`virt_sandbox_domain_template',`
 	gen_require(`
-		type virt_log_t;
+		attribute svirt_sandbox_domain;
 	')
 
-	logging_search_logs($1)
-	read_files_pattern($1, virt_log_t, virt_log_t)
+	type $1_t, svirt_sandbox_domain;
+	domain_type($1_t)
+	domain_user_exemption_target($1_t)
+	mls_rangetrans_target($1_t)
+	mcs_constrained($1_t)
+	role system_r types $1_t;
+
+	logging_send_syslog_msg($1_t)
+
+	kernel_read_system_state($1_t)
 ')
 
 ########################################
 ## <summary>
-##	Append virt log files.
+##	Make the specified type usable as a lxc domain
 ## </summary>
-## <param name="domain">
+## <param name="type">
 ##	<summary>
-##	Domain allowed access.
+##	Type to be used as a lxc domain
 ##	</summary>
 ## </param>
 #
-interface(`virt_append_log',`
+template(`virt_sandbox_domain',`
 	gen_require(`
-		type virt_log_t;
+		attribute svirt_sandbox_domain;
 	')
 
-	logging_search_logs($1)
-	append_files_pattern($1, virt_log_t, virt_log_t)
+	typeattribute  $1 svirt_sandbox_domain;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt log files.
+##	Execute a qemu_exec_t in the callers domain
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
-interface(`virt_manage_log',`
+interface(`virt_exec_qemu',`
 	gen_require(`
-		type virt_log_t;
+		type qemu_exec_t;
 	')
 
-	logging_search_logs($1)
-	manage_dirs_pattern($1, virt_log_t, virt_log_t)
-	manage_files_pattern($1, virt_log_t, virt_log_t)
-	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+	can_exec($1, qemu_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Search virt image directories.
+##	Transition to virt named content
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`virt_search_images',`
+interface(`virt_filetrans_named_content',`
 	gen_require(`
-		attribute virt_image_type;
+		type virt_lxc_var_run_t;
+		type virt_var_run_t;
 	')
 
-	virt_search_lib($1)
-	allow $1 virt_image_type:dir search_dir_perms;
+	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
+	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
 ')
 
 ########################################
 ## <summary>
-##	Read virt image files.
+##	Execute qemu in the svirt domain, and
+##	allow the specified role the svirt domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`virt_read_images',`
+interface(`virt_transition_svirt_sandbox',`
 	gen_require(`
-		type virt_var_lib_t;
-		attribute virt_image_type;
+		attribute svirt_sandbox_domain;
 	')
 
-	virt_search_lib($1)
-	allow $1 virt_image_type:dir list_dir_perms;
-	list_dirs_pattern($1, virt_image_type, virt_image_type)
-	read_files_pattern($1, virt_image_type, virt_image_type)
-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
-	read_blk_files_pattern($1, virt_image_type, virt_image_type)
+	allow $1 svirt_sandbox_domain:process { transition signal_perms };
+	role $2 types svirt_sandbox_domain;
+	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
 
-	tunable_policy(`virt_use_nfs',`
-		fs_list_nfs($1)
-		fs_read_nfs_files($1)
-		fs_read_nfs_symlinks($1)
-	')
+	allow svirt_sandbox_domain $1:fd use;
 
-	tunable_policy(`virt_use_samba',`
-		fs_list_cifs($1)
-		fs_read_cifs_files($1)
-		fs_read_cifs_symlinks($1)
-	')
+	allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
+	allow svirt_sandbox_domain $1:process sigchld;
+	ps_process_pattern($1, svirt_sandbox_domain)
 ')
 
 ########################################
 ## <summary>
-##	Read and write all virt image
-##	character files.
+##	Read the process state of virt sandbox containers
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1032,20 +1445,17 @@ interface(`virt_read_images',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_rw_all_image_chr_files',`
+interface(`virt_sandbox_read_state',`
 	gen_require(`
-		attribute virt_image_type;
+		attribute svirt_sandbox_domain;
 	')
 
-	virt_search_lib($1)
-	allow $1 virt_image_type:dir list_dir_perms;
-	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+	ps_process_pattern($1, svirt_sandbox_domain)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	svirt cache files.
+##	Read and write to svirt_image devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_svirt_cache',`
-	refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
-	virt_manage_virt_cache($1)
+interface(`virt_rw_svirt_dev',`
+	gen_require(`
+		type svirt_image_t;
+	')
+
+	allow $1 svirt_image_t:chr_file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt cache content.
+##	Read and write to svirt_images.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_virt_cache',`
+interface(`virt_rw_svirt_image',`
 	gen_require(`
-		type virt_cache_t;
+		type svirt_image_t;
 	')
 
-	files_search_var($1)
-	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
-	manage_files_pattern($1, virt_cache_t, virt_cache_t)
-	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+	allow $1 svirt_image_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	virt image files.
+##	Read and write to svirt_image devices.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1091,36 +1499,36 @@ interface(`virt_manage_virt_cache',`
 ##	</summary>
 ## </param>
 #
-interface(`virt_manage_images',`
+interface(`virt_rlimitinh',`
 	gen_require(`
-		type virt_var_lib_t;
-		attribute virt_image_type;
+		type virtd_t;
 	')
 
-	virt_search_lib($1)
-	allow $1 virt_image_type:dir list_dir_perms;
-	manage_dirs_pattern($1, virt_image_type, virt_image_type)
-	manage_files_pattern($1, virt_image_type, virt_image_type)
-	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
-	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+    allow $1 virtd_t:process { rlimitinh };
+')
 
-	tunable_policy(`virt_use_nfs',`
-		fs_manage_nfs_dirs($1)
-		fs_manage_nfs_files($1)
-		fs_read_nfs_symlinks($1)
+########################################
+## <summary>
+##	Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_noatsecure',`
+	gen_require(`
+		type virtd_t;
 	')
 
-	tunable_policy(`virt_use_samba',`
-		fs_manage_cifs_files($1)
-		fs_manage_cifs_files($1)
-		fs_read_cifs_symlinks($1)
-	')
+    allow $1 virtd_t:process { noatsecure rlimitinh };
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an virt environment.
+##	All of the rules required to administrate
+##	an virt environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1136,50 +1544,137 @@ interface(`virt_manage_images',`
 #
 interface(`virt_admin',`
 	gen_require(`
-		attribute virt_domain, virt_image_type, virt_tmpfs_type;
-		attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
-		type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
-		type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
-		type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
-		type virt_var_run_t, virt_tmp_t, virt_log_t;
-		type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
-		type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+		attribute virt_domain;
+		attribute virt_system_domain;
+		attribute svirt_file_type;
+		attribute virt_file_type;
+		type virtd_initrc_exec_t;
 	')
 
-	allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
-	allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
-	ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
+	allow $1 virt_system_domain:process signal_perms;
+	allow $1 virt_domain:process signal_perms;
+	ps_process_pattern($1, virt_system_domain)
+	ps_process_pattern($1, virt_domain)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 virt_system_domain:process ptrace;
+		allow $1 virt_domain:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 virtd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	fs_search_tmpfs($1)
-	admin_pattern($1, virt_tmpfs_type)
+	allow $1 virt_domain:process signal_perms;
 
-	files_search_tmp($1)
-	admin_pattern($1, { virt_tmp_type virt_tmp_t })
+	admin_pattern($1, virt_file_type)
+	admin_pattern($1, svirt_file_type)
 
-	files_search_etc($1)
-	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+	virt_systemctl($1)
+	allow $1 virtd_unit_file_t:service all_service_perms;
 
-	logging_search_logs($1)
-	admin_pattern($1, virt_log_t)
+	virt_stream_connect_sandbox($1)
+	virt_stream_connect_svirt($1)
+	virt_stream_connect($1)
+')
+#######################################
+## <summary>
+##  Getattr on virt executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`virt_default_capabilities',`
+	gen_require(`
+		attribute sandbox_caps_domain;
+	')
 
-	files_search_pids($1)
-	admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+	typeattribute $1 sandbox_caps_domain;
+')
 
-	files_search_var($1)
-	admin_pattern($1, svirt_cache_t)
 
-	files_search_var_lib($1)
-	admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
+########################################
+## <summary>
+##      Send and receive messages from
+##      virt over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`virt_dbus_chat',`
+        gen_require(`
+                type virtd_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 virtd_t:dbus send_msg;
+        allow virtd_t $1:dbus send_msg;
+        ps_process_pattern(virtd_t, $1)
+')
+
+
+########################################
+## <summary>
+##	Dontaudit read the process state (/proc/pid) of libvirt
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_dontaudit_read_state',`
+	gen_require(`
+		type virtd_t;
+	')
+
+	dontaudit $1 virtd_t:dir search_dir_perms;
+	dontaudit $1 virtd_t:file read_file_perms;
+	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+##	Send to libvirt with a unix dgram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_dgram_send',`
+	gen_require(`
+		type virtd_t, virt_var_run_t;
+	')
 
-	files_search_locks($1)
-	admin_pattern($1, virt_lock_t)
+	files_search_pids($1)
+	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+')
 
-	dev_list_all_dev_nodes($1)
-	allow $1 virt_ptynode:chr_file rw_term_perms;
+########################################
+## <summary>
+##  Manage svirt tmp files,dirs and sockfiles.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`virt_svirt_manage_tmp',`
+        gen_require(`
+                type svirt_tmp_t;
+        ')
+
+	manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
+	manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t)
+	manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
 ')
+
diff --git a/virt.te b/virt.te
index f03dcf5673..2f3c112159 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,401 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
 
 ########################################
 #
 # Declarations
 #
 
+gen_require(`
+    class passwd rootok;
+    class passwd passwd;
+')
+
+attribute virsh_transition_domain;
+attribute virt_ptynode;
+attribute virt_system_domain;
+attribute virt_domain;
+attribute virt_image_type;
+attribute virt_tmpfs_type;
+attribute svirt_file_type;
+attribute virt_file_type;
+attribute sandbox_net_domain;
+attribute sandbox_caps_domain;
+
+type svirt_tmp_t, svirt_file_type;
+files_tmp_file(svirt_tmp_t)
+
+type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type;
+files_tmpfs_file(svirt_tmpfs_t)
+
+type svirt_image_t, virt_image_type, svirt_file_type;
+files_type(svirt_image_t)
+dev_node(svirt_image_t)
+dev_associate_sysfs(svirt_image_t)
+
 ## <desc>
-##	<p>
-##	Determine whether confined virtual guests
-##	can use serial/parallel communication ports.
-##	</p>
+## <p>
+## Allow confined virtual guests to use serial/parallel communication ports
+## </p>
 ## </desc>
 gen_tunable(virt_use_comm, false)
 
 ## <desc>
-##	<p>
-##	Determine whether confined virtual guests
-##	can use executable memory and can make
-##	their stack executable.
-##	</p>
+## <p>
+## Allow virtual processes to run as userdomains
+## </p>
+## </desc>
+gen_tunable(virt_transition_userdomain, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use executable memory and executable stack
+## </p>
 ## </desc>
 gen_tunable(virt_use_execmem, false)
 
 ## <desc>
-##	<p>
-##	Determine whether confined virtual guests
-##	can use fuse file systems.
-##	</p>
+## <p>
+## Allow confined virtual guests to read fuse files
+## </p>
 ## </desc>
 gen_tunable(virt_use_fusefs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether confined virtual guests
-##	can use nfs file systems.
-##	</p>
+## <p>
+## Allow confined virtual guests to use glusterd
+## </p>
+## </desc>
+gen_tunable(virt_use_glusterd, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to manage nfs files
+## </p>
 ## </desc>
 gen_tunable(virt_use_nfs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether confined virtual guests
-##	can use cifs file systems.
-##	</p>
+## <p>
+## Allow confined virtual guests to manage cifs files
+## </p>
 ## </desc>
 gen_tunable(virt_use_samba, false)
 
 ## <desc>
-##	<p>
-##	Determine whether confined virtual guests
-##	can manage device configuration.
-##	</p>
+##  <p>
+##  Allow confined virtual guests to interact with the sanlock
+##  </p>
 ## </desc>
-gen_tunable(virt_use_sysfs, false)
+gen_tunable(virt_use_sanlock, false)
 
 ## <desc>
-##	<p>
-##	Determine whether confined virtual guests
-##	can use usb devices.
-##	</p>
+##  <p>
+##  Allow confined virtual guests to interact with rawip sockets
+##  </p>
 ## </desc>
-gen_tunable(virt_use_usb, false)
+gen_tunable(virt_use_rawip, false)
 
 ## <desc>
-##	<p>
-##	Determine whether confined virtual guests
-##	can interact with xserver.
-##	</p>
+## <p>
+## Allow confined virtual guests to interact with the xserver
+## </p>
 ## </desc>
 gen_tunable(virt_use_xserver, false)
 
-attribute virt_ptynode;
-attribute virt_domain;
-attribute virt_image_type;
-attribute virt_tmp_type;
-attribute virt_tmpfs_type;
+## <desc>
+## <p>
+## Allow confined virtual guests to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
+## Allow sandbox containers to send audit messages
+
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_audit, true)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use netlink system calls
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_netlink, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use sys_admin system calls, for example mount
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_sys_admin, false)
 
-attribute svirt_lxc_domain;
+## <desc>
+## <p>
+## Allow sandbox containers to use mknod system calls
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_mknod, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use all capabilities
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_all_caps, true)
 
-attribute_role virt_domain_roles;
-roleattribute system_r virt_domain_roles;
+## <desc>
+## <p>
+## Allow qemu-ga to read qemu-ga date.
+## </p>
+## </desc>
+gen_tunable(virt_read_qemu_ga_data, false)
 
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
+## <desc>
+## <p>
+## Allow qemu-ga to manage qemu-ga date.
+## </p>
+## </desc>
+gen_tunable(virt_rw_qemu_ga_data, false)
 
-attribute_role svirt_lxc_domain_roles;
-roleattribute system_r svirt_lxc_domain_roles;
+## <desc>
+## <p>
+## Allow sandbox containers manage fuse files
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_fusefs, false)
 
 virt_domain_template(svirt)
-virt_domain_template(svirt_prot_exec)
+role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
 
-type virt_cache_t alias svirt_cache_t;
+type qemu_exec_t, virt_file_type;
+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
 files_type(virt_cache_t)
 
-type virt_etc_t;
+type virt_etc_t, virt_file_type;
 files_config_file(virt_etc_t)
 
-type virt_etc_rw_t;
+type virt_etc_rw_t, virt_file_type;
 files_type(virt_etc_rw_t)
 
-type virt_home_t;
+type virt_home_t, virt_file_type;
 userdom_user_home_content(virt_home_t)
 
-type svirt_home_t;
+type svirt_home_t, svirt_file_type;
 userdom_user_home_content(svirt_home_t)
 
-type svirt_var_run_t;
-files_pid_file(svirt_var_run_t)
-mls_trusted_object(svirt_var_run_t)
-
-type virt_image_t; # customizable
+# virt Image files
+type virt_image_t, virt_file_type; # customizable
 virt_image(virt_image_t)
 files_mountpoint(virt_image_t)
 
-type virt_content_t; # customizable
+# virt Image files
+type virt_content_t, virt_file_type; # customizable
 virt_image(virt_content_t)
 userdom_user_home_content(virt_content_t)
 
-type virt_lock_t;
-files_lock_file(virt_lock_t)
+type virt_tmp_t, virt_file_type;
+files_tmp_file(virt_tmp_t)
 
-type virt_log_t;
+type virt_log_t, virt_file_type;
 logging_log_file(virt_log_t)
 mls_trusted_object(virt_log_t)
 
-type virt_tmp_t;
-files_tmp_file(virt_tmp_t)
+type virt_lock_t, virt_file_type;
+files_lock_file(virt_lock_t)
 
-type virt_var_run_t;
+type virt_var_run_t, virt_file_type;
 files_pid_file(virt_var_run_t)
 
-type virt_var_lib_t;
+type virt_var_lib_t, virt_file_type;
 files_mountpoint(virt_var_lib_t)
 
-type virtd_t;
-type virtd_exec_t;
+type virtd_t, virt_system_domain;
+type virtd_exec_t, virt_file_type;
 init_daemon_domain(virtd_t, virtd_exec_t)
 domain_obj_id_change_exemption(virtd_t)
 domain_subj_id_change_exemption(virtd_t)
 
-type virtd_initrc_exec_t;
+type virtd_unit_file_t, virt_file_type;
+systemd_unit_file(virtd_unit_file_t)
+
+type virtd_initrc_exec_t, virt_file_type;
 init_script_file(virtd_initrc_exec_t)
 
 type virtd_keytab_t;
 files_type(virtd_keytab_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+type virtlogd_var_run_t;
+type virtlogd_etc_t;
+
+type virtlogd_unit_file_t;
+systemd_unit_file(virtlogd_unit_file_t)
+
+type virtlogd_initrc_exec_t;
+init_script_file(virtlogd_initrc_exec_t)
+
+
+type qemu_var_run_t, virt_file_type;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
+mls_trusted_object(qemu_var_run_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+	init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+	init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
 ')
 
-type virt_qmf_t;
-type virt_qmf_exec_t;
+type virt_qmf_t, virt_system_domain;
+type virt_qmf_exec_t, virt_file_type;
 init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
 
-type virt_bridgehelper_t;
-type virt_bridgehelper_exec_t;
+type virt_bridgehelper_t, virt_system_domain;
 domain_type(virt_bridgehelper_t)
+
+type virt_bridgehelper_exec_t, virt_file_type;
 domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-role virt_bridgehelper_roles types virt_bridgehelper_t;
+role system_r types virt_bridgehelper_t;
 
-type virtd_lxc_t;
-type virtd_lxc_exec_t;
-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+# policy for qemu_ga
+type virt_qemu_ga_t, virt_system_domain;
+type virt_qemu_ga_exec_t, virt_file_type;
+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
 
-type virtd_lxc_var_run_t;
-files_pid_file(virtd_lxc_var_run_t)
+type virt_qemu_ga_var_run_t, virt_file_type;
+files_pid_file(virt_qemu_ga_var_run_t)
 
-type svirt_lxc_file_t;
-files_mountpoint(svirt_lxc_file_t)
-fs_noxattr_type(svirt_lxc_file_t)
-term_pty(svirt_lxc_file_t)
+type virt_qemu_ga_log_t, virt_file_type;
+logging_log_file(virt_qemu_ga_log_t)
 
-virt_lxc_domain_template(svirt_lxc_net)
+type virt_qemu_ga_tmp_t, virt_file_type;
+files_tmp_file(virt_qemu_ga_tmp_t)
 
-type virsh_t;
-type virsh_exec_t;
-init_system_domain(virsh_t, virsh_exec_t)
+type virt_qemu_ga_data_t, virt_file_type;
+files_type(virt_qemu_ga_data_t)
+
+type virt_qemu_ga_unconfined_exec_t, virt_file_type;
+application_executable_file(virt_qemu_ga_unconfined_exec_t)
 
 ########################################
 #
-# Common virt domain local policy
+# Declarations
 #
+attribute svirt_sandbox_domain;
 
-allow virt_domain self:process { signal getsched signull };
-allow virt_domain self:fifo_file rw_fifo_file_perms;
-allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow virt_domain self:netlink_route_socket r_netlink_socket_perms;
-allow virt_domain self:shm create_shm_perms;
-allow virt_domain self:tcp_socket create_stream_socket_perms;
-allow virt_domain self:unix_stream_socket { accept listen };
-allow virt_domain self:unix_dgram_socket sendto;
-
-allow virt_domain virtd_t:fd use;
-allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
-allow virt_domain virtd_t:process sigchld;
-
-dontaudit virt_domain virtd_t:unix_stream_socket { read write };
-
-manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
-manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
-files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-
-manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
-
-stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
-
-dontaudit virt_domain virt_tmpfs_type:file { read write };
-
-append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
-kernel_read_system_state(virt_domain)
-
-fs_getattr_xattr_fs(virt_domain)
-
-corecmd_exec_bin(virt_domain)
-corecmd_exec_shell(virt_domain)
-
-corenet_all_recvfrom_unlabeled(virt_domain)
-corenet_all_recvfrom_netlabel(virt_domain)
-corenet_tcp_sendrecv_generic_if(virt_domain)
-corenet_tcp_sendrecv_generic_node(virt_domain)
-corenet_tcp_bind_generic_node(virt_domain)
-
-corenet_sendrecv_vnc_server_packets(virt_domain)
-corenet_tcp_bind_vnc_port(virt_domain)
-corenet_tcp_sendrecv_vnc_port(virt_domain)
-
-corenet_sendrecv_virt_migration_server_packets(virt_domain)
-corenet_tcp_bind_virt_migration_port(virt_domain)
-corenet_sendrecv_virt_migration_client_packets(virt_domain)
-corenet_tcp_connect_virt_migration_port(virt_domain)
-corenet_tcp_sendrecv_virt_migration_port(virt_domain)
-
-corenet_rw_tun_tap_dev(virt_domain)
-
-dev_getattr_fs(virt_domain)
-dev_list_sysfs(virt_domain)
-dev_read_generic_symlinks(virt_domain)
-dev_read_rand(virt_domain)
-dev_read_sound(virt_domain)
-dev_read_urand(virt_domain)
-dev_write_sound(virt_domain)
-dev_rw_ksm(virt_domain)
-dev_rw_kvm(virt_domain)
-dev_rw_qemu(virt_domain)
-dev_rw_vhost(virt_domain)
-
-domain_use_interactive_fds(virt_domain)
-
-files_read_etc_files(virt_domain)
-files_read_mnt_symlinks(virt_domain)
-files_read_usr_files(virt_domain)
-files_read_var_files(virt_domain)
-files_search_all(virt_domain)
-
-fs_getattr_all_fs(virt_domain)
-fs_rw_anon_inodefs_files(virt_domain)
-fs_rw_tmpfs_files(virt_domain)
-fs_getattr_hugetlbfs(virt_domain)
-
-# fs_rw_inherited_nfs_files(virt_domain)
-# fs_rw_inherited_cifs_files(virt_domain)
-# fs_rw_inherited_noxattr_fs_files(virt_domain)
-
-storage_raw_write_removable_device(virt_domain)
-storage_raw_read_removable_device(virt_domain)
-
-term_use_all_terms(virt_domain)
-term_getattr_pty_fs(virt_domain)
-term_use_generic_ptys(virt_domain)
-term_use_ptmx(virt_domain)
-
-logging_send_syslog_msg(virt_domain)
-
-miscfiles_read_localization(virt_domain)
-miscfiles_read_public_files(virt_domain)
-
-sysnet_read_config(virt_domain)
-
-userdom_search_user_home_dirs(virt_domain)
-userdom_read_all_users_state(virt_domain)
-
-virt_run_bridgehelper(virt_domain, virt_domain_roles)
-virt_read_config(virt_domain)
-virt_read_lib_files(virt_domain)
-virt_read_content(virt_domain)
-virt_stream_connect(virt_domain)
-
-qemu_exec(virt_domain)
-
-tunable_policy(`virt_use_execmem',`
-	allow virt_domain self:process { execmem execstack };
-')
-
-tunable_policy(`virt_use_comm',`
-	term_use_unallocated_ttys(virt_domain)
-	dev_rw_printer(virt_domain)
-')
-
-tunable_policy(`virt_use_fusefs',`
-	fs_manage_fusefs_dirs(virt_domain)
-	fs_manage_fusefs_files(virt_domain)
-	fs_read_fusefs_symlinks(virt_domain)
-')
-
-tunable_policy(`virt_use_nfs',`
-	fs_manage_nfs_dirs(virt_domain)
-	fs_manage_nfs_files(virt_domain)
-	fs_manage_nfs_named_sockets(virt_domain)
-	fs_read_nfs_symlinks(virt_domain)
-')
-
-tunable_policy(`virt_use_samba',`
-	fs_manage_cifs_dirs(virt_domain)
-	fs_manage_cifs_files(virt_domain)
-	fs_manage_cifs_named_sockets(virt_domain)
-	fs_read_cifs_symlinks(virt_domain)
-')
-
-tunable_policy(`virt_use_sysfs',`
-	dev_rw_sysfs(virt_domain)
-')
-
-tunable_policy(`virt_use_usb',`
-	dev_rw_usbfs(virt_domain)
-	dev_read_sysfs(virt_domain)
-	fs_getattr_dos_fs(virt_domain)
-	fs_manage_dos_dirs(virt_domain)
-	fs_manage_dos_files(virt_domain)
-')
-
-optional_policy(`
-	tunable_policy(`virt_use_xserver',`
-		xserver_read_xdm_pid(virt_domain)
-		xserver_stream_connect(virt_domain)
-	')
-')
-
-optional_policy(`
-	dbus_read_lib_files(virt_domain)
-')
-
-optional_policy(`
-	nscd_use(virt_domain)
-')
+type virtd_lxc_t, virt_system_domain;
+type virtd_lxc_exec_t, virt_file_type;
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
 
-optional_policy(`
-	samba_domtrans_smbd(virt_domain)
-')
+type virt_lxc_var_run_t, virt_file_type;
+files_pid_file(virt_lxc_var_run_t)
+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
 
-optional_policy(`
-	xen_rw_image_files(virt_domain)
-')
+# virt lxc container files
+type container_file_t, svirt_file_type;
+typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t };
+files_mountpoint(container_file_t)
 
 ########################################
 #
 # svirt local policy
 #
 
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
-
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
 
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
 corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
 corenet_udp_bind_all_ports(svirt_t)
 corenet_tcp_bind_all_ports(svirt_t)
-
-corenet_sendrecv_all_client_packets(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)
 
+init_dontaudit_read_state(svirt_t)
+
+virt_dontaudit_read_state(svirt_t)
+
+storage_rw_inherited_fixed_disk_dev(svirt_t)
+
+#######################################
+#
+# svirt_prot_exec local policy
+#
+
+allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
+corenet_udp_bind_generic_node(svirt_tcg_t)
+corenet_udp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_connect_all_ports(svirt_tcg_t)
+
 ########################################
 #
 # virtd local policy
 #
 
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability { chown dac_read_search dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:capability2 compromise_kernel;
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+	# caused by some bogus kernel code
+	dontaudit virtd_t self:capability { sys_module };
+')
+
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
-allow virtd_t self:tcp_socket { accept listen };
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };
+allow virtd_t self:tcp_socket create_stream_socket_perms;
 allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow virtd_t self:rawip_socket create_socket_perms;
 allow virtd_t self:packet_socket create_socket_perms;
 allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow virtd_t self:netlink_route_socket nlmsg_write;
-
-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
-dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-
-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
-allow virtd_t svirt_lxc_domain:process signal_perms;
-
-allow virtd_t virtd_lxc_t:process { signal signull sigkill };
-
-domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
+allow virtd_t self:netlink_socket create_socket_perms;
 
 manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
 manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
 
 manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
-filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
 
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
-allow virtd_t svirt_var_run_t:file relabel_file_perms;
-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain virtd_t:tun_socket attach_queue;
+
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
+
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+relabelfrom_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
+filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
 
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -455,71 +405,62 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 
-manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
-manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
-manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
-manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
-
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt")
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst")
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines")
-
+relabelto_dirs_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-
+allow virtd_t virt_image_type:dir { setattr rmdir };
 allow virtd_t virt_image_type:file relabel_file_perms;
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-
+allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
 manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
 
-# This needs a file context specification
 manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
 manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
 manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
 files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
 
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
-append_files_pattern(virtd_t, virt_log_t, virt_log_t)
-create_files_pattern(virtd_t, virt_log_t, virt_log_t)
-read_files_pattern(virtd_t, virt_log_t, virt_log_t)
-setattr_files_pattern(virtd_t, virt_log_t, virt_log_t)
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
 logging_log_filetrans(virtd_t, virt_log_t, { file dir })
 
 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+allow virtd_t virt_var_lib_t:file { relabelfrom relabelto };
 
 manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
-files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+files_pid_filetrans(virtd_t, virt_var_run_t, { file dir sock_file })
 
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
 
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
 
-can_exec(virtd_t, virt_tmp_t)
 
-kernel_read_crypto_sysctls(virtd_t)
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
 kernel_read_kernel_sysctls(virtd_t)
 kernel_request_load_module(virtd_t)
 kernel_search_debugfs(virtd_t)
-kernel_setsched(virtd_t)
+kernel_dontaudit_setsched(virtd_t)
+kernel_write_proc_files(virtd_t)
 
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
@@ -527,24 +468,16 @@ corecmd_exec_shell(virtd_t)
 corenet_all_recvfrom_netlabel(virtd_t)
 corenet_tcp_sendrecv_generic_if(virtd_t)
 corenet_tcp_sendrecv_generic_node(virtd_t)
+corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_generic_node(virtd_t)
-
-corenet_sendrecv_virt_server_packets(virtd_t)
 corenet_tcp_bind_virt_port(virtd_t)
-corenet_tcp_sendrecv_virt_port(virtd_t)
-
-corenet_sendrecv_vnc_server_packets(virtd_t)
 corenet_tcp_bind_vnc_port(virtd_t)
-corenet_sendrecv_vnc_client_packets(virtd_t)
 corenet_tcp_connect_vnc_port(virtd_t)
-corenet_tcp_sendrecv_vnc_port(virtd_t)
-
-corenet_sendrecv_soundd_client_packets(virtd_t)
 corenet_tcp_connect_soundd_port(virtd_t)
-corenet_tcp_sendrecv_soundd_port(virtd_t)
-
 corenet_rw_tun_tap_dev(virtd_t)
+corenet_relabel_tun_tap_dev(virtd_t)
 
+dev_rw_vfio_dev(virtd_t)
 dev_rw_sysfs(virtd_t)
 dev_read_urand(virtd_t)
 dev_read_rand(virtd_t)
@@ -555,20 +488,26 @@ dev_rw_vhost(virtd_t)
 dev_setattr_generic_usb_dev(virtd_t)
 dev_relabel_generic_usb_dev(virtd_t)
 
+# Init script handling
 domain_use_interactive_fds(virtd_t)
 domain_read_all_domains_state(virtd_t)
+domain_signull_all_domains(virtd_t)
 
-files_read_usr_files(virtd_t)
+files_list_all_mountpoints(virtd_t)
 files_read_etc_runtime_files(virtd_t)
 files_search_all(virtd_t)
 files_read_kernel_modules(virtd_t)
 files_read_usr_src_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
+files_relabelfrom_boot_files(virtd_t)
+files_relabelto_boot_files(virtd_t)
+files_manage_boot_files(virtd_t)
 
 # Manages /etc/sysconfig/system-config-firewall
-# files_relabelto_system_conf_files(virtd_t)
-# files_relabelfrom_system_conf_files(virtd_t)
-# files_manage_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
 
+fs_read_tmpfs_symlinks(virtd_t)
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_all_fs(virtd_t)
 fs_rw_anon_inodefs_files(virtd_t)
@@ -587,6 +526,7 @@ mls_net_write_within_range(virtd_t)
 mls_socket_write_to_clearance(virtd_t)
 mls_socket_read_to_clearance(virtd_t)
 mls_rangetrans_source(virtd_t)
+mls_file_upgrade(virtd_t)
 
 mcs_process_set_categories(virtd_t)
 
@@ -601,15 +541,18 @@ term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
 
-miscfiles_read_localization(virtd_t)
+init_dbus_chat(virtd_t)
+
 miscfiles_read_generic_certs(virtd_t)
 miscfiles_read_hwdata(virtd_t)
 
 modutils_read_module_deps(virtd_t)
+modutils_read_module_config(virtd_t)
 modutils_manage_module_config(virtd_t)
 
 logging_send_syslog_msg(virtd_t)
 logging_send_audit_msgs(virtd_t)
+logging_stream_connect_syslog(virtd_t)
 
 selinux_validate_context(virtd_t)
 
@@ -620,18 +563,26 @@ seutil_read_file_contexts(virtd_t)
 sysnet_signull_ifconfig(virtd_t)
 sysnet_signal_ifconfig(virtd_t)
 sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
 
-userdom_read_all_users_state(virtd_t)
-
-ifdef(`hide_broken_symptoms',`
-	dontaudit virtd_t self:capability { sys_module sys_ptrace };
-')
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
 
-tunable_policy(`virt_use_fusefs',`
-	fs_manage_fusefs_dirs(virtd_t)
-	fs_manage_fusefs_files(virtd_t)
-	fs_read_fusefs_symlinks(virtd_t)
-')
+userdom_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
+userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_tmp_files(virtd_t)
+userdom_setattr_user_tmp_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+virt_filetrans_home_content(virtd_t)
 
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
@@ -640,7 +591,7 @@ tunable_policy(`virt_use_nfs',`
 ')
 
 tunable_policy(`virt_use_samba',`
-	fs_manage_cifs_files(virtd_t)
+	fs_manage_cifs_dirs(virtd_t)
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
@@ -664,10 +615,6 @@ optional_policy(`
 		consolekit_dbus_chat(virtd_t)
 	')
 
-	optional_policy(`
-		firewalld_dbus_chat(virtd_t)
-	')
-
 	optional_policy(`
 		hal_dbus_chat(virtd_t)
 	')
@@ -675,11 +622,7 @@ optional_policy(`
 	optional_policy(`
 		networkmanager_dbus_chat(virtd_t)
 	')
-
-	optional_policy(`
-		policykit_dbus_chat(virtd_t)
-	')
-')
+')
 
 optional_policy(`
 	dmidecode_domtrans(virtd_t)
@@ -691,20 +634,26 @@ optional_policy(`
 	dnsmasq_kill(virtd_t)
 	dnsmasq_signull(virtd_t)
 	dnsmasq_create_pid_dirs(virtd_t)
-	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
-	dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
+	dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
 	dnsmasq_manage_pid_files(virtd_t)
 ')
 
+optional_policy(`
+	firewalld_dbus_chat(virtd_t)
+')
+
 optional_policy(`
 	iptables_domtrans(virtd_t)
 	iptables_initrc_domtrans(virtd_t)
+	iptables_systemctl(virtd_t)
+
+	# Manages /etc/sysconfig/system-config-firewall
 	iptables_manage_config(virtd_t)
 ')
 
 optional_policy(`
-	kerberos_read_keytab(virtd_t)
-	kerberos_use(virtd_t)
+    kerberos_read_keytab(virtd_t)
+    kerberos_use(virtd_t)
 ')
 
 optional_policy(`
@@ -712,11 +661,18 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# Run mount in the mount_t domain.
 	mount_domtrans(virtd_t)
 	mount_signal(virtd_t)
 ')
 
 optional_policy(`
+    numad_domtrans(virtd_t)
+    numad_dbus_chat(virtd_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(virtd_t)
 	policykit_domtrans_auth(virtd_t)
 	policykit_domtrans_resolve(virtd_t)
 	policykit_read_lib(virtd_t)
@@ -726,10 +682,18 @@ optional_policy(`
 	qemu_exec(virtd_t)
 ')
 
+optional_policy(`
+	sanlock_stream_connect(virtd_t)
+')
+
 optional_policy(`
 	sasl_connect(virtd_t)
 ')
 
+optional_policy(`
+	setrans_manage_pid_files(virtd_t)
+')
+
 optional_policy(`
 	kernel_read_xen_state(virtd_t)
 	kernel_write_xen_state(virtd_t)
@@ -746,44 +710,371 @@ optional_policy(`
 	udev_read_pid_files(virtd_t)
 ')
 
+optional_policy(`
+	unconfined_domain(virtd_t)
+')
+
 ########################################
 #
-# Virsh local policy
+# virtlogd local policy
 #
 
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
+# virtlogd is allowed to manage files it creates in /var/run/libvirt
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
 
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+# virtlogd needs to read /etc/libvirt/virtlogd.conf only
+files_config_file(virtlogd_etc_t)
+allow virtlogd_t virtlogd_etc_t:file read_file_perms;
+files_search_etc(virtlogd_t)
+allow virtlogd_t virt_etc_t:file read_file_perms;
+allow virtlogd_t virt_etc_t:lnk_file read_file_perms;
+allow virtlogd_t virt_etc_t:dir search;
 
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated
+# context from other stuff in /var/run/libvirt
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file })
+# This lets systemd create the socket itself too
+files_pid_file(virtlogd_var_run_t)
 
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+# virtlogd creates a /var/run/virtlogd.pid file
+allow virtlogd_t virtlogd_var_run_t:file manage_file_perms;
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
 
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })
 
-allow virsh_t svirt_lxc_domain:process transition;
+manage_dirs_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t)
 
-can_exec(virsh_t, virsh_exec_t)
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+kernel_read_network_state(virtlogd_t)
+
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_read_sysfs(virtlogd_t)
+
+logging_send_syslog_msg(virtlogd_t)
+
+auth_use_nsswitch(virtlogd_t)
+
+manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
+
+manage_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t)
+
+# Allow virtlogd to look at /proc/$PID/status
+# to authenticate the connecting libvirtd
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+tunable_policy(`virt_use_nfs',`
+	fs_append_nfs_files(virtlogd_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(virtlogd_t)
+')
+
+optional_policy(`
+    systemd_write_inhibit_pipes(virtlogd_t)
+    systemd_dbus_chat_logind(virtlogd_t)
+')
+
+########################################
+#
+# virtual domains common policy
+#
+allow virt_domain self:capability2 compromise_kernel;
+allow virt_domain self:process { setrlimit signal_perms getsched setsched };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
+dontaudit virt_domain virt_content_t:dir write;
+
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
+kernel_ib_access_unlabeled_pkeys(virt_domain)
+
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
+append_files_pattern(virt_domain, virt_home_t, virt_home_t)
+manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
+
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file)
+allow svirt_t svirt_image_t:file map;
+allow svirt_t svirt_image_t:blk_file map;
+
+manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file})
+userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file })
+allow virt_domain svirt_tmpfs_t:file map;
+
+manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
+
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
+
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
+dev_dontaudit_getattr_all(virt_domain)
+dev_read_generic_symlinks(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
+dev_read_urand(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_vfio_dev(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+dev_rw_inherited_vhost(virt_domain)
+dev_rw_infiniband_dev(virt_domain)
+dev_rw_dri(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+
+fs_rw_cephfs_files(virt_domain)
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_inherited_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
+
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+miscfiles_read_generic_certs(virt_domain)
+
+storage_raw_read_removable_device(virt_domain)
 
+sysnet_read_config(virt_domain)
+
+term_use_all_inherited_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
+
+tunable_policy(`virt_use_execmem',`
+	allow virt_domain self:process { execmem execstack };
+')
+
+optional_policy(`
+	alsa_read_rw_config(virt_domain)
+')
+
+optional_policy(`
+	nscd_dontaudit_write_sock_file(virt_domain)
+')
+
+optional_policy(`
+	nscd_dontaudit_read_pid(virt_domain)
+')
+
+optional_policy(`
+    openvswitch_stream_connect(svirt_t)
+')
+
+optional_policy(`
+	ptchown_domtrans(virt_domain)
+')
+
+optional_policy(`
+	pulseaudio_dontaudit_exec(virt_domain)
+')
+
+optional_policy(`
+	sssd_dontaudit_stream_connect(virt_domain)
+	sssd_dontaudit_read_lib(virt_domain)
+	sssd_dontaudit_read_public_files(virt_domain)
+')
+
+optional_policy(`
+	virt_read_config(virt_domain)
+	virt_read_lib_files(virt_domain)
+	virt_read_content(virt_domain)
+	virt_stream_connect(virt_domain)
+	virt_read_pid_symlinks(virt_domain)
+	virt_domtrans_bridgehelper(virt_domain)
+')
+
+optional_policy(`
+	xserver_rw_shm(virt_domain)
+')
+
+tunable_policy(`virt_use_comm',`
+	term_use_unallocated_ttys(virt_domain)
+	dev_rw_printer(virt_domain)
+')
+
+tunable_policy(`virt_use_fusefs',`
+	fs_manage_fusefs_dirs(virt_domain)
+	fs_manage_fusefs_files(virt_domain)
+	fs_read_fusefs_symlinks(virt_domain)
+	fs_getattr_fusefs(virt_domain)
+')
+
+optional_policy(`
+    tunable_policy(`virt_use_glusterd',`
+        glusterd_manage_pid(virt_domain)
+    ')
+')
+
+tunable_policy(`virt_use_nfs',`
+	fs_manage_nfs_dirs(virt_domain)
+	fs_manage_nfs_files(virt_domain)
+	fs_manage_nfs_named_sockets(virt_domain)
+	fs_read_nfs_symlinks(virt_domain)
+	fs_getattr_nfs(virt_domain)
+')
+
+tunable_policy(`virt_use_samba',`
+	fs_manage_cifs_dirs(virt_domain)
+	fs_manage_cifs_files(virt_domain)
+	fs_manage_cifs_named_sockets(virt_domain)
+	fs_read_cifs_symlinks(virt_domain)
+	fs_getattr_cifs(virt_domain)
+')
+
+tunable_policy(`virt_use_usb',`
+	dev_rw_usbfs(virt_domain)
+	dev_read_sysfs(virt_domain)
+	fs_getattr_dos_fs(virt_domain)
+	fs_manage_dos_dirs(virt_domain)
+	fs_manage_dos_files(virt_domain)
+')
+
+optional_policy(`
+    tunable_policy(`virt_use_sanlock',`
+        sanlock_stream_connect(virt_domain)
+        sanlock_read_state(virt_domain)
+    ')
+')
+
+tunable_policy(`virt_use_rawip',`
+	allow virt_domain self:rawip_socket create_socket_perms;
+')
+
+optional_policy(`
+	tunable_policy(`virt_use_xserver',`
+		xserver_stream_connect(virt_domain)
+	')
+')
+
+########################################
+#
+# xm local policy
+#
+type virsh_t, virt_system_domain;
+type virsh_exec_t, virt_file_type;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
+
+allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
+
+can_exec(virsh_t, virsh_exec_t)
 virt_domtrans(virsh_t)
 virt_manage_images(virsh_t)
 virt_manage_config(virsh_t)
 virt_stream_connect(virsh_t)
 
-kernel_read_crypto_sysctls(virsh_t)
+manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
+manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
+files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
+
+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
+manage_dirs_pattern(virsh_t, container_file_t, container_file_t)
+manage_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_chr_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_sock_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t)
+virt_transition_svirt_sandbox(virsh_t, system_r)
+
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
+kernel_write_proc_files(virsh_t)
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
@@ -794,25 +1085,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
 
-corenet_all_recvfrom_unlabeled(virsh_t)
-corenet_all_recvfrom_netlabel(virsh_t)
 corenet_tcp_sendrecv_generic_if(virsh_t)
 corenet_tcp_sendrecv_generic_node(virsh_t)
-corenet_tcp_bind_generic_node(virsh_t)
-
-corenet_sendrecv_soundd_client_packets(virsh_t)
 corenet_tcp_connect_soundd_port(virsh_t)
-corenet_tcp_sendrecv_soundd_port(virsh_t)
 
 dev_read_rand(virsh_t)
 dev_read_urand(virsh_t)
 dev_read_sysfs(virsh_t)
 
 files_read_etc_runtime_files(virsh_t)
-files_read_etc_files(virsh_t)
-files_read_usr_files(virsh_t)
 files_list_mnt(virsh_t)
 files_list_tmp(virsh_t)
+# Some common macros (you might be able to remove some)
 
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
@@ -821,23 +1105,25 @@ fs_search_auto_mountpoints(virsh_t)
 
 storage_raw_read_fixed_disk(virsh_t)
 
-term_use_all_terms(virsh_t)
+term_use_all_inherited_terms(virsh_t)
+term_dontaudit_use_generic_ptys(virsh_t)
+
+userdom_search_admin_dir(virsh_t)
+userdom_read_home_certs(virsh_t)
 
 init_stream_connect_script(virsh_t)
 init_rw_script_stream_sockets(virsh_t)
 init_use_fds(virsh_t)
 
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
+
+auth_read_passwd(virsh_t)
 
-miscfiles_read_localization(virsh_t)
+logging_send_syslog_msg(virsh_t)
 
 sysnet_dns_name_resolve(virsh_t)
 
-tunable_policy(`virt_use_fusefs',`
-	fs_manage_fusefs_dirs(virsh_t)
-	fs_manage_fusefs_files(virsh_t)
-	fs_read_fusefs_symlinks(virsh_t)
-')
+userdom_stream_connect(virsh_t)
 
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virsh_t)
@@ -855,15 +1141,21 @@ optional_policy(`
 	cron_system_entry(virsh_t, virsh_exec_t)
 ')
 
+optional_policy(`
+	rhcs_domtrans_fenced(virsh_t)
+')
+
 optional_policy(`
 	rpm_exec(virsh_t)
 ')
 
 optional_policy(`
 	xen_manage_image_dirs(virsh_t)
+	xen_read_image_files(virsh_t)
+	xen_read_lib_files(virsh_t)
 	xen_append_log(virsh_t)
 	xen_domtrans(virsh_t)
-	xen_read_xenstored_pid_files(virsh_t)
+	xen_read_pid_files_xenstored(virsh_t)
 	xen_stream_connect(virsh_t)
 	xen_stream_connect_xenstore(virsh_t)
 ')
@@ -888,49 +1180,66 @@ optional_policy(`
 	kernel_read_xen_state(virsh_ssh_t)
 	kernel_write_xen_state(virsh_ssh_t)
 
+	dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
 	files_search_tmp(virsh_ssh_t)
 
 	fs_manage_xenfs_dirs(virsh_ssh_t)
 	fs_manage_xenfs_files(virsh_ssh_t)
+
+	userdom_search_admin_dir(virsh_ssh_t)
 ')
 
 ########################################
 #
-# Lxc local policy
+# virt_lxc local policy
 #
+allow virtd_lxc_t self:bpf { map_read map_write prog_load map_create prog_run };
+allow virtd_lxc_t self:capability { dac_read_search dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
+allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
+allow virtd_lxc_t self:capability2 compromise_kernel;
 
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
 allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
 allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
-allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
-allow virtd_lxc_t self:unix_stream_socket { accept listen };
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow virtd_lxc_t self:packet_socket create_socket_perms;
+ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain)
+allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
 
-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
+files_entrypoint_all_files(virtd_lxc_t)
 
 allow virtd_lxc_t virt_image_type:dir mounton;
 manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
 
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms };
+
 allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
-
-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
+filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+
+manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+allow virtd_lxc_t container_file_t:dir_file_class_set { relabelto relabelfrom };
+allow virtd_lxc_t container_file_t:filesystem { relabelto relabelfrom };
+files_associate_rootfs(container_file_t)
+
+seutil_read_file_contexts(virtd_lxc_t)
 
 storage_manage_fixed_disk(virtd_lxc_t)
+storage_rw_fuse(virtd_lxc_t)
 
 kernel_read_all_sysctls(virtd_lxc_t)
 kernel_read_network_state(virtd_lxc_t)
 kernel_read_system_state(virtd_lxc_t)
+kernel_request_load_module(virtd_lxc_t)
 
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
@@ -942,17 +1251,16 @@ dev_read_urand(virtd_lxc_t)
 
 domain_use_interactive_fds(virtd_lxc_t)
 
-files_associate_rootfs(svirt_lxc_file_t)
 files_search_all(virtd_lxc_t)
 files_getattr_all_files(virtd_lxc_t)
-files_read_usr_files(virtd_lxc_t)
 files_relabel_rootfs(virtd_lxc_t)
 files_mounton_non_security(virtd_lxc_t)
 files_mount_all_file_type_fs(virtd_lxc_t)
 files_unmount_all_file_type_fs(virtd_lxc_t)
 files_list_isid_type_dirs(virtd_lxc_t)
-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
+files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set)
 
+fs_read_fusefs_files(virtd_lxc_t)
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -964,15 +1272,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
 
+logging_send_audit_msgs(virtd_lxc_t)
+
 selinux_mount_fs(virtd_lxc_t)
 selinux_unmount_fs(virtd_lxc_t)
-selinux_get_enforce_mode(virtd_lxc_t)
-selinux_get_fs_mount(virtd_lxc_t)
-selinux_validate_context(virtd_lxc_t)
-selinux_compute_access_vector(virtd_lxc_t)
-selinux_compute_create_context(virtd_lxc_t)
-selinux_compute_relabel_context(virtd_lxc_t)
-selinux_compute_user_contexts(virtd_lxc_t)
+seutil_read_config(virtd_lxc_t)
 
 term_use_generic_ptys(virtd_lxc_t)
 term_use_ptmx(virtd_lxc_t)
@@ -982,186 +1286,296 @@ auth_use_nsswitch(virtd_lxc_t)
 
 logging_send_syslog_msg(virtd_lxc_t)
 
-miscfiles_read_localization(virtd_lxc_t)
-
 seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
 seutil_read_default_contexts(virtd_lxc_t)
 
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+selinux_get_enforce_mode(virtd_lxc_t)
+selinux_get_fs_mount(virtd_lxc_t)
+selinux_validate_context(virtd_lxc_t)
+selinux_compute_access_vector(virtd_lxc_t)
+selinux_compute_create_context(virtd_lxc_t)
+selinux_compute_relabel_context(virtd_lxc_t)
+selinux_compute_user_contexts(virtd_lxc_t)
 
-########################################
-#
-# Common virt lxc domain local policy
-#
+sysnet_exec_ifconfig(virtd_lxc_t)
 
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
-allow svirt_lxc_domain self:sem create_sem_perms;
-allow svirt_lxc_domain self:shm create_shm_perms;
-allow svirt_lxc_domain self:msgq create_msgq_perms;
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+systemd_dbus_chat_machined(virtd_lxc_t)
 
-allow svirt_lxc_domain virtd_lxc_t:fd use;
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+userdom_read_admin_home_files(virtd_lxc_t)
 
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+optional_policy(`
+	container_exec_lib(virtd_lxc_t)
+')
 
-allow svirt_lxc_domain virsh_t:fd use;
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virsh_t:process sigchld;
+optional_policy(`
+	dbus_system_bus_client(virtd_lxc_t)
+	init_dbus_chat(virtd_lxc_t)
 
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+	optional_policy(`
+		hal_dbus_chat(virtd_lxc_t)
+	')
+')
 
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+optional_policy(`
+	gnome_read_generic_cache_files(virtd_lxc_t)
+')
 
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+optional_policy(`
+	setrans_manage_pid_files(virtd_lxc_t)
+')
 
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+optional_policy(`
+	unconfined_domain(virtd_lxc_t)
+')
 
-kernel_getattr_proc(svirt_lxc_domain)
-kernel_list_all_proc(svirt_lxc_domain)
-kernel_read_kernel_sysctls(svirt_lxc_domain)
-kernel_rw_net_sysctls(svirt_lxc_domain)
-kernel_read_system_state(svirt_lxc_domain)
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+########################################
+#
+# svirt_sandbox_domain local policy
+#
+allow svirt_sandbox_domain self:key manage_key_perms;
+dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+
+allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow svirt_sandbox_domain self:fifo_file manage_file_perms;
+allow svirt_sandbox_domain self:msg all_msg_perms;
+allow svirt_sandbox_domain self:sem create_sem_perms;
+allow svirt_sandbox_domain self:shm create_shm_perms;
+allow svirt_sandbox_domain self:msgq create_msgq_perms;
+allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
+allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+tunable_policy(`deny_ptrace',`',`
+	allow svirt_sandbox_domain self:process ptrace;
+')
 
-corecmd_exec_all_executables(svirt_lxc_domain)
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
+manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto };
+
+allow svirt_sandbox_domain container_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+can_exec(svirt_sandbox_domain, container_file_t)
+allow svirt_sandbox_domain container_file_t:dir mounton;
+allow svirt_sandbox_domain container_file_t:filesystem getattr;
+
+kernel_getattr_proc(svirt_sandbox_domain)
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_read_net_sysctls(svirt_sandbox_domain)
+kernel_rw_unix_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+domain_dontaudit_link_keys(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_search_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+files_entrypoint_all_files(svirt_sandbox_domain)
+files_list_var(svirt_sandbox_domain)
+files_list_var_lib(svirt_sandbox_domain)
+files_search_all(svirt_sandbox_domain)
+files_read_config_files(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+fs_rw_cephfs_files(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain)
+fs_list_tmpfs(svirt_sandbox_domain)
+fs_rw_hugetlbfs_files(svirt_sandbox_domain)
+fs_rw_onload_sockets(svirt_sandbox_domain)
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+clock_read_adjtime(svirt_sandbox_domain)
+
+init_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+systemd_read_unit_files(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
 
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
-# files_entrypoint_all_files(svirt_lxc_domain)
-files_list_var(svirt_lxc_domain)
-files_list_var_lib(svirt_lxc_domain)
-files_search_all(svirt_lxc_domain)
-files_read_config_files(svirt_lxc_domain)
-files_read_usr_files(svirt_lxc_domain)
-files_read_usr_symlinks(svirt_lxc_domain)
+optional_policy(`
+	apache_exec_modules(svirt_sandbox_domain)
+	apache_read_sys_content(svirt_sandbox_domain)
+')
 
-fs_getattr_all_fs(svirt_lxc_domain)
-fs_list_inotifyfs(svirt_lxc_domain)
+optional_policy(`
+	gear_read_pid_files(svirt_sandbox_domain)
+')
 
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+optional_policy(`
+	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
 
-auth_dontaudit_read_login_records(svirt_lxc_domain)
-auth_dontaudit_write_login_records(svirt_lxc_domain)
-auth_search_pam_console_data(svirt_lxc_domain)
+optional_policy(`
+	ssh_use_ptys(svirt_sandbox_domain)
+')
 
-clock_read_adjtime(svirt_lxc_domain)
+optional_policy(`
+	udev_read_pid_files(svirt_sandbox_domain)
+')
 
-init_read_utmp(svirt_lxc_domain)
-init_dontaudit_write_utmp(svirt_lxc_domain)
+optional_policy(`
+	userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
 
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+tunable_policy(`virt_use_nfs',`
+	fs_manage_nfs_dirs(svirt_sandbox_domain)
+	fs_manage_nfs_files(svirt_sandbox_domain)
+	fs_manage_nfs_named_sockets(svirt_sandbox_domain)
+	fs_manage_nfs_symlinks(svirt_sandbox_domain)
+')
 
-miscfiles_read_localization(svirt_lxc_domain)
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
-miscfiles_read_fonts(svirt_lxc_domain)
+tunable_policy(`virt_use_samba',`
+	fs_manage_cifs_files(svirt_sandbox_domain)
+	fs_manage_cifs_dirs(svirt_sandbox_domain)
+	fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+	fs_manage_cifs_symlinks(svirt_sandbox_domain)
+')
 
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+tunable_policy(`virt_sandbox_use_fusefs',`
+	fs_manage_fusefs_dirs(svirt_sandbox_domain)
+	fs_manage_fusefs_files(svirt_sandbox_domain)
+	fs_manage_fusefs_symlinks(svirt_sandbox_domain)
+')
 
 optional_policy(`
-	udev_read_pid_files(svirt_lxc_domain)
+    fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+    dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
 ')
 
 optional_policy(`
-	apache_exec_modules(svirt_lxc_domain)
-	apache_read_sys_content(svirt_lxc_domain)
+    container_read_share_files(svirt_sandbox_domain)
+	container_exec_share_files(svirt_sandbox_domain)
+	container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
+	container_use_ptys(svirt_sandbox_domain)
 ')
 
 ########################################
 #
-# Lxc net local policy
+# container_t local policy
 #
+virt_sandbox_domain_template(container)
+typealias container_t alias svirt_lxc_net_t;
+# Policy moved to container-selinux policy package
 
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
-allow svirt_lxc_net_t self:packet_socket create_socket_perms;
-allow svirt_lxc_net_t self:socket create_socket_perms;
-allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+########################################
+#
+# svirt_lxc_net_t local policy
+#
+virt_sandbox_domain_template(svirt_qemu_net)
+typeattribute svirt_qemu_net_t sandbox_net_domain;
 
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+allow svirt_qemu_net_t self:process { execstack execmem };
 
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
-corenet_udp_sendrecv_generic_if(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t)
-corenet_udp_sendrecv_generic_node(svirt_lxc_net_t)
-corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+	allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
+	allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+	allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+')
 
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
 
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
 
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
-dev_read_rand(svirt_lxc_net_t)
-dev_read_sysfs(svirt_lxc_net_t)
-dev_read_urand(svirt_lxc_net_t)
+dev_rw_kvm(svirt_qemu_net_t)
 
-files_read_kernel_modules(svirt_lxc_net_t)
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
 
-fs_mount_cgroup(svirt_lxc_net_t)
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 
-auth_use_nsswitch(svirt_lxc_net_t)
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 
-logging_send_audit_msgs(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_qemu_net_t)
 
-userdom_use_user_ptys(svirt_lxc_net_t)
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
 
-optional_policy(`
-	rpm_read_db(svirt_lxc_net_t)
-')
+files_read_kernel_modules(svirt_qemu_net_t)
 
-#######################################
-#
-# Prot exec local policy
-#
+fs_noxattr_type(container_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
 
-allow svirt_prot_exec_t self:process { execmem execstack };
+logging_send_syslog_msg(svirt_qemu_net_t)
+
+tunable_policy(`virt_sandbox_use_audit',`
+	logging_send_audit_msgs(svirt_qemu_net_t)
+')
+
+userdom_use_user_ptys(svirt_qemu_net_t)
 
 ########################################
 #
-# Qmf local policy
+# virt_qmf local policy
 #
-
 allow virt_qmf_t self:capability { sys_nice sys_tty_config };
 allow virt_qmf_t self:process { setsched signal };
 allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
-allow virt_qmf_t self:unix_stream_socket { accept listen };
+allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 
@@ -1174,12 +1588,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
 
+corenet_tcp_connect_matahari_port(virt_qmf_t)
+
 domain_use_interactive_fds(virt_qmf_t)
 
 logging_send_syslog_msg(virt_qmf_t)
 
-miscfiles_read_localization(virt_qmf_t)
-
 sysnet_read_config(virt_qmf_t)
 
 optional_policy(`
@@ -1192,9 +1606,8 @@ optional_policy(`
 
 ########################################
 #
-# Bridgehelper local policy
+# virt_bridgehelper local policy
 #
-
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1620,249 @@ kernel_read_network_state(virt_bridgehelper_t)
 
 corenet_rw_tun_tap_dev(virt_bridgehelper_t)
 
-userdom_search_user_home_dirs(virt_bridgehelper_t)
-userdom_use_user_ptys(virt_bridgehelper_t)
+userdom_use_inherited_user_ptys(virt_bridgehelper_t)
+
+#######################################
+#
+# virt_qemu_ga local policy
+#
+
+allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };
+
+allow virt_qemu_ga_t self:passwd passwd;
+
+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
+
+allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;
+can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
+
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
+files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })
+
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
+files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
+
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
+
+kernel_read_system_state(virt_qemu_ga_t)
+kernel_read_network_state(virt_qemu_ga_t)
+kernel_rw_kernel_sysctl(virt_qemu_ga_t)
+
+corecmd_exec_shell(virt_qemu_ga_t)
+corecmd_exec_bin(virt_qemu_ga_t)
+
+clock_read_adjtime(virt_qemu_ga_t)
+
+dev_getattr_apm_bios_dev(virt_qemu_ga_t)
+dev_rw_sysfs(virt_qemu_ga_t)
+dev_rw_realtime_clock(virt_qemu_ga_t)
+
+files_list_all_mountpoints(virt_qemu_ga_t)
+files_write_all_mountpoints(virt_qemu_ga_t)
+
+fs_list_all(virt_qemu_ga_t)
+fs_getattr_all_fs(virt_qemu_ga_t)
+
+term_use_virtio_console(virt_qemu_ga_t)
+term_use_all_ttys(virt_qemu_ga_t)
+term_use_unallocated_ttys(virt_qemu_ga_t)
+
+auth_use_nsswitch(virt_qemu_ga_t)
+
+logging_send_syslog_msg(virt_qemu_ga_t)
+logging_send_audit_msgs(virt_qemu_ga_t)
+
+init_read_utmp(virt_qemu_ga_t)
+
+modutils_exec_insmod(virt_qemu_ga_t)
+
+sysnet_dns_name_resolve(virt_qemu_ga_t)
+
+systemd_exec_systemctl(virt_qemu_ga_t)
+systemd_start_power_services(virt_qemu_ga_t)
+
+userdom_use_user_ptys(virt_qemu_ga_t)
+
+usermanage_domtrans_passwd(virt_qemu_ga_t)
+
+tunable_policy(`virt_read_qemu_ga_data',`
+    read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+    read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+')
+
+tunable_policy(`virt_rw_qemu_ga_data',`
+    manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+    manage_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+    manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
+')
+
+optional_policy(`
+    bootloader_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+    clock_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(virt_qemu_ga_t)
+')
+
+optional_policy(`
+    cron_initrc_domtrans(virt_qemu_ga_t)
+    cron_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+    devicekit_manage_pid_files(virt_qemu_ga_t)
+    devicekit_read_log_files(virt_qemu_ga_t)
+')
+
+optional_policy(`
+    fstools_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+    rpm_dbus_chat(virt_qemu_ga_t)
+')
+
+optional_policy(`
+    shutdown_domtrans(virt_qemu_ga_t)
+')
+
+optional_policy(`
+	udev_read_pid_files(virt_qemu_ga_t)
+')
+
+#######################################
+#
+# qemu-ga  unconfined hook script local policy
+#
+
+optional_policy(`
+    type virt_qemu_ga_unconfined_t;
+    domain_type(virt_qemu_ga_unconfined_t)
+
+    domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
+    role system_r types virt_qemu_ga_unconfined_t;
+
+    domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
+
+    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
+    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
+    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
+
+    init_domtrans_script(virt_qemu_ga_unconfined_t)
+
+    optional_policy(`
+        unconfined_domain(virt_qemu_ga_unconfined_t)
+    ')
+')
+
+#######################################
+#
+# tye for svirt sockets
+#
+
+type svirt_socket_t;
+domain_type(svirt_socket_t)
+role system_r types svirt_socket_t;
+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
+
+tunable_policy(`virt_transition_userdomain',`
+	userdom_transition(virtd_t)
+	userdom_transition(virtd_lxc_t)
+')
+
+########################################
+#
+# svirt_lxc_net_t local policy
+#
+virt_sandbox_domain_template(svirt_kvm_net)
+typeattribute svirt_kvm_net_t sandbox_net_domain;
+
+allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_kvm_net_t self:capability2 block_suspend;
+
+tunable_policy(`virt_sandbox_use_netlink',`
+	allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
+	allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+	allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+term_use_generic_ptys(svirt_kvm_net_t)
+term_use_ptmx(svirt_kvm_net_t)
+
+dev_rw_kvm(svirt_kvm_net_t)
+
+manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t)
+
+list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
+
+append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t)
+
+kernel_read_network_state(svirt_kvm_net_t)
+kernel_read_irq_sysctls(svirt_kvm_net_t)
+
+dev_read_sysfs(svirt_kvm_net_t)
+dev_getattr_mtrr_dev(svirt_kvm_net_t)
+dev_read_rand(svirt_kvm_net_t)
+dev_read_urand(svirt_kvm_net_t)
+
+files_read_kernel_modules(svirt_kvm_net_t)
+
+fs_noxattr_type(container_file_t)
+fs_mount_cgroup(svirt_kvm_net_t)
+fs_manage_cgroup_dirs(svirt_kvm_net_t)
+fs_manage_cgroup_files(svirt_kvm_net_t)
+
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_kvm_net_t)
+
+rpm_read_db(svirt_kvm_net_t)
+
+logging_send_syslog_msg(svirt_kvm_net_t)
+
+tunable_policy(`virt_sandbox_use_audit',`
+	logging_send_audit_msgs(svirt_kvm_net_t)
+')
+
+userdom_use_user_ptys(svirt_kvm_net_t)
+
+kernel_read_network_state(sandbox_net_domain)
+
+allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
+
+allow sandbox_net_domain self:udp_socket create_socket_perms;
+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
+allow sandbox_net_domain self:packet_socket create_socket_perms;
+allow sandbox_net_domain self:socket create_socket_perms;
+allow sandbox_net_domain self:rawip_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_generic_node(sandbox_net_domain)
+corenet_raw_bind_generic_node(sandbox_net_domain)
+corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
+corenet_udp_sendrecv_all_ports(sandbox_net_domain)
+corenet_udp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_connect_all_ports(sandbox_net_domain)
+
+optional_policy(`
+	sssd_stream_connect(sandbox_net_domain)
+')
+
+optional_policy(`
+	systemd_dbus_chat_logind(sandbox_net_domain)
+')
+
+allow sandbox_caps_domain self:capability { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
diff --git a/vlock.te b/vlock.te
index 6b72968ea8..de409cc610 100644
--- a/vlock.te
+++ b/vlock.te
@@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
 
 init_dontaudit_rw_utmp(vlock_t)
 
-miscfiles_read_localization(vlock_t)
+logging_send_syslog_msg(vlock_t)
 
 userdom_dontaudit_search_user_home_dirs(vlock_t)
-userdom_use_user_terminals(vlock_t)
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/vmtools.fc b/vmtools.fc
new file mode 100644
index 0000000000..bcada182cc
--- /dev/null
+++ b/vmtools.fc
@@ -0,0 +1,8 @@
+/etc/vmware-tools(/.*)?       gen_context(system_u:object_r:vmtools_unconfined_exec_t,s0)
+
+/usr/bin/vmtoolsd		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
+/usr/bin/VGAuthService		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
+
+/usr/bin/vmware-user-suid-wrapper		--	gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
+
+/usr/lib/systemd/system/vmtoolsd.*		--	gen_context(system_u:object_r:vmtools_unit_file_t,s0)
diff --git a/vmtools.if b/vmtools.if
new file mode 100644
index 0000000000..f94feab67f
--- /dev/null
+++ b/vmtools.if
@@ -0,0 +1,143 @@
+## <summary>VMware Tools daemon</summary>
+
+########################################
+## <summary>
+##	Execute vmtools in the vmtools domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vmtools_domtrans',`
+	gen_require(`
+		type vmtools_t, vmtools_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, vmtools_exec_t, vmtools_t)
+')
+
+########################################
+## <summary>
+##	Execute vmtools in the vmtools domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vmtools_domtrans_helper',`
+	gen_require(`
+		type vmtools_helper_t, vmtools_helper_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t)
+')
+
+########################################
+## <summary>
+##	Execute vmtools helpers in the vmtools_heler domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mozilla_plugin domain.
+##	</summary>
+## </param>
+#
+interface(`vmtools_run_helper',`
+	gen_require(`
+		attribute_role vmtools_helper_roles;
+	')
+
+    vmtools_domtrans_helper($1)
+	roleattribute $2 vmtools_helper_roles;
+')
+
+########################################
+## <summary>
+##	Execute vmtools server in the vmtools domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`vmtools_systemctl',`
+	gen_require(`
+		type vmtools_t;
+		type vmtools_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 vmtools_unit_file_t:file read_file_perms;
+	allow $1 vmtools_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, vmtools_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an vmtools environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`vmtools_admin',`
+	gen_require(`
+		type vmtools_t;
+		type vmtools_unit_file_t;
+	')
+
+	allow $1 vmtools_t:process { signal_perms };
+	ps_process_pattern($1, vmtools_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 vmtools_t:process ptrace;
+	')
+
+	vmtools_systemctl($1)
+	admin_pattern($1, vmtools_unit_file_t)
+	allow $1 vmtools_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	vmtools_unconfined over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmtools_unconfined_dbus_chat',`
+	gen_require(`
+		type vmtools_unconfined_t;
+		class dbus send_msg;
+	')
+
+	allow $1 vmtools_unconfined_t:dbus send_msg;
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
index 0000000000..c4f3b456bf
--- /dev/null
+++ b/vmtools.te
@@ -0,0 +1,136 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role vmtools_helper_roles;
+
+roleattribute system_r vmtools_helper_roles;
+
+type vmtools_t;
+type vmtools_exec_t;
+init_daemon_domain(vmtools_t, vmtools_exec_t)
+role vmtools_helper_roles types vmtools_t;
+
+type vmtools_helper_t;
+type vmtools_helper_exec_t;
+application_domain(vmtools_helper_t, vmtools_helper_exec_t)
+domain_system_change_exemption(vmtools_helper_t)
+role vmtools_helper_roles types vmtools_helper_t;
+
+type vmtools_unit_file_t;
+systemd_unit_file(vmtools_unit_file_t)
+
+type vmtools_tmp_t;
+files_tmp_file(vmtools_tmp_t)
+
+type vmtools_unconfined_exec_t;
+application_executable_file(vmtools_unconfined_exec_t)
+
+########################################
+#
+# vmtools local policy
+#
+
+allow vmtools_t self:capability { sys_time sys_rawio };
+allow vmtools_t self:fifo_file rw_fifo_file_perms;
+allow vmtools_t self:unix_stream_socket create_stream_socket_perms;
+allow vmtools_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
+manage_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
+manage_lnk_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t)
+files_tmp_filetrans(vmtools_t, vmtools_tmp_t, { file dir })
+
+kernel_read_system_state(vmtools_t)
+kernel_read_network_state(vmtools_t)
+
+corecmd_exec_bin(vmtools_t)
+corecmd_exec_shell(vmtools_t)
+
+dev_read_urand(vmtools_t)
+dev_getattr_all_blk_files(vmtools_t)
+
+fs_getattr_all_fs(vmtools_t)
+
+auth_use_nsswitch(vmtools_t)
+
+#shutdown
+init_rw_utmp(vmtools_t)
+init_stream_connect(vmtools_t)
+init_telinit(vmtools_t)
+
+logging_send_syslog_msg(vmtools_t)
+
+systemd_exec_systemctl(vmtools_t)
+
+sysnet_domtrans_ifconfig(vmtools_t)
+
+xserver_stream_connect_xdm(vmtools_t)
+xserver_stream_connect(vmtools_t)
+
+optional_policy(`
+    networkmanager_dbus_chat(vmtools_t)
+')
+
+optional_policy(`
+    rpm_transition_script(vmtools_t,system_r)
+')
+
+optional_policy(`
+    vmware_filetrans_content(vmtools_t)
+    vmware_manage_log(vmtools_t)
+')
+
+optional_policy(`
+    unconfined_domain(vmtools_t)
+')
+
+########################################
+#
+# vmtools-helper local policy
+#
+
+domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)
+can_exec(vmtools_helper_t, vmtools_helper_exec_t)
+
+corecmd_exec_bin(vmtools_helper_t)
+
+userdom_stream_connect(vmtools_helper_t)
+userdom_use_inherited_user_ttys(vmtools_helper_t)
+userdom_use_inherited_user_ptys(vmtools_helper_t)
+
+optional_policy(`
+    unconfined_domain(vmtools_helper_t)
+')
+
+########################################
+#
+# vmtools_unconfined_script_t local policy
+#
+
+optional_policy(`
+	type vmtools_unconfined_t;
+	domain_type(vmtools_unconfined_t)
+
+	domain_entry_file(vmtools_unconfined_t, vmtools_unconfined_exec_t)
+	role system_r types vmtools_unconfined_t;
+
+	domtrans_pattern(vmtools_t, vmtools_unconfined_exec_t, vmtools_unconfined_t)
+
+	allow vmtools_t vmtools_unconfined_exec_t:dir search_dir_perms;
+	allow vmtools_t vmtools_unconfined_exec_t:dir read_file_perms;
+	allow vmtools_t vmtools_unconfined_exec_t:file ioctl;
+
+	init_domtrans_script(vmtools_unconfined_t)
+
+    corecmd_exec_shell(vmtools_unconfined_t)
+    corecmd_shell_entry_type(vmtools_unconfined_t)
+    corecmd_shell_domtrans(vmtools_t, vmtools_unconfined_t)
+
+	optional_policy(`
+		unconfined_domain(vmtools_unconfined_t)
+	')
+')
diff --git a/vmware.if b/vmware.if
index 20a1fb2961..39d21a3047 100644
--- a/vmware.if
+++ b/vmware.if
@@ -26,7 +26,11 @@ interface(`vmware_role',`
 	domtrans_pattern($2, vmware_exec_t, vmware_t)
 
 	ps_process_pattern($2, vmware_t)
-	allow $2 vmware_t:process { ptrace signal_perms };
+	allow $2 vmware_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 vmware_t:process ptrace;
+	')
 
 	allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
@@ -112,3 +116,39 @@ interface(`vmware_append_log',`
 	logging_search_logs($1)
 	append_files_pattern($1, vmware_log_t, vmware_log_t)
 ')
+
+########################################
+## <summary>
+##	Transition to vmware content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_filetrans_content',`
+	gen_require(`
+		type vmware_log_t;
+	')
+
+	logging_log_filetrans($1, vmware_log_t, file)
+')
+
+########################################
+## <summary>
+##	Manage vmware log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_manage_log',`
+	gen_require(`
+		type vmware_log_t;
+	')
+
+	manage_files_pattern($1, vmware_log_t, vmware_log_t)
+')
diff --git a/vmware.te b/vmware.te
index 4ad18944a8..dfe8d1f1a8 100644
--- a/vmware.te
+++ b/vmware.te
@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
 # Host local policy
 #
 
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+allow vmware_host_t self:capability { net_admin sys_module };
+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search dac_override };
 dontaudit vmware_host_t self:capability sys_tty_config;
 allow vmware_host_t self:process { execstack execmem signal_perms };
 allow vmware_host_t self:fifo_file rw_fifo_file_perms;
@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t)
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_read_system_state(vmware_host_t)
 kernel_read_network_state(vmware_host_t)
+kernel_request_load_module(vmware_host_t)
 
-corenet_all_recvfrom_unlabeled(vmware_host_t)
 corenet_all_recvfrom_netlabel(vmware_host_t)
 corenet_tcp_sendrecv_generic_if(vmware_host_t)
 corenet_udp_sendrecv_generic_if(vmware_host_t)
@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t)
 dev_read_sysfs(vmware_host_t)
 dev_read_urand(vmware_host_t)
 dev_rw_vmware(vmware_host_t)
+dev_rw_generic_chr_files(vmware_host_t)
 
 domain_use_interactive_fds(vmware_host_t)
 domain_dontaudit_read_all_domains_state(vmware_host_t)
 
 files_list_tmp(vmware_host_t)
-files_read_etc_files(vmware_host_t)
 files_read_etc_runtime_files(vmware_host_t)
-files_read_usr_files(vmware_host_t)
 
 fs_getattr_all_fs(vmware_host_t)
 fs_search_auto_mountpoints(vmware_host_t)
@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t)
 
 logging_send_syslog_msg(vmware_host_t)
 
-miscfiles_read_localization(vmware_host_t)
-
 sysnet_dns_name_resolve(vmware_host_t)
 sysnet_domtrans_ifconfig(vmware_host_t)
 
+systemd_start_power_services(vmware_host_t)
+
 userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
 userdom_dontaudit_search_user_home_dirs(vmware_host_t)
 
 netutils_domtrans_ping(vmware_host_t)
 
 optional_policy(`
-	hostname_exec(vmware_host_t)
+	unconfined_domain(vmware_host_t)
 ')
 
+optional_policy(`
+	hostname_exec(vmware_host_t)
+') 
+
 optional_policy(`
 	modutils_domtrans_insmod(vmware_host_t)
-')
+') 
 
 optional_policy(`
 	samba_read_config(vmware_host_t)
@@ -182,7 +186,7 @@ optional_policy(`
 # Guest local policy
 #
 
-allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+allow vmware_t self:capability { dac_read_search dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
 dontaudit vmware_t self:capability sys_tty_config;
 allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow vmware_t self:process { execmem execstack };
@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t)
 
 domain_use_interactive_fds(vmware_t)
 
-files_read_etc_files(vmware_t)
 files_read_etc_runtime_files(vmware_t)
-files_read_usr_files(vmware_t)
 files_list_home(vmware_t)
 
 fs_getattr_all_fs(vmware_t)
@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t)
 libs_exec_ld_so(vmware_t)
 libs_read_lib_files(vmware_t)
 
-miscfiles_read_localization(vmware_t)
 
-userdom_use_user_terminals(vmware_t)
+userdom_use_inherited_user_terminals(vmware_t)
 userdom_list_user_home_dirs(vmware_t)
 
 sysnet_dns_name_resolve(vmware_t)
diff --git a/vnstatd.if b/vnstatd.if
index 137ac4458e..b644854c99 100644
--- a/vnstatd.if
+++ b/vnstatd.if
@@ -157,7 +157,6 @@ interface(`vnstatd_manage_lib_files',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`vnstatd_admin',`
 	gen_require(`
@@ -165,9 +164,13 @@ interface(`vnstatd_admin',`
 		type vnstatd_var_run_t;
 	')
 
-	allow $1 vnstatd_t:process { ptrace signal_perms };
+	allow $1 vnstatd_t:process signal_perms;
 	ps_process_pattern($1, vnstatd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 vnstatd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 vnstatd_initrc_exec_t system_r;
diff --git a/vnstatd.te b/vnstatd.te
index e2220ae7f0..85f393b418 100644
--- a/vnstatd.te
+++ b/vnstatd.te
@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen };
 
 manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
 
 manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
 manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
@@ -45,16 +45,14 @@ files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
 kernel_read_network_state(vnstatd_t)
 kernel_read_system_state(vnstatd_t)
 
-domain_use_interactive_fds(vnstatd_t)
+dev_read_sysfs(vnstatd_t)
 
-files_read_etc_files(vnstatd_t)
+domain_use_interactive_fds(vnstatd_t)
 
 fs_getattr_xattr_fs(vnstatd_t)
 
 logging_send_syslog_msg(vnstatd_t)
 
-miscfiles_read_localization(vnstatd_t)
-
 ########################################
 #
 # Client local policy
@@ -64,23 +62,19 @@ allow vnstat_t self:process signal;
 allow vnstat_t self:fifo_file rw_fifo_file_perms;
 allow vnstat_t self:unix_stream_socket { accept listen };
 
+files_search_var_lib(vnstat_t)
 manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
 
 kernel_read_network_state(vnstat_t)
 kernel_read_system_state(vnstat_t)
 
 domain_use_interactive_fds(vnstat_t)
 
-files_read_etc_files(vnstat_t)
-
 fs_getattr_xattr_fs(vnstat_t)
 
 logging_send_syslog_msg(vnstat_t)
 
-miscfiles_read_localization(vnstat_t)
-
 optional_policy(`
 	cron_system_entry(vnstat_t, vnstat_exec_t)
 ')
diff --git a/vpn.fc b/vpn.fc
index 524ac2f76d..076dcc3e63 100644
--- a/vpn.fc
+++ b/vpn.fc
@@ -1,7 +1,13 @@
-/sbin/vpnc	--	gen_context(system_u:object_r:vpnc_exec_t,s0)
+#
+# sbin
+#
+/sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
 
+#
+# /usr
+#
 /usr/bin/openconnect	--	gen_context(system_u:object_r:vpnc_exec_t,s0)
 
-/usr/sbin/vpnc	--	gen_context(system_u:object_r:vpnc_exec_t,s0)
+/usr/sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
 
-/var/run/vpnc(/.*)?	gen_context(system_u:object_r:vpnc_var_run_t,s0)
+/var/run/vpnc(/.*)?		gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/vpn.if b/vpn.if
index 7a7f34297b..afedcba80b 100644
--- a/vpn.if
+++ b/vpn.if
@@ -1,8 +1,8 @@
-## <summary>Virtual Private Networking client.</summary>
+## <summary>Virtual Private Networking client</summary>
 
 ########################################
 ## <summary>
-##	Execute vpn clients in the vpnc domain.
+##	Execute VPN clients in the vpnc domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -15,15 +15,13 @@ interface(`vpn_domtrans',`
 		type vpnc_t, vpnc_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, vpnc_exec_t, vpnc_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute vpn clients in the vpnc
-##	domain, and allow the specified
-##	role the vpnc domain.
+##	Execute VPN clients in the vpnc domain, and
+##	allow the specified role the vpnc domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -40,6 +38,7 @@ interface(`vpn_domtrans',`
 interface(`vpn_run',`
 	gen_require(`
 		attribute_role vpnc_roles;
+		type vpnc_t;
 	')
 
 	vpn_domtrans($1)
@@ -48,7 +47,7 @@ interface(`vpn_run',`
 
 ########################################
 ## <summary>
-##	Send kill signals to vpnc.
+##	Send VPN clients the kill signal.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -66,7 +65,7 @@ interface(`vpn_kill',`
 
 ########################################
 ## <summary>
-##	Send generic signals to vpnc.
+##	Send generic signals to VPN clients.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,7 +83,7 @@ interface(`vpn_signal',`
 
 ########################################
 ## <summary>
-##	Send null signals to vpnc.
+##	Send signull to VPN clients.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -103,7 +102,7 @@ interface(`vpn_signull',`
 ########################################
 ## <summary>
 ##	Send and receive messages from
-##	vpnc over dbus.
+##	Vpnc over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/vpn.te b/vpn.te
index 95b26d1260..3d74e70cc9 100644
--- a/vpn.te
+++ b/vpn.te
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
 #
 
 attribute_role vpnc_roles;
+roleattribute system_r vpnc_roles;
 
 type vpnc_t;
 type vpnc_exec_t;
@@ -28,9 +29,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n
 allow vpnc_t self:process { getsched signal };
 allow vpnc_t self:fifo_file rw_fifo_file_perms;
 allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-allow vpnc_t self:tcp_socket { accept listen };
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
 allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
 allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
+# cjp: this needs to be fixed
 allow vpnc_t self:socket create_socket_perms;
 
 manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
@@ -47,7 +52,6 @@ kernel_read_all_sysctls(vpnc_t)
 kernel_request_load_module(vpnc_t)
 kernel_rw_net_sysctls(vpnc_t)
 
-corenet_all_recvfrom_unlabeled(vpnc_t)
 corenet_all_recvfrom_netlabel(vpnc_t)
 corenet_tcp_sendrecv_generic_if(vpnc_t)
 corenet_udp_sendrecv_generic_if(vpnc_t)
@@ -58,38 +62,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t)
 corenet_tcp_sendrecv_all_ports(vpnc_t)
 corenet_udp_sendrecv_all_ports(vpnc_t)
 corenet_udp_bind_generic_node(vpnc_t)
-
-corenet_sendrecv_all_server_packets(vpnc_t)
 corenet_udp_bind_generic_port(vpnc_t)
-
-corenet_sendrecv_isakmp_server_packets(vpnc_t)
 corenet_udp_bind_isakmp_port(vpnc_t)
-
-corenet_sendrecv_generic_server_packets(vpnc_t)
 corenet_udp_bind_ipsecnat_port(vpnc_t)
-
-corenet_sendrecv_all_client_packets(vpnc_t)
 corenet_tcp_connect_all_ports(vpnc_t)
-
+corenet_sendrecv_all_client_packets(vpnc_t)
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
+corenet_sendrecv_generic_server_packets(vpnc_t)
 corenet_rw_tun_tap_dev(vpnc_t)
 
-corecmd_exec_all_executables(vpnc_t)
-
 dev_read_rand(vpnc_t)
 dev_read_urand(vpnc_t)
 dev_read_sysfs(vpnc_t)
 
 domain_use_interactive_fds(vpnc_t)
 
-files_exec_etc_files(vpnc_t)
-files_read_etc_runtime_files(vpnc_t)
-files_dontaudit_search_home(vpnc_t)
-
 fs_getattr_xattr_fs(vpnc_t)
 fs_getattr_tmpfs(vpnc_t)
 
-term_use_all_ptys(vpnc_t)
-term_use_all_ttys(vpnc_t)
+term_use_all_inherited_ptys(vpnc_t)
+term_use_all_inherited_ttys(vpnc_t)
+
+corecmd_exec_all_executables(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
 
 auth_use_nsswitch(vpnc_t)
 
@@ -103,16 +101,15 @@ locallogin_use_fds(vpnc_t)
 logging_send_syslog_msg(vpnc_t)
 logging_dontaudit_search_logs(vpnc_t)
 
-miscfiles_read_localization(vpnc_t)
-
-seutil_dontaudit_search_config(vpnc_t)
+seutil_use_newrole_fds(vpnc_t)
 
 sysnet_run_ifconfig(vpnc_t, vpnc_roles)
 sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
 userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_user_home_content(vpnc_t)
+userdom_read_home_certs(vpnc_t)
+userdom_search_admin_dir(vpnc_t)
 
 optional_policy(`
 	dbus_system_bus_client(vpnc_t)
@@ -124,8 +121,5 @@ optional_policy(`
 
 optional_policy(`
 	networkmanager_attach_tun_iface(vpnc_t)
-')
-
-optional_policy(`
-	seutil_use_newrole_fds(vpnc_t)
+	networkmanager_manage_pid_files(vpnc_t)
 ')
diff --git a/w3c.fc b/w3c.fc
index 463c799f46..227feaf345 100644
--- a/w3c.fc
+++ b/w3c.fc
@@ -1,4 +1,4 @@
-/usr/lib/cgi-bin/check	--	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+/usr/lib/cgi-bin/check	--	gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
 
-/usr/share/w3c-markup-validator(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
-/usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+/usr/share/w3c-markup-validator(/.*)?	gen_context(system_u:object_r:w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:w3c_validator_script_exec_t,s0)
diff --git a/w3c.te b/w3c.te
index b14d6a9481..d7c79382da 100644
--- a/w3c.te
+++ b/w3c.te
@@ -6,29 +6,37 @@ policy_module(w3c, 1.1.0)
 #
 
 apache_content_template(w3c_validator)
+apache_content_alias_template(w3c_validator, w3c_validator)
+
+type w3c_validator_tmp_t;
+files_tmp_file(w3c_validator_tmp_t)
 
 ########################################
 #
 # Local policy
 #
+manage_dirs_pattern(w3c_validator_script_t, w3c_validator_tmp_t, w3c_validator_tmp_t)
+manage_files_pattern(w3c_validator_script_t, w3c_validator_tmp_t, w3c_validator_tmp_t)
+files_tmp_filetrans(w3c_validator_script_t, w3c_validator_tmp_t, { file dir })
+
 
-corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
-corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t)
+corenet_all_recvfrom_unlabeled(w3c_validator_script_t)
+corenet_all_recvfrom_netlabel(w3c_validator_script_t)
+corenet_tcp_sendrecv_generic_if(w3c_validator_script_t)
+corenet_tcp_sendrecv_generic_node(w3c_validator_script_t)
 
-corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t)
-corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_sendrecv_ftp_client_packets(w3c_validator_script_t)
+corenet_tcp_connect_ftp_port(w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t)
 
-corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t)
-corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_sendrecv_http_client_packets(w3c_validator_script_t)
+corenet_tcp_connect_http_port(w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(w3c_validator_script_t)
 
-corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t)
-corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t)
 
-miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
+miscfiles_read_generic_certs(w3c_validator_script_t)
 
-sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+sysnet_dns_name_resolve(w3c_validator_script_t)
diff --git a/watchdog.fc b/watchdog.fc
index eecd0e03b3..8df2e8ce75 100644
--- a/watchdog.fc
+++ b/watchdog.fc
@@ -1,7 +1,12 @@
 /etc/rc\.d/init\.d/watchdog	--	gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+/etc/watchdog\.d(/.*)?       gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0)
 
 /usr/sbin/watchdog	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
 
+/usr/libexec/watchdog/scripts(/.*)?       gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0)
+
+/var/cache/watchdog(/.*)?   gen_context(system_u:object_r:watchdog_cache_t,s0)
+
 /var/log/watchdog.*	gen_context(system_u:object_r:watchdog_log_t,s0)
 
 /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/watchdog.if b/watchdog.if
index 6461a77468..8fda2dd718 100644
--- a/watchdog.if
+++ b/watchdog.if
@@ -37,3 +37,21 @@ interface(`watchdog_admin',`
 	files_search_pids($1)
 	admin_pattern($1, watchdog_var_run_t)
 ')
+
+#######################################
+## <summary>
+##  Allow read watchdog_unconfined_t lnk files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`watchdog_unconfined_exec_read_lnk_files',`
+	gen_require(`
+		type watchdog_unconfined_exec_t;
+	')
+
+    read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)
+')
diff --git a/watchdog.te b/watchdog.te
index 3548317cf8..fc3da17d6b 100644
--- a/watchdog.te
+++ b/watchdog.te
@@ -12,34 +12,47 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
 type watchdog_initrc_exec_t;
 init_script_file(watchdog_initrc_exec_t)
 
+type watchdog_cache_t;
+files_type(watchdog_cache_t)
+
 type watchdog_log_t;
 logging_log_file(watchdog_log_t)
 
 type watchdog_var_run_t;
 files_pid_file(watchdog_var_run_t)
 
+type watchdog_unconfined_exec_t;
+application_executable_file(watchdog_unconfined_exec_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw };
 dontaudit watchdog_t self:capability sys_tty_config;
 allow watchdog_t self:process { setsched signal_perms };
 allow watchdog_t self:fifo_file rw_fifo_file_perms;
 allow watchdog_t self:tcp_socket { accept listen };
+allow watchdog_t self:rawip_socket create_socket_perms;
 
-allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
+
+manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
+manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
+logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})
 
 manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
 files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
 
+kernel_read_network_state(watchdog_t)
 kernel_read_system_state(watchdog_t)
 kernel_read_kernel_sysctls(watchdog_t)
 kernel_unmount_proc(watchdog_t)
 
 corecmd_exec_shell(watchdog_t)
+corecmd_exec_bin(watchdog_t)
 
 corenet_all_recvfrom_unlabeled(watchdog_t)
 corenet_all_recvfrom_netlabel(watchdog_t)
@@ -63,7 +76,6 @@ domain_signull_all_domains(watchdog_t)
 domain_signal_all_domains(watchdog_t)
 domain_kill_all_domains(watchdog_t)
 
-files_read_etc_files(watchdog_t)
 files_manage_etc_runtime_files(watchdog_t)
 files_etc_filetrans_etc_runtime(watchdog_t, file)
 
@@ -72,16 +84,19 @@ fs_getattr_all_fs(watchdog_t)
 fs_search_auto_mountpoints(watchdog_t)
 
 auth_append_login_records(watchdog_t)
+auth_read_passwd(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
-miscfiles_read_localization(watchdog_t)
-
 sysnet_dns_name_resolve(watchdog_t)
 
 userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
 userdom_dontaudit_search_user_home_dirs(watchdog_t)
 
+optional_policy(`
+    cron_system_entry(watchdog_t, watchdog_exec_t)
+')
+
 optional_policy(`
 	mta_send_mail(watchdog_t)
 ')
@@ -90,6 +105,10 @@ optional_policy(`
 	nis_use_ypbind(watchdog_t)
 ')
 
+optional_policy(`
+    rhcs_domtrans_fenced(watchdog_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(watchdog_t)
 ')
@@ -97,3 +116,32 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(watchdog_t)
 ')
+
+optional_policy(`
+	watchdog_unconfined_exec_read_lnk_files(watchdog_t)
+')
+
+########################################
+#
+# watchdog_unconfined_script_t local policy
+#
+
+optional_policy(`
+	type watchdog_unconfined_t;
+	domain_type(watchdog_unconfined_t)
+
+	domain_entry_file(watchdog_unconfined_t, watchdog_unconfined_exec_t)
+	role system_r types watchdog_unconfined_t;
+
+	domtrans_pattern(watchdog_t, watchdog_unconfined_exec_t, watchdog_unconfined_t)
+
+	allow watchdog_t watchdog_unconfined_exec_t:dir search_dir_perms;
+	allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms;
+	allow watchdog_t watchdog_unconfined_exec_t:file ioctl;
+
+	init_domtrans_script(watchdog_unconfined_t)
+
+	optional_policy(`
+		unconfined_domain(watchdog_unconfined_t)
+	')
+')
diff --git a/wdmd.fc b/wdmd.fc
index 66f11f7247..e051997a6d 100644
--- a/wdmd.fc
+++ b/wdmd.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/wdmd	--	gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
 
-/usr/sbin/wdmd	--	gen_context(system_u:object_r:wdmd_exec_t,s0)
+/usr/sbin/wdmd		--	gen_context(system_u:object_r:wdmd_exec_t,s0)
+
+/var/run/wdmd(/.*)?		gen_context(system_u:object_r:wdmd_var_run_t,s0)
+/var/run/checkquorum-timer  --  gen_context(system_u:object_r:wdmd_var_run_t,s0)
 
-/var/run/wdmd(/.*)?	gen_context(system_u:object_r:wdmd_var_run_t,s0)
diff --git a/wdmd.if b/wdmd.if
index 1e3aec07f0..d17ff392f1 100644
--- a/wdmd.if
+++ b/wdmd.if
@@ -1,29 +1,47 @@
-## <summary>Watchdog multiplexing daemon.</summary>
+
+## <summary>watchdog multiplexing daemon</summary>
 
 ########################################
 ## <summary>
-##	Connect to wdmd with a unix
-##	domain stream socket.
+##	Execute a domain transition to run wdmd.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wdmd_domtrans',`
+	gen_require(`
+		type wdmd_t, wdmd_exec_t;
+	')
+
+	domtrans_pattern($1, wdmd_exec_t, wdmd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute wdmd server in the wdmd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
 ##	</summary>
 ## </param>
 #
-interface(`wdmd_stream_connect',`
+interface(`wdmd_initrc_domtrans',`
 	gen_require(`
-		type wdmd_t, wdmd_var_run_t;
+		type wdmd_initrc_exec_t;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
+	init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an wdmd environment.
+##	All of the rules required to administrate
+##	an wdmd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -39,17 +57,77 @@ interface(`wdmd_stream_connect',`
 #
 interface(`wdmd_admin',`
 	gen_require(`
-		type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t;
+		type wdmd_t;
+		type wdmd_initrc_exec_t;
 	')
 
-	allow $1 wdmd_t:process { ptrace signal_perms };
+	allow $1 wdmd_t:process signal_perms;
 	ps_process_pattern($1, wdmd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 wdmd_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
+	wdmd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 wdmd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+')
+
+######################################
+## <summary>
+##	Create, read, write, and delete wdmd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wdmd_manage_pid_files',`
+	gen_require(`
+		type wdmd_var_run_t;
+	')
+
 	files_search_pids($1)
-	admin_pattern($1, wdmd_var_run_t)
+	manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
+')
+
+########################################
+## <summary>
+##      Connect to wdmd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`wdmd_stream_connect',`
+        gen_require(`
+                type wdmd_t, wdmd_var_run_t;
+        ')
+
+        files_search_pids($1)
+        stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
+')
+
+
+####################################
+## <summary>
+##  Allow the specified domain to read/write wdmd's tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`wdmd_rw_tmpfs',`
+    gen_require(`
+        type wdmd_tmpfs_t;
+    ')
+
+    rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)
+
 ')
diff --git a/wdmd.te b/wdmd.te
index 4815a93f41..24dcf51740 100644
--- a/wdmd.te
+++ b/wdmd.te
@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
 dev_read_watchdog(wdmd_t)
 dev_write_watchdog(wdmd_t)
 
+fs_getattr_all_fs(wdmd_t)
 fs_read_anon_inodefs_files(wdmd_t)
 
 auth_use_nsswitch(wdmd_t)
 
 logging_send_syslog_msg(wdmd_t)
 
-miscfiles_read_localization(wdmd_t)
-
 optional_policy(`
-	corosync_initrc_domtrans(wdmd_t)
-	corosync_stream_connect(wdmd_t)
-	corosync_rw_tmpfs(wdmd_t)
+	rhcs_initrc_domtrans_cluster(wdmd_t)
+	rhcs_stream_connect_cluster(wdmd_t)
+	rhcs_rw_cluster_tmpfs(wdmd_t)
 ')
diff --git a/webadm.te b/webadm.te
index 2a6cae7736..d2752d9bb4 100644
--- a/webadm.te
+++ b/webadm.te
@@ -25,12 +25,21 @@ role webadm_r;
 
 userdom_base_user_template(webadm)
 
+type webadm_tmp_t;
+files_tmp_file(webadm_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource };
+
+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
+can_exec(webadm_t, webadm_tmp_t)
 
 files_dontaudit_search_all_dirs(webadm_t)
 files_list_var(webadm_t)
@@ -38,12 +47,26 @@ files_list_var(webadm_t)
 selinux_get_enforce_mode(webadm_t)
 seutil_domtrans_setfiles(webadm_t)
 
+init_rw_pipes(webadm_t)
+init_status(webadm_t)
+
 logging_send_audit_msgs(webadm_t)
 logging_send_syslog_msg(webadm_t)
 
 userdom_dontaudit_search_user_home_dirs(webadm_t)
+userdom_dontaudit_manage_admin_files(webadm_t)
+
+optional_policy(`
+	apache_admin(webadm_t, webadm_r)
+')
+
+optional_policy(`
+    dbus_system_bus_client(webadm_t)
+')
 
-apache_admin(webadm_t, webadm_r)
+optional_policy(`
+    policykit_dbus_chat(webadm_t)
+')
 
 tunable_policy(`webadm_manage_user_files',`
 	userdom_manage_user_home_content_files(webadm_t)
diff --git a/webalizer.fc b/webalizer.fc
index 64baf679e3..76c753b1ac 100644
--- a/webalizer.fc
+++ b/webalizer.fc
@@ -6,4 +6,4 @@
 
 /var/lib/webalizer(/.*)?	gen_context(system_u:object_r:webalizer_var_lib_t,s0)
 
-/var/www/usage(/.*)?	gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
+/var/www/usage(/.*)?	gen_context(system_u:object_r:webalizer_rw_content_t,s0)
diff --git a/webalizer.te b/webalizer.te
index ae919b9a52..cdd9359d13 100644
--- a/webalizer.te
+++ b/webalizer.te
@@ -33,7 +33,7 @@ files_type(webalizer_write_t)
 # Local policy
 #
 
-allow webalizer_t self:capability dac_override;
+allow webalizer_t self:capability { dac_read_search dac_override };
 allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow webalizer_t self:fd use;
 allow webalizer_t self:fifo_file rw_fifo_file_perms;
@@ -55,29 +55,36 @@ can_exec(webalizer_t, webalizer_exec_t)
 kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)
 
-files_read_etc_runtime_files(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
+corenet_tcp_sendrecv_generic_if(webalizer_t)
+corenet_tcp_sendrecv_generic_node(webalizer_t)
+corenet_tcp_sendrecv_all_ports(webalizer_t)
 
 fs_search_auto_mountpoints(webalizer_t)
 fs_getattr_xattr_fs(webalizer_t)
 fs_rw_anon_inodefs_files(webalizer_t)
 
-auth_use_nsswitch(webalizer_t)
+files_read_etc_runtime_files(webalizer_t)
 
 logging_list_logs(webalizer_t)
 logging_send_syslog_msg(webalizer_t)
 
-miscfiles_read_localization(webalizer_t)
+auth_use_nsswitch(webalizer_t)
+
 miscfiles_read_public_files(webalizer_t)
 
-userdom_use_user_terminals(webalizer_t)
+sysnet_dns_name_resolve(webalizer_t)
+sysnet_read_config(webalizer_t)
+
+userdom_use_inherited_user_terminals(webalizer_t)
 userdom_use_unpriv_users_fds(webalizer_t)
 userdom_dontaudit_search_user_home_content(webalizer_t)
 
 optional_policy(`
 	apache_read_log(webalizer_t)
 	apache_content_template(webalizer)
-	manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
-	manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+	apache_content_alias_template(webalizer, webalizer)
+	apache_manage_sys_content(webalizer_t)
 ')
 
 optional_policy(`
diff --git a/wine.if b/wine.if
index fd2b6cc1e6..9c4f14b880 100644
--- a/wine.if
+++ b/wine.if
@@ -1,46 +1,58 @@
-## <summary>Run Windows programs in Linux.</summary>
+## <summary>Wine Is Not an Emulator.  Run Windows programs in Linux.</summary>
 
-########################################
+#######################################
 ## <summary>
-##	Role access for wine.
+##	The per role template for the wine module.
 ## </summary>
-## <param name="role">
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for wine applications.
+##	</p>
+## </desc>
+## <param name="user_role">
 ##	<summary>
-##	Role allowed access.
+##	The role associated with the user domain.
 ##	</summary>
 ## </param>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
-##	User domain for the role.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-interface(`wine_role',`
+template(`wine_role',`
 	gen_require(`
-		attribute_role wine_roles;
-		type wine_exec_t, wine_t, wine_tmp_t;
+		type wine_t;
 		type wine_home_t;
+		type wine_exec_t;
 	')
 
-	roleattribute $1 wine_roles;
-
-	domtrans_pattern($2, wine_exec_t, wine_t)
+	role $1 types wine_t;
 
+	domain_auto_trans($2, wine_exec_t, wine_t)
+	# Unrestricted inheritance from the caller.
+	allow $2 wine_t:process { noatsecure siginh rlimitinh };
+	allow wine_t $2:fd use;
+	allow wine_t $2:process { sigchld signull };
 	allow wine_t $2:unix_stream_socket connectto;
-	allow wine_t $2:process signull;
 
+	# Allow the user domain to signal/ps.
 	ps_process_pattern($2, wine_t)
-	allow $2 wine_t:process { ptrace signal_perms };
+	allow $2 wine_t:process signal_perms;
 
 	allow $2 wine_t:fd use;
-	allow $2 wine_t:shm { associate getattr };
-	allow $2 wine_t:shm rw_shm_perms;
+	allow $2 wine_t:shm { associate getattr  unix_read unix_write };
 	allow $2 wine_t:unix_stream_socket connectto;
 
-	allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
+	# X access, Home files
+	manage_dirs_pattern($2, wine_home_t, wine_home_t)
+	manage_files_pattern($2, wine_home_t, wine_home_t)
+	manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
+	relabel_dirs_pattern($2, wine_home_t, wine_home_t)
+	relabel_files_pattern($2, wine_home_t, wine_home_t)
+	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+
 ')
 
 #######################################
@@ -72,31 +84,26 @@ interface(`wine_role',`
 #
 template(`wine_role_template',`
 	gen_require(`
+		type wine_t;
+		attribute wine_domain;
 		type wine_exec_t;
 	')
 
-	type $1_wine_t;
-	userdom_user_application_domain($1_wine_t, wine_exec_t)
+	type $1_wine_t, wine_domain;
+	domain_type($1_wine_t)
+	domain_entry_file($1_wine_t, wine_exec_t)
+	ubac_constrained($1_wine_t)
 	role $2 types $1_wine_t;
-
-	allow $1_wine_t self:process { execmem execstack };
-
-	allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
-	ps_process_pattern($3, $1_wine_t)
-
+	allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
 	domtrans_pattern($3, wine_exec_t, $1_wine_t)
-
-	corecmd_bin_domtrans($1_wine_t, $3)
+	corecmd_bin_domtrans($1_wine_t, $1_t)
 
 	userdom_unpriv_usertype($1, $1_wine_t)
-	userdom_manage_user_tmpfs_files($1_wine_t)
+	userdom_manage_tmp_role($2, $1_wine_t)
+	userdom_manage_home_role($2 ,$1_wine_t)
 
 	domain_mmap_low($1_wine_t)
 
-	tunable_policy(`wine_mmap_zero_ignore',`
-		dontaudit $1_wine_t self:memprotect mmap_zero;
-	')
-
 	optional_policy(`
 		xserver_role($1_r, $1_wine_t)
 	')
@@ -123,9 +130,8 @@ interface(`wine_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute wine in the wine domain,
-##	and allow the specified role
-##	the wine domain.
+##	Execute wine in the wine domain, and
+##	allow the specified role the wine domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -140,11 +146,11 @@ interface(`wine_domtrans',`
 #
 interface(`wine_run',`
 	gen_require(`
-		attribute_role wine_roles;
+		type wine_t;
 	')
 
 	wine_domtrans($1)
-	roleattribute $2 wine_roles;
+	role $2 types wine_t;
 ')
 
 ########################################
@@ -165,3 +171,22 @@ interface(`wine_rw_shm',`
 
 	allow $1 wine_t:shm rw_shm_perms;
 ')
+
+########################################
+## <summary>
+##	Transition to wine named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wine_filetrans_named_content',`
+	gen_require(`
+		type wine_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine")
+')
+
diff --git a/wine.te b/wine.te
index 491b87b44a..2a79df4078 100644
--- a/wine.te
+++ b/wine.te
@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
 ## </desc>
 gen_tunable(wine_mmap_zero_ignore, false)
 
+attribute wine_domain;
 attribute_role wine_roles;
 roleattribute system_r wine_roles;
 
-type wine_t;
+type wine_t, wine_domain;
 type wine_exec_t;
 userdom_user_application_domain(wine_t, wine_exec_t)
 role wine_roles types wine_t;
@@ -25,56 +26,63 @@ role wine_roles types wine_t;
 type wine_home_t;
 userdom_user_home_content(wine_home_t)
 
-type wine_tmp_t;
-userdom_user_tmp_file(wine_tmp_t)
-
 ########################################
 #
 # Local policy
 #
+domain_mmap_low(wine_t)
+
+optional_policy(`
+	unconfined_domain(wine_t)
+')
 
-allow wine_t self:process { execstack execmem execheap };
-allow wine_t self:fifo_file manage_fifo_file_perms;
 
-can_exec(wine_t, wine_exec_t)
+########################################
+#
+# Common wine domain policy
+#
 
-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+allow wine_domain self:process { execstack execmem execheap };
+allow wine_domain self:fifo_file manage_fifo_file_perms;
 
-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+can_exec(wine_domain, wine_exec_t)
 
-domain_mmap_low(wine_t)
+manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
+userdom_tmpfs_filetrans(wine_domain, file)
+wine_filetrans_named_content(wine_domain)
 
-files_execmod_all_files(wine_t)
+files_execmod_all_files(wine_domain)
 
-userdom_use_user_terminals(wine_t)
+userdom_use_inherited_user_terminals(wine_domain)
 
 tunable_policy(`wine_mmap_zero_ignore',`
-	dontaudit wine_t self:memprotect mmap_zero;
+	dontaudit wine_domain self:memprotect mmap_zero;
 ')
 
 optional_policy(`
-	dbus_system_bus_client(wine_t)
+	dbus_system_bus_client(wine_domain)
 
 	optional_policy(`
-		hal_dbus_chat(wine_t)
+		hal_dbus_chat(wine_domain)
 	')
 
 	optional_policy(`
-		policykit_dbus_chat(wine_t)
+		policykit_dbus_chat(wine_domain)
 	')
 ')
 
 optional_policy(`
-	rtkit_scheduled(wine_t)
+    gnome_create_generic_cache_dir(wine_domain)
 ')
 
 optional_policy(`
-	unconfined_domain(wine_t)
+	rtkit_scheduled(wine_domain)
 ')
 
 optional_policy(`
-	xserver_read_xdm_pid(wine_t)
-	xserver_rw_shm(wine_t)
+	xserver_read_xdm_pid(wine_domain)
+	xserver_rw_shm(wine_domain)
 ')
+
diff --git a/wireshark.te b/wireshark.te
index ff6ef38592..436d3bf5ad 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
 # Local Policy
 #
 
-allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:capability { net_admin net_raw };
 allow wireshark_t self:process { signal getsched };
 allow wireshark_t self:fifo_file rw_fifo_file_perms;
 allow wireshark_t self:shm create_shm_perms;
@@ -82,7 +82,6 @@ dev_read_rand(wireshark_t)
 dev_read_sysfs(wireshark_t)
 dev_read_urand(wireshark_t)
 
-files_read_usr_files(wireshark_t)
 
 fs_getattr_all_fs(wireshark_t)
 fs_list_inotifyfs(wireshark_t)
@@ -90,31 +89,15 @@ fs_search_auto_mountpoints(wireshark_t)
 
 auth_use_nsswitch(wireshark_t)
 
-libs_read_lib_files(wireshark_t)
-
 miscfiles_read_fonts(wireshark_t)
-miscfiles_read_localization(wireshark_t)
 
 userdom_use_user_terminals(wireshark_t)
 
 userdom_manage_user_home_content_files(wireshark_t)
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(wireshark_t)
-	fs_manage_nfs_files(wireshark_t)
-	fs_manage_nfs_symlinks(wireshark_t)
-')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(wireshark_t)
-	fs_manage_cifs_files(wireshark_t)
-	fs_manage_cifs_symlinks(wireshark_t)
-')
+userdom_filetrans_home_content(wireshark_t)
 
-optional_policy(`
-	seutil_use_newrole_fds(wireshark_t)
-')
+userdom_home_manager(wireshark_t)
 
 optional_policy(`
 	userhelper_use_fd(wireshark_t)
diff --git a/wm.fc b/wm.fc
index 304ae09d36..c1d10a11b0 100644
--- a/wm.fc
+++ b/wm.fc
@@ -1,4 +1,4 @@
 /usr/bin/gnome-shell	--	gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/openbox	--	gen_context(system_u:object_r:wm_exec_t,s0)
 /usr/bin/metacity	--	gen_context(system_u:object_r:wm_exec_t,s0)
-/usr/bin/twm	--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/wm.if b/wm.if
index 95f888d169..48fe249e15 100644
--- a/wm.if
+++ b/wm.if
@@ -1,4 +1,4 @@
-## <summary>X Window Managers.</summary>
+## <summary>X Window Managers</summary>
 
 #######################################
 ## <summary>
@@ -29,69 +29,58 @@
 #
 template(`wm_role_template',`
 	gen_require(`
-		attribute wm_domain;
 		type wm_exec_t;
+		class dbus send_msg;
+		attribute wm_domain;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
 	type $1_wm_t, wm_domain;
-	userdom_user_application_domain($1_wm_t, wm_exec_t)
+	domain_type($1_wm_t)
+	domain_entry_file($1_wm_t, wm_exec_t)
 	role $2 types $1_wm_t;
 
-	########################################
-	#
-	# Policy
-	#
-
 	allow $1_wm_t $3:unix_stream_socket connectto;
 	allow $3 $1_wm_t:unix_stream_socket connectto;
+	allow $3 $1_wm_t:process { signal sigchld signull };
+	allow $1_wm_t $3:process { signull sigkill };
 
-	allow $3 $1_wm_t:process { ptrace signal_perms };
-	ps_process_pattern($3, $1_wm_t)
+	allow $1_wm_t $3:dbus send_msg;
+	allow $3 $1_wm_t:dbus send_msg;
 
-	allow $1_wm_t $3:process { signull sigkill };
+	userdom_manage_home_role($2, $1_wm_t)
+	userdom_manage_tmp_role($2, $1_wm_t)
+	userdom_exec_user_tmp_files($1_wm_t)
 
 	domtrans_pattern($3, wm_exec_t, $1_wm_t)
 
 	corecmd_bin_domtrans($1_wm_t, $3)
 	corecmd_shell_domtrans($1_wm_t, $3)
 
+	auth_use_nsswitch($1_wm_t)
+
+	kernel_read_system_state($1_wm_t)
+
+	auth_use_nsswitch($1_wm_t)
+
 	mls_file_read_all_levels($1_wm_t)
 	mls_file_write_all_levels($1_wm_t)
 	mls_xwin_read_all_levels($1_wm_t)
 	mls_xwin_write_all_levels($1_wm_t)
 	mls_fd_use_all_levels($1_wm_t)
 
-	auth_use_nsswitch($1_wm_t)
-
-	xserver_role($2, $1_wm_t)
-	xserver_manage_core_devices($1_wm_t)
-
-	optional_policy(`
-		dbus_spec_session_bus_client($1, $1_wm_t)
-		dbus_system_bus_client($1_wm_t)
-
-		optional_policy(`
-			wm_dbus_chat($1, $3)
-		')
-	')
-
 	optional_policy(`
-		gnome_stream_connect_gkeyringd($1, $1_wm_t)
+		pulseaudio_run($1_wm_t, $2)
 	')
 
 	optional_policy(`
-		pulseaudio_run($1_wm_t, $2)
+		xserver_role($2, $1_wm_t)
+		xserver_manage_core_devices($1_wm_t)
 	')
 ')
 
 ########################################
 ## <summary>
-##	Execute wm in the caller domain.
+##	Execute the wm program in the wm domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -104,33 +93,5 @@ interface(`wm_exec',`
 		type wm_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, wm_exec_t)
 ')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	specified wm over dbus.
-## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`wm_dbus_chat',`
-	gen_require(`
-		type $1_wm_t;
-		class dbus send_msg;
-	')
-
-	allow $2 $1_wm_t:dbus send_msg;
-	allow $1_wm_t $2:dbus send_msg;
-')
diff --git a/wm.te b/wm.te
index 638d10fc69..5fb9960089 100644
--- a/wm.te
+++ b/wm.te
@@ -1,12 +1,12 @@
 policy_module(wm, 1.3.3)
 
+attribute wm_domain;
+
 ########################################
 #
 # Declarations
 #
 
-attribute wm_domain;
-
 type wm_exec_t;
 corecmd_executable_file(wm_exec_t)
 
@@ -18,11 +18,11 @@ corecmd_executable_file(wm_exec_t)
 allow wm_domain self:fifo_file rw_fifo_file_perms;
 allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
 allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
 allow wm_domain self:shm create_shm_perms;
 allow wm_domain self:unix_dgram_socket create_socket_perms;
 
-kernel_read_system_state(wm_domain)
-
+corecmd_dontaudit_access_all_executables(wm_domain)
 corecmd_getattr_all_executables(wm_domain)
 
 dev_read_sound(wm_domain)
@@ -31,12 +31,18 @@ dev_read_urand(wm_domain)
 dev_rw_wireless(wm_domain)
 dev_write_sound(wm_domain)
 
-files_read_usr_files(wm_domain)
-
 fs_getattr_all_fs(wm_domain)
 
+application_signull(wm_domain)
+
+init_read_state(wm_domain)
+
 miscfiles_read_fonts(wm_domain)
-miscfiles_read_localization(wm_domain)
+
+systemd_dbus_chat_logind(wm_domain)
+systemd_read_logind_sessions_files(wm_domain)
+systemd_write_inhibit_pipes(wm_domain)
+systemd_login_read_pid_files(wm_domain)
 
 userdom_manage_user_tmp_sockets(wm_domain)
 userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
@@ -45,24 +51,38 @@ userdom_manage_user_home_content_dirs(wm_domain)
 userdom_manage_user_home_content_files(wm_domain)
 userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
 
-optional_policy(`
-	accountsd_dbus_chat(wm_domain)
-')
-	
-optional_policy(`
-	bluetooth_dbus_chat(wm_domain)
-')		
+udev_read_pid_files(wm_domain)
 
 optional_policy(`
-	devicekit_dbus_chat_power(wm_domain)
+	gnome_stream_connect_gkeyringd(wm_domain)
 ')
 
 optional_policy(`
-	networkmanager_dbus_chat(wm_domain)
-')
+	dbus_system_bus_client(wm_domain)
+	dbus_session_bus_client(wm_domain)
+	optional_policy(`
+		accountsd_dbus_chat(wm_domain)
+	')
+	
+	optional_policy(`
+		bluetooth_dbus_chat(wm_domain)
+	')		
 
-optional_policy(`
-	policykit_dbus_chat(wm_domain)
+	optional_policy(`
+		devicekit_dbus_chat_power(wm_domain)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(wm_domain)
+	')
+
+	optional_policy(`
+		policykit_dbus_chat(wm_domain)
+	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind(wm_domain)
+	')
 ')
 
 optional_policy(`
@@ -72,3 +92,7 @@ optional_policy(`
 optional_policy(`
 	userhelper_exec_consolehelper(wm_domain)
 ')
+
+optional_policy(`
+	xserver_manage_core_devices(wm_domain)
+')
diff --git a/xen.fc b/xen.fc
index 42d83b02fc..651d1cb610 100644
--- a/xen.fc
+++ b/xen.fc
@@ -1,38 +1,42 @@
 /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
 
-/usr/lib/xen-[^/]*/bin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xend	--	gen_context(system_u:object_r:xend_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xl	--	gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/lib/xen-[^/]*/bin/xm	--	gen_context(system_u:object_r:xm_exec_t,s0)
-
 /usr/sbin/blktapctrl	--	gen_context(system_u:object_r:blktap_exec_t,s0)
 /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
 /usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
+
+#/usr/lib/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xend --	gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xm --	gen_context(system_u:object_r:xm_exec_t,s0)
+',`
 /usr/sbin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-/usr/sbin/xend	--	gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/sbin/xend		--	gen_context(system_u:object_r:xend_exec_t,s0)
 /usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
-/usr/sbin/xl	--	gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/sbin/xm	--	gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/sbin/oxenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
+')
 
-/var/lib/xen(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xen/images(/.*)?	gen_context(system_u:object_r:xen_image_t,s0)
-/var/lib/xend(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xend(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_lib_t,s0)
 
 /var/log/evtchnd\.log.*	--	gen_context(system_u:object_r:evtchnd_var_log_t,s0)
-/var/log/xen(/.*)?	gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xen(/.*)?		gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xen-hotplug\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend-debug\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/log/xenstored.*		gen_context(system_u:object_r:xenstored_var_log_t,s0)
 
 /var/run/evtchnd	-s	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
 /var/run/evtchnd\.pid	--	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
-/var/run/xenconsoled\.pid	--	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
-/var/run/xend(/.*)?	gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xend\.pid	--	gen_context(system_u:object_r:xend_var_run_t,s0)
-/var/run/xenner(/.*)?	gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenner(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 
-/xen(/.*)?	gen_context(system_u:object_r:xen_image_t,s0)
+/xen(/.*)?			gen_context(system_u:object_r:xen_image_t,s0)
diff --git a/xen.if b/xen.if
index f93558c5ac..16e29c1413 100644
--- a/xen.if
+++ b/xen.if
@@ -1,13 +1,13 @@
-## <summary>Xen hypervisor.</summary>
+## <summary>Xen hypervisor</summary>
 
 ########################################
 ## <summary>
 ##	Execute a domain transition to run xend.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
 ##	Domain allowed to transition.
-##	</summary>
+## 	</summary>
 ## </param>
 #
 interface(`xen_domtrans',`
@@ -15,18 +15,18 @@ interface(`xen_domtrans',`
 		type xend_t, xend_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, xend_exec_t, xend_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute xend in the caller domain.
+##	Allow the specified domain to execute xend
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
 ##	Domain allowed access.
-##	</summary>
+## 	</summary>
 ## </param>
 #
 interface(`xen_exec',`
@@ -34,7 +34,6 @@ interface(`xen_exec',`
 		type xend_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, xend_exec_t)
 ')
 
@@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',`
 	dontaudit $1 xend_t:fd use;
 ')
 
+#######################################
+## <summary>
+##  Read xend pid files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`xen_read_pid_files_xenstored',`
+    gen_require(`
+        type xenstored_var_run_t;
+    ')
+
+    files_search_pids($1)
+
+    read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
+')
+
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	xend image directories.
+##	Read xend lib files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
 ##	Domain allowed access.
-##	</summary>
+## 	</summary>
 ## </param>
 #
-interface(`xen_manage_image_dirs',`
+interface(`xen_read_lib_files',`
 	gen_require(`
 		type xend_var_lib_t;
 	')
 
-	files_search_var_lib($1)
-	manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+	files_list_var_lib($1)
+	read_files_pattern($1, xend_var_lib_t, xend_var_lib_t)
 ')
 
 ########################################
@@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',`
 ##	Read xend image files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
 ##	Domain allowed access.
-##	</summary>
+## 	</summary>
 ## </param>
 #
 interface(`xen_read_image_files',`
@@ -111,18 +129,40 @@ interface(`xen_read_image_files',`
 	')
 
 	files_list_var_lib($1)
+
 	list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
 	read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write xend image files.
+##	Allow the specified domain to read/write
+##	xend image files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
 ##	Domain allowed access.
-##	</summary>
+## 	</summary>
+## </param>
+#
+interface(`xen_manage_image_dirs',`
+	gen_require(`
+		type xend_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	xend image files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
 ## </param>
 #
 interface(`xen_rw_image_files',`
@@ -137,7 +177,8 @@ interface(`xen_rw_image_files',`
 
 ########################################
 ## <summary>
-##	Append xend log files.
+##	Allow the specified domain to append
+##	xend log files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -157,13 +198,13 @@ interface(`xen_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+##	Create, read, write, and delete the
 ##	xend log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## 	<summary>
 ##	Domain allowed access.
-##	</summary>
+## 	</summary>
 ## </param>
 #
 interface(`xen_manage_log',`
@@ -176,29 +217,11 @@ interface(`xen_manage_log',`
 	manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
 ')
 
-#######################################
-## <summary>
-##	Read xenstored pid files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xen_read_xenstored_pid_files',`
-	gen_require(`
-		type xenstored_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
-')
-
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write
-##	Xen unix domain stream sockets.
+##	Xen unix domain stream sockets.  These
+##	are leaked file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
 
 ########################################
 ## <summary>
-##	Connect to xenstored with a unix
-##	domain stream socket.
+##	Connect to xenstored over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',`
 
 ########################################
 ## <summary>
-##	Connect to xend with a unix
-##	domain stream socket.
+##	Connect to xend over a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -270,16 +291,15 @@ interface(`xen_stream_connect',`
 interface(`xen_domtrans_xm',`
 	gen_require(`
 		type xm_t, xm_exec_t;
+		attribute virsh_transition_domain;
 	')
-
-	corecmd_search_bin($1)
+	typeattribute $1 virsh_transition_domain;
 	domtrans_pattern($1, xm_exec_t, xm_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to xm with a unix
-##	domain stream socket.
+##	Connect to xm over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',`
 #
 interface(`xen_stream_connect_xm',`
 	gen_require(`
-		type xm_t;
+		type xm_t, xenstored_var_run_t;
 	')
 
 	files_search_pids($1)
diff --git a/xen.te b/xen.te
index 6f736a9936..c1ba3ba4b9 100644
--- a/xen.te
+++ b/xen.te
@@ -4,39 +4,31 @@ policy_module(xen, 1.13.0)
 #
 # Declarations
 #
+attribute xm_transition_domain;
 
 ## <desc>
-##	<p>
-##	Determine whether xend can
-##	run blktapctrl and tapdisk.
+## <p>
+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
 ## </p>
 ## </desc>
-gen_tunable(xend_run_blktap, false)
+gen_tunable(xend_run_blktap, true)
 
 ## <desc>
-##	<p>
-##	Determine whether xen can
-##	use fusefs file systems.
-##	</p>
+## <p>
+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+## </p>
 ## </desc>
-gen_tunable(xen_use_fusefs, false)
+gen_tunable(xend_run_qemu, true)
 
 ## <desc>
-##	<p>
-##	Determine whether xen can
-##	use nfs file systems.
-##	</p>
+## <p>
+## Allow xen to manage nfs files
+## </p>
 ## </desc>
 gen_tunable(xen_use_nfs, false)
 
-## <desc>
-##	<p>
-##	Determine whether xen can
-##	use samba file systems.
-##	</p>
-## </desc>
-gen_tunable(xen_use_samba, false)
-
 type blktap_t;
 type blktap_exec_t;
 domain_type(blktap_t)
@@ -50,41 +42,55 @@ type evtchnd_t;
 type evtchnd_exec_t;
 init_daemon_domain(evtchnd_t, evtchnd_exec_t)
 
+# log files
 type evtchnd_var_log_t;
 logging_log_file(evtchnd_var_log_t)
 
+# pid files
 type evtchnd_var_run_t;
 files_pid_file(evtchnd_var_run_t)
 
+type qemu_dm_t;
+type qemu_dm_exec_t;
+domain_type(qemu_dm_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+# console ptys
 type xen_devpts_t;
 term_pty(xen_devpts_t)
 files_type(xen_devpts_t)
 
+# Xen Image files
 type xen_image_t; # customizable
 files_type(xen_image_t)
+# xen_image_t can be assigned to blk devices
 dev_node(xen_image_t)
-
-optional_policy(`
-	virt_image(xen_image_t)
-')
+virt_image(xen_image_t)
 
 type xenctl_t;
 files_type(xenctl_t)
 
 type xend_t;
 type xend_exec_t;
+domain_type(xend_t)
 init_daemon_domain(xend_t, xend_exec_t)
 
+# tmp files
 type xend_tmp_t;
 files_tmp_file(xend_tmp_t)
 
+# var/lib files
 type xend_var_lib_t;
 files_type(xend_var_lib_t)
+# for mounting an NFS store
 files_mountpoint(xend_var_lib_t)
 
+# log files
 type xend_var_log_t;
 logging_log_file(xend_var_log_t)
 
+# pid files
 type xend_var_run_t;
 files_pid_file(xend_var_run_t)
 files_mountpoint(xend_var_run_t)
@@ -96,51 +102,50 @@ init_daemon_domain(xenstored_t, xenstored_exec_t)
 type xenstored_tmp_t;
 files_tmp_file(xenstored_tmp_t)
 
+# var/lib files
 type xenstored_var_lib_t;
 files_type(xenstored_var_lib_t)
 files_mountpoint(xenstored_var_lib_t)
 
+# log files
 type xenstored_var_log_t;
 logging_log_file(xenstored_var_log_t)
 
+# pid files
 type xenstored_var_run_t;
 files_pid_file(xenstored_var_run_t)
-init_daemon_run_dir(xenstored_var_run_t, "xenstored")
 
 type xenconsoled_t;
 type xenconsoled_exec_t;
 init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
 
+# pid files
 type xenconsoled_var_run_t;
 files_pid_file(xenconsoled_var_run_t)
 
-type xm_t;
-type xm_exec_t;
-init_system_domain(xm_t, xm_exec_t)
-
 ########################################
 #
 # blktap local policy
 #
-
+# Do we need to allow execution of blktap?
 tunable_policy(`xend_run_blktap',`
+        # If yes, transition to its own domain.
 	domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
 
-	allow blktap_t self:fifo_file { read write };
+',`
+        # If no, then silently refuse to run it.
+	dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')
 
-	dev_read_sysfs(blktap_t)
-	dev_rw_xen(blktap_t)
+allow blktap_t self:fifo_file { read write };
 
-	files_read_etc_files(blktap_t)
+dev_read_sysfs(blktap_t)
+dev_rw_xen(blktap_t)
 
-	logging_send_syslog_msg(blktap_t)
 
-	miscfiles_read_localization(blktap_t)
+logging_send_syslog_msg(blktap_t)
 
-	xen_stream_connect_xenstore(blktap_t)
-',`
-	dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
-')
+xen_stream_connect_xenstore(blktap_t)
 
 #######################################
 #
@@ -148,9 +153,7 @@ tunable_policy(`xend_run_blktap',`
 #
 
 manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
-append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
-create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
-setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
 logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
 
 manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
@@ -158,30 +161,70 @@ manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
 manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
 files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
 
+########################################
+#
+# qemu-dm local policy
+#
+
+# TODO: This part of policy should be removed
+#       qemu-dm should run in xend_t domain
+
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+	allow qemu_dm_t self:capability sys_resource;
+	allow qemu_dm_t self:process setrlimit;
+	allow qemu_dm_t self:fifo_file { read write };
+	allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+
+	# If yes, transition to its own domain.
+	domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+
+	append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+
+	rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+
+	corenet_tcp_bind_generic_node(qemu_dm_t)
+	corenet_tcp_bind_vnc_port(qemu_dm_t)
+
+	dev_rw_xen(qemu_dm_t)
+
+
+	fs_manage_xenfs_dirs(qemu_dm_t)
+	fs_manage_xenfs_files(qemu_dm_t)
+
+
+	xen_stream_connect_xenstore(qemu_dm_t)
+',`
+        # If no, then silently refuse to run it.
+	dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
 ########################################
 #
 # xend local policy
 #
 
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio };
-dontaudit xend_t self:capability { sys_ptrace };
-allow xend_t self:process { setrlimit signal sigkill };
-dontaudit xend_t self:process ptrace;
+allow xend_t self:capability { dac_read_search dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
+allow xend_t self:process { signal sigkill };
+
+# needed by qemu_dm
+allow xend_t self:capability sys_resource;
+allow xend_t self:process setrlimit;
+
+# internal communication is often done using fifo and unix sockets.
 allow xend_t self:fifo_file rw_fifo_file_perms;
-allow xend_t self:unix_stream_socket { accept listen };
-allow xend_t self:tcp_socket { accept listen };
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+allow xend_t self:tcp_socket create_stream_socket_perms;
 allow xend_t self:packet_socket create_socket_perms;
 allow xend_t self:tun_socket create_socket_perms;
 
 allow xend_t xen_image_t:dir list_dir_perms;
 manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
-manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t)
 manage_files_pattern(xend_t, xen_image_t, xen_image_t)
 read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
-read_sock_files_pattern(xend_t, xen_image_t, xen_image_t)
-rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t)
 rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
-fs_hugetlbfs_filetrans(xend_t, xen_image_t, file)
 
 allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(xend_t, xenctl_t, fifo_file)
@@ -190,33 +233,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
 manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
 files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
 
+# pid file
 manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
 manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
 manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
 manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
 files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
 
+# log files
 manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
-setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
 manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
 logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir })
 
+# var/lib files for xend
 manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
 manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
 manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
 manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
 files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
 
+# transition to store
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
+
+# manage xenstored pid file
 manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
 
-allow xend_t xenstored_var_lib_t:dir list_dir_perms;
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
 
+# transition to console
 domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
-
-xen_stream_connect_xenstore(xend_t)
 
 kernel_read_kernel_sysctls(xend_t)
 kernel_read_system_state(xend_t)
@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t)
 kernel_read_xen_state(xend_t)
 kernel_rw_net_sysctls(xend_t)
 kernel_read_network_state(xend_t)
+kernel_request_load_module(xend_t)
 
 corecmd_exec_bin(xend_t)
 corecmd_exec_shell(xend_t)
 
-corenet_all_recvfrom_unlabeled(xend_t)
 corenet_all_recvfrom_netlabel(xend_t)
 corenet_tcp_sendrecv_generic_if(xend_t)
 corenet_tcp_sendrecv_generic_node(xend_t)
 corenet_tcp_sendrecv_all_ports(xend_t)
 corenet_tcp_bind_generic_node(xend_t)
-
-corenet_sendrecv_xen_server_packets(xend_t)
 corenet_tcp_bind_xen_port(xend_t)
-
-corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_tcp_bind_soundd_port(xend_t)
-
-corenet_sendrecv_generic_server_packets(xend_t)
 corenet_tcp_bind_generic_port(xend_t)
-
-corenet_sendrecv_vnc_server_packets(xend_t)
 corenet_tcp_bind_vnc_port(xend_t)
-
-corenet_sendrecv_xserver_client_packets(xend_t)
 corenet_tcp_connect_xserver_port(xend_t)
-
-corenet_sendrecv_xen_client_packets(xend_t)
 corenet_tcp_connect_xen_port(xend_t)
-
+corenet_sendrecv_xserver_client_packets(xend_t)
+corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_xen_client_packets(xend_t)
+corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)
 
-dev_getattr_all_chr_files(xend_t)
 dev_read_urand(xend_t)
+# run lsscsi
+dev_getattr_all_chr_files(xend_t)
 dev_filetrans_xen(xend_t)
 dev_rw_sysfs(xend_t)
 dev_rw_xen(xend_t)
 
 domain_dontaudit_read_all_domains_state(xend_t)
-domain_dontaudit_ptrace_all_domains(xend_t)
 
-files_read_etc_files(xend_t)
 files_read_kernel_symbol_table(xend_t)
 files_read_kernel_img(xend_t)
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t, file)
-files_read_usr_files(xend_t)
 files_read_default_symlinks(xend_t)
-files_search_mnt(xend_t)
 
-fs_getattr_all_fs(xend_t)
-fs_list_auto_mountpoints(xend_t)
-fs_read_dos_files(xend_t)
 fs_read_removable_blk_files(xend_t)
-fs_manage_xenfs_dirs(xend_t)
-fs_manage_xenfs_files(xend_t)
 
 storage_read_scsi_generic(xend_t)
 
@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t)
 
 logging_send_syslog_msg(xend_t)
 
-miscfiles_read_localization(xend_t)
+auth_read_passwd(xend_t)
+
 miscfiles_read_hwdata(xend_t)
 
 sysnet_domtrans_dhcpc(xend_t)
@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t)
 
 userdom_dontaudit_search_user_home_dirs(xend_t)
 
-tunable_policy(`xen_use_fusefs',`
-	fs_manage_fusefs_dirs(xend_t)
-	fs_manage_fusefs_files(xend_t)
-	fs_read_fusefs_symlinks(xend_t)
-')
-
-tunable_policy(`xen_use_nfs',`
-	fs_manage_nfs_dirs(xend_t)
-	fs_manage_nfs_files(xend_t)
-	fs_read_nfs_symlinks(xend_t)
-')
-
-tunable_policy(`xen_use_samba',`
-	fs_manage_cifs_dirs(xend_t)
-	fs_manage_cifs_files(xend_t)
-	fs_read_cifs_symlinks(xend_t)
-')
+xen_stream_connect_xenstore(xend_t)
 
 optional_policy(`
 	brctl_domtrans(xend_t)
@@ -342,7 +357,7 @@ optional_policy(`
 	mount_domtrans(xend_t)
 ')
 
-optional_policy(`
+optional_policy(`	
 	netutils_domtrans(xend_t)
 ')
 
@@ -351,6 +366,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	virt_manage_default_image_type(xend_t)
 	virt_search_images(xend_t)
 	virt_read_config(xend_t)
 ')
@@ -360,18 +376,14 @@ optional_policy(`
 # Xen console local policy
 #
 
-allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:capability { dac_read_search dac_override fsetid ipc_lock };
 allow xenconsoled_t self:process setrlimit;
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
 allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
 
-allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
-
-manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
-setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
+allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };
 
+# pid file
 manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
 manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
 files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t)
 dev_filetrans_xen(xenconsoled_t)
 dev_rw_sysfs(xenconsoled_t)
 
-domain_dontaudit_ptrace_all_domains(xenconsoled_t)
-
-files_read_etc_files(xenconsoled_t)
-files_read_usr_files(xenconsoled_t)
 
 fs_list_tmpfs(xenconsoled_t)
 fs_manage_xenfs_dirs(xenconsoled_t)
@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t)
 
 term_create_pty(xenconsoled_t, xen_devpts_t)
 term_use_generic_ptys(xenconsoled_t)
-term_use_console(xenconsoled_t)
 
 init_use_fds(xenconsoled_t)
 init_use_script_ptys(xenconsoled_t)
 
-logging_search_logs(xenconsoled_t)
-
-miscfiles_read_localization(xenconsoled_t)
+auth_read_passwd(xenconsoled_t)
 
+xen_manage_log(xenconsoled_t)
 xen_stream_connect_xenstore(xenconsoled_t)
 
 optional_policy(`
@@ -415,25 +421,27 @@ optional_policy(`
 # Xen store local policy
 #
 
-allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
-allow xenstored_t self:unix_stream_socket { accept listen };
+allow xenstored_t self:capability { dac_read_search dac_override ipc_lock sys_resource };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
 manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
 manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
 files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
 
+# pid file
 manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
 manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
 manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
 files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
 
+# log files
 manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
 manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
 logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
 
+# var/lib files for xenstored
 manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
 manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
 manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 dev_read_sysfs(xenstored_t)
 
-files_read_etc_files(xenstored_t)
-files_read_usr_files(xenstored_t)
+
 
 fs_search_xenfs(xenstored_t)
 fs_manage_xenfs_files(xenstored_t)
 
 term_use_generic_ptys(xenstored_t)
+term_use_console(xenconsoled_t)
 
 init_use_fds(xenstored_t)
 init_use_script_ptys(xenstored_t)
 
 logging_send_syslog_msg(xenstored_t)
 
-miscfiles_read_localization(xenstored_t)
-
 xen_append_log(xenstored_t)
 
-########################################
-#
-# xm local policy
-#
-
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
-allow xm_t self:fifo_file rw_fifo_file_perms;
-allow xm_t self:unix_stream_socket { accept connectto listen };
-allow xm_t self:tcp_socket { accept listen };
-
-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-
-manage_files_pattern(xm_t, xen_image_t, xen_image_t)
-manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t)
-manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t)
-
-read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t)
-
-xen_manage_image_dirs(xm_t)
-xen_append_log(xm_t)
-xen_domtrans(xm_t)
-xen_stream_connect(xm_t)
-xen_stream_connect_xenstore(xm_t)
-
-can_exec(xm_t, xm_exec_t)
-
-kernel_read_system_state(xm_t)
-kernel_read_network_state(xm_t)
-kernel_read_kernel_sysctls(xm_t)
-kernel_read_sysctl(xm_t)
-kernel_read_xen_state(xm_t)
-kernel_write_xen_state(xm_t)
-
-corecmd_exec_bin(xm_t)
-corecmd_exec_shell(xm_t)
-
-corenet_all_recvfrom_unlabeled(xm_t)
-corenet_all_recvfrom_netlabel(xm_t)
-corenet_tcp_sendrecv_generic_if(xm_t)
-corenet_tcp_sendrecv_generic_node(xm_t)
-
-corenet_sendrecv_soundd_client_packets(xm_t)
-corenet_tcp_connect_soundd_port(xm_t)
-corenet_tcp_sendrecv_soundd_port(xm_t)
-
-dev_read_rand(xm_t)
-dev_read_urand(xm_t)
-dev_read_sysfs(xm_t)
-
-files_read_etc_runtime_files(xm_t)
-files_read_etc_files(xm_t)
-files_read_usr_files(xm_t)
-files_search_pids(xm_t)
-files_search_var_lib(xm_t)
-files_list_mnt(xm_t)
-files_list_tmp(xm_t)
-
-fs_getattr_all_fs(xm_t)
-fs_manage_xenfs_dirs(xm_t)
-fs_manage_xenfs_files(xm_t)
-fs_search_auto_mountpoints(xm_t)
-
-storage_raw_read_fixed_disk(xm_t)
-
-term_use_all_terms(xm_t)
-
-init_stream_connect_script(xm_t)
-init_rw_script_stream_sockets(xm_t)
-init_use_fds(xm_t)
-
-logging_send_syslog_msg(xm_t)
-
-miscfiles_read_localization(xm_t)
-
-sysnet_dns_name_resolve(xm_t)
-
-tunable_policy(`xen_use_fusefs',`
-	fs_manage_fusefs_dirs(xm_t)
-	fs_manage_fusefs_files(xm_t)
-	fs_read_fusefs_symlinks(xm_t)
-')
-
-tunable_policy(`xen_use_nfs',`
-	fs_manage_nfs_dirs(xm_t)
-	fs_manage_nfs_files(xm_t)
-	fs_read_nfs_symlinks(xm_t)
-')
-
-tunable_policy(`xen_use_samba',`
-	fs_manage_cifs_dirs(xm_t)
-	fs_manage_cifs_files(xm_t)
-	fs_read_cifs_symlinks(xm_t)
-')
-
 optional_policy(`
-	cron_system_entry(xm_t, xm_exec_t)
+	virt_read_config(xenstored_t)
 ')
 
+########################################
+#
+# SSH component local policy
+#
 optional_policy(`
-	dbus_system_bus_client(xm_t)
-
-	optional_policy(`
-		hal_dbus_chat(xm_t)
+	#Should have a boolean wrapping these
+	fs_list_auto_mountpoints(xend_t)
+	files_search_mnt(xend_t)
+	fs_getattr_all_fs(xend_t)
+	fs_read_dos_files(xend_t)
+	fs_manage_xenfs_dirs(xend_t)
+	fs_manage_xenfs_files(xend_t)
+
+	tunable_policy(`xen_use_nfs',`
+		fs_manage_nfs_files(xend_t)
+		fs_read_nfs_symlinks(xend_t)
 	')
 ')
-
-optional_policy(`
-	rpm_exec(xm_t)
-')
-
-optional_policy(`
-	vhostmd_rw_tmpfs_files(xm_t)
-	vhostmd_stream_connect(xm_t)
-	vhostmd_dontaudit_rw_stream_connect(xm_t)
-')
-
-optional_policy(`
-	virt_domtrans(xm_t)
-	virt_manage_images(xm_t)
-	virt_manage_config(xm_t)
-	virt_stream_connect(xm_t)
-')
-
-optional_policy(`
-	ssh_basic_client_template(xm, xm_t, system_r)
-
-	kernel_read_xen_state(xm_ssh_t)
-	kernel_write_xen_state(xm_ssh_t)
-
-	files_search_tmp(xm_ssh_t)
-
-	fs_manage_xenfs_dirs(xm_ssh_t)
-	fs_manage_xenfs_files(xm_ssh_t)
-')
diff --git a/xfs.te b/xfs.te
index 0928c5d6a6..b9bcf8824f 100644
--- a/xfs.te
+++ b/xfs.te
@@ -23,7 +23,7 @@ files_pid_file(xfs_var_run_t)
 # Local policy
 #
 
-allow xfs_t self:capability { dac_override setgid setuid };
+allow xfs_t self:capability { dac_read_search dac_override setgid setuid };
 dontaudit xfs_t self:capability sys_tty_config;
 allow xfs_t self:process { signal_perms setpgid };
 allow xfs_t self:unix_stream_socket { accept listen };
@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 
-corenet_all_recvfrom_unlabeled(xfs_t)
 corenet_all_recvfrom_netlabel(xfs_t)
 corenet_tcp_sendrecv_generic_if(xfs_t)
 corenet_tcp_sendrecv_generic_node(xfs_t)
@@ -63,7 +62,6 @@ fs_search_auto_mountpoints(xfs_t)
 domain_use_interactive_fds(xfs_t)
 
 files_read_etc_runtime_files(xfs_t)
-files_read_usr_files(xfs_t)
 
 auth_use_nsswitch(xfs_t)
 
@@ -71,7 +69,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")
 
 logging_send_syslog_msg(xfs_t)
 
-miscfiles_read_localization(xfs_t)
 miscfiles_read_fonts(xfs_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.if b/xguest.if
index 4f1d07d718..5c819abe86 100644
--- a/xguest.if
+++ b/xguest.if
@@ -1,4 +1,4 @@
-## <summary>Least privledge xwindows user role.</summary>
+## <summary>Least privileged xwindows user role.</summary>
 
 ########################################
 ## <summary>
diff --git a/xguest.te b/xguest.te
index a64aad347e..4ddc93c386 100644
--- a/xguest.te
+++ b/xguest.te
@@ -6,46 +6,49 @@ policy_module(xguest, 1.2.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether xguest can
-##	mount removable media.
-##	</p>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
 ## </desc>
-gen_tunable(xguest_mount_media, false)
+gen_tunable(xguest_mount_media, true)
 
 ## <desc>
-##	<p>
-##	Determine whether xguest can
-##	configure network manager.
-##	</p>
+## <p>
+## Allow xguest users to configure Network Manager and connect to apache ports
+## </p>
 ## </desc>
-gen_tunable(xguest_connect_network, false)
+gen_tunable(xguest_connect_network, true)
 
 ## <desc>
-##	<p>
-##	Determine whether xguest can
-##	use blue tooth devices.
-##	</p>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
 ## </desc>
-gen_tunable(xguest_use_bluetooth, false)
+gen_tunable(xguest_use_bluetooth, true)
 
 role xguest_r;
 
 userdom_restricted_xwindows_user_template(xguest)
+sysnet_dns_name_resolve(xguest_t)
+
+init_dbus_chat(xguest_t)
+init_status(xguest_t)
+systemd_dontaudit_dbus_chat(xguest_t)
 
 ########################################
 #
 # Local policy
 #
 
-kernel_dontaudit_request_load_module(xguest_t)
+dontaudit xguest_t xguest_t : tcp_socket { listen };
 
 ifndef(`enable_mls',`
 	fs_exec_noxattr(xguest_t)
 
-	tunable_policy(`user_rw_noexattrfile',`
+	tunable_policy(`selinuxuser_rw_noexattrfile',`
 		fs_manage_noxattr_fs_files(xguest_t)
 		fs_manage_noxattr_fs_dirs(xguest_t)
+		# Write floppies 
 		storage_raw_read_removable_device(xguest_t)
 		storage_raw_write_removable_device(xguest_t)
 	',`
@@ -53,10 +56,23 @@ ifndef(`enable_mls',`
 	')
 ')
 
+optional_policy(`
+	# Dontaudit fusermount
+	mount_dontaudit_exec_fusermount(xguest_t)
+')
+
+kernel_dontaudit_request_load_module(xguest_t)
+kernel_read_software_raid_state(xguest_t)
+
+tunable_policy(`selinuxuser_execstack',`
+	allow xguest_t self:process execstack;
+')
+
+# Allow mounting of file systems
 optional_policy(`
 	tunable_policy(`xguest_mount_media',`
 		kernel_read_fs_sysctls(xguest_t)
-
+		kernel_request_load_module(xguest_t)
 		files_dontaudit_getattr_boot_dirs(xguest_t)
 		files_search_mnt(xguest_t)
 
@@ -65,10 +81,9 @@ optional_policy(`
 		fs_manage_noxattr_fs_dirs(xguest_t)
 		fs_getattr_noxattr_fs(xguest_t)
 		fs_read_noxattr_fs_symlinks(xguest_t)
+		fs_mount_fusefs(xguest_t)
 
 		auth_list_pam_console_data(xguest_t)
-
-		init_read_utmp(xguest_t)
 	')
 ')
 
@@ -84,12 +99,25 @@ optional_policy(`
 	')
 ')
 
+
 optional_policy(`
-	apache_role(xguest_r, xguest_t)
+    abrt_dontaudit_read_config(xguest_t)
+')
+
+optional_policy(`
+	colord_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+	chrome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+    thumb_role(xguest_r, xguest_t)
 ')
 
 optional_policy(`
-	gnomeclock_dontaudit_dbus_chat(xguest_t)
+	dbus_dontaudit_chat_system_bus(xguest_t)
 ')
 
 optional_policy(`
@@ -97,75 +125,78 @@ optional_policy(`
 ')
 
 optional_policy(`
-	java_role(xguest_r, xguest_t)
+	apache_role(xguest_r, xguest_t)
 ')
 
 optional_policy(`
-	mozilla_role(xguest_r, xguest_t)
+	mozilla_run_plugin(xguest_t, xguest_r)
 ')
 
 optional_policy(`
-	tunable_policy(`xguest_connect_network',`
-		kernel_read_network_state(xguest_t)
+	mount_run_fusermount(xguest_t, xguest_r)
+')
+
+optional_policy(`
+	pcscd_read_pid_files(xguest_t)
+	pcscd_stream_connect(xguest_t)
+')
+
+optional_policy(`
+	rhsmcertd_dontaudit_dbus_chat(xguest_t)
+')
 
+optional_policy(`
+	tunable_policy(`xguest_connect_network',`
 		networkmanager_dbus_chat(xguest_t)
 		networkmanager_read_lib_files(xguest_t)
+	')
+')
 
-		corenet_all_recvfrom_unlabeled(xguest_t)
-		corenet_all_recvfrom_netlabel(xguest_t)
+optional_policy(`
+	tunable_policy(`xguest_connect_network',`
+		kernel_read_network_state(xguest_t)
+
+		corenet_tcp_connect_pulseaudio_port(xguest_t)
 		corenet_tcp_sendrecv_generic_if(xguest_t)
 		corenet_raw_sendrecv_generic_if(xguest_t)
 		corenet_tcp_sendrecv_generic_node(xguest_t)
 		corenet_raw_sendrecv_generic_node(xguest_t)
-
-		corenet_sendrecv_pulseaudio_client_packets(xguest_t)
-		corenet_tcp_connect_pulseaudio_port(xguest_t)
-		corenet_tcp_sendrecv_pulseaudio_port(xguest_t)
-
-		corenet_sendrecv_http_client_packets(xguest_t)
-		corenet_tcp_connect_http_port(xguest_t)
+		corenet_tcp_connect_commplex_link_port(xguest_t)
 		corenet_tcp_sendrecv_http_port(xguest_t)
-
-		corenet_sendrecv_http_cache_client_packets(xguest_t)
-		corenet_tcp_connect_http_cache_port(xguest_t)
 		corenet_tcp_sendrecv_http_cache_port(xguest_t)
-
-		corenet_sendrecv_squid_client_packets(xguest_t)
-		corenet_tcp_connect_squid_port(xguest_t)
 		corenet_tcp_sendrecv_squid_port(xguest_t)
-
-		corenet_sendrecv_ftp_client_packets(xguest_t)
-		corenet_tcp_connect_ftp_port(xguest_t)
 		corenet_tcp_sendrecv_ftp_port(xguest_t)
-
-		corenet_sendrecv_ipp_client_packets(xguest_t)
-		corenet_tcp_connect_ipp_port(xguest_t)
 		corenet_tcp_sendrecv_ipp_port(xguest_t)
-
-		corenet_sendrecv_generic_client_packets(xguest_t)
+		corenet_tcp_connect_http_port(xguest_t)
+		corenet_tcp_connect_http_cache_port(xguest_t)
+		corenet_tcp_connect_squid_port(xguest_t)
+		corenet_tcp_connect_flash_port(xguest_t)
+		corenet_tcp_connect_ftp_port(xguest_t)
+		corenet_tcp_connect_ipp_port(xguest_t)
 		corenet_tcp_connect_generic_port(xguest_t)
-		corenet_tcp_sendrecv_generic_port(xguest_t)
-
-		corenet_sendrecv_soundd_client_packets(xguest_t)
 		corenet_tcp_connect_soundd_port(xguest_t)
-		corenet_tcp_sendrecv_soundd_port(xguest_t)
-
-		corenet_sendrecv_speech_client_packets(xguest_t)
-		corenet_tcp_connect_speech_port(xguest_t)
-		corenet_tcp_sendrecv_speech_port(xguest_t)
-
-		corenet_sendrecv_transproxy_client_packets(xguest_t)
-		corenet_tcp_connect_transproxy_port(xguest_t)
-		corenet_tcp_sendrecv_transproxy_port(xguest_t)
-
+		corenet_sendrecv_http_client_packets(xguest_t)
+		corenet_sendrecv_http_cache_client_packets(xguest_t)
+		corenet_sendrecv_squid_client_packets(xguest_t)
+		corenet_sendrecv_ftp_client_packets(xguest_t)
+		corenet_sendrecv_ipp_client_packets(xguest_t)
+		corenet_sendrecv_generic_client_packets(xguest_t)
+		# Should not need other ports
 		corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
 		corenet_dontaudit_tcp_bind_generic_port(xguest_t)
+		corenet_tcp_connect_speech_port(xguest_t)
+		corenet_tcp_sendrecv_transproxy_port(xguest_t)
+		corenet_tcp_connect_transproxy_port(xguest_t)
 	')
 ')
 
 optional_policy(`
-	pcscd_read_pid_files(xguest_t)
-	pcscd_stream_connect(xguest_t)
+	gen_require(`
+		type mozilla_t;
+	')
+
+	allow xguest_t mozilla_t:process transition;
+	role xguest_r types mozilla_t;
 ')
 
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/xprint.te b/xprint.te
index 3c44d8493b..ce5e69d696 100644
--- a/xprint.te
+++ b/xprint.te
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t)
 corecmd_exec_bin(xprint_t)
 corecmd_exec_shell(xprint_t)
 
-corenet_all_recvfrom_unlabeled(xprint_t)
 corenet_all_recvfrom_netlabel(xprint_t)
 corenet_tcp_sendrecv_generic_if(xprint_t)
 corenet_udp_sendrecv_generic_if(xprint_t)
@@ -46,9 +45,7 @@ dev_read_urand(xprint_t)
 
 domain_use_interactive_fds(xprint_t)
 
-files_read_etc_files(xprint_t)
 files_read_etc_runtime_files(xprint_t)
-files_read_usr_files(xprint_t)
 files_search_var_lib(xprint_t)
 files_search_tmp(xprint_t)
 
@@ -58,7 +55,6 @@ fs_search_auto_mountpoints(xprint_t)
 logging_send_syslog_msg(xprint_t)
 
 miscfiles_read_fonts(xprint_t)
-miscfiles_read_localization(xprint_t)
 
 sysnet_read_config(xprint_t)
 
diff --git a/xscreensaver.te b/xscreensaver.te
index 04096a0502..98a8205a72 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
 
 kernel_read_system_state(xscreensaver_t)
 
-files_read_usr_files(xscreensaver_t)
 
 auth_use_nsswitch(xscreensaver_t)
 auth_domtrans_chk_passwd(xscreensaver_t)
@@ -35,9 +34,8 @@ init_read_utmp(xscreensaver_t)
 logging_send_audit_msgs(xscreensaver_t)
 logging_send_syslog_msg(xscreensaver_t)
 
-miscfiles_read_localization(xscreensaver_t)
-
-userdom_use_user_terminals(xscreensaver_t)
+userdom_use_inherited_user_ptys(xscreensaver_t)
+#access to .icons and ~/.xscreensaver
 userdom_read_user_home_content_files(xscreensaver_t)
 
 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/yam.te b/yam.te
index 2695db25cf..c1ec893848 100644
--- a/yam.te
+++ b/yam.te
@@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t)
 # Local policy
 #
 
-allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:capability { chown fowner fsetid dac_read_search dac_override };
 allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
 allow yam_t self:fd use;
 allow yam_t self:fifo_file rw_fifo_file_perms;
@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t)
 
 logging_send_syslog_msg(yam_t)
 
-miscfiles_read_localization(yam_t)
-
 seutil_read_config(yam_t)
 
-userdom_use_user_terminals(yam_t)
+sysnet_read_config(yam_t)
+
+userdom_use_inherited_user_terminals(yam_t)
 userdom_use_unpriv_users_fds(yam_t)
 userdom_search_user_home_dirs(yam_t)
 
diff --git a/zabbix.fc b/zabbix.fc
index c3b5a819e9..c384947f31 100644
--- a/zabbix.fc
+++ b/zabbix.fc
@@ -4,12 +4,22 @@
 /usr/bin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
 /usr/bin/zabbix_agentd	--	gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
 
-/usr/sbin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
 /usr/sbin/zabbix_agentd	--	gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+/usr/sbin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
 /usr/sbin/zabbix_server_mysql	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
 /usr/sbin/zabbix_server_pgsql	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
 /usr/sbin/zabbix_server_sqlite3	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy	        --	gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_mysql   --  gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_pgsql   --  gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/sbin/zabbix_proxy_sqlite3 --  gen_context(system_u:object_r:zabbix_exec_t,s0)
+
+/usr/lib/zabbix/externalscripts(/.*)?    gen_context(system_u:object_r:zabbix_script_exec_t,s0)
+
+/var/lib/zabbixsrv(/.*)?	gen_context(system_u:object_r:zabbix_var_lib_t,s0)
+/var/lib/zabbix(/.*)?    gen_context(system_u:object_r:zabbix_var_lib_t,s0)
+/var/lib/zabbix/externalscripts(/.*)?    gen_context(system_u:object_r:zabbix_script_exec_t,s0)
 
-/var/log/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_log_t,s0)
+/var/log/zabbix.*	gen_context(system_u:object_r:zabbix_log_t,s0)
 
 /var/run/zabbix(/.*)?	gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/zabbix.if b/zabbix.if
index dd63de028f..7cf8202abf 100644
--- a/zabbix.if
+++ b/zabbix.if
@@ -1,4 +1,4 @@
-## <summary>Distributed infrastructure monitoring.</summary>
+## <summary>Distributed infrastructure monitoring</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,30 @@ interface(`zabbix_domtrans',`
 		type zabbix_t, zabbix_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, zabbix_exec_t, zabbix_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to zabbit on the TCP network.
+##	Execute a domain transition to run zabbix_script.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zabbix_script_domtrans',`
+	gen_require(`
+		type zabbix_script_t, zabbix_script_exec_t;
+	')
+
+	domtrans_pattern($1, zabbix_script_exec_t, zabbix_script_t)
+')
+
+########################################
+## <summary>
+## 	Allow connectivity to the zabbix server
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -34,7 +51,7 @@ interface(`zabbix_tcp_connect',`
 		type zabbix_t;
 	')
 
-	corenet_sendrecv_zabbix_client_packets($1)
+	corenet_sendrecv_zabbix_agent_client_packets($1)
 	corenet_tcp_connect_zabbix_port($1)
 	corenet_tcp_recvfrom_labeled($1, zabbix_t)
 	corenet_tcp_sendrecv_zabbix_port($1)
@@ -42,7 +59,7 @@ interface(`zabbix_tcp_connect',`
 
 ########################################
 ## <summary>
-##	Read zabbix log files.
+##	Allow the specified domain to read zabbix's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -62,13 +79,34 @@ interface(`zabbix_read_log',`
 
 ########################################
 ## <summary>
-##	Append zabbix log files.
+##	Allow the specified domain to read zabbix's tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
+#
+interface(`zabbix_read_tmp',`
+	gen_require(`
+		type zabbix_tmp_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	zabbix log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
 #
 interface(`zabbix_append_log',`
 	gen_require(`
@@ -81,7 +119,7 @@ interface(`zabbix_append_log',`
 
 ########################################
 ## <summary>
-##	Read zabbix pid files.
+##	Read zabbix PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -100,7 +138,7 @@ interface(`zabbix_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Connect to zabbix agent on the TCP network.
+## 	Allow connectivity to a zabbix agent
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -110,7 +148,7 @@ interface(`zabbix_read_pid_files',`
 #
 interface(`zabbix_agent_tcp_connect',`
 	gen_require(`
-		type zabbix_agent_t;
+		type zabbix_t, zabbix_agent_t;
 	')
 
 	corenet_sendrecv_zabbix_agent_client_packets($1)
@@ -121,8 +159,8 @@ interface(`zabbix_agent_tcp_connect',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an zabbix environment.
+##	All of the rules required to administrate
+##	an zabbix environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -131,7 +169,7 @@ interface(`zabbix_agent_tcp_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the zabbix domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -139,16 +177,18 @@ interface(`zabbix_agent_tcp_connect',`
 interface(`zabbix_admin',`
 	gen_require(`
 		type zabbix_t, zabbix_log_t, zabbix_var_run_t;
-		type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
-		type zabbit_tmpfs_t;
+		type zabbix_initrc_exec_t;
 	')
 
-	allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { zabbix_t zabbix_agent_t })
+	allow $1 zabbix_t:process signal_perms;
+	ps_process_pattern($1, zabbix_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 zabbix_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
+	init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
 	domain_system_change_exemption($1)
-	role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
+	role_transition $2 zabbix_initrc_exec_t system_r;
 	allow $2 system_r;
 
 	logging_list_logs($1)
@@ -156,10 +196,4 @@ interface(`zabbix_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, zabbix_var_run_t)
-
-	files_list_tmp($1)
-	admin_pattern($1, zabbix_tmp_t)
-
-	fs_list_tmpfs($1)
-	admin_pattern($1, zabbix_tmpfs_t)
 ')
diff --git a/zabbix.te b/zabbix.te
index 7f496c6177..569f9209f0 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,45 @@ policy_module(zabbix, 1.6.0)
 #
 
 ## <desc>
-##	<p>
+##  <p>
 ##	Determine whether zabbix can
 ##	connect to all TCP ports
 ##	</p>
 ## </desc>
 gen_tunable(zabbix_can_network, false)
 
-type zabbix_t;
+
+## <desc>
+## <p>
+## Allow Zabbix to run su/sudo.
+## </p>
+## </desc>
+gen_tunable(zabbix_run_sudo, false)
+
+gen_require(`
+    class passwd rootok;
+    class passwd passwd;
+')
+
+attribute zabbix_domain;
+
+type zabbix_t, zabbix_domain;
 type zabbix_exec_t;
 init_daemon_domain(zabbix_t, zabbix_exec_t)
 
 type zabbix_initrc_exec_t;
 init_script_file(zabbix_initrc_exec_t)
 
-type zabbix_agent_t;
+type zabbix_agent_t, zabbix_domain;
 type zabbix_agent_exec_t;
 init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
 
 type zabbix_agent_initrc_exec_t;
 init_script_file(zabbix_agent_initrc_exec_t)
 
+type zabbixd_var_lib_t;
+files_type(zabbixd_var_lib_t)
+
 type zabbix_log_t;
 logging_log_file(zabbix_log_t)
 
@@ -36,27 +54,62 @@ files_tmp_file(zabbix_tmp_t)
 type zabbix_tmpfs_t;
 files_tmpfs_file(zabbix_tmpfs_t)
 
+type zabbix_var_lib_t;
+files_type(zabbix_var_lib_t)
+
 type zabbix_var_run_t;
 files_pid_file(zabbix_var_run_t)
 
+type zabbix_script_t;
+type zabbix_script_exec_t;
+domain_type(zabbix_script_t)
+domain_entry_file(zabbix_script_t, zabbix_script_exec_t)
+application_executable_file(zabbix_script_exec_t)
+role system_r types zabbix_script_t;
+
+########################################
+#
+# zabbix domain local policy
+#
+
+allow zabbix_domain self:capability { setuid setgid };
+allow zabbix_domain self:process { setpgid setsched getsched signal_perms };
+allow zabbix_domain self:fifo_file rw_fifo_file_perms;
+allow zabbix_domain self:sem create_sem_perms;
+allow zabbix_domain self:shm create_shm_perms;
+allow zabbix_domain self:tcp_socket { accept listen };
+allow zabbix_domain self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_all_sysctls(zabbix_domain)
+kernel_read_network_state(zabbix_domain)
+
+corenet_tcp_sendrecv_generic_if(zabbix_domain)
+corenet_tcp_sendrecv_generic_node(zabbix_domain)
+corenet_tcp_bind_generic_node(zabbix_domain)
+
+corecmd_exec_shell(zabbix_domain)
+corecmd_exec_bin(zabbix_domain)
+
+dev_read_sysfs(zabbix_domain)
+dev_read_urand(zabbix_domain)
+
 ########################################
 #
 # Local policy
 #
 
-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
-allow zabbix_t self:process { setsched signal_perms };
-allow zabbix_t self:fifo_file rw_fifo_file_perms;
-allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
-allow zabbix_t self:sem create_sem_perms;
-allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_t self:capability { dac_read_search dac_override };
+allow zabbix_t self:process { setrlimit };
+
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
 
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file })
 
 manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
 manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
@@ -70,13 +123,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
 files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
 
 kernel_read_system_state(zabbix_t)
-kernel_read_kernel_sysctls(zabbix_t)
 
 corenet_all_recvfrom_unlabeled(zabbix_t)
 corenet_all_recvfrom_netlabel(zabbix_t)
-corenet_tcp_sendrecv_generic_if(zabbix_t)
-corenet_tcp_sendrecv_generic_node(zabbix_t)
-corenet_tcp_bind_generic_node(zabbix_t)
 
 corenet_sendrecv_ftp_client_packets(zabbix_t)
 corenet_tcp_connect_ftp_port(zabbix_t)
@@ -85,37 +134,55 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
 corenet_sendrecv_http_client_packets(zabbix_t)
 corenet_tcp_connect_http_port(zabbix_t)
 corenet_tcp_sendrecv_http_port(zabbix_t)
+corenet_tcp_connect_smtp_port(zabbix_t)
 
 corenet_sendrecv_zabbix_server_packets(zabbix_t)
 corenet_tcp_bind_zabbix_port(zabbix_t)
 corenet_tcp_sendrecv_zabbix_port(zabbix_t)
 
-corecmd_exec_bin(zabbix_t)
-corecmd_exec_shell(zabbix_t)
-
-dev_read_urand(zabbix_t)
-
-files_read_usr_files(zabbix_t)
-
 auth_use_nsswitch(zabbix_t)
 
-miscfiles_read_localization(zabbix_t)
-
 zabbix_agent_tcp_connect(zabbix_t)
 
+logging_send_syslog_msg(zabbix_t)
+
 tunable_policy(`zabbix_can_network',`
 	corenet_sendrecv_all_client_packets(zabbix_t)
 	corenet_tcp_connect_all_ports(zabbix_t)
 	corenet_tcp_sendrecv_all_ports(zabbix_t)
 ')
 
+tunable_policy(`zabbix_run_sudo',`
+    allow zabbix_t self:capability { setuid setgid sys_resource };
+    allow zabbix_t self:process { setrlimit setsched };
+    allow zabbix_t self:key write;
+    allow zabbix_t self:passwd { passwd rootok };
+
+    auth_rw_lastlog(zabbix_t)
+    auth_rw_faillog(zabbix_t)
+    auth_exec_chkpwd(zabbix_t)
+
+    selinux_compute_access_vector(zabbix_t)
+
+    systemd_write_inherited_logind_sessions_pipes(zabbix_t)
+    systemd_dbus_chat_logind(zabbix_t)
+
+    xserver_exec_xauth(zabbix_t)
+')
+
 optional_policy(`
-	netutils_domtrans_ping(zabbix_t)
+    tunable_policy(`zabbix_run_sudo',`
+        sudo_exec(zabbix_t)
+        su_exec(zabbix_t)
+    ')
 ')
 
 optional_policy(`
 	mysql_stream_connect(zabbix_t)
-	mysql_tcp_connect(zabbix_t)
+')
+
+optional_policy(`
+	netutils_domtrans_ping(zabbix_t)
 ')
 
 optional_policy(`
@@ -125,6 +192,7 @@ optional_policy(`
 
 optional_policy(`
 	snmp_read_snmp_var_lib_files(zabbix_t)
+	snmp_read_snmp_var_lib_dirs(zabbix_t)
 ')
 
 ########################################
@@ -132,18 +200,9 @@ optional_policy(`
 # Agent local policy
 #
 
-allow zabbix_agent_t self:capability { setuid setgid };
-allow zabbix_agent_t self:process { setsched getsched signal };
-allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
-allow zabbix_agent_t self:sem create_sem_perms;
-allow zabbix_agent_t self:shm create_shm_perms;
-allow zabbix_agent_t self:tcp_socket { accept listen };
-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_agent_t self:process { setrlimit };
 
-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
 
 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
 fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
@@ -151,16 +210,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
 manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
 files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
 
-kernel_read_all_sysctls(zabbix_agent_t)
 kernel_read_system_state(zabbix_agent_t)
-
-corecmd_read_all_executables(zabbix_agent_t)
+kernel_read_network_state(zabbix_agent_t)
 
 corenet_all_recvfrom_unlabeled(zabbix_agent_t)
 corenet_all_recvfrom_netlabel(zabbix_agent_t)
-corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
-corenet_tcp_sendrecv_generic_node(zabbix_agent_t)
-corenet_tcp_bind_generic_node(zabbix_agent_t)
+
+corecmd_read_all_executables(zabbix_agent_t)
 
 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
 corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
@@ -170,28 +226,108 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
 corenet_tcp_connect_ssh_port(zabbix_agent_t)
 corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
 
+corenet_sendrecv_ftp_client_packets(zabbix_agent_t)
+corenet_tcp_connect_ftp_port(zabbix_agent_t)
+corenet_tcp_sendrecv_ftp_port(zabbix_agent_t)
+
+corenet_sendrecv_http_client_packets(zabbix_agent_t)
+corenet_tcp_connect_http_port(zabbix_agent_t)
+corenet_tcp_sendrecv_http_port(zabbix_agent_t)
+
+corenet_sendrecv_innd_client_packets(zabbix_agent_t)
+corenet_tcp_connect_innd_port(zabbix_agent_t)
+corenet_tcp_sendrecv_innd_port(zabbix_agent_t)
+
+corenet_sendrecv_pop_client_packets(zabbix_agent_t)
+corenet_tcp_connect_pop_port(zabbix_agent_t)
+corenet_tcp_sendrecv_pop_port(zabbix_agent_t)
+
+corenet_tcp_connect_postgresql_port(zabbix_agent_t)
+
+corenet_sendrecv_smtp_client_packets(zabbix_agent_t)
+corenet_tcp_connect_smtp_port(zabbix_agent_t)
+corenet_tcp_sendrecv_smtp_port(zabbix_agent_t)
+
 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
 corenet_tcp_connect_zabbix_port(zabbix_agent_t)
 corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
 
+corenet_tcp_connect_redis_port(zabbix_agent_t)
+corenet_tcp_sendrecv_redis_port(zabbix_agent_t)
+
 dev_getattr_all_blk_files(zabbix_agent_t)
 dev_getattr_all_chr_files(zabbix_agent_t)
 
-domain_search_all_domains_state(zabbix_agent_t)
+domain_read_all_domains_state(zabbix_agent_t)
 
 files_getattr_all_dirs(zabbix_agent_t)
 files_getattr_all_files(zabbix_agent_t)
 files_read_all_symlinks(zabbix_agent_t)
-files_read_etc_files(zabbix_agent_t)
 
 fs_getattr_all_fs(zabbix_agent_t)
 
+auth_use_nsswitch(zabbix_agent_t)
+
 init_read_utmp(zabbix_agent_t)
 
 logging_search_logs(zabbix_agent_t)
 
-miscfiles_read_localization(zabbix_agent_t)
-
 sysnet_dns_name_resolve(zabbix_agent_t)
 
 zabbix_tcp_connect(zabbix_agent_t)
+
+zabbix_script_domtrans(zabbix_agent_t)
+
+tunable_policy(`zabbix_run_sudo',`
+    allow zabbix_agent_t self:capability { setuid setgid sys_resource };
+    allow zabbix_agent_t self:process { setrlimit setsched };
+    allow zabbix_agent_t self:key write;
+    allow zabbix_agent_t self:passwd { passwd rootok };
+
+    auth_rw_lastlog(zabbix_agent_t)
+    auth_rw_faillog(zabbix_agent_t)
+    auth_exec_chkpwd(zabbix_agent_t)
+
+    selinux_compute_access_vector(zabbix_agent_t)
+
+    systemd_write_inherited_logind_sessions_pipes(zabbix_agent_t)
+    systemd_dbus_chat_logind(zabbix_agent_t)
+
+    xserver_exec_xauth(zabbix_agent_t)
+')
+
+optional_policy(`
+    tunable_policy(`zabbix_run_sudo',`
+        sudo_exec(zabbix_agent_t)
+        su_exec(zabbix_agent_t)
+    ')
+')
+
+optional_policy(`
+	dmidecode_domtrans(zabbix_agent_t)
+')
+
+optional_policy(`
+	hostname_exec(zabbix_agent_t)
+')
+
+########################################
+#
+# zabbix_script_t local policy
+#
+
+domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t)
+
+allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;
+allow zabbix_t zabbix_script_exec_t:dir read_file_perms;
+allow zabbix_t zabbix_script_exec_t:file ioctl;
+
+init_domtrans_script(zabbix_script_t)
+
+optional_policy(`
+    mta_send_mail(zabbix_script_t)
+')
+
+optional_policy(`
+    unconfined_domain(zabbix_script_t)
+')
diff --git a/zarafa.fc b/zarafa.fc
index faf99ed513..44e94fad9f 100644
--- a/zarafa.fc
+++ b/zarafa.fc
@@ -1,33 +1,34 @@
-/etc/zarafa(/.*)?	gen_context(system_u:object_r:zarafa_etc_t,s0)
+/etc/zarafa(/.*)?		gen_context(system_u:object_r:zarafa_etc_t,s0)
 
-/etc/rc\.d/init\.d/zarafa.*	--	gen_context(system_u:object_r:zarafa_initrc_exec_t,s0)
+/usr/bin/zarafa-dagent		--	gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+/usr/bin/zarafa-gateway		--	gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+/usr/bin/zarafa-ical		--	gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+/usr/bin/zarafa-indexer		--	gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-monitor		--	gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+/usr/bin/zarafa-search      --  gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-server		--	gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+/usr/bin/zarafa-spooler		--	gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
 
-/usr/bin/zarafa-dagent	--	gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
-/usr/bin/zarafa-gateway	--	gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
-/usr/bin/zarafa-ical	--	gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
-/usr/bin/zarafa-indexer	--	gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
-/usr/bin/zarafa-monitor	--	gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
-/usr/bin/zarafa-server	--	gen_context(system_u:object_r:zarafa_server_exec_t,s0)
-/usr/bin/zarafa-spooler	--	gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-
-/var/lib/zarafa(/.*)?	gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa(/.*)?			gen_context(system_u:object_r:zarafa_var_lib_t,s0)
 /var/lib/zarafa-webaccess(/.*)?	gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-/var/lib/zarafa-webapp(/.*)?	gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
 
-/var/log/zarafa/dagent\.log.*	--	gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
+/var/log/zarafa/dagent\.log.*	    --  gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
 /var/log/zarafa/gateway\.log.*	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
 /var/log/zarafa/ical\.log.*	--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
 /var/log/zarafa/indexer\.log.*	--	gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
 /var/log/zarafa/monitor\.log.*	--	gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
 /var/log/zarafa/server\.log.*	--	gen_context(system_u:object_r:zarafa_server_log_t,s0)
+/var/log/zarafa/search\.log.*   --  gen_context(system_u:object_r:zarafa_indexer_log_t,s0) 
 /var/log/zarafa/spooler\.log.*	--	gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
 
-/var/run/zarafa	-s	gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
-/var/run/zarafa-dagent\.pid	--	gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
+/var/run/zarafa			-s	gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-dagent\.pid     --  gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
 /var/run/zarafa-gateway\.pid	--	gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
 /var/run/zarafa-ical\.pid	--	gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
-/var/run/zarafa-indexer	-s	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/var/run/zarafa-indexer		-s	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
 /var/run/zarafa-indexer\.pid	--	gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
 /var/run/zarafa-monitor\.pid	--	gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
 /var/run/zarafa-server\.pid	--	gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-search\.pid --  gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
 /var/run/zarafa-spooler\.pid	--	gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
diff --git a/zarafa.if b/zarafa.if
index 36e32df6dc..3d089626ed 100644
--- a/zarafa.if
+++ b/zarafa.if
@@ -1,55 +1,59 @@
 ## <summary>Zarafa collaboration platform.</summary>
 
-#######################################
+######################################
 ## <summary>
-##	The template to define a zarafa domain.
+##	Creates types and rules for a basic
+##	zararfa init daemon domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
 template(`zarafa_domain_template',`
 	gen_require(`
-		attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
+		attribute zarafa_domain;
 	')
 
-	########################################
+	##############################
 	#
-	# Declarations
+	# $1_t declarations
 	#
 
 	type zarafa_$1_t, zarafa_domain;
 	type zarafa_$1_exec_t;
 	init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
 
-	type zarafa_$1_log_t, zarafa_logfile;
+	type zarafa_$1_log_t;
 	logging_log_file(zarafa_$1_log_t)
 
-	type zarafa_$1_var_run_t, zarafa_pidfile;
+	type zarafa_$1_var_run_t;
 	files_pid_file(zarafa_$1_var_run_t)
 
-	########################################
+	##############################
 	#
-	# Policy
+	# $1_t local policy
 	#
 
 	manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
 	manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
 	files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
 
-	append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
-	create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
-	setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
-	logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file)
+	manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+	logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
+
+	kernel_read_system_state(zarafa_$1_t)
 
 	auth_use_nsswitch(zarafa_$1_t)
+
+	logging_send_syslog_msg(zarafa_$1_t)
 ')
 
 ######################################
 ## <summary>
-##	search zarafa configuration directories.
+##	Allow the specified domain to search
+##	zarafa configuration dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -68,7 +72,7 @@ interface(`zarafa_search_config',`
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run zarafa deliver.
+##	Execute a domain transition to run zarafa_deliver.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -81,13 +85,12 @@ interface(`zarafa_domtrans_deliver',`
 		type zarafa_deliver_t, zarafa_deliver_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run zarafa server.
+##	Execute a domain transition to run zarafa_server.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -100,14 +103,12 @@ interface(`zarafa_domtrans_server',`
 		type zarafa_server_t, zarafa_server_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
 ')
 
 #######################################
 ## <summary>
-##	Connect to zarafa server with a unix
-##	domain stream socket.
+##	Connect to zarafa-server unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -124,51 +125,24 @@ interface(`zarafa_stream_connect_server',`
 	stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
 ')
 
-########################################
+####################################
 ## <summary>
-##	All of the rules required to
-##	administrate an zarafa environment.
+##  Allow the specified domain to manage
+##  zarafa /var/lib files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
-## <rolecap/>
 #
-interface(`zarafa_admin',`
-	gen_require(`
-		attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
-		type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t;
-		type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t;
-		type zarafa_var_lib_t;
-	')
-
-	allow $1 zarafa_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, zarafa_domain)
-
-	init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 zarafa_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_search_etc($1)
-	admin_pattern($1, zarafa_etc_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t })
-
-	logging_search_log($1)
-	admin_pattern($1, zarafa_logfile)
-
-	files_search_var_lib($1)
-	admin_pattern($1, { zarafa_var_lib_t zarafa_share_t })
-
-	files_search_pids($1)
-	admin_pattern($1, zarafa_pidfile)
+interface(`zarafa_manage_lib_files',`
+    gen_require(`
+        type zarafa_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+    manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 ')
diff --git a/zarafa.te b/zarafa.te
index 3fded1c4d8..8bea5e820a 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
 # Declarations
 #
 
+## <desc>
+##  <p>
+## Allow zarafa domains to setrlimit/sys_resource.
+##  </p>
+## </desc>
+gen_tunable(zarafa_setrlimit, false)
+
 attribute zarafa_domain;
-attribute zarafa_logfile;
-attribute zarafa_pidfile;
 
 zarafa_domain_template(deliver)
 
@@ -17,9 +22,6 @@ files_tmp_file(zarafa_deliver_tmp_t)
 type zarafa_etc_t;
 files_config_file(zarafa_etc_t)
 
-type zarafa_initrc_exec_t;
-init_script_file(zarafa_initrc_exec_t)
-
 zarafa_domain_template(gateway)
 zarafa_domain_template(ical)
 zarafa_domain_template(indexer)
@@ -43,61 +45,74 @@ files_tmp_file(zarafa_var_lib_t)
 
 ########################################
 #
-# Deliver local policy
+# zarafa-deliver local policy
 #
 
 manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
 manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
 files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
 
+auth_use_nsswitch(zarafa_deliver_t)
+
+corenet_tcp_bind_lmtp_port(zarafa_deliver_t)
+
 ########################################
 #
-# Gateway local policy
+# zarafa_gateway local policy
 #
-
-corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
 corenet_all_recvfrom_netlabel(zarafa_gateway_t)
 corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
 corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
+corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
 corenet_tcp_bind_generic_node(zarafa_gateway_t)
-
-corenet_sendrecv_pop_server_packets(zarafa_gateway_t)
 corenet_tcp_bind_pop_port(zarafa_gateway_t)
-corenet_tcp_sendrecv_pop_port(zarafa_gateway_t)
+
+######################################
+#
+# zarafa-indexer local policy
+#
+
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
+
+manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+
+auth_use_nsswitch(zarafa_indexer_t)
 
 #######################################
 #
-# Ical local policy
+# zarafa-ical local policy
 #
 
-corenet_all_recvfrom_unlabeled(zarafa_ical_t)
+
 corenet_all_recvfrom_netlabel(zarafa_ical_t)
 corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
 corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
+corenet_tcp_sendrecv_all_ports(zarafa_ical_t)
 corenet_tcp_bind_generic_node(zarafa_ical_t)
-
-corenet_sendrecv_http_cache_client_packets(zarafa_ical_t)
 corenet_tcp_bind_http_cache_port(zarafa_ical_t)
-corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t)
+
+auth_use_nsswitch(zarafa_ical_t)
 
 ######################################
 #
-# Indexer local policy
+# zarafa-monitor local policy
 #
 
-manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
-manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
-files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
 
-manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
-manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
-manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+auth_use_nsswitch(zarafa_monitor_t)
 
 ########################################
 #
-# Server local policy
+# zarafa_server local policy
 #
 
+allow zarafa_server_t self:capability net_bind_service;
+
 manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
 manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
 files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
@@ -109,70 +124,85 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
 
 stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
 
-corenet_all_recvfrom_unlabeled(zarafa_server_t)
 corenet_all_recvfrom_netlabel(zarafa_server_t)
 corenet_tcp_sendrecv_generic_if(zarafa_server_t)
 corenet_tcp_sendrecv_generic_node(zarafa_server_t)
+corenet_tcp_sendrecv_all_ports(zarafa_server_t)
 corenet_tcp_bind_generic_node(zarafa_server_t)
-
-corenet_sendrecv_zarafa_server_packets(zarafa_server_t)
 corenet_tcp_bind_zarafa_port(zarafa_server_t)
-corenet_tcp_sendrecv_zarafa_port(zarafa_server_t)
 
-files_read_usr_files(zarafa_server_t)
 
+auth_use_nsswitch(zarafa_server_t)
+
+logging_send_syslog_msg(zarafa_server_t)
 logging_send_audit_msgs(zarafa_server_t)
 
+sysnet_dns_name_resolve(zarafa_server_t)
+
 optional_policy(`
 	kerberos_use(zarafa_server_t)
 ')
 
 optional_policy(`
 	mysql_stream_connect(zarafa_server_t)
-	mysql_tcp_connect(zarafa_server_t)
-')
-
-optional_policy(`
-	postgresql_stream_connect(zarafa_server_t)
-	postgresql_tcp_connect(zarafa_server_t)
 ')
 
 ########################################
 #
-# Spooler local policy
+# zarafa_spooler local policy
 #
 
 can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
 
-corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
 corenet_all_recvfrom_netlabel(zarafa_spooler_t)
 corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
 corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
-
-corenet_sendrecv_smtp_client_packets(zarafa_spooler_t)
+corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
 corenet_tcp_connect_smtp_port(zarafa_spooler_t)
-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
+
+auth_use_nsswitch(zarafa_spooler_t)
 
 ########################################
 #
-# Zarafa domain local policy
+# zarafa_gateway local policy
 #
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
 
-allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
-allow zarafa_domain self:process { setrlimit signal };
+#######################################
+#
+# zarafa-ical local policy
+#
+
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
+######################################
+#
+# zarafa-monitor local policy
+#
+
+
+########################################
+#
+# zarafa domains local policy
+#
+
+# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { kill dac_read_search dac_override chown setgid setuid };
+allow zarafa_domain self:process { signal_perms };
 allow zarafa_domain self:fifo_file rw_fifo_file_perms;
-allow zarafa_domain self:tcp_socket { accept listen };
-allow zarafa_domain self:unix_stream_socket { accept listen };
+allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
+
+tunable_policy(`zarafa_setrlimit',`
+    allow zarafa_domain self:capability sys_resource;
+    allow zarafa_domain self:process setrlimit;
+')
 
 stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
 
 read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
 
-kernel_read_system_state(zarafa_domain)
-
 dev_read_rand(zarafa_domain)
 dev_read_urand(zarafa_domain)
 
-logging_send_syslog_msg(zarafa_domain)
-
-miscfiles_read_localization(zarafa_domain)
+dev_read_sysfs(zarafa_domain)
diff --git a/zebra.fc b/zebra.fc
index 28ee4cac93..bc37f76918 100644
--- a/zebra.fc
+++ b/zebra.fc
@@ -1,21 +1,34 @@
-/etc/quagga(/.*)?	gen_context(system_u:object_r:zebra_conf_t,s0)
-/etc/zebra(/.*)?	gen_context(system_u:object_r:zebra_conf_t,s0)
-
 /etc/rc\.d/init\.d/bgpd	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ospf6d	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ospfd	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospf6d --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospfd --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ripd	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ripngd	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/zebra	--	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra --	gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/babeld -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/isisd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/babeld.*    --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/bgpd.*      --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/isisd.*     --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ospf6d.*    --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ospfd.*     --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ripd.*      --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ripngd.*    --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/zebra.*     --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
 
-/usr/sbin/bgpd	--	gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/babeld    --  gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/bgpd		--	gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/isisd     --  gen_context(system_u:object_r:zebra_exec_t,s0)
 /usr/sbin/ospf.*	--	gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/rip.*	--	gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/zebra	--	gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.*		--	gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra		--	gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/etc/quagga(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)?		gen_context(system_u:object_r:zebra_conf_t,s0)
 
-/var/log/quagga(/.*)?	gen_context(system_u:object_r:zebra_log_t,s0)
-/var/log/zebra(/.*)?	gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/quagga(/.*)?		gen_context(system_u:object_r:zebra_log_t,s0)
+/var/log/zebra(/.*)?		gen_context(system_u:object_r:zebra_log_t,s0)
 
 /var/run/\.zebra	-s	gen_context(system_u:object_r:zebra_var_run_t,s0)
 /var/run/\.zserv	-s	gen_context(system_u:object_r:zebra_var_run_t,s0)
-/var/run/quagga(/.*)?	gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/quagga(/.*)?		gen_context(system_u:object_r:zebra_var_run_t,s0)
diff --git a/zebra.if b/zebra.if
index 34164017bf..e364caf4bf 100644
--- a/zebra.if
+++ b/zebra.if
@@ -1,8 +1,8 @@
-## <summary>Zebra border gateway protocol network routing service.</summary>
+## <summary>Zebra border gateway protocol network routing service</summary>
 
 ########################################
 ## <summary>
-##	Read zebra configuration content.
+##	Read the configuration files for zebra.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -18,14 +18,13 @@ interface(`zebra_read_config',`
 
 	files_search_etc($1)
 	allow $1 zebra_conf_t:dir list_dir_perms;
-	allow $1 zebra_conf_t:file read_file_perms;
-	allow $1 zebra_conf_t:lnk_file read_lnk_file_perms;
+	read_files_pattern($1, zebra_conf_t, zebra_conf_t)
+	read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to zebra with a unix
-##	domain stream socket.
+##	Connect to zebra over an unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -42,10 +41,34 @@ interface(`zebra_stream_connect',`
 	stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
 ')
 
+#######################################
+## <summary>
+##  Execute zebra services in the zebra domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`zebra_systemctl',`
+    gen_require(`
+        type zebra_t;
+        type zebra_unit_file_t;
+    ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        allow $1 zebra_unit_file_t:file read_file_perms;
+        allow $1 zebra_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, zebra_t)
+')
+
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an zebra environment.
+##	All of the rules required to administrate
+##	an zebra environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54,7 +77,7 @@ interface(`zebra_stream_connect',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the zebra domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -62,13 +85,16 @@ interface(`zebra_stream_connect',`
 interface(`zebra_admin',`
 	gen_require(`
 		type zebra_t, zebra_tmp_t, zebra_log_t;
-		type zebra_conf_t, zebra_var_run_t;
-		type zebra_initrc_exec_t;
+		type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
 	')
 
-	allow $1 zebra_t:process { ptrace signal_perms };
+	allow $1 zebra_t:process signal_perms;
 	ps_process_pattern($1, zebra_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 zebra_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 zebra_initrc_exec_t system_r;
@@ -85,4 +111,8 @@ interface(`zebra_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, zebra_var_run_t)
+
+    zebra_systemctl($1)
+    admin_pattern($1, zebra_unit_file_t)
+    allow $1 zebra_unit_file_t:service all_service_perms;
 ')
diff --git a/zebra.te b/zebra.te
index 2e80d04fc6..5bf04b2d0e 100644
--- a/zebra.te
+++ b/zebra.te
@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether zebra daemon can
-##	manage its configuration files.
-##	</p>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
 ## </desc>
-gen_tunable(allow_zebra_write_config, false)
+#
+gen_tunable(zebra_write_config, false)
 
 type zebra_t;
 type zebra_exec_t;
 init_daemon_domain(zebra_t, zebra_exec_t)
 
 type zebra_conf_t;
-files_type(zebra_conf_t)
+files_config_file(zebra_conf_t)
 
 type zebra_initrc_exec_t;
 init_script_file(zebra_initrc_exec_t)
 
+type zebra_unit_file_t;
+systemd_unit_file(zebra_unit_file_t)
+
 type zebra_log_t;
 logging_log_file(zebra_log_t)
 
@@ -40,26 +43,27 @@ files_pid_file(zebra_var_run_t)
 allow zebra_t self:capability { setgid setuid net_admin net_raw };
 dontaudit zebra_t self:capability sys_tty_config;
 allow zebra_t self:process { signal_perms getcap setcap };
-allow zebra_t self:fifo_file rw_fifo_file_perms;
-allow zebra_t self:unix_stream_socket { accept connectto listen };
+allow zebra_t self:file rw_file_perms;
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
 allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;
 
 allow zebra_t zebra_conf_t:dir list_dir_perms;
-allow zebra_t zebra_conf_t:file read_file_perms;
-allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms;
+read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 
 allow zebra_t zebra_log_t:dir setattr_dir_perms;
-append_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
-create_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
-setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
 
-allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
-files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+# /tmp/.bgpd is such a bad idea!
+manage_sock_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
+manage_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
+files_tmp_filetrans(zebra_t, zebra_tmp_t, { file sock_file })
 
 manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
 manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
@@ -71,7 +75,6 @@ kernel_read_network_state(zebra_t)
 kernel_read_kernel_sysctls(zebra_t)
 kernel_rw_net_sysctls(zebra_t)
 
-corenet_all_recvfrom_unlabeled(zebra_t)
 corenet_all_recvfrom_netlabel(zebra_t)
 corenet_tcp_sendrecv_generic_if(zebra_t)
 corenet_udp_sendrecv_generic_if(zebra_t)
@@ -79,48 +82,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
 corenet_tcp_sendrecv_generic_node(zebra_t)
 corenet_udp_sendrecv_generic_node(zebra_t)
 corenet_raw_sendrecv_generic_node(zebra_t)
+corenet_tcp_sendrecv_all_ports(zebra_t)
+corenet_udp_sendrecv_all_ports(zebra_t)
 corenet_tcp_bind_generic_node(zebra_t)
 corenet_udp_bind_generic_node(zebra_t)
-
-corenet_sendrecv_bgp_server_packets(zebra_t)
 corenet_tcp_bind_bgp_port(zebra_t)
-corenet_sendrecv_bgp_client_packets(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
 corenet_tcp_connect_bgp_port(zebra_t)
-corenet_tcp_sendrecv_bgp_port(zebra_t)
-
 corenet_sendrecv_zebra_server_packets(zebra_t)
-corenet_tcp_bind_zebra_port(zebra_t)
-corenet_tcp_sendrecv_zebra_port(zebra_t)
-
 corenet_sendrecv_router_server_packets(zebra_t)
-corenet_udp_bind_router_port(zebra_t)
-corenet_udp_sendrecv_router_port(zebra_t)
 
 dev_associate_usbfs(zebra_var_run_t)
 dev_list_all_dev_nodes(zebra_t)
+dev_read_rand(zebra_t)
+dev_read_urand(zebra_t)
 dev_read_sysfs(zebra_t)
 dev_rw_zero(zebra_t)
 
-domain_use_interactive_fds(zebra_t)
-
-files_read_etc_files(zebra_t)
-files_read_etc_runtime_files(zebra_t)
-
 fs_getattr_all_fs(zebra_t)
 fs_search_auto_mountpoints(zebra_t)
 
 term_list_ptys(zebra_t)
 
-logging_send_syslog_msg(zebra_t)
+domain_use_interactive_fds(zebra_t)
+
+files_search_etc(zebra_t)
+files_read_etc_runtime_files(zebra_t)
 
-miscfiles_read_localization(zebra_t)
+auth_use_nsswitch(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
 
 sysnet_read_config(zebra_t)
 
 userdom_dontaudit_use_unpriv_user_fds(zebra_t)
 userdom_dontaudit_search_user_home_dirs(zebra_t)
 
-tunable_policy(`allow_zebra_write_config',`
+tunable_policy(`zebra_write_config',`
 	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 ')
 
@@ -139,3 +138,7 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(zebra_t)
 ')
+
+optional_policy(`
+	unconfined_sigchld(zebra_t)
+')
diff --git a/zoneminder.fc b/zoneminder.fc
new file mode 100644
index 0000000000..ceaa219dc3
--- /dev/null
+++ b/zoneminder.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/zoneminder	--	gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
+
+/usr/bin/zmpkg.pl		--	gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
+/usr/lib/systemd/system/zoneminder.* --  gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
+
+/usr/libexec/zoneminder/cgi-bin(/.*)? 	gen_context(system_u:object_r:zoneminder_script_exec_t,s0)
+
+/var/lib/zoneminder(/.*)?		gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
+
+/var/log/zoneminder(/.*)?		gen_context(system_u:object_r:zoneminder_log_t,s0)
+
+/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
index 0000000000..fb0519ebfb
--- /dev/null
+++ b/zoneminder.if
@@ -0,0 +1,374 @@
+## <summary>policy for zoneminder</summary>
+
+########################################
+## <summary>
+##	Transition to zoneminder.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zoneminder_domtrans',`
+	gen_require(`
+		type zoneminder_t, zoneminder_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute zoneminder
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zoneminder_exec',`
+	gen_require(`
+		type zoneminder_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, zoneminder_exec_t)
+')
+
+
+########################################
+## <summary>
+##	Execute zoneminder server in the zoneminder domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_initrc_domtrans',`
+	gen_require(`
+		type zoneminder_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+##	Read zoneminder's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`zoneminder_read_log',`
+	gen_require(`
+		type zoneminder_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+## <summary>
+##	Append to zoneminder log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_append_log',`
+	gen_require(`
+		type zoneminder_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+## <summary>
+##	Manage zoneminder log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_manage_log',`
+	gen_require(`
+		type zoneminder_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
+	manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+	manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
+')
+
+########################################
+## <summary>
+##	Search zoneminder lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_search_lib',`
+	gen_require(`
+		type zoneminder_var_lib_t;
+	')
+
+	allow $1 zoneminder_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read zoneminder lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_read_lib_files',`
+	gen_require(`
+		type zoneminder_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage zoneminder lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_manage_lib_files',`
+	gen_require(`
+		type zoneminder_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage zoneminder lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_manage_lib_dirs',`
+	gen_require(`
+		type zoneminder_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+## <summary>
+##  Manage zoneminder sock_files files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`zoneminder_manage_lib_sock_files',`
+    gen_require(`
+        type zoneminder_var_lib_t;
+    ')
+    files_search_var_lib($1)
+    manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Search zoneminder spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_search_spool',`
+	gen_require(`
+		type zoneminder_spool_t;
+	')
+
+	allow $1 zoneminder_spool_t:dir search_dir_perms;
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
+##	Read zoneminder spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_read_spool_files',`
+	gen_require(`
+		type zoneminder_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+## <summary>
+##	Manage zoneminder spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_manage_spool_files',`
+	gen_require(`
+		type zoneminder_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+## <summary>
+##	Manage zoneminder spool dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_manage_spool_dirs',`
+	gen_require(`
+		type zoneminder_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
+')
+
+########################################
+## <summary>
+##	Connect to zoneminder over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zoneminder_stream_connect',`
+	gen_require(`
+		type zoneminder_t, zoneminder_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
+')
+
+######################################
+## <summary>
+##  Read/write zonerimender tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`zoneminder_rw_tmpfs_files',`
+    gen_require(`
+        type zoneminder_tmpfs_t;
+    ')
+
+    fs_search_tmpfs($1)
+    rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an zoneminder environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`zoneminder_admin',`
+	gen_require(`
+		type zoneminder_t;
+	type zoneminder_initrc_exec_t;
+	type zoneminder_log_t;
+	type zoneminder_var_lib_t;
+	type zoneminder_spool_t;
+	')
+
+	allow $1 zoneminder_t:process { ptrace signal_perms };
+	ps_process_pattern($1, zoneminder_t)
+
+	zoneminder_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 zoneminder_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_search_logs($1)
+	admin_pattern($1, zoneminder_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, zoneminder_var_lib_t)
+
+	files_search_spool($1)
+	admin_pattern($1, zoneminder_spool_t)
+
+')
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
index 0000000000..ba1d14974f
--- /dev/null
+++ b/zoneminder.te
@@ -0,0 +1,189 @@
+policy_module(zoneminder, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow ZoneMinder to run su/sudo.
+## </p>
+## </desc>
+gen_tunable(zoneminder_run_sudo, false)
+
+
+## <desc>
+## <p>
+## Allow ZoneMinder to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(zoneminder_anon_write, false)
+
+gen_require(`
+    class passwd rootok;
+    class passwd passwd;
+    ')
+
+type zoneminder_t;
+type zoneminder_exec_t;
+init_daemon_domain(zoneminder_t, zoneminder_exec_t)
+
+type zoneminder_unit_file_t;
+systemd_unit_file(zoneminder_unit_file_t)
+
+type zoneminder_initrc_exec_t;
+init_script_file(zoneminder_initrc_exec_t)
+
+type zoneminder_log_t;
+logging_log_file(zoneminder_log_t)
+
+type zoneminder_tmpfs_t;
+files_tmpfs_file(zoneminder_tmpfs_t)
+
+type zoneminder_spool_t;
+files_type(zoneminder_spool_t)
+
+type zoneminder_var_lib_t;
+files_type(zoneminder_var_lib_t)
+
+type zoneminder_var_run_t;
+files_pid_file(zoneminder_var_run_t)
+
+########################################
+#
+# zoneminder local policy
+#
+allow zoneminder_t self:capability { chown dac_read_search dac_override };
+allow zoneminder_t self:process { signal_perms setpgid };
+allow zoneminder_t self:shm create_shm_perms;
+allow zoneminder_t self:fifo_file rw_fifo_file_perms;
+allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow zoneminder_t self:netlink_selinux_socket create_socket_perms;
+
+manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
+files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
+files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
+
+kernel_read_system_state(zoneminder_t)
+
+domain_read_all_domains_state(zoneminder_t)
+
+corecmd_exec_bin(zoneminder_t)
+corecmd_exec_shell(zoneminder_t)
+
+corenet_tcp_bind_http_cache_port(zoneminder_t)
+corenet_tcp_bind_transproxy_port(zoneminder_t)
+corenet_tcp_connect_http_port(zoneminder_t)
+
+dev_read_sysfs(zoneminder_t)
+dev_read_rand(zoneminder_t)
+dev_read_urand(zoneminder_t)
+dev_read_video_dev(zoneminder_t)
+dev_write_video_dev(zoneminder_t)
+
+fs_getattr_xattr_fs(zoneminder_t)
+
+auth_use_nsswitch(zoneminder_t)
+#auth_read_shadow(zoneminder_t)     need to debug zmpkg.pl to see why is needed this rule.
+
+logging_send_syslog_msg(zoneminder_t)
+logging_send_audit_msgs(zoneminder_t)
+
+mta_send_mail(zoneminder_t)
+
+tunable_policy(`zoneminder_anon_write',`
+	miscfiles_manage_public_files(zoneminder_t)
+')
+
+tunable_policy(`zoneminder_run_sudo',`
+    allow zoneminder_t self:capability { setuid setgid sys_resource };
+    allow zoneminder_t self:process { setrlimit setsched };
+    allow zoneminder_t self:key write;
+    allow zoneminder_t self:passwd { passwd rootok };
+
+    auth_rw_lastlog(zoneminder_t)
+    auth_rw_faillog(zoneminder_t)
+    auth_exec_chkpwd(zoneminder_t)
+
+    selinux_compute_access_vector(zoneminder_t)
+
+    systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
+    systemd_dbus_chat_logind(zoneminder_t)
+
+    xserver_exec_xauth(zoneminder_t)
+')
+
+optional_policy(`
+    tunable_policy(`zoneminder_run_sudo',`
+        sudo_exec(zoneminder_t)
+        su_exec(zoneminder_t)
+    ')
+')
+
+optional_policy(`
+    dbus_system_bus_client(zoneminder_t)
+')
+
+
+optional_policy(`
+	mysql_stream_connect(zoneminder_t)
+')
+
+optional_policy(`
+    fprintd_dbus_chat(zoneminder_t)
+')
+
+optional_policy(`
+    motion_manage_all_files(zoneminder_t)
+')
+
+########################################
+#
+# zoneminder cgi local policy
+#
+
+optional_policy(`
+	apache_content_template(zoneminder)
+	apache_content_alias_template(zoneminder, zoneminder)
+
+	# need more testing
+	#allow zoneminder_script_t self:shm create_shm_perms;
+
+	manage_sock_files_pattern(zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+
+    rw_files_pattern(zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
+
+	zoneminder_stream_connect(zoneminder_script_t)
+
+    can_exec(zoneminder_t, zoneminder_script_exec_t)
+	
+	files_search_var_lib(zoneminder_script_t)
+
+	logging_send_syslog_msg(zoneminder_script_t)
+
+	optional_policy(`
+	    	mysql_stream_connect(zoneminder_script_t)
+	')
+')
diff --git a/zosremote.if b/zosremote.if
index b14698c4f5..16e1581a00 100644
--- a/zosremote.if
+++ b/zosremote.if
@@ -35,6 +35,7 @@ interface(`zosremote_domtrans',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`zosremote_run',`
 	gen_require(`
diff --git a/zosremote.te b/zosremote.te
index bc6a5db700..0abdcebcb8 100644
--- a/zosremote.te
+++ b/zosremote.te
@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen };
 
 auth_use_nsswitch(zos_remote_t)
 
-miscfiles_read_localization(zos_remote_t)
-
 logging_send_syslog_msg(zos_remote_t)