diff --git a/abrt.fc b/abrt.fc
index e4f84de..6098f52 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,30 +1,46 @@
-/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 
-/usr/bin/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages	--	gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.*	--	gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-watch-log         --      gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+
+/usr/sbin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus		--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.*	--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-install-ccpp-hook --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch --  gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
 
-/usr/libexec/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 /usr/libexec/abrt-handle-event	--	gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
-/usr/libexec/abrt-hook-python	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 
-/usr/sbin/abrtd	--	gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-dbus	--	gen_context(system_u:object_r:abrt_exec_t,s0)
+/var/cache/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)?		gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+/var/log/abrt-logger.*		--	gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/rhsm/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/tmp/abrt(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
 
-/var/cache/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-di(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+# ABRT retrace server
+/usr/bin/abrt-retrace-worker				--      gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages					--		gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
 
-/var/log/abrt-logger.*	--	gen_context(system_u:object_r:abrt_var_log_t,s0)
+/var/cache/abrt-retrace(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/abrt-retrace(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/faf(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 
-/var/run/abrt\.pid	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.lock	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.socket	-s	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_run_t,s0)
 
-/var/spool/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+# cjp: new version
+/usr/bin/retrace-server-worker				--      gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
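Review bot: The rebuilt `/var/run/abrtd?\.socket` entry changes its file-type flag from `-s` (socket) on the old side to `--` (regular file), so a unix socket at that path no longer matches and on relabel would take its parent directory's context instead of abrt_var_run_t. If the path is a socket, keep `/var/run/abrtd?\.socket		-s	gen_context(system_u:object_r:abrt_var_run_t,s0)`. The tunable description added in abrt.te refers to /var/spool/abrt-upload/, but no file context for that path appears here, so it presumably inherits the generic spool label — worth checking. The `# cjp: new version` developer note should be replaced by a comment saying what the entries are for (the retrace-server paths, as far as the names suggest).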
diff --git a/abrt.if b/abrt.if
index 058d908..cf17e67 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
-## <summary>Automated bug-reporting tool.</summary>
+## <summary>ABRT - automated bug-reporting tool</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  ABRT daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`abrt_basic_types_template',`
+    gen_require(`
+        attribute abrt_domain;
+    ')
+
+    type $1_t, abrt_domain;
+    type $1_exec_t;
+
+	kernel_read_system_state($1_t)
+')
 
 ######################################
 ## <summary>
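Review bot: The template's summary says it "creates types and rules" but never names the one rule it grants, `kernel_read_system_state($1_t)`, so every domain built with it silently gets /proc read access that is invisible at the call site; the summary should state it, e.g. `## Creates the domain and entry-point types for an ABRT domain, adds them to abrt_domain, and grants kernel_read_system_state.` The body also mixes four-space indentation with a tab on the `kernel_read_system_state` line, unlike the tab-indented interfaces elsewhere in the file.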
@@ -40,7 +62,25 @@ interface(`abrt_exec',`
 
 ########################################
 ## <summary>
-##	Send null signals to abrt.
+##	Send a signal to abrt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_signal',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	allow $1 abrt_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send a null signal to abrt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58,7 +98,7 @@ interface(`abrt_signull',`
 
 ########################################
 ## <summary>
-##	Read process state of abrt.
+##	Allow the domain to read abrt state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -71,12 +111,13 @@ interface(`abrt_read_state',`
 		type abrt_t;
 	')
 
+	kernel_search_proc($1)
 	ps_process_pattern($1, abrt_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to abrt over an unix stream socket.
+##	Connect to abrt over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -116,8 +157,7 @@ interface(`abrt_dbus_chat',`
 
 #####################################
 ## <summary>
-##	Execute abrt-helper in the abrt
-##	helper domain.
+##	Execute abrt-helper in the abrt-helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -130,15 +170,13 @@ interface(`abrt_domtrans_helper',`
 		type abrt_helper_t, abrt_helper_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute abrt helper in the abrt
-##	helper domain, and allow the
-##	specified role the abrt helper domain.
+##	Execute abrt helper in the abrt_helper domain, and
+##	allow the specified role the abrt_helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
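Review bot: Dropping `corecmd_search_bin($1)` from abrt_domtrans_helper means a caller without search permission on bin directories can no longer reach /usr/bin/abrt-pyhook-helper (labeled abrt_helper_exec_t in abrt.fc of this same patch), so the transition fails at the directory lookup for such callers. The sibling `abrt_domtrans_retrace_worker` added later in this patch keeps `corecmd_search_bin($1)`, so the two domtrans interfaces are now inconsistent. Either keep the line or document in the summary that the caller must already be able to search bin directories.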
@@ -154,17 +192,54 @@ interface(`abrt_domtrans_helper',`
 #
 interface(`abrt_run_helper',`
 	gen_require(`
-		attribute_role abrt_helper_roles;
+		type abrt_helper_t;
 	')
 
 	abrt_domtrans_helper($1)
-	roleattribute $2 abrt_helper_roles;
+	role $2 types abrt_helper_t;
+')
+
+########################################
+## <summary>
+##	Read abrt cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_read_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+	read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+## <summary>
+##	Append abrt cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_append_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	
+	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt cache files.
+##	Read/Write inherited abrt cache
 ## </summary>
 ## <param name="domain">
 ##	<summary>
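Review bot: `abrt_append_cache` is documented as "Append abrt cache" but grants only `append_inherited_file_perms`, which lacks `open`, so a caller cannot append to a cache file it opens itself; either the summary should read `## Append to inherited abrt cache file descriptors.` or the rule should be `append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)`. `abrt_run_helper` replaces the `abrt_helper_roles` role attribute with a direct `role $2 types abrt_helper_t;`, which undoes the role-attribute approach the old side used; if that revert is deliberate it deserves a line in the commit message. The whitespace-only line between `gen_require` and the allow rule in both new interfaces should be dropped.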
@@ -172,15 +247,18 @@ interface(`abrt_run_helper',`
 ##	</summary>
 ## </param>
 #
-interface(`abrt_cache_manage',`
-	refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
-	abrt_manage_cache($1)
+interface(`abrt_rw_inherited_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	
+	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt cache content.
+##	Manage abrt cache
 ## </summary>
 ## <param name="domain">
 ##	<summary>
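Review bot: The deprecated `abrt_cache_manage` interface is removed outright rather than kept as the `refpolicywarn` shim forwarding to `abrt_manage_cache`, so any out-of-tree module still calling it now fails to build instead of warning, and nothing in this hunk shows callers were migrated. If the removal is intended, keep the shim for one more release or call out the break in the commit. The new summary "Read/Write inherited abrt cache" should say it covers inherited file descriptors only (no `open`), which is what `rw_inherited_file_perms` grants.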
@@ -193,7 +271,6 @@ interface(`abrt_manage_cache',`
 		type abrt_var_cache_t;
 	')
 
-	files_search_var($1)
 	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
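Review bot: Removing `files_search_var($1)` from abrt_manage_cache shifts the /var search permission onto every caller, and abrt.fc in this patch places abrt_var_cache_t under /var/cache, /var/spool and /var/tmp, so a caller that could previously reach the cache may now be denied at a parent directory. Either keep the line or state in the interface summary that the caller must already be able to search those parent directories.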
@@ -201,7 +278,7 @@ interface(`abrt_manage_cache',`
 
 ####################################
 ## <summary>
-##	Read abrt configuration files.
+##	Read abrt configuration file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -218,9 +295,29 @@ interface(`abrt_read_config',`
 	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
 ')
 
+####################################
+## <summary>
+##	Dontaudit read abrt configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_dontaudit_read_config',`
+	gen_require(`
+		type abrt_etc_t;
+	')
+
+	files_search_etc($1)
+    dontaudit $1 abrt_etc_t:dir list_dir_perms;
+    dontaudit $1 abrt_etc_t:file read_file_perms;
+')
+
 ######################################
 ## <summary>
-##	Read abrt log files.
+##	Read abrt logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
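Review bot: `abrt_dontaudit_read_config` contains `files_search_etc($1)`, which is an allow rule, so an interface whose summary promises only to silence denials actually grants search on /etc to its caller. Drop that line; the two `dontaudit` rules on `abrt_etc_t` do not need search on the parent directory to suppress audit messages. Those two lines are also indented with four spaces instead of the file's tabs.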
@@ -258,8 +355,7 @@ interface(`abrt_read_pid_files',`
 
 ######################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt PID files.
+##	Create, read, write, and delete abrt PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -276,10 +372,51 @@ interface(`abrt_manage_pid_files',`
 	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
 ')
 
+########################################
+## <summary>
+##	Read and write abrt fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_rw_fifo_file',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute abrt server in the abrt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`abrt_systemctl',`
+	gen_require(`
+		type abrt_t;
+		type abrt_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 abrt_unit_file_t:file manage_file_perms;
+	allow $1 abrt_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, abrt_t)
+')
+
 #####################################
 ## <summary>
-##	All of the rules required to
-##	administrate an abrt environment,
+##	All of the rules required to administrate
+##	an abrt environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
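Review bot: `abrt_systemctl` grants `allow $1 abrt_unit_file_t:file manage_file_perms;`, which lets the caller rewrite or replace the abrt unit files under /usr/lib/systemd/system and so change what systemd runs as the abrt daemon; a systemctl-style interface needs only `read_file_perms` on the unit file plus the `service manage_service_perms` rule. The summary "Execute abrt server in the abrt domain." does not describe this interface — it should read `## Execute systemctl on the abrt unit files, and read abrt process state.` `abrt_rw_fifo_file` likewise grants only `rw_inherited_fifo_file_perms`, so its summary should say inherited fifo descriptors rather than "abrt fifo files".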
@@ -288,39 +425,174 @@ interface(`abrt_manage_pid_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the abrt domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`abrt_admin',`
 	gen_require(`
-		attribute abrt_domain;
-		type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
-		type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
-		type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
+		type abrt_t, abrt_etc_t;
+		type abrt_var_cache_t, abrt_var_log_t;
+		type abrt_var_run_t, abrt_tmp_t;
+		type abrt_initrc_exec_t;
+		type abrt_unit_file_t;
 	')
 
-	allow $1 abrt_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, abrt_domain)
+	allow $1 abrt_t:process { signal_perms };
+	ps_process_pattern($1, abrt_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 abrt_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, abrt_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 abrt_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, abrt_etc_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, abrt_var_log_t)
 
-	files_search_var($1)
-	admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+	files_list_var($1)
+	admin_pattern($1, abrt_var_cache_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, abrt_var_run_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, abrt_tmp_t)
+
+	abrt_systemctl($1)
+	admin_pattern($1, abrt_unit_file_t)
+	allow $1 abrt_unit_file_t:service all_service_perms;
+')
+
+####################################
+## <summary>
+##  Execute abrt-retrace in the abrt-retrace domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`abrt_domtrans_retrace_worker',`
+    gen_require(`
+        type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
+')
+
+######################################
+## <summary>
+##  Manage abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_manage_spool_retrace',`
+    gen_require(`
+        type abrt_retrace_spool_t;
+    ')
+
+	manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+	manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+	manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+#####################################
+## <summary>
+##  Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_read_spool_retrace',`
+    gen_require(`
+        type abrt_retrace_spool_t;
+    ')
+
+    list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 ')
+
+
+#####################################
+## <summary>
+##  Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_read_cache_retrace',`
+    gen_require(`
+        type abrt_retrace_cache_t;
+    ')
+
+    list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+    read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write abrt sock files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`abrt_dontaudit_write_sock_file',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	dontaudit $1 abrt_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Transition to abrt named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_filetrans_named_content',`
+	gen_require(`
+		type abrt_tmp_t;
+		type abrt_etc_t;
+		type abrt_var_cache_t;
+		type abrt_var_run_t;
+	')
+
+	files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
+	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
+	files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
+')
+
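Review bot: `files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")` names a directory that appears nowhere else in this patch; abrt.fc labels `/var/cache/abrt-di(/.*)?`, so the named transition should be `"abrt-di"` or it never fires. The `"debug"` entry is keyed on var_t parent directories, but abrt.fc places that directory at /var/spool/debug, so on a base policy where /var/spool carries its own spool type the rule will not apply and `files_spool_filetrans` is the interface to use — worth confirming. `abrt_admin` also stops covering `abrt_retrace_cache_t` and `abrt_retrace_spool_t`, which the old side's `admin_pattern` managed, so the admin role loses the retrace server data; if intended, say so. The summaries of `abrt_manage_spool_retrace` and `abrt_read_spool_retrace` say "cache" while the type they touch is the spool.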
diff --git a/abrt.te b/abrt.te
index cc43d25..23aea8e 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.3.4)
+policy_module(abrt, 1.2.0)
 
 ########################################
 #
@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether ABRT can modify
-##	public files used for public file
-##	transfer services.
-##	</p>
+## <p>
+## Allow ABRT to modify public files
+## used for public file transfer services.
+## </p>
 ## </desc>
 gen_tunable(abrt_anon_write, false)
 
 ## <desc>
-##	<p>
-##	Determine whether ABRT can run in
-##	the abrt_handle_event_t domain to
-##	handle ABRT event scripts.
-##	</p>
+## <p>
+## Allow abrt-handle-upload to modify public files
+## used for public file transfer services in /var/spool/abrt-upload/.
+## </p>
+## </desc>
+gen_tunable(abrt_upload_watch_anon_write, true)
+
+## <desc>
+##  <p>
+##  Allow ABRT to run in abrt_handle_event_t domain
+##  to handle ABRT event scripts
+##  </p>
 ## </desc>
 gen_tunable(abrt_handle_event, false)
 
 attribute abrt_domain;
 
-attribute_role abrt_helper_roles;
-roleattribute system_r abrt_helper_roles;
-
-type abrt_t, abrt_domain;
-type abrt_exec_t;
+abrt_basic_types_template(abrt)
 init_daemon_domain(abrt_t, abrt_exec_t)
 
 type abrt_initrc_exec_t;
 init_script_file(abrt_initrc_exec_t)
 
+type abrt_unit_file_t;
+systemd_unit_file(abrt_unit_file_t)
+
+# etc files
 type abrt_etc_t;
 files_config_file(abrt_etc_t)
 
+# log files
 type abrt_var_log_t;
 logging_log_file(abrt_var_log_t)
 
 type abrt_tmp_t;
 files_tmp_file(abrt_tmp_t)
 
+# var/cache files
 type abrt_var_cache_t;
 files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
+userdom_user_tmp_content(abrt_var_cache_t)
 
+# pid files
 type abrt_var_run_t;
 files_pid_file(abrt_var_run_t)
 
-type abrt_dump_oops_t, abrt_domain;
-type abrt_dump_oops_exec_t;
+abrt_basic_types_template(abrt_dump_oops)
 init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
 
-type abrt_handle_event_t, abrt_domain;
-type abrt_handle_event_exec_t;
-domain_type(abrt_handle_event_t)
-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+# type for abrt-handle-event to handle
+# ABRT event scripts
+abrt_basic_types_template(abrt_handle_event)
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
 role system_r types abrt_handle_event_t;
 
-type abrt_helper_t, abrt_domain;
-type abrt_helper_exec_t;
+# type needed to allow all domains
+# to handle /var/cache/abrt
+# type needed to allow all domains
+# to handle /var/cache/abrt
+abrt_basic_types_template(abrt_helper)
 application_domain(abrt_helper_t, abrt_helper_exec_t)
-role abrt_helper_roles types abrt_helper_t;
+role system_r types abrt_helper_t;
 
-type abrt_retrace_coredump_t, abrt_domain;
-type abrt_retrace_coredump_exec_t;
-domain_type(abrt_retrace_coredump_t)
-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-role system_r types abrt_retrace_coredump_t;
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
+
+#
+# Support for ABRT retrace server
 
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+#
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
 role system_r types abrt_retrace_worker_t;
 
+abrt_basic_types_template(abrt_retrace_coredump)
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
 type abrt_retrace_cache_t;
 files_type(abrt_retrace_cache_t)
 
 type abrt_retrace_spool_t;
-files_type(abrt_retrace_spool_t)
+files_spool_file(abrt_retrace_spool_t)
 
-type abrt_watch_log_t, abrt_domain;
-type abrt_watch_log_exec_t;
+# Support abrt-watch log
+abrt_basic_types_template(abrt_watch_log)
 init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
 
-ifdef(`enable_mcs',`
-	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
-')
+# Support for abrt-upload-watch
+abrt_basic_types_template(abrt_upload_watch)
+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
+type abrt_upload_watch_tmp_t;
+files_tmp_file(abrt_upload_watch_tmp_t)
 
 ########################################
 #
-# Local policy
+# abrt local policy
 #
 
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
 allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
 allow abrt_t self:fifo_file rw_fifo_file_perms;
-allow abrt_t self:tcp_socket { accept listen };
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow abrt_t abrt_etc_t:dir list_dir_perms;
+# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
 
+# log file
 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
 logging_log_filetrans(abrt_t, abrt_var_log_t, file)
 
@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
 
+# abrt var/cache files
 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
 files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
 
+# abrt pid files
 manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
 
-can_exec(abrt_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 
 kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
 kernel_request_load_module(abrt_t)
 kernel_rw_kernel_sysctl(abrt_t)
 
@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t)
 corecmd_read_all_executables(abrt_t)
 
 corenet_all_recvfrom_netlabel(abrt_t)
-corenet_all_recvfrom_unlabeled(abrt_t)
 corenet_tcp_sendrecv_generic_if(abrt_t)
 corenet_tcp_sendrecv_generic_node(abrt_t)
-corenet_tcp_sendrecv_all_ports(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
 corenet_tcp_bind_generic_node(abrt_t)
-
-corenet_sendrecv_all_client_packets(abrt_t)
 corenet_tcp_connect_http_port(abrt_t)
 corenet_tcp_connect_ftp_port(abrt_t)
 corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
 
 dev_getattr_all_chr_files(abrt_t)
 dev_getattr_all_blk_files(abrt_t)
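Review bot: `corenet_tcp_connect_all_ports(abrt_t)` survives next to the new port-specific rules, so the tightening from `corenet_tcp_sendrecv_all_ports` to `corenet_tcp_sendrecv_generic_port` and the narrower `corenet_sendrecv_http_client_packets` still leaves abrt free to connect to any TCP port, and the http/ftp connect lines are redundant while it stays. If the reporter plugins only need HTTP(S)/FTP, drop the all-ports line; otherwise drop the two specific lines and comment why all ports are required. Removing `corenet_all_recvfrom_unlabeled` may also break connections on hosts without packet labeling unless the base policy grants unlabeled packet access to all domains — presumably checked, but a comment would help.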
@@ -163,29 +193,40 @@ files_getattr_all_files(abrt_t)
 files_read_config_files(abrt_t)
 files_read_etc_runtime_files(abrt_t)
 files_read_var_symlinks(abrt_t)
-files_read_usr_files(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
 files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
 files_dontaudit_read_default_files(abrt_t)
 files_dontaudit_read_all_symlinks(abrt_t)
 files_dontaudit_getattr_all_sockets(abrt_t)
 files_list_mnt(abrt_t)
+fs_list_all(abrt_t)
 
+fs_list_inotifyfs(abrt_t)
 fs_getattr_all_fs(abrt_t)
 fs_getattr_all_dirs(abrt_t)
-fs_list_inotifyfs(abrt_t)
 fs_read_fusefs_files(abrt_t)
 fs_read_noxattr_fs_files(abrt_t)
 fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
 
+logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
+
 auth_use_nsswitch(abrt_t)
 
-logging_read_generic_logs(abrt_t)
+init_read_utmp(abrt_t)
 
+miscfiles_read_generic_certs(abrt_t)
 miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
 
 tunable_policy(`abrt_anon_write',`
 	miscfiles_manage_public_files(abrt_t)
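Review bot: `files_read_generic_tmp_files(abrt_t)` lets the daemon read every file labeled tmp_t, not only the abrt content it creates there, and `fs_list_all(abrt_t)` adds listing of every filesystem type; since abrt_t already has its own tmp type and a `files_tmp_filetrans` for /var/tmp/abrt elsewhere in this patch, the generic tmp read looks broader than the crash-collection path needs. If a specific collector depends on it, a why-comment on the line naming that collector would justify keeping it.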
@@ -193,15 +234,11 @@ tunable_policy(`abrt_anon_write',`
 
 optional_policy(`
 	apache_list_modules(abrt_t)
-	apache_read_module_files(abrt_t)
+	apache_read_modules(abrt_t)
 ')
 
 optional_policy(`
 	dbus_system_domain(abrt_t, abrt_exec_t)
-
-	optional_policy(`
-		policykit_dbus_chat(abrt_t)
-	')
 ')
 
 optional_policy(`
@@ -209,6 +246,20 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kdump_read_crash(abrt_t)
+')
+
+optional_policy(`
+	mcelog_read_log(abrt_t)
+')
+
+optional_policy(`
+	mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+	mozilla_plugin_read_rw_files(abrt_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(abrt_t)
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
 	policykit_read_reload(abrt_t)
@@ -221,6 +272,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+    puppet_read_lib(abrt_t)
+')
+
+# to install debuginfo packages
+optional_policy(`
 	rpm_exec(abrt_t)
 	rpm_dontaudit_manage_db(abrt_t)
 	rpm_manage_cache(abrt_t)
@@ -230,6 +286,7 @@ optional_policy(`
 	rpm_signull(abrt_t)
 ')
 
+# to run mailx plugin
 optional_policy(`
 	sendmail_domtrans(abrt_t)
 ')
@@ -240,9 +297,17 @@ optional_policy(`
 	sosreport_delete_tmp_files(abrt_t)
 ')
 
+optional_policy(`
+	sssd_stream_connect(abrt_t)
+')
+
+optional_policy(`
+	xserver_read_log(abrt_t)
+')
+
 #######################################
 #
-# Handle-event local policy
+# abrt-handle-event local policy
 #
 
 allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -253,9 +318,13 @@ tunable_policy(`abrt_handle_event',`
 	can_exec(abrt_t, abrt_handle_event_exec_t)
 ')
 
+optional_policy(`
+	unconfined_domain(abrt_handle_event_t)
+')
+
 ########################################
 #
-# Helper local policy
+# abrt--helper local policy
 #
 
 allow abrt_helper_t self:capability { chown setgid sys_nice };
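Review bot: `unconfined_domain(abrt_handle_event_t)` makes the event-handler domain fully unconfined whenever the unconfined module is loaded, so the `abrt_handle_event` tunable, described above as letting ABRT run event scripts in a separate domain, ends up running those scripts with no confinement at all — the separate domain then provides no isolation over running them in abrt_t. If the scripts genuinely need unconfined access, the tunable description should say so and the optional block deserves a comment such as `# event scripts are arbitrary programs; run them unconfined when available`. The section heading typo `abrt--helper` should be `abrt-helper`.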
@@ -268,6 +337,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
 
 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -276,15 +346,20 @@ corecmd_read_all_executables(abrt_helper_t)
 
 domain_read_all_domains_state(abrt_helper_t)
 
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
 fs_list_inotifyfs(abrt_helper_t)
 fs_getattr_all_fs(abrt_helper_t)
 
 auth_use_nsswitch(abrt_helper_t)
 
+logging_send_syslog_msg(abrt_helper_t)
+
 term_dontaudit_use_all_ttys(abrt_helper_t)
 term_dontaudit_use_all_ptys(abrt_helper_t)
 
 ifdef(`hide_broken_symptoms',`
+	domain_dontaudit_leaks(abrt_helper_t)
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -292,11 +367,25 @@ ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+	optional_policy(`
+		rpm_dontaudit_leaks(abrt_helper_t)
+	')
+')
+
+ifdef(`hide_broken_symptoms',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow abrt_t self:capability sys_resource;
+	allow abrt_t domain:file write;
+	allow abrt_t domain:process setrlimit;
 ')
 
 #######################################
 #
-# Retrace coredump policy
+# abrt retrace coredump policy
 #
 
 allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
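Review bot: The second `ifdef(`hide_broken_symptoms',` block adds real allow rules — `allow abrt_t domain:file write;`, `allow abrt_t domain:process setrlimit;` and `allow abrt_t self:capability sys_resource;` — under a build flag whose purpose is to hide denials with dontaudit, so a hide-symptoms build quietly grants abrt_t write access to file objects of every domain type (the /proc/<pid> entries of all processes) and setrlimit over every process. If a real code path needs these they belong in the main abrt_t section with a comment saying which one; if they only paper over leaked descriptors they should be `dontaudit`. The block also sits in the abrt-helper section while targeting abrt_t, which makes it easy to miss.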
@@ -314,10 +403,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
 
 dev_read_urand(abrt_retrace_coredump_t)
 
-files_read_usr_files(abrt_retrace_coredump_t)
+
+logging_send_syslog_msg(abrt_retrace_coredump_t)
 
 sysnet_dns_name_resolve(abrt_retrace_coredump_t)
 
+# to install debuginfo packages
 optional_policy(`
 	rpm_exec(abrt_retrace_coredump_t)
 	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
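Review bot: `files_read_usr_files(abrt_retrace_coredump_t)` is removed and nothing in this hunk replaces it, so unless the base policy grants /usr reads to all domains (as some distributions do), the coredump worker loses read access to /usr content it needs for the rpm and shell execution this section allows; a comment saying where the permission now comes from would settle this. The blank line left at the removal site should go.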
@@ -330,10 +421,11 @@ optional_policy(`
 
 #######################################
 #
-# Retrace worker policy
+# abrt retrace worker policy
 #
 
-allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:capability { setuid };
+
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -352,46 +444,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 
 dev_read_urand(abrt_retrace_worker_t)
 
-files_read_usr_files(abrt_retrace_worker_t)
+
+logging_send_syslog_msg(abrt_retrace_worker_t)
 
 sysnet_dns_name_resolve(abrt_retrace_worker_t)
 
+optional_policy(`
+	mock_domtrans(abrt_retrace_worker_t)
+	mock_manage_lib_files(abrt_t)
+')
+
 ########################################
 #
-# Dump oops local policy
+# abrt_dump_oops local policy
 #
 
 allow abrt_dump_oops_t self:capability dac_override;
 allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
 
 files_search_spool(abrt_dump_oops_t)
 manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
 
 read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 
 read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
 
+kernel_read_debugfs(abrt_dump_oops_t)
 kernel_read_kernel_sysctls(abrt_dump_oops_t)
 kernel_read_ring_buffer(abrt_dump_oops_t)
 
 domain_use_interactive_fds(abrt_dump_oops_t)
 
 fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
 
 logging_read_generic_logs(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
 
 #######################################
 #
-# Watch log local policy
+# abrt_watch_log local policy
 #
 
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
 
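Review bot: `mock_manage_lib_files(abrt_t)` sits inside the retrace-worker section directly under `mock_domtrans(abrt_retrace_worker_t)` but targets the main daemon domain rather than the worker; unless abrtd itself drives mock, this looks like a copy-paste slip and should be `mock_manage_lib_files(abrt_retrace_worker_t)`. If abrt_t really needs it, move the line to the abrt_t section with a comment saying why the daemon touches mock's lib files. `files_read_usr_files(abrt_retrace_worker_t)` is also dropped without a visible replacement, the same question as for the coredump domain.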
@@ -400,16 +502,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
 corecmd_exec_bin(abrt_watch_log_t)
 
 logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+#optional_policy(`
+#	unconfined_domain(abrt_watch_log_t)
+#')
 
 #######################################
 #
-# Global local policy
+# abrt-upload-watch local policy
 #
 
-kernel_read_system_state(abrt_domain)
+allow abrt_upload_watch_t self:capability { dac_override chown };
 
-files_read_etc_files(abrt_domain)
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
+
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
 
-logging_send_syslog_msg(abrt_domain)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
 
-miscfiles_read_localization(abrt_domain)
+corecmd_exec_bin(abrt_upload_watch_t)
+
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
+
+auth_read_passwd(abrt_upload_watch_t)
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+    miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(abrt_upload_watch_t)
+')
+
+#######################################
+#
+# Local policy for all abrt domain
+#
+
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
+
+files_read_etc_files(abrt_domain)
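Review bot: `allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;` at L1141 names a file type as the socket target, but the connectto check is made against the label of the listening socket object, which carries the server process's domain, so this rule is likely never matched and clients connecting to the abrt socket would still be denied; the conventional form is `stream_connect_pattern(abrt_domain, abrt_var_run_t, abrt_var_run_t, abrt_t)` (or whichever abrt domain owns the listener), which also covers the sock_file write on L1140. The commented-out `unconfined_domain(abrt_watch_log_t)` block at L1094–L1096 should be dropped rather than committed — a disabled unconfined rule inside a confined daemon's policy invites someone to re-enable it. `abrt_upload_watch_t` gains `dac_override` and `chown` at L1105 without a comment; noting which files it must chown would let a later reviewer judge whether `dac_read_search` or owner-matching would do. The global removals at L1104 and L1115 (`kernel_read_system_state` and `logging_send_syslog_msg` for abrt_domain) are re-added per domain only for some domains in this diff (L1032, L1074, L1092), and abrt_upload_watch_t gets neither here, which may be intentional but is worth confirming.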
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a..0682710 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/accountsd.*  --              gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+
 /usr/libexec/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
 
 /usr/lib/accountsservice/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
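Review bot: The new unit-file entry at L1149 separates its fields with runs of spaces while the surrounding entries use tabs, and the same mixed alignment appears in alsa.fc (L1945) and amanda.fc (L2137); the file-context files in this tree are tab-separated, so these three lines should be reformatted to match their neighbours. In alsa.fc the entry is also placed after the `/var/lib/alsa` line although that file otherwise keeps `/usr` paths ahead of `/var`.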
diff --git a/accountsd.if b/accountsd.if
index bd5ec9a..a5ed692 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`accountsd_systemctl',`
+	gen_require(`
+		type accountsd_t;
+		type accountsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 accountsd_unit_file_t:file read_file_perms;
+	allow $1 accountsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, accountsd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an accountsd environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`accountsd_admin',`
 	gen_require(`
 		type accountsd_t;
+		type accountsd_unit_file_t;
 	')
 
-	allow $1 accountsd_t:process { ptrace signal_perms };
+	allow $1 accountsd_t:process signal_perms;
 	ps_process_pattern($1, accountsd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 accountsd_t:process ptrace;
+	')
+
 	accountsd_manage_lib_files($1)
+
+	accountsd_systemctl($1)
+	admin_pattern($1, accountsd_unit_file_t)
+	allow $1 accountsd_unit_file_t:service all_service_perms;
 ')
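Review bot: The new `accountsd_systemctl` interface at L1168 is inserted under the doc block that previously headed `accountsd_admin`, so its `<summary>` (above this hunk, not visible here) presumably still carries the admin wording while only the parameter text was changed at L1163; the summary should describe this interface, for example `##	Allow domain to manage the accountsd service with systemctl.`, which matches the body at L1174–L1176. `accountsd_admin` then calls `accountsd_systemctl($1)` at L1210 and separately grants `all_service_perms` at L1212, which subsumes the `manage_service_perms` the helper already grants; harmless, but a comment would make the layering intentional.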
diff --git a/accountsd.te b/accountsd.te
index 313b33f..6e0a894 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
 	class passwd all_passwd_perms;
 ')
 
+gen_require(`
+	class passwd { passwd chfn chsh rootok crontab };
+')
+
 ########################################
 #
 # Declarations
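Review bot: The added `gen_require` at L1222–L1224 requires `class passwd { passwd chfn chsh rootok crontab };` directly after the existing block at L1219 that already requires `class passwd all_passwd_perms;`; if `all_passwd_perms` covers these permissions the new block is redundant, and if it does not, the two should be merged into a single `gen_require` so the file states once what it needs from the passwd class.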
@@ -11,11 +15,15 @@ gen_require(`
 
 type accountsd_t;
 type accountsd_exec_t;
-dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
 
 type accountsd_var_lib_t;
 files_type(accountsd_var_lib_t)
 
+type accountsd_unit_file_t;
+systemd_unit_file(accountsd_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
 dev_read_sysfs(accountsd_t)
 
 files_read_mnt_files(accountsd_t)
-files_read_usr_files(accountsd_t)
 
 fs_getattr_xattr_fs(accountsd_t)
 fs_list_inotifyfs(accountsd_t)
@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t)
 auth_read_login_records(accountsd_t)
 auth_read_shadow(accountsd_t)
 
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
 
+logging_list_logs(accountsd_t)
 logging_send_syslog_msg(accountsd_t)
 logging_set_loginuid(accountsd_t)
 
@@ -65,9 +73,16 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_domain(accountsd_t, accountsd_exec_t)
+')
+
+optional_policy(`
 	policykit_dbus_chat(accountsd_t)
 ')
 
 optional_policy(`
 	xserver_read_xdm_tmp_files(accountsd_t)
+	xserver_read_state_xdm(accountsd_t)
+	xserver_dbus_chat_xdm(accountsd_t)
+	xserver_manage_xdm_etc_files(accountsd_t)
 ')
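Review bot: `xserver_manage_xdm_etc_files(accountsd_t)` at L1280 gives the accounts daemon create, delete and rename rights over the display manager's configuration, a notable widening for a daemon that otherwise reads configuration and chats over D-Bus; if the requirement is editing one automatic-login setting, a comment such as `# accounts-daemon rewrites the display manager config for automatic login — TODO confirm` would justify manage rather than rw access and let a later reviewer narrow it. The D-Bus entry interface at L1269 is now optional while L1234 unconditionally applies `init_daemon_domain` to the same domain; that split is reasonable, but a short comment in the declarations hunk explaining why both are applied would help readers.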
diff --git a/acct.if b/acct.if
index 81280d0..bc4038b 100644
--- a/acct.if
+++ b/acct.if
@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
 
 ########################################
 ## <summary>
+##	Dontaudit Attempts to list acct_data directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`acct_dontaudit_list_data',`
+	gen_require(`
+		type acct_data_t;
+	')
+
+	dontaudit $1 acct_data_t:dir list_dir_perms;	
+')
+
+#######################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an acct environment.
 ## </summary>
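Review bot: `dontaudit $1 acct_data_t:dir list_dir_perms;` at L1303 carries a trailing tab, and the next hunk in this file mixes four-space indentation (L1319, L1321) with the tabs used elsewhere and wraps a single macro in braces at L1316 (`allow $1 acct_t:process { signal_perms };`, where the other admin interfaces in this diff write `signal_perms` bare); normalise the whitespace and drop the braces so the interfaces read consistently. The summary at L1290 would read better as `##	Do not audit attempts to list the acct data directory.` to match the doc style of the neighbouring interfaces.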
@@ -103,9 +121,13 @@ interface(`acct_admin',`
 		type acct_t, acct_initrc_exec_t, acct_data_t;
 	')
 
-	allow $1 acct_t:process { ptrace signal_perms };
+	allow $1 acct_t:process { signal_perms };
 	ps_process_pattern($1, acct_t)
 
+    tunable_policy(`deny_ptrace',`',`
+		allow $1 acct_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, acct_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 acct_initrc_exec_t system_r;
diff --git a/acct.te b/acct.te
index 1a1c91a..d538827 100644
--- a/acct.te
+++ b/acct.te
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
 dev_read_sysfs(acct_t)
 dev_read_urand(acct_t)
 
-domain_use_interactive_fds(acct_t)
-
 fs_search_auto_mountpoints(acct_t)
 fs_getattr_xattr_fs(acct_t)
 
@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
 term_dontaudit_use_generic_ptys(acct_t)
 
 files_read_etc_runtime_files(acct_t)
-files_list_usr(acct_t)
 
 auth_use_nsswitch(acct_t)
 
@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
 
 logging_send_syslog_msg(acct_t)
 
-miscfiles_read_localization(acct_t)
-
 userdom_dontaudit_search_user_home_dirs(acct_t)
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
 
diff --git a/ada.te b/ada.te
index 8b5ad06..8ce8f26 100644
--- a/ada.te
+++ b/ada.te
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
 
 allow ada_t self:process { execstack execmem };
 
-userdom_use_user_terminals(ada_t)
+userdom_use_inherited_user_terminals(ada_t)
 
 optional_policy(`
 	unconfined_domain(ada_t)
diff --git a/afs.if b/afs.if
index 3b41be6..97d99f9 100644
--- a/afs.if
+++ b/afs.if
@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
 
 ########################################
 ## <summary>
+##	Read AFS config data
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`afs_read_config',`
+	gen_require(`
+		type afs_config_t;
+	')
+
+	read_files_pattern($1, afs_config_t, afs_config_t)
+')
+
+########################################
+## <summary>
 ##	Read and write afs cache files.
 ## </summary>
 ## <param name="domain">
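Review bot: `afs_read_config` at L1385 grants only `read_files_pattern`, which lets callers read files under `afs_config_t` but not enumerate the directory, whereas the in-file usage for afs_domain in afs.te (L1571–L1572) pairs the same pattern with `allow afs_domain afs_config_t:dir list_dir_perms;`; if callers of the new interface need to list the directory, add `allow $1 afs_config_t:dir list_dir_perms;` here so the interface matches how the file itself grants config access.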
@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
 interface(`afs_admin',`
 	gen_require(`
 		attribute afs_domain;
-		type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+		type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
 		type afs_ka_db_t, afs_vl_db_t, afs_config_t;
 		type afs_logfile_t, afs_cache_t, afs_files_t;
 	')
 
-	allow $1 afs_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, afs_domain)
+	allow $1 afs_t:process signal_perms;
+	ps_process_pattern($1, afs_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 afs_t:process ptrace;
+	')
 
 	afs_initrc_domtrans($1)
 	domain_system_change_exemption($1)
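Review bot: The admin interface narrows from `afs_domain` to `afs_t` at L1410–L1414, so an administrator domain loses signal and (where ptrace is not denied) ptrace rights over afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t and afs_vlserver_t, which the attribute existed to cover; unless that narrowing is intended, keep `allow $1 afs_domain:process signal_perms;` and `ps_process_pattern($1, afs_domain)` and use `afs_domain` in the `deny_ptrace` branch as well. As written, the `attribute afs_domain;` requirement retained at L1401 is unused in the visible body.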
diff --git a/afs.te b/afs.te
index 6690cdf..7726644 100644
--- a/afs.te
+++ b/afs.te
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
 
 kernel_rw_afs_state(afs_t)
 
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_generic_node(afs_t)
+corenet_udp_sendrecv_generic_node(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_generic_node(afs_t)
+
 files_mounton_mnt(afs_t)
-files_read_usr_files(afs_t)
 files_rw_etc_runtime_files(afs_t)
 
 fs_getattr_xattr_fs(afs_t)
@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
 
 logging_send_syslog_msg(afs_t)
 
+sysnet_dns_name_resolve(afs_t)
+
+ifdef(`hide_broken_symptoms',`
+	kernel_rw_unlabeled_files(afs_t)
+')
+
 ########################################
 #
 # AFS bossserver local policy
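Review bot: `kernel_rw_unlabeled_files(afs_t)` under `hide_broken_symptoms` at L1447–L1449 lets the AFS client read and write files the kernel cannot label, presumably because the AFS filesystem content itself is unlabeled, but the block carries no comment saying what symptom it hides; the convention for `hide_broken_symptoms` blocks is to name the breakage, so add a line such as `# AFS filesystem content is not labeled by the kernel — TODO confirm` above the call so the rule can be revisited when labeling support exists.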
@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
 
 kernel_read_kernel_sysctls(afs_bosserver_t)
 
-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
 corenet_all_recvfrom_netlabel(afs_bosserver_t)
 corenet_udp_sendrecv_generic_if(afs_bosserver_t)
 corenet_udp_sendrecv_generic_node(afs_bosserver_t)
@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
 corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
 
 files_list_home(afs_bosserver_t)
-files_read_usr_files(afs_bosserver_t)
 
 seutil_read_config(afs_bosserver_t)
 
@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms };
 allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
 allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
 manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
 
@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
 
 corenet_all_recvfrom_unlabeled(afs_fsserver_t)
 corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
 corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
 corenet_udp_sendrecv_generic_if(afs_fsserver_t)
 corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
 corenet_udp_sendrecv_generic_node(afs_fsserver_t)
-corenet_tcp_bind_generic_node(afs_fsserver_t)
-corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
 
 corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
 corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
 
 files_read_etc_runtime_files(afs_fsserver_t)
 files_list_home(afs_fsserver_t)
-files_read_usr_files(afs_fsserver_t)
 files_list_pids(afs_fsserver_t)
 files_dontaudit_search_mnt(afs_fsserver_t)
 
@@ -224,7 +234,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
 
 kernel_read_kernel_sysctls(afs_kaserver_t)
 
-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
 corenet_all_recvfrom_netlabel(afs_kaserver_t)
 corenet_udp_sendrecv_generic_if(afs_kaserver_t)
 corenet_udp_sendrecv_generic_node(afs_kaserver_t)
@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
 corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
 
 files_list_home(afs_kaserver_t)
-files_read_usr_files(afs_kaserver_t)
 
 seutil_read_config(afs_kaserver_t)
 
@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
 allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
 allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
 manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
 
 manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
 filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
 
-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
 corenet_all_recvfrom_netlabel(afs_ptserver_t)
 corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
 corenet_udp_sendrecv_generic_if(afs_ptserver_t)
@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
 corenet_udp_bind_afs_pt_port(afs_ptserver_t)
 corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
 
+sysnet_read_config(afs_ptserver_t)
+
 userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 
 ########################################
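Review bot: `sysnet_read_config(afs_ptserver_t)` at L1542 duplicates `sysnet_read_config(afs_domain)` at L1574, which already applies to afs_ptserver_t if that type carries the `afs_domain` attribute (the attribute-wide rules in the last hunk of this file suggest it does); drop the per-domain line, or, if afs_ptserver_t is not in afs_domain, say so in a comment so the apparent duplication is not removed later by mistake.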
@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
 allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
 manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
 
 manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
 filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
 
-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
 corenet_all_recvfrom_netlabel(afs_vlserver_t)
 corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
 corenet_udp_sendrecv_generic_if(afs_vlserver_t)
@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
 
 allow afs_domain self:udp_socket create_socket_perms;
 
-files_read_etc_files(afs_domain)
-
-miscfiles_read_localization(afs_domain)
+read_files_pattern(afs_domain, afs_config_t, afs_config_t)
+allow afs_domain afs_config_t:dir list_dir_perms;
 
 sysnet_read_config(afs_domain)
+
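Review bot: The added empty line at L1575 becomes a trailing blank line at end of file; drop it. The consolidation of the config read onto `afs_domain` at L1571–L1572 correctly replaces the per-domain copies removed earlier in this file, so whitespace is the only point here.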
diff --git a/aiccu.if b/aiccu.if
index 3b5dcb9..fbe187f 100644
--- a/aiccu.if
+++ b/aiccu.if
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
 		type aiccu_var_run_t;
 	')
 
-	allow $1 aiccu_t:process { ptrace signal_perms };
+	allow $1 aiccu_t:process signal_perms;
 	ps_process_pattern($1, aiccu_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aiccu_t:process ptrace;
+	')
+
 	aiccu_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
index 72c33c2..a9039ce 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
 corenet_tcp_bind_generic_node(aiccu_t)
 corenet_tcp_sendrecv_generic_if(aiccu_t)
 corenet_tcp_sendrecv_generic_node(aiccu_t)
-
 corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
 corenet_tcp_connect_sixxsconfig_port(aiccu_t)
 corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
@@ -60,17 +59,20 @@ domain_use_interactive_fds(aiccu_t)
 dev_read_rand(aiccu_t)
 dev_read_urand(aiccu_t)
 
-files_read_etc_files(aiccu_t)
 
-logging_send_syslog_msg(aiccu_t)
+auth_read_passwd(aiccu_t)
 
-miscfiles_read_localization(aiccu_t)
+logging_send_syslog_msg(aiccu_t)
 
 optional_policy(`
 	modutils_domtrans_insmod(aiccu_t)
 ')
 
 optional_policy(`
+    pcscd_stream_connect(aiccu_t)
+')
+
+optional_policy(`
 	sysnet_dns_name_resolve(aiccu_t)
 	sysnet_domtrans_ifconfig(aiccu_t)
 ')
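Review bot: `pcscd_stream_connect(aiccu_t)` at L1624 lets an IPv6 tunnel-broker client (see the sixxsconfig port rules at L1604–L1606) talk to the smart-card daemon, which is unexpected enough to need a comment naming the feature that requires it (a smart-card-backed credential, presumably — TODO confirm); without one a later reviewer cannot tell a real requirement from a stray denial that was simply allowed. The block also uses four-space indentation where the file uses tabs, and removing L1611 leaves two consecutive blank lines at L1610 and L1612.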
diff --git a/aide.fc b/aide.fc
index df6e4d0..4b99c25 100644
--- a/aide.fc
+++ b/aide.fc
@@ -3,4 +3,4 @@
 /var/lib/aide(/.*)	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
 
 /var/log/aide(/.*)?	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
-/var/log/aide\.log	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+/var/log/aide\.log.*	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --git a/aide.if b/aide.if
index 01cbb67..94a4a24 100644
--- a/aide.if
+++ b/aide.if
@@ -67,9 +67,13 @@ interface(`aide_admin',`
 		type aide_t, aide_db_t, aide_log_t;
 	')
 
-	allow $1 aide_t:process { ptrace signal_perms };
+	allow $1 aide_t:process signal_perms;
 	ps_process_pattern($1, aide_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aide_t:process ptrace;
+	')
+
 	aide_run($1, $2)
 
 	files_list_etc($1)
diff --git a/aide.te b/aide.te
index 4b28ab3..f781a7a 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
 type aide_t;
 type aide_exec_t;
 application_domain(aide_t, aide_exec_t)
+cron_system_entry(aide_t, aide_exec_t)
 role aide_roles types aide_t;
 
 type aide_log_t;
@@ -23,22 +24,30 @@ files_type(aide_db_t)
 # Local policy
 #
 
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
 
 manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
 
-create_files_pattern(aide_t, aide_log_t, aide_log_t)
-append_files_pattern(aide_t, aide_log_t, aide_log_t)
-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
 logging_log_filetrans(aide_t, aide_log_t, file)
 
 files_read_all_files(aide_t)
 files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
 
 logging_send_audit_msgs(aide_t)
 logging_send_syslog_msg(aide_t)
 
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
+
+optional_policy(`
+	prelink_domtrans(aide_t)
+')
 
 optional_policy(`
 	seutil_use_newrole_fds(aide_t)
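Review bot: `allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };` at L1677 adds `sys_admin`, the broadest capability available, to an integrity checker that already has `files_read_all_files` and `mls_file_write_to_clearance` (L1688, L1694), and nothing in the hunk says which operation needs it; add a comment naming the syscall or feature (e.g. `# sys_admin: <operation> — TODO confirm`) and check whether `ipc_lock` alone (presumably for locking the database in memory) satisfies the real need so `sys_admin` can be dropped. `manage_files_pattern` at L1685 also replaces the deliberately narrow create/append/setattr set on `aide_log_t`, letting the checker delete or rewrite its own log; if log rotation motivated the change, adding `rename` and `create` to the append-only set would preserve the tamper-evident property.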
diff --git a/aisexec.if b/aisexec.if
index a2997fa..861cebd 100644
--- a/aisexec.if
+++ b/aisexec.if
@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
 		type aisexec_initrc_exec_t;
 	')
 
-	allow $1 aisexec_t:process { ptrace signal_perms };
+	allow $1 aisexec_t:process signal_perms;
 	ps_process_pattern($1, aisexec_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aisexec_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
index 196f7cf..3b5354f 100644
--- a/aisexec.te
+++ b/aisexec.te
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
 kernel_read_system_state(aisexec_t)
 
 corecmd_exec_bin(aisexec_t)
+corecmd_exec_shell(aisexec_t)
 
 corenet_all_recvfrom_unlabeled(aisexec_t)
 corenet_all_recvfrom_netlabel(aisexec_t)
@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
 
 logging_send_syslog_msg(aisexec_t)
 
-miscfiles_read_localization(aisexec_t)
-
 userdom_rw_unpriv_user_semaphores(aisexec_t)
 userdom_rw_unpriv_user_shared_mem(aisexec_t)
 
@@ -105,6 +104,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	corosync_domtrans(aisexec_t)
+')
+
+optional_policy(`
+	# to communication with RHCS
 	rhcs_rw_dlm_controld_semaphores(aisexec_t)
 
 	rhcs_rw_fenced_semaphores(aisexec_t)
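Review bot: The comment at L1756 reads `# to communication with RHCS`; it should be `# to communicate with RHCS`. The new `corosync_domtrans(aisexec_t)` block at L1752 has no comment while the neighbouring block does; a one-liner such as `# aisexec execs corosync` would keep the section uniform.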
diff --git a/ajaxterm.fc b/ajaxterm.fc
new file mode 100644
index 0000000..aeb1888
--- /dev/null
+++ b/ajaxterm.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm	--	gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py	--	gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid		--	gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
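Review bot: The new file opens with an empty line at L1766, which none of the other .fc files in this diff do; drop it. The entrypoint at L1769 is a script under `/usr/share` rather than a bin directory, which is unusual for a daemon executable; a comment noting that the service is started through this script would explain the labeling to the next reader.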
diff --git a/ajaxterm.if b/ajaxterm.if
new file mode 100644
index 0000000..7abe946
--- /dev/null
+++ b/ajaxterm.if
@@ -0,0 +1,90 @@
+## <summary>policy for ajaxterm</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ajaxterm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ajaxterm_domtrans',`
+	gen_require(`
+		type ajaxterm_t, ajaxterm_exec_t;
+	')
+
+	domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+########################################
+## <summary>
+##	Execute ajaxterm server in the ajaxterm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ajaxterm_initrc_domtrans',`
+	gen_require(`
+		type ajaxterm_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##  Read and write the ajaxterm pty type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ajaxterm_rw_ptys',`
+    gen_require(`
+        type ajaxterm_devpts_t;
+    ')
+
+    allow $1 ajaxterm_devpts_t:chr_file	rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ajaxterm environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ajaxterm_admin',`
+	gen_require(`
+		type ajaxterm_t, ajaxterm_initrc_exec_t;
+	')
+
+	allow $1 ajaxterm_t:process signal_perms;
+	ps_process_pattern($1, ajaxterm_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ajaxterm_t:process ptrace;
+	')
+
+	ajaxterm_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 ajaxterm_initrc_exec_t system_r;
+	allow $2 system_r;
+')
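Review bot: `ajaxterm_rw_ptys` at L1816–L1832 is indented with spaces, in both the `##` doc block and the body, while the other three interfaces in the file use tabs, and L1831 has a stray tab between `chr_file` and `rw_inherited_term_perms`; reformat to tabs so the file is uniform. The summary `Read and write the ajaxterm pty type.` matches what the body grants, so whitespace is the only point here.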
diff --git a/ajaxterm.te b/ajaxterm.te
new file mode 100644
index 0000000..a95a4ad
--- /dev/null
+++ b/ajaxterm.te
@@ -0,0 +1,60 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process { setpgid signal };
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_oa_system_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
+#######################################
+#
+# SSH component local policy
+#
+
+optional_policy(`
+	ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
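Review bot: The file ends with an added empty line at L1933 and has two consecutive blank lines at L1921–L1922; remove both. `allow ajaxterm_t self:capability setuid;` (L1898) and the `relabelfrom` on `ajaxterm_devpts_t` (L1904) are the two rules a reader will question for a network-reachable terminal daemon (it binds a TCP port at L1915–L1916), and neither has a comment; a short why-comment on each, e.g. `# switches to the authenticated user's uid — TODO confirm`, would record the intent. The header at L1927 says `SSH component local policy` but the block only applies `ssh_basic_client_template`, so `ssh client local policy` would be more precise.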
diff --git a/alsa.fc b/alsa.fc
index 5de1e01..e5ab7ff 100644
--- a/alsa.fc
+++ b/alsa.fc
@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc	--	gen_context(system_u:object_r:alsa_home_t,s0)
 /usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 
-/var/lib/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/usr/lib/systemd/system/alsa.*  --              gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid		--	gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
index 708b743..cc78465 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
 
 	userdom_search_user_home_dirs($1)
 	allow $1 alsa_home_t:file manage_file_perms;
+	alsa_filetrans_home_content($1)
 ')
 
 ########################################
@@ -210,49 +211,85 @@ interface(`alsa_relabel_home_files',`
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic alsa
-##	home type.
+##	Read Alsa lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
+#
+interface(`alsa_read_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Transition to alsa named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Class of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+#
+interface(`alsa_filetrans_home_content',`
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+')
+
+########################################
+## <summary>
+##	Transition to alsa named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`alsa_home_filetrans_alsa_home',`
+interface(`alsa_filetrans_named_content',`
 	gen_require(`
 		type alsa_home_t;
+		type alsa_etc_rw_t;
+		type alsa_var_lib_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+	files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
+	files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+	files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
+	files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
+	files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+	files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
 ')
 
 ########################################
 ## <summary>
-##	Read Alsa lib files.
+##	Execute alsa server in the alsa domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`alsa_read_lib',`
+interface(`alsa_systemctl',`
 	gen_require(`
-		type alsa_var_lib_t;
+		type alsa_t;
+		type alsa_unit_file_t;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+	systemd_exec_systemctl($1)
+	allow $1 alsa_unit_file_t:file read_file_perms;
+	allow $1 alsa_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, alsa_t)
 ')
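Review bot: The public interface `alsa_home_filetrans_alsa_home` is deleted (L2016–L2024) and replaced by `alsa_filetrans_home_content` with a fixed class and name, so any module outside this file that still calls the old name will fail to build; keep a deprecated wrapper that emits `refpolicywarn` and forwards to the new interface, as is done elsewhere for renamed interfaces. The summary for `alsa_systemctl` at L2036 reads `Execute alsa server in the alsa domain.`, which describes a domain transition rather than the systemctl access the body grants at L2055–L2057 (`Allow domain to manage the alsa service with systemctl.` would fit), the two filetrans interfaces share the identical summary `Transition to alsa named content` (L1987, L2007), and L1992 and L2012 use space indentation inside the doc block. The `files_etc_filetrans`/`files_usr_filetrans` rules at L2025–L2029 key on the basename only, so a `pcm` directory or `alsa.conf` file that $1 creates in any `etc_t` or `usr_t` directory becomes `alsa_etc_rw_t`, a type alsa_t presumably writes; if the intent is limited to /etc/alsa and /usr/share/alsa, a comment acknowledging that breadth is the minimum.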
diff --git a/alsa.te b/alsa.te
index cda6d20..a80ddb9 100644
--- a/alsa.te
+++ b/alsa.te
@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
 type alsa_var_lib_t;
 files_type(alsa_var_lib_t)
 
+type alsa_var_run_t;
+files_pid_file(alsa_var_run_t)
+
 type alsa_home_t;
 userdom_user_home_content(alsa_home_t)
 
+type alsa_unit_file_t;
+systemd_unit_file(alsa_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms };
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket { accept listen };
@@ -51,7 +58,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
 manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
+
 kernel_read_system_state(alsa_t)
+kernel_signal(alsa_t)
 
 corecmd_exec_bin(alsa_t)
 
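Review bot: `kernel_signal(alsa_t)` at L2101 allows the ALSA state daemon to send signals to `kernel_t`, an unusual right for a userspace service, and there is no comment saying which process it must signal; add a why-comment (e.g. `# signals <process> running as kernel_t — TODO confirm`) or, if the denial came from a process that merely inherited the kernel label, note that so the rule can be narrowed later. `manage_lnk_files_pattern` on `alsa_var_run_t` at L2097 is also uncommon for a pid directory; if alsactl does not create symlinks under /run, drop it to keep the pid rules minimal.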
@@ -59,7 +72,6 @@ dev_read_sound(alsa_t)
 dev_read_sysfs(alsa_t)
 dev_write_sound(alsa_t)
 
-files_read_usr_files(alsa_t)
 files_search_var_lib(alsa_t)
 
 term_dontaudit_use_console(alsa_t)
@@ -72,8 +84,6 @@ init_use_fds(alsa_t)
 
 logging_send_syslog_msg(alsa_t)
 
-miscfiles_read_localization(alsa_t)
-
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
 userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.fc b/amanda.fc
index 7f4dfbc..e5c9f45 100644
--- a/amanda.fc
+++ b/amanda.fc
@@ -1,5 +1,6 @@
 /etc/amanda(/.*)?	gen_context(system_u:object_r:amanda_config_t,s0)
 /etc/amanda/.*/tapelist(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amanda/DailySet1(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates	gen_context(system_u:object_r:amanda_amandates_t,s0)
 /etc/dumpdates	gen_context(system_u:object_r:amanda_dumpdates_t,s0)
 # empty m4 string so the index macro is not invoked
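Review bot: `/etc/amanda/DailySet1(/.*)?` at L2129 labels an entire configuration set as `amanda_data_t`, the type amanda_t manages (the manage_dirs/files/lnk_files rules in amanda.te at L2175–L2177), so `amanda.conf` and everything else under that set become writable by the daemon, whereas the line above deliberately restricts writable state to `tapelist`; if only specific mutable files in DailySet1 need to be writable, label those and leave the rest `amanda_config_t`. The entry also hard-codes one set name; if `DailySet1` is the distribution's default set, say so in a comment so readers know why it alone is singled out.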
@@ -13,6 +14,8 @@
 /usr/lib/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 
+/usr/lib/systemd/system/amanda.*    --  gen_context(system_u:object_r:amanda_unit_file_t,s0)
+
 /usr/sbin/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
diff --git a/amanda.te b/amanda.te
index ed45974..f367ba0 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
 roleattribute system_r amanda_recover_roles;
 
 type amanda_t;
+type amanda_exec_t;
 type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+application_executable_file(amanda_exec_t)
+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
 
-type amanda_exec_t;
-domain_entry_file(amanda_t, amanda_exec_t)
+type amanda_unit_file_t;
+systemd_unit_file(amanda_unit_file_t)
 
 type amanda_log_t;
 logging_log_file(amanda_log_t)
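Review bot: `amanda_exec_t` is kept as a type but now only receives `application_executable_file` at L2153, and the removed `domain_entry_file(amanda_t, amanda_exec_t)` (L2158) is not replaced, so executing an `amanda_exec_t` binary no longer enters `amanda_t`; any `domtrans_pattern(..., amanda_exec_t, amanda_t)` left in amanda.if or other modules would become a transition with no matching entrypoint — confirm nothing still transitions on it, or restore the entrypoint. `init_daemon_domain(amanda_t, amanda_inetd_exec_t)` at L2154 together with the later optional `inetd_service_domain` on the same executable (L2230) makes one file type both a systemd and an inetd entrypoint, which is fine but deserves a comment stating that amanda can be started either way.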
@@ -60,7 +63,7 @@ optional_policy(`
 #
 
 allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
+allow amanda_t self:process { getsched setsched setpgid signal };
 allow amanda_t self:fifo_file rw_fifo_file_perms;
 allow amanda_t self:unix_stream_socket { accept listen };
 allow amanda_t self:tcp_socket { accept listen };
@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
 
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
 corecmd_exec_shell(amanda_t)
 corecmd_exec_bin(amanda_t)
 
-corenet_all_recvfrom_unlabeled(amanda_t)
 corenet_all_recvfrom_netlabel(amanda_t)
 corenet_tcp_sendrecv_generic_if(amanda_t)
 corenet_tcp_sendrecv_generic_node(amanda_t)
 corenet_tcp_sendrecv_all_ports(amanda_t)
 corenet_tcp_bind_generic_node(amanda_t)
 
+corenet_tcp_bind_amanda_port(amanda_t)
+corenet_udp_bind_amanda_port(amanda_t)
+
 corenet_sendrecv_all_server_packets(amanda_t)
 corenet_tcp_bind_all_rpc_ports(amanda_t)
 corenet_tcp_bind_generic_port(amanda_t)
@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
 
 dev_getattr_all_blk_files(amanda_t)
 dev_getattr_all_chr_files(amanda_t)
+dev_read_urand(amanda_t)
 
 files_read_etc_runtime_files(amanda_t)
 files_list_all(amanda_t)
@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
 
-corenet_all_recvfrom_unlabeled(amanda_recover_t)
 corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_generic_if(amanda_recover_t)
 corenet_udp_sendrecv_generic_if(amanda_recover_t)
@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
 
 auth_use_nsswitch(amanda_recover_t)
 
-fstools_domtrans(amanda_t)
-fstools_signal(amanda_t)
-
 logging_search_logs(amanda_recover_t)
 
-miscfiles_read_localization(amanda_recover_t)
-
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
 userdom_search_user_home_content(amanda_recover_t)
+
+optional_policy(`
+    inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+')
+
+optional_policy(`
+	fstools_domtrans(amanda_t)
+	fstools_signal(amanda_t)
+')
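Review bot: The two new optional_policy blocks use different indentation: the inetd_service_domain line is indented with four spaces while the fstools lines below it use a tab, as the rest of the file does; `	inetd_service_domain(amanda_t, amanda_inetd_exec_t)` with a tab keeps the module consistent. The hunk also drops `miscfiles_read_localization(amanda_recover_t)` without a replacement, presumably because that access now comes from a global rule elsewhere in this rebase; a one-line comment in the commit message saying so would save the next reader from checking.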
diff --git a/amavis.fc b/amavis.fc
index 17689a7..8aa6849 100644
--- a/amavis.fc
+++ b/amavis.fc
@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
 /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 ')
 
-/var/opt/f-secure(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
-
 /var/amavis(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
 
 /var/lib/amavis(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
diff --git a/amavis.if b/amavis.if
index 60d4f8c..18ef077 100644
--- a/amavis.if
+++ b/amavis.if
@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
 
 	files_search_spool($1)
 	read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+	allow $1 amavis_spool_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
 
 ########################################
 ## <summary>
+##	Read and write amavis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_rw_lib_files',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+	allow $1 amavis_var_lib_t:dir list_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	amavis lib files.
 ## </summary>
@@ -234,9 +255,13 @@ interface(`amavis_admin',`
 		type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
 	')
 
-	allow $1 amavis_t:process { ptrace signal_perms };
+	allow $1 amavis_t:process signal_perms;
 	ps_process_pattern($1, amavis_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 amavis_t:process ptrace;
+	')
+
 	amavis_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
index ab55ba7..a95b541 100644
--- a/amavis.te
+++ b/amavis.te
@@ -39,7 +39,7 @@ type amavis_quarantine_t;
 files_type(amavis_quarantine_t)
 
 type amavis_spool_t;
-files_type(amavis_spool_t)
+files_spool_file(amavis_spool_t)
 
 ########################################
 #
@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
 
+# tmp files
+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
 manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
 allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
 
 manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
 manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
 corecmd_exec_bin(amavis_t)
 corecmd_exec_shell(amavis_t)
 
-corenet_all_recvfrom_unlabeled(amavis_t)
 corenet_all_recvfrom_netlabel(amavis_t)
 corenet_tcp_sendrecv_generic_if(amavis_t)
 corenet_udp_sendrecv_generic_if(amavis_t)
@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
 
 corenet_sendrecv_razor_client_packets(amavis_t)
 corenet_tcp_connect_razor_port(amavis_t)
+corenet_tcp_connect_agentx_port(amavis_t)
 
 dev_read_rand(amavis_t)
 dev_read_sysfs(amavis_t)
@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
 domain_dontaudit_read_all_domains_state(amavis_t)
 
 files_read_etc_runtime_files(amavis_t)
-files_read_usr_files(amavis_t)
 files_search_spool(amavis_t)
 
 fs_getattr_xattr_fs(amavis_t)
@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
 
 logging_send_syslog_msg(amavis_t)
 
-miscfiles_read_localization(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
+
+sysnet_use_ldap(amavis_t)
 
 userdom_dontaudit_search_user_home_dirs(amavis_t)
 
 tunable_policy(`amavis_use_jit',`
-	allow amavis_t self:process execmem;
+    allow amavis_t self:process execmem;
 ',`
-	dontaudit amavis_t self:process execmem;
+    dontaudit amavis_t self:process execmem;
+')
+
+optional_policy(`
+	antivirus_domain_template(amavis_t)
 ')
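Review bot: The amavis_use_jit tunable lines are rewritten only to change their indentation from a tab to four spaces, while the new optional_policy block added just below keeps the tab the rest of amavis.te uses, so the file ends up mixed either way. Dropping the two whitespace-only changes and keeping `	allow amavis_t self:process execmem;` / `	dontaudit amavis_t self:process execmem;` as they were would leave the hunk with only its real change. That real change, `antivirus_domain_template(amavis_t)`, also interacts with the new antivirus.te in this diff, which aliases amavis_t onto antivirus_t; see the note on that file.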
 
 optional_policy(`
@@ -173,6 +181,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
 	postfix_read_config(amavis_t)
 	postfix_list_spool(amavis_t)
 ')
diff --git a/amtu.te b/amtu.te
index c960f92..486e9ed 100644
--- a/amtu.te
+++ b/amtu.te
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
 
 files_manage_boot_files(amtu_t)
 files_read_etc_runtime_files(amtu_t)
-files_read_etc_files(amtu_t)
 
 logging_send_audit_msgs(amtu_t)
 
-userdom_use_user_terminals(amtu_t)
+userdom_use_inherited_user_terminals(amtu_t)
 
 optional_policy(`
 	nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
index b098089..258407b 100644
--- a/anaconda.fc
+++ b/anaconda.fc
@@ -1 +1,7 @@
 # No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum  --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/sbin/anaconda      --  gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/ostree         --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/rpm-ostree     --  gen_context(system_u:object_r:install_exec_t,s0)
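Review bot: Labeling /usr/bin/ostree and /usr/bin/rpm-ostree as install_exec_t makes two general-purpose binaries entry points into install_t, which anaconda.te in this same diff grants capability2 mac_admin and, under optional_policy, unconfined_domain_noaudit; that is a wider trust boundary than the anaconda and anaconda-yum entries above and deserves a comment recording the intent, e.g. `# ostree/rpm-ostree run in install_t (see anaconda.te), not in the caller's domain`. The new lines also align their columns with runs of spaces while the other .fc files in this diff use tabs.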
diff --git a/anaconda.if b/anaconda.if
index 14a61b7..21bbf36 100644
--- a/anaconda.if
+++ b/anaconda.if
@@ -1 +1,54 @@
 ## <summary>Anaconda installer.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run install.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_domtrans_install',`
+	gen_require(`
+		type install_t, install_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, install_exec_t, install_t)
+')
+
+########################################
+## <summary>
+##	Execute install in the install
+##	domain, and allow the specified
+##	role the install domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_run_install',`
+	gen_require(`
+		type install_t;
+		type install_exec_t;
+		attribute_role install_roles;
+	')
+
+	anaconda_domtrans_install($1)
+	roleattribute $2 install_roles;
+	role_transition $2 install_exec_t system_r;
+
+	optional_policy(`
+		rpm_transition_script(install_t, $2)
+	')
+')
+
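Review bot: In anaconda_run_install the `role_transition $2 install_exec_t system_r;` line sits oddly next to `roleattribute $2 install_roles;`: the attribute is what lets $2 run install_t, and a role transition to system_r only takes effect if $2 is separately allowed system_r, which this interface does not grant. If the transition is intended (mirroring init-script patterns), a short comment saying which roles it is for would help; if not, the roleattribute alone appears sufficient. The `type install_t; type install_exec_t;` require is also already covered by the anaconda_domtrans_install call, and the file ends with a trailing blank line.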
diff --git a/anaconda.te b/anaconda.te
index 6f1384c..f226596 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
 	class passwd all_passwd_perms;
 ')
 
+gen_require(`
+	class passwd { passwd chfn chsh rootok crontab };
+')
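Review bot: The added gen_require block requires `class passwd { passwd chfn chsh rootok crontab }` directly below an existing require of `class passwd all_passwd_perms;`, which appears to already cover those permissions, so the second block looks redundant. If it is kept for a reason (for example the named set not being available on some target), a comment such as `# explicit list: all_passwd_perms is not defined on every target` would make that clear; otherwise the four lines can be dropped.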
+
 ########################################
 #
 # Declarations
@@ -16,6 +20,14 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
 domain_obj_id_change_exemption(anaconda_t)
 role system_r types anaconda_t;
 
+attribute_role install_roles;
+roleattribute system_r install_roles;
+
+type install_t;
+type install_exec_t;
+application_domain(install_t, install_exec_t)
+role install_roles types install_t;
+
 ########################################
 #
 # Local policy
@@ -34,8 +46,9 @@ modutils_domtrans_insmod(anaconda_t)
 modutils_domtrans_depmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
 
-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(anaconda_t)
 
 optional_policy(`
 	rpm_domtrans(anaconda_t)
@@ -53,3 +66,34 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain_noaudit(anaconda_t)
 ')
+
+########################################
+#
+# Local policy
+#
+
+allow install_t self:capability2 mac_admin;
+
+systemd_dbus_chat_localed(install_t)
+
+tunable_policy(`deny_ptrace',`',`
+	domain_ptrace_all_domains(install_t)
+')
+
+optional_policy(`
+    mount_run(install_t, install_roles)
+')
+
+optional_policy(`
+    networkmanager_dbus_chat(install_t)
+')
+
+optional_policy(`
+	seutil_run_setfiles_mac(install_t, install_roles)
+')
+
+optional_policy(`
+	unconfined_domain_noaudit(install_t)
+')
+
+
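Review bot: The new section header repeats the earlier "Local policy" banner for anaconda_t; naming the domain, `# install local policy`, avoids two identical headings in one file. The block is also the security-relevant part of this change: install_t receives `self:capability2 mac_admin`, ptrace of all domains unless deny_ptrace is set, and `unconfined_domain_noaudit`, so a comment on the mac_admin line stating why the installer needs to set arbitrary labels (e.g. `# installer relabels the target root, including contexts unknown to the running policy`) would document the trust being granted. Indentation is mixed (four spaces in the mount_run and networkmanager blocks, tabs elsewhere) and the hunk adds two trailing blank lines at end of file.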
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 0000000..9d5214b
--- /dev/null
+++ b/antivirus.fc
@@ -0,0 +1,43 @@
+/etc/amavis(d)?\.conf			--	gen_context(system_u:object_r:antivirus_conf_t,s0)
+/etc/amavisd(/.*)?					gen_context(system_u:object_r:antivirus_conf_t,s0)
+
+/etc/rc\.d/init\.d/amavis		--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/amavisd-snmp	--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/clamd.*		--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/clamd.*	--	gen_context(system_u:object_r:antivirus_unit_file_t,s0)
+
+/usr/lib/AntiVir/antivir		--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/amavisd.*				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamdscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/freshclam				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/clamd					--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/clamav-milter			--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/var/clamav(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/amavis(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/amavis(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav-unofficial-sigs(/.*)?   gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamd.*					gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/opt/f-secure(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/spool/amavisd(/.*)?			gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/virusmails(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/log/amavisd\.log.* 		--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav.*   				gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/freshclam.*    		--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav/freshclam.* 	--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamd.*    				gen_context(system_u:object_r:antivirus_log_t,s0)
+
+/var/run/amavis(d)?(/.*)?			gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/amavisd-snmp-subagent\.pid	--	gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
+/var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamav.*					gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamd.*					gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
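Review bot: The `/var/amavis(/.*)?` and `/var/lib/amavis(/.*)?` specs duplicate entries that remain in amavis.fc after this diff (only the f-secure line is removed there), so the two modules carry overlapping file-context specifications for the same paths; the types resolve to the same thing through the typealias in antivirus.te, but the duplication is fragile and setfiles may warn about multiple specifications, so removing the amavis.fc lines or the ones here seems preferable. Several new lines also carry trailing whitespace (the amavisd.log, freshclam and clamav/freshclam entries) and the clamav-unofficial-sigs line aligns with spaces where the rest use tabs, and the file ends with a blank line.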
diff --git a/antivirus.if b/antivirus.if
new file mode 100644
index 0000000..df5b3be
--- /dev/null
+++ b/antivirus.if
@@ -0,0 +1,322 @@
+## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  antivirus domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+interface(`antivirus_domain_template',`
+        gen_require(`
+                attribute antivirus_domain;
+        ')
+
+        typeattribute $1 antivirus_domain;
+')
+
+#######################################
+## <summary>
+##  Execute a domain transition to run antivirus program.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`antivirus_domtrans',`
+    gen_require(`
+        type antivirus_t, antivirus_exec_t;
+    ')
+
+    domtrans_pattern($1, antivirus_exec_t, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  Execute antivirus program without a transition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_exec',`
+    gen_require(`
+        type antivirus_exec_t;
+    ')
+
+    can_exec($1, antivirus_exec_t)
+')
+
+#######################################
+## <summary>
+##  Connect to run antivirus program.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_stream_connect',`
+    gen_require(`
+        type antivirus_t, antivirus_db_t, antivirus_var_run_t;
+    ')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
+	stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to append
+##  to antivirus log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_append_log',`
+    gen_require(`
+        type antivirus_log_t;
+    ')
+
+    logging_search_logs($1)
+    allow $1 antivirus_log_t:dir list_dir_perms;
+    append_files_pattern($1, antivirus_log_t, antivirus_log_t)
+')
+
+#######################################
+## <summary>
+##  Read antivirus configuration files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_read_config',`
+    gen_require(`
+        type antivirus_conf_t;
+    ')
+
+    files_search_etc($1)
+    allow $1 antivirus_conf_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Search antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_search_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+	files_search_spool($1)
+    allow $1 antivirus_db_t:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+##  Read antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_read_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+	read_files_pattern($1, antivirus_db_t, antivirus_db_t)
+	read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#####################################
+## <summary>
+##  Read and write antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_rw_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+    write_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+####################################
+## <summary>
+##  Manage antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_manage_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+    manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
+	manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#######################################
+## <summary>
+##  Manage antivirus pid content.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_manage_pid',`
+    gen_require(`
+        type antivirus_var_run_t;
+    ')
+
+    manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+    manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+')
+
+######################################
+## <summary>
+##      Read antivirus state files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`antivirus_read_state_clamd',`
+        gen_require(`
+                type antivirus_t;
+        ')
+
+        kernel_search_proc($1)
+        ps_process_pattern($1, antivirus_t)
+')
+
+######################################
+## <summary>
+##      Execute antivirus server in the antivirus domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`antivirus_systemctl',`
+        gen_require(`
+                type antivirus_t;
+                type antivirus_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+        allow $1 antivirus_unit_file_t:file read_file_perms;
+        allow $1 antivirus_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  All of the rules required to administrate
+##  an antivirus programs environment
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed to manage the clamav domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`antivirus_admin',`
+    gen_require(`
+		attribute antivirus_domain;
+        type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
+        type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
+        type antivirus_initrc_exec_t, antivirus_unit_file_t;
+    ')
+
+	allow $1 antivirus_t:process signal_perms;
+    ps_process_pattern($1, antivirus_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 antivirus_t:process ptrace;
+    ')
+
+    init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
+    domain_system_change_exemption($1)
+    role_transition $2 antivirus_initrc_exec_t system_r;
+    allow $2 system_r;
+
+	antivirus_systemctl($1)
+    admin_pattern($1, antivirus_unit_file_t)
+    allow $1 antivirus_unit_file_t:service all_service_perms;
+
+    files_list_etc($1)
+    admin_pattern($1, antivirus_conf_t)
+
+    files_list_var_lib($1)
+	admin_pattern($1, antivirus_db_t)
+
+    logging_list_logs($1)
+    admin_pattern($1, antivirus_log_t)
+
+    files_list_pids($1)
+    admin_pattern($1, antivirus_var_run_t)
+
+    files_list_tmp($1)
+    admin_pattern($1, antivirus_tmp_t)
+
+    optional_policy(`
+        systemd_passwd_agent_exec($1)
+        systemd_read_fifo_file_passwd_run($1)
+    ')
+')
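Review bot: antivirus_rw_db is documented as "Read and write antivirus db content directories" but only calls `write_files_pattern($1, antivirus_db_t, antivirus_db_t)`, so callers get write without read; either the rule should be `rw_files_pattern($1, antivirus_db_t, antivirus_db_t)` or the summary should say write-only, and the choice matters because this is the access a caller will rely on. The summary of antivirus_stream_connect, "Connect to run antivirus program", reads like a typo for "Connect to the antivirus program's sockets". Indentation across the file mixes tabs, four spaces and eight spaces (antivirus_domain_template, antivirus_read_state_clamd and antivirus_systemctl use eight; several lines inside the four-space interfaces use a tab), and antivirus_admin requires `attribute antivirus_domain` without using it.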
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 0000000..83590aa
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,273 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##  Allow antivirus programs to read non security files on a system
+##  </p>
+## </desc>
+gen_tunable(antivirus_can_scan_system, false)
+
+## <desc>
+##  <p>
+##  Determine whether can antivirus programs use JIT compiler.
+##  </p>
+## </desc>
+gen_tunable(antivirus_use_jit, false)
+
+attribute antivirus_domain;
+
+type antivirus_t;
+type antivirus_exec_t;
+typeattribute antivirus_t antivirus_domain;
+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
+init_daemon_domain(antivirus_t, antivirus_exec_t)
+
+type antivirus_initrc_exec_t;
+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
+init_script_file(antivirus_initrc_exec_t)
+
+type antivirus_unit_file_t;
+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
+systemd_unit_file(antivirus_unit_file_t)
+
+type antivirus_conf_t;
+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
+files_config_file(antivirus_conf_t)
+
+type antivirus_var_run_t;
+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
+files_pid_file(antivirus_var_run_t)
+
+type antivirus_log_t;
+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
+logging_log_file(antivirus_log_t)
+
+type antivirus_db_t;
+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
+files_type(antivirus_db_t)
+
+type antivirus_home_t;
+userdom_user_home_content(antivirus_home_t)
+
+type antivirus_tmp_t;
+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
+files_tmp_file(antivirus_tmp_t)
+
+########################################
+#
+# antivirus domain local policy
+#
+
+allow antivirus_domain self:capability { dac_override chown kill setgid setuid };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
+allow antivirus_domain self:tcp_socket { listen accept };
+
+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
+
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
+
+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
+kernel_read_network_state(antivirus_t)
+kernel_read_net_sysctls(antivirus_t)
+kernel_read_kernel_sysctls(antivirus_domain)
+kernel_read_sysctl(antivirus_domain)
+kernel_read_system_state(antivirus_t)
+
+corecmd_exec_bin(antivirus_domain)
+corecmd_exec_shell(antivirus_domain)
+
+corenet_all_recvfrom_netlabel(antivirus_t)
+corenet_tcp_sendrecv_generic_if(antivirus_t)
+corenet_udp_sendrecv_generic_if(antivirus_t)
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
+corenet_udp_sendrecv_generic_node(antivirus_domain)
+corenet_tcp_sendrecv_all_ports(antivirus_domain)
+corenet_udp_sendrecv_all_ports(antivirus_domain)
+corenet_tcp_bind_generic_node(antivirus_domain)
+corenet_udp_bind_generic_node(antivirus_domain)
+
+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
+
+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
+
+corenet_sendrecv_generic_server_packets(antivirus_domain)
+corenet_udp_bind_generic_port(antivirus_domain)
+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
+
+corenet_sendrecv_razor_client_packets(antivirus_domain)
+corenet_tcp_connect_razor_port(antivirus_domain)
+corenet_tcp_connect_agentx_port(antivirus_domain)
+
+corenet_tcp_connect_clamd_port(antivirus_domain)
+
+corenet_sendrecv_clamd_server_packets(antivirus_domain)
+corenet_tcp_bind_clamd_port(antivirus_domain)
+
+corenet_sendrecv_http_client_packets(antivirus_domain)
+corenet_tcp_connect_http_port(antivirus_domain)
+corenet_tcp_sendrecv_http_port(antivirus_domain)
+
+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
+corenet_tcp_connect_http_cache_port(antivirus_domain)
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
+
+#support for MySQL/PostgreSQL
+corenet_tcp_connect_mysqld_port(antivirus_domain)
+corenet_tcp_connect_postgresql_port(antivirus_domain)
+
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
+corenet_sendrecv_squid_client_packets(antivirus_domain)
+corenet_tcp_connect_squid_port(antivirus_domain)
+corenet_tcp_sendrecv_squid_port(antivirus_domain)
+
+dev_read_rand(antivirus_domain)
+dev_read_sysfs(antivirus_domain)
+dev_read_urand(antivirus_domain)
+
+domain_dontaudit_read_all_domains_state(antivirus_domain)
+
+files_dontaudit_read_security_files(antivirus_domain)
+files_read_etc_runtime_files(antivirus_domain)
+files_search_spool(antivirus_domain)
+
+fs_getattr_xattr_fs(antivirus_domain)
+
+auth_use_nsswitch(antivirus_t)
+auth_dontaudit_read_shadow(antivirus_domain)
+
+init_read_state(antivirus_domain)
+init_read_utmp(antivirus_domain)
+init_stream_connect_script(antivirus_domain)
+init_dontaudit_write_utmp(antivirus_domain)
+
+logging_send_syslog_msg(antivirus_t)
+
+miscfiles_read_generic_certs(antivirus_domain)
+
+sysnet_use_ldap(antivirus_domain)
+
+userdom_stream_connect(antivirus_domain)
+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
+
+tunable_policy(`antivirus_can_scan_system',`
+	files_read_non_security_files(antivirus_domain)
+	files_getattr_all_pipes(antivirus_domain)
+	files_getattr_all_sockets(antivirus_domain)
+    dev_getattr_all_blk_files(antivirus_domain)
+    dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
+    allow antivirus_domain self:process execmem;
+    allow antivirus_domain self:process execmem;
+',`
+    dontaudit antivirus_domain self:process execmem;
+    dontaudit antivirus_domain self:process execmem;
+')
+
+optional_policy(`
+	apache_read_sys_content(antivirus_domain)
+')
+
+optional_policy(`
+	antivirus_systemctl(antivirus_domain)
+')
+
+optional_policy(`
+	cron_system_entry(antivirus_t, antivirus_exec_t)
+    cron_use_fds(antivirus_domain)
+    cron_use_system_job_fds(antivirus_domain)
+    cron_rw_pipes(antivirus_domain)
+')
+
+optional_policy(`
+    dcc_domtrans_client(antivirus_domain)
+    dcc_stream_connect_dccifd(antivirus_domain)
+')
+
+optional_policy(`
+    exim_read_spool_files(antivirus_domain)
+')
+
+optional_policy(`
+    mta_read_config(antivirus_domain)
+	mta_read_queue(antivirus_domain)
+	mta_send_mail(antivirus_domain)
+')
+
+optional_policy(`
+    nslcd_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+	mysql_stream_connect(antivirus_domain)
+	corenet_tcp_connect_mysqld_port(antivirus_domain)
+')
+
+optional_policy(`
+    postfix_read_config(antivirus_domain)
+    postfix_list_spool(antivirus_domain)
+')
+
+optional_policy(`
+    pyzor_domtrans(antivirus_domain)
+    pyzor_signal(antivirus_domain)
+')
+
+optional_policy(`
+    razor_domtrans(antivirus_domain)
+')
+
+optional_policy(`
+    snmp_manage_var_lib_dirs(antivirus_domain)
+    snmp_manage_var_lib_files(antivirus_domain)
+    snmp_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+	spamd_stream_connect(clamd_t)
+    spamassassin_exec(antivirus_domain)
+    spamassassin_exec_client(antivirus_domain)
+    spamassassin_read_lib_files(antivirus_domain)
+	spamassassin_read_pid_files(antivirus_domain)
+')
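Review bot: The typealias declarations make amavis_t, amavis_exec_t, amavis_var_lib_t, amavis_spool_t, amavis_quarantine_t and related names aliases of the antivirus types, yet amavis.te in this same diff still declares several of them as real types (amavis_spool_t and amavis_quarantine_t are visible in its context lines) and adds `antivirus_domain_template(amavis_t)`; if both modules are built, the duplicate declarations should fail to link, so either amavis.te is expected to be dropped from the build or the aliases need to be trimmed, and the commit should say which. Within the file, `allow antivirus_domain self:process execmem;` and the matching dontaudit are each written twice inside antivirus_use_jit, `corenet_tcp_connect_mysqld_port(antivirus_domain)` appears both unconditionally and inside the mysql optional_policy, and `spamd_stream_connect(clamd_t)` addresses the domain through an alias while every neighbouring rule uses antivirus_domain or antivirus_t. The antivirus_t alias line also has a stray space before its terminating semicolon, and indentation alternates between tabs and four spaces throughout the tunable and optional blocks.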
diff --git a/apache.fc b/apache.fc
index 550a69e..43bb1c9 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,161 +1,212 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
 HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
 
-/etc/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/horde(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab	--	gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs	gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules	gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 
-/etc/vhosts	--	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/thttpd\.conf       -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/z-push(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/opt/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/usr/.*\.cgi			-- 	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi			-- 	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.*  --     gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* --      gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.*	--  gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.*     --  gen_context(system_u:object_r:httpd_unit_file_t,s0)
 
-/srv/([^/]*/)?www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog      --      gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
-/usr/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)?        gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2/smarty(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/usr/bin/htsslpass	--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 
-/usr/lib/apache-ssl/.+	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/share/jetty/bin/jetty.sh		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/share/joomla(/.*)?                 gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/usr/libexec/httpd-ssl-pass-dialog	--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+/usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 
-/usr/sbin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs	--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-ifdef(`distro_suse',`
-/usr/sbin/httpd2-.*	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/htcacheclean      --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx         --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm       --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 
-/usr/share/dirsrv(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/doc/ghc/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.*	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.*	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.*	gen_context(system_u:object_r:httpd_cache_t,s0)
+/usr/share/drupal.*			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/share/glpi(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php		--		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php	-- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php    --  gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/z-push(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.*			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.*			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem	--	gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt(3|4)(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/mod_security(/.*)?     gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/php/wsdlcache(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+
 /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)?		  gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)?     gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/thttpd\.log.*  -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php_errors\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+')
+
+/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/cherokee\.pid		--	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.*            gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/thttpd\.pid    -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)?		gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 
-/var/run/apache.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/cherokee\.pid	--	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/gcache_port	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/httpd.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/mod_.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/wsgi.*	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/user/apache(/.*)?	gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)?	gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php	--	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/moodledata(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html(/.*)?/sites/default/settings\.php	-- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html(/.*)?/sites/default/files(/.*)? 	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/html(/.*)?/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/owncloud/data(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/moodledata(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/moodle/data(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/lib/moodle(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/openshift/console/tmp(/.*)?    gen_context(system_u:object_r:httpd_tmp_t,s0)
+/var/www/openshift/console/log(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+
+/var/www/openshift/broker/httpd/logs(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/console/httpd/logs(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/run(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/openshift/console/httpd/run(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+/var/www/stickshift/[^/]*/log(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
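Review bot: The `jetty.sh` entry on the new side has lost the regex escape the removed line had (`jetty\.sh`), so the unescaped `.` now matches any character; the line should read `/usr/share/jetty/bin/jetty\.sh		--	gen_context(system_u:object_r:httpd_exec_t,s0)`. Two other entries in this hunk deserve a second look: `/etc/init\.d/cherokee` replaces the `/etc/rc\.d/init\.d/cherokee` path while the httpd and lighttpd entries just below keep the `rc\.d` form, so one of the two spellings is probably missing; and `/var/www/html(/.*)?/uploads(/.*)?` labels any directory named `uploads` anywhere under the document root as `httpd_sys_rw_content_t`, a much wider writable surface than the old wordpress-only pattern, which is worth a comment stating that this is intended. The relabel of `/var/lib/z-push(/.*)?` from `httpd_sys_rw_content_t` to `httpd_var_lib_t` also changes what script domains may write there and should be called out if deliberate.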
diff --git a/apache.if b/apache.if
index 83e899c..9426db5 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
-## <summary>Various web servers.</summary>
+## <summary>Apache web server</summary>
 
 ########################################
 ## <summary>
-##	Create a set of derived types for
-##	httpd web content.
+##	Create a set of derived types for apache
+##	web content.
 ## </summary>
 ## <param name="prefix">
 ##	<summary>
@@ -13,118 +13,103 @@
 #
 template(`apache_content_template',`
 	gen_require(`
-		attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
-		attribute httpd_script_domains, httpd_htaccess_type;
-		type httpd_t, httpd_suexec_t;
+		attribute httpd_exec_scripts, httpd_script_exec_type;
+		type httpd_t, httpd_suexec_t, httpd_log_t;
+		type httpd_sys_content_t;
+		attribute httpd_script_type, httpd_content_type;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	## <desc>
-	##	<p>
-	##	Determine whether the script domain can
-	##	modify public files used for public file
-	##	transfer services. Directories/Files must
-	##	be labeled public_content_rw_t.
-	##	</p>
-	## </desc>
-	gen_tunable(allow_httpd_$1_script_anon_write, false)
-
-	type httpd_$1_content_t, httpdcontent; # customizable
+	#This type is for webpages
+	type httpd_$1_content_t; # customizable;
+	typeattribute httpd_$1_content_t httpd_content_type;
 	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
 	files_type(httpd_$1_content_t)
 
-	type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
+	# This type is used for .htaccess files
+	type httpd_$1_htaccess_t, httpd_content_type; # customizable;
+	typeattribute httpd_$1_htaccess_t httpd_content_type;
 	files_type(httpd_$1_htaccess_t)
 
-	type httpd_$1_script_t, httpd_script_domains;
+	# Type that CGI scripts run as
+	type httpd_$1_script_t,	httpd_script_type;
 	domain_type(httpd_$1_script_t)
 	role system_r types httpd_$1_script_t;
 
+	kernel_read_system_state(httpd_$1_script_t)
+
+	# This type is used for executable scripts files
 	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-	corecmd_shell_entry_type(httpd_$1_script_t)
+	typeattribute httpd_$1_script_exec_t httpd_content_type;
 	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
 
-	type httpd_$1_rw_content_t, httpdcontent; # customizable
+	type httpd_$1_rw_content_t; # customizable
+	typeattribute httpd_$1_rw_content_t httpd_content_type;
 	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
 	files_type(httpd_$1_rw_content_t)
 
-	type httpd_$1_ra_content_t, httpdcontent; # customizable
+	type httpd_$1_ra_content_t, httpd_content_type; # customizable
+	typeattribute httpd_$1_ra_content_t httpd_content_type;
 	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
 	files_type(httpd_$1_ra_content_t)
 
-	########################################
-	#
-	# Policy
-	#
+	# Allow the script process to search the cgi directory, and users directory
+	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
 
 	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
 
-	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-	allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-	allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+	read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+	append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+	create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
 
-	allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
-	allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
-	allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
+	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
+	read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+	read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
 
 	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
-
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
-	allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
 
-	tunable_policy(`allow_httpd_$1_script_anon_write',`
-		miscfiles_manage_public_files(httpd_$1_script_t)
-	')
+    allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };
 
+	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
 		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 
-		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-		allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-		allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-	')
+		allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
+		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+		create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
 
-	tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
-		can_exec(httpd_t, httpd_$1_rw_content_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
 		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
-		domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
-	')
 
-	tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
-		can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
-	')
+		domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 
-	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
-	')
+		# privileged users run the script:
+		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
 
-	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+		# apache runs the script:
+		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
 	')
 ')
 
 ########################################
 ## <summary>
-##	Role access for apache.
+##	Role access for apache
 ## </summary>
 ## <param name="role">
 ##	<summary>
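Review bot: Under `httpd_builtin_scripting` the new `allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };` drops the `list_dir_perms` the removed line carried, and the `read_files_pattern` call beneath it only grants search on the directory, so httpd_t can no longer list append-only content directories while `httpd_$1_script_t` still can via the earlier `{ list_dir_perms add_entry_dir_perms }` line; if that asymmetry is not intended the line should be `allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };`. The `typeattribute` statements following the `httpd_$1_htaccess_t` and `httpd_$1_ra_content_t` declarations are redundant, since both `type` lines already name `httpd_content_type`, whereas `httpd_$1_content_t` and `httpd_$1_rw_content_t` rely on the separate statement; using one form for all four keeps the template readable. The `allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };` line is indented with spaces where the rest of the file uses tabs, and it is unconditional, so a short comment saying why script domains need httpd's stream sockets outside any tunable would help the next reader. The template's content types no longer carry the `httpdcontent` attribute (it is removed from the gen_require), so any interface still keyed on that attribute will no longer cover them; apache.te is not visible here, so this is inferred from the hunk alone.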
@@ -133,47 +118,61 @@ template(`apache_content_template',`
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
 interface(`apache_role',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_user_content_t, httpd_user_htaccess_t;
-		type httpd_user_script_t, httpd_user_script_exec_t;
-		type httpd_user_ra_content_t, httpd_user_rw_content_t;
+		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
 	')
 
 	role $1 types httpd_user_script_t;
 
-	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
-
-	allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
-
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
+	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+	apache_exec_modules($2)
+	apache_filetrans_home_content($2)
 
 	tunable_policy(`httpd_enable_cgi',`
+		# If a user starts a script by hand it gets the proper context
 		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
 	')
 
@@ -184,7 +183,7 @@ interface(`apache_role',`
 
 ########################################
 ## <summary>
-##	Read user httpd script executable files.
+##	Read httpd user scripts executables.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -204,7 +203,7 @@ interface(`apache_read_user_scripts',`
 
 ########################################
 ## <summary>
-##	Read user httpd content.
+##	Read user web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -224,7 +223,7 @@ interface(`apache_read_user_content',`
 
 ########################################
 ## <summary>
-##	Execute httpd with a domain transition.
+##	Transition to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -241,27 +240,47 @@ interface(`apache_domtrans',`
 	domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Execute httpd server in the httpd domain.
+##	Allow the specified domain to execute apache
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`apache_initrc_domtrans',`
+interface(`apache_exec',`
 	gen_require(`
-		type httpd_initrc_exec_t;
+		type httpd_exec_t;
 	')
 
-	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+	can_exec($1, httpd_exec_t)
+')
+
+######################################
+## <summary>
+##	Allow the specified domain to execute apache suexec
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_exec_suexec',`
+	gen_require(`
+		type httpd_suexec_exec_t;
+	')
+
+	can_exec($1, httpd_suexec_exec_t)
 ')
 
 #######################################
 ## <summary>
-##	Send generic signals to httpd.
+##	Send a generic signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
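Review bot: `apache_initrc_domtrans` is deleted outright (3885–3892) while `apache_exec` takes its slot, so any module still calling it fails at policy build; this file's own convention for retiring an interface is a `refpolicywarn(`$0($*) has been deprecated ...')` stub (see the removed lines at 4662). Keeping the old interface costs nothing, since its one-line body `init_labeled_script_domtrans($1, httpd_initrc_exec_t)` is exactly what `apache_admin` still issues at 4805. Separately, `apache_exec_suexec` lets `$1` run the suexec binary without entering `httpd_suexec_t`, so whatever confinement that domain provides does not apply to such callers; a comment naming which callers need it would make later audits easier.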
@@ -279,7 +298,7 @@ interface(`apache_signal',`
 
 ########################################
 ## <summary>
-##	Send null signals to httpd.
+##	Send a null signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -297,7 +316,7 @@ interface(`apache_signull',`
 
 ########################################
 ## <summary>
-##	Send child terminated signals to httpd.
+##	Send a SIGCHLD signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -315,8 +334,7 @@ interface(`apache_sigchld',`
 
 ########################################
 ## <summary>
-##	Inherit and use file descriptors
-##	from httpd.
+##	Inherit and use file descriptors from Apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -334,8 +352,8 @@ interface(`apache_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd unnamed pipes.
+##	Do not audit attempts to read and write Apache
+##	unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -348,13 +366,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
 		type httpd_t;
 	')
 
-	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd unix domain stream sockets.
+##	Do not audit attempts to read and write Apache
+##	unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -372,8 +390,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd TCP sockets.
+##	Do not audit attempts to read and write Apache
+##	TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -391,8 +409,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	all httpd content.
+##	Create, read, write, and delete all web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -417,7 +434,8 @@ interface(`apache_manage_all_content',`
 
 ########################################
 ## <summary>
-##	Set attributes httpd cache directories.
+##	Allow domain to  set the attributes
+##	of the APACHE cache directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -435,7 +453,8 @@ interface(`apache_setattr_cache_dirs',`
 
 ########################################
 ## <summary>
-##	List httpd cache directories.
+##	Allow the specified domain to list
+##	Apache cache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -453,7 +472,8 @@ interface(`apache_list_cache',`
 
 ########################################
 ## <summary>
-##	Read and write httpd cache files.
+##	Allow the specified domain to read
+##	and write Apache cache files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -471,7 +491,8 @@ interface(`apache_rw_cache_files',`
 
 ########################################
 ## <summary>
-##	Delete httpd cache directories.
+##	Allow the specified domain to delete
+##	Apache cache dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -489,7 +510,8 @@ interface(`apache_delete_cache_dirs',`
 
 ########################################
 ## <summary>
-##	Delete httpd cache files.
+##	Allow the specified domain to delete
+##	Apache cache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -507,49 +529,51 @@ interface(`apache_delete_cache_files',`
 
 ########################################
 ## <summary>
-##	Read httpd configuration files.
+##	Allow the specified domain to search
+##	apache configuration dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`apache_read_config',`
+interface(`apache_search_config',`
 	gen_require(`
 		type httpd_config_t;
 	')
 
 	files_search_etc($1)
-	allow $1 httpd_config_t:dir list_dir_perms;
-	read_files_pattern($1, httpd_config_t, httpd_config_t)
-	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+	allow $1 httpd_config_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search httpd configuration directories.
+##	Allow the specified domain to read
+##	apache configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`apache_search_config',`
+interface(`apache_read_config',`
 	gen_require(`
 		type httpd_config_t;
 	')
 
 	files_search_etc($1)
-	allow $1 httpd_config_t:dir search_dir_perms;
+	allow $1 httpd_config_t:dir list_dir_perms;
+	read_files_pattern($1, httpd_config_t, httpd_config_t)
+	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd configuration files.
+##	Allow the specified domain to manage
+##	apache configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -570,8 +594,8 @@ interface(`apache_manage_config',`
 
 ########################################
 ## <summary>
-##	Execute the Apache helper program
-##	with a domain transition.
+##	Execute the Apache helper program with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -608,16 +632,38 @@ interface(`apache_domtrans_helper',`
 #
 interface(`apache_run_helper',`
 	gen_require(`
-		attribute_role httpd_helper_roles;
+		type httpd_helper_t;
 	')
 
 	apache_domtrans_helper($1)
-	roleattribute $2 httpd_helper_roles;
+	role $2 types httpd_helper_t;
+')
+
+########################################
+## <summary>
+##	dontaudit attempts to read
+##	apache log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_dontaudit_read_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	dontaudit $1 httpd_log_t:file read_file_perms;
+	dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read httpd log files.
+##	Allow the specified domain to read
+##	apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
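Review bot: `apache_dontaudit_read_log` carries `<rolecap/>` at 4146, but that tag marks interfaces that extend a role's capabilities (compare its use on `apache_read_config` at 4088); a dontaudit grants nothing and should not advertise one, so drop the `## <rolecap/>` line. The `role $2 types httpd_helper_t` rewrite in `apache_run_helper` (4133) replaces the `httpd_helper_roles` role attribute; any other policy module that still references that attribute needs checking, which cannot be done from this hunk.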
@@ -639,7 +685,8 @@ interface(`apache_read_log',`
 
 ########################################
 ## <summary>
-##	Append httpd log files.
+##	Allow the specified domain to append
+##	to apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -657,10 +704,29 @@ interface(`apache_append_log',`
 	append_files_pattern($1, httpd_log_t, httpd_log_t)
 ')
 
+#######################################
+## <summary>
+##  Allow the specified domain to write
+##  to apache log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`apache_write_log',`
+    gen_require(`
+        type httpd_log_t;
+    ')
+
+	allow $1 httpd_log_t:file write;
+')
+
 ########################################
 ## <summary>
-##	Do not audit attempts to append
-##	httpd log files.
+##	Do not audit attempts to append to the
+##	Apache logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
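Review bot: `apache_write_log` grants only `httpd_log_t:file write` (4195) with no `open` and no `logging_search_logs($1)`, so a caller can write only to a descriptor it already inherited; the version of this interface the commit removes (4252–4259) used `logging_search_logs($1)` and `write_files_pattern`. If inherited-descriptor-only is the intent, say so in the summary, e.g. `##  Write to apache log files via an already-open descriptor (no open or search).`; otherwise use `write_files_pattern($1, httpd_log_t, httpd_log_t)`. The `gen_require` block at 4191–4193 is indented with spaces while the rest of the file uses tabs.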
@@ -678,8 +744,8 @@ interface(`apache_dontaudit_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd log files.
+##	Allow the specified domain to manage
+##	to apache var lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -687,20 +753,21 @@ interface(`apache_dontaudit_append_log',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_manage_log',`
+interface(`apache_manage_lib',`
 	gen_require(`
-		type httpd_log_t;
+		type httpd_var_lib_t;
 	')
 
-	logging_search_logs($1)
-	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
-	manage_files_pattern($1, httpd_log_t, httpd_log_t)
-	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+	manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+	read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Write apache log files.
+##	Allow the specified domain to manage
+##	to apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
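Review bot: The summaries for `apache_manage_lib` (4213–4214) and `apache_manage_log` (4243–4244) read "Allow the specified domain to manage to apache ... files", with a stray "to"; use `##	Allow the specified domain to manage` / `##	apache var lib files.` and the matching `##	apache log files.` for the log variant. The body of `apache_manage_lib` mirrors the old `apache_manage_log` one-for-one with `httpd_var_lib_t` and `files_search_var_lib`, which looks consistent.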
@@ -708,19 +775,21 @@ interface(`apache_manage_log',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_write_log',`
+interface(`apache_manage_log',`
 	gen_require(`
 		type httpd_log_t;
 	')
 
 	logging_search_logs($1)
-	write_files_pattern($1, httpd_log_t, httpd_log_t)
+	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+	manage_files_pattern($1, httpd_log_t, httpd_log_t)
+	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search
-##	httpd module directories.
+##	Do not audit attempts to search Apache
+##	module directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -738,7 +807,8 @@ interface(`apache_dontaudit_search_modules',`
 
 ########################################
 ## <summary>
-##	List httpd module directories.
+##	Allow the specified domain to read
+##	the apache module directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -746,17 +816,19 @@ interface(`apache_dontaudit_search_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_list_modules',`
+interface(`apache_read_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
-	allow $1 httpd_modules_t:dir list_dir_perms;
+	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute httpd module files.
+##	Allow the specified domain to list
+##	the contents of the apache modules
+##	directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
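Review bot: `apache_read_modules` (4289–4295) replaces `apache_read_module_files`, which the hunk at 4331–4346 removes, but it drops the `libs_search_lib($1)` call the old body had (4341), so callers that reached `httpd_modules_t` through this interface alone may now get a search denial on the lib tree; add `libs_search_lib($1)` before the `read_files_pattern` unless every caller is known to have it already. This hunk together with 4307–4330 and 4331–4355 renames the module interfaces in a chain, and the old name `apache_read_module_files` vanishes without a `refpolicywarn` stub, so external callers break at build time.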
@@ -764,19 +836,19 @@ interface(`apache_list_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_exec_modules',`
+interface(`apache_list_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
-	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
-	can_exec($1, httpd_modules_t)
+	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Read httpd module files.
+##	Allow the specified domain to execute
+##	apache modules.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -784,19 +856,19 @@ interface(`apache_exec_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_read_module_files',`
+interface(`apache_exec_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
-	libs_search_lib($1)
-	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+	allow $1 httpd_modules_t:dir list_dir_perms;
+	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+	can_exec($1, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run httpd_rotatelogs.
+##	Execute a domain transition to run httpd_rotatelogs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -809,13 +881,50 @@ interface(`apache_domtrans_rotatelogs',`
 		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
 ')
 
+#######################################
+## <summary>
+##  Execute httpd_rotatelogs in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`apache_exec_rotatelogs',`
+    gen_require(`
+        type httpd_rotatelogs_exec_t;
+    ')
+
+	can_exec($1, httpd_rotatelogs_exec_t)
+')
+
+#######################################
+## <summary>
+##  Execute httpd system scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`apache_exec_sys_script',`
+	gen_require(`
+		type httpd_sys_script_exec_t;
+	')
+
+	allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+	can_exec($1, httpd_sys_script_exec_t)
+')
+
 ########################################
 ## <summary>
-##	List httpd system content directories.
+##	Allow the specified domain to list
+##	apache system content files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
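Review bot: `apache_exec_rotatelogs` (4374) and `apache_exec_sys_script` (4392) use `can_exec`, so the binary runs in the caller's own domain, yet both `<param>` blocks say `Domain allowed to transition.` (4370, 4388); change them to `##	Domain allowed access.` as `apache_exec` at 3881 does. `apache_exec_sys_script` in particular runs CGI scripts under the caller's label instead of `httpd_sys_script_t`, so a script inherits every permission of `$1`; a comment naming the intended callers would help whoever reviews later policy that uses it. Two smaller points: the `gen_require` at 4375–4377 is space-indented while the file uses tabs, and `corecmd_search_bin($1)` is dropped from `apache_domtrans_rotatelogs` at 4360, which is only safe if every caller already searches bin directories itself.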
@@ -829,13 +938,14 @@ interface(`apache_list_sys_content',`
 	')
 
 	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 	files_search_var($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd system content files.
+##	Allow the specified domain to manage
+##	apache system content files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -844,6 +954,7 @@ interface(`apache_list_sys_content',`
 ## </param>
 ## <rolecap/>
 #
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
 interface(`apache_manage_sys_content',`
 	gen_require(`
 		type httpd_sys_content_t;
@@ -855,32 +966,98 @@ interface(`apache_manage_sys_content',`
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 ')
 
-########################################
+######################################
+## <summary>
+##	Allow the specified domain to read
+##	apache system content rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_files',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+##	Allow the specified domain to read
+##	apache system content rw dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_dirs',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd system rw content.
+##	Allow the specified domain to manage
+##	apache system content rw files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_manage_sys_content_rw',`
 	gen_require(`
 		type httpd_sys_rw_content_t;
 	')
 
-	apache_search_sys_content($1)
+	files_search_var($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute all httpd scripts in the
-##	system script domain.
+##	Allow the specified domain to delete
+##	apache system content rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_delete_sys_content_rw',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	files_search_tmp($1)
+	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+## <summary>
+##	Execute all web scripts in the system
+##	script domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
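Review bot: `apache_delete_sys_content_rw` calls `files_search_tmp($1)` (4526) although `httpd_sys_rw_content_t` is not a tmp type; its sibling `apache_manage_sys_content_rw` in the same hunk uses `files_search_var($1)` (4500), and that is the call this interface should make too unless a tmp-located rw content path exists that is not visible here. `apache_manage_sys_rw_content` is renamed to `apache_manage_sys_content_rw` (4493–4494) with no `refpolicywarn` stub for the old name, and it now calls `files_search_var($1)` instead of `apache_search_sys_content($1)`, so callers lose search on `httpd_sys_content_t` directories; that is a regression if rw content sits beneath sys content directories, TODO confirm the on-disk layout.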
@@ -888,10 +1065,17 @@ interface(`apache_manage_sys_rw_content',`
 ##	</summary>
 ## </param>
 #
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
 interface(`apache_domtrans_sys_script',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_sys_script_t;
+		type httpd_sys_script_exec_t;
+		type httpd_sys_script_t, httpd_sys_content_t;
+	')
+
+	tunable_policy(`httpd_enable_cgi',`
+		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -901,9 +1085,8 @@ interface(`apache_domtrans_sys_script',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd system script unix
-##	domain stream sockets.
+##	Do not audit attempts to read and write Apache
+##	system script unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -941,7 +1124,7 @@ interface(`apache_domtrans_all_scripts',`
 ########################################
 ## <summary>
 ##	Execute all user scripts in the user
-##	script domain. Add user script domains
+##	script domain.  Add user script domains
 ##	to the specified role.
 ## </summary>
 ## <param name="domain">
@@ -954,6 +1137,7 @@ interface(`apache_domtrans_all_scripts',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
@@ -966,7 +1150,8 @@ interface(`apache_run_all_scripts',`
 
 ########################################
 ## <summary>
-##	Read httpd squirrelmail data files.
+##	Allow the specified domain to read
+##	apache squirrelmail data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -979,12 +1164,13 @@ interface(`apache_read_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
 
-	allow $1 httpd_squirrelmail_t:file read_file_perms;
+	read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
 ')
 
 ########################################
 ## <summary>
-##	Append httpd squirrelmail data files.
+##	Allow the specified domain to append
+##	apache squirrelmail data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1002,7 +1188,7 @@ interface(`apache_append_squirrelmail_data',`
 
 ########################################
 ## <summary>
-##	Search httpd system content.
+##	Search apache system content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1015,13 +1201,12 @@ interface(`apache_search_sys_content',`
 		type httpd_sys_content_t;
 	')
 
-	files_search_var($1)
 	allow $1 httpd_sys_content_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read httpd system content.
+##	Read apache system content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
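Review bot: `apache_search_sys_content` loses `files_search_var($1)` (4628), so a caller whose only path to the content tree under /var was this interface now needs `files_search_var` of its own. That is consistent with the comment at 4430 that `httpd_sys_content_t` also lives under /etc, /srv and /usr, but callers relying on the old behaviour should be checked, and a line in the summary such as `##	Callers must search the parent directories themselves.` would save the next reader a trip through history.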
@@ -1041,7 +1226,7 @@ interface(`apache_read_sys_content',`
 
 ########################################
 ## <summary>
-##	Search httpd system CGI directories.
+##	Search apache system CGI directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1059,8 +1244,7 @@ interface(`apache_search_sys_scripts',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete all
-##	user httpd content.
+##	Create, read, write, and delete all user web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1070,13 +1254,22 @@ interface(`apache_search_sys_scripts',`
 ## <rolecap/>
 #
 interface(`apache_manage_all_user_content',`
-	refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
-	apache_manage_all_content($1)
+	gen_require(`
+		attribute httpd_user_content_type, httpd_user_script_exec_type;
+	')
+
+	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
 ')
 
 ########################################
 ## <summary>
-##	Search system script state directories.
+##	Search system script state directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
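Review bot: `apache_manage_all_user_content` was a deprecated forwarder to `apache_manage_all_content` (4662–4663) and is revived here with its own body over the `httpd_user_content_type` and `httpd_user_script_exec_type` attributes, which must be declared in apache.te outside this diff. Existing callers now receive a narrower grant than the forwarder gave them (user content and user script types only); if that narrowing is intended the summary should say so, and if not the forwarder should stay.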
@@ -1094,7 +1287,8 @@ interface(`apache_search_sys_script_state',`
 
 ########################################
 ## <summary>
-##	Read httpd tmp files.
+##	Allow the specified domain to read
+##	apache tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1111,10 +1305,29 @@ interface(`apache_read_tmp_files',`
 	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
 ')
 
+######################################
+## <summary>
+##	Dontaudit attempts to read and write
+##	apache tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+	gen_require(`
+		type httpd_tmp_t;
+	')
+
+	dontaudit $1 httpd_tmp_t:file { read write };
+')
+
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	httpd tmp files.
+##	Dontaudit attempts to write
+##	apache tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1127,7 +1340,7 @@ interface(`apache_dontaudit_write_tmp_files',`
 		type httpd_tmp_t;
 	')
 
-	dontaudit $1 httpd_tmp_t:file write_file_perms;
+	dontaudit $1 httpd_tmp_t:file write;
 ')
 
 ########################################
@@ -1136,6 +1349,9 @@ interface(`apache_dontaudit_write_tmp_files',`
 ## </summary>
 ##	<desc>
 ##	<p>
+##	Execute CGI in the specified domain.
+##	</p>
+##	<p>
 ##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
@@ -1165,8 +1381,30 @@ interface(`apache_cgi_domain',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an apache environment.
+##	Execute httpd server in the httpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apache_systemctl',`
+	gen_require(`
+		type httpd_t;
+		type httpd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 httpd_unit_file_t:file read_file_perms;
+	allow $1 httpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, httpd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an apache environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
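Review bot: The summary and parameter text for `apache_systemctl` (4751, 4755) are copied from the removed `apache_initrc_domtrans` — "Execute httpd server in the httpd domain" and "Domain allowed to transition" — but the body runs systemctl in the caller's domain, reads `httpd_unit_file_t`, grants `manage_service_perms` on it and lets `$1` inspect httpd processes; replace them with `##	Execute systemctl in the caller domain to manage the apache service.` and `##	Domain allowed access.`. Because `manage_service_perms` on the unit amounts to start/stop/reload of httpd, this is an administrative grant and the interface should be handed only to domains that are meant to control the service.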
@@ -1183,18 +1421,19 @@ interface(`apache_cgi_domain',`
 interface(`apache_admin',`
 	gen_require(`
 		attribute httpdcontent, httpd_script_exec_type;
-		attribute httpd_script_domains, httpd_htaccess_type;
 		type httpd_t, httpd_config_t, httpd_log_t;
-		type httpd_modules_t, httpd_lock_t, httpd_helper_t;
-		type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
-		type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
-		type httpd_initrc_exec_t, httpd_suexec_t;
+		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+		type httpd_suexec_tmp_t, httpd_tmp_t;
+		type httpd_unit_file_t;
 	')
 
-	allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
-	allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
-	ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+	allow $1 httpd_t:process signal_perms;
+	ps_process_pattern($1, httpd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 httpd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
 	domain_system_change_exemption($1)
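Review bot: `httpd_bool_t` is added to the `gen_require` at 4788 but no rule in the visible parts of `apache_admin` uses it (the lines between this hunk and the next at 4807 are not shown, so it may be used there); an unused require is harmless but usually a leftover. `deny_ptrace` at 4801 is not declared in this file, so it must exist among the global tunables of this policy branch or the build fails. Dropping `httpd_script_domains`, `httpd_helper_t`, `httpd_rotatelogs_t`, `httpd_suexec_t` and `httpd_passwd_t` from the signal and ps rules (4794–4797) means an admin domain can no longer signal or inspect CGI, helper and suexec processes through this interface; if that is intentional a comment saying where that access now comes from would help, since `apache_admin` is the interface expected to cover the whole environment. The interface continues past the end of this hunk.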
@@ -1204,10 +1443,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
 
-	files_search_etc($1)
-	admin_pattern($1, { httpd_config_t httpd_keytab_t })
+	files_list_etc($1)
+	admin_pattern($1, httpd_config_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
@@ -1218,9 +1457,141 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
-	admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
-	admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
+	admin_pattern($1, httpdcontent)
+	admin_pattern($1, httpd_script_exec_type)
+
+	seutil_domtrans_setfiles($1)
+
+	files_list_tmp($1)
+	admin_pattern($1, httpd_tmp_t)
+	admin_pattern($1, httpd_php_tmp_t)
+	admin_pattern($1, httpd_suexec_tmp_t)
+
+	apache_systemctl($1)
+	admin_pattern($1, httpd_unit_file_t)
+	allow $1 httpd_unit_file_t:service all_service_perms;
+
+	apache_filetrans_named_content($1)
+')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_leaks',`
+	gen_require(`
+		type httpd_t;
+		type httpd_tmp_t;
+	')
+
+	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+	dontaudit $1 httpd_t:tcp_socket { read write };
+	dontaudit $1 httpd_t:unix_dgram_socket { read write };
+	dontaudit $1 httpd_t:unix_stream_socket { read write };
+	dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Transition to apache named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_filetrans_named_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+		type httpd_tmp_t;
+	')
+
+
+	apache_filetrans_home_content($1)
+	files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
+	files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
+	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
+	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+	userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
+## <summary>
+##	Allow any httpd_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_entrypoint',`
+	gen_require(`
+		type httpd_exec_t;
+	')
+	allow $1 httpd_exec_t:file entrypoint;
+')
+
+########################################
+## <summary>
+##	Execute a httpd_exec_t in the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`apache_exec_domtrans',`
+	gen_require(`
+		type httpd_exec_t;
+	')
+
+	domtrans_pattern($1, httpd_exec_t, $2)
+')
+
+########################################
+## <summary>
+##	Transition to apache home content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_filetrans_home_content',`
+	gen_require(`
+		type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+		type httpd_user_content_ra_t;
+	')
 
-	apache_run_all_scripts($1, $2)
-	apache_run_helper($1, $2)
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+	filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+	filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
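Review bot: `seutil_domtrans_setfiles($1)` in apache_admin sets up only the type transition into setfiles_t; apache_admin also receives a role (the removed `apache_run_all_scripts($1, $2)` call shows a $2 exists), and unless that role is already authorized for setfiles_t elsewhere the relabel will be refused at the role check, which is why the usual form is `seutil_run_setfiles($1, $2)`. It also hands the web admin a domain that can relabel arbitrary paths rather than just httpd content, going beyond the summary "administrate an apache environment", so a comment explaining why restorecon on web content needs the full setfiles domain would help. A wording nit: the apache_dontaudit_leaks summary reads `dontaudit read and write an leaked file descriptors`; `Do not audit reads and writes on leaked httpd file descriptors` is clearer. apache_admin begins before this hunk.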
diff --git a/apache.te b/apache.te
index 1a82e29..bce7760 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,381 @@
-policy_module(apache, 2.6.10)
+policy_module(apache, 2.4.0)
+
+#
+# NOTES:
+#  This policy will work with SUEXEC enabled as part of the Apache
+#  configuration. However, the user CGI scripts will run under the
+#  system_u:system_r:httpd_user_script_t.
+#
+#  The user CGI scripts must be labeled with the httpd_user_script_exec_t
+#  type, and the directory containing the scripts should also be labeled
+#  with these types. This policy allows the user role to perform that
+#  relabeling. If it is desired that only admin role should be able to relabel
+#  the user CGI scripts, then relabel rule for user roles should be removed.
+#
 
 ########################################
 #
 # Declarations
 #
 
+selinux_genbool(httpd_bool_t)
+
 ## <desc>
-##	<p>
-##	Determine whether httpd can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
 ## </desc>
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use mod_auth_pam.
-##	</p>
+## <p>
+## Dontaudit Apache to search dirs.
+## </p>
 ## </desc>
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_dontaudit_search_dirs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use built in scripting.
-##	</p>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
 ## </desc>
-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_pam, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can check spam.
-##	</p>
+## <p>
+## Allow Apache to use mod_auth_ntlm_winbind
+## </p>
 ## </desc>
-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and modules
-##	can connect to the network using TCP.
-##	</p>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## </p>
+## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow httpd processes to manage IPA content
+## </p>
+## </desc>
+gen_tunable(httpd_manage_ipa, false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and modules
-##	can connect to cobbler over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect_cobbler, false)
 
 ## <desc>
-##	<p>
-##	Determine whether scripts and modules can
-##	connect to databases over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to server cobbler files.
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_db, false)
+gen_tunable(httpd_serve_cobbler_files, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect to
-##	ldap over the network.
-##	</p>
+## <p>
+## Allow HTTPD to connect to port 80 for graceful shutdown
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_ldap, false)
+gen_tunable(httpd_graceful_shutdown, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect
-##	to memcache server over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_connect_db, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can act as a relay.
-##	</p>
+## <p>
+## Allow httpd to connect to memcache server
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_relay, false)
+gen_tunable(httpd_can_network_memcache, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd daemon can
-##	connect to zabbix over the network.
-##	</p>
+## <p>
+## Allow httpd to act as a relay
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_zabbix, false)
+gen_tunable(httpd_can_network_relay, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can send mail.
-##	</p>
+##  <p>
+##  Allow http daemon to connect to zabbix
+##  </p>
 ## </desc>
-gen_tunable(httpd_can_sendmail, false)
+gen_tunable(httpd_can_connect_zabbix, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can communicate
-##	with avahi service via dbus.
-##	</p>
+##  <p>
+##  Allow http daemon to connect to mythtv
+##  </p>
 ## </desc>
-gen_tunable(httpd_dbus_avahi, false)
+gen_tunable(httpd_can_connect_mythtv, false)
 
 ## <desc>
-##	<p>
-##	Determine wether httpd can use support.
-##	</p>
+## <p>
+## Allow http daemon to check spam
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_cgi, false)
+gen_tunable(httpd_can_check_spam, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can act as a
-##	FTP server by listening on the ftp port.
-##	</p>
+## <p>
+## Allow http daemon to send mail
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_ftp_server, false)
+gen_tunable(httpd_can_sendmail, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can traverse
-##	user home directories.
-##	</p>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_homedirs, false)
+gen_tunable(httpd_dbus_avahi, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd gpg can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow Apache to communicate with sssd service via dbus
+## </p>
 ## </desc>
-gen_tunable(httpd_gpg_anon_write, false)
+gen_tunable(httpd_dbus_sssd, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can execute
-##	its temporary content.
-##	</p>
+## <p>
+## Allow httpd cgi support
+## </p>
 ## </desc>
-gen_tunable(httpd_tmp_exec, false)
+gen_tunable(httpd_enable_cgi, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and
-##	modules can use execmem and execstack.
-##	</p>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
 ## </desc>
-gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_enable_ftp_server, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect
-##	to port 80 for graceful shutdown.
-##	</p>
+## <p>
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+## </p>
 ## </desc>
-gen_tunable(httpd_graceful_shutdown, false)
+gen_tunable(httpd_can_connect_ftp, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can
-##	manage IPA content files.
-##	</p>
+##  <p>
+##  Allow httpd to connect to the ldap port 
+##  </p>
 ## </desc>
-gen_tunable(httpd_manage_ipa, false)
+gen_tunable(httpd_can_connect_ldap, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use mod_auth_ntlm_winbind.
-##	</p>
+## <p>
+## Allow httpd to read home directories
+## </p>
 ## </desc>
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+gen_tunable(httpd_enable_homedirs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can read
-##	generic user home content files.
-##	</p>
+## <p>
+## Allow httpd to read user content 
+## </p>
 ## </desc>
 gen_tunable(httpd_read_user_content, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can change
-##	its resource limits.
-##	</p>
+## <p>
+## Allow Apache to run in stickshift mode, not transition to passenger
+## </p>
+## </desc>
+gen_tunable(httpd_run_stickshift, false)
+
+## <desc>
+## <p>
+## Allow Apache to query NS records
+## </p>
+## </desc>
+gen_tunable(httpd_verify_dns, false)
+
+## <desc>
+## <p>
+## Allow httpd daemon to change its resource limits
+## </p>
 ## </desc>
 gen_tunable(httpd_setrlimit, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can run
-##	SSI executables in the same domain
-##	as system CGI scripts.
-##	</p>
+## <p>
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+## </p>
 ## </desc>
 gen_tunable(httpd_ssi_exec, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can communicate
-##	with the terminal. Needed for entering the
-##	passphrase for certificates at the terminal.
-##	</p>
+## <p>
+## Allow Apache to execute tmp content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
+## <desc>
+## <p>
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+## </p>
 ## </desc>
 gen_tunable(httpd_tty_comm, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can have full access
-##	to its content types.
-##	</p>
+## <p>
+## Unify HTTPD handling of all content files.
+## </p>
 ## </desc>
 gen_tunable(httpd_unified, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use
-##	cifs file systems.
-##	</p>
+## <p>
+## Allow httpd to access openstack ports
+## </p>
+## </desc>
+gen_tunable(httpd_use_openstack, false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
 ## </desc>
 gen_tunable(httpd_use_cifs, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether httpd can
-##	use fuse file systems.
+##	Allow httpd to access FUSE file systems
 ##	</p>
 ## </desc>
 gen_tunable(httpd_use_fusefs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use gpg.
-##	</p>
+## <p>
+## Allow httpd to run gpg
+## </p>
 ## </desc>
 gen_tunable(httpd_use_gpg, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use
-##	nfs file systems.
-##	</p>
+## <p>
+## Allow httpd to connect to  sasl
+## </p>
+## </desc>
+gen_tunable(httpd_use_sasl, false)
+
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
 ## </desc>
 gen_tunable(httpd_use_nfs, false)
 
+## <desc>
+## <p>
+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
+## </p>
+## </desc>
+gen_tunable(httpd_sys_script_anon_write, false)
+
 attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
+attribute httpd_content_type;
 
-# domains that can exec all scripts
+# domains that can exec all users scripts
 attribute httpd_exec_scripts;
 
+attribute httpd_script_type;
 attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
 
-# all script domains
+# user script domains
 attribute httpd_script_domains;
 
-attribute_role httpd_helper_roles;
-roleattribute system_r httpd_helper_roles;
-
 type httpd_t;
 type httpd_exec_t;
+ifdef(`distro_redhat',`
+	typealias httpd_t alias phpfpm_t;
+	typealias httpd_exec_t alias phpfpm_exec_t;
+')
 init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
 
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
 type httpd_cache_t;
 files_type(httpd_cache_t)
 
+# httpd_config_t is the type given to the configuration files
 type httpd_config_t;
 files_config_file(httpd_config_t)
 
 type httpd_helper_t;
 type httpd_helper_exec_t;
-application_domain(httpd_helper_t, httpd_helper_exec_t)
-role httpd_helper_roles types httpd_helper_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
 
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
 
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
+	typealias httpd_unit_file_t alias phpfpm_unit_file_t;
+')
+systemd_unit_file(httpd_unit_file_t)
+
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
 type httpd_log_t;
+ifdef(`distro_redhat',`
+	typealias httpd_log_t alias phpfpm_log_t;
+')
 logging_log_file(httpd_log_t)
 
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
 type httpd_modules_t;
 files_type(httpd_modules_t)
 
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
 type httpd_rotatelogs_t;
 type httpd_rotatelogs_exec_t;
 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
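Review bot: Several booleans are renamed with no alias — `allow_httpd_anon_write` → `httpd_anon_write`, `allow_httpd_mod_auth_pam` → `httpd_mod_auth_pam`, `httpd_can_network_connect_ldap` → `httpd_can_connect_ldap`, `httpd_can_network_connect_memcache` → `httpd_can_network_memcache`, `httpd_can_network_connect_zabbix` → `httpd_can_connect_zabbix` — and httpd_gpg_anon_write disappears entirely, so a site that persisted the old names with `setsebool -P` will not have those settings carry over and its LDAP/memcache/zabbix connections start being denied under the new defaults (all false). The commit should ship the old→new mapping (a booleans.subs_dist entry or equivalent) or at least call the renames out in the description. Two descriptions also need fixing: `Allow HTTPD scripts and modules to server cobbler files` should read `serve`, and `Unify HTTPD to communicate with the terminal` should be `Allow HTTPD to communicate with the terminal`. The module version also moves from 2.6.10 down to 2.4.0, which reads like a merge artifact rather than an intended downgrade.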
@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
 type httpd_squirrelmail_t;
 files_type(httpd_squirrelmail_t)
 
-type squirrelmail_spool_t;
-files_tmp_file(squirrelmail_spool_t)
-
-type httpd_suexec_t;
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
 type httpd_suexec_exec_t;
 domain_type(httpd_suexec_t)
 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
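Review bot: `type httpd_suexec_t; #, daemon;` carries a stale fragment of an old attribute list in a trailing comment; it conveys nothing to a reader and looks like a hand-edit remnant, so the line should simply be `type httpd_suexec_t;` beneath the new `# SUEXEC runs user scripts as their own user ID` comment.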
@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t;
 type httpd_suexec_tmp_t;
 files_tmp_file(httpd_suexec_tmp_t)
 
+# setup the system domain for system CGI scripts
 apache_content_template(sys)
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
 
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
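Review bot: `typealias httpd_sys_content_t alias ntop_http_content_t;` is removed with no replacement, so any file still carrying the ntop_http_content_t label will be treated as unlabeled_t once this policy loads and lose its httpd access; unless the ntop module in this tree now declares that type itself, keep the alias alongside the new fastcgi ones under the same `# Removal of ..., will cause problems without the following` note. Dropping `corecmd_shell_entry_type(httpd_sys_script_t)` is a genuine tightening (the shell can no longer serve as an entry point for the system CGI domain) and deserves a line in the commit description, with a check that `#!/bin/sh` CGIs labeled httpd_sys_script_exec_t still transition as expected.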
@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t)
 
 apache_content_template(user)
 ubac_constrained(httpd_user_script_t)
+
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
 userdom_user_home_content(httpd_user_content_t)
 userdom_user_home_content(httpd_user_htaccess_t)
 userdom_user_home_content(httpd_user_script_exec_t)
 userdom_user_home_content(httpd_user_ra_content_t)
 userdom_user_home_content(httpd_user_rw_content_t)
+typeattribute httpd_user_script_t httpd_script_domains;
 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
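Review bot: Adding httpd_user_content_t, httpd_user_rw_content_t and httpd_user_ra_content_t to httpdcontent extends every httpdcontent rule to users' home web content; in particular the unchanged `domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)` and `manage_*_pattern(httpd_t, httpdcontent, httpdcontent)` under `httpd_enable_cgi && httpd_unified && httpd_builtin_scripting` later in this file would let httpd run a file from public_html in the system script domain (which, unlike httpd_user_script_t, is not ubac_constrained) and write into home content. If the content template already placed these types in httpdcontent this is a no-op, but either way a comment on the three typeattribute lines would save the next reader a search, e.g. `# home content joins httpdcontent: the httpd_unified/httpd_enable_cgi rules reach public_html too`.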
@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
 
+# for apache2 memory mapped files
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
 
 type httpd_var_run_t;
+ifdef(`distro_redhat',`
+	typealias httpd_var_run_t alias phpfpm_var_run_t;
+')
 files_pid_file(httpd_var_run_t)
 
-type httpd_passwd_t;
-type httpd_passwd_exec_t;
-domain_type(httpd_passwd_t)
-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
-role system_r types httpd_passwd_t;
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
 
-type httpd_gpg_t;
-domain_type(httpd_gpg_t)
-role system_r types httpd_gpg_t;
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
 
 optional_policy(`
 	prelink_object_file(httpd_modules_t)
 ')
 
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
 ########################################
 #
-# Local policy
+# Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
 allow httpd_t self:sock_file read_sock_file_perms;
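Review bot: `sys_tty_config` appears both in the new allow line (`allow httpd_t self:capability { ... sys_tty_config sys_chroot };`) and in the new dontaudit line (`dontaudit httpd_t self:capability { net_admin sys_tty_config };`); an allowed permission never produces a denial, so the dontaudit half is dead code and the two lines disagree about intent — pick one, and if httpd has no real need to configure ttys, drop it from the allow and keep only the dontaudit. `sys_chroot` is also new here with no comment; since it lets httpd_t re-root itself, the rule should say which module requires it. The httpd_passwd_t declarations were moved below an optional_policy block, away from the other domain declarations, which makes the declarations section harder to scan.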
@@ -378,28 +484,37 @@ allow httpd_t self:shm create_shm_perms;
 allow httpd_t self:sem create_sem_perms;
 allow httpd_t self:msgq create_msgq_perms;
 allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket sendto;
-allow httpd_t self:unix_stream_socket { accept connectto listen };
-allow httpd_t self:tcp_socket { accept listen };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
 
+# Allow httpd_t to put files in /var/cache/httpd etc
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
 
+# Allow the httpd_t to read the web servers config files
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 
+can_exec(httpd_t, httpd_exec_t)
+
 allow httpd_t httpd_lock_t:file manage_file_perms;
 files_lock_filetrans(httpd_t, httpd_lock_t, file)
 
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
+allow httpd_t httpd_log_t:dir setattr;
 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
 allow httpd_t httpd_modules_t:dir list_dir_perms;
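Review bot: `allow httpd_t httpd_log_t:dir setattr;` swaps the `setattr_dir_perms` macro for a raw permission, against the convention used by every neighbouring rule; keep the macro so the rule tracks any future change to the permission set. The new `setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)` lets the server itself change mode, ownership and timestamps of its log files, which a compromised worker could use to tamper with log evidence; rotation already runs in httpd_rotatelogs_t, so if that is the only use case the rule belongs there, and if httpd_t truly needs it a comment naming the reason would help. `files_var_filetrans(httpd_t, httpd_cache_t, { file dir })` now also labels plain files created directly under /var as cache content, and the `# cjp: need to refine create interfaces` note should become a neutral `# TODO:` without a person's initials.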
@@ -407,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
 allow httpd_t httpd_rotatelogs_t:process signal_perms;
 
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 
+allow httpd_t httpd_suexec_exec_t:process { signal signull };
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
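Review bot: `allow httpd_t httpd_suexec_exec_t:process { signal signull };` targets the executable's file type rather than a process domain; no process ever runs with the httpd_suexec_exec_t label, so the rule is dead and the intended one is `allow httpd_t httpd_suexec_t:process { signal signull };`. The `allow httpd_t httpd_suexec_exec_t:file read_file_perms;` on the next line is the file-class rule and is correct as written.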
@@ -445,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
-can_exec(httpd_t, httpd_exec_t)
-
-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
 kernel_read_kernel_sysctls(httpd_t)
-kernel_read_network_state(httpd_t)
+# for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
 kernel_search_network_sysctl(httpd_t)
 
-corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
 corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
 corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_generic_node(httpd_t)
-
-corenet_sendrecv_http_server_packets(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
-corenet_tcp_sendrecv_http_port(httpd_t)
-
-corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_udp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_t)
-
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
+# Signal self for shutdown
+tunable_policy(`httpd_graceful_shutdown',`
+	corenet_tcp_connect_http_port(httpd_t)
+')
 
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
 dev_rw_crypto(httpd_t)
 
-domain_use_interactive_fds(httpd_t)
-
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
-
-fs_getattr_all_fs(httpd_t)
-fs_read_anon_inodefs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
 
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
+
+files_dontaudit_search_all_pids(httpd_t)
 files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
 files_list_mnt(httpd_t)
+files_read_mnt_symlinks(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
 files_read_var_lib_files(httpd_t)
 files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
 files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+# for tomcat
 files_read_var_lib_symlinks(httpd_t)
 
-auth_use_nsswitch(httpd_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
 
 libs_read_lib_files(httpd_t)
 
+ifdef(`hide_broken_symptoms',`
+	libs_exec_lib_files(httpd_t)
+')
+
 logging_send_syslog_msg(httpd_t)
 
-miscfiles_read_localization(httpd_t)
+init_dontaudit_read_utmp(httpd_t)
+
 miscfiles_read_fonts(httpd_t)
 miscfiles_read_public_files(httpd_t)
 miscfiles_read_generic_certs(httpd_t)
 miscfiles_read_tetex_data(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
+miscfiles_dontaudit_access_check_cert(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
 
-ifdef(`TODO',`
-	tunable_policy(`allow_httpd_mod_auth_pam',`
-		auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+	allow httpd_t self:process setrlimit;
+	allow httpd_t self:capability sys_resource;
+')
 
-		logging_send_audit_msgs(httpd_t)
-	')
+tunable_policy(`httpd_anon_write',`
+	miscfiles_manage_public_files(httpd_t)
 ')
 
-ifdef(`hide_broken_symptoms',`
-	libs_exec_lib_files(httpd_t)
+tunable_policy(`httpd_dontaudit_search_dirs',`
+    files_dontaudit_search_non_security_dirs(httpd_t)
 ')
 
-tunable_policy(`allow_httpd_anon_write',`
-	miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+	auth_domtrans_chkpwd(httpd_t)
+	logging_send_audit_msgs(httpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+		samba_domtrans_winbind_helper(httpd_t)
+	')
 ')
 
 tunable_policy(`httpd_can_network_connect',`
-	corenet_sendrecv_all_client_packets(httpd_t)
 	corenet_tcp_connect_all_ports(httpd_t)
-	corenet_tcp_sendrecv_all_ports(httpd_t)
 ')
 
 tunable_policy(`httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_t)
 	corenet_tcp_connect_gds_db_port(httpd_t)
-	corenet_tcp_sendrecv_gds_db_port(httpd_t)
-	corenet_sendrecv_mssql_client_packets(httpd_t)
 	corenet_tcp_connect_mssql_port(httpd_t)
-	corenet_tcp_sendrecv_mssql_port(httpd_t)
-	corenet_sendrecv_oracledb_client_packets(httpd_t)
-	corenet_tcp_connect_oracledb_port(httpd_t)
-	corenet_tcp_sendrecv_oracledb_port(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_t)
+	corenet_tcp_connect_oracle_port(httpd_t)
+	corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+	corenet_tcp_connect_memcache_port(httpd_t)
 ')
 
 tunable_policy(`httpd_can_network_relay',`
-	corenet_sendrecv_gopher_client_packets(httpd_t)
+	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
-	corenet_tcp_sendrecv_gopher_port(httpd_t)
-	corenet_sendrecv_ftp_client_packets(httpd_t)
 	corenet_tcp_connect_ftp_port(httpd_t)
-	corenet_tcp_sendrecv_ftp_port(httpd_t)
-	corenet_sendrecv_http_client_packets(httpd_t)
 	corenet_tcp_connect_http_port(httpd_t)
-	corenet_tcp_sendrecv_http_port(httpd_t)
-	corenet_sendrecv_http_cache_client_packets(httpd_t)
 	corenet_tcp_connect_http_cache_port(httpd_t)
-	corenet_tcp_sendrecv_http_cache_port(httpd_t)
-	corenet_sendrecv_squid_client_packets(httpd_t)
 	corenet_tcp_connect_squid_port(httpd_t)
-	corenet_tcp_sendrecv_squid_port(httpd_t)
+	corenet_tcp_connect_memcache_port(httpd_t)
+	corenet_sendrecv_gopher_client_packets(httpd_t)
+	corenet_sendrecv_ftp_client_packets(httpd_t)
+	corenet_sendrecv_http_client_packets(httpd_t)
+	corenet_sendrecv_http_cache_client_packets(httpd_t)
+	corenet_sendrecv_squid_client_packets(httpd_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 ')
 
-tunable_policy(`httpd_builtin_scripting',`
-	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+tunable_policy(`httpd_execmem',`
+	allow httpd_t self:process { execmem execstack };
+	allow httpd_sys_script_t self:process { execmem execstack };
+	allow httpd_suexec_t self:process { execmem execstack };
+')
 
-	allow httpd_t httpdcontent:dir list_dir_perms;
-	allow httpd_t httpdcontent:file read_file_perms;
-	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+	can_exec(httpd_sys_script_t, httpd_sys_content_t)
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-	allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
-	allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+tunable_policy(`httpd_sys_script_anon_write',`
+	miscfiles_manage_public_files(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
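Review bot: The new httpd_sys_script_t block is internally inconsistent: the `manage_*_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)` rules and the `# php uploads a file to /tmp` comment are about httpd_tmp_t, but `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })` labels everything the script creates in /tmp as httpd_sys_rw_content_t, so the manage rules never cover the script's own uploads and those uploads become writable web content instead of temp files, outside the `httpd_tmp_exec` gate that applies to httpd_tmp_t later in this file. Unless the rw-content label is intentional, the transition should be `files_tmp_filetrans(httpd_sys_script_t, httpd_tmp_t, { dir file lnk_file sock_file fifo_file })`, and the block belongs in the script-domain section rather than in the middle of httpd_t's files_ rules. Separately, `corenet_tcp_bind_jboss_management_port`, `corenet_tcp_bind_jboss_messaging_port`, `corenet_tcp_bind_puppet_port`, `corenet_tcp_bind_ntop_port` and `files_exec_usr_files(httpd_t)` are granted unconditionally; binding management ports and executing arbitrary usr_t files is the kind of access that elsewhere in this file sits behind a boolean, so they should be gated or justified in a comment.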
@@ -589,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
 
-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-#	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-# ')
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+	manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+	manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+	manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
-	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_can_connect_ftp',`
+	corenet_tcp_connect_ftp_port(httpd_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_ldap',`
+	corenet_tcp_connect_ldap_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_mythtv',`
+	corenet_tcp_connect_mythtv_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_zabbix',`
+	corenet_tcp_connect_zabbix_port(httpd_t)
 ')
 
 tunable_policy(`httpd_enable_ftp_server',`
-	corenet_sendrecv_ftp_server_packets(httpd_t)
 	corenet_tcp_bind_ftp_port(httpd_t)
-	corenet_tcp_sendrecv_ftp_port(httpd_t)
+	corenet_tcp_bind_all_ephemeral_ports(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+	can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+	can_exec(httpd_sys_script_t, httpd_tmp_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
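Review bot: The new `httpd_can_connect_ftp` block pairs `corenet_tcp_connect_ftp_port(httpd_t)` with `corenet_tcp_connect_all_ephemeral_ports(httpd_t)`, so a boolean named after FTP also lets httpd_t connect to any ephemeral port on any host; a one-line comment would stop a later reader from trimming it, e.g. `# passive-mode FTP data connections arrive on ephemeral ports`. The same unexplained pairing appears on the bind side in `httpd_enable_ftp_server` with `corenet_tcp_bind_all_ephemeral_ports(httpd_t)`. The four new booleans `httpd_can_connect_ftp`, `httpd_can_connect_ldap`, `httpd_can_connect_mythtv` and `httpd_can_connect_zabbix` presumably have `gen_tunable` declarations earlier in the file, outside this hunk; the module will not build without them.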
@@ -619,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+tunable_policy(`httpd_use_nfs',`
 	fs_list_auto_mountpoints(httpd_t)
-	fs_read_cifs_files(httpd_t)
-	fs_read_cifs_symlinks(httpd_t)
+	fs_manage_nfs_dirs(httpd_t)
+	fs_manage_nfs_files(httpd_t)
+	fs_manage_nfs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_t)
+
+tunable_policy(`httpd_use_nfs',`
+	automount_search_tmp_dirs(httpd_t)
 ')
 
-tunable_policy(`httpd_execmem',`
-	allow httpd_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_t)
+	fs_read_cifs_symlinks(httpd_t)
 ')
 
 tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_t)
+	# allow httpd to connect to mail servers
 	corenet_tcp_connect_smtp_port(httpd_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_t)
-	corenet_sendrecv_pop_client_packets(httpd_t)
+	corenet_sendrecv_smtp_client_packets(httpd_t)
 	corenet_tcp_connect_pop_port(httpd_t)
-	corenet_tcp_sendrecv_pop_port(httpd_t)
-
+	corenet_sendrecv_pop_client_packets(httpd_t)
 	mta_send_mail(httpd_t)
 	mta_signal_system_mail(httpd_t)
+    postfix_rw_spool_maildrop_files(httpd_t)
 ')
 
-optional_policy(`
-	tunable_policy(`httpd_can_network_connect_zabbix',`
-		zabbix_tcp_connect(httpd_t)
-	')
-')
-
-optional_policy(`
-	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-		spamassassin_domtrans_client(httpd_t)
-	')
-')
-
-tunable_policy(`httpd_graceful_shutdown',`
-	corenet_sendrecv_http_client_packets(httpd_t)
-	corenet_tcp_connect_http_port(httpd_t)
-	corenet_tcp_sendrecv_http_port(httpd_t)
-')
-
-optional_policy(`
-	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-		gpg_spec_domtrans(httpd_t, httpd_gpg_t)
-	')
-')
-
-optional_policy(`
-	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
-		samba_domtrans_winbind_helper(httpd_t)
-	')
+tunable_policy(`httpd_use_cifs',`
+	fs_manage_cifs_dirs(httpd_t)
+	fs_manage_cifs_files(httpd_t)
+	fs_manage_cifs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_read_user_content',`
-	userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
+	fs_manage_fusefs_dirs(httpd_t)
+	fs_manage_fusefs_files(httpd_t)
+	fs_manage_fusefs_symlinks(httpd_t)
 ')
 
 tunable_policy(`httpd_setrlimit',`
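Review bot: `postfix_rw_spool_maildrop_files(httpd_t)` in the `httpd_can_sendmail` block is called without an enclosing `optional_policy`, so the module fails to build wherever the postfix module is not installed; the same applies to `automount_search_tmp_dirs(httpd_t)` in the second `httpd_use_nfs` block. Because refpolicy does not allow `optional_policy` inside `tunable_policy`, each call needs its own `optional_policy` block that wraps a `tunable_policy` on the same boolean rather than being appended to the existing block. Once that is done the two adjacent `httpd_use_nfs` blocks collapse into one, and the stray blank line between them goes away. The postfix line is also indented with four spaces where the rest of the file uses a tab.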
@@ -690,49 +842,48 @@ tunable_policy(`httpd_setrlimit',`
 
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+	allow httpd_sys_script_t httpd_t:fd use;
+	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_t:process sigchld;
 ')
 
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-	can_exec(httpd_t, httpd_tmp_t)
-')
-
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_t)
+	userdom_use_inherited_user_terminals(httpd_t)
+	userdom_use_inherited_user_terminals(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_cifs_dirs(httpd_t)
-	fs_manage_cifs_files(httpd_t)
-	fs_manage_cifs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_t)
-')
+optional_policy(`
+	cobbler_list_config(httpd_t)
+	cobbler_read_config(httpd_t)
 
-tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_fusefs_dirs(httpd_t)
-	fs_manage_fusefs_files(httpd_t)
-	fs_read_fusefs_symlinks(httpd_t)
-')
+    tunable_policy(`httpd_serve_cobbler_files',`
+        cobbler_manage_lib_files(httpd_t)
+',`
+	    cobbler_read_lib_files(httpd_t)
+	    cobbler_search_lib(httpd_t)
+    ')
 
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_t)
+    tunable_policy(`httpd_can_network_connect_cobbler',`
+        corenet_tcp_connect_cobbler_port(httpd_t)
+    ')
 ')
 
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_nfs_dirs(httpd_t)
-	fs_manage_nfs_files(httpd_t)
-	fs_manage_nfs_symlinks(httpd_t)
+optional_policy(`
+    tunable_policy(`httpd_use_sasl',`
+        sasl_connect(httpd_t)
+    ')
 ')
 
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_t)
+optional_policy(`
+	# Support for ABRT retrace server
+	# mod_wsgi
+	abrt_manage_spool_retrace(httpd_t)
+	abrt_domtrans_retrace_worker(httpd_t)
+	abrt_read_config(httpd_t)
 ')
 
 optional_policy(`
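Review bot: The new comment above `httpd_tty_comm` says the terminal permissions "are dontaudited here", but the block below it only allows `userdom_use_inherited_user_terminals` for httpd_t and httpd_suexec_t and the old else-branch with `userdom_dontaudit_use_user_terminals` is removed, so nothing is dontaudited any more. Suggested wording: `# When the admin starts the server it may touch the session's TTY/PTY;` / `# httpd_tty_comm allows inherited terminal use for httpd_t and` / `# httpd_suexec_t (the server runs correctly without it).` The cobbler block further down mixes four-space and tab indentation, and its `',` separator sits at column 0 while the surrounding block is indented, which makes the true/false branches hard to read.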
@@ -744,24 +895,32 @@ optional_policy(`
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(httpd_t)
+	cron_system_entry(httpd_t, httpd_exec_t)
 ')
 
 optional_policy(`
-	cobbler_read_config(httpd_t)
-	cobbler_read_lib_files(httpd_t)
+	cvs_read_data(httpd_t)
 ')
 
 optional_policy(`
-	cron_system_entry(httpd_t, httpd_exec_t)
+	daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
 
 optional_policy(`
-	cvs_read_data(httpd_t)
+	#needed by FreeIPA 
+	dirsrv_stream_connect(httpd_t)
 ')
 
 optional_policy(`
-	daemontools_service_domain(httpd_t, httpd_exec_t)
+	dirsrv_manage_config(httpd_t)
+	dirsrv_manage_log(httpd_t)
+	dirsrv_manage_var_run(httpd_t)
+	dirsrv_read_share(httpd_t)
+	dirsrv_signal(httpd_t)
+	dirsrv_signull(httpd_t)
+	dirsrvadmin_manage_config(httpd_t)
+	dirsrvadmin_manage_tmp(httpd_t)
+	dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
 ')
 
 optional_policy(`
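Review bot: The last block mixes `dirsrv_*` and `dirsrvadmin_*` interfaces inside one `optional_policy`, so if only one of those two modules is installed the whole block is silently dropped, including the `dirsrv_signal`/`dirsrv_signull` rules; splitting it into one block per module keeps each set independent. Separately, `dirsrvadmin_domtrans_unconfined_script_t(httpd_t)` and the `dirsrv_manage_config`/`dirsrv_manage_log`/`dirsrv_manage_var_run` grants are unconditional, which gives the web server write access to the directory server's configuration and a path into an unconfined script domain whenever the modules are present; the preceding block's `#needed by FreeIPA` comment suggests a narrower use case that a tunable could gate. A short comment naming that use case would help either way.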
@@ -770,6 +929,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
+
+    tunable_policy(`httpd_dbus_sssd',
+        sssd_dbus_chat(httpd_t)
+    ')
 ')
 
 optional_policy(`
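Review bot: The `httpd_dbus_sssd` line is missing the opening quote of its second argument: the `httpd_dbus_avahi` line three lines above ends in a comma followed by a backtick, while the new line ends at the comma. Without that backtick the following `')` closes a quote that was never opened, so m4 either mis-nests the surrounding `optional_policy` or fails the build. Adding the backtick after the comma, exactly as on the avahi line, fixes it. The new block is also indented with four spaces while its sibling uses tabs.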
@@ -781,34 +944,53 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+		gpg_domtrans_web(httpd_t)
+	')
+')
+
+optional_policy(`
+	gssproxy_stream_connect(httpd_t)
+')
+
+optional_policy(`
+	mirrormanager_manage_pid_files(httpd_t)
+	mirrormanager_read_lib_files(httpd_t)
+	mirrormanager_read_log(httpd_t)
+')
+
+optional_policy(`
+	jetty_admin(httpd_t)
+')
+
+optional_policy(`
 	kerberos_keytab_template(httpd, httpd_t)
-	kerberos_manage_host_rcache(httpd_t)
-	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
-	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+	kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+	kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
 ')
 
 optional_policy(`
+	# needed by FreeIPA
 	ldap_stream_connect(httpd_t)
-
-	tunable_policy(`httpd_can_network_connect_ldap',`
-		ldap_tcp_connect(httpd_t)
-	')
+	ldap_read_certs(httpd_t)
 ')
 
 optional_policy(`
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
 	mailman_read_data_files(httpd_t)
+	# should have separate types for public and private archives
 	mailman_search_data(httpd_t)
 	mailman_read_archive(httpd_t)
 ')
 
 optional_policy(`
-	memcached_stream_connect(httpd_t)
+	mediawiki_read_tmp_files(httpd_t)
+	mediawiki_delete_tmp_files(httpd_t)
+')
 
-	tunable_policy(`httpd_can_network_connect_memcache',`
-		memcached_tcp_connect(httpd_t)
-	')
+optional_policy(`
+	memcached_stream_connect(httpd_t)
 
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
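Review bot: `jetty_admin(httpd_t)` hands the web server full administrative control of jetty's files and processes unconditionally; refpolicy `_admin` interfaces conventionally take a domain and a role, and if `jetty_admin` follows that convention the missing second argument leaves it empty and breaks the role rules. If a narrower jetty interface exists in the jetty module it should be used instead, and otherwise a comment should name the use case, e.g. `# httpd fronts jetty and needs to restart it`. The two `kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")` calls drop the old `file` argument; that is fine only if the kerberos interface signature was changed in the same commit, which is not visible here.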
@@ -816,8 +998,18 @@ optional_policy(`
 ')
 
 optional_policy(`
+	munin_read_config(httpd_t)
+')
+
+optional_policy(`
+	# Allow httpd to work with mysql
 	mysql_read_config(httpd_t)
 	mysql_stream_connect(httpd_t)
+	mysql_rw_db_sockets(httpd_t)
+
+	optional_policy(`
+		postgresql_stream_connect(httpd_t)
+	')
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
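Review bot: The nested `optional_policy` with `postgresql_stream_connect(httpd_t)` inside the mysql block makes the postgresql permission depend on the mysql module being installed, and the same permission is granted again in its own top-level postgresql block later in this diff (the `# Allow httpd to work with postgresql` block). Remove the nested block here so the grant lives in one place. The blank line before `tunable_policy` then directly follows `mysql_rw_db_sockets(httpd_t)`.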
@@ -826,6 +1018,7 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
+	nagios_read_log(httpd_t)
 ')
 
 optional_policy(`
@@ -836,20 +1029,40 @@ optional_policy(`
 ')
 
 optional_policy(`
+	openshift_search_lib(httpd_t)
+	openshift_initrc_signull(httpd_t)
+	openshift_initrc_signal(httpd_t)
+')
+
+optional_policy(`
+	passenger_exec(httpd_t)
+	passenger_kill(httpd_t)
+	passenger_manage_pid_content(httpd_t)
+')
+
+optional_policy(`
 	pcscd_read_pid_files(httpd_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(httpd_t)
-	postgresql_unpriv_client(httpd_t)
+	pki_apache_domain_signal(httpd_t)
+	pki_manage_apache_config_files(httpd_t)
+	pki_manage_apache_lib(httpd_t)
+	pki_manage_apache_log_files(httpd_t)
+	pki_manage_apache_run(httpd_t)
+	pki_read_tomcat_cert(httpd_t)
+')
 
-	tunable_policy(`httpd_can_network_connect_db',`
-		postgresql_tcp_connect(httpd_t)
-	')
+optional_policy(`
+	puppet_read_lib(httpd_t)
+')
+
+optional_policy(`
+	pwauth_domtrans(httpd_t)
 ')
 
 optional_policy(`
-	puppet_read_lib_files(httpd_t)
+	rpm_dontaudit_read_db(httpd_t)
 ')
 
 optional_policy(`
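Review bot: `passenger_exec(httpd_t)`, `passenger_kill(httpd_t)` and `passenger_manage_pid_content(httpd_t)` are granted unconditionally here, while the `httpd_run_stickshift` hunk later in this diff grants `passenger_domtrans(httpd_t)` and other passenger rules under a tunable; having two passenger blocks in different sections makes it hard to see what httpd_t actually gets. Merging them into one `optional_policy` block next to the tunable one, with a comment on why `passenger_exec` (run in httpd_t) is needed alongside the transition, would help. The `pki_manage_apache_*` block grants httpd_t write access to pki's apache config, lib, log and run content; a comment naming the PKI deployment that needs this is worth adding.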
@@ -857,19 +1070,35 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# Allow httpd to work with postgresql
+	postgresql_stream_connect(httpd_t)
+	postgresql_unpriv_client(httpd_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_t)
+	')
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(httpd_t)
 ')
 
 optional_policy(`
 	smokeping_read_lib_files(httpd_t)
+    smokeping_read_pid_files(httpd_t)
 ')
 
 optional_policy(`
+	files_dontaudit_rw_usr_dirs(httpd_t)
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
 
 optional_policy(`
+    thin_stream_connect(httpd_t)
+')
+
+optional_policy(`
 	udev_read_db(httpd_t)
 ')
 
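Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is placed inside the snmp `optional_policy` block, so a dontaudit from the core files module becomes conditional on the snmp module being installed, which looks accidental; move it out to the unconditional httpd_t rules. `smokeping_read_pid_files(httpd_t)` and `thin_stream_connect(httpd_t)` are indented with four spaces while the rest of the file uses tabs.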
@@ -877,65 +1106,173 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
+optional_policy(`
+	zarafa_manage_lib_files(httpd_t)
+	zarafa_stream_connect_server(httpd_t)
+	zarafa_search_config(httpd_t)
+')
+
+optional_policy(`
+    zoneminder_append_log(httpd_t)
+    zoneminder_manage_lib_dirs(httpd_t)
+    zoneminder_manage_lib_files(httpd_t)
+    zoneminder_stream_connect(httpd_t)
+    zoneminder_exec(httpd_t)
+')
+
 ########################################
 #
-# Helper local policy
+# Apache helper local policy
 #
 
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
 
-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+allow httpd_helper_t httpd_config_t:file read_file_perms;
 
-files_search_etc(httpd_helper_t)
+allow httpd_helper_t httpd_log_t:file append_file_perms;
 
-logging_search_logs(httpd_helper_t)
 logging_send_syslog_msg(httpd_helper_t)
 
+tunable_policy(`httpd_verify_dns',`
+	corenet_udp_bind_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_run_stickshift', `
+	allow httpd_t self:capability { fowner fsetid sys_resource };
+	dontaudit httpd_t self:capability sys_ptrace;
+	allow httpd_t self:process setexec;
+
+	files_dontaudit_getattr_all_files(httpd_t)
+	domain_getpgid_all_domains(httpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`httpd_run_stickshift', `
+		passenger_manage_lib_files(httpd_t)
+		passenger_getattr_log_files(httpd_t)
+	',`
+		passenger_domtrans(httpd_t)
+		passenger_read_lib_files(httpd_t)
+		passenger_stream_connect(httpd_t)
+		passenger_manage_tmp_files(httpd_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`httpd_run_stickshift', `
+		oddjob_dbus_chat(httpd_t)
+	')
+')
+
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_helper_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_helper_t)
+	userdom_use_inherited_user_terminals(httpd_helper_t)
+')
+
+########################################
+#
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_gds_db_port(httpd_php_t)
+	corenet_tcp_connect_mssql_port(httpd_php_t)
+	corenet_sendrecv_mssql_client_packets(httpd_php_t)
+	corenet_tcp_connect_oracle_port(httpd_php_t)
+	corenet_sendrecv_oracle_client_packets(httpd_php_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(httpd_php_t)
+	mysql_rw_db_sockets(httpd_php_t)
+	mysql_read_config(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_php_t)
+	')
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_php_t)
+	postgresql_unpriv_client(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_php_t)
+	')
 ')
 
 ########################################
 #
-# Suexec local policy
+# Apache suexec local policy
 #
 
 allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
-allow httpd_suexec_t self:tcp_socket { accept listen };
-allow httpd_suexec_t self:unix_stream_socket { accept listen };
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
 
 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
 
-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-corenet_all_recvfrom_netlabel(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
-
 dev_read_urand(httpd_suexec_t)
 
 fs_read_iso9660_files(httpd_suexec_t)
 fs_search_auto_mountpoints(httpd_suexec_t)
 
-files_read_usr_files(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
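Review bot: `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` lets CGI scripts run inside httpd_suexec_t, which holds `self:capability { setuid setgid }` a few lines above, so a script executed this way keeps the capabilities suexec is meant to drop; unless a `domtrans_pattern` to httpd_sys_script_t for that type exists elsewhere in the file (not visible in this hunk), this should be a domain transition rather than a plain exec. The "Apache helper local policy" section now also holds httpd_t rules (`httpd_verify_dns`, `httpd_run_stickshift`, the passenger and oddjob blocks) that belong in the httpd_t section above, and the stickshift block grants `setexec` plus `domain_getpgid_all_domains(httpd_t)` without a comment on why. A comment such as `# stickshift runs per-user gears from httpd and needs to set the exec context` would document the intent. The helper section's new `allow httpd_helper_t httpd_log_t:file append_file_perms;` is fine.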
@@ -944,123 +1281,74 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
-miscfiles_read_localization(httpd_suexec_t)
 miscfiles_read_public_files(httpd_suexec_t)
 
-tunable_policy(`httpd_builtin_scripting',`
-	exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
-
-	allow httpd_suexec_t httpdcontent:dir list_dir_perms;
-	allow httpd_suexec_t httpdcontent:file read_file_perms;
-	allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
-')
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
 
 tunable_policy(`httpd_can_network_connect',`
+	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+	corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
 	corenet_tcp_connect_all_ports(httpd_suexec_t)
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
-	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
 	corenet_tcp_connect_gds_db_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
-	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 	corenet_tcp_connect_mssql_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
-	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+	corenet_tcp_connect_oracle_port(httpd_suexec_t)
+	corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
 ')
 
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
 tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_smtp_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
-	corenet_sendrecv_pop_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_pop_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
 	mta_send_mail(httpd_suexec_t)
-	mta_signal_system_mail(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpdcontent:file entrypoint;
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_read_cifs_files(httpd_suexec_t)
-	fs_read_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_suexec_t)
+	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
+        fs_list_auto_mountpoints(httpd_suexec_t)
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_execmem',`
-	allow httpd_suexec_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_tmp_exec',`
-	can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
-')
-
-tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_suexec_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_cifs_dirs(httpd_suexec_t)
-	fs_manage_cifs_files(httpd_suexec_t)
-	fs_manage_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_suexec_t)
+	fs_read_cifs_symlinks(httpd_suexec_t)
 	fs_exec_cifs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_fusefs_dirs(httpd_suexec_t)
-	fs_manage_fusefs_files(httpd_suexec_t)
-	fs_read_fusefs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_nfs_dirs(httpd_suexec_t)
-	fs_manage_nfs_files(httpd_suexec_t)
-	fs_manage_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_suexec_t)
+optional_policy(`
+	mailman_domtrans_cgi(httpd_suexec_t)
 ')
 
 optional_policy(`
-	mailman_domtrans_cgi(httpd_suexec_t)
+	mta_stub(httpd_suexec_t)
+
+	# apache should set close-on-exec
+	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
 optional_policy(`
 	mysql_stream_connect(httpd_suexec_t)
+	mysql_rw_db_sockets(httpd_suexec_t)
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
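Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` is unconditional, so every httpd_sys_content_t file becomes an entrypoint to httpd_sys_script_t regardless of `httpd_enable_cgi` or `httpd_unified`, which makes the gated `allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;` in the `httpd_enable_cgi && httpd_unified` block at the top of this diff moot; it should move under that tunable, and it sits in the suexec section rather than the system script one. The `dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };` is placed inside the mta `optional_policy` although it does not involve any mta type; move it to the unconditional suexec rules so it does not vanish when the mta module is absent. `fs_list_auto_mountpoints(httpd_suexec_t)` in the nfs home-dirs block is re-indented with eight spaces instead of a tab.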
@@ -1077,172 +1365,106 @@ optional_policy(`
 	')
 ')
 
-tunable_policy(`httpd_read_user_content',`
-	userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_suexec_t)
-')
-
 ########################################
 #
-# Common script local policy
+# Apache system script local policy
 #
 
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
 
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
-dev_read_rand(httpd_script_domains)
-dev_read_urand(httpd_script_domains)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 
-files_exec_etc_files(httpd_script_domains)
-files_read_etc_files(httpd_script_domains)
-files_search_home(httpd_script_domains)
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
 
-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
 
-miscfiles_read_fonts(httpd_script_domains)
-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
 
-seutil_dontaudit_search_config(httpd_script_domains)
+logging_inherit_append_all_logs(httpd_sys_script_t)
 
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
-	allow httpd_script_domains httpdcontent:file entrypoint;
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
 
-	manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-	manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-	manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+auth_use_nsswitch(httpd_sys_script_t)
 
-	can_exec(httpd_script_domains, httpdcontent)
+ifdef(`distro_redhat',`
+	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-	allow httpd_script_domains self:process { setsched signal_perms };
-	allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
-
-	kernel_read_system_state(httpd_script_domains)
-
-	fs_getattr_all_fs(httpd_script_domains)
-
-	files_read_etc_runtime_files(httpd_script_domains)
-	files_read_usr_files(httpd_script_domains)
-
-	libs_read_lib_files(httpd_script_domains)
-
-	miscfiles_read_localization(httpd_script_domains)
+tunable_policy(`httpd_can_sendmail',`
+	mta_send_mail(httpd_sys_script_t)
 ')
 
 optional_policy(`
-	tunable_policy(`httpd_enable_cgi && allow_ypbind',`
-		nis_use_ypbind_uncond(httpd_script_domains)
+	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+		spamassassin_domtrans_client(httpd_t)
 	')
 ')
 
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
-	corenet_tcp_connect_gds_db_port(httpd_script_domains)
-	corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
-	corenet_sendrecv_mssql_client_packets(httpd_script_domains)
-	corenet_tcp_connect_mssql_port(httpd_script_domains)
-	corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
-	corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
-	corenet_tcp_connect_oracledb_port(httpd_script_domains)
-	corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
-')
-
-optional_policy(`
-	mysql_read_config(httpd_script_domains)
-	mysql_stream_connect(httpd_script_domains)
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		mysql_tcp_connect(httpd_script_domains)
-	')
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+	corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
 ')
 
-optional_policy(`
-	postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
 
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		postgresql_tcp_connect(httpd_script_domains)
-	')
-')
+tunable_policy(`httpd_use_nfs',`
+        fs_list_auto_mountpoints(httpd_sys_script_t)
+	fs_manage_nfs_dirs(httpd_sys_script_t)
+	fs_manage_nfs_files(httpd_sys_script_t)
+	fs_manage_nfs_symlinks(httpd_sys_script_t)
+	fs_exec_nfs_files(httpd_sys_script_t)
 
-optional_policy(`
-	nscd_use(httpd_script_domains)
+        fs_list_auto_mountpoints(httpd_suexec_t)
+	fs_manage_nfs_dirs(httpd_suexec_t)
+	fs_manage_nfs_files(httpd_suexec_t)
+	fs_manage_nfs_symlinks(httpd_suexec_t)
+	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
-########################################
-#
-# System script local policy
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
-
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-
-tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
-	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_pop_port(httpd_sys_script_t)
-	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
-	mta_send_mail(httpd_sys_script_t)
-	mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_bind_generic_node(httpd_sys_script_t)
+	corenet_udp_bind_generic_node(httpd_sys_script_t)
+	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_tcp_connect_all_ports(httpd_sys_script_t)
+	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_search_user_home_dirs(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
-	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_execmem',`
-	allow httpd_sys_script_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+        fs_list_auto_mountpoints(httpd_sys_script_t)
+	fs_read_nfs_files(httpd_sys_script_t)
+	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_read_user_content',`
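Review bot: `spamassassin_domtrans_client(httpd_t)` now lives under the "Apache system script local policy" heading, while the block it replaces (removed in the `@@ -619` hunk) granted the same to httpd_t in the httpd_t section; either the argument was meant to be `httpd_sys_script_t` or the block should move back, and as written the section heading misleads. The `httpd_enable_cgi && httpd_can_network_connect` block now also grants `corenet_tcp_bind_generic_node`, `corenet_udp_bind_generic_node` and `create_stream_socket_perms` (which includes listen and accept), so a boolean named for outbound connections lets scripts open listening sockets; a comment stating that this is intended, e.g. `# scripts may also listen on unreserved ports when network access is enabled`, or a separate tunable would make it explicit. The `httpd_use_nfs` block grants httpd_suexec_t rules from inside the sys_script section, `# Should we add a boolean?` is left as an open question, and the three `fs_list_auto_mountpoints` lines use eight spaces where the file uses tabs.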
@@ -1250,64 +1472,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
 	fs_manage_cifs_dirs(httpd_sys_script_t)
 	fs_manage_cifs_files(httpd_sys_script_t)
 	fs_manage_cifs_symlinks(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_sys_script_t)
+	fs_manage_cifs_dirs(httpd_suexec_t)
+	fs_manage_cifs_files(httpd_suexec_t)
+	fs_manage_cifs_symlinks(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
 	fs_manage_fusefs_dirs(httpd_sys_script_t)
 	fs_manage_fusefs_files(httpd_sys_script_t)
-	fs_read_fusefs_symlinks(httpd_sys_script_t)
+	fs_manage_fusefs_symlinks(httpd_sys_script_t)
+	fs_manage_fusefs_dirs(httpd_suexec_t)
+	fs_manage_fusefs_files(httpd_suexec_t)
+	fs_manage_fusefs_symlinks(httpd_suexec_t)
+	fs_exec_fusefs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_sys_script_t)
+	fs_read_cifs_symlinks(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
-	fs_manage_nfs_dirs(httpd_sys_script_t)
-	fs_manage_nfs_files(httpd_sys_script_t)
-	fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+	clamav_domtrans_clamscan(httpd_sys_script_t)
+	clamav_domtrans_clamscan(httpd_t)
 ')
 
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_sys_script_t)
+optional_policy(`
+	mysql_stream_connect(httpd_sys_script_t)
+	mysql_rw_db_sockets(httpd_sys_script_t)
+	mysql_read_config(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(httpd_sys_script_t)
+	postgresql_stream_connect(httpd_sys_script_t)
+	postgresql_unpriv_client(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 optional_policy(`
-	postgresql_unpriv_client(httpd_sys_script_t)
+    snmp_read_snmp_var_lib_files(httpd_sys_script_t)
 ')
 
 ########################################
 #
-# Rotatelogs local policy
+# httpd_rotatelogs local policy
 #
 
 allow httpd_rotatelogs_t self:capability dac_override;
 
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
 
-files_read_etc_files(httpd_rotatelogs_t)
 
 logging_search_logs(httpd_rotatelogs_t)
 
-miscfiles_read_localization(httpd_rotatelogs_t)
 
 ########################################
 #
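Review bot: The new `snmp_read_snmp_var_lib_files` line at L7028 is indented with four spaces while every other rule in these blocks uses a tab, and the removals at L7046 and L7050 leave two consecutive blank lines before the section header; collapse them to one and use `	snmp_read_snmp_var_lib_files(httpd_sys_script_t)`. Separately, the rewritten `httpd_use_cifs` and `httpd_use_fusefs` blocks now grant `fs_exec_cifs_files(httpd_suexec_t)` and `fs_exec_fusefs_files(httpd_suexec_t)` whenever the share tunable is on, whereas the removed blocks gated execution from these filesystems on `httpd_builtin_scripting`; if that widening is intentional it deserves a comment, e.g. `# suexec may execute CGI scripts stored on CIFS/FUSE shares`.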
@@ -1315,8 +1547,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
-	apache_content_template(unconfined)
+	type httpd_unconfined_script_t;
+	type httpd_unconfined_script_exec_t;
+	domain_type(httpd_unconfined_script_t)
+	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 	unconfined_domain(httpd_unconfined_script_t)
+
+	role system_r types httpd_unconfined_script_t;
+	allow httpd_t httpd_unconfined_script_t:process signal_perms;
 ')
 
 ########################################
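Review bot: The new `httpd_unconfined_script_t` domain is declared and wired to a `domtrans_pattern` from `httpd_t` without any comment on what it is for, and there is no matching file-context entry for `httpd_unconfined_script_exec_t` in this diff, so it is not clear how a file is expected to receive that label. Because anything labeled `httpd_unconfined_script_exec_t` leaves the httpd confinement entirely, add a header above the block such as `# Scripts labeled httpd_unconfined_script_exec_t run with no confinement; label only trusted scripts.` so the next maintainer does not treat it as an ordinary content type. The enclosing `optional_policy` block begins inside this hunk and its opening line is visible at L7057.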
@@ -1324,49 +1563,38 @@ optional_policy(`
 # User content local policy
 #
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_list_auto_mountpoints(httpd_user_script_t)
-	fs_read_cifs_files(httpd_user_script_t)
-	fs_read_cifs_symlinks(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_user_script_t)
-')
+auth_use_nsswitch(httpd_user_script_t)
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_list_auto_mountpoints(httpd_user_script_t)
-	fs_read_nfs_files(httpd_user_script_t)
-	fs_read_nfs_symlinks(httpd_user_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_user_script_t httpdcontent:file entrypoint;
+	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+	manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_user_script_t)
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+	userdom_search_user_home_content(httpd_t)
+	userdom_search_user_home_content(httpd_suexec_t)
+	userdom_search_user_home_content(httpd_user_script_t)
 ')
 
 tunable_policy(`httpd_read_user_content',`
+	userdom_read_user_home_content_files(httpd_t)
+	userdom_read_user_home_content_files(httpd_suexec_t)
 	userdom_read_user_home_content_files(httpd_user_script_t)
 ')
 
-optional_policy(`
-	postgresql_unpriv_client(httpd_user_script_t)
-')
-
 ########################################
 #
-# Passwd local policy
+# httpd_passwd local policy
 #
 
 allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
 allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
 
-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
-
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
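Review bot: The `httpd_enable_cgi && httpd_unified` block at L7094 grants `entrypoint` on the whole `httpdcontent` attribute rather than on `httpd_user_content_t`, so under that tunable every httpd content type (system, user, rw, ra) becomes a valid entry file for `httpd_user_script_t`, while the manage rules that follow are scoped to the user content types only. If that asymmetry is deliberate, a one-line comment above the block, `# httpd_unified: any httpd content file may start the user script domain`, would make the intent explicit; otherwise narrow the entrypoint rule to the user content types. The removal of the `postgresql_unpriv_client(httpd_user_script_t)` optional block at L7117 is not mentioned in the surrounding changes and may be an unintentional regression for user CGI scripts using PostgreSQL.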
@@ -1376,38 +1604,100 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
+
 auth_use_nsswitch(httpd_passwd_t)
 
-miscfiles_read_generic_certs(httpd_passwd_t)
-miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_certs(httpd_passwd_t)
 
-########################################
-#
-# GPG local policy
-#
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
+
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
 
-allow httpd_gpg_t self:process setrlimit;
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
 
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
 
-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
 
-miscfiles_read_localization(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
 
-tunable_policy(`httpd_gpg_anon_write',`
-	miscfiles_manage_public_files(httpd_gpg_t)
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
+	nis_use_ypbind_uncond(httpd_script_type)
 ')
 
 optional_policy(`
-	apache_manage_sys_rw_content(httpd_gpg_t)
+	nscd_socket_use(httpd_script_type)
 ')
 
-optional_policy(`
-	gpg_entry_type(httpd_gpg_t)
-	gpg_exec(httpd_gpg_t)
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+tunable_policy(`httpd_builtin_scripting',`
+	allow httpd_t httpd_content_type:dir search_dir_perms;
+	allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+	allow httpd_t httpd_content_type:dir list_dir_perms;
+	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+tunable_policy(`httpd_use_openstack',`
+	corenet_tcp_connect_keystone_port(httpd_sys_script_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+	corenet_tcp_connect_glance_port(httpd_sys_script_t)
+	corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+    corenet_tcp_connect_osapi_compute_port(httpd_t)
 ')
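Review bot: `read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)` is granted unconditionally at L7236 and then repeated inside the `httpd_builtin_scripting` tunable at L7243, which makes the tunable-gated copy dead and means httpd_t can read every content type regardless of the boolean; drop one of the two, most likely L7236 if the gating is intended. The two `tunable_policy(`httpd_use_openstack',...)` blocks at L7247 and L7254 can be merged into one, and the second uses four-space indentation instead of the file's tabs. The commented-out `#systemd_passwd_agent_dev_template(httpd)` at L7153 is dead code and should either be removed or carry a reason. Finally, the large run of `httpd_script_type` rules starting at L7158 sits under the "httpd_passwd local policy" header at L7124, so a new section header such as `# httpd script type attribute policy` would keep the file navigable.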
diff --git a/apcupsd.fc b/apcupsd.fc
index 5ec0e13..462acb8 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
@@ -1,10 +1,15 @@
+/etc/apcupsd/powerfail	--	gen_context(system_u:object_r:apcupsd_power_t,s0)
+
 /etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/apcupsd.*  -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
 /sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /usr/sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /var/lock/subsys/apcupsd	--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
+/var/lock/LCK..			--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
 
 /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
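Review bot: The new entry `/var/lock/LCK..` at L7273 is a regular expression, so the two unescaped dots match any two characters and the anchored pattern matches exactly five-character names like `LCKab`, not the serial-port lock files of the form `LCK..ttyS0` that the name suggests. If the intent is those lock files, the entry should be `/var/lock/LCK\.\..*	--	gen_context(system_u:object_r:apcupsd_lock_t,s0)`. The unit-file entry at L7266 also uses spaces instead of the tabs used by the neighbouring lines.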
diff --git a/apcupsd.if b/apcupsd.if
index f3c0aba..cbe3d4a 100644
--- a/apcupsd.if
+++ b/apcupsd.if
@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute apcupsd server in the apcupsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_systemctl',`
+	gen_require(`
+		type apcupsd_t;
+		type apcupsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 apcupsd_unit_file_t:file read_file_perms;
+	allow $1 apcupsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, apcupsd_t)
+')
+
+########################################
+## <summary>
+##	Create configuration files in /var/lock 
+##	with a named file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_filetrans_named_content',`
+	gen_require(`
+		type apcupsd_lock_t;
+	')
+
+	files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
+	files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an apcupsd environment.
 ## </summary>
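Review bot: `files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")` at L7323 is a named file transition, so it only fires for a file literally named `LCK..`; a file such as `LCK..ttyS0` would not receive `apcupsd_lock_t` through this rule, and the fc hunk for the same path has the matching problem. If the target is the serial lock file family, that cannot be expressed as a named transition and should be handled by the file-context pattern instead; if it is a single fixed name, the interface summary should say so. The summary at L7308 also describes "configuration files in /var/lock", which does not match what lock files are, and that line ends in trailing whitespace; `##	Create lock files in /var/lock` would be accurate.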
@@ -144,11 +187,17 @@ interface(`apcupsd_admin',`
 	gen_require(`
 		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
 		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+		type apcupsd_unit_file_t;
+		type apcupsd_power_t;
 	')
 
-	allow $1 apcupsd_t:process { ptrace signal_perms };
+	allow $1 apcupsd_t:process signal_perms;
 	ps_process_pattern($1, apcupsd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 apcupsd_t:process ptrace;
+	')
+
 	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 apcupsd_initrc_exec_t system_r;
@@ -165,4 +214,11 @@ interface(`apcupsd_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, apcupsd_var_run_t)
+
+	apcupsd_systemctl($1)
+	admin_pattern($1, apcupsd_unit_file_t)
+	allow $1 apcupsd_unit_file_t:service all_service_perms;
+
+	manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
+	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
 ')
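Review bot: `files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")` at L7360 names the daemon domain instead of the interface parameter, so inside `apcupsd_admin` it grants nothing to the administrator and merely duplicates the rule already added to apcupsd.te in this diff. It should read `files_etc_filetrans($1, apcupsd_power_t, file, "powerfail")`, or be dropped if the admin domain is not meant to create that file. The enclosing `apcupsd_admin` interface begins outside this hunk.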
diff --git a/apcupsd.te b/apcupsd.te
index b236327..5206035 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
 type apcupsd_var_run_t;
 files_pid_file(apcupsd_var_run_t)
 
+type apcupsd_power_t;
+files_type(apcupsd_power_t)
+
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
 allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
 files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
 
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
+files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
+
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
 logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
 
 manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
 corecmd_exec_bin(apcupsd_t)
 corecmd_exec_shell(apcupsd_t)
 
-corenet_all_recvfrom_unlabeled(apcupsd_t)
 corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
 corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,6 +73,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
 corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
 corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
 corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_apc_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
 
 corenet_udp_bind_snmp_port(apcupsd_t)
 corenet_sendrecv_snmp_server_packets(apcupsd_t)
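Review bot: `corenet_udp_bind_snmp_port(apcupsd_t)` is added at L7406 but the same rule already exists two lines later at L7408 in the unchanged context, so the addition is a duplicate and only `corenet_udp_bind_apc_port(apcupsd_t)` is new. Remove the added L7406 line to keep the port rules listed once.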
@@ -74,19 +82,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
 
 dev_rw_generic_usb_dev(apcupsd_t)
 
-files_read_etc_files(apcupsd_t)
+domain_signull_all_domains(apcupsd_t)
+
 files_manage_etc_runtime_files(apcupsd_t)
 files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
 
 term_use_unallocated_ttys(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
 
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
 
-miscfiles_read_localization(apcupsd_t)
+auth_use_nsswitch(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
 
 sysnet_dns_name_resolve(apcupsd_t)
 
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
 
 optional_policy(`
 	hostname_exec(apcupsd_t)
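Review bot: `init_telinit(apcupsd_t)` at L7426 lets the daemon change the init runlevel directly, and the comment above it at L7424 already admits this is a stopgap ("probably need a shutdown domain") while `shutdown_domtrans(apcupsd_t)` is present in the optional block at L7441. If the shutdown domain transition is sufficient for the power-fail path, the telinit grant should be dropped; if it is still required, the comment should say which code path needs it so the broad permission is not carried forward indefinitely, e.g. `# telinit is needed for <path> until a shutdown domain covers it`. The `domain_signull_all_domains(apcupsd_t)` addition at L7415 is similarly broad and would benefit from a one-line reason.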
@@ -101,6 +115,11 @@ optional_policy(`
 	shutdown_domtrans(apcupsd_t)
 ')
 
+optional_policy(`
+	systemd_start_power_services(apcupsd_t)
+	systemd_status_power_services(apcupsd_t)
+')
+
 ########################################
 #
 # CGI local policy
@@ -112,7 +131,6 @@ optional_policy(`
 	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
 
-	corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
 	corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
 	corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
 	corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
diff --git a/apm.fc b/apm.fc
index ce27d2f..d20377e 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.*  --              gen_context(system_u:object_r:apmd_unit_file_t,s0)
 /etc/rc\.d/init\.d/acpid	--	gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
 
 /usr/bin/apm	--	gen_context(system_u:object_r:apm_exec_t,s0)
diff --git a/apm.if b/apm.if
index 1a7a97e..1d29dce 100644
--- a/apm.if
+++ b/apm.if
@@ -141,6 +141,29 @@ interface(`apm_stream_connect',`
 
 ########################################
 ## <summary>
+##	Execute apmd server in the apmd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apmd_systemctl',`
+	gen_require(`
+		type apmd_t;
+		type apmd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 apmd_unit_file_t:file read_file_perms;
+	allow $1 apmd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, apmd_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an apm environment.
 ## </summary>
@@ -163,9 +186,13 @@ interface(`apm_admin',`
 		type apmd_tmp_t;
 	')
 
-	allow $1 apmd_t:process { ptrace signal_perms };
+	allow $1 apmd_t:process { signal_perms };
 	ps_process_pattern($1, apmd_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 apmd_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, apmd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 apmd_initrc_exec_t system_r;
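Review bot: The new `deny_ptrace` block at L7511–L7513 is indented with four spaces while the surrounding interface body uses tabs, and the rewritten rule at L7508 wraps a single macro in braces (`{ signal_perms }`) where the equivalent hunks in apcupsd.if, arpwatch.if and asterisk.if in this same diff write `signal_perms` bare. Use `	allow $1 apmd_t:process signal_perms;` and tab-indent the tunable block to match those files. The enclosing `apm_admin` interface begins outside this hunk.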
diff --git a/apm.te b/apm.te
index 3590e2f..1d8a844 100644
--- a/apm.te
+++ b/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
 type apmd_var_run_t;
 files_pid_file(apmd_var_run_t)
 
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
 ########################################
 #
 # Client local policy
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
 
 fs_getattr_xattr_fs(apm_t)
 
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
 
 domain_use_interactive_fds(apm_t)
 
@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
 #
 
 allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
 allow apmd_t self:process { signal_perms getsession };
 allow apmd_t self:fifo_file rw_fifo_file_perms;
 allow apmd_t self:netlink_socket create_socket_perms;
@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
 kernel_rw_all_sysctls(apmd_t)
 kernel_read_system_state(apmd_t)
 kernel_write_proc_files(apmd_t)
+kernel_request_load_module(apmd_t)
 
 dev_read_input(apmd_t)
 dev_read_mouse(apmd_t)
@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
 fs_dontaudit_getattr_all_symlinks(apmd_t)
 fs_dontaudit_getattr_all_pipes(apmd_t)
 fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
+fs_read_cgroup_files(apmd_t)
 
 corecmd_exec_all_executables(apmd_t)
 
@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
 auth_use_nsswitch(apmd_t)
 
 init_domtrans_script(apmd_t)
+init_read_utmp(apmd_t)
+init_telinit(apmd_t)
 
 libs_exec_ld_so(apmd_t)
 libs_exec_lib_files(apmd_t)
@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
 logging_send_audit_msgs(apmd_t)
 logging_send_syslog_msg(apmd_t)
 
-miscfiles_read_localization(apmd_t)
 miscfiles_read_hwdata(apmd_t)
 
 modutils_domtrans_insmod(apmd_t)
 modutils_read_module_config(apmd_t)
 
-seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(apmd_t)
 userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
 
 optional_policy(`
 	automount_domtrans(apmd_t)
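Review bot: The trailing `# Excessive?` appended to `userdom_dontaudit_search_user_home_content(apmd_t)` at L7593 is an open question left in the policy rather than a decision; a dontaudit rule is harmless to keep, so either delete the comment or replace it with the reason the rule stays, e.g. `# apmd scripts walk home directories; silence the noise`. The unconditional `seutil_sigchld_newrole(apmd_t)` at L7588 replaces `seutil_dontaudit_read_config(apmd_t)`, which is not an equivalent change and is not explained; if the dontaudit is still wanted it should be kept alongside.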
@@ -206,11 +210,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(apmd_t)
+	shutdown_domtrans(apmd_t)
 ')
 
 optional_policy(`
-	shutdown_domtrans(apmd_t)
+	sssd_search_lib(apmd_t)
+')
+
+optional_policy(`
+	systemd_dbus_chat_logind(apmd_t)
 ')
 
 optional_policy(`
diff --git a/apt.if b/apt.if
index e2414c4..970736b 100644
--- a/apt.if
+++ b/apt.if
@@ -152,7 +152,7 @@ interface(`apt_read_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir list_dir_perms;
-	dontaudit $1 apt_var_cache_t:dir write_dir_perms;
+	dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
 	allow $1 apt_var_cache_t:file read_file_perms;
 ')
 
diff --git a/apt.te b/apt.te
index e2d8d52..d82403c 100644
--- a/apt.te
+++ b/apt.te
@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t)
 corecmd_exec_bin(apt_t)
 corecmd_exec_shell(apt_t)
 
-corenet_all_recvfrom_unlabeled(apt_t)
 corenet_all_recvfrom_netlabel(apt_t)
 corenet_tcp_sendrecv_generic_if(apt_t)
 corenet_tcp_sendrecv_generic_node(apt_t)
@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t)
 domain_use_interactive_fds(apt_t)
 
 files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
 files_read_etc_runtime_files(apt_t)
 
 fs_getattr_all_fs(apt_t)
 
 term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
 
 libs_exec_ld_so(apt_t)
 libs_exec_lib_files(apt_t)
 
 logging_send_syslog_msg(apt_t)
 
-miscfiles_read_localization(apt_t)
-
 seutil_use_newrole_fds(apt_t)
 
 sysnet_read_config(apt_t)
 
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
 
 optional_policy(`
 	cron_system_entry(apt_t, apt_exec_t)
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0f..9a1a61f 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/arpwatch	--	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/arpwatch.* --	gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
 /usr/sbin/arpwatch	--	gen_context(system_u:object_r:arpwatch_exec_t,s0)
 
 /var/arpwatch(/.*)?	gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
index 50c9b9c..51c8cc0 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
 
 ########################################
 ## <summary>
+##	Execute arpwatch server in the arpwatch domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_systemctl',`
+	gen_require(`
+		type arpwatch_t;
+		type arpwatch_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 arpwatch_unit_file_t:file read_file_perms;
+	allow $1 arpwatch_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, arpwatch_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an arpwatch environment.
 ## </summary>
@@ -138,11 +161,16 @@ interface(`arpwatch_admin',`
 	gen_require(`
 		type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
 		type arpwatch_data_t, arpwatch_var_run_t;
+		type arpwatch_unit_file_t;
 	')
 
-	allow $1 arpwatch_t:process { ptrace signal_perms };
+	allow $1 arpwatch_t:process signal_perms;
 	ps_process_pattern($1, arpwatch_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 arpwatch_t:process ptrace;
+	')
+
 	arpwatch_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 arpwatch_initrc_exec_t system_r;
@@ -156,4 +184,8 @@ interface(`arpwatch_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, arpwatch_var_run_t)
+
+	arpwatch_systemctl($1)
+	admin_pattern($1, arpwatch_unit_file_t)
+	allow $1 arpwatch_unit_file_t:service all_service_perms;
 ')
diff --git a/arpwatch.te b/arpwatch.te
index fa18c76..fd6911a 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
 type arpwatch_var_run_t;
 files_pid_file(arpwatch_var_run_t)
 
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
 allow arpwatch_t self:tcp_socket { accept listen };
 allow arpwatch_t self:packet_socket create_socket_perms;
 allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
 
 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
 manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
 manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
 files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
 
-kernel_read_kernel_sysctls(arpwatch_t)
 kernel_read_network_state(arpwatch_t)
+# meminfo
 kernel_read_system_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
 kernel_request_load_module(arpwatch_t)
 
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
 dev_read_sysfs(arpwatch_t)
 dev_read_usbmon_dev(arpwatch_t)
 dev_rw_generic_usb_dev(arpwatch_t)
@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
 
 domain_use_interactive_fds(arpwatch_t)
 
-files_read_usr_files(arpwatch_t)
 files_search_var_lib(arpwatch_t)
 
 auth_use_nsswitch(arpwatch_t)
 
 logging_send_syslog_msg(arpwatch_t)
 
-miscfiles_read_localization(arpwatch_t)
-
 userdom_dontaudit_search_user_home_dirs(arpwatch_t)
 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
 
diff --git a/asterisk.if b/asterisk.if
index 7268a04..6ffd87d 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',`
 	domtrans_pattern($1, asterisk_exec_t, asterisk_t)
 ')
 
+######################################
+## <summary>
+##	Execute asterisk in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`asterisk_exec',`
+	gen_require(`
+		type asterisk_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, asterisk_exec_t)
+')
+
 #####################################
 ## <summary>
 ##	Connect to asterisk over a unix domain.
@@ -105,9 +124,13 @@ interface(`asterisk_admin',`
 		type asterisk_var_lib_t, asterisk_initrc_exec_t;
 	')
 
-	allow $1 asterisk_t:process { ptrace signal_perms };
+	allow $1 asterisk_t:process signal_perms;
 	ps_process_pattern($1, asterisk_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 asterisk_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
index 5439f1c..4f8a8a5 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
 logging_log_file(asterisk_log_t)
 
 type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
 
 type asterisk_tmp_t;
 files_tmp_file(asterisk_tmp_t)
@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms;
 read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
 read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
 
-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})
 
 manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
 manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
 manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+files_spool_file(asterisk_t, asterisk_spool_t, {dir file})
 
 manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
 manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
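Review bot: `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` at L7878 passes three arguments to an interface that, as used at L7860 in this same file, takes a single type to declare it as spool content; the placement after the manage patterns and the `{dir file}` class list strongly suggest the intended call is the file transition `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })`. As written it will either fail to build or silently re-declare the type rather than labeling new spool entries.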
@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
 
 manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
 
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
 can_exec(asterisk_t, asterisk_exec_t)
 
 kernel_read_kernel_sysctls(asterisk_t)
@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
 corecmd_exec_bin(asterisk_t)
 corecmd_exec_shell(asterisk_t)
 
-corenet_all_recvfrom_unlabeled(asterisk_t)
 corenet_all_recvfrom_netlabel(asterisk_t)
 corenet_tcp_sendrecv_generic_if(asterisk_t)
 corenet_udp_sendrecv_generic_if(asterisk_t)
@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t)
 
 domain_use_interactive_fds(asterisk_t)
 
-files_read_usr_files(asterisk_t)
 files_search_spool(asterisk_t)
 files_dontaudit_search_home(asterisk_t)
 
@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t)
 
 logging_send_syslog_msg(asterisk_t)
 
-miscfiles_read_localization(asterisk_t)
-
 userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
 userdom_dontaudit_search_user_home_dirs(asterisk_t)
 
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 0000000..4579cfe
--- /dev/null
+++ b/authconfig.fc
@@ -0,0 +1,3 @@
+/usr/share/authconfig/authconfig\.py		--	gen_context(system_u:object_r:authconfig_exec_t,s0)
+
+/var/lib/authconfig(/.*)?		gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
new file mode 100644
index 0000000..316c324
--- /dev/null
+++ b/authconfig.if
@@ -0,0 +1,127 @@
+
+## <summary>policy for authconfig</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the authconfig domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`authconfig_domtrans',`
+	gen_require(`
+		type authconfig_t, authconfig_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, authconfig_exec_t, authconfig_t)
+')
+
+########################################
+## <summary>
+##	Search authconfig lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_search_lib',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	allow $1 authconfig_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read authconfig lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_read_lib_files',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage authconfig lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_manage_lib_files',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage authconfig lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_manage_lib_dirs',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an authconfig environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_admin',`
+	gen_require(`
+		type authconfig_t;
+		type authconfig_var_lib_t;
+	')
+
+	allow $1 authconfig_t:process { ptrace signal_perms };
+	ps_process_pattern($1, authconfig_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, authconfig_var_lib_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
index 0000000..362a049
--- /dev/null
+++ b/authconfig.te
@@ -0,0 +1,33 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authconfig_t;
+type authconfig_exec_t;
+application_domain(authconfig_t, authconfig_exec_t)
+role system_r types authconfig_t;
+
+type authconfig_var_lib_t;
+files_type(authconfig_var_lib_t)
+
+########################################
+#
+# authconfig local policy
+#
+allow authconfig_t self:fifo_file rw_fifo_file_perms;
+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
+domain_named_filetrans(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
+unconfined_domain_noaudit(authconfig_t)
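Review bot: `unconfined_domain_noaudit(authconfig_t)` on the last line of the new file makes authconfig_t effectively unconfined, so the manage_*_pattern, files_var_lib_filetrans and init_domtrans_script rules above it add nothing beyond what the unconfined domain already has. If the intent is to confine authconfig later, a comment saying so would stop a reader from taking this for a finished confined domain, e.g. `# authconfig_t is unconfined for now; the rules above are the intended confinement once it is tightened`. Otherwise the redundant rules should be dropped so the module states only what it actually enforces. The `# authconfig local policy` banner at L8084-L8087 also lacks the blank line the other .te files in this commit put between the banner and the first rule.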
diff --git a/automount.fc b/automount.fc
index 92adb37..0a2ffc6 100644
--- a/automount.fc
+++ b/automount.fc
@@ -1,6 +1,8 @@
 /etc/apm/event\.d/autofs	--	gen_context(system_u:object_r:automount_exec_t,s0)
 /etc/rc\.d/init\.d/autofs	--	gen_context(system_u:object_r:automount_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/autofs.*	--	gen_context(system_u:object_r:automount_unit_file_t,s0)
+
 /usr/sbin/automount	--	gen_context(system_u:object_r:automount_exec_t,s0)
 
 /var/lock/subsys/autofs	--	gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
index 089430a..b0bed70 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`automount_signal',`
 	gen_require(`
 		type automount_t;
@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
 
 ########################################
 ## <summary>
+##	Allow domain to search of automount temporary
+##	directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_search_tmp_dirs',`
+	gen_require(`
+		type automount_tmp_t;
+	')
+    
+    search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get
 ##	attributes of automount temporary
 ##	directories.
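Review bot: The `<param>` text for automount_search_tmp_dirs says `Domain to not audit.` but the body grants access (search_dirs_pattern), so it should read `Domain allowed access.` like the neighbouring interfaces. The summary also reads awkwardly; `Search automount temporary directories.` matches the house style. L8144-L8145 are indented with spaces while the rest of the file uses tabs, and L8144 carries trailing whitespace.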
@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 
 ########################################
 ## <summary>
+##	Execute automount server in the automount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`automount_systemctl',`
+	gen_require(`
+		type automount_t;
+		type automount_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 automount_unit_file_t:file read_file_perms;
+	allow $1 automount_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, automount_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an automount environment.
 ## </summary>
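Review bot: The summary `Execute automount server in the automount domain.` and the param text `Domain allowed to transition.` describe a domain transition, but automount_systemctl does not transition anything: it grants systemctl execution, read access to automount_unit_file_t, manage_service_perms on that unit and ps_process_pattern on automount_t. A summary such as `Execute systemctl to manage the automount service and read its unit file.` with param `Domain allowed access.` would describe what is actually granted. The same copy-pasted wording appears in avahi_systemctl (L8321-L8350), bcfg2_systemctl (L8558-L8589) and bind_systemctl (L8773-L8802).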
@@ -153,11 +194,16 @@ interface(`automount_admin',`
 	gen_require(`
 		type automount_t, automount_lock_t, automount_tmp_t;
 		type automount_var_run_t, automount_initrc_exec_t;
+		type automount_unit_file_t;
 	')
 
-	allow $1 automount_t:process { ptrace signal_perms };
+	allow $1 automount_t:process signal_perms;
 	ps_process_pattern($1, automount_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 automount_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, automount_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 automount_initrc_exec_t system_r;
@@ -171,4 +217,8 @@ interface(`automount_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, automount_var_run_t)
+
+	automount_systemctl($1)
+	admin_pattern($1, automount_unit_file_t)
+	allow $1 automount_unit_file_t:service all_service_perms;
 ')
diff --git a/automount.te b/automount.te
index a579c3b..11dbe9d 100644
--- a/automount.te
+++ b/automount.te
@@ -22,12 +22,16 @@ type automount_tmp_t;
 files_tmp_file(automount_tmp_t)
 files_mountpoint(automount_tmp_t)
 
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability {  setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability2 block_suspend;
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
 allow automount_t self:fifo_file rw_fifo_file_perms;
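Review bot: L8227 differs from the removed L8226 only by a second space after the opening brace, a no-op that nevertheless marks the whole capability line as changed in blame; keep the original line and add only the `capability2 block_suspend` rule. A why-comment on that new rule would also help, since block_suspend is not an obvious need for an automounter, e.g. `# block_suspend: <operation from the denial — confirm>` with the placeholder filled in.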
@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
 corecmd_exec_bin(automount_t)
 corecmd_exec_shell(automount_t)
 
-corenet_all_recvfrom_unlabeled(automount_t)
 corenet_all_recvfrom_netlabel(automount_t)
 corenet_tcp_sendrecv_generic_if(automount_t)
 corenet_udp_sendrecv_generic_if(automount_t)
@@ -86,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
 files_getattr_default_dirs(automount_t)
 files_getattr_home_dir(automount_t)
 files_getattr_isid_type_dirs(automount_t)
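Review bot: `files_getattr_all_files(automount_t)` grants getattr on every file type in the policy, not only on mountpoints or automount-managed paths, and the hunk gives no reason for it. If the denial that motivated it was on one specific type, the narrower interface for that type is preferable; if the broad grant is really required (for instance because automount stats arbitrary paths below its mount roots — not visible here), a one-line comment naming the case would let a later auditor judge whether it can be narrowed.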
@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
 files_mounton_all_mountpoints(automount_t)
 files_mounton_mnt(automount_t)
 files_read_etc_runtime_files(automount_t)
-files_read_usr_files(automount_t)
 files_search_boot(automount_t)
 files_search_all(automount_t)
 files_unmount_all_file_type_fs(automount_t)
@@ -108,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t)
 fs_mount_all_fs(automount_t)
 fs_mount_autofs(automount_t)
 fs_read_nfs_files(automount_t)
+fs_read_nfs_symlinks(automount_t)
 fs_search_all(automount_t)
 fs_search_auto_mountpoints(automount_t)
 fs_unmount_all_fs(automount_t)
@@ -130,15 +134,18 @@ auth_use_nsswitch(automount_t)
 logging_send_syslog_msg(automount_t)
 logging_search_logs(automount_t)
 
-miscfiles_read_localization(automount_t)
 miscfiles_read_generic_certs(automount_t)
 
-mount_domtrans(automount_t)
-mount_signal(automount_t)
-
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
 
 optional_policy(`
+	# Run mount in the mount_t domain.
+	mount_domtrans(automount_t)
+	mount_domtrans_showmount(automount_t)
+	mount_signal(automount_t)
+')
+
+optional_policy(`
 	fstools_domtrans(automount_t)
 ')
 
@@ -160,3 +167,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(automount_t)
 ')
+
+tunable_policy(`mount_anyfile',`
+	files_mounton_non_security(automount_t)
+')
+
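Review bot: L8295 adds a blank line after the closing `')` at end of file, so the file now ends with an empty line; drop it to keep the ending consistent with the other .te files touched in this commit. The `mount_anyfile` tunable used at L8292 has to be declared with gen_tunable in a module visible to this one, and that declaration is not in this hunk, so verify it exists.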
diff --git a/avahi.fc b/avahi.fc
index e9fe2ca..4c2d076 100644
--- a/avahi.fc
+++ b/avahi.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/avahi.*    --  gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
 /usr/sbin/avahi-daemon	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-dnsconfd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-autoipd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
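Review bot: The new file-context line at L8303 separates its fields with runs of spaces while every other line in avahi.fc uses tabs, so the columns no longer line up and the file now mixes both styles; use tabs, as the bcfg2.fc addition in this commit (L8549) does.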
diff --git a/avahi.if b/avahi.if
index aebe7cb..33fe57b 100644
--- a/avahi.if
+++ b/avahi.if
@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',`
 ########################################
 ## <summary>
 ##	Connect to avahi using a unix
-$$	stream socket.
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',`
 
 ########################################
 ## <summary>
+##	Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`avahi_systemctl',`
+	gen_require(`
+		type avahi_t;
+		type avahi_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 avahi_unit_file_t:file read_file_perms;
+	allow $1 avahi_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, avahi_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an avahi environment.
 ## </summary>
@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',`
 interface(`avahi_admin',`
 	gen_require(`
 		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+		type avahi_unit_file_t;
 		type avahi_var_lib_t;
 	')
 
-	allow $1 avahi_t:process { ptrace signal_perms };
+	allow $1 avahi_t:process signal_perms;
 	ps_process_pattern($1, avahi_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 avahi_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 avahi_initrc_exec_t system_r;
@@ -169,4 +197,8 @@ interface(`avahi_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, avahi_var_lib_t)
+
+	avahi_systemctl($1)
+	admin_pattern($1, avahi_unit_file_t)
+	allow $1 avahi_unit_file_t:service all_service_perms;
 ')
diff --git a/avahi.te b/avahi.te
index 60e76be..0730647 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
 
 type avahi_var_run_t;
 files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
+
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
 
 ########################################
 #
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
 corecmd_exec_bin(avahi_t)
 corecmd_exec_shell(avahi_t)
 
-corenet_all_recvfrom_unlabeled(avahi_t)
 corenet_all_recvfrom_netlabel(avahi_t)
 corenet_tcp_sendrecv_generic_if(avahi_t)
 corenet_udp_sendrecv_generic_if(avahi_t)
@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
 fs_list_inotifyfs(avahi_t)
 
 domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
 
 files_read_etc_runtime_files(avahi_t)
-files_read_usr_files(avahi_t)
 
 auth_use_nsswitch(avahi_t)
 
@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
 
 logging_send_syslog_msg(avahi_t)
 
-miscfiles_read_localization(avahi_t)
 miscfiles_read_generic_certs(avahi_t)
 
 sysnet_domtrans_ifconfig(avahi_t)
 sysnet_manage_config(avahi_t)
 sysnet_etc_filetrans_config(avahi_t)
 
+systemd_login_signull(avahi_t)
+
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_user_home_dirs(avahi_t)
 
diff --git a/awstats.te b/awstats.te
index d6ab824..116176d 100644
--- a/awstats.te
+++ b/awstats.te
@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
 dev_read_urand(awstats_t)
 
 files_dontaudit_search_all_mountpoints(awstats_t)
-files_read_etc_files(awstats_t)
-files_read_usr_files(awstats_t)
 
 fs_list_inotifyfs(awstats_t)
 
@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t)
 
 logging_read_generic_logs(awstats_t)
 
-miscfiles_read_localization(awstats_t)
-
 sysnet_dns_name_resolve(awstats_t)
 
 tunable_policy(`awstats_purge_apache_log_files',`
@@ -90,9 +86,13 @@ optional_policy(`
 # CGI local policy
 #
 
+apache_read_log(httpd_awstats_script_t)
+
+manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
+
 allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
 
 read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
 files_search_var_lib(httpd_awstats_script_t)
-
-apache_read_log(httpd_awstats_script_t)
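Review bot: The new rules give httpd_awstats_script_t full manage rights on awstats_tmp_t plus a filetrans into it, and by its name that is the type awstats_t uses for its own temporary files, so the CGI domain and the awstats domain can read and rewrite each other's temp files. If both run as the same local user that is presumably acceptable, but if the CGI domain is reachable through the web server a dedicated temp type for it would keep a compromised CGI from tampering with awstats_t's working files; verify which is intended. Moving apache_read_log from the end of the block (L8466) to the top (L8455) is pure reordering that obscures the real change; leaving it in place would keep the diff to the added rules.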
diff --git a/backup.te b/backup.te
index d6ceef4..c10d39c 100644
--- a/backup.te
+++ b/backup.te
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
 corecmd_exec_bin(backup_t)
 corecmd_exec_shell(backup_t)
 
-corenet_all_recvfrom_unlabeled(backup_t)
 corenet_all_recvfrom_netlabel(backup_t)
 corenet_tcp_sendrecv_generic_if(backup_t)
 corenet_tcp_sendrecv_generic_node(backup_t)
@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
 
 sysnet_read_config(backup_t)
 
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
 
 optional_policy(`
 	cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.if b/bacula.if
index dcd774e..c240ffa 100644
--- a/bacula.if
+++ b/bacula.if
@@ -69,6 +69,7 @@ interface(`bacula_admin',`
 		type bacula_t, bacula_etc_t, bacula_log_t;
 		type bacula_spool_t, bacula_var_lib_t;
 		type bacula_var_run_t, bacula_initrc_exec_t;
+        attribute_role bacula_admin_roles;
 	')
 
 	allow $1 bacula_t:process { ptrace signal_perms };
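Review bot: L8496 is indented with eight spaces while the surrounding gen_require lines use a tab; use a tab so the block stays aligned. The added `attribute_role bacula_admin_roles;` is not referenced anywhere in the hunk, and bacula_admin's body continues outside it, so check that a later line actually uses the attribute (for example a `roleattribute $2 bacula_admin_roles;`) — an unused gen_require is harmless but misleading.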
diff --git a/bacula.te b/bacula.te
index 3beba2f..12cd4f6 100644
--- a/bacula.te
+++ b/bacula.te
@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
 # Local policy
 #
 
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
 allow bacula_t self:process signal;
 allow bacula_t self:fifo_file rw_fifo_file_perms;
 allow bacula_t self:tcp_socket { accept listen };
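Review bot: Adding `setgid setuid` lets bacula_t change its credentials, a meaningful widening of the daemon's capability set, and the hunk carries no comment on why it is needed; a one-line note such as `# setuid/setgid: <reason from the denial — confirm>` would record the justification for the next auditor. The edited line also keeps the pre-existing missing space before the closing brace (`setuid}`); while it is being touched, `setuid }` would match the rest of the file.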
@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
 corenet_sendrecv_generic_server_packets(bacula_t)
 corenet_udp_bind_generic_port(bacula_t)
 
+
+#TODO: check port labels for hplip a bacula
+corenet_tcp_bind_bacula_port(bacula_t)
+
 corenet_sendrecv_hplip_server_packets(bacula_t)
 corenet_tcp_bind_hplip_port(bacula_t)
 corenet_udp_bind_hplip_port(bacula_t)
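Review bot: The comment at L8518 reads `#TODO: check port labels for hplip a bacula`; `a` looks like a slip for `and`, and the file's other comments put a space after `#`, so `# TODO: check port labels for hplip and bacula` would read correctly. L8517 also introduces a second consecutive blank line ahead of the comment.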
@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
 fs_getattr_xattr_fs(bacula_t)
 fs_list_all(bacula_t)
 
+auth_use_nsswitch(bacula_t)
 auth_read_shadow(bacula_t)
 
 logging_send_syslog_msg(bacula_t)
@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
 
 domain_use_interactive_fds(bacula_admin_t)
 
-files_read_etc_files(bacula_admin_t)
 
-miscfiles_read_localization(bacula_admin_t)
 
 sysnet_dns_name_resolve(bacula_admin_t)
 
diff --git a/bcfg2.fc b/bcfg2.fc
index fb42e35..8af0e14 100644
--- a/bcfg2.fc
+++ b/bcfg2.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/bcfg2-server.*		--	gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
 /usr/sbin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
 
 /var/lib/bcfg2(/.*)?	gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
index ec95d36..7132e1e 100644
--- a/bcfg2.if
+++ b/bcfg2.if
@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',`
 
 ########################################
 ## <summary>
+##	Execute bcfg2 server in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_systemctl',`
+	gen_require(`
+		type bcfg2_t;
+		type bcfg2_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 bcfg2_unit_file_t:file read_file_perms;
+	allow $1 bcfg2_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bcfg2_t)
+')
+
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bcfg2 environment.
 ## </summary>
@@ -136,11 +161,16 @@ interface(`bcfg2_admin',`
 	gen_require(`
 		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
 		type bcfg2_var_run_t;
+		type bcfg2_unit_file_t;
 	')
 
-	allow $1 bcfg2_t:process { ptrace signal_perms };
+	allow $1 bcfg2_t:process { signal_perms };
 	ps_process_pattern($1, bcfg2_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 bcfg2_t:process ptrace;
+    ')
+
 	bcfg2_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 bcfg2_initrc_exec_t system_r;
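Review bot: L8598 wraps a single permission-set macro in braces, `{ signal_perms }`; the automount, avahi and bind admin interfaces in this commit write it as `allow $1 bcfg2_t:process signal_perms;` and the braces should go for consistency. The tunable_policy block at L8601-L8603 is indented with spaces while the rest of the interface uses tabs.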
@@ -151,4 +181,13 @@ interface(`bcfg2_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, bcfg2_var_lib_t)
+
+	bcfg2_systemctl($1)
+	admin_pattern($1, bcfg2_unit_file_t)
+	allow $1 bcfg2_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
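Review bot: The optional_policy block at L8617-L8620 re-grants `systemd_read_fifo_file_passwd_run($1)`, which `bcfg2_systemctl($1)` at L8613 already grants unconditionally (L8577), so the optional wrapping does not actually make that permission optional. Either remove the call from bcfg2_systemctl — the automount, avahi and bind variants in this commit do not include it — or drop it from this block and keep only systemd_passwd_agent_exec here. bcfg2_systemctl at L8583-L8584 also leaves two blank lines before the next banner.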
diff --git a/bcfg2.te b/bcfg2.te
index 536ec3c..271b976 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
 type bcfg2_var_lib_t;
 files_type(bcfg2_var_lib_t)
 
+type bcfg2_unit_file_t;
+systemd_unit_file(bcfg2_unit_file_t)
+
 type bcfg2_var_run_t;
 files_pid_file(bcfg2_var_run_t)
 
@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
 
 domain_use_interactive_fds(bcfg2_t)
 
-files_read_usr_files(bcfg2_t)
 
 auth_use_nsswitch(bcfg2_t)
 
 logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
index 2b9a3a1..f755e6b 100644
--- a/bind.fc
+++ b/bind.fc
@@ -1,54 +1,75 @@
-/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named-sdb --     gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 
-/etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.caching-nameserver\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/lib/systemd/system/unbound.* --  gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.*	--	gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named-sdb.* --	gen_context(system_u:object_r:named_unit_file_t,s0)
 
 /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named	--	gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf	--	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc	--	gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-sdb	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
 /usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor --	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-checkconf --	gen_context(system_u:object_r:named_exec_t,s0)
 
-/var/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 
-/var/cache/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/run/ndc		-s	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
 
-/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
+ifdef(`distro_debian',`
+/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local --	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)?			gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
+')
 
-/var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones --	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/lib/unbound(/.*)? 		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/var/named/chroot/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.caching-nameserver\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/proc(/.*)?	<<none>>
-/var/named/chroot/var/run/named.*	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/named/chroot/var/tmp(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/chroot/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/chroot/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
-/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-
-/var/run/ndc	-s	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/bind(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/named(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/unbound(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+')
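Review bot: The new lines `/etc/named\.rfc1912.zones` (L8724) and `/var/named/chroot/etc/named\.rfc1912.zones` (L8742) drop the backslash that the removed lines (L8662, L8736) had before `zones`, so that `.` is now a regex wildcard matching any character; restore `\.zones` in both. The field separators throughout the rewritten file also mix tabs and spaces (L8655, L8671, L8676 among others), so the columns no longer align; pick tabs consistently.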
diff --git a/bind.if b/bind.if
index 866a1e2..43b445c 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bind_systemctl',`
+	gen_require(`
+		type named_unit_file_t;
+		type named_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 named_unit_file_t:file read_file_perms;
+	allow $1 named_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
 ##	Execute ndc in the ndc domain.
 ## </summary>
 ## <param name="domain">
@@ -169,6 +192,7 @@ interface(`bind_read_config',`
 		type named_conf_t;
 	')
 
+	allow $1 named_conf_t:dir  list_dir_perms;
 	read_files_pattern($1, named_conf_t, named_conf_t)
 ')
 
@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete
+##	BIND configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_config',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	manage_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
 ##	Search bind cache directories.
 ## </summary>
 ## <param name="domain">
@@ -310,6 +353,27 @@ interface(`bind_read_zone',`
 
 ########################################
 ## <summary>
+##	Read BIND zone files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_log',`
+	gen_require(`
+		type named_zone_t;
+		type named_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_zone_t:dir search_dir_perms;
+	read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	bind zone files.
 ## </summary>
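Review bot: The summary for bind_read_log at L8841 says `Read BIND zone files.`, but the body reads named_log_t, so it was evidently copied from bind_read_zone; change it to `Read BIND log files.`. The `allow $1 named_zone_t:dir search_dir_perms;` line is presumably there so a caller can reach logs that live below a zone directory (the chroot layout in bind.fc places `var/log/named.*` under /var/named/chroot); a short comment such as `# logs may live under the zone directory in the chroot layout` would explain why a log-reading interface touches the zone type.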
@@ -344,6 +408,25 @@ interface(`bind_udp_chat_named',`
 
 ########################################
 ## <summary>
+##	Allow the domain to read bind state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_state',`
+	gen_require(`
+		type named_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bind environment.
 ## </summary>
@@ -362,12 +445,20 @@ interface(`bind_udp_chat_named',`
 interface(`bind_admin',`
 	gen_require(`
 		type named_t, named_tmp_t, named_log_t;
-		type named_cache_t, named_zone_t, named_initrc_exec_t;
-		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+		type named_conf_t, named_var_run_t, named_cache_t;
+		type named_zone_t, named_initrc_exec_t;
+		type dnssec_t, ndc_t, named_keytab_t;
+		type named_unit_file_t;
+	')
+
+	allow $1 named_t:process signal_perms;
+	ps_process_pattern($1, named_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 named_t:process ptrace;
 	')
 
-	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { named_t ndc_t })
+	bind_run_ndc($1, $2)
 
 	init_labeled_script_domtrans($1, named_initrc_exec_t)
 	domain_system_change_exemption($1)
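Review bot: ndc_t is still listed in gen_require at L8899 but this hunk removes its only direct uses (the combined `{ named_t ndc_t }` process and ps_process_pattern rules), so the admin role loses signal_perms and ps access on ndc_t unless bind_run_ndc supplies them; if that loss is intended the require can go, otherwise add `allow $1 ndc_t:process signal_perms;` back. The same gen_require now names named_keytab_t unconditionally, while in bind.te the `kerberos_keytab_template(named, named_t)` call (L9013) — which by its name is where that type would be declared — sits inside an optional_policy block; if so, bind_admin will fail to resolve when the kerberos module is absent, and the `admin_pattern($1, named_keytab_t)` at L8920 together with its require should move into an optional_policy block. bind_admin's body continues beyond this hunk.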
@@ -383,11 +474,15 @@ interface(`bind_admin',`
 	files_list_etc($1)
 	admin_pattern($1, named_conf_t)
 
+	admin_pattern($1, named_keytab_t)
+
 	files_list_var($1)
 	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
 
 	files_list_pids($1)
 	admin_pattern($1, named_var_run_t)
 
-	bind_run_ndc($1, $2)
+	admin_pattern($1, named_unit_file_t)
+	bind_systemctl($1)
+	allow $1 named_unit_file_t:service all_service_perms;
 ')
diff --git a/bind.te b/bind.te
index 076ffee..1672ca4 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
 init_system_domain(named_t, named_checkconf_exec_t)
 
 type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
 files_mountpoint(named_conf_t)
 
 # for secondary zone files
@@ -44,6 +44,9 @@ files_type(named_cache_t)
 type named_initrc_exec_t;
 init_script_file(named_initrc_exec_t)
 
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
 type named_log_t;
 logging_log_file(named_log_t)
 
@@ -68,8 +71,9 @@ role ndc_roles types ndc_t;
 # Local policy
 #
 
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
+allow named_t self:capability2 block_suspend;
 allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
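Review bot: `net_admin` is added to named_t's capability set at L8961 without a comment; it is one of the broadest capabilities (interface and routing configuration, privileged socket options), so a one-line note naming the operation that needs it — `# net_admin: <operation seen in the denial — confirm>` — is worth adding, and the same goes for the new `capability2 block_suspend` line at L8963. If named works without that operation, a dontaudit rule would silence the denial without granting the capability; which case applies is not determinable from the hunk.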
@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
 
 can_exec(named_t, named_exec_t)
 
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
-setattr_files_pattern(named_t, named_log_t, named_log_t)
+manage_files_pattern(named_t, named_log_t, named_log_t)
 logging_log_filetrans(named_t, named_log_t, file)
 
 manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
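Review bot: Replacing append/create/setattr on named_log_t with `manage_files_pattern` (L8974) lets named_t also write in place, rename, unlink and read its log files, where the removed lines limited it to append-only logging; for a network-facing daemon an append-only log is a deliberate integrity property, since a compromised process can no longer erase its own trail. If the widening was driven by a concrete denial (named rotating its own logs, for instance), a comment naming that case would justify it; otherwise keep the three original lines and add only the specific permission that was missing.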
@@ -110,7 +112,6 @@ kernel_read_network_state(named_t)
 
 corecmd_search_bin(named_t)
 
-corenet_all_recvfrom_unlabeled(named_t)
 corenet_all_recvfrom_netlabel(named_t)
 corenet_tcp_sendrecv_generic_if(named_t)
 corenet_udp_sendrecv_generic_if(named_t)
@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
 dev_read_urand(named_t)
+dev_dontaudit_write_urand(named_t)
 
 domain_use_interactive_fds(named_t)
 
@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
 ')
 
 optional_policy(`
+	# needed by FreeIPA with DNS support
+	dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
+	cron_system_entry(named_t, named_exec_t)
+')
+
+optional_policy(`
 	dbus_system_domain(named_t, named_exec_t)
 
 	init_dbus_chat_script(named_t)
@@ -183,6 +194,7 @@ optional_policy(`
 
 optional_policy(`
 	kerberos_keytab_template(named, named_t)
+	kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")
 ')
 
 optional_policy(`
@@ -209,7 +221,8 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process signal_perms;
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process { fork signal_perms };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
 
 allow ndc_t named_zone_t:dir search_dir_perms;
 
-kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_kernel_sysctls(ndc_t)
 
-corenet_all_recvfrom_unlabeled(ndc_t)
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
 corenet_tcp_sendrecv_generic_node(ndc_t)
@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t)
 
 logging_send_syslog_msg(ndc_t)
 
-miscfiles_read_localization(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
 
 userdom_use_user_terminals(ndc_t)
 
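Review bot: `userdom_use_inherited_user_terminals(ndc_t)` now sits directly above the pre-existing `userdom_use_user_terminals(ndc_t)`; if the latter still grants full terminal read/write including open, as its name suggests, the inherited-only variant is redundant and one of the two should go. If the intent was to narrow ndc_t to inherited terminals only, it is the second line that should be removed instead.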
diff --git a/bird.te b/bird.te
index d4d71ec..f53b135 100644
--- a/bird.te
+++ b/bird.te
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
 corenet_tcp_sendrecv_bgp_port(bird_t)
 
 # /etc/iproute2/rt_realms
-files_read_etc_files(bird_t)
 
 logging_send_syslog_msg(bird_t)
 
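Review bot: Removing `files_read_etc_files(bird_t)` leaves the comment `# /etc/iproute2/rt_realms` describing nothing. Either drop the comment together with the rule, or reword it to say where the read is now covered, e.g. `# /etc/iproute2/rt_realms: etc read now granted elsewhere — TODO confirm`.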
diff --git a/bitlbee.if b/bitlbee.if
index e73fb79..2badfc0 100644
--- a/bitlbee.if
+++ b/bitlbee.if
@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
 		type bitlbee_log_t, bitlbee_tmp_t;
 	')
 
-	allow $1 bitlbee_t:process { ptrace signal_perms };
+	allow $1 bitlbee_t:process signal_perms;
 	ps_process_pattern($1, bitlbee_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 bitlbee_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index ac8c91e..80ecd7e 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
 
 allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
 allow bitlbee_t self:process { setsched signal };
+
 allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-allow bitlbee_t self:tcp_socket { accept listen };
-allow bitlbee_t self:unix_stream_socket { accept listen };
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
 allow bitlbee_t bitlbee_conf_t:file read_file_perms;
@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
 manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 
 manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
 
-kernel_read_kernel_sysctls(bitlbee_t)
 kernel_read_system_state(bitlbee_t)
+kernel_read_kernel_sysctls(bitlbee_t)
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
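Review bot: `corenet_all_recvfrom_unlabeled(bitlbee_t)` survives as a context line while this commit removes the same call for named_t, ndc_t and httpd_bugzilla_script_t. If the intent is to stop accepting unlabeled packets across the module set, bitlbee_t looks like it was missed; if it is deliberate, a comment saying why bitlbee still needs it would stop the next reviewer asking.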
@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
 dev_read_rand(bitlbee_t)
 dev_read_urand(bitlbee_t)
 
-files_read_usr_files(bitlbee_t)
-
 libs_legacy_use_shared_libs(bitlbee_t)
 
 auth_use_nsswitch(bitlbee_t)
 
 logging_send_syslog_msg(bitlbee_t)
 
-miscfiles_read_localization(bitlbee_t)
-
 optional_policy(`
 	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
 ')
diff --git a/blueman.fc b/blueman.fc
index c295d2e..4f84e9c 100644
--- a/blueman.fc
+++ b/blueman.fc
@@ -1,3 +1,4 @@
+
 /usr/libexec/blueman-mechanism	--	gen_context(system_u:object_r:blueman_exec_t,s0)
 
 /var/lib/blueman(/.*)?	gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.if b/blueman.if
index 16ec525..1dd4059 100644
--- a/blueman.if
+++ b/blueman.if
@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
 
 	allow $1 blueman_t:dbus send_msg;
 	allow blueman_t $1:dbus send_msg;
+	ps_process_pattern(blueman_t, $1)
 ')
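Review bot: `ps_process_pattern(blueman_t, $1)` lets blueman_t read the calling domain's process state, which goes beyond what a `*_dbus_chat` interface advertises (sending and receiving messages); either state it in the interface summary or move it to a separate interface callers opt into. The enclosing interface blueman_dbus_chat starts above the hunk.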
 
 ########################################
diff --git a/blueman.te b/blueman.te
index bc5c984..63a4b1d 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
 
 type blueman_t;
 type blueman_exec_t;
-dbus_system_domain(blueman_t, blueman_exec_t)
+init_daemon_domain(blueman_t, blueman_exec_t)
 
 type blueman_var_lib_t;
 files_type(blueman_var_lib_t)
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
 #
 
 allow blueman_t self:capability { net_admin sys_nice };
-allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:process { execmem signal_perms setsched };
+
 allow blueman_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
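Review bot: `allow blueman_t self:process { execmem signal_perms setsched };` adds execmem with no comment on which component needs writable-and-executable memory, so the weakening cannot be revisited once that component changes. Suggest pairing it with a comment such as `# execmem: needed by <component — TODO confirm>`.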
@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
 manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
 files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
 
-kernel_read_net_sysctls(blueman_t)
+kernel_rw_net_sysctls(blueman_t)
 kernel_read_system_state(blueman_t)
 kernel_request_load_module(blueman_t)
 
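Review bot: `kernel_rw_net_sysctls(blueman_t)` widens the previous read-only access to network sysctls into write access without a comment naming the sysctl blueman writes. A one-line `# writes <sysctl — TODO confirm>` would make the grant reviewable and let it be narrowed if a more specific interface exists.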
@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t)
 dev_read_rand(blueman_t)
 dev_read_urand(blueman_t)
 dev_rw_wireless(blueman_t)
+dev_rwx_zero(blueman_t)
 
 domain_use_interactive_fds(blueman_t)
 
 files_list_tmp(blueman_t)
-files_read_usr_files(blueman_t)
 
 auth_use_nsswitch(blueman_t)
 
 logging_send_syslog_msg(blueman_t)
 
-miscfiles_read_localization(blueman_t)
-
 sysnet_domtrans_ifconfig(blueman_t)
+sysnet_dns_name_resolve(blueman_t)
 
 optional_policy(`
 	avahi_domtrans(blueman_t)
 ')
 
 optional_policy(`
+    bluetooth_read_config(blueman_t)
+')
+
+optional_policy(`
+	dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
+optional_policy(`
 	dnsmasq_domtrans(blueman_t)
 	dnsmasq_read_pid_files(blueman_t)
 ')
 
 optional_policy(`
+	gnome_search_gconf(blueman_t)
+')
+
+optional_policy(`
 	iptables_domtrans(blueman_t)
 ')
+
+optional_policy(`
+	xserver_read_state_xdm(blueman_t)
+')
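Review bot: The `bluetooth_read_config(blueman_t)` line is indented with four spaces while every other optional_policy body in this hunk uses a tab; `	bluetooth_read_config(blueman_t)` keeps the file consistent. `dev_rwx_zero(blueman_t)` also deserves a comment alongside the execmem grant earlier in the file, since together they permit executable anonymous mappings and the reason is not recorded anywhere in the module.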
diff --git a/bluetooth.fc b/bluetooth.fc
index 2b9c7f3..0086b95 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
@@ -5,10 +5,14 @@
 /etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/bluetooth.*  -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
 /usr/bin/blue.*pin	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
 /usr/bin/dund	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/bin/hidd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/bin/rfcomm	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/bluetoothd 	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 
 /usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
index c723a0a..3e8a553 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
 	domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
 
 	ps_process_pattern($2, bluetooth_helper_t)
-	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+	allow $2 bluetooth_helper_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 bluetooth_helper_t:process ptrace;
+	')
 
 	allow $2 bluetooth_t:socket rw_socket_perms;
 
@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
 	allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 	allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
+	manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+	manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+	bluetooth_stream_connect($2)
 	stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
-	files_search_pids($2)
 ')
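Review bot: `bluetooth_stream_connect($2)` is added directly above the existing `stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)`; if bluetooth_stream_connect is the usual wrapper around that same pattern plus files_search_pids (which this hunk removes), the explicit pattern line is now redundant and should be dropped as well. The enclosing interface bluetooth_role starts above the hunk.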
 
 #####################################
@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',`
 
 ########################################
 ## <summary>
+##	dontaudit Send and receive messages from
+##	bluetooth over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+	gen_require(`
+		type bluetooth_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 bluetooth_t:dbus send_msg;
+	dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
 ## </summary>
 ## <param name="domain">
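Review bot: The summary `dontaudit Send and receive messages from bluetooth over dbus.` mixes a rule keyword into the sentence and is hard to read in generated docs. Suggest `##	Do not audit attempts to send and receive messages from bluetooth over dbus.`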
@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 
 ########################################
 ## <summary>
+##	Execute bluetooth server in the bluetooth domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_systemctl',`
+	gen_require(`
+		type bluetooth_t;
+		type bluetooth_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 bluetooth_unit_file_t:file read_file_perms;
+	allow $1 bluetooth_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bluetooth_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bluetooth environment.
 ## </summary>
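Review bot: The summary `Execute bluetooth server in the bluetooth domain.` does not describe bluetooth_systemctl, which grants systemctl execution and manage_service_perms on bluetooth_unit_file_t rather than a domain transition; suggest `##	Execute systemctl to manage the bluetooth service.` and `##	Domain allowed access.` for the parameter. The same copied summary appears on boinc_systemctl in boinc.if, and on boinc_initrc_domtrans in the same hunk, where "boinc server in the boinc domain" is likewise inaccurate for an initrc transition.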
@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
 		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
 		type bluetooth_var_lib_t, bluetooth_var_run_t;
 		type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
-		type bluetooth_initrc_exec_t;
+		type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
 	')
 
-	allow $1 bluetooth_t:process { ptrace signal_perms };
+	allow $1 bluetooth_t:process signal_perms;
 	ps_process_pattern($1, bluetooth_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 bluetooth_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 bluetooth_initrc_exec_t system_r;
@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, bluetooth_var_run_t)
+
+	bluetooth_systemctl($1)
+	admin_pattern($1, bluetooth_unit_file_t)
+	allow $1 bluetooth_unit_file_t:service all_service_perms;
 ')
diff --git a/bluetooth.te b/bluetooth.te
index 6f09d24..231de05 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
 type bluetooth_var_run_t;
 files_pid_file(bluetooth_var_run_t)
 
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
 
 manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
 
 manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
 manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
 
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 kernel_read_network_state(bluetooth_t)
 kernel_request_load_module(bluetooth_t)
 kernel_search_debugfs(bluetooth_t)
 
-corecmd_exec_bin(bluetooth_t)
-corecmd_exec_shell(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
 
 dev_read_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
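Review bot: `corenet_tcp_sendrecv_all_ports(bluetooth_t)` and `corenet_udp_sendrecv_all_ports(bluetooth_t)` open every labelled port to bluetoothd without a comment on which protocol needs it. If a specific port is involved the port-specific corenet interface would be tighter; otherwise a `# <reason — TODO confirm>` comment above the block keeps the grant reviewable. The move of corecmd_exec_bin/shell in the same hunk is only a reorder.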
@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
 domain_dontaudit_search_all_domains_state(bluetooth_t)
 
 files_read_etc_runtime_files(bluetooth_t)
-files_read_usr_files(bluetooth_t)
 
 fs_getattr_all_fs(bluetooth_t)
 fs_search_auto_mountpoints(bluetooth_t)
@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
 
 logging_send_syslog_msg(bluetooth_t)
 
-miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
 
@@ -130,8 +142,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
 
+# machine-info
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_dbus_chat_hostnamed(bluetooth_t)
+
 optional_policy(`
 	dbus_system_bus_client(bluetooth_t)
+	dbus_connect_system_bus(bluetooth_t)
 
 	optional_policy(`
 		cups_dbus_chat(bluetooth_t)
@@ -199,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
 domain_read_all_domains_state(bluetooth_helper_t)
 
 files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
 files_dontaudit_list_default(bluetooth_helper_t)
 
 term_dontaudit_use_all_ttys(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
index 6d3ccad..bda740a 100644
--- a/boinc.fc
+++ b/boinc.fc
@@ -1,9 +1,12 @@
-/etc/rc\.d/init\.d/boinc-client	--	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 
-/usr/bin/boinc_client	--	gen_context(system_u:object_r:boinc_exec_t,s0)
+/etc/rc\.d/init\.d/boinc-client	-- 		gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 
-/var/lib/boinc(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
-/var/lib/boinc/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-/var/lib/boinc/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/usr/bin/boinc_client			--		gen_context(system_u:object_r:boinc_exec_t,s0)
 
-/var/log/boinc\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
+/usr/lib/systemd/system/boinc-client\.service        --  gen_context(system_u:object_r:boinc_unit_file_t,s0)
+
+/var/lib/boinc(/.*)?					gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)?			gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)?				gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.*				--		gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
index 02fefaa..fbcef10 100644
--- a/boinc.if
+++ b/boinc.if
@@ -1,9 +1,165 @@
-## <summary>Platform for computing using volunteered resources.</summary>
+## <summary>policy for boinc</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an boinc environment.
+##	Execute a domain transition to run boinc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`boinc_domtrans',`
+	gen_require(`
+		type boinc_t, boinc_exec_t;
+	')
+
+	domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+## <summary>
+##	Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_initrc_domtrans',`
+	gen_require(`
+		type boinc_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##  Dontaudit getattr on boinc lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`boinc_dontaudit_getattr_lib',`
+    gen_require(`
+        type boinc_var_lib_t;
+    ')
+
+    dontaudit $1 boinc_var_lib_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Search boinc lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_search_lib',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	allow $1 boinc_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read boinc lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_read_lib_files',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	boinc lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_manage_lib_files',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage boinc var_lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_manage_var_lib',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`boinc_systemctl',`
+    gen_require(`
+        type boinc_t;
+        type boinc_unit_file_t;
+    ')
+
+    systemd_exec_systemctl($1)
+    allow $1 boinc_unit_file_t:file read_file_perms;
+    allow $1 boinc_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, boinc_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an boinc environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
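Review bot: The file summary regresses from `Platform for computing using volunteered resources.` to `policy for boinc`, which says nothing about the module; keep the original wording. boinc_dontaudit_getattr_lib and boinc_systemctl are indented with four spaces while every other interface in the hunk uses tabs. boinc_manage_lib_files and boinc_manage_var_lib overlap (the latter is a superset adding dirs and symlinks); a sentence in each summary saying which covers directories and symlinks would help callers choose.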
@@ -19,26 +175,32 @@
 #
 interface(`boinc_admin',`
 	gen_require(`
-
-		type boinc_t, boinc_project_t, boinc_log_t;
-		type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
-		type boinc_project_var_lib_t, boinc_project_tmp_t;
+		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+		type boinc_unit_file_t;
 	')
 
-	allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { boinc_t boinc_project_t })
+	allow $1 boinc_t:process signal_perms;
+	ps_process_pattern($1, boinc_t)
 
-	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 boinc_t:process ptrace;
+	')
+
+	boinc_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 boinc_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	logging_search_logs($1)
-	admin_pattern($1, boinc_log_t)
+	files_list_var_lib($1)
+	admin_pattern($1, boinc_var_lib_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+	boinc_systemctl($1)
+	admin_pattern($1, boinc_unit_file_t)
 
-	files_search_var_lib($1)
-	admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+	allow $1 boinc_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
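Review bot: The rewritten boinc_admin drops admin_pattern for boinc_log_t, boinc_tmp_t, boinc_project_tmp_t and boinc_project_var_lib_t, and the signal/ps rules for boinc_project_t, although all of those types still exist in boinc.te in this same commit; an administrator can no longer manage boinc logs, temp files or project processes. Unless that narrowing is intended, restore the removed lines alongside the new unit-file and deny_ptrace handling, as below.
```m4
interface(`boinc_admin',`
	gen_require(`
		type boinc_t, boinc_project_t, boinc_initrc_exec_t;
		type boinc_log_t, boinc_tmp_t, boinc_project_tmp_t;
		type boinc_var_lib_t, boinc_project_var_lib_t, boinc_unit_file_t;
	')

	allow $1 { boinc_t boinc_project_t }:process signal_perms;
	ps_process_pattern($1, { boinc_t boinc_project_t })

	tunable_policy(`deny_ptrace',`',`
		allow $1 { boinc_t boinc_project_t }:process ptrace;
	')

	# … unchanged: boinc_initrc_domtrans / role_transition …

	logging_search_logs($1)
	admin_pattern($1, boinc_log_t)

	files_search_tmp($1)
	admin_pattern($1, { boinc_tmp_t boinc_project_tmp_t })

	files_list_var_lib($1)
	admin_pattern($1, { boinc_var_lib_t boinc_project_var_lib_t })

	# … unchanged: boinc_systemctl / unit file / passwd agent …
```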
diff --git a/boinc.te b/boinc.te
index 7c92aa1..44edba7 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,20 @@
-policy_module(boinc, 1.0.3)
+policy_module(boinc, 1.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-type boinc_t;
+## <desc>
+##	<p>
+##	Allow boinc_domain execmem/execstack.
+##	</p>
+## </desc>
+gen_tunable(boinc_execmem, true)
+
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
 type boinc_exec_t;
 init_daemon_domain(boinc_t, boinc_exec_t)
 
@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
 type boinc_var_lib_t;
 files_type(boinc_var_lib_t)
 
-type boinc_project_var_lib_t;
-files_type(boinc_project_var_lib_t)
-
 type boinc_log_t;
 logging_log_file(boinc_log_t)
 
+type boinc_unit_file_t;
+systemd_unit_file(boinc_unit_file_t)
+
 type boinc_project_t;
 domain_type(boinc_project_t)
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
 role system_r types boinc_project_t;
 
 type boinc_project_tmp_t;
 files_tmp_file(boinc_project_tmp_t)
 
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+#######################################
+#
+# boinc domain local policy
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
+dev_rw_xserver_misc(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
+files_read_etc_runtime_files(boinc_domain)
+
+fs_getattr_all_fs(boinc_domain)
+
+miscfiles_read_fonts(boinc_domain)
+
+tunable_policy(`boinc_execmem',`
+    allow boinc_domain self:process { execstack execmem };
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(boinc_domain)
+')
+
 ########################################
 #
-# Local policy
+# boinc local policy
 #
 
 allow boinc_t self:process { setsched setpgid signull sigkill };
-allow boinc_t self:unix_stream_socket { accept listen };
-allow boinc_t self:tcp_socket { accept listen };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
 allow boinc_t self:shm create_shm_perms;
-allow boinc_t self:fifo_file rw_fifo_file_perms;
-allow boinc_t self:sem create_sem_perms;
 
 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
 manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
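Review bot: As far as this hunk shows, `type boinc_project_t;` is still declared without the boinc_domain attribute, so the new "boinc domain local policy" block and the boinc_execmem tunable apply only to boinc_t; if boinc_project_t is meant to be covered (the tunable description says "boinc_domain", and project code is the part that would need execmem), the declaration should read `type boinc_project_t, boinc_domain;`, and if not, the description should say boinc_t. The tunable_policy body is also indented with four spaces while the rest of the file uses tabs. The `optional_policy` wrapper around `sysnet_dns_name_resolve(boinc_domain)` predates this commit and is left as is.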
@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
 manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
 fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
 
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-
-# entry files to the boinc_project_t domain
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+# this should be created by default by boinc
+# we need this label for transition to boinc_project_t
+# other boinc lib files will end up with boinc_var_lib_t
 filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
 filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
 
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
-
-can_exec(boinc_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
 
+# needs read /proc/interrupts
 kernel_read_system_state(boinc_t)
+kernel_read_network_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
 corenet_all_recvfrom_netlabel(boinc_t)
 corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
 corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
 corenet_tcp_bind_generic_node(boinc_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_t)
-corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
 corenet_tcp_bind_boinc_port(boinc_t)
-corenet_tcp_connect_boinc_port(boinc_t)
-corenet_tcp_sendrecv_boinc_port(boinc_t)
-
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
 corenet_tcp_bind_boinc_client_port(boinc_t)
-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
-
-corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
 corenet_tcp_connect_http_port(boinc_t)
-corenet_tcp_sendrecv_http_port(boinc_t)
-
-corenet_sendrecv_http_cache_client_packets(boinc_t)
 corenet_tcp_connect_http_cache_port(boinc_t)
-corenet_tcp_sendrecv_http_cache_port(boinc_t)
-
-corenet_sendrecv_squid_client_packets(boinc_t)
 corenet_tcp_connect_squid_port(boinc_t)
-corenet_tcp_sendrecv_squid_port(boinc_t)
-
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
 
 files_dontaudit_getattr_boot_dirs(boinc_t)
-files_getattr_all_dirs(boinc_t)
-files_getattr_all_files(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_etc_runtime_files(boinc_t)
-files_read_usr_files(boinc_t)
 
-fs_getattr_all_fs(boinc_t)
+auth_read_passwd(boinc_t)
 
 term_getattr_all_ptys(boinc_t)
 term_getattr_unallocated_ttys(boinc_t)
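Review bot: `logging_log_filetrans(boinc_t, boinc_log_t, { file })` wraps a single object class in braces where the removed line and the other filetrans calls in this hunk pass it bare; `logging_log_filetrans(boinc_t, boinc_log_t, file)`. The three-line comment above the filetrans_pattern rules is hard to parse; suggest `# boinc creates slots/ and projects/ itself; they must be boinc_project_var_lib_t for the transition to boinc_project_t, everything else in the lib dir stays boinc_var_lib_t`.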
@@ -130,55 +151,69 @@ init_read_utmp(boinc_t)
 
 logging_send_syslog_msg(boinc_t)
 
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
+modutils_dontaudit_exec_insmod(boinc_t)
 
-optional_policy(`
-	mta_send_mail(boinc_t)
-')
+xserver_stream_connect(boinc_t)
 
 optional_policy(`
-	sysnet_dns_name_resolve(boinc_t)
+	mta_send_mail(boinc_t)
 ')
 
 ########################################
 #
-# Project local policy
+# boinc-projects local policy
 #
 
 allow boinc_project_t self:capability { setuid setgid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+allow boinc_t boinc_project_t:process noatsecure;
+
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
+tunable_policy(`deny_ptrace',`',`
+	allow boinc_project_t self:process ptrace;
+')
+
+allow boinc_project_t self:process { execstack };
 
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
 
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
 
 allow boinc_project_t boinc_project_var_lib_t:file execmod;
-can_exec(boinc_project_t, boinc_project_var_lib_t)
 
 allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
 
 kernel_read_kernel_sysctls(boinc_project_t)
-kernel_read_network_state(boinc_project_t)
 kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
 
-corenet_all_recvfrom_unlabeled(boinc_project_t)
-corenet_all_recvfrom_netlabel(boinc_project_t)
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
-corenet_tcp_bind_generic_node(boinc_project_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
 corenet_tcp_connect_boinc_port(boinc_project_t)
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
 
 files_dontaudit_search_home(boinc_project_t)
 
+# needed by java
+fs_read_hugetlbfs_files(boinc_project_t)
+
+optional_policy(`
+	gnome_read_gconf_config(boinc_project_t)	
+')
+
 optional_policy(`
 	java_exec(boinc_project_t)
 ')
+
+# until solution for VirtualBox, java ..
+optional_policy(`
+	unconfined_domain(boinc_project_t)
+')
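Review bot: `unconfined_domain(boinc_project_t)` makes every other rule for boinc_project_t in this hunk moot whenever the unconfined module is loaded: the deny_ptrace tunable block, the unconditional `allow boinc_project_t self:process { execstack };` (which also bypasses the boinc_execmem tunable declared earlier in the file) and the removal of can_exec no longer constrain anything, and this is the domain that runs downloaded project binaries. If it has to stay, the comment should name what it is waiting on, e.g. `# TODO(<tracking reference>): drop once VirtualBox/java can run confined`, so it does not become permanent. Minor: `gnome_read_gconf_config(boinc_project_t)` has a trailing tab, and `files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )` has a stray space before the closing parenthesis.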
diff --git a/brctl.te b/brctl.te
index bcd1e87..6294955 100644
--- a/brctl.te
+++ b/brctl.te
@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
 
 domain_use_interactive_fds(brctl_t)
 
-files_read_etc_files(brctl_t)
 
 term_dontaudit_use_console(brctl_t)
 
-miscfiles_read_localization(brctl_t)
-
 optional_policy(`
 	xen_append_log(brctl_t)
 	xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/bugzilla.fc b/bugzilla.fc
index fce0b6e..fb6e397 100644
--- a/bugzilla.fc
+++ b/bugzilla.fc
@@ -1,4 +1,4 @@
-/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/usr/share/bugzilla(/.*)?		gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla/.*\.cgi	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
 
 /var/lib/bugzilla(/.*)?	gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262..bf0cefa 100644
--- a/bugzilla.if
+++ b/bugzilla.if
@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
 interface(`bugzilla_admin',`
 	gen_require(`
 		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
 		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-		type httpd_bugzilla_htaccess_t;
+		type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
 	')
 
-	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+	allow $1 httpd_bugzilla_script_t:process signal_perms;
 	ps_process_pattern($1, httpd_bugzilla_script_t)
 
-	files_search_usr($1)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 httpd_bugzilla_script_t:process ptrace;
+	')
+
+	files_list_tmp($1)
+	admin_pattern($1, httpd_bugzilla_tmp_t)
+
+	files_list_var_lib(httpd_bugzilla_script_t)
+
 	admin_pattern($1, httpd_bugzilla_script_exec_t)
 	admin_pattern($1, httpd_bugzilla_script_t)
 	admin_pattern($1, httpd_bugzilla_content_t)
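Review bot: `files_list_var_lib(httpd_bugzilla_script_t)` inside bugzilla_admin grants the rule to the bugzilla script domain instead of the admin caller; every other rule in the interface targets `$1`, and the context lines below already give the caller `files_search_var_lib($1)`. Either change it to `files_list_var_lib($1)` or move it to bugzilla.te, where rules for httpd_bugzilla_script_t belong. The removal of the `role` parameter documentation should be checked against the interface body outside the hunk to confirm `$2` is no longer used.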
@@ -76,5 +78,7 @@ interface(`bugzilla_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, httpd_bugzilla_rw_content_t)
 
-	apache_list_sys_content($1)
+	optional_policy(`
+		apache_list_sys_content($1)
+	')
 ')
diff --git a/bugzilla.te b/bugzilla.te
index 41f8251..57f094e 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
 
 apache_content_template(bugzilla)
 
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
 ########################################
 #
 # Local policy
@@ -14,7 +17,6 @@ apache_content_template(bugzilla)
 
 allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
 
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
 corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
 corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
 corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
 corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
 corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
 
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
 files_search_var_lib(httpd_bugzilla_script_t)
 
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+auth_read_passwd(httpd_bugzilla_script_t)
+
+dev_read_sysfs(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
 sysnet_use_ldap(httpd_bugzilla_script_t)
 
+miscfiles_read_certs(httpd_bugzilla_script_t)
+
 optional_policy(`
 	mta_send_mail(httpd_bugzilla_script_t)
 ')
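Review bot: Replacing `sysnet_dns_name_resolve(httpd_bugzilla_script_t)` with `sysnet_read_config(...)` at L10102-L10107 drops the network side of name resolution (as I recall, `sysnet_dns_name_resolve` also carries DNS port access, not just resolv.conf reads), so SMTP and LDAP connections configured by hostname may start failing unless `apache_content_template` already grants DNS access; please confirm rather than assume. The new `dev_read_sysfs` and `auth_read_passwd` grants for a CGI domain carry no explanation of which code path needs them; a one-line comment such as `# needed by Perl NSS/sysfs lookups during startup (confirm)` or a bug reference would let the next reviewer judge whether they are still required.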
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
index 0000000..b5ee23b
--- /dev/null
+++ b/bumblebee.fc
@@ -0,0 +1,7 @@
+/etc/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/lib/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/sbin/bumblebeed		--	gen_context(system_u:object_r:bumblebee_exec_t,s0)
+
+/var/run/bumblebee.*			gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
index 0000000..de66654
--- /dev/null
+++ b/bumblebee.if
@@ -0,0 +1,121 @@
+## <summary>policy for bumblebee</summary>
+
+########################################
+## <summary>
+##	Execute bumblebee in the bumblebee domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bumblebee_domtrans',`
+	gen_require(`
+		type bumblebee_t, bumblebee_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	Read bumblebee PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_read_pid_files',`
+	gen_require(`
+		type bumblebee_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute bumblebee server in the bumblebee domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_systemctl',`
+	gen_require(`
+		type bumblebee_t;
+		type bumblebee_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 bumblebee_unit_file_t:file read_file_perms;
+	allow $1 bumblebee_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	Connect to bumblebee over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_stream_connect',`
+	gen_require(`
+		type bumblebee_t, bumblebee_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an bumblebee environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bumblebee_admin',`
+	gen_require(`
+		type bumblebee_t;
+		type bumblebee_var_run_t;
+		type bumblebee_unit_file_t;
+	')
+
+	allow $1 bumblebee_t:process { signal_perms };
+	ps_process_pattern($1, bumblebee_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 bumblebee_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, bumblebee_var_run_t)
+
+	bumblebee_systemctl($1)
+	admin_pattern($1, bumblebee_unit_file_t)
+	allow $1 bumblebee_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
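Review bot: `bumblebee_admin` is tagged `<rolecap/>` but declares no `role` parameter and never uses `$2`, unlike the other admin interfaces in this series (`canna_admin`, `ccs_admin`, `certmaster_admin`); either drop the `<rolecap/>` tag or add the role parameter and the `role_transition`/`allow $2 system_r;` rules it implies. The `optional_policy` wrapper around `systemd_read_fifo_file_passwd_run($1)` at L10252 is redundant, because `bumblebee_systemctl`, which the admin interface calls unconditionally at L10246, already requires that call at L10191 — so the grant is effectively unconditional either way and the two sites should agree. The file also mixes tabs with four-space runs at L10191 and L10239-L10241; keep tabs as the rest of the file does.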
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
index 0000000..6e058fc
--- /dev/null
+++ b/bumblebee.te
@@ -0,0 +1,65 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bumblebee_t;
+type bumblebee_exec_t;
+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
+
+type bumblebee_var_run_t;
+files_pid_file(bumblebee_var_run_t)
+
+type bumblebee_unit_file_t;
+systemd_unit_file(bumblebee_unit_file_t)
+
+########################################
+#
+# bumblebee local policy
+#
+
+allow bumblebee_t self:capability { setgid };
+allow bumblebee_t self:process { fork signal_perms };
+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
+allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
+kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
+corecmd_exec_bin(bumblebee_t)
+
+dev_read_sysfs(bumblebee_t)
+
+auth_read_passwd(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
+modutils_signal_insmod(bumblebee_t)
+
+sysnet_dns_name_resolve(bumblebee_t)
+
+xserver_domtrans(bumblebee_t)
+xserver_kill(bumblebee_t)
+xserver_signal(bumblebee_t)
+xserver_stream_connect(bumblebee_t)
+xserver_manage_xkb_libs(bumblebee_t)
+corenet_tcp_connect_xserver_port(bumblebee_t)
+
+optional_policy(`
+    apm_stream_connect(bumblebee_t)
+')
+
+optional_policy(`
+    unconfined_domain(bumblebee_t)
+')
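Review bot: `unconfined_domain(bumblebee_t)` at L10324 makes every rule above it moot — whenever the unconfined module is present, bumblebeed runs unconfined regardless of the allow rules, and the policy only constrains it on systems without that module. If this is a stopgap while the daemon's real access set is collected, say so with a comment above the block, e.g. `# Temporarily unconfined until the rules above are verified complete; remove once confirmed`, otherwise remove it. The rules it masks deserve scrutiny on their own: `kernel_manage_debugfs`, `modutils_domtrans_insmod` and `xserver_domtrans` give bumblebeed module-loading and X-server-spawning reach, and `allow bumblebee_t self:capability { setgid };` without `setuid` looks incomplete for a daemon that drops privileges (presumably; confirm against the daemon source).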
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
--- a/cachefilesd.fc
+++ b/cachefilesd.fc
@@ -1,9 +1,34 @@
-/etc/rc\.d/init\.d/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_dev_t,s0)
 
 /sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
 
 /usr/sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
 
-/var/cache/fscache(/.*)?	gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+/var/cache/fscache(/.*)?	gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/fscache(/.*)?		gen_context(system_u:object_r:cachefiles_var_t,s0)
 
-/var/run/cachefilesd\.pid	--	gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+/var/run/cachefilesd\.pid --	gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/cachefilesd.if b/cachefilesd.if
index 8de2ab9..3b41945 100644
--- a/cachefilesd.if
+++ b/cachefilesd.if
@@ -1,39 +1,35 @@
-## <summary>CacheFiles user-space management daemon.</summary>
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## <summary>policy for cachefilesd</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an cachefilesd environment.
+##	Execute a domain transition to run cachefilesd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
-interface(`cachefilesd_admin',`
+interface(`cachefilesd_domtrans',`
 	gen_require(`
-		type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
-		type cachefilesd_var_run_t;
+		type cachefilesd_t, cachefilesd_exec_t;
 	')
 
-	allow $1 cachefilesd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, cachefilesd_t)
-
-	init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cachefilesd_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_search_var($1)
-	admin_pattern($1, cachefilesd_cache_t)
-
-	files_search_pids($1)
-	admin_pattern($1, cachefilesd_var_run_t)
+	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
 ')
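Review bot: The public `cachefilesd_admin` interface is deleted outright with no replacement, so any module that calls it (admin-role modules typically do) will fail to build against this version; either keep it as a deprecated stub or update the callers in the same change. The new `cachefilesd_domtrans` also omits the directory search that the other `*_domtrans` interfaces in this series include (`corecmd_search_bin($1)` in `bumblebee_domtrans` at L10151); since the binary is labeled under `/sbin` and `/usr/sbin` in cachefilesd.fc, a caller without search access to those directories never reaches the entry point. Adding `corecmd_search_bin($1)` before the `domtrans_pattern` line would match the convention.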
diff --git a/cachefilesd.te b/cachefilesd.te
index 581c8ef..2c71b1d 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,143 @@
-policy_module(cachefilesd, 1.0.1)
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd, 1.0.17)
 
-########################################
+###############################################################################
 #
 # Declarations
 #
 
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
 type cachefilesd_t;
 type cachefilesd_exec_t;
 init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
 
-type cachefilesd_initrc_exec_t;
-init_script_file(cachefilesd_initrc_exec_t)
-
-type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
-
+#
+# The cachefilesd daemon pid file context
+#
 type cachefilesd_var_run_t;
 files_pid_file(cachefilesd_var_run_t)
 
-########################################
 #
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
 #
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+	rpm_use_script_fds(cachefilesd_t)
+')
 
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do.  This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache.  It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
 allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
 
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
 manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
 files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
 
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
-dev_rw_cachefiles(cachefilesd_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
 
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
 
+# Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
 
+# Basic access
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
 term_dontaudit_use_generic_ptys(cachefilesd_t)
 term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
 
-logging_send_syslog_msg(cachefilesd_t)
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+#   (1) the security context used by the module to access files in the cache,
+#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
 
-miscfiles_read_localization(cachefilesd_t)
+#
+#   (2) the label that will be assigned to new files and directories created in
+#       the cache by the module, which will be the same as the label on the
+#       directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
 
-init_dontaudit_use_script_ptys(cachefilesd_t)
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
 
-optional_policy(`
-	rpm_use_script_fds(cachefilesd_t)
-')
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
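Review bot: The comment at L10524-L10525 states that cachefilesd "is not permitted to read/write files in the cache", but `manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)` at L10550 grants exactly that (read, write, create, unlink); either the comment or the rule is wrong, and if the daemon only scans and culls, `list_dirs_pattern` plus `delete_files_pattern` and getattr would match the stated intent. `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` at L10533 is subsumed by the `manage_files_pattern` on the next line and can go. `files_create_as_is_all_files(cachefilesd_t)` at L10537 replaces the removed `files_create_all_files_as`; I cannot confirm from this diff that the new spelling is a defined interface in the target policy, so please check it, since an unknown interface name breaks the build.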
diff --git a/calamaris.if b/calamaris.if
index cd9c528..ba793b7 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
 		attribute_role calamaris_roles;
 	')
 
-	lightsquid_domtrans($1)
+	calamaris_domtrans($1)
 	roleattribute $2 calamaris_roles;
 ')
 
diff --git a/calamaris.te b/calamaris.te
index f4f21d3..de28437 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
 
 corecmd_exec_bin(calamaris_t)
 
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
 dev_read_urand(calamaris_t)
 
-files_read_usr_files(calamaris_t)
+files_search_pids(calamaris_t)
 files_read_etc_runtime_files(calamaris_t)
 
-libs_read_lib_files(calamaris_t)
-
 auth_use_nsswitch(calamaris_t)
 
 logging_send_syslog_msg(calamaris_t)
 
-miscfiles_read_localization(calamaris_t)
-
 userdom_dontaudit_list_user_home_dirs(calamaris_t)
 
 optional_policy(`
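Review bot: `corenet_tcp_sendrecv_all_ports(calamaris_t)` and its UDP counterpart at L10630-L10631 are broader than a log analyser should need; together with the generic interface/node rules they let calamaris exchange packets on every labeled port, and grants of that width are normally scoped to the specific ports the tool uses or justified in a comment. If the intent is only to let calamaris mail its reports, the pattern used elsewhere in this tree is `mta_send_mail(calamaris_t)` inside an `optional_policy` block (see bugzilla.te L10112-L10114) rather than blanket port access. Replacing `files_read_usr_files` with `files_search_pids` at L10635-L10636 also looks like an unrelated change folded in; a short note on why PID-directory search is now needed would help.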
diff --git a/callweaver.te b/callweaver.te
index 528051e..44e5b7d 100644
--- a/callweaver.te
+++ b/callweaver.te
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
 
 auth_use_nsswitch(callweaver_t)
 
-miscfiles_read_localization(callweaver_t)
diff --git a/canna.if b/canna.if
index 400db07..f416e22 100644
--- a/canna.if
+++ b/canna.if
@@ -43,9 +43,13 @@ interface(`canna_admin',`
 		type canna_var_run_t, canna_initrc_exec_t;
 	')
 
-	allow $1 canna_t:process { ptrace signal_perms };
+	allow $1 canna_t:process signal_perms;
 	ps_process_pattern($1, canna_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 canna_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, canna_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
index 4ec0626..88e7e89 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
 kernel_read_kernel_sysctls(canna_t)
 kernel_read_system_state(canna_t)
 
-corenet_all_recvfrom_unlabeled(canna_t)
 corenet_all_recvfrom_netlabel(canna_t)
 corenet_tcp_sendrecv_generic_if(canna_t)
 corenet_tcp_sendrecv_generic_node(canna_t)
@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t)
 
 domain_use_interactive_fds(canna_t)
 
-files_read_etc_files(canna_t)
 files_read_etc_runtime_files(canna_t)
-files_read_usr_files(canna_t)
 files_search_tmp(canna_t)
 files_dontaudit_read_root_files(canna_t)
 
 logging_send_syslog_msg(canna_t)
 
-miscfiles_read_localization(canna_t)
-
 sysnet_read_config(canna_t)
 
 userdom_dontaudit_use_unpriv_user_fds(canna_t)
diff --git a/ccs.if b/ccs.if
index 5ded72d..cb94e5e 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
 interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t_t, ccs_var_log_t;
+		type ccs_var_lib_t, ccs_var_log_t;
 		type ccs_var_run_t, ccs_tmp_t;
 	')
 
-	allow $1 ccs_t:process { ptrace signal_perms };
+	allow $1 ccs_t:process { signal_perms };
 	ps_process_pattern($1, ccs_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ccs_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, ccs_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 ccs_initrc_exec_t system_r;
 	allow $2 system_r;
 
 	files_search_etc($1)
-	admin_pattern($1, ccs_conf_t)
+	admin_pattern($1, cluster_conf_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, ccs_var_lib_t)
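Review bot: The `tunable_policy` block at L10724-L10726 is indented with four spaces while the surrounding interface uses tabs; the same block in `canna_admin` at L10671-L10673 is tab-indented and this one should match. The braces in `allow $1 ccs_t:process { signal_perms };` are redundant for a single permission macro; the rest of this series writes `allow $1 ccs_t:process signal_perms;`. The two type-name corrections (`ccs_var_lib_t_t` to `ccs_var_lib_t`, `ccs_conf_t` to `cluster_conf_t`) are real fixes — the old names would have failed at link time — and deserve a mention in the commit message.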
diff --git a/ccs.te b/ccs.te
index b85b53b..476aaa3 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
 
 allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
 allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
+
 allow ccs_t self:fifo_file rw_fifo_file_perms;
 allow ccs_t self:unix_stream_socket { accept connectto listen };
 allow ccs_t self:tcp_socket { accept listen };
@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
 corecmd_list_bin(ccs_t)
 corecmd_exec_bin(ccs_t)
 
-corenet_all_recvfrom_unlabeled(ccs_t)
 corenet_all_recvfrom_netlabel(ccs_t)
 corenet_tcp_sendrecv_generic_if(ccs_t)
 corenet_udp_sendrecv_generic_if(ccs_t)
@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
 
 dev_read_urand(ccs_t)
 
-files_read_etc_files(ccs_t)
 files_read_etc_runtime_files(ccs_t)
 
 init_rw_script_tmp_files(ccs_t)
+init_signal(ccs_t)
 
 logging_send_syslog_msg(ccs_t)
 
-miscfiles_read_localization(ccs_t)
-
 sysnet_dns_name_resolve(ccs_t)
 
 userdom_manage_unpriv_user_shared_mem(ccs_t)
@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
-	aisexec_stream_connect(ccs_t)
-	corosync_stream_connect(ccs_t)
+	rhcs_stream_connect_cluster(ccs_t)
 ')
 
 optional_policy(`
diff --git a/cdrecord.if b/cdrecord.if
index fbc20f6..4de4a00 100644
--- a/cdrecord.if
+++ b/cdrecord.if
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
 
 	allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
 
-	allow $2 cdrecord_t:process { ptrace signal_perms };
+	allow $2 cdrecord_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 cdrecord_t:process ptrace;
+	')
 	ps_process_pattern($2, cdrecord_t)
 ')
diff --git a/cdrecord.te b/cdrecord.te
index 55fb26a..a7555c0 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
 domain_interactive_fd(cdrecord_t)
 domain_use_interactive_fds(cdrecord_t)
 
-files_read_etc_files(cdrecord_t)
-
 term_use_controlling_term(cdrecord_t)
 term_list_ptys(cdrecord_t)
 
@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
 
 logging_send_syslog_msg(cdrecord_t)
 
-miscfiles_read_localization(cdrecord_t)
-
-userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
 
 tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
 	fs_list_auto_mountpoints(cdrecord_t)
@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
 	userdom_dontaudit_read_user_home_content_files(cdrecord_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	files_search_mnt(cdrecord_t)
-	fs_read_nfs_files(cdrecord_t)
-	fs_read_nfs_symlinks(cdrecord_t)
-')
+userdom_home_manager(cdrecord_t)
 
 optional_policy(`
 	resmgr_stream_connect(cdrecord_t)
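Review bot: `userdom_home_manager(cdrecord_t)` at L10836 replaces a block that was gated on `use_nfs_home_dirs` and granted only read access to NFS home files, so the new rule is unconditional and, going by its name, manage-level over home content; that sidesteps the `cdrecord_read_content` boolean which the remaining `tunable_policy` blocks at L10825 and L10827-L10829 still honour, and a CD-burning tool normally needs no more than read access to a user's files. If the goal is just to follow the home-directory tunables, keep the access read-only inside the existing `cdrecord_read_content` block, or add a comment stating which operation requires manage-level home access. Note the first `cdrecord_read_content && use_nfs_home_dirs` block is left in place, so part of the old conditional logic now coexists with the unconditional grant.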
diff --git a/certmaster.if b/certmaster.if
index 0c53b18..ef29f6e 100644
--- a/certmaster.if
+++ b/certmaster.if
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
 interface(`certmaster_admin',`
 	gen_require(`
 		type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
-		type certmaster_etc_rw_t, certmaster_var_log_t;
-		type certmaster_initrc_exec_t;
+		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
 	')
 
-	allow $1 certmaster_t:process { ptrace signal_perms };
+	allow $1 certmaster_t:process signal_perms;
 	ps_process_pattern($1, certmaster_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 certmaster_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
index bf82163..2b571c7 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
 dev_read_urand(certmaster_t)
 
 files_list_var(certmaster_t)
-files_search_etc(certmaster_t)
-files_read_usr_files(certmaster_t)
 
 auth_use_nsswitch(certmaster_t)
 
-miscfiles_read_localization(certmaster_t)
 miscfiles_manage_generic_cert_dirs(certmaster_t)
 miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
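Review bot: `mta_send_mail(certmaster_t)` at L10881 is added outside an `optional_policy` block, unlike the same call in bugzilla.te (L10112-L10114) and certwatch.te (L11109-L11111) in this series; the mta module is not a hard dependency of certmaster, so the build breaks when it is absent. Wrap it in `optional_policy(` … `)` as the other two modules do. A short comment on why certmaster now sends mail (notifying on signing requests, presumably — confirm) would also help the next reader.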
diff --git a/certmonger.fc b/certmonger.fc
index ed298d8..cd8eb4d 100644
--- a/certmonger.fc
+++ b/certmonger.fc
@@ -2,6 +2,8 @@
 
 /usr/sbin/certmonger	--	gen_context(system_u:object_r:certmonger_exec_t,s0)
 
+/usr/lib/ipa/certmonger(/.*)?		gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+
 /var/lib/certmonger(/.*)?	gen_context(system_u:object_r:certmonger_var_lib_t,s0)
 
 /var/run/certmonger.*	gen_context(system_u:object_r:certmonger_var_run_t,s0)
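Review bot: `/usr/lib/ipa/certmonger(/.*)?` at L10890 labels an entire directory tree, subdirectories and non-regular files included, with `certmonger_unconfined_exec_t`, and certmonger.te (L11050) makes that label the entry point into an unconfined domain; anything dropped into that tree thereby becomes an unconfined transition target for `certmonger_t`. Limit the pattern to regular files with the `--` class field like the other executables in this file, e.g. `/usr/lib/ipa/certmonger/.*	--	gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)`, and consider enumerating the helper scripts explicitly rather than matching by directory. The entry also breaks the file's path-prefix grouping by sitting between the `/usr/sbin` and `/var/lib` lines.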
diff --git a/certmonger.if b/certmonger.if
index 008f8ef..144c074 100644
--- a/certmonger.if
+++ b/certmonger.if
@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
 	')
 
 	ps_process_pattern($1, certmonger_t)
-	allow $1 certmonger_t:process { ptrace signal_perms };
+	allow $1 certmonger_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 certmonger_t:process ptrace;
+	')
 
 	certmonger_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 certmonger_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, certmonger_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, certmonger_var_run_t)
 ')
diff --git a/certmonger.te b/certmonger.te
index 2354e21..b2b0a2f 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
 type certmonger_var_run_t;
 files_pid_file(certmonger_var_run_t)
 
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
 ########################################
 #
 # Local policy
@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
 allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
 dontaudit certmonger_t self:capability sys_tty_config;
 allow certmonger_t self:capability2 block_suspend;
+
 allow certmonger_t self:process { getsched setsched sigkill signal };
-allow certmonger_t self:fifo_file rw_fifo_file_perms;
-allow certmonger_t self:unix_stream_socket { accept listen };
-allow certmonger_t self:tcp_socket { accept listen };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
 manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(certmonger_t)
 kernel_read_system_state(certmonger_t)
+kernel_read_network_state(certmonger_t)
 
 corenet_all_recvfrom_unlabeled(certmonger_t)
 corenet_all_recvfrom_netlabel(certmonger_t)
@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
 
 corenet_sendrecv_certmaster_client_packets(certmonger_t)
 corenet_tcp_connect_certmaster_port(certmonger_t)
+
+corenet_tcp_connect_http_port(certmonger_t)
+corenet_tcp_connect_http_cache_port(certmonger_t)
+
+corenet_tcp_connect_ldap_port(certmonger_t)
+
+corenet_tcp_connect_pki_ca_port(certmonger_t)
 corenet_tcp_sendrecv_certmaster_port(certmonger_t)
 
 corecmd_exec_bin(certmonger_t)
 corecmd_exec_shell(certmonger_t)
 
+dev_read_rand(certmonger_t)
 dev_read_urand(certmonger_t)
 
 domain_use_interactive_fds(certmonger_t)
 
-files_read_usr_files(certmonger_t)
 files_list_tmp(certmonger_t)
+files_list_home(certmonger_t)
 
 fs_search_cgroup_dirs(certmonger_t)
 
@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t)
 
 logging_send_syslog_msg(certmonger_t)
 
-miscfiles_read_localization(certmonger_t)
 miscfiles_manage_generic_cert_files(certmonger_t)
 
+systemd_exec_systemctl(certmonger_t)
+
 userdom_search_user_home_content(certmonger_t)
+userdom_manage_home_certs(certmonger_t)
 
 optional_policy(`
-	apache_initrc_domtrans(certmonger_t)
 	apache_search_config(certmonger_t)
 	apache_signal(certmonger_t)
 	apache_signull(certmonger_t)
+	apache_systemctl(certmonger_t)
 ')
 
 optional_policy(`
@@ -92,11 +108,51 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_read_keytab(certmonger_t)
+	dirsrv_manage_config(certmonger_t)
+	dirsrv_signal(certmonger_t)
+	dirsrv_signull(certmonger_t)
+')
+
+optional_policy(`
+    ipa_manage_lib(certmonger_t)
+')
+
+optional_policy(`
 	kerberos_use(certmonger_t)
+	kerberos_read_keytab(certmonger_t)
 ')
 
 optional_policy(`
 	pcscd_read_pid_files(certmonger_t)
 	pcscd_stream_connect(certmonger_t)
 ')
+
+optional_policy(`
+	pki_rw_tomcat_cert(certmonger_t)
+	pki_read_tomcat_lib_files(certmonger_t)
+')
+
+########################################
+#
+# certmonger_unconfined_script_t local policy
+#
+
+optional_policy(`
+	type certmonger_unconfined_t;
+	domain_type(certmonger_unconfined_t)
+
+	domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
+	role system_r types certmonger_unconfined_t;
+
+	domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
+
+	allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
+	allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+	allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
+
+	init_domtrans_script(certmonger_unconfined_t)
+
+	optional_policy(`
+		unconfined_domain(certmonger_unconfined_t)
+	')
+')
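Review bot: `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` at L11053 applies a file permission set to the `dir` class; the set intended here is `list_dir_perms` (which also makes the separate `search_dir_perms` line above it unnecessary). The header comment at L11040 names `certmonger_unconfined_script_t` but the type declared at L11044 is `certmonger_unconfined_t`; fix the comment so the name can be grepped. The outer `optional_policy` block declares the type and the `domtrans_pattern` while `unconfined_domain` sits in a nested one; without the unconfined module, `certmonger_unconfined_t` becomes a confined domain with almost no rules, which will break the helpers rather than relax them, so a comment naming which module the outer block waits on — or moving the declarations out of `optional_policy` — is warranted.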
diff --git a/certwatch.te b/certwatch.te
index 403af41..1a4bd9c 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
 
 allow certwatch_t self:capability sys_nice;
 allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
 
+kernel_read_system_state(certwatch_t)
+
+corecmd_exec_bin(certwatch_t)
+
+dev_read_rand(certwatch_t)
 dev_read_urand(certwatch_t)
 
-files_read_etc_files(certwatch_t)
-files_read_usr_files(certwatch_t)
 files_read_usr_symlinks(certwatch_t)
 files_list_tmp(certwatch_t)
 
 fs_list_inotifyfs(certwatch_t)
 
 auth_manage_cache(certwatch_t)
+auth_read_passwd(certwatch_t)
 auth_var_filetrans_cache(certwatch_t)
 
 logging_send_syslog_msg(certwatch_t)
 
 miscfiles_read_all_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
+miscfiles_manage_generic_cert_dirs(certwatch_t)
+
+sysnet_read_config(certwatch_t)
 
-userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
 
 optional_policy(`
+	apache_domtrans(certwatch_t)
 	apache_exec_modules(certwatch_t)
 	apache_read_config(certwatch_t)
 ')
 
 optional_policy(`
+    mta_send_mail(certwatch_t)
+')
+
+optional_policy(`
 	cron_system_entry(certwatch_t, certwatch_exec_t)
 ')
 
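Review bot: `apache_domtrans(certwatch_t)` at L11104 lets a cron-driven certificate checker execute httpd and transition into the `httpd_t` domain, a much larger grant than the `apache_exec_modules`/`apache_read_config` it sits beside; if certwatch only needs to locate the server's certificates, the domtrans is unnecessary, and if it really execs httpd a comment such as `# certwatch invokes httpd to ... (confirm)` belongs on that line. `miscfiles_manage_generic_cert_dirs` at L11094 likewise needs a justification — a checker that already has `miscfiles_read_all_certs` does not usually create or delete cert directories. The `mta_send_mail` block at L11110 is indented with spaces where the file uses tabs.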
diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644
--- a/cfengine.if
+++ b/cfengine.if
@@ -13,7 +13,6 @@
 template(`cfengine_domain_template',`
 	gen_require(`
 		attribute cfengine_domain;
-		type cfengine_log_t, cfengine_var_lib_t;
 	')
 
 	########################################
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
 	# Policy
 	#
 
+	kernel_read_system_state(cfengine_$1_t)
+
 	auth_use_nsswitch(cfengine_$1_t)
+
+	logging_send_syslog_msg(cfengine_$1_t)
+')
+
+######################################
+## <summary>
+##  Search cfengine lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cfengine_search_lib_files',`
+	gen_require(`
+		type cfengine_var_lib_t;
+	')
+
+	allow $1 cfengine_var_lib_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
 	dontaudit $1 cfengine_var_log_t:file write_file_perms;
 ')
 
+#####################################
+## <summary>
+##      Allow the specified domain to append cfengine's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cfengine_append_inherited_log',`
+        gen_require(`
+                type cfengine_var_log_t;
+        ')
+
+        cfengine_search_lib_files($1)
+		allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
+')
+
+####################################
+## <summary>
+##      Dontaudit the specified domain to write cfengine's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cfengine_dontaudit_write_log',`
+        gen_require(`
+                type cfengine_var_log_t;
+        ')
+
+		dontaudit $1 cfengine_var_log_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
 		type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
 	')
 
-	allow $1 cfengine_domain:process { ptrace signal_perms };
+	allow $1 cfengine_domain:process { signal_perms };
 	ps_process_pattern($1, cfengine_domain)
 
 	init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
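Review bot: `cfengine_admin` simply drops `ptrace` here, whereas `cgroup_admin`, `chronyd_admin` and `clamav_admin` in this same commit keep it behind the `deny_ptrace` tunable. If the intent is the same everywhere, add the same three-line `tunable_policy` block on `deny_ptrace` after `ps_process_pattern($1, cfengine_domain)`, granting `allow $1 cfengine_domain:process ptrace;` in the false branch. If the unconditional removal is deliberate, a one-line comment saying so would stop the next reader from re-adding it for consistency.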
@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
 ')
+
diff --git a/cfengine.te b/cfengine.te
index 8af5bbe..168f01f 100644
--- a/cfengine.te
+++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
 setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
 logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
 
-kernel_read_system_state(cfengine_domain)
-
 corecmd_exec_bin(cfengine_domain)
 corecmd_exec_shell(cfengine_domain)
 
 dev_read_urand(cfengine_domain)
 dev_read_sysfs(cfengine_domain)
 
-logging_send_syslog_msg(cfengine_domain)
-
-miscfiles_read_localization(cfengine_domain)
-
+sysnet_dns_name_resolve(cfengine_domain)
 sysnet_domtrans_ifconfig(cfengine_domain)
 
 ########################################
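Review bot: `miscfiles_read_localization(cfengine_domain)` is removed with no visible replacement, and the same removal appears in `cgroup.te` (cgred_t), `chronyd.te`, `cipe.te` and `clamav.te` in this commit; presumably localization reads are now granted to all domains by the base policy, but nothing in the diff says so, and if that assumption is wrong every one of these daemons loses locale access at once. The `kernel_read_system_state` and `logging_send_syslog_msg` rules move from the `cfengine_domain` attribute into `cfengine_domain_template`, which only covers domains created through the template. A comment near `sysnet_dns_name_resolve(cfengine_domain)` noting where localization access now comes from would close the gap for the reader.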
diff --git a/cgroup.if b/cgroup.if
index 85ca63f..1d1c99c 100644
--- a/cgroup.if
+++ b/cgroup.if
@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
 		type cgrules_etc_t, cgclear_t;
 	')
 
-	allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+	allow $1 cgclear_t:process signal_perms;
+	ps_process_pattern($1, cgclear_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgclear_t:process ptrace;
+	')
+
+	allow $1 cgconfig_t:process signal_perms;
+	ps_process_pattern($1, cgconfig_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgconfig_t:process ptrace;
+	')
+
+	allow $1 cgred_t:process signal_perms;
+	ps_process_pattern($1, cgred_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgred_t:process ptrace;
+	')
 
 	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
 	files_list_etc($1)
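Review bot: The three `deny_ptrace` tunable blocks in `cgroup_admin` are identical except for the type, and the rule they replace already used the set `{ cgclear_t cgconfig_t cgred_t }`, so the hunk triples the rule count for no policy difference. One set-based stanza keeps the same gating and stays in sync when a fourth cgroup domain is added.
```selinux
	allow $1 { cgclear_t cgconfig_t cgred_t }:process signal_perms;
	ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })

	tunable_policy(`deny_ptrace',`',`
		allow $1 { cgclear_t cgconfig_t cgred_t }:process ptrace;
	')
	# … unchanged: admin_pattern / files_list_etc …
```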
diff --git a/cgroup.te b/cgroup.te
index fdee107..a4c2efb 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
 type cgrules_etc_t;
 files_config_file(cgrules_etc_t)
 
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
 init_daemon_domain(cgconfig_t, cgconfig_exec_t)
 
 type cgconfig_initrc_exec_t;
@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
 
 allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
 
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
 
 kernel_read_system_state(cgclear_t)
 
+auth_use_nsswitch(cgclear_t)
+
 domain_setpriority_all_domains(cgclear_t)
 
 fs_manage_cgroup_dirs(cgclear_t)
@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
 kernel_list_unlabeled(cgconfig_t)
 kernel_read_system_state(cgconfig_t)
 
-files_read_etc_files(cgconfig_t)
-
 fs_manage_cgroup_dirs(cgconfig_t)
 fs_manage_cgroup_files(cgconfig_t)
 fs_mount_cgroup(cgconfig_t)
 fs_mounton_cgroup(cgconfig_t)
 fs_unmount_cgroup(cgconfig_t)
 
+auth_use_nsswitch(cgconfig_t)
+
 ########################################
 #
 # cgred local policy
 #
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
+allow cgred_t self:process signal_perms;
 
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
 
+allow cgred_t cgconfig_etc_t:file read_file_perms;
 allow cgred_t cgrules_etc_t:file read_file_perms;
 
 allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
 files_getattr_all_files(cgred_t)
 files_getattr_all_sockets(cgred_t)
 files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
 
-fs_write_cgroup_files(cgred_t)
+fs_manage_cgroup_dirs(cgred_t)
+fs_manage_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
 
-logging_send_syslog_msg(cgred_t)
+auth_use_nsswitch(cgred_t)
 
-miscfiles_read_localization(cgred_t)
+logging_send_syslog_msg(cgred_t)
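Review bot: Replacing `fs_write_cgroup_files(cgred_t)` with `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` widens cgred from writing existing cgroup control files to creating and removing cgroup directories and files; that may be what cgrulesengd needs, but the diff gives no reason, so the lines should carry a comment naming the operation that required it. In the previous hunk the `cgred_t` capability set is only reordered (`sys_ptrace` and `dac_override` swap places), churn that hides the real change — the new `allow cgred_t self:process signal_perms;` line — and both lines now sit directly under the `# cgred local policy` header with the blank separator below them instead of above.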
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
index 0000000..57866f6
--- /dev/null
+++ b/chrome.fc
@@ -0,0 +1,9 @@
+/opt/google/chrome/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)?	gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)?		gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
index 0000000..23407b8
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,137 @@
+
+## <summary>policy for chrome</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run chrome_sandbox.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chrome_domtrans_sandbox',`
+	gen_require(`
+		type chrome_sandbox_t, chrome_sandbox_exec_t;
+	')
+
+	domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
+	ps_process_pattern(chrome_sandbox_t, $1)
+
+	allow $1 chrome_sandbox_t:fd use;
+
+	dontaudit chrome_sandbox_t $1:socket_class_set getattr;
+	allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
+
+	ifdef(`hide_broken_symptoms',`
+		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+	')
+')
+
+
+########################################
+## <summary>
+##	Execute chrome_sandbox in the chrome_sandbox domain, and
+##	allow the specified role the chrome_sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the chrome_sandbox domain.
+##	</summary>
+## </param>
+#
+interface(`chrome_run_sandbox',`
+	gen_require(`
+		type chrome_sandbox_t;
+		type chrome_sandbox_nacl_t;
+	')
+
+	chrome_domtrans_sandbox($1)
+	role $2 types chrome_sandbox_t;
+	role $2 types chrome_sandbox_nacl_t;
+')
+
+########################################
+## <summary>
+##	Role access for chrome sandbox
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`chrome_role_notrans',`
+	gen_require(`
+		type chrome_sandbox_t;
+		type chrome_sandbox_tmpfs_t;
+		type chrome_sandbox_nacl_t;
+	')
+
+	role $1 types chrome_sandbox_t;
+	role $1 types chrome_sandbox_nacl_t;
+
+	ps_process_pattern($2, chrome_sandbox_t)
+	allow $2 chrome_sandbox_t:process signal_perms;
+
+	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+	allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
+	dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
+	allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+	allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+	allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Role access for chrome sandbox
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`chrome_role',`
+	chrome_role_notrans($1, $2)
+	chrome_domtrans_sandbox($2)
+')
+
+########################################
+## <summary>
+##	Dontaudit read/write to a chrome_sandbox leaks
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`chrome_dontaudit_sandbox_leaks',`
+	gen_require(`
+		type chrome_sandbox_t;
+	')
+
+	dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
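Review bot: `allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;` in `chrome_role_notrans` ends with a doubled semicolon; whether or not checkmodule tolerates the empty statement, it should be `rw_inherited_sock_file_perms;`. The `chrome_run_sandbox` summary mentions only the chrome_sandbox domain although the body also grants the role `chrome_sandbox_nacl_t`, and `chrome_role_notrans` and `chrome_role` share the same summary text although only the latter adds the domain transition; each summary should say which types the role receives and whether a transition is granted. The `chrome_dontaudit_sandbox_leaks` summary reads better as `Do not audit reads and writes on leaked chrome_sandbox stream sockets.`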
diff --git a/chrome.te b/chrome.te
new file mode 100644
index 0000000..fb60ffc
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,248 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+ubac_constrained(chrome_sandbox_t)
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+type chrome_sandbox_nacl_t;
+type chrome_sandbox_nacl_exec_t;
+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
+role system_r types chrome_sandbox_nacl_t;
+ubac_constrained(chrome_sandbox_nacl_t)
+
+type chrome_sandbox_home_t;
+userdom_user_home_content(chrome_sandbox_home_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process setsched;
+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:sem create_sem_perms;
+allow chrome_sandbox_t self:msgq create_msgq_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+fs_read_dos_files(chrome_sandbox_t)
+fs_read_hugetlbfs_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
+corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_connect_whois_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_t)
+
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
+
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+userdom_search_user_home_content(chrome_sandbox_t)
+# This one we should figure a way to make it more secure
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
+	gnome_exec_config_home_files(chrome_sandbox_t)
+	gnome_read_generic_cache_files(chrome_sandbox_t)
+	gnome_rw_inherited_config(chrome_sandbox_t)
+	gnome_read_home_config(chrome_sandbox_t)
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
+
+')
+
+optional_policy(`
+	mozilla_write_user_home_files(chrome_sandbox_t)
+')
+
+optional_policy(`
+	xserver_use_user_fonts(chrome_sandbox_t)
+	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_search_nfs(chrome_sandbox_t)
+	fs_exec_nfs_files(chrome_sandbox_t)
+	fs_read_nfs_files(chrome_sandbox_t)
+	fs_rw_inherited_nfs_files(chrome_sandbox_t)
+	fs_read_nfs_symlinks(chrome_sandbox_t)
+	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_search_cifs(chrome_sandbox_t)
+	fs_exec_cifs_files(chrome_sandbox_t)
+	fs_rw_inherited_cifs_files(chrome_sandbox_t)
+	fs_read_cifs_files(chrome_sandbox_t)
+	fs_read_cifs_symlinks(chrome_sandbox_t)
+	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+    fs_search_fusefs(chrome_sandbox_t)
+    fs_read_fusefs_files(chrome_sandbox_t)
+    fs_exec_fusefs_files(chrome_sandbox_t)
+	fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+        fs_read_ecryptfs_files(chrome_sandbox_t)
+		fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
+		fs_read_ecryptfs_symlinks(chrome_sandbox_t)
+')
+
+optional_policy(`
+	bumblebee_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+	cups_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+	sandbox_use_ptys(chrome_sandbox_t)
+')
+
+
+########################################
+#
+# chrome_sandbox_nacl local policy
+#
+
+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
+
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+dev_rwx_zero(chrome_sandbox_nacl_t)
+
+init_read_state(chrome_sandbox_nacl_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+
+optional_policy(`
+	gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
+	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
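Review bot: `chrome_sandbox_t` is granted `sys_admin`, `sys_chroot`, `sys_ptrace`, `setuid`, `setgid` and `dac_override` plus `execmem`/`execstack` and `dev_rwx_zero`, with no comment tying any of them to a sandbox mechanism; for a domain whose purpose is confinement, each of these lines deserves a why-comment (for example `# setuid sandbox helper: chroot and namespace setup` on the capability line, if that is the reason) so later cleanups can tell required from leftover. The `# This one we should figure a way to make it more secure` note above `userdom_manage_home_certs` is a TODO; naming what chrome actually writes there would make it actionable. `chrome_sandbox_nacl_t` spells out `{ execmem setsched sigkill sigstop signull signal }` where the sandbox domain uses `signal_perms`; if leaving out `sigchld` is intentional say so, otherwise use the macro. The `use_fusefs_home_dirs` and `use_ecryptfs_home_dirs` blocks mix spaces and tabs while the rest of the file uses tabs.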
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143e..a665b32 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -2,6 +2,8 @@
 
 /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/chrony.*	--      gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
 /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 
 /var/lib/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 32e8265..0de4af3 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
 
 ########################################
 ## <summary>
-##	Connect to chronyd using a unix
-##	domain stream socket.
+##	Read chronyd keys files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_stream_connect',`
+interface(`chronyd_read_keys',`
 	gen_require(`
-		type chronyd_t, chronyd_var_run_t;
+		type chronyd_keys_t;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
 ')
 
 ########################################
 ## <summary>
-##	Send to chronyd using a unix domain
-##	datagram socket.
+##	Append chronyd keys files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
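Review bot: `chronyd_read_keys` replaces `chronyd_read_key_files` (removed further down in this file) without keeping the old name, so any caller outside this commit that uses `chronyd_read_key_files` stops building; the usual convention is to keep the old interface as a `refpolicywarn` wrapper that calls the new one for at least one release. The new body also drops the `files_search_etc($1)` the old interface had, so a caller that cannot already search `/etc` loses access rather than gaining it; add `files_search_etc($1)` back above the `read_files_pattern` call.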
@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_dgram_send',`
+interface(`chronyd_append_keys',`
+	gen_require(`
+		type chronyd_keys_t;
+	')
+
+	append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+##	Execute chronyd server in the chronyd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`chronyd_systemctl',`
+	gen_require(`
+		type chronyd_t;
+		type chronyd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 chronyd_unit_file_t:file read_file_perms;
+	allow $1 chronyd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, chronyd_t)
+')
+
+#######################################
+## <summary>
+##  Connect to chronyd using a unix
+##  domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`chronyd_stream_connect',`
 	gen_require(`
 		type chronyd_t, chronyd_var_run_t;
 	')
 
 	files_search_pids($1)
-	dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
 ')
 
 ########################################
 ## <summary>
-##	Read chronyd key files.
+##	Send to chronyd using a unix domain
+##	datagram socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
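Review bot: The summary of `chronyd_systemctl`, `Execute chronyd server in the chronyd domain.`, describes a domain transition, but the body grants `systemd_exec_systemctl`, read access to `chronyd_unit_file_t` and `manage_service_perms` on its service — no transition to `chronyd_t` takes place. The summary should read `Allow the specified domain to start, stop and check the chronyd service via systemctl.` and the parameter text `Domain allowed to transition.` should be `Domain allowed access.` `clamd_systemctl` in this same commit additionally calls `systemd_read_fifo_file_passwd_run($1)`; if systemctl needs that here as well it is missing, and if it does not it is surplus there.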
@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_read_key_files',`
+interface(`chronyd_dgram_send',`
 	gen_require(`
-		type chronyd_keys_t;
+		type chronyd_t, chronyd_var_run_t;
 	')
 
-	files_search_etc($1)
-	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+	files_search_pids($1)
+	dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
 ')
 
 ####################################
@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',`
 #
 interface(`chronyd_admin',`
 	gen_require(`
-		type chronyd_t, chronyd_var_log_t;
-		type chronyd_var_run_t, chronyd_var_lib_t;
-		type chronyd_initrc_exec_t, chronyd_keys_t;
+		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+		type chronyd_keys_t, chronyd_unit_file_t;
 	')
 
-	allow $1 chronyd_t:process { ptrace signal_perms };
+	allow $1 chronyd_t:process signal_perms;
 	ps_process_pattern($1, chronyd_t)
 
-	chronyd_initrc_domtrans($1)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 chronyd_t:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 chronyd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, chronyd_keys_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, chronyd_var_log_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, chronyd_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, chronyd_var_run_t)
+
+	admin_pattern($1, chronyd_tmpfs_t)
+
+	admin_pattern($1, chronyd_unit_file_t)
+	chronyd_systemctl($1)
+	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
diff --git a/chronyd.te b/chronyd.te
index 914ee2d..d0c8001 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
 type chronyd_tmpfs_t;
 files_tmpfs_file(chronyd_tmpfs_t)
 
+type chronyd_unit_file_t;
+systemd_unit_file(chronyd_unit_file_t)
+
 type chronyd_var_lib_t;
 files_type(chronyd_var_lib_t)
 
@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
 # Local policy
 #
 
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
 
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
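Review bot: `chronyd_t` now gets `append_file_perms` and `setattr_file_perms` on `chronyd_keys_t`, its own authentication key file, in addition to read; that lets the daemon extend or re-mode the key material, which is precisely what a separate read-only key label is meant to prevent, so the rule should carry a comment naming the chronyd feature that writes to the key file and, if that feature is optional, sit behind a tunable. The added `fsetid` capability is likewise unexplained. The three separate `allow chronyd_t chronyd_keys_t:file …` lines would read better as one rule, `allow chronyd_t chronyd_keys_t:file { read_file_perms append_file_perms setattr_file_perms };`.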
@@ -76,18 +83,20 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
 
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
+
 dev_rw_realtime_clock(chronyd_t)
 
 auth_use_nsswitch(chronyd_t)
 
 logging_send_syslog_msg(chronyd_t)
 
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
 
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
 ')
-
-optional_policy(`
-	mta_send_mail(chronyd_t)
-')
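Review bot: `mta_send_mail(chronyd_t)` moves out of `optional_policy` into the unconditional section, which makes the chronyd module fail to link whenever the mta module is not loaded; that is what the original wrapper guarded against. Unless mta is now part of the base policy on every target this builds for — which the diff does not show — keep the `optional_policy` block around it, next to the `gpsd_rw_shm` one.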
diff --git a/cipe.te b/cipe.te
index 28c8475..9b86dd1 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
 corecmd_exec_shell(ciped_t)
 corecmd_exec_bin(ciped_t)
 
-corenet_all_recvfrom_unlabeled(ciped_t)
 corenet_all_recvfrom_netlabel(ciped_t)
 corenet_udp_sendrecv_generic_if(ciped_t)
 corenet_udp_sendrecv_generic_node(ciped_t)
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
 
 domain_use_interactive_fds(ciped_t)
 
-files_read_etc_files(ciped_t)
 files_read_etc_runtime_files(ciped_t)
 files_dontaudit_search_var(ciped_t)
 
@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
 
 logging_send_syslog_msg(ciped_t)
 
-miscfiles_read_localization(ciped_t)
-
 sysnet_read_config(ciped_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ciped_t)
diff --git a/clamav.fc b/clamav.fc
index d72afcc..c53b80d 100644
--- a/clamav.fc
+++ b/clamav.fc
@@ -6,6 +6,8 @@
 /usr/bin/clamdscan	--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/freshclam	--	gen_context(system_u:object_r:freshclam_exec_t,s0)
 
+/usr/lib/systemd/system/clamd.*  --  gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
 /usr/sbin/clamd	--	gen_context(system_u:object_r:clamd_exec_t,s0)
 /usr/sbin/clamav-milter	--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
diff --git a/clamav.if b/clamav.if
index 4cc4a5c..99c5cca 100644
--- a/clamav.if
+++ b/clamav.if
@@ -1,4 +1,4 @@
-## <summary>ClamAV Virus Scanner.</summary>
+## <summary>ClamAV Virus Scanner</summary>
 
 ########################################
 ## <summary>
@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
 		type clamd_t, clamd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, clamd_exec_t, clamd_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to clamd using a unix
-##	domain stream socket.
+##	Connect to run clamd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
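Review bot: Removing `corecmd_search_bin($1)` from `clamav_domtrans` (and from `clamav_domtrans_clamscan` and `clamav_exec_clamscan` in later hunks) means a caller that cannot already search bin directories can no longer reach the executable through this interface; that is only safe if every domain now gets bin search from the base policy, which the diff does not show, so the commit should say so. The new summary `Connect to run clamd.` for `clamav_stream_connect` is less accurate than the text it replaces — the interface connects to clamd's unix stream socket and runs nothing — so `Connect to clamd using a unix domain stream socket.` should be restored. The same kind of regression appears where `Search clamav library directories.` becomes the ungrammatical `Search clamav libraries directories.`; the rewordings add nothing and do not belong in a policy change.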
@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
 
 ########################################
 ## <summary>
-##	Append clamav log files.
+##	Allow the specified domain to append
+##	to clamav log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	clamav pid content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clamav_manage_pid_content',`
-	gen_require(`
-		type clamd_var_run_t;
-	')
-
-	files_search_pids($1)
-	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
-	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-')
-
-########################################
-## <summary>
 ##	Read clamav configuration files.
 ## </summary>
 ## <param name="domain">
@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
 
 ########################################
 ## <summary>
-##	Search clamav library directories.
+##	Search clamav libraries directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
 		type clamscan_t, clamscan_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, clamscan_exec_t, clamscan_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute clamscan in the caller domain.
+##	Execute clamscan without a transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
 		type clamscan_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, clamscan_exec_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Read clamd process state files.
+##	Manage clamd pid content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',`
 ##	</summary>
 ## </param>
 #
-interface(`clamav_read_state_clamd',`
+interface(`clamav_manage_clamd_pid',`
 	gen_require(`
-		type clamd_t;
+		type clamd_var_run_t;
 	')
 
-	kernel_search_proc($1)
-	allow $1 clamd_t:dir list_dir_perms;
-	read_files_pattern($1, clamd_t, clamd_t)
-	read_lnk_files_pattern($1, clamd_t, clamd_t)
+	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+#######################################
+## <summary>
+##      Read clamd state files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`clamav_read_state_clamd',`
+        gen_require(`
+                type clamd_t;
+        ')
+
+        kernel_search_proc($1)
+        ps_process_pattern($1, clamd_t)
+')
+
+#######################################
+## <summary>
+##      Execute clamd server in the clamd domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`clamd_systemctl',`
+        gen_require(`
+                type clamd_t;
+                type clamd_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+        allow $1 clamd_unit_file_t:file read_file_perms;
+        allow $1 clamd_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, clamd_t)
 ')
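Review bot: `clamd_systemctl` breaks the file's naming convention — every other interface here carries the `clamav_` module prefix, and the parallel interface in chronyd.if is `chronyd_systemctl`, matching its module name — so it should be `clamav_systemctl` before callers depend on it, and `clamav_admin` in this commit already does. `clamav_manage_clamd_pid` replaces the removed `clamav_manage_pid_content` with neither a `refpolicywarn` wrapper for the old name nor the `files_search_pids($1)` call the old body had, so existing callers break and new ones may be unable to reach the pid directory. The three new interfaces are indented with spaces where the rest of the file uses tabs.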
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an clamav environment.
+##	All of the rules required to administrate
+##	an clamav environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the clamav domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',`
 interface(`clamav_admin',`
 	gen_require(`
 		type clamd_t, clamd_etc_t, clamd_tmp_t;
-		type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
-		type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+		type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+		type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
 		type freshclam_t, freshclam_var_log_t;
+		type clamd_unit_file_t;
 	')
 
-	allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
+	allow $1 clamd_t:process signal_perms;
+	ps_process_pattern($1, clamd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 clamd_t:process ptrace;
+		allow $1 clamscan_t:process ptrace;
+		allow $1 freshclam_t:process ptrace;
+	')
+
+	allow $1 clamscan_t:process signal_perms;
+	ps_process_pattern($1, clamscan_t)
+
+	allow $1 freshclam_t:process signal_perms;
+	ps_process_pattern($1, freshclam_t)
 
 	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 clamd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	clamd_systemctl($1)
+	admin_pattern($1, clamd_unit_file_t)
+	allow $1 clamd_unit_file_t:service all_service_perms;
+
 	files_list_etc($1)
 	admin_pattern($1, clamd_etc_t)
 
@@ -217,11 +251,21 @@ interface(`clamav_admin',`
 	admin_pattern($1, clamd_var_lib_t)
 
 	logging_list_logs($1)
-	admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
+	admin_pattern($1, clamd_var_log_t)
 
 	files_list_pids($1)
 	admin_pattern($1, clamd_var_run_t)
 
 	files_list_tmp($1)
-	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
+	admin_pattern($1, clamd_tmp_t)
+
+	admin_pattern($1, clamscan_tmp_t)
+
+	admin_pattern($1, freshclam_var_log_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+
 ')
diff --git a/clamav.te b/clamav.te
index 8e1fef9..c8c9a5a 100644
--- a/clamav.te
+++ b/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
 type clamd_initrc_exec_t;
 init_script_file(clamd_initrc_exec_t)
 
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
 type clamd_tmp_t;
 files_tmp_file(clamd_tmp_t)
 
@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
 allow clamd_t self:capability { kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:process signal;
+
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
 allow clamd_t self:tcp_socket { listen accept };
@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
 
 corecmd_exec_shell(clamd_t)
 
-corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
 corenet_tcp_sendrecv_generic_if(clamd_t)
 corenet_tcp_sendrecv_generic_node(clamd_t)
@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
 
 corenet_sendrecv_generic_client_packets(clamd_t)
 corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
 
 corenet_sendrecv_clamd_server_packets(clamd_t)
 corenet_tcp_bind_clamd_port(clamd_t)
@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
 
 logging_send_syslog_msg(clamd_t)
 
-miscfiles_read_localization(clamd_t)
-
-tunable_policy(`clamd_use_jit',`
-	allow clamd_t self:process execmem;
-',`
-	dontaudit clamd_t self:process execmem;
-')
-
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
 	amavis_read_spool_files(clamd_t)
-	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+	amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
 	amavis_create_pid_files(clamd_t)
 ')
 
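Review bot: Widening `amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })` means every file and directory clamd creates in the amavis spool is labelled `clamd_var_run_t` instead of the spool's own type, and nothing in this hunk gives amavisd access to `clamd_var_run_t`, so amavis may be unable to read or clean up what clamd leaves behind unless the amavis module already allows that. A comment stating what clamd actually creates there would let the next reader check the label is right, e.g. `# clamd creates per-scan dirs/files in the amavis spool; they keep clamd_var_run_t`. The `clamd_use_jit` tunable removed here is re-added further down the file, so that part is a move, not a removal.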
@@ -165,6 +161,31 @@ optional_policy(`
 	mta_send_mail(clamd_t)
 ')
 
+optional_policy(`
+	spamd_stream_connect(clamd_t)
+	spamassassin_read_pid_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+	allow clamd_t self:process execmem;
+	allow clamscan_t self:process execmem;
+',`
+	dontaudit clamd_t self:process execmem;
+	dontaudit clamscan_t self:process execmem;
+')
+
+optional_policy(`
+    antivirus_domain_template(clamd_t)
+')
+
+optional_policy(`
+    antivirus_domain_template(clamscan_t)
+')
+
+optional_policy(`
+    antivirus_domain_template(freshclam_t)
+')
+
 ########################################
 #
 # Freshclam local policy
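Review bot: The three `optional_policy` blocks calling `antivirus_domain_template` are indented with four spaces where the rest of clamav.te uses a tab, and since all three depend on the same module they could be a single block. Invoking something named `_template` with an existing type (`clamd_t`) rather than a prefix is also unusual in this policy; its body is not in this diff, so a comment such as `# antivirus_domain_template adds the antivirus_domain attribute to an existing domain` (assuming that is what it does) would stop a reader from expecting it to declare a new `clamd_t_t`.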
@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
 
 logging_send_syslog_msg(freshclam_t)
 
-miscfiles_read_localization(freshclam_t)
 
 tunable_policy(`clamd_use_jit',`
 	allow freshclam_t self:process execmem;
@@ -241,6 +261,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	clamd_systemctl(freshclam_t)
+')
+
+optional_policy(`
 	cron_system_entry(freshclam_t, freshclam_exec_t)
 ')
 
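Review bot: `clamd_systemctl(freshclam_t)` gives freshclam — a domain that fetches data from remote mirrors — the right to execute systemctl and, judging by the interface tail at the top of this diff, start/stop/reload the clamd unit, with no comment on why. State the reason next to the call, e.g. `# freshclam reloads clamd after a signature database update`, and if reload is all that is needed consider granting only that rather than the full `manage_service_perms`. The `optional_policy` wrapper is redundant unless it is there for the systemd types the interface pulls in, because `clamd_systemctl` is defined in this module's own clamav.if and is always present.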
@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
 kernel_read_kernel_sysctls(clamscan_t)
 kernel_read_system_state(clamscan_t)
 
-corenet_all_recvfrom_unlabeled(clamscan_t)
 corenet_all_recvfrom_netlabel(clamscan_t)
 corenet_tcp_sendrecv_generic_if(clamscan_t)
 corenet_tcp_sendrecv_generic_node(clamscan_t)
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
 
 corecmd_read_all_executables(clamscan_t)
 
-files_read_etc_files(clamscan_t)
 files_read_etc_runtime_files(clamscan_t)
 files_search_var_lib(clamscan_t)
 
 init_read_utmp(clamscan_t)
 init_dontaudit_write_utmp(clamscan_t)
 
-miscfiles_read_localization(clamscan_t)
 miscfiles_read_public_files(clamscan_t)
 
 sysnet_dns_name_resolve(clamscan_t)
@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
 ')
 
 optional_policy(`
-	amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
 	apache_read_sys_content(clamscan_t)
 ')
 
diff --git a/clockspeed.te b/clockspeed.te
index b59c592..4b8cddc 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
 
 read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 
-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
 corenet_all_recvfrom_netlabel(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
 
 files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
 
-miscfiles_read_localization(clockspeed_cli_t)
 
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
 
 ########################################
 #
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
 manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 
-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
 corenet_all_recvfrom_netlabel(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
 corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
 
 files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
 
-miscfiles_read_localization(clockspeed_srv_t)
 
 optional_policy(`
 	daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
index 29782b8..685edff 100644
--- a/clogd.te
+++ b/clogd.te
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
 
 logging_send_syslog_msg(clogd_t)
 
-miscfiles_read_localization(clogd_t)
-
 optional_policy(`
-	aisexec_stream_connect(clogd_t)
-	corosync_stream_connect(clogd_t)
+	rhcs_stream_connect_cluster(clogd_t)
 ')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 0000000..6cc6774
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,28 @@
+/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-metadata-service     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
+/usr/bin/mongod		    --	gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/share/aeolus-conductor/dbomatic/dbomatic	--	gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/lib/systemd/system/cloud-config.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/usr/lib/systemd/system/cloud-init.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init\.log.*  --  gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+/var/lib/mongo.*		gen_context(system_u:object_r:mongod_var_lib_t,s0)
+
+/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log.*		--		gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/log/mongo.*		gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/aeolus-conductor/dbomatic\.log.*	--	gen_context(system_u:object_r:mongod_log_t,s0)
+
+/var/run/mongo.*		gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
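Review bot: The `mongo.*` patterns (`/var/lib/mongo.*`, `/var/log/mongo.*`, `/var/run/mongo.*`) are open-ended and relabel any path that merely starts with `mongo`, not just mongod's tree; if `mongo` and `mongodb` are the only intended roots, `/var/lib/mongo(db)?(/.*)?` and the log/run equivalents say that precisely. Labeling `/usr/share/aeolus-conductor/dbomatic/dbomatic` as `mongod_exec_t` runs an unrelated aeolus-conductor program in the mongod domain, so everything granted to mongod_t (postgresql/mysql connects, execmem) applies to it as well; a comment in the .fc recording that dbomatic deliberately shares mongod_t would make that trade-off visible to the next maintainer.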
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
index 0000000..8ac848b
--- /dev/null
+++ b/cloudform.if
@@ -0,0 +1,42 @@
+## <summary>cloudform policy</summary>
+
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  cloudform daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`cloudform_domain_template',`
+    gen_require(`
+        attribute cloudform_domain;
+    ')
+
+    type $1_t, cloudform_domain;
+    type $1_exec_t;
+    init_daemon_domain($1_t, $1_exec_t)
+
+    kernel_read_system_state($1_t)
+')
+
+######################################
+## <summary>
+##	Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudform_exec_mongod',`
+    gen_require(`
+	type mongod_exec_t;
+    ')
+
+    can_exec($1, mongod_exec_t)
+')
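Review bot: `cloudform_domain_template` attaches the new domain to the `cloudform_domain` attribute, which silently brings in every rule written against that attribute in cloudform.te (tcp sockets, rand/urand, passwd, certs), but its summary only says it creates a basic daemon domain. Say so in the summary: `## Creates a daemon domain carrying the cloudform_domain attribute, so it inherits the shared cloudform_domain rules.` The file also mixes a tab inside the `gen_require` of `cloudform_exec_mongod` with four-space indentation elsewhere; pick one.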
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 0000000..496ce03
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,300 @@
+policy_module(cloudform, 1.0)
+########################################
+#
+# Declarations
+#
+
+attribute cloudform_domain;
+
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(mongod)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
+type cloud_init_unit_file_t;
+systemd_unit_file(cloud_init_unit_file_t)
+
+type cloud_var_lib_t;
+files_type(cloud_var_lib_t)
+
+type cloud_log_t;
+logging_log_file(cloud_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
+
+type deltacloudd_var_run_t;
+files_pid_file(deltacloudd_var_run_t)
+
+type deltacloudd_tmp_t;
+files_tmp_file(deltacloudd_tmp_t)
+
+type iwhd_initrc_exec_t;
+init_script_file(iwhd_initrc_exec_t)
+
+type iwhd_var_lib_t;
+files_type(iwhd_var_lib_t)
+
+type iwhd_var_run_t;
+files_pid_file(iwhd_var_run_t)
+
+type mongod_initrc_exec_t;
+init_script_file(mongod_initrc_exec_t)
+
+type mongod_log_t;
+logging_log_file(mongod_log_t)
+
+type mongod_var_lib_t;
+files_type(mongod_var_lib_t)
+
+type mongod_tmp_t;
+files_tmp_file(mongod_tmp_t)
+
+type mongod_var_run_t;
+files_pid_file(mongod_var_run_t)
+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
+########################################
+#
+# cloudform_domain local policy
+#
+
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
+dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
+dev_read_sysfs(cloudform_domain)
+
+auth_read_passwd(cloudform_domain)
+
+miscfiles_read_certs(cloudform_domain)
+
+#################################
+#
+# cloud-init local policy
+#
+
+allow cloud_init_t self:capability { fowner chown fsetid dac_override };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
+
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
+
+kernel_read_network_state(cloud_init_t)
+
+corenet_tcp_connect_http_port(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+domain_read_all_domains_state(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+    dbus_system_bus_client(cloud_init_t)
+')
+
+optional_policy(`
+    dmidecode_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    fstools_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    hostname_exec(cloud_init_t)
+')
+
+optional_policy(`
+    mount_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    # it check file context and run restorecon
+    seutil_read_file_contexts(cloud_init_t)
+    seutil_domtrans_setfiles(cloud_init_t)
+')
+
+optional_policy(`
+    ssh_exec_keygen(cloud_init_t)
+    ssh_read_user_home_files(cloud_init_t)
+')
+
+optional_policy(`
+    sysnet_domtrans_ifconfig(cloud_init_t)
+    sysnet_read_dhcpc_state(cloud_init_t)
+    sysnet_dns_name_resolve(cloud_init_t)
+')
+
+optional_policy(`
+    rpm_domtrans(cloud_init_t)
+    rpm_transition_script(cloud_init_t)
+    unconfined_domain(cloud_init_t)
+')
+
+########################################
+#
+# deltacloudd local policy
+#
+
+allow deltacloudd_t self:capability { dac_override setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
+allow deltacloudd_t self:process signal;
+
+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
+kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
+
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+corenet_tcp_connect_http_port(deltacloudd_t)
+corenet_tcp_connect_keystone_port(deltacloudd_t)
+
+auth_use_nsswitch(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
+
+optional_policy(`
+	sysnet_read_config(deltacloudd_t)
+')
+
+########################################
+#
+# iwhd local policy
+#
+
+allow iwhd_t self:capability { chown kill };
+allow iwhd_t self:process { fork };
+
+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+
+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
+
+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
+
+kernel_read_system_state(iwhd_t)
+
+corenet_tcp_bind_generic_node(iwhd_t)
+corenet_tcp_bind_websm_port(iwhd_t)
+corenet_tcp_connect_all_ports(iwhd_t)
+
+dev_read_rand(iwhd_t)
+dev_read_urand(iwhd_t)
+
+userdom_home_manager(iwhd_t)
+
+########################################
+#
+# mongod local policy
+#
+
+allow mongod_t self:process { execmem setsched signal };
+
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
+allow mongod_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
+
+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+
+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+#needed by dbomatic
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir })
+
+corecmd_exec_bin(mongod_t)
+corecmd_exec_shell(mongod_t)
+
+corenet_tcp_bind_generic_node(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
+corenet_tcp_connect_postgresql_port(mongod_t)
+
+kernel_read_vm_sysctls(mongod_t)
+kernel_read_system_state(mongod_t)
+
+fs_getattr_all_fs(mongod_t)
+
+optional_policy(`
+	mysql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(mongod_t)
+')
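Review bot: `unconfined_domain(cloud_init_t)` sits inside the `optional_policy` block with `rpm_domtrans`, where it is easy to miss, and it makes every fine-grained rule above it for cloud_init_t (`storage_raw_read_fixed_disk`, `usermanage_domtrans_passwd`, `systemd_start_all_services`, setfiles) irrelevant for enforcement whenever the unconfined module is loaded. Give it its own block with a comment stating the reason, e.g. `# cloud-init runs arbitrary user-data scripts, so it is deliberately unconfined`, so a reader knows the surrounding rules only bite when unconfined is absent. In the same file, `corenet_tcp_connect_all_ports(iwhd_t)` and `userdom_home_manager(iwhd_t)` are broad for a storage daemon; a one-line justification for each would help, or narrowing to the ports it actually contacts if those are known.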
diff --git a/cmirrord.if b/cmirrord.if
index cc4e7cb..f348d27 100644
--- a/cmirrord.if
+++ b/cmirrord.if
@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
 		type cmirrord_t, cmirrord_tmpfs_t;
 	')
 
-	allow $1 cmirrord_t:shm rw_shm_perms;
+	allow $1 cmirrord_t:shm { rw_shm_perms destroy };
 
 	allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
 	rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+	delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 	read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 	fs_search_tmpfs($1)
 ')
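Review bot: `cmirrord_rw_shm` now also grants `destroy` on the shm segment and `delete_files_pattern` on `cmirrord_tmpfs_t`, so it lets the caller tear down cmirrord's shared memory rather than just read and write it, while its name and summary (outside this hunk) still describe rw access. Either extend the summary to say the caller may also destroy the segment and unlink its tmpfs files, or move the destructive half into a separate interface so callers asking for rw do not silently get delete.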
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
 		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
 	')
 
-	allow $1 cmirrord_t:process { ptrace signal_perms };
+	allow $1 cmirrord_t:process signal_perms;
 	ps_process_pattern($1, cmirrord_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cmirrord_t:process ptrace;
+	')
+
 	cmirrord_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
index d8e9958..e4c023c 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
 # Local policy
 #
 
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { sys_admin net_admin kill };
 dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process { setfscreate signal };
 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
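Review bot: Adding `sys_admin` to cmirrord_t's capability set is a very large grant — it covers mount, many block-device ioctls, namespace setup and much more, and is the capability most often treated as root-equivalent — yet the line carries no note on which operation needed it. Record the trigger next to the rule, e.g. `# sys_admin: needed for <ioctl/syscall from the AVC denial>`, so a later audit can check whether a narrower permission or a storage_* interface would do instead.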
@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
 domain_use_interactive_fds(cmirrord_t)
 domain_obj_id_change_exemption(cmirrord_t)
 
-files_read_etc_files(cmirrord_t)
-
 storage_create_fixed_disk_dev(cmirrord_t)
+storage_raw_read_fixed_disk(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
 
 seutil_read_file_contexts(cmirrord_t)
 
 logging_send_syslog_msg(cmirrord_t)
 
-miscfiles_read_localization(cmirrord_t)
-
 optional_policy(`
 	corosync_stream_connect(cmirrord_t)
 ')
+
+optional_policy(`
+    rhcs_rw_cluster_tmpfs(cmirrord_t)
+')
diff --git a/cobbler.fc b/cobbler.fc
index 973d208..2b650a7 100644
--- a/cobbler.fc
+++ b/cobbler.fc
@@ -4,6 +4,7 @@
 
 /usr/bin/cobblerd	--	gen_context(system_u:object_r:cobblerd_exec_t,s0)
 
+/var/cache/cobbler(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/cobbler(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 
 /var/lib/tftpboot/etc(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
index c223f81..8b567c1 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
 	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
 ')
 
+
+
+########################################
+## <summary>
+##	Read cobbler configuration dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cobbler_list_config',`
+	gen_require(`
+		type cobbler_etc_t;
+	')
+
+	list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+	files_search_etc($1)
+')
+
+
 ########################################
 ## <summary>
 ##	Read cobbler configuration files.
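Review bot: The new `cobbler_list_config` interface is surrounded by two blank lines on each side where the rest of cobbler.if separates interfaces with one, and its summary says `Read cobbler configuration dirs.` while the body only grants `list_dirs_pattern`; `## List cobbler configuration directories.` matches what it does. Neighbouring interfaces use both the `cobblerd_` and `cobbler_` prefixes, so it would be worth stating which one this module standardises on before adding more.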
@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
 
 	files_search_var_lib($1)
 	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 ')
 
 ########################################
@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 ')
 
 ########################################
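Review bot: `cobbler_manage_lib_files` now also manages directories and symlinks under `cobbler_var_lib_t`, so its name and summary (outside this hunk) understate what it grants; either update the summary to say files, symlinks and directories, or add a separate `cobbler_manage_lib_dirs` interface the way cockpit.if does in this same commit. The two added lines are indented with four spaces where the file uses tabs.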
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
 interface(`cobbler_admin',`
 	gen_require(`
 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+		type cobbler_etc_t, cobblerd_initrc_exec_t;
+		type cobbler_tmp_t;
 	')
 
 	allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
 
 	logging_search_logs($1)
 	admin_pattern($1, cobbler_var_log_t)
-
-	apache_search_sys_content($1)
-	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
 ')
diff --git a/cobbler.te b/cobbler.te
index 2a71346..3a38b11 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
 
 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
 
 kernel_read_system_state(cobblerd_t)
-kernel_dontaudit_search_network_state(cobblerd_t)
+kernel_read_network_state(cobblerd_t)
 
 corecmd_exec_bin(cobblerd_t)
 corecmd_exec_shell(cobblerd_t)
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
 corenet_tcp_connect_http_port(cobblerd_t)
 corenet_sendrecv_http_client_packets(cobblerd_t)
 
+dev_read_sysfs(cobblerd_t)
 dev_read_urand(cobblerd_t)
 
 files_list_boot(cobblerd_t)
 files_list_tmp(cobblerd_t)
 files_read_boot_files(cobblerd_t)
-files_read_etc_files(cobblerd_t)
 files_read_etc_runtime_files(cobblerd_t)
-files_read_usr_files(cobblerd_t)
 
 fs_getattr_all_fs(cobblerd_t)
 fs_read_iso9660_files(cobblerd_t)
@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
 
 term_use_console(cobblerd_t)
 
+auth_use_nsswitch(cobblerd_t)
+
 logging_send_syslog_msg(cobblerd_t)
 
 miscfiles_read_localization(cobblerd_t)
@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
 ')
 
 optional_policy(`
+	apache_domtrans(cobblerd_t)
 	apache_search_sys_content(cobblerd_t)
 ')
 
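Review bot: `apache_domtrans(cobblerd_t)` lets cobblerd execute httpd's binary and transition into its domain, a much larger step than the `apache_search_sys_content` next to it, and there is no comment on what cobbler runs (a reload after regenerating web content?). Add a one-liner, e.g. `# cobbler sync reloads httpd after regenerating its content`, and if the real need is just a service reload consider a systemctl-style interface like the `bind_systemctl`/`dhcpd_systemctl`/`dnsmasq_systemctl` calls this commit adds, if the apache module provides one.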
@@ -170,6 +173,7 @@ optional_policy(`
 	bind_domtrans(cobblerd_t)
 	bind_initrc_domtrans(cobblerd_t)
 	bind_manage_zone(cobblerd_t)
+	bind_systemctl(cobblerd_t)
 ')
 
 optional_policy(`
@@ -179,12 +183,22 @@ optional_policy(`
 optional_policy(`
 	dhcpd_domtrans(cobblerd_t)
 	dhcpd_initrc_domtrans(cobblerd_t)
+	dhcpd_systemctl(cobblerd_t)
 ')
 
 optional_policy(`
 	dnsmasq_domtrans(cobblerd_t)
 	dnsmasq_initrc_domtrans(cobblerd_t)
 	dnsmasq_write_config(cobblerd_t)
+	dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
+    libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
+    mysql_stream_connect(cobblerd_t)
 ')
 
 optional_policy(`
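Review bot: `libs_exec_ldconfig(cobblerd_t)` is wrapped in `optional_policy` although libs is presumably part of the base policy rather than a loadable module, so the wrapper buys nothing and implies a dependency that does not exist; the `mysql_stream_connect` block next to it is a real module dependency and should keep its wrapper. Both new blocks are indented with four spaces where the file uses tabs. A comment on what in cobbler runs ldconfig would also help, since that is an unusual thing for a provisioning daemon to execute.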
@@ -192,13 +206,13 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rsync_exec(cobblerd_t)
 	rsync_read_config(cobblerd_t)
-	rsync_manage_config_files(cobblerd_t)
+	rsync_manage_config(cobblerd_t)
 	rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
 ')
 
 optional_policy(`
-	tftp_manage_config_files(cobblerd_t)
-	tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+	tftp_manage_config(cobblerd_t)
 	tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
 ')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
index 0000000..ee6e817
--- /dev/null
+++ b/cockpit.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/cockpit.service		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/lib/systemd/system/cockpit.socket		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/lib/systemd/system/cockpitd.service		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpitd		--	gen_context(system_u:object_r:cockpit_exec_t,s0)
+
+/var/lib/cockpit(/.*)?		gen_context(system_u:object_r:cockpit_var_lib_t,s0)
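Review bot: The dots in `cockpit.service`, `cockpit.socket` and `cockpitd.service` are unescaped, so each pattern matches any single character at that position; the other file-context entries in this commit escape literal dots (`rc\.d`, `cloud-init\.log`). Write `/usr/lib/systemd/system/cockpit\.service`, `/usr/lib/systemd/system/cockpit\.socket` and `/usr/lib/systemd/system/cockpitd\.service`, or collapse them into one `cockpit.*` entry as collectd.fc does in this diff. The blank line between every entry is also unusual for an .fc file.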
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 0000000..25e3237
--- /dev/null
+++ b/cockpit.if
@@ -0,0 +1,186 @@
+
+## <summary>policy for cockpit</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_domtrans',`
+	gen_require(`
+		type cockpit_t, cockpit_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cockpit_exec_t, cockpit_t)
+')
+
+########################################
+## <summary>
+##	Search cockpit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_search_lib',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	allow $1 cockpit_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read cockpit lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_read_lib_files',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_lib_files',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_lib_dirs',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute cockpit server in the cockpit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cockpit_systemctl',`
+	gen_require(`
+		type cockpit_t;
+		type cockpit_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 cockpit_unit_file_t:file read_file_perms;
+	allow $1 cockpit_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, cockpit_t)
+')
+
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	cockpit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_dbus_chat',`
+	gen_require(`
+		type cockpit_t;
+		class dbus send_msg;
+	')
+
+	allow $1 cockpit_t:dbus send_msg;
+	allow cockpit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an cockpit environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cockpit_admin',`
+	gen_require(`
+		type cockpit_t;
+		type cockpit_var_lib_t;
+	type cockpit_unit_file_t;
+	')
+
+	allow $1 cockpit_t:process { signal_perms };
+	ps_process_pattern($1, cockpit_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 cockpit_t:process ptrace;
+    ')
+
+	files_search_var_lib($1)
+	admin_pattern($1, cockpit_var_lib_t)
+
+	cockpit_systemctl($1)
+	admin_pattern($1, cockpit_unit_file_t)
+	allow $1 cockpit_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
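Review bot: The `cockpit_domtrans` summary still reads `Execute TEMPLATE in the cockpit domin.` — a leftover placeholder plus a typo; `## Execute the cockpit daemon in the cockpit domain.` describes what the body does. `cockpit_admin` documents a `role` parameter and is tagged `<rolecap/>` but never uses `$2` (there is no initrc script or role transition for it), so either drop the parameter from the docs or add the role rules the other `_admin` interfaces in this diff carry. Indentation mixes tabs with four- and eight-space runs inside `cockpit_systemctl` and `cockpit_admin`.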
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 0000000..ede96a7
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,93 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_t;
+type cockpit_exec_t;
+init_daemon_domain(cockpit_t, cockpit_exec_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_unit_file_t;
+systemd_unit_file(cockpit_unit_file_t)
+
+########################################
+#
+# cockpit local policy
+#
+allow cockpit_t self:capability net_admin;
+allow cockpit_t self:fifo_file rw_fifo_file_perms;
+allow cockpit_t self:unix_stream_socket create_stream_socket_perms;
+allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow cockpit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
+manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
+manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
+files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file })
+
+kernel_read_system_state(cockpit_t)
+kernel_read_network_state(cockpit_t)
+
+corecmd_exec_bin(cockpit_t)
+corecmd_exec_shell(cockpit_t)
+
+dev_read_sysfs(cockpit_t)
+
+domain_use_interactive_fds(cockpit_t)
+domain_read_all_domains_state(cockpit_t)
+
+files_read_etc_files(cockpit_t)
+files_list_tmp(cockpit_t)
+
+fs_read_tmpfs_symlinks(cockpit_t)
+fs_list_cgroup_dirs(cockpit_t)
+fs_read_cgroup_files(cockpit_t)
+fs_getattr_all_fs(cockpit_t)
+
+auth_use_nsswitch(cockpit_t)
+
+init_dbus_chat(cockpit_t)
+init_status(cockpit_t)
+init_read_state(cockpit_t)
+init_list_pid_dirs(cockpit_t)
+
+logging_send_syslog_msg(cockpit_t)
+
+miscfiles_read_localization(cockpit_t)
+
+systemd_status_all_unit_files(cockpit_t)
+systemd_read_logind_sessions_files(cockpit_t)
+
+udev_read_pid_files(cockpit_t)
+
+optional_policy(`
+	dbus_system_bus_client(cockpit_t)
+	dbus_connect_system_bus(cockpit_t)
+
+	optional_policy(`
+		accountsd_dbus_chat(cockpit_t)
+	')
+
+	optional_policy(`
+		devicekit_dbus_chat_disk(cockpit_t)
+		devicekit_dbus_chat_power(cockpit_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(cockpit_t)
+		networkmanager_stream_connect(cockpit_t)
+	')
+
+	optional_policy(`
+		realmd_dbus_chat(cockpit_t)
+	')
+')
+
+optional_policy(`
+	docker_stream_connect(cockpit_t)
+')
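Review bot: `files_read_etc_files(cockpit_t)` is added here while the same commit removes that exact call from clamscan_t, clockspeed, cmirrord and cobblerd, presumably because the base policy now grants it to every domain; keep the file consistent with the rest of the change or note why cockpit needs it explicitly. `allow cockpit_t self:capability net_admin;` is granted without a comment even though cockpit_t already gets a `netlink_kobject_uevent_socket` and NetworkManager dbus chat, so say which operation needs the raw capability, e.g. `# net_admin: <operation>`. `init_dbus_chat` together with `systemd_status_all_unit_files` presumably lets cockpit drive units through systemd, which is worth a one-line note that it is by design.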
diff --git a/collectd.fc b/collectd.fc
index 79a3abe..2e7d7ed 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/collectd	--	gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/collectd.*  -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+
 /usr/sbin/collectd	--	gen_context(system_u:object_r:collectd_exec_t,s0)
 
 /var/lib/collectd(/.*)?	gen_context(system_u:object_r:collectd_var_lib_t,s0)
diff --git a/collectd.if b/collectd.if
index 954309e..f4db2ca 100644
--- a/collectd.if
+++ b/collectd.if
@@ -2,8 +2,144 @@
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an collectd environment.
+##	Transition to collectd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`collectd_domtrans',`
+	gen_require(`
+		type collectd_t, collectd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+########################################
+## <summary>
+##	Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_initrc_domtrans',`
+	gen_require(`
+		type collectd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Search collectd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_search_lib',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	allow $1 collectd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read collectd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_read_lib_files',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage collectd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_manage_lib_files',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage collectd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_manage_lib_dirs',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`collectd_systemctl',`
+	gen_require(`
+		type collectd_t;
+		type collectd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 collectd_unit_file_t:file read_file_perms;
+	allow $1 collectd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, collectd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an collectd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
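Review bot: The summary on `collectd_systemctl` (`Execute collectd server in the collectd domain.`) describes a domain transition, but the interface only grants `systemd_exec_systemctl`, read of `collectd_unit_file_t` and `manage_service_perms` on it — nothing ever enters `collectd_t` — and the parameter summary `Domain allowed to transition.` is wrong for the same reason. Suggest `##	Execute systemctl to manage the collectd service and read its unit file.` and `##	Domain allowed access.`. The identical copied header appears on `colord_systemctl` (colord.if) and `condor_systemctl` (condor.if) in this patch, and on `conman_systemctl`, whose hunk runs past the end of this page. Separately, `collectd_initrc_domtrans` and `collectd_systemctl` now carry word-for-word the same summary, so the generated documentation cannot tell them apart.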
@@ -20,13 +156,17 @@
 interface(`collectd_admin',`
 	gen_require(`
 		type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
-		type collectd_var_lib_t;
+        type collectd_var_lib_t, collectd_unit_file_t;
 	')
 
-	allow $1 collectd_t:process { ptrace signal_perms };
+	allow $1 collectd_t:process signal_perms;
 	ps_process_pattern($1, collectd_t)
 
-	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 collectd_t:process ptrace;
+	')
+
+	collectd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 collectd_initrc_exec_t system_r;
 	allow $2 system_r;
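Review bot: `type collectd_var_lib_t, collectd_unit_file_t;` in the `gen_require` block is indented with eight spaces while every other line of the interface uses tabs, so the block now mixes the two. The same mixing is introduced elsewhere in this patch — `condor_domain_template`, `condor_startd_ranged_domtrans_to`, `condor_startd_domtrans_to`, `condor_rw_lib_files`, `condor_rw_tcp_sockets_schedd` and `condor_admin` in condor.if, the xserver block at the end of colord.te, the `netutils_domtrans_ping` call in collectd.te, the `unconfined_domain` call in condor.te, and `systemd_read_fifo_file_passwd_run` in conman.if — and one pass converting those lines to tabs would keep the modules consistent with the surrounding refpolicy style. The `deny_ptrace` split itself is the standard form.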
@@ -36,4 +176,9 @@ interface(`collectd_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, collectd_var_lib_t)
+
+	collectd_systemctl($1)
+	admin_pattern($1, collectd_unit_file_t)
+	allow $1 collectd_unit_file_t:service all_service_perms;
 ')
+
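Review bot: The added empty line after the closing `')` leaves collectd.if ending with a trailing blank line; the new conman.fc ends the same way. `allow $1 collectd_unit_file_t:service all_service_perms;` also makes the `manage_service_perms` granted inside `collectd_systemctl($1)` two lines above redundant, which is harmless but worth a comment for whoever next reads the admin interface; `condor_admin` in this patch uses the same pattern.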
diff --git a/collectd.te b/collectd.te
index 6471fa8..6ade0ea 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,18 +26,27 @@ files_type(collectd_var_lib_t)
 type collectd_var_run_t;
 files_pid_file(collectd_var_run_t)
 
+type collectd_unit_file_t;
+systemd_unit_file(collectd_unit_file_t)
+
 apache_content_template(collectd)
 
+type httpd_collectd_script_tmp_t;
+files_tmp_file(httpd_collectd_script_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_admin sys_nice };
 allow collectd_t self:process { getsched setsched signal };
 allow collectd_t self:fifo_file rw_fifo_file_perms;
 allow collectd_t self:packet_socket create_socket_perms;
 allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
 
 manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
 manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
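Review bot: The `net_admin` capability and the `rawip_socket` / `netlink_tcpdiag_socket` grants on `collectd_t` come with no comment saying which collectd plugin needs them, and `net_admin` in particular is far broader than metrics collection usually requires (it permits changing interface, routing and filtering state, among other things). Since the same patch delegates ICMP probing to `ping` via `netutils_domtrans_ping(collectd_t)`, the `rawip_socket` line may no longer be needed — worth confirming against the plugin set this was written for. Suggest a comment above the capability line such as `# net_admin/rawip/tcpdiag: required by the <plugin> plugin — TODO confirm`, so the grants can be retired when that plugin goes away.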
@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
 manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
 files_pid_filetrans(collectd_t, collectd_var_run_t, file)
 
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
 
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
+auth_getattr_passwd(collectd_t)
+auth_read_passwd(collectd_t)
+
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
 
 dev_read_rand(collectd_t)
 dev_read_sysfs(collectd_t)
 dev_read_urand(collectd_t)
 
+domain_use_interactive_fds(collectd_t)
+domain_read_all_domains_state(collectd_t)
+
 files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
 
 fs_getattr_all_fs(collectd_t)
 
-miscfiles_read_localization(collectd_t)
+init_read_utmp(collectd_t)
 
 logging_send_syslog_msg(collectd_t)
 
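Review bot: `kernel_read_all_sysctls`, `kernel_read_all_proc` and `kernel_list_all_proc` on `collectd_t` replace the narrower `kernel_read_net_sysctls` / `kernel_read_network_state` / `kernel_read_system_state` the removed lines granted, and `domain_read_all_domains_state` adds read access to every other domain's /proc state. Some of this may be justified for a metrics collector, but the diff does not say which plugins drove the widening, so a comment such as `# all_proc/all_sysctls: required by the <plugin> plugin` above the block would let a later maintainer re-narrow it. Dropping `files_read_etc_files`, `files_read_usr_files` and `miscfiles_read_localization` is presumably because the base policy on the target distribution now grants them to all domains; if that is not the case, collectd loses config and locale access.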
@@ -75,16 +89,31 @@ tunable_policy(`collectd_tcp_network_connect',`
 ')
 
 optional_policy(`
+	mysql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+    netutils_domtrans_ping(collectd_t)
+')
+
+optional_policy(`
 	virt_read_config(collectd_t)
+	virt_stream_connect(collectd_t)
 ')
 
 ########################################
 #
-# Web local policy
+# Web collectd local policy
 #
 
-optional_policy(`
-	read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-	list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-	miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
+
+files_search_var_lib(httpd_collectd_script_t)	
+read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+
+manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })	
+
+auth_read_passwd(httpd_collectd_script_t)
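Review bot: `files_search_var_lib(httpd_collectd_script_t)` and the `files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })` line both end with a trailing tab, and `netutils_domtrans_ping(collectd_t)` is indented with four spaces inside an `optional_policy` block that otherwise uses tabs. Removing the `optional_policy` wrapper around the `httpd_collectd_script_t` rules is safe here because `apache_content_template(collectd)` is invoked unconditionally earlier in this file, so the type always exists; a one-line comment to that effect would pre-empt the question on the next review.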
diff --git a/colord.fc b/colord.fc
index 717ea0b..22e0385 100644
--- a/colord.fc
+++ b/colord.fc
@@ -4,5 +4,7 @@
 /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
 
+/usr/lib/systemd/system/colord.*  -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
 /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
 /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
index 8e27a37..825f537 100644
--- a/colord.if
+++ b/colord.if
@@ -1,4 +1,4 @@
-## <summary>GNOME color manager.</summary>
+## <summary>GNOME color manager</summary>
 
 ########################################
 ## <summary>
@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
 		type colord_t, colord_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, colord_exec_t, colord_t)
 ')
 
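Review bot: Dropping `corecmd_search_bin($1)` from `colord_domtrans` means callers no longer receive search permission on the directory holding the entrypoint, which colord.fc places under `/usr/libexec` (normally a bin-labelled directory); a caller that does not already have that search right will fail the transition at path lookup rather than at exec. The other `*_domtrans` interfaces in this patch (`collectd_domtrans`, `condor_domtrans_master`, `conman_domtrans`) keep the call, so unless the removal was deliberate it should be restored as `corecmd_search_bin($1)` on the line before `domtrans_pattern`.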
@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
 
 	allow $1 colord_t:dbus send_msg;
 	allow colord_t $1:dbus send_msg;
+	ps_process_pattern(colord_t, $1)
 ')
 
 ######################################
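Review bot: `ps_process_pattern(colord_t, $1)` inside `colord_dbus_chat` gives colord read access to the process state of every domain that merely exchanges D-Bus messages with it, which is more than the interface name advertises and will surprise callers auditing what `colord_dbus_chat` grants. If colord needs to inspect its peers for a specific reason, a comment stating it on that line (`# colord reads peer /proc state to ...`) is the minimum; otherwise a separate interface would let callers opt in explicitly.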
@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',`
 	files_search_var_lib($1)
 	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Execute colord server in the colord domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`colord_systemctl',`
+	gen_require(`
+		type colord_t;
+		type colord_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 colord_unit_file_t:file read_file_perms;
+	allow $1 colord_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
index 09f18e2..3547d05 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
 type colord_t;
 type colord_exec_t;
 dbus_system_domain(colord_t, colord_exec_t)
+init_daemon_domain(colord_t, colord_exec_t)
 
 type colord_tmp_t;
 files_tmp_file(colord_tmp_t)
@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
 type colord_var_lib_t;
 files_type(colord_var_lib_t)
 
+type colord_unit_file_t;
+systemd_unit_file(colord_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
 allow colord_t self:capability { dac_read_search dac_override };
 dontaudit colord_t self:capability sys_admin;
 allow colord_t self:process signal;
+
 allow colord_t self:fifo_file rw_fifo_file_perms;
 allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow colord_t self:tcp_socket { accept listen };
+allow colord_t self:tcp_socket create_stream_socket_perms;
 allow colord_t self:shm create_shm_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
 dev_write_video_dev(colord_t)
 dev_rw_printer(colord_t)
 dev_read_rand(colord_t)
-dev_read_sysfs(colord_t)
 dev_read_urand(colord_t)
-dev_list_sysfs(colord_t)
+dev_read_sysfs(colord_t)
 dev_rw_generic_usb_dev(colord_t)
 
 domain_use_interactive_fds(colord_t)
 
 files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
 
-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
+fs_getattr_all_fs(colord_t)
 fs_list_noxattr_fs(colord_t)
 fs_read_noxattr_fs_files(colord_t)
 fs_search_all(colord_t)
 fs_dontaudit_getattr_all_fs(colord_t)
+fs_getattr_tmpfs(colord_t)
+fs_read_cgroup_files(colord_t)
 
 storage_getattr_fixed_disk_dev(colord_t)
 storage_getattr_removable_dev(colord_t)
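Review bot: `fs_getattr_all_fs(colord_t)` now sits a few lines above the retained `fs_dontaudit_getattr_all_fs(colord_t)`, so the dontaudit is dead (an allow on the same permission means the access is never denied, hence never audited), and the re-added `fs_getattr_tmpfs(colord_t)` is a strict subset of the allow. Suggest dropping both redundant lines, or, if the intent was only to silence denials, keeping the dontaudit and dropping the allow. Moving `dev_read_sysfs` after `dev_read_urand` is cosmetic.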
@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t)
 
 auth_use_nsswitch(colord_t)
 
+init_read_state(colord_t)
+
 logging_send_syslog_msg(colord_t)
 
-miscfiles_read_localization(colord_t)
+systemd_read_logind_sessions_files(colord_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_getattr_nfs(colord_t)
-	fs_read_nfs_files(colord_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_getattr_cifs(colord_t)
-	fs_read_cifs_files(colord_t)
-')
+userdom_rw_user_tmpfs_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
 
 optional_policy(`
 	cups_read_config(colord_t)
 	cups_read_rw_config(colord_t)
 	cups_stream_connect(colord_t)
 	cups_dbus_chat(colord_t)
+	cups_read_state(colord_t)
+')
+
+optional_policy(`
+	gnome_read_home_icc_data_content(colord_t)
+	# Fixes lots of breakage in F16 on upgrade
+	gnome_read_generic_data_home_files(colord_t)
 ')
 
 optional_policy(`
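Review bot: `userdom_home_reader(colord_t)` together with `userdom_list_user_home_content` and `userdom_read_inherited_user_home_content_files` replaces what was NFS/CIFS read access gated behind `use_nfs_home_dirs` / `use_samba_home_dirs`, so a system daemon can now read any user's home content unconditionally; that is a noticeable widening for a colour-management service, and the `gnome_read_home_icc_data_content` call in the next block already covers the ICC-profile case. If the broad reader is needed for a known reason, gate it with a tunable or put the reason in a comment beside the line. The `# Fixes lots of breakage in F16 on upgrade` comment records history rather than intent; rewording it to say which files are read and why would age better than the release reference.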
@@ -133,3 +143,16 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(colord_t)
 ')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(colord_t)
+	xserver_read_xdm_state(colord_t)
+	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+	xserver_read_inherited_xdm_lib_files(colord_t)
+    # allow to read /run/initial-setup-$username
+    xserver_read_xdm_pid(colord_t)
+')
+
+optional_policy(`
+	zoneminder_rw_tmpfs_files(colord_t)
+')
diff --git a/comsat.te b/comsat.te
index 3f6e4dc..88c4f19 100644
--- a/comsat.te
+++ b/comsat.te
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
 kernel_read_network_state(comsat_t)
 kernel_read_system_state(comsat_t)
 
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
 dev_read_urand(comsat_t)
 
 fs_getattr_xattr_fs(comsat_t)
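Review bot: `corenet_udp_sendrecv_all_ports(comsat_t)` grants send/receive on every UDP port label for a daemon that serves a single well-known port; if the port module defines a comsat-specific port type, the matching `corenet_udp_sendrecv_<port>_port` / bind interface would be the narrower form (confirm the generated name against corenetwork.if). The generic-if/generic-node lines are the usual minimal set; only the all-ports line needs a second look.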
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
 
 logging_send_syslog_msg(comsat_t)
 
-miscfiles_read_localization(comsat_t)
-
 userdom_dontaudit_getattr_user_ttys(comsat_t)
 
 mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
index 23dc348..c4450f7 100644
--- a/condor.fc
+++ b/condor.fc
@@ -1,4 +1,5 @@
 /etc/rc\.d/init\.d/condor	--	gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.*        --  gen_context(system_u:object_r:condor_unit_file_t,s0)
 
 /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
 /usr/sbin/condor_master	--	gen_context(system_u:object_r:condor_master_exec_t,s0)
@@ -8,6 +9,8 @@
 /usr/sbin/condor_startd	--	gen_context(system_u:object_r:condor_startd_exec_t,s0)
 /usr/sbin/condor_starter	--	gen_context(system_u:object_r:condor_startd_exec_t,s0)
 
+/etc/condor(/.*)?       gen_context(system_u:object_r:condor_etc_rw_t,s0)
+
 /var/lib/condor(/.*)?	gen_context(system_u:object_r:condor_var_lib_t,s0)
 
 /var/lib/condor/execute(/.*)?	gen_context(system_u:object_r:condor_var_lib_t,s0)
diff --git a/condor.if b/condor.if
index 3fe3cb8..e979b3d 100644
--- a/condor.if
+++ b/condor.if
@@ -1,81 +1,396 @@
-## <summary>High-Throughput Computing System.</summary>
+
+## <summary>policy for condor</summary>
+
+#####################################
+## <summary>
+##  Creates types and rules for a basic
+##  condor init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`condor_domain_template',`
+    gen_require(`
+        type condor_master_t;
+        attribute condor_domain;
+    ')
+
+    #############################
+    #
+    # Declarations
+    #
+
+    type condor_$1_t, condor_domain;
+    type condor_$1_exec_t;
+    init_daemon_domain(condor_$1_t, condor_$1_exec_t)
+    role system_r types condor_$1_t;
+
+    domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+    allow condor_master_t condor_$1_exec_t:file ioctl;
+
+	kernel_read_system_state(condor_$1_t)
+
+	corenet_all_recvfrom_netlabel(condor_$1_t)
+	corenet_all_recvfrom_unlabeled(condor_$1_t)
+
+    auth_use_nsswitch(condor_$1_t)
+
+    logging_send_syslog_msg(condor_$1_t)
+')
+
+########################################
+## <summary>
+##	Transition to condor.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`condor_domtrans_master',`
+	gen_require(`
+		type condor_master_t, condor_master_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, condor_master_exec_t, condor_master_t)
+')
+
+#######################################
+## <summary>
+##  Allows to start userland processes
+##  by transitioning to the specified domain,
+##  with a range transition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The process type entered by condor_startd.
+##  </summary>
+## </param>
+## <param name="entrypoint">
+##  <summary>
+##  The executable type for the entrypoint.
+##  </summary>
+## </param>
+## <param name="range">
+##  <summary>
+##  Range for the domain.
+##  </summary>
+## </param>
+#
+interface(`condor_startd_ranged_domtrans_to',`
+    gen_require(`
+        type sshd_t;
+    ')
+    condor_startd_domtrans_to($1, $2)
+
+
+    ifdef(`enable_mcs',`
+        range_transition condor_startd_t $2:process $3;
+    ')
+
+')
 
 #######################################
 ## <summary>
-##	The template to define a condor domain.
+##  Allows to start userlandprocesses
+##  by transitioning to the specified domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="domain">
+##  <summary>
+##  The process type entered by condor_startd.
+##  </summary>
+## </param>
+## <param name="entrypoint">
+##  <summary>
+##  The executable type for the entrypoint.
+##  </summary>
+## </param>
+#
+interface(`condor_startd_domtrans_to',`
+    gen_require(`
+        type condor_startd_t;
+    ')
+
+    domtrans_pattern(condor_startd_t, $2, $1)
+')
+
+########################################
+## <summary>
+##	Read condor's log files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Domain prefix to be used.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-template(`condor_domain_template',`
+interface(`condor_read_log',`
 	gen_require(`
-		attribute condor_domain;
-		type condor_master_t;
+		type condor_log_t;
 	')
 
-	#############################
-	#
-	# Declarations
-	#
+	logging_search_logs($1)
+	read_files_pattern($1, condor_log_t, condor_log_t)
+')
 
-	type condor_$1_t, condor_domain;
-	type condor_$1_exec_t;
-	domain_type(condor_$1_t)
-	domain_entry_file(condor_$1_t, condor_$1_exec_t)
-	role system_r types condor_$1_t;
+########################################
+## <summary>
+##	Append to condor log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_append_log',`
+	gen_require(`
+		type condor_log_t;
+	')
 
-	#############################
-	#
-	# Policy
-	#
+	logging_search_logs($1)
+	append_files_pattern($1, condor_log_t, condor_log_t)
+')
 
-	domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
-	allow condor_master_t condor_$1_exec_t:file ioctl;
+########################################
+## <summary>
+##	Manage condor log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_log',`
+	gen_require(`
+		type condor_log_t;
+	')
 
-	auth_use_nsswitch(condor_$1_t)
+	logging_search_logs($1)
+	manage_dirs_pattern($1, condor_log_t, condor_log_t)
+	manage_files_pattern($1, condor_log_t, condor_log_t)
+	manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an condor environment.
+##	Search condor lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`condor_search_lib',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	allow $1 condor_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read condor lib files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+######################################
+## <summary>
+##  Read and write condor lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_lib_files',`
+    gen_require(`
+        type condor_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage condor lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_lib_files',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage condor lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_lib_dirs',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read condor PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_read_pid_files',`
 	gen_require(`
-		attribute condor_domain;
-		type condor_initrc_exec_config_t, condor_log_t;
-		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-		type condor_var_run_t, condor_startd_tmp_t;
+		type condor_var_run_t;
 	')
 
-	allow $1 condor_domain:process { ptrace signal_perms };
+	files_search_pids($1)
+	allow $1 condor_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute condor server in the condor domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`condor_systemctl',`
+	gen_require(`
+		type condor_domain;
+		type condor_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 condor_unit_file_t:file read_file_perms;
+	allow $1 condor_unit_file_t:service manage_service_perms;
+
 	ps_process_pattern($1, condor_domain)
+')
+
+#######################################
+## <summary>
+##  Read and write condor_startd server TCP sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_tcp_sockets_startd',`
+	gen_require(`
+		type condor_startd_t;
+	')
 
-	init_labeled_script_domtrans($1, condor_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 condor_initrc_exec_t system_r;
-	allow $2 system_r;
+	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
+######################################
+## <summary>
+##  Read and write condor_schedd server TCP sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_tcp_sockets_schedd',`
+    gen_require(`
+        type condor_schedd_t;
+    ')
+
+    allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an condor environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_admin',`
+    gen_require(`
+        attribute condor_domain;
+        type condor_initrc_exec_t, condor_log_t;
+        type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+        type condor_var_run_t, condor_startd_tmp_t;
+		type condor_unit_file_t;
+    ')
+
+	allow $1 condor_domain:process { signal_perms };
+	ps_process_pattern($1, condor_domain)
+
+    init_labeled_script_domtrans($1, condor_initrc_exec_t)
+    domain_system_change_exemption($1)
+    role_transition $2 condor_initrc_exec_t system_r;
+    allow $2 system_r;
 
 	logging_search_logs($1)
 	admin_pattern($1, condor_log_t)
 
-	files_search_locks($1)
-	admin_pattern($1, condor_var_lock_t)
+    files_search_locks($1)
+    admin_pattern($1, condor_var_lock_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, condor_var_lib_t)
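Review bot: `condor_startd_ranged_domtrans_to` requires `type sshd_t;`, which its body never uses, while the `range_transition condor_startd_t $2:process $3;` it emits references `condor_startd_t` without requiring it; the block should read `gen_require(` `type condor_startd_t;` `)`. In `condor_systemctl`, `type condor_domain;` is the wrong kind — `condor_domain` is declared as an attribute (`attribute condor_domain;` in both `condor_domain_template` and `condor_admin` in this same hunk) — so it should be `attribute condor_domain;`. Smaller slips in the same hunk: the `role` parameter of `condor_admin` is summarised as `Domain allowed access.` (should be `Role allowed access.`), `<rolecap/>` has moved from `condor_admin` onto `condor_read_log`, and `condor_admin` drops the ptrace permission outright whereas `collectd_admin` in this patch keeps it behind the `deny_ptrace` tunable.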
@@ -85,4 +400,13 @@ interface(`condor_admin',`
 
 	files_search_tmp($1)
 	admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+
+	condor_systemctl($1)
+	admin_pattern($1, condor_unit_file_t)
+	allow $1 condor_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/condor.te b/condor.te
index 3f2b672..8fb887d 100644
--- a/condor.te
+++ b/condor.te
@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
 type condor_startd_tmpfs_t;
 files_tmpfs_file(condor_startd_tmpfs_t)
 
+type condor_etc_rw_t;
+files_config_file(condor_etc_rw_t)
+
 type condor_log_t;
 logging_log_file(condor_log_t)
 
@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t)
 type condor_var_run_t;
 files_pid_file(condor_var_run_t)
 
+type condor_unit_file_t;
+systemd_unit_file(condor_unit_file_t)
+
 condor_domain_template(collector)
 condor_domain_template(negotiator)
 condor_domain_template(procd)
@@ -57,15 +63,21 @@ condor_domain_template(startd)
 # Global local policy
 #
 
+allow condor_domain self:capability dac_override;
+allow condor_domain self:capability2 block_suspend;
+
 allow condor_domain self:process signal_perms;
 allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
-allow condor_domain self:unix_stream_socket { accept listen };
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
 
 manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
-append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-create_files_pattern(condor_domain, condor_log_t, condor_log_t)
-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
 logging_log_filetrans(condor_domain, condor_log_t, { dir file })
 
 manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
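Review bot: Replacing the append/create/getattr trio on `condor_log_t` with `manage_files_pattern(condor_domain, condor_log_t, condor_log_t)` lets every condor daemon unlink, rename and truncate its own logs, which removes the append-only property that keeps those logs usable as evidence after a compromise of any of these domains. If only log rotation needs the extra permissions, keep the append-only rules on `condor_domain` and grant the wider set to the single domain that rotates. The new `rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)` has the same flavour — all daemons under the attribute may rewrite `/etc/condor` — so a comment naming which daemon actually writes there would let a later reviewer narrow the grant. `allow condor_domain self:capability dac_override;` likewise moves `dac_override` from `condor_master_t` alone to the whole attribute; if that was intended, a one-line comment saves the question.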
@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
 
 allow condor_domain condor_master_t:process signull;
 allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
 
 kernel_read_kernel_sysctls(condor_domain)
 kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
 
 corecmd_exec_bin(condor_domain)
 corecmd_exec_shell(condor_domain)
 
-corenet_all_recvfrom_netlabel(condor_domain)
-corenet_all_recvfrom_unlabeled(condor_domain)
 corenet_tcp_sendrecv_generic_if(condor_domain)
 corenet_tcp_sendrecv_generic_node(condor_domain)
 
@@ -106,9 +116,9 @@ dev_read_rand(condor_domain)
 dev_read_sysfs(condor_domain)
 dev_read_urand(condor_domain)
 
-logging_send_syslog_msg(condor_domain)
+auth_read_passwd(condor_domain)
 
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
 
 tunable_policy(`condor_tcp_network_connect',`
 	corenet_sendrecv_all_client_packets(condor_domain)
@@ -125,7 +135,7 @@ optional_policy(`
 # Master local policy
 #
 
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { setuid setgid sys_ptrace };
 
 allow condor_master_t condor_domain:process { sigkill signal };
 
@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
 
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
+
 corenet_udp_sendrecv_generic_if(condor_master_t)
 corenet_udp_sendrecv_generic_node(condor_master_t)
 corenet_tcp_bind_generic_node(condor_master_t)
@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t)
 
 auth_use_nsswitch(condor_master_t)
 
+logging_send_syslog_msg(condor_master_t)
+
 optional_policy(`
 	mta_send_mail(condor_master_t)
 	mta_read_config(condor_master_t)
@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
 
 kernel_read_network_state(condor_collector_t)
 
+corenet_tcp_bind_http_port(condor_collector_t)
+
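Review bot: `corenet_tcp_bind_http_port(condor_collector_t)` lets the collector bind the port label shared with web servers, which both widens what the collector may listen on and obscures in audit logs which service was expected to hold that port. If the port module defines a condor-specific port type, binding that is the narrower grant; if the collector really serves HTTP, a comment on the line saying so (`# collector exposes its web view on the http port`) avoids the question next time.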
 #####################################
 #
 # Negotiator local policy
@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
 allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
 allow condor_negotiator_t condor_master_t:udp_socket getattr;
 
+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
+
 ######################################
 #
 # Procd local policy
@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
 
 allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
 
-allow condor_procd_t condor_startd_t:process sigkill;
+allow condor_procd_t condor_domain:process sigkill;
+
 
 domain_read_all_domains_state(condor_procd_t)
 
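Review bot: `allow condor_procd_t condor_domain:process sigkill;` widens the kill target from `condor_startd_t` to every condor domain, the master included; if procd only reaps startd children, the old line was the tighter one, so a comment on why the attribute is needed would help. The hunk also leaves two consecutive blank lines after that rule, and the `allow condor_schedd_t condor_master_tmp_t:dir getattr;` line in the following hunk carries trailing whitespace.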
@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
 
 allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
 
+allow condor_schedd_t condor_master_tmp_t:dir getattr;  
+
 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
 domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
 
@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
 
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
 #####################################
 #
 # Startd local policy
@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t)
 mcs_process_set_categories(condor_startd_t)
 
 init_domtrans_script(condor_startd_t)
+init_initrc_domain(condor_startd_t)
 
 libs_exec_lib_files(condor_startd_t)
 
-files_read_usr_files(condor_startd_t)
-
 optional_policy(`
 	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
 	ssh_domtrans(condor_startd_t)
@@ -249,3 +273,7 @@ optional_policy(`
 		kerberos_use(condor_startd_ssh_t)
 	')
 ')
+
+optional_policy(`
+    unconfined_domain(condor_startd_t)
+')
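Review bot: `unconfined_domain(condor_startd_t)` in the closing `optional_policy` makes the startd domain unconfined whenever the module providing that interface is loaded, at which point every startd-specific rule in this file (its tmp/tmpfs types, `mcs_process_set_categories`, the ssh client template, `init_initrc_domain`) stops restricting anything. If this is a deliberate escape hatch for a workload that cannot run confined, it should be gated on a boolean so administrators can opt out — e.g. declare a tunable with `gen_tunable` (a constructed name such as `condor_startd_unconfined`) and wrap the call in `tunable_policy` — with a comment naming the workload. The block also uses four-space indentation where the rest of the file uses tabs.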
diff --git a/conman.fc b/conman.fc
new file mode 100644
index 0000000..5f97ba9
--- /dev/null
+++ b/conman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/conman.*		--	gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand		--	gen_context(system_u:object_r:conman_exec_t,s0)
+
+/var/log/conman(/.*)?			gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)?		gen_context(system_u:object_r:conman_log_t,s0)
+
diff --git a/conman.if b/conman.if
new file mode 100644
index 0000000..54b4b04
--- /dev/null
+++ b/conman.if
@@ -0,0 +1,142 @@
+## <summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
+
+########################################
+## <summary>
+##	Execute conman in the conman domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`conman_domtrans',`
+	gen_require(`
+		type conman_t, conman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, conman_exec_t, conman_t)
+')
+
+########################################
+## <summary>
+##	Read conman's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_read_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Append to conman log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_append_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Manage conman log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_manage_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, conman_log_t, conman_log_t)
+	manage_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Execute conman server in the conman domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`conman_systemctl',`
+	gen_require(`
+		type conman_t;
+		type conman_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 conman_unit_file_t:file read_file_perms;
+	allow $1 conman_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, conman_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an conman environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`conman_admin',`
+	gen_require(`
+		type conman_t;
+		type conman_log_t;
+	    type conman_unit_file_t;
+	')
+
+	allow $1 conman_t:process { signal_perms };
+	ps_process_pattern($1, conman_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 conman_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, conman_log_t)
+
+	conman_systemctl($1)
+	admin_pattern($1, conman_unit_file_t)
+	allow $1 conman_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
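Review bot: The conman_domtrans summary reads "Execute conman in the conman domin." and the conman_admin summary "an conman environment"; both should be `Execute conman in the conman domain.` and `a conman environment`. Indentation is mixed throughout the new file: `systemd_read_fifo_file_passwd_run($1)` in conman_systemctl, the `type conman_unit_file_t;` require line and the whole `tunable_policy(\`deny_ptrace\'...)` block in conman_admin use spaces while the surrounding lines use tabs. conman_admin also calls `systemd_read_fifo_file_passwd_run($1)` a second time inside its optional_policy block even though `conman_systemctl($1)` already granted it unconditionally a few lines earlier; one of the two should go so the interface states its intent once.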
diff --git a/conman.te b/conman.te
new file mode 100644
index 0000000..d6b0314
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,49 @@
+policy_module(conman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type conman_t;
+type conman_exec_t;
+init_daemon_domain(conman_t, conman_exec_t)
+
+type conman_log_t;
+logging_log_file(conman_log_t)
+
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
+########################################
+#
+# conman local policy
+#
+
+allow conman_t self:capability { sys_tty_config };
+allow conman_t self:process { setrlimit signal_perms };
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corecmd_exec_bin(conman_t)
+
+auth_read_passwd(conman_t)
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
+optional_policy(`
+    freeipmi_stream_connect(conman_t)
+')
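Review bot: `userdom_use_user_ptys(conman_t)` lets a system daemon read and write every user's pseudo-terminal, which is broader than a console server that only drives the serial/console devices it manages appears to need; if the real requirement is the consoles themselves, a term_ interface scoped to those devices (for example `term_use_unallocated_ttys`) would be the narrower choice, so a comment naming the device the rule is for would help the next reviewer judge it. The module declares tcp listen/accept and `corenet_tcp_bind_conman_port`, but no `corenet_tcp_sendrecv_generic_if`/`corenet_tcp_sendrecv_generic_node` lines, which the courier template in this same commit adds explicitly; whether those are inherited here cannot be told from this file, so it is worth confirming the daemon can actually serve a connection under enforcing mode. `freeipmi_stream_connect(conman_t)` is indented with spaces while the rest of the file uses tabs.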
diff --git a/consolekit.fc b/consolekit.fc
index 23c9558..29e5fd3 100644
--- a/consolekit.fc
+++ b/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.*  -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
 /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
 
 /var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec..0647a3b 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
 
 ########################################
 ## <summary>
+##	dontaudit Send and receive messages from
+##	consolekit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+	gen_require(`
+		type consolekit_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 consolekit_t:dbus send_msg;
+	dontaudit consolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	consolekit over dbus.
 ## </summary>
@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
 
 ########################################
 ## <summary>
+##	Dontaudit attempts to read consolekit log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_read_log',`
+	gen_require(`
+		type consolekit_log_t;
+	')
+
+	dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read consolekit log files.
 ## </summary>
 ## <param name="domain">
@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',`
 	allow $1 consolekit_var_run_t:dir list_dir_perms;
 	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 ')
+
+########################################
+## <summary>
+##	List consolekit PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_list_pid_files',`
+	gen_require(`
+		type consolekit_var_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+## <summary>
+##	Allow the domain to read consolekit state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_read_state',`
+	gen_require(`
+		type consolekit_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, consolekit_t)
+')
+
+########################################
+## <summary>
+##	Execute consolekit server in the consolekit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`consolekit_systemctl',`
+	gen_require(`
+		type consolekit_t;
+		type consolekit_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 consolekit_unit_file_t:file read_file_perms;
+	allow $1 consolekit_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, consolekit_t)
+')
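Review bot: consolekit_systemctl omits the `systemd_read_fifo_file_passwd_run($1)` call that the conman_systemctl and couchdb_systemctl interfaces added in this same commit include, so the three `*_systemctl` interfaces no longer have the same shape. If the omission is deliberate (consolekit has no password prompt to read), a short comment in the interface saying so would stop the next person from "fixing" it; otherwise add the line for consistency.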
diff --git a/consolekit.te b/consolekit.te
index 5f0c793..580dff0 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
 
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
 allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+
 allow consolekit_t self:process { getsched signal };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
 
-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
 
 manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
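Review bot: Replacing the create/append/read/setattr rules on consolekit_log_t with `manage_files_pattern` also grants write, unlink and rename on the daemon's own log files, so the append-only property the old rules enforced for consolekit_log_t is lost and a compromised daemon could now truncate or remove its audit trail. If the daemon only needs to create directories under /var/log/ConsoleKit and append to files, keep the previous file rules and add `manage_dirs_pattern` plus the `{ dir file }` filetrans on top of them; if it genuinely rewrites logs, a one-line comment above the rules stating that would justify the wider grant.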
@@ -54,37 +56,36 @@ dev_read_sysfs(consolekit_t)
 
 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
 
-files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
 files_search_all_mountpoints(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 
-mcs_ptrace_all(consolekit_t)
-
 term_use_all_terms(consolekit_t)
 
 auth_use_nsswitch(consolekit_t)
 auth_manage_pam_console_data(consolekit_t)
 auth_write_login_records(consolekit_t)
 
+init_read_utmp(consolekit_t)
+
 logging_send_syslog_msg(consolekit_t)
 logging_send_audit_msgs(consolekit_t)
 
-miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+systemd_start_power_services(consolekit_t)
 
+userdom_read_all_users_state(consolekit_t)
 userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
 userdom_read_user_tmp_files(consolekit_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(consolekit_t)
-')
+userdom_home_reader(consolekit_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(consolekit_t)
+optional_policy(`
+	cron_read_system_job_lib_files(consolekit_t)
 ')
 
 ifdef(`distro_debian',`
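Review bot: `userdom_home_reader(consolekit_t)` replaces two tunable-gated reads of NFS and CIFS home files with an attribute grant whose exact scope is not visible here; if it also covers local home content, the retained `userdom_dontaudit_read_user_home_content_files(consolekit_t)` on the line above it becomes contradictory (a dontaudit on an access that is now allowed), so one of the two should be dropped, and the commit description should say which home-directory reads are intended. `userdom_read_all_users_state(consolekit_t)` and `systemd_start_power_services(consolekit_t)` are likewise new, unexplained capabilities for a session daemon; a short comment on each, in the style of the existing `# needs to read /var/lib/dbus/machine-id` line, would make the intent reviewable.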
@@ -112,13 +113,6 @@ optional_policy(`
 	')
 ')
 
-optional_policy(`
-	hal_ptrace(consolekit_t)
-')
-
-optional_policy(`
-	networkmanager_append_log_files(consolekit_t)
-')
 
 optional_policy(`
 	policykit_domtrans_auth(consolekit_t)
diff --git a/corosync.fc b/corosync.fc
index da39f0f..6a96733 100644
--- a/corosync.fc
+++ b/corosync.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/corosync	--	gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/corosync.*  -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+
 /usr/sbin/corosync	--	gen_context(system_u:object_r:corosync_exec_t,s0)
 /usr/sbin/corosync-notifyd	--	gen_context(system_u:object_r:corosync_exec_t,s0)
 
diff --git a/corosync.if b/corosync.if
index 694a037..b836c07 100644
--- a/corosync.if
+++ b/corosync.if
@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
 	read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
 ')
 
+#######################################
+## <summary>
+##	Setattr corosync log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corosync_setattr_log',`
+	gen_require(`
+		type corosync_var_log_t;
+	')
+
+	setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+
 #####################################
 ## <summary>
 ##	Connect to corosync over a unix
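Review bot: corosync_setattr_log grants `setattr_files_pattern` on corosync_var_log_t but, unlike the read interface it sits next to, adds no search permission on the enclosing log directory, so a caller that does not already search /var/log will still be denied at path lookup; add `logging_search_logs($1)` before the pattern call, assuming corosync_read_log above does the same. The new block leaves two consecutive blank lines before the next interface and its `#` banner is one character shorter than the file's other headers.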
@@ -91,29 +110,54 @@ interface(`corosync_read_log',`
 interface(`corosync_stream_connect',`
 	gen_require(`
 		type corosync_t, corosync_var_run_t;
+		type corosync_var_lib_t;
 	')
 
 	files_search_pids($1)
+	stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
 	stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
 ')
 
 ######################################
 ## <summary>
-##	Read and write corosync tmpfs files.
+##  Allow the specified domain to read/write corosync's tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`corosync_rw_tmpfs',`
+    gen_require(`
+        type corosync_tmpfs_t;
+    ')
+
+	rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+
+')
+
+########################################
+## <summary>
+##	Execute corosync server in the corosync domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`corosync_rw_tmpfs',`
+interface(`corosync_systemctl',`
 	gen_require(`
-		type corosync_tmpfs_t;
+		type corosync_t;
+		type corosync_unit_file_t;
 	')
 
-	fs_search_tmpfs($1)
-	rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+	systemd_exec_systemctl($1)
+	allow $1 corosync_unit_file_t:file read_file_perms;
+	allow $1 corosync_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, corosync_t)
 ')
 
 ######################################
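Review bot: The rewritten corosync_rw_tmpfs drops the `fs_search_tmpfs($1)` call the removed version had, so callers that do not already search tmpfs_t will fail at directory lookup before reaching the rw rule; restore `fs_search_tmpfs($1)` ahead of `rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)`. The interface also uses four-space indentation for its gen_require block and a tab for the pattern line, and leaves a stray blank line before the closing `')`; corosync_systemctl directly below shows the tab style the rest of the file uses.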
@@ -160,12 +204,17 @@ interface(`corosync_admin',`
 		type corosync_t, corosync_var_lib_t, corosync_var_log_t;
 		type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
 		type corosync_initrc_exec_t;
+		type corosync_unit_file_t;
 	')
 
-	allow $1 corosync_t:process { ptrace signal_perms };
+	allow $1 corosync_t:process signal_perms;
 	ps_process_pattern($1, corosync_t)
 
-	corosync_initrc_domtrans($1)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 corosync_t:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, corosync_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 corosync_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -183,4 +232,8 @@ interface(`corosync_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, corosync_var_run_t)
+
+	corosync_systemctl($1)
+	admin_pattern($1, corosync_unit_file_t)
+	allow $1 corosync_unit_file_t:service all_service_perms;
 ')
diff --git a/corosync.te b/corosync.te
index eeea48d..691ca11 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
 type corosync_var_run_t;
 files_pid_file(corosync_var_run_t)
 
+type corosync_unit_file_t;
+systemd_unit_file(corosync_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
 domain_read_all_domains_state(corosync_t)
 
 files_manage_mounttab(corosync_t)
-files_read_usr_files(corosync_t)
 
 auth_use_nsswitch(corosync_t)
 
@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
 miscfiles_read_localization(corosync_t)
 
 userdom_read_user_tmp_files(corosync_t)
-userdom_manage_user_tmpfs_files(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+	fs_manage_tmpfs_files(corosync_t)
+	init_manage_script_status_files(corosync_t)
+')
 
 optional_policy(`
 	ccs_read_config(corosync_t)
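Review bot: `fs_manage_tmpfs_files(corosync_t)` grants create/write/unlink on every generic tmpfs_t file on the system, including shared-memory segments belonging to unrelated domains, which is far wider than the type-specific lvm/wdmd/rhcs tmpfs interfaces this commit adds further down; if those specific interfaces cover the real need, this blanket rule should go, and if not, a comment naming the file it is for would let a reviewer scope it later. Wrapping it and `init_manage_script_status_files` in `optional_policy` is misleading, since the filesystem and init modules are part of the base policy and the block is never optional in practice.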
@@ -129,20 +137,29 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lvm_rw_clvmd_tmpfs_files(corosync_t)
+	lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
+
+optional_policy(`
 	qpidd_rw_shm(corosync_t)
 ')
 
 optional_policy(`
-	rhcs_getattr_fenced_exec_files(corosync_t)
+	rhcs_getattr_fenced(corosync_t)
+	# to communication with RHCS
 	rhcs_rw_cluster_shm(corosync_t)
 	rhcs_rw_cluster_semaphores(corosync_t)
 	rhcs_stream_connect_cluster(corosync_t)
+	rhcs_read_cluster_lib_files(corosync_t)
+	rhcs_manage_cluster_lib_files(corosync_t)
+	rhcs_relabel_cluster_lib_files(corosync_t)
 ')
 
 optional_policy(`
-	rgmanager_manage_tmpfs_files(corosync_t)
+	rpc_search_nfs_state_data(corosync_t)
 ')
 
 optional_policy(`
-	rpc_search_nfs_state_data(corosync_t)
-')
\ No newline at end of file
+    wdmd_rw_tmpfs(corosync_t)
+')
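Review bot: The new comment reads `# to communication with RHCS`; it should be `# to communicate with RHCS`, and it would be more useful placed above the whole rhcs block since every line in it serves that purpose. `wdmd_rw_tmpfs(corosync_t)` is indented with four spaces where the rest of the file uses tabs. `rhcs_manage_cluster_lib_files` together with `rhcs_relabel_cluster_lib_files` lets corosync rewrite and relabel another service's /var/lib content; if only reads are needed the `rhcs_read_cluster_lib_files` line already present is sufficient, and otherwise the reason merits a comment.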
diff --git a/couchdb.fc b/couchdb.fc
index c086302..4f33119 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,3 +1,6 @@
+
+/usr/lib/systemd/system/couchdb.*		--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)
+
 /etc/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_conf_t,s0)
 
 /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
index 83d6744..3f0c0dc 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,6 +2,44 @@
 
 ########################################
 ## <summary>
+##	Allow to read couchdb log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_read_log_files',`
+	gen_require(`
+		type couchdb_log_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
+')
+
+########################################
+## <summary>
+##	Allow to read couchdb lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_read_lib_files',`
+	gen_require(`
+		type couchdb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an couchdb environment.
 ## </summary>
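Review bot: couchdb_read_log_files calls `files_search_var_lib($1)` but couchdb_log_t is a log type, so the search permission is on the wrong directory and callers without their own access to /var/log will be denied at lookup; replace it with `logging_search_logs($1)`. The same copy-paste pattern appears in couchdb_read_conf_files in the next hunk, where config files under /etc are paired with a var_lib search.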
@@ -10,6 +48,151 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`couchdb_manage_lib_files',`
+	gen_require(`
+		type couchdb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage couchdb lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_manage_lib_dirs',`
+	gen_require(`
+		type couchdb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow to read couchdb conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_read_conf_files',`
+	gen_require(`
+		type couchdb_conf_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+')
+
+########################################
+## <summary>
+##	Read couchdb PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_read_pid_files',`
+	gen_require(`
+		type couchdb_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##      Search couchdb PID dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`couchdb_search_pid_dirs',`
+        gen_require(`
+                type couchdb_var_run_t;
+        ')
+
+        files_search_pids($1)
+        allow $1 couchdb_var_run_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+##  Allow domain to manage couchdb content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`couchdb_manage_files',`
+        gen_require(`
+                type couchdb_var_run_t;
+                type couchdb_log_t;
+                type couchdb_var_lib_t;
+                type couchdb_conf_t;
+        ')
+
+    manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
+    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+    manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+')
+
+########################################
+## <summary>
+##	Execute couchdb server in the couchdb domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`couchdb_systemctl',`
+	gen_require(`
+		type couchdb_t;
+		type couchdb_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 couchdb_unit_file_t:file read_file_perms;
+	allow $1 couchdb_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, couchdb_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an couchdb environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## </summary>
+## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
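Review bot: The new couchdb_manage_lib_files interface is inserted directly under the old couchdb_admin documentation block, so its generated docs now read "All of the rules required to administrate an couchdb environment" while couchdb_admin, further down, got a duplicated summary; give couchdb_manage_lib_files its own header, `##	Manage couchdb lib files.` with the usual domain param, and leave the admin summary with couchdb_admin. couchdb_read_conf_files pairs couchdb_conf_t (an /etc type) with `files_search_var_lib($1)`; it should be `files_search_etc($1)`. couchdb_manage_files grants manage on log, lib, run and conf types with no search interface on any of their parent directories and uses eight-space/four-space indentation, and couchdb_search_pid_dirs is likewise space-indented, unlike the tab-indented interfaces around them.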
@@ -19,14 +202,19 @@
 #
 interface(`couchdb_admin',`
 	gen_require(`
+		type couchdb_unit_file_t;
 		type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
 		type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
 		type couchdb_tmp_t;
 	')
 
-	allow $1 couchdb_t:process { ptrace signal_perms };
+	allow $1 couchdb_t:process { signal_perms };
 	ps_process_pattern($1, couchdb_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 couchdb_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 couchdb_initrc_exec_t system_r;
@@ -46,4 +234,13 @@ interface(`couchdb_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, couchdb_var_run_t)
+
+	admin_pattern($1, couchdb_unit_file_t)
+	couchdb_systemctl($1)
+	allow $1 couchdb_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/couchdb.te b/couchdb.te
index 503adab..046fe9b 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
 type couchdb_var_run_t;
 files_pid_file(couchdb_var_run_t)
 
+type couchdb_unit_file_t;
+systemd_unit_file(couchdb_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t)
 dev_read_sysfs(couchdb_t)
 dev_read_urand(couchdb_t)
 
-files_read_usr_files(couchdb_t)
-
 fs_getattr_xattr_fs(couchdb_t)
 
 auth_use_nsswitch(couchdb_t)
 
-miscfiles_read_localization(couchdb_t)
diff --git a/courier.fc b/courier.fc
index 8a4b596..cbecde8 100644
--- a/courier.fc
+++ b/courier.fc
@@ -9,17 +9,18 @@
 /usr/sbin/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
 
 /usr/lib/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
 /usr/lib/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib/courier/courier/courierpop.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/courier/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/rootcerts(/.*)?	gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib/courier/sqwebmail/cleancache\.pl	--	gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-/usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/lib/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
 
+ifdef(`distro_gentoo',`
+/usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
 
 /var/lib/courier(/.*)?	gen_context(system_u:object_r:courier_var_lib_t,s0)
 /var/lib/courier-imap(/.*)?	gen_context(system_u:object_r:courier_var_lib_t,s0)
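Review bot: The file context for `/usr/lib/courier/courier-authlib/.*` is removed outright, so on installations that still ship binaries there they fall back to the parent directory's label and no longer transition into courier_authdaemon_t; if the path is obsolete the commit description should say so, and if it is distribution-specific it belongs in an `ifdef` like the couriertcpd entry this hunk adds for Gentoo. The realigned entries also mix tab and space separators before `--`, which the surrounding lines do not.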
diff --git a/courier.if b/courier.if
index 10f820f..acdb179 100644
--- a/courier.if
+++ b/courier.if
@@ -1,12 +1,12 @@
-## <summary>Courier IMAP and POP3 email servers.</summary>
+## <summary>Courier IMAP and POP3 email servers</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a courier domain.
+##	Template for creating courier server processes.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix name of the server process.
 ##	</summary>
 ## </param>
 #
@@ -15,7 +15,7 @@ template(`courier_domain_template',`
 		attribute courier_domain;
 	')
 
-	########################################
+	##############################
 	#
 	# Declarations
 	#
@@ -24,18 +24,30 @@ template(`courier_domain_template',`
 	type courier_$1_exec_t;
 	init_daemon_domain(courier_$1_t, courier_$1_exec_t)
 
-	########################################
+	##############################
 	#
-	# Policy
+	# Declarations
 	#
 
 	can_exec(courier_$1_t, courier_$1_exec_t)
+
+	kernel_read_system_state(courier_$1_t)
+
+	corenet_all_recvfrom_netlabel(courier_$1_t)
+	corenet_tcp_sendrecv_generic_if(courier_$1_t)
+	corenet_udp_sendrecv_generic_if(courier_$1_t)
+	corenet_tcp_sendrecv_generic_node(courier_$1_t)
+	corenet_udp_sendrecv_generic_node(courier_$1_t)
+	corenet_tcp_sendrecv_all_ports(courier_$1_t)
+	corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+	logging_send_syslog_msg(courier_$1_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the courier authentication
-##	daemon with a domain transition.
+##	Execute the courier authentication daemon with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
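Review bot: The second banner inside courier_domain_template was changed from `# Policy` to `# Declarations`, but the lines under it (`can_exec`, `kernel_read_system_state`, the corenet and logging calls) are policy rules, not declarations, so the header is now wrong; keep `# Policy` there. The moved `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` apply to every domain created by the template, including authdaemon and pcp which presumably never listen on a network port; if only the tcpd and pop domains need them, placing those two lines in the per-domain sections of courier.te would keep the template minimal.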
@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
 		type courier_authdaemon_t, courier_authdaemon_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
 ')
 
 #######################################
 ## <summary>
-##	Connect to courier-authdaemon over
-##	a unix stream socket.
+##  Connect to courier-authdaemon over a unix stream socket.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`courier_stream_connect_authdaemon',`
-	gen_require(`
-		type courier_authdaemon_t, courier_spool_t;
-	')
+    gen_require(`
+        type courier_authdaemon_t, courier_spool_t;
+    ')
 
 	files_search_spool($1)
-	stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+    stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the courier POP3 and IMAP
-##	server with a domain transition.
+##	Execute the courier POP3 and IMAP server with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
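Review bot: courier_domtrans_authdaemon loses its `corecmd_search_bin($1)` with nothing put in its place; since the executable lives under /usr/lib/courier, a caller now relies on already having search permission on that path, so either restore a search call appropriate to the directory's label (`libs_search_lib($1)` if it is lib_t) or note in the interface that callers must provide it. The same removal is made in courier_domtrans_pop in the next hunk. In courier_stream_connect_authdaemon the gen_require block and the `stream_connect_pattern` line are re-indented with four spaces while `files_search_spool($1)` between them keeps a tab, which is a whitespace-only change that makes the interface harder to diff.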
@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
 		type courier_pop_t, courier_pop_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
 ')
 
 ########################################
 ## <summary>
-##	Read courier config files.
+##	Read courier config files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
 ##	Create, read, write, and delete courier
 ##	spool files.
 ## </summary>
-## <param name="domain">
+## <param name="domains">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
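Review bot: The parameter documentation for courier_manage_spool_files now says `<param name="domains">` while the interface takes a single domain and every other interface in this file uses `<param name="domain">`; the rename breaks the convention the documentation tooling expects, so revert it to `<param name="domain">`.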
@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	manage_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	read_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write courier spool pipes.
+##	Read and write to courier spool pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
 	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
 ')
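Review bot: courier_rw_spool_pipes drops `files_search_var($1)` without adding `files_search_spool($1)`, whereas the three spool interfaces above it were switched to `files_search_spool($1)` in the same commit; a caller that can open the pipe but cannot search /var/spool will still fail at lookup. Add `files_search_spool($1)` before the allow rule so all four spool interfaces behave the same.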
diff --git a/courier.te b/courier.te
index 77bb077..1499c3f 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
 files_config_file(courier_etc_t)
 
 type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
 
 type courier_var_lib_t;
 files_type(courier_var_lib_t)
@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
 files_pid_filetrans(courier_domain, courier_var_run_t, dir)
 
 kernel_read_kernel_sysctls(courier_domain)
-kernel_read_system_state(courier_domain)
 
 corecmd_exec_bin(courier_domain)
 
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
 
 domain_use_interactive_fds(courier_domain)
 
-files_read_etc_files(courier_domain)
 files_read_etc_runtime_files(courier_domain)
-files_read_usr_files(courier_domain)
 
 fs_getattr_xattr_fs(courier_domain)
 fs_search_auto_mountpoints(courier_domain)
 
-logging_send_syslog_msg(courier_domain)
-
 sysnet_read_config(courier_domain)
 
 userdom_dontaudit_use_unpriv_user_fds(courier_domain)
@@ -77,6 +72,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_stream_connect(courier_domain)
+')
+
+optional_policy(`
 	udev_read_db(courier_domain)
 ')
 
@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
 create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
 manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
 
+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
 manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
 
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
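Review bot: `manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)` gives the authentication daemon create/write/unlink on all courier spool files, not just its socket, which the next line already covers with `manage_sock_files_pattern`; if authdaemon only needs to create a lock or pid file in the spool, a comment naming that file (and, where possible, a narrower pattern) would keep mail spool contents out of the authentication daemon's reach.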
@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
 
 libs_read_lib_files(courier_authdaemon_t)
 
-miscfiles_read_localization(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
 dev_read_rand(courier_tcpd_t)
 dev_read_urand(courier_tcpd_t)
 
-miscfiles_read_localization(courier_tcpd_t)
 
 ########################################
 #
diff --git a/cpucontrol.te b/cpucontrol.te
index 2f1aad6..155a337 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
 init_use_fds(cpucontrol_domain)
 init_use_script_ptys(cpucontrol_domain)
 
-logging_send_syslog_msg(cpucontrol_domain)
-
 userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
 
 optional_policy(`
@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
 read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
 read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
 
-kernel_list_proc(cpucontrol_t)
 kernel_read_proc_symlinks(cpucontrol_t)
 
 dev_read_sysfs(cpucontrol_t)
 dev_rw_cpu_microcode(cpucontrol_t)
 
+logging_send_syslog_msg(cpucontrol_t)
+
 optional_policy(`
 	rhgb_use_ptys(cpucontrol_t)
 ')
@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
 
 domain_read_all_domains_state(cpuspeed_t)
 
-files_read_etc_files(cpuspeed_t)
 files_read_etc_runtime_files(cpuspeed_t)
 
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
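Review bot: files_read_etc_files(cpuspeed_t) is dropped while files_read_etc_runtime_files() stays, so cpuspeed_t loses read access to /etc configuration unless an attribute-wide rule outside this diff now supplies it; the same removal is made for cpufreqselector_t in this series. If the intent is that every domain now gets /etc read access from the base policy, a comment at the removal site such as `# /etc read access is provided by the domain-wide rules` would stop the next reviewer from re-adding it; otherwise the rule should stay.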
diff --git a/cpufreqselector.te b/cpufreqselector.te
index a3bbc21..7fd7d8f 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
 # Local policy
 #
 
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:capability sys_nice;
 allow cpufreqselector_t self:process getsched;
 allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
 
 kernel_read_system_state(cpufreqselector_t)
 
-files_read_etc_files(cpufreqselector_t)
-files_read_usr_files(cpufreqselector_t)
-
 dev_rw_sysfs(cpufreqselector_t)
 
-miscfiles_read_localization(cpufreqselector_t)
-
 userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
 
 optional_policy(`
 	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
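Review bot: the added `allow cpufreqselector_t self:process getsched;` duplicates the identical rule two lines above it, so the domain now declares it twice; drop the new line. Removing sys_ptrace from the capability set is the right direction, but a short comment on why the capability existed (it presumably backed the userdom_read_all_users_state() call kept below) would help the next reader. files_read_etc_files() and files_read_usr_files() are removed without a visible replacement, so confirm a domain-wide rule now covers them.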
@@ -51,3 +47,7 @@ optional_policy(`
 	policykit_read_lib(cpufreqselector_t)
 	policykit_read_reload(cpufreqselector_t)
 ')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cron.fc b/cron.fc
index 6e76215..4819e90 100644
--- a/cron.fc
+++ b/cron.fc
@@ -3,6 +3,9 @@
 /etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
 /etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 
+/usr/lib/systemd/system/atd.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
+
 /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
 /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
 
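Review bot: both the atd and crond unit files get crond_unit_file_t, so anything granted cron_systemctl() later in this series can start, stop and enable atd as well as crond, and the patterns `atd.*` and `crond.*` also match any future unit whose name merely begins with those letters. If atd must be manageable separately it needs its own unit type; otherwise a comment such as `# atd and crond share one unit type; cron_systemctl() manages both` documents the choice.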
@@ -12,9 +15,7 @@
 /usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
 /usr/sbin/fcronsighup		--	gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
-
-/var/log/cron.*				gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.*             gen_context(system_u:object_r:cron_log_t,s0)
 /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 
 /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -27,13 +28,23 @@
 
 /var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/at/atspool(/.*)?		gen_context(system_u:object_r:user_cron_spool_log_t,s0)
 
-/var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
 #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 /var/spool/cron/[^/]*		--	<<none>>
 
-/var/spool/cron/crontabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+')
+
+/var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/crontabs/.*	--	<<none>>
 #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 
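Review bot: the distro_gentoo and distro_suse blocks added here for /var/spool/cron/lastrun and /var/spool/cron/tabs are repeated verbatim further down in this same file (the pre-existing blocks, only re-indented by the next hunk), so each path now has two identical specifications; delete the copy introduced in this hunk. Relabelling the /var/spool/cron directory itself from cron_spool_t to user_cron_spool_t also changes what the crontab domain must be allowed to search and create in, and the corresponding cron_spool_t filetrans is removed from cron.te in this series, so confirm the crontab domain still gets the directory access it needs.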
@@ -43,19 +54,23 @@
 /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 
+/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
+
 ifdef(`distro_debian',`
-/var/spool/cron/atjobs	-d		gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.*		--	gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/atjobs/[^/]*	--	<<none>>
-/var/spool/cron/atspool	-d		gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 ')
 
 ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun	-d		gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 ')
 
-ifdef(`distro_suse',`
-/var/spool/cron/lastrun	-d		gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
-/var/spool/cron/tabs	-d		gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 ')
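Review bot: `/var/log/prelink.log.*` is added inside the distro_debian block, which looks misplaced: it is the only non-spool path in that block, and nothing in this file ties prelink's log to Debian. If the intent is to label prelink's log as cron_log_t on all distributions, it belongs next to the other /var/log entries near `/var/log/cron.*`, outside the conditional; if it really is Debian-specific, a comment saying why would prevent someone from moving it.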
diff --git a/cron.if b/cron.if
index 1303b30..058864e 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
 
 #######################################
 ## <summary>
-##	The template to define a crontab domain.
+##	The common rules for a crontab domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="userdomain_prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
 ##	</summary>
 ## </param>
 #
@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
 	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
 
+	kernel_read_system_state($1_t)
+
 	auth_domtrans_chk_passwd($1_t)
 	auth_use_nsswitch($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	userdom_home_reader($1_t)
+
 ')
 
 ########################################
 ## <summary>
-##	Role access for cron.
+##	Role access for cron
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 ## <rolecap/>
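Review bot: userdom_home_reader($1_t) is added to every crontab domain produced by this template, and judging by its name it grants read access to user home content in general rather than only the invoking user's own files, which is broader than the `crontab <file>` use case needs and weakens the per-user separation the spool types carry. If reading the caller's own file under $HOME is the goal, a narrower interface or a comment stating why the wider access is acceptable would help reviewers. The template begins above this hunk; the stray blank line added before its closing `')` can also be dropped.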
@@ -60,57 +68,37 @@ interface(`cron_role',`
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
 		type user_cron_spool_t, crond_t;
-		bool cron_userdomain_transition;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
-
 	role $1 types { cronjob_t crontab_t };
 
-	##############################
-	#
-	# Local policy
-	#
+	# cronjob shows up in user ps
+	ps_process_pattern($2, cronjob_t)
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, crontab_t)
 
+	allow crond_t $2:process transition;
 	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
 	allow $2 crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	# needs to be authorized SELinux context for cron
+	allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
 
-	allow $2 crontab_t:process { ptrace signal_perms };
+	# crontab shows up in user ps
 	ps_process_pattern($2, crontab_t)
+	allow $2 crontab_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 crontab_t:process ptrace;
+	')
 
+	# Run helper programs as the user domain
+	#corecmd_bin_domtrans(crontab_t, $2)
+	#corecmd_shell_domtrans(crontab_t, $2)
 	corecmd_exec_bin(crontab_t)
 	corecmd_exec_shell(crontab_t)
 
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
-
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
-
-		dontaudit $2 user_cron_spool_t:file entrypoint;
-
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
-	')
-
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
@@ -119,78 +107,38 @@ interface(`cron_role',`
 		dbus_stub(cronjob_t)
 
 		allow cronjob_t $2:dbus send_msg;
-	')
+	')		
 ')
 
 ########################################
 ## <summary>
-##	Role access for unconfined cron.
+##	Role access for unconfined cronjobs
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
-		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
-		type crond_t, user_cron_spool_t;
-		bool cron_userdomain_transition;
+		type unconfined_cronjob_t;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
-
-	role $1 types { unconfined_cronjob_t crontab_t };
+	role $1 types unconfined_cronjob_t;
 
-	##############################
-	#
-	# Local policy
-	#
-
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
-
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
-
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
-
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
-
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
-
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, unconfined_cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
-
-		dontaudit $2 user_cron_spool_t:file entrypoint;
-
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
+	# cronjob shows up in user ps
+	ps_process_pattern($2, unconfined_cronjob_t)
+	allow $2 unconfined_cronjob_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 unconfined_cronjob_t:process ptrace;
+	')
 
 	optional_policy(`
 		gen_require(`
@@ -198,85 +146,65 @@ interface(`cron_unconfined_role',`
 		')
 
 		dbus_stub(unconfined_cronjob_t)
-
 		allow unconfined_cronjob_t $2:dbus send_msg;
 	')
 ')
 
 ########################################
 ## <summary>
-##	Role access for admin cron.
+##	Role access for cron
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_admin_role',`
 	gen_require(`
-		type cronjob_t, crontab_exec_t, admin_crontab_t;
+		type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+		type user_cron_spool_t, crond_t;
 		class passwd crontab;
-		type crond_t, user_cron_spool_t;
-		bool cron_userdomain_transition;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
+	role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
 
-	role $1 types { cronjob_t admin_crontab_t };
+	# cronjob shows up in user ps
+	ps_process_pattern($2, cronjob_t)
 
-	##############################
-	#
-	# Local policy
-	#
+	# Manipulate other users crontab.
+	allow $2 self:passwd crontab;
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
 
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
+	# crontab shows up in user ps
+	ps_process_pattern($2, admin_crontab_t)
+	allow $2 admin_crontab_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 admin_crontab_t:process ptrace;
+	')
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	allow $2 crond_t:process sigchld;
+	allow crond_t $2:process transition;
 
-	allow $2 admin_crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, admin_crontab_t)
+	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
 
-	# Manipulate other users crontab.
-	allow $2 self:passwd crontab;
+	# needs to be authorized SELinux context for cron
+	allow $2 user_cron_spool_t:file entrypoint;
 
+	# Run helper programs as the user domain
+	#corecmd_bin_domtrans(admin_crontab_t, $2)
+	#corecmd_shell_domtrans(admin_crontab_t, $2)
 	corecmd_exec_bin(admin_crontab_t)
 	corecmd_exec_shell(admin_crontab_t)
 
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
-
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
-
-		dontaudit $2 user_cron_spool_t:file entrypoint;
-
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
-	')
-
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
@@ -285,13 +213,13 @@ interface(`cron_admin_role',`
 		dbus_stub(admin_cronjob_t)
 
 		allow cronjob_t $2:dbus send_msg;
-	')
+	')		
 ')
 
 ########################################
 ## <summary>
-##	Make the specified program domain
-##	accessable from the system cron jobs.
+##	Make the specified program domain accessable
+##	from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -307,15 +235,15 @@ interface(`cron_admin_role',`
 interface(`cron_system_entry',`
 	gen_require(`
 		type crond_t, system_cronjob_t;
-		type user_cron_spool_log_t;
 	')
 
-	rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
-
 	domtrans_pattern(system_cronjob_t, $2, $1)
 	domtrans_pattern(crond_t, $2, $1)
 
 	role system_r types $1;
+
+	allow $1 crond_t:fifo_file rw_fifo_file_perms;
+	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
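Review bot: the two new fifo_file rules in cron_system_entry() use rw_fifo_file_perms, which includes open, while every other pipe rule touched by this patch (cron_rw_pipes, cron_rw_system_job_pipes) is being moved to rw_inherited_fifo_file_perms because these pipes are unnamed and only ever inherited from crond. For consistency and least privilege they should read `allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;` and `allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;`. The access to user_cron_spool_log_t is dropped without replacement; confirm no system job still writes there.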
@@ -333,13 +261,12 @@ interface(`cron_domtrans',`
 		type system_cronjob_t, crond_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, crond_exec_t, system_cronjob_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute crond in the caller domain. 
+##	Execute crond_exec_t 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -352,7 +279,6 @@ interface(`cron_exec',`
 		type crond_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, crond_exec_t)
 ')
 
@@ -376,7 +302,31 @@ interface(`cron_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	Use crond file descriptors.
+##	Execute crond server in the crond domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cron_systemctl',`
+	gen_require(`
+		type crond_unit_file_t;
+		type crond_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 crond_unit_file_t:file read_file_perms;
+	allow $1 crond_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, crond_t)
+')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor
+##	from the cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
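Review bot: the summary of the new cron_systemctl() says "Execute crond server in the crond domain" and its parameter is described as "Domain allowed to transition", but the body grants systemctl execution plus read and manage_service_perms on crond_unit_file_t, i.e. the ability to start, stop, enable and disable the crond service (and atd, which cron.fc in this series labels with the same type), not a domain transition. Suggest `##	Manage the crond service via systemctl.` for the summary and `##	Domain allowed access.` for the parameter. A sentence noting that ps_process_pattern() is included so the caller can observe the running daemon would complete the documentation.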
@@ -394,7 +344,7 @@ interface(`cron_use_fds',`
 
 ########################################
 ## <summary>
-##	Send child terminated signals to crond.
+##	Send a SIGCHLD signal to the cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -412,7 +362,7 @@ interface(`cron_sigchld',`
 
 ########################################
 ## <summary>
-##	Set the attributes of cron log files.
+##	Send a generic signal to cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -420,17 +370,17 @@ interface(`cron_sigchld',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_setattr_log_files',`
+interface(`cron_signal',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	allow $1 cron_log_t:file setattr_file_perms;
+	allow $1 crond_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Create cron log files.
+##	Read a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
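Review bot: cron_setattr_log_files() is removed and its slot reused for cron_signal(), and the following hunks do the same to cron_create_log_files() and cron_write_log_files() without re-adding them (only cron_manage_log_files() and cron_generic_log_filetrans_log() return at the end of the file), so any module that still calls one of the three removed interfaces will fail to build. Unless they are known to be unused, keep them, or at least record the removal in the commit description so dependent modules can be updated.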
@@ -438,17 +388,17 @@ interface(`cron_setattr_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_create_log_files',`
+interface(`cron_read_pipes',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	create_files_pattern($1, cron_log_t, cron_log_t)
+	allow $1 crond_t:fifo_file read_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Write to cron log files.
+##	Read crond state files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -456,18 +406,20 @@ interface(`cron_create_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_write_log_files',`
+interface(`cron_read_state_crond',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	allow $1 cron_log_t:file write_file_perms;
+	kernel_search_proc($1)
+	ps_process_pattern($1, crond_t)
 ')
 
+
 ########################################
 ## <summary>
-##	Create, read, write and delete
-##	cron log files.
+##	Send and receive messages from
+##	crond over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -475,48 +427,37 @@ interface(`cron_write_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_manage_log_files',`
+interface(`cron_dbus_chat_crond',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
+		class dbus send_msg;
 	')
 
-	manage_files_pattern($1, cron_log_t, cron_log_t)
-
-	logging_search_logs($1)
+	allow $1 crond_t:dbus send_msg;
+	allow crond_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in generic
-##	log directories with the cron log file type.
+##	Do not audit attempts to write cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`cron_generic_log_filetrans_log',`
+interface(`cron_dontaudit_write_pipes',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	logging_log_filetrans($1, cron_log_t, $2, $3)
+	dontaudit $1 crond_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Read cron daemon unnamed pipes.
+##	Read and write a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -524,36 +465,35 @@ interface(`cron_generic_log_filetrans_log',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_read_pipes',`
+interface(`cron_rw_pipes',`
 	gen_require(`
 		type crond_t;
 	')
 
-	allow $1 crond_t:fifo_file read_fifo_file_perms;
+	allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	cron daemon unnamed pipes.
+##	Read and write inherited user spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`cron_dontaudit_write_pipes',`
+interface(`cron_rw_inherited_user_spool_files',`
 	gen_require(`
-		type crond_t;
+		type user_cron_spool_t;
 	')
 
-	dontaudit $1 crond_t:fifo_file write;
+	allow $1 user_cron_spool_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write crond unnamed pipes.
+##	Read and write inherited spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -561,17 +501,17 @@ interface(`cron_dontaudit_write_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_rw_pipes',`
+interface(`cron_rw_inherited_spool_files',`
 	gen_require(`
-		type crond_t;
+		type cron_spool_t;
 	')
 
-	allow $1 crond_t:fifo_file rw_fifo_file_perms;
+	allow $1 cron_spool_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write crond TCP sockets.
+##	Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -589,8 +529,7 @@ interface(`cron_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write cron daemon TCP sockets.
+##	Dontaudit Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -608,7 +547,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Search cron spool directories.
+##	Search the directory containing user cron tables.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -627,8 +566,26 @@ interface(`cron_search_spool',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	crond pid files.
+##	Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+	gen_require(`
+		type cron_system_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
+########################################
+## <summary>
+##	Manage pid files used by cron
 ## </summary>
 ## <param name="domain">
 ##	<summary>
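Review bot: cron_manage_system_spool() requires `type cron_system_spool_t;`, but the type declared in cron.te and used throughout cron.fc is `system_cron_spool_t`, so the first caller of this interface will fail at build time on an undeclared type. Both the gen_require line and the manage_files_pattern() call should use `system_cron_spool_t`. The summary is also copied from cron_search_spool() ("Search the directory containing user cron tables.") and should instead describe managing the system crontab spool files.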
@@ -641,13 +598,13 @@ interface(`cron_manage_pid_files',`
 		type crond_var_run_t;
 	')
 
+	files_search_pids($1)
 	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute anacron in the cron
-##	system domain.
+##	Execute anacron in the cron system domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -660,13 +617,13 @@ interface(`cron_anacron_domtrans_system_job',`
 		type system_cronjob_t, anacron_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
 ')
 
 ########################################
 ## <summary>
-##	Use system cron job file descriptors.
+##	Inherit and use a file descriptor
+##	from system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -684,7 +641,7 @@ interface(`cron_use_system_job_fds',`
 
 ########################################
 ## <summary>
-##	Read system cron job lib files.
+##	Write a system cron job unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -692,19 +649,17 @@ interface(`cron_use_system_job_fds',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_read_system_job_lib_files',`
+interface(`cron_write_system_job_pipes',`
 	gen_require(`
-		type system_cronjob_var_lib_t;
+		type system_cronjob_t;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+	allow $1 system_cronjob_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	system cron job lib files.
+##	Read and write a system cron job unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -712,18 +667,17 @@ interface(`cron_read_system_job_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_manage_system_job_lib_files',`
+interface(`cron_rw_system_job_pipes',`
 	gen_require(`
-		type system_cronjob_var_lib_t;
+		type system_cronjob_t;
 	')
 
-	files_search_var_lib($1)
-	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+	allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Write system cron job unnamed pipes.
+##	Allow read/write unix stream sockets from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -731,18 +685,17 @@ interface(`cron_manage_system_job_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_write_system_job_pipes',`
+interface(`cron_rw_system_job_stream_sockets',`
 	gen_require(`
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:file write;
+	allow $1 system_cronjob_t:unix_stream_socket { read write };
 ')
 
 ########################################
 ## <summary>
-##	Read and write system cron job
-##	unnamed pipes.
+##	Read temporary files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -750,86 +703,142 @@ interface(`cron_write_system_job_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_rw_system_job_pipes',`
+interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
-		type system_cronjob_t;
+		type system_cronjob_tmp_t, cron_var_run_t;
 	')
 
-	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+	files_search_tmp($1)
+	allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+	files_search_pids($1)
+	allow $1 cron_var_run_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write inherited system cron
-##	job unix domain stream sockets.
+##	Do not audit attempts to append temporary
+##	files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`cron_rw_system_job_stream_sockets',`
+interface(`cron_dontaudit_append_system_job_tmp_files',`
 	gen_require(`
-		type system_cronjob_t;
+		type system_cronjob_tmp_t;
 	')
 
-	allow $1 system_cronjob_t:unix_stream_socket { read write };
+	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read system cron job temporary files.
+##	Do not audit attempts to write temporary
+##	files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`cron_read_system_job_tmp_files',`
+interface(`cron_dontaudit_write_system_job_tmp_files',`
 	gen_require(`
 		type system_cronjob_tmp_t;
+		type cron_var_run_t;
 	')
 
-	files_search_tmp($1)
-	allow $1 system_cronjob_tmp_t:file read_file_perms;
+	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+	dontaudit $1 cron_var_run_t:file write_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to append temporary
-##	system cron job files.
+##	Read temporary files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`cron_dontaudit_append_system_job_tmp_files',`
+interface(`cron_read_system_job_lib_files',`
 	gen_require(`
-		type system_cronjob_tmp_t;
+		type system_cronjob_var_lib_t;
 	')
 
-	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+	files_search_var_lib($1)
+	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write temporary
-##	system cron job files.
+##	Manage files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`cron_dontaudit_write_system_job_tmp_files',`
+interface(`cron_manage_system_job_lib_files',`
 	gen_require(`
-		type system_cronjob_tmp_t;
+		type system_cronjob_var_lib_t;
 	')
 
-	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+	files_search_var_lib($1)
+	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Create, read, write and delete
+##  cron log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cron_manage_log_files',`
+    gen_require(`
+        type cron_log_t;
+    ')
+
+    manage_files_pattern($1, cron_log_t, cron_log_t)
+
+    logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##  Create specified objects in generic
+##  log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="object_class">
+##  <summary>
+##  Class of the object being created.
+##  </summary>
+## </param>
+## <param name="name" optional="true">
+##  <summary>
+##  The name of the object being created.
+##  </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+    gen_require(`
+        type cron_log_t;
+    ')
+
+    logging_log_filetrans($1, cron_log_t, $2, $3)
 ')
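Review bot: the summary of cron_read_system_job_lib_files() now reads "Read temporary files from the system cron jobs", copied from the tmp-files interface above it, while the body reads system_cronjob_var_lib_t; it should say `##	Read system cron job lib files.`, and cron_manage_system_job_lib_files() should likewise name lib files rather than "files from the system cron jobs". cron_read_system_job_tmp_files() quietly gains read access to cron_var_run_t pid files, which a caller asking for tmp files will not expect; that deserves a comment or a separate interface. The two interfaces re-added at the bottom use four-space indentation and a 39-column banner where the rest of the file uses tabs and 40 columns.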
diff --git a/cron.te b/cron.te
index 28e1b86..439a761 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.5.10)
+policy_module(cron, 2.2.1)
 
 gen_require(`
 	class passwd rootok;
@@ -11,46 +11,37 @@ gen_require(`
 
 ## <desc>
 ##	<p>
-##	Determine whether system cron jobs
-##	can relabel filesystem for
-##	restoring file contexts.
+##	Allow system cron jobs to relabel filesystem
+##	for restoring file contexts.
 ##	</p>
 ## </desc>
 gen_tunable(cron_can_relabel, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether crond can execute jobs
-##	in the user domain as opposed to the
-##	the generic cronjob domain.
-##	</p>
-## </desc>
-gen_tunable(cron_userdomain_transition, false)
-
-## <desc>
-##	<p>
-##	Determine whether extra rules
-##	should be enabled to support fcron.
+##	Enable extra rules in the cron domain
+##	to support fcron.
 ##	</p>
 ## </desc>
 gen_tunable(fcron_crond, false)
 
-attribute cron_spool_type;
 attribute crontab_domain;
+attribute cron_spool_type;
 
 type anacron_exec_t;
 application_executable_file(anacron_exec_t)
 
 type cron_spool_t;
-files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+files_spool_file(cron_spool_t)
 
+# var/lib files
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
 
 type cron_var_run_t;
 files_pid_file(cron_var_run_t)
 
+# var/log files
 type cron_log_t;
 logging_log_file(cron_log_t)
 
@@ -71,6 +62,9 @@ domain_cron_exemption_source(crond_t)
 type crond_initrc_exec_t;
 init_script_file(crond_initrc_exec_t)
 
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 files_poly_parent(crond_tmp_t)
@@ -92,15 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
 typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
 typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
 typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
 
 type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
 
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
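Review bot: `allow admin_crontab_t crond_t:process signal;` is an access rule dropped into the declarations section between typealias and type statements, and the new `role system_r types system_cronjob_t;` and `domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)` lines likewise belong in the local-policy part of the file rather than beside a type declaration; moving them there keeps the declaration/policy split the file otherwise follows. Removing domain_entry_file(system_cronjob_t, system_cron_spool_t) also means system_cron_spool_t is no longer an entry point for system_cronjob_t, so if crond executes system crontab content directly rather than through a shell, confirm which entry type it now relies on.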
@@ -108,94 +103,38 @@ files_lock_file(system_cronjob_lock_t)
 type system_cronjob_tmp_t alias system_crond_tmp_t;
 files_tmp_file(system_cronjob_tmp_t)
 
-type system_cronjob_var_lib_t;
-files_type(system_cronjob_var_lib_t)
-
-type system_cronjob_var_run_t;
-files_pid_file(system_cronjob_var_run_t)
+type unconfined_cronjob_t;
+domain_type(unconfined_cronjob_t)
+domain_cron_exemption_target(unconfined_cronjob_t)
 
+# Type of user crontabs once moved to cron spool.
 type user_cron_spool_t, cron_spool_type;
 typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
 mta_system_content(user_cron_spool_t)
 
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
 ')
 
-##############################
-#
-# Common crontab local policy
-#
-
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-allow crontab_domain self:process { getcap setsched signal_perms };
-allow crontab_domain self:fifo_file rw_fifo_file_perms;
-
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-
-allow crontab_domain crond_t:process signal;
-allow crontab_domain crond_var_run_t:file read_file_perms;
-
-kernel_read_system_state(crontab_domain)
-
-selinux_dontaudit_search_fs(crontab_domain)
-
-files_list_spool(crontab_domain)
-files_read_etc_files(crontab_domain)
-files_read_usr_files(crontab_domain)
-files_search_pids(crontab_domain)
-
-fs_getattr_xattr_fs(crontab_domain)
-fs_manage_cgroup_dirs(crontab_domain)
-fs_rw_cgroup_files(crontab_domain)
-
-domain_use_interactive_fds(crontab_domain)
-
-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-
-auth_rw_var_auth(crontab_domain)
-
-logging_send_syslog_msg(crontab_domain)
-logging_send_audit_msgs(crontab_domain)
-logging_set_loginuid(crontab_domain)
-
-init_dontaudit_write_utmp(crontab_domain)
-init_read_utmp(crontab_domain)
-init_read_state(crontab_domain)
-
-miscfiles_read_localization(crontab_domain)
-
-seutil_read_config(crontab_domain)
-
-userdom_manage_user_tmp_dirs(crontab_domain)
-userdom_manage_user_tmp_files(crontab_domain)
-userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
-
-tunable_policy(`fcron_crond',`
-	dontaudit crontab_domain crond_t:process signal;
-')
-
 ########################################
 #
-# Admin local policy
+# Admin crontab local policy
 #
 
-allow admin_crontab_t self:capability fsetid;
-allow admin_crontab_t crond_t:process signal;
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
 
+# Manipulate other users crontab.
 selinux_get_fs_mount(admin_crontab_t)
 selinux_validate_context(admin_crontab_t)
 selinux_compute_access_vector(admin_crontab_t)
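Review bot: The comment `# Allow our crontab domain to unlink a user cron spool file.` describes only deletion, but the rule beneath it also grants `read_file_perms`; either narrow the rule to `delete_file_perms` or widen the comment to say read and unlink. The `# Manipulate other users crontab.` line is attached to the `selinux_*` context-computation calls, while the removal of `allow admin_crontab_t self:capability fsetid;` goes unexplained; if dropping fsetid is intended, a sentence in the commit message would save the next reader a bisect. The admin_crontab_t section continues past the end of this hunk.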
@@ -204,22 +143,26 @@ selinux_compute_relabel_context(admin_crontab_t)
 selinux_compute_user_contexts(admin_crontab_t)
 
 tunable_policy(`fcron_crond',`
+	# fcron wants an instant update of a crontab change for the administrator
+	# also crontab does a security check for crontab -u
 	allow admin_crontab_t self:process setfscreate;
 ')
 
 ########################################
 #
-# Daemon local policy
+# Cron daemon local policy
 #
 
 allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
 allow crond_t self:unix_dgram_socket sendto;
-allow crond_t self:unix_stream_socket { accept connectto listen };
+allow crond_t self:unix_stream_socket connectto;
 allow crond_t self:shm create_shm_perms;
 allow crond_t self:sem create_sem_perms;
 allow crond_t self:msgq create_msgq_perms;
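Review bot: Adding `net_admin` to the crond_t capability dontaudit hides a denial that is normally a useful signal of an unexpected privileged operation, and the line carries no reason; add a why-comment naming the triggering call, e.g. `# net_admin: <triggering call, TODO confirm>; silenced only, crond does not need it`. The fcron comment above `setfscreate` combines two reasons (instant update for the administrator and the crontab -u security check); one line per reason would make each easier to verify later. The crond_t self rules continue below this hunk.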
@@ -227,7 +170,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 
-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
 logging_log_filetrans(crond_t, cron_log_t, file)
 
 manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
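Review bot: Replacing the append/create/setattr set on cron_log_t with `manage_files_pattern(crond_t, cron_log_t, cron_log_t)` lets the daemon truncate, rename and unlink its own log, which the previous append-only set deliberately withheld for log integrity. If a specific operation needs it, say so on the line, e.g. `# crond rotates its own log: needs unlink/rename beyond append`; otherwise keep the narrower set. The same widening for system_cronjob_t later in this diff at least names rpm script log files as the reason.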
@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
 
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
 
 list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 
-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
 
-allow crond_t system_cronjob_t:process transition;
-allow crond_t system_cronjob_t:fd use;
-allow crond_t system_cronjob_t:key manage_key_perms;
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
 
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+dev_read_urand(crond_t)
 
-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
 
-kernel_read_kernel_sysctls(crond_t)
-kernel_read_fs_sysctls(crond_t)
-kernel_search_key(crond_t)
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
 
 corecmd_exec_shell(crond_t)
-corecmd_exec_bin(crond_t)
 corecmd_list_bin(crond_t)
-
-dev_read_sysfs(crond_t)
-dev_read_urand(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
 domain_subj_id_change_exemption(crond_t)
 domain_role_change_exemption(crond_t)
 
-fs_getattr_all_fs(crond_t)
-fs_list_inotifyfs(crond_t)
-fs_manage_cgroup_dirs(crond_t)
-fs_rw_cgroup_files(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
-files_read_usr_files(crond_t)
 files_read_etc_runtime_files(crond_t)
 files_read_generic_spool(crond_t)
 files_list_usr(crond_t)
+# Read from /var/spool/cron.
 files_search_var_lib(crond_t)
 files_search_default(crond_t)
+files_read_all_locks(crond_t)
 
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
+# needed by "crontab -e"
 mls_file_read_all_levels(crond_t)
 mls_file_write_all_levels(crond_t)
+
+# needed because of kernel check of transition
 mls_process_set_level(crond_t)
-mls_trusted_object(crond_t)
 
-selinux_get_fs_mount(crond_t)
-selinux_validate_context(crond_t)
-selinux_compute_access_vector(crond_t)
-selinux_compute_create_context(crond_t)
-selinux_compute_relabel_context(crond_t)
-selinux_compute_user_contexts(crond_t)
+# to make cronjob working
+mls_fd_share_all_levels(crond_t)
+mls_trusted_object(crond_t)
 
 init_read_state(crond_t)
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)
 
-auth_domtrans_chk_passwd(crond_t)
-auth_manage_var_auth(crond_t)
 auth_use_nsswitch(crond_t)
 
 logging_send_audit_msgs(crond_t)
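Review bot: The comment `# Read from /var/spool/cron.` is placed above `files_search_var_lib(crond_t)`, which concerns /var/lib, not the cron spool; the spool access is the `cron_spool_t` pattern earlier in the section, so move the comment there or drop it. `fs_rw_cgroup_files` becomes `fs_manage_cgroup_files` and `files_read_all_locks(crond_t)` is new, both without a stated reason; a one-line why-comment on each keeps the least-privilege history readable. The `# needed by "crontab -e"` comment reads as if crontab -e ran in crond_t; if it means crond must read crontabs that crontab -e wrote at other MLS levels, say that explicitly.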
@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t)
 
 seutil_read_config(crond_t)
 seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
 
-miscfiles_read_localization(crond_t)
 
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
 userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
+userdom_manage_all_users_keys(crond_t)
 
-tunable_policy(`cron_userdomain_transition',`
-	dontaudit crond_t cronjob_t:process transition;
-	dontaudit crond_t cronjob_t:fd use;
-	dontaudit crond_t cronjob_t:key manage_key_perms;
-',`
-	allow crond_t cronjob_t:process transition;
-	allow crond_t cronjob_t:fd use;
-	allow crond_t cronjob_t:key manage_key_perms;
-')
+mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
 
 ifdef(`distro_debian',`
+	# pam_limits is used
 	allow crond_t self:process setrlimit;
 
-	optional_policy(`
-		logwatch_search_cache_dir(crond_t)
-	')
+')
+
+optional_policy(`
+	logwatch_search_cache_dir(crond_t)
+')
+
+optional_policy(`
+	bind_read_config(crond_t)
 ')
 
 ifdef(`distro_redhat',`
+	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(crond_t)
 	')
 ')
 
-tunable_policy(`allow_polyinstantiation',`
+tunable_policy(`polyinstantiation_enabled',`
 	files_polyinstantiate_all(crond_t)
 ')
 
-tunable_policy(`fcron_crond',`
-	allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+tunable_policy(`fcron_crond', `
+	allow crond_t system_cron_spool_t:file manage_file_perms;
 ')
 
 optional_policy(`
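Review bot: `mta_send_mail(crond_t)` and `mta_system_content(cron_spool_t)` are now called unconditionally, whereas the old code kept `mta_send_mail` inside `optional_policy()` and a later hunk in this file wraps `mta_system_content(system_cron_spool_t)` in one; if the mta module is optional in this build, both calls here need the same wrapper, and the attribute call belongs with the other cron_spool_t declarations rather than among the crond rules. `userdom_manage_all_users_keys(crond_t)` is a broad new grant that arrives without a comment; state what needs it. `# Not sure why this is needed` above `userdom_list_user_home_dirs` records doubt rather than a reason, and the new fcron_crond `tunable_policy` line has a stray space after the comma unlike every other tunable in the file.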
@@ -353,102 +297,136 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client(crond_t)
-
-	optional_policy(`
-		hal_dbus_chat(crond_t)
-	')
-
-	optional_policy(`
-		unconfined_dbus_send(crond_t)
-	')
+	djbdns_search_tinydns_keys(crond_t)
+	djbdns_link_tinydns_keys(crond_t)
 ')
 
 optional_policy(`
-	amanda_search_var_lib(crond_t)
+	locallogin_search_keys(crond_t)
+	locallogin_link_keys(crond_t)
 ')
 
 optional_policy(`
-	amavis_search_lib(crond_t)
+	# these should probably be unconfined_crond_t
+	dbus_system_bus_client(crond_t)
+	init_dbus_send_script(crond_t)
+	init_dbus_chat(crond_t)
 ')
 
 optional_policy(`
-	djbdns_search_tinydns_keys(crond_t)
-	djbdns_link_tinydns_keys(crond_t)
+	amanda_search_var_lib(crond_t)
 ')
 
 optional_policy(`
-	hal_write_log(crond_t)
+	antivirus_search_db(crond_t)
 ')
 
 optional_policy(`
-	locallogin_search_keys(crond_t)
-	locallogin_link_keys(crond_t)
+	hal_dbus_chat(crond_t)
+	hal_write_log(crond_t)
+	hal_dbus_chat(system_cronjob_t)
 ')
 
 optional_policy(`
-	mta_send_mail(crond_t)
+	# cjp: why?
+	munin_search_lib(crond_t)
 ')
 
 optional_policy(`
-	munin_search_lib(crond_t)
+	rpc_search_nfs_state_data(crond_t)
 ')
 
 optional_policy(`
-	postgresql_search_db(crond_t)
+	# Commonly used from postinst scripts
+	rpm_read_pipes(crond_t)
 ')
 
 optional_policy(`
-	rpc_search_nfs_state_data(crond_t)
+	# allow crond to find /usr/lib/postgresql/bin/do.maintenance
+	postgresql_search_db(crond_t)
 ')
 
 optional_policy(`
-	rpm_read_pipes(crond_t)
+	systemd_use_fds_logind(crond_t)
+	systemd_write_inherited_logind_sessions_pipes(crond_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(crond_t)
+	udev_read_db(crond_t)
 ')
 
 optional_policy(`
-	udev_read_db(crond_t)
+	vnstatd_search_lib(crond_t)
 ')
 
 ########################################
 #
-# System local policy
+# System cron process domain
 #
 
 allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+# This is to handle creation of files in /var/log directory.
+#  Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
+# This is to handle /var/lib/misc directory.  Used currently
+# by prelink var/lib files for cron 
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
 allow system_cronjob_t cron_var_run_t:file manage_file_perms;
 files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
 
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+mls_file_read_to_clearance(system_cronjob_t)
+
+# anacron forces the following
 manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
 
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
+# Write /var/lock/makewhatis.lock.
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
 
+# write temporary files
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
 
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 
-allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-allow system_cronjob_t crond_t:process sigchld;
-
+# Read from /var/spool/cron.
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
+# ps does not need to access /boot when run from cron
 files_dontaudit_search_boot(system_cronjob_t)
 
 corecmd_exec_all_executables(system_cronjob_t)
 
-corenet_all_recvfrom_unlabeled(system_cronjob_t)
 corenet_all_recvfrom_netlabel(system_cronjob_t)
 corenet_tcp_sendrecv_generic_if(system_cronjob_t)
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
 fs_getattr_all_pipes(system_cronjob_t)
 fs_getattr_all_sockets(system_cronjob_t)
 
+# quiet other ps operations
 domain_dontaudit_read_all_domains_state(system_cronjob_t)
 
 files_exec_etc_files(system_cronjob_t)
@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t)
 files_getattr_all_symlinks(system_cronjob_t)
 files_getattr_all_pipes(system_cronjob_t)
 files_getattr_all_sockets(system_cronjob_t)
-files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
+# for nscd:
 files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
 files_manage_generic_spool(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 
-mls_file_read_to_clearance(system_cronjob_t)
-
 init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
 init_domtrans_script(system_cronjob_t)
 
 auth_use_nsswitch(system_cronjob_t)
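Review bot: `init_telinit(system_cronjob_t)` grants every system cron job the ability to ask init for a runlevel change, while its comment says the choice between allow and dontaudit was never made. Since the stated trigger is only prelink asking init to restart itself, silencing the denial is the least-privilege option; if the restart genuinely has to succeed, rewrite the comment as a decision, e.g. `# prelink asks init to re-exec after relinking it; the request must succeed`. `init_read_utmp` next to `init_dontaudit_rw_utmp` is harmless but overlapping; a dontaudit on write alone would express the intent more precisely if init provides such an interface.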
@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
-miscfiles_read_localization(system_cronjob_t)
-
 seutil_read_config(system_cronjob_t)
 
+userdom_manage_tmpfs_files(system_cronjob_t, file)
+userdom_tmpfs_filetrans(system_cronjob_t, file)
+
 ifdef(`distro_redhat',`
+	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+	allow crond_t system_cron_spool_t:file manage_file_perms;
+
+	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(system_cronjob_t)
 	')
 ')
 
+selinux_get_fs_mount(system_cronjob_t)
+
 tunable_policy(`cron_can_relabel',`
 	seutil_domtrans_setfiles(system_cronjob_t)
 ',`
-	selinux_get_fs_mount(system_cronjob_t)
 	selinux_validate_context(system_cronjob_t)
 	selinux_compute_access_vector(system_cronjob_t)
 	selinux_compute_create_context(system_cronjob_t)
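Review bot: Inside the `distro_redhat` block the new `allow crond_t system_cron_spool_t:file manage_file_perms;` is inserted between the two halves of the rpm comment (`# Run the rpm program ...` / `# via redirection of standard out.`), so the comment now appears to explain a crond_t rule sitting in the system_cronjob_t section. The rule is also identical to the one under the fcron_crond tunable earlier in the file, which makes that tunable a no-op on Red Hat builds; move the rule to the crond section with its own comment, or drop it and rely on the tunable. The cron_can_relabel tunable block continues past the end of this hunk.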
@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',`
 ')
 
 optional_policy(`
+	# Needed for certwatch
 	apache_exec_modules(system_cronjob_t)
 	apache_read_config(system_cronjob_t)
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
+	apache_manage_lib(system_cronjob_t)
+	apache_delete_cache_dirs(system_cronjob_t)
+	apache_delete_cache_files(system_cronjob_t)
+')
+
+optional_policy(`
+	bind_read_config(system_cronjob_t)
 ')
 
 optional_policy(`
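Review bot: `# Needed for certwatch` now heads the whole apache block, so it also claims the new `apache_manage_lib`, `apache_delete_cache_dirs` and `apache_delete_cache_files` calls, which give system cron jobs write and delete access well beyond what a certificate watcher reads. If those three serve a different job, give them their own comment, e.g. `# lib/cache cleanup for <job name>`; if certwatch really needs them, say so.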
@@ -546,10 +543,6 @@ optional_policy(`
 
 optional_policy(`
 	dbus_system_bus_client(system_cronjob_t)
-
-	optional_policy(`
-		networkmanager_dbus_chat(system_cronjob_t)
-	')
 ')
 
 optional_policy(`
@@ -581,6 +574,7 @@ optional_policy(`
 optional_policy(`
 	mta_read_config(system_cronjob_t)
 	mta_send_mail(system_cronjob_t)
+	mta_system_content(system_cron_spool_t)
 ')
 
 optional_policy(`
@@ -588,15 +582,23 @@ optional_policy(`
 ')
 
 optional_policy(`
-	postfix_read_config(system_cronjob_t)
+	networkmanager_dbus_chat(system_cronjob_t)
 ')
 
 optional_policy(`
+	postfix_read_config(system_cronjob_t)
+')	
+
+optional_policy(`
 	prelink_delete_cache(system_cronjob_t)
 	prelink_manage_lib(system_cronjob_t)
 	prelink_manage_log(system_cronjob_t)
 	prelink_read_cache(system_cronjob_t)
-	prelink_relabelfrom_lib(system_cronjob_t)
+	prelink_relabel_lib(system_cronjob_t)
+')
+
+optional_policy(`
+    rkhunter_manage_lib_files(system_cronjob_t)
 ')
 
 optional_policy(`
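Review bot: The `')` closing the postfix block is followed by a tab, and `rkhunter_manage_lib_files(system_cronjob_t)` is indented with four spaces where the rest of the file uses a tab; both trip whitespace checks and stand out in blame. `prelink_relabelfrom_lib` → `prelink_relabel_lib` presumably widens the access from relabelfrom to relabelfrom plus relabelto; a short comment on why cron jobs need to relabel into the prelink lib type would help.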
@@ -606,6 +608,7 @@ optional_policy(`
 
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
+	spamassassin_manage_home_client(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -613,12 +616,24 @@ optional_policy(`
 ')
 
 optional_policy(`
-	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
+	unconfined_domain(crond_t)
+	unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+	unconfined_shell_domtrans(crond_t)
+	unconfined_dbus_send(crond_t)
+	userdom_filetrans_home_content(crond_t)
 ')
 
 ########################################
 #
-# Cronjob local policy
+# User cronjobs local policy
 #
 
 allow cronjob_t self:process { signal_perms setsched };
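Review bot: `unconfined_domain(crond_t)` and `unconfined_domain(system_cronjob_t)` inside an `optional_policy()` make the daemon and every system cron job unconfined whenever the unconfined module is loaded, which silently voids all the fine-grained crond_t and system_cronjob_t rules above. If this is the intended distribution default, gate it behind a named boolean via `tunable_policy` so an administrator can turn it off, and put a comment on the block stating the intent. The second new block adds `unconfined_shell_domtrans(crond_t)` and `userdom_filetrans_home_content(crond_t)` without comment either; a home-content filetrans on the daemon rather than on cronjob_t is surprising and deserves a sentence.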
@@ -626,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
 
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
 kernel_read_system_state(cronjob_t)
 kernel_read_kernel_sysctls(cronjob_t)
 
+# ps does not need to access /boot when run from cron
 files_dontaudit_search_boot(cronjob_t)
 
-corenet_all_recvfrom_unlabeled(cronjob_t)
 corenet_all_recvfrom_netlabel(cronjob_t)
 corenet_tcp_sendrecv_generic_if(cronjob_t)
 corenet_udp_sendrecv_generic_if(cronjob_t)
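Review bot: The seven-line entrypoint comment and the four-line setexeccon comment added here are verbatim copies of the ones in the system_cronjob_t section; keep one full explanation and point to it from the other, e.g. `# see the entrypoint/setexeccon note in the system cron section`. The old cron_userdomain_transition branch also granted `allow crond_t cronjob_t:key manage_key_perms;` (kept for system_cronjob_t in this diff), but the new cronjob_t block has no key rule; unless `userdom_manage_all_users_keys(crond_t)` covers cronjob_t keyrings, that is a behaviour change worth confirming. `allow cronjob_t crond_t:fifo_file rw_file_perms;` uses the file perm set on a fifo; the original `rw_fifo_file_perms` is the class-matched one.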
@@ -639,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
 corenet_udp_sendrecv_generic_node(cronjob_t)
 corenet_tcp_sendrecv_all_ports(cronjob_t)
 corenet_udp_sendrecv_all_ports(cronjob_t)
-
-corenet_sendrecv_all_client_packets(cronjob_t)
 corenet_tcp_connect_all_ports(cronjob_t)
-
-corecmd_exec_all_executables(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
 
 dev_read_urand(cronjob_t)
 
 fs_getattr_all_fs(cronjob_t)
 
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
 domain_dontaudit_read_all_domains_state(cronjob_t)
 domain_dontaudit_getattr_all_domains(cronjob_t)
 
 files_exec_etc_files(cronjob_t)
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
-files_read_usr_files(cronjob_t)
-files_search_spool(cronjob_t)
+# for nscd:
 files_dontaudit_search_pids(cronjob_t)
 
 libs_exec_lib_files(cronjob_t)
 libs_exec_ld_so(cronjob_t)
 
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
 logging_search_logs(cronjob_t)
 
 seutil_read_config(cronjob_t)
 
-miscfiles_read_localization(cronjob_t)
 
 userdom_manage_user_tmp_files(cronjob_t)
 userdom_manage_user_tmp_symlinks(cronjob_t)
 userdom_manage_user_tmp_pipes(cronjob_t)
 userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
 userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
 userdom_manage_user_home_content_files(cronjob_t)
 userdom_manage_user_home_content_symlinks(cronjob_t)
 userdom_manage_user_home_content_pipes(cronjob_t)
 userdom_manage_user_home_content_sockets(cronjob_t)
 
-tunable_policy(`cron_userdomain_transition',`
-	dontaudit cronjob_t crond_t:fd use;
-	dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-	dontaudit cronjob_t crond_t:process sigchld;
-
-	dontaudit cronjob_t user_cron_spool_t:file entrypoint;
-',`
-	allow cronjob_t crond_t:fd use;
-	allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-	allow cronjob_t crond_t:process sigchld;
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
 
-	allow cronjob_t user_cron_spool_t:file entrypoint;
+tunable_policy(`fcron_crond',`
+	allow crond_t user_cron_spool_t:file manage_file_perms;
 ')
 
+# need a per-role version of this:
+#optional_policy(`
+#	mono_domtrans(cronjob_t)
+#')
+
 optional_policy(`
 	nis_use_ypbind(cronjob_t)
 ')
 
 ########################################
 #
-# Unconfined local policy
+# Unconfined cronjobs local policy
 #
 
 optional_policy(`
-	type unconfined_cronjob_t;
-	domain_type(unconfined_cronjob_t)
-	domain_cron_exemption_target(unconfined_cronjob_t)
-
+	# Permit a transition from the crond_t domain to this domain.
+	# The transition is requested explicitly by the modified crond 
+	# via setexeccon.  There is no way to set up an automatic
+	# transition, since crontabs are configuration files, not executables.
+	allow crond_t unconfined_cronjob_t:process transition;
 	dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+	allow crond_t unconfined_cronjob_t:fd use;
 
 	unconfined_domain(unconfined_cronjob_t)
+')
 
-	tunable_policy(`cron_userdomain_transition',`
-		dontaudit crond_t unconfined_cronjob_t:process transition;
-		dontaudit crond_t unconfined_cronjob_t:fd use;
-		dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
-	',`
-		allow crond_t unconfined_cronjob_t:process transition;
-		allow crond_t unconfined_cronjob_t:fd use;
-		allow crond_t unconfined_cronjob_t:key manage_key_perms;
-	')
+##############################
+#
+# crontab common policy
+#
+
+# dac_override is to create the file in the directory under /tmp
+allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
+allow crontab_domain crond_t:process signal;
+allow crontab_domain crond_var_run_t:file read_file_perms;
+
+# create files in /var/spool/cron
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+files_list_spool(crontab_domain)
+
+# crontab signals crond by updating the mtime on the spooldir
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+
+# for the checks used by crontab -u
+selinux_dontaudit_search_fs(crontab_domain)
+
+fs_getattr_xattr_fs(crontab_domain)
+fs_manage_cgroup_dirs(crontab_domain)
+fs_manage_cgroup_files(crontab_domain)
+
+domain_use_interactive_fds(crontab_domain)
+
+files_dontaudit_search_pids(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+
+auth_rw_var_auth(crontab_domain)
+
+logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
+
+init_dontaudit_write_utmp(crontab_domain)
+init_read_utmp(crontab_domain)
+init_read_state(crontab_domain)
+
+
+seutil_read_config(crontab_domain)
+
+userdom_manage_user_tmp_dirs(crontab_domain)
+userdom_manage_user_tmp_files(crontab_domain)
+# Access terminals.
+userdom_use_inherited_user_terminals(crontab_domain)
+# Read user crontabs
+userdom_read_user_home_content_files(crontab_domain)
+userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`fcron_crond',`
+	# fcron wants an instant update of a crontab change for the administrator
+	# also crontab does a security check for crontab -u
+	dontaudit crontab_domain crond_t:process signal;
+')
+
+optional_policy(`
+	ssh_dontaudit_use_ptys(crontab_domain)
+')
+
+optional_policy(`
+	openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+	openshift_transition(system_cronjob_t)
 ')
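Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies the symlink perm set to the `file` class, which still hands crond create/write/unlink on user crontabs unconditionally and makes the fcron_crond tunable right below it nearly redundant; if symlink management was meant, the class should be `lnk_file` (`read_lnk_files_pattern` already covers reading). In the relocated crontab common policy, `files_search_pids(crontab_domain)` became `files_dontaudit_search_pids`, yet `allow crontab_domain crond_var_run_t:file read_file_perms;` stays; unless another interface grants search on the pid directory, that read is unreachable and its denial is now hidden. `openshift_transition(system_cronjob_t)` sits in the crontab common section's optional block although it concerns system_cronjob_t. The unconfined_cronjob_t block also drops the old `key manage_key_perms` rule, the same point raised for cronjob_t above.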
diff --git a/ctdb.fc b/ctdb.fc
index 8401fe6..9131995 100644
--- a/ctdb.fc
+++ b/ctdb.fc
@@ -2,11 +2,16 @@
 
 /usr/sbin/ctdbd	--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
 
+/var/ctdb(/.*)?    gen_context(system_u:object_r:ctdbd_var_t,s0)
+
+/var/lib/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 /var/lib/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 
 /var/log/ctdb\.log.*	--	gen_context(system_u:object_r:ctdbd_log_t,s0)
 /var/log/log\.ctdb.*	--	gen_context(system_u:object_r:ctdbd_log_t,s0)
 
+
+/var/run/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_run_t,s0)
 /var/run/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_run_t,s0)
 
 /var/spool/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_spool_t,s0)
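Review bot: The new `/var/ctdb(/.*)?` entry separates path and context with spaces while every other entry uses tabs, and an extra blank line is introduced before the `/var/run/ctdb` entry; align both with the surrounding lines. Labeling `/var/ctdb` as `ctdbd_var_t` relies on a type that nothing in this diff shows declared in ctdb.te; confirm the declaration is part of the same commit.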
diff --git a/ctdb.if b/ctdb.if
index b25b01d..e99c5c6 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,144 @@
-## <summary>Clustered Database based on Samba Trivial Database.</summary>
+
+## <summary>policy for ctdbd</summary>
+
+########################################
+## <summary>
+##	Transition to ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ctdbd_domtrans',`
+	gen_require(`
+		type ctdbd_t, ctdbd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+## <summary>
+##	Execute ctdbd server in the ctdbd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_initrc_domtrans',`
+	gen_require(`
+		type ctdbd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read ctdbd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ctdbd_read_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to ctdbd log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`ctdbd_append_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	ctdbd lib files.
+##	Manage ctdbd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_manage_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+        manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+        manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+##	Search ctdbd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_search_lib',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read ctdbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_read_lib_files',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage ctdbd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
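Review bot: Two of the new interface headers document the wrong thing: `ctdbd_append_log` says `Domain allowed to transition.` and `ctdbd_manage_log` says `Domain to not audit.`, but both grant access, so each should read `Domain allowed access.`. Several bodies (`ctdbd_read_log`, `ctdbd_append_log`, `ctdbd_manage_log`, `ctdbd_read_lib_files`) indent the pattern call with eight spaces while `gen_require` and the rest of the file use tabs. The file summary is reduced from `Clustered Database based on Samba Trivial Database.` to `policy for ctdbd`, losing the one line that tells a reader what ctdb is; keep the descriptive wording. The last interface header continues past the end of this hunk.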
@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',`
 	')
 
 	files_search_var_lib($1)
-	manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+        manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Connect to ctdbd with a unix
-##	domain stream socket.
+##	Manage ctdbd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
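Review bot: The replacement summary `##	Manage ctdbd lib files.` now reads identically to the summary of `ctdbd_manage_lib_files` directly above it, while the interface it heads (named `ctdbd_manage_var_files` in the next hunk) operates on `ctdbd_var_t`, not the lib type. Change it to `##	Manage ctdbd var files.` so the two interfaces stay distinguishable in generated documentation. The only other change in this hunk swaps the tab before `manage_files_pattern` for eight spaces, diverging from the tab indentation the rest of the file uses; keep the tab.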
@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`ctdbd_stream_connect',`
+interface(`ctdbd_manage_var_files',`
 	gen_require(`
-		type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+		type ctdbd_var_t;
+	')
+
+	files_search_var_lib($1)
+    manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t)
+')
+
+########################################
+## <summary>
+##	Manage ctdbd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_manage_lib_dirs',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read ctdbd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_read_pid_files',`
+	gen_require(`
+		type ctdbd_var_run_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+	allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Connect to ctdbd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ctdbd_stream_connect',`
+    gen_require(`
+        type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+    ')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+    stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an ctdb environment.
+##	All of the rules required to administrate
+##	an ctdbd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
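Review bot: `ctdbd_manage_var_files` calls `files_search_var_lib($1)`, but `ctdbd_var_t` is created under /var by the `files_var_filetrans` rules in the ctdb.te hunk of this commit, so callers need `files_search_var($1)` to reach it; the `files_search_var_lib` line looks copy-pasted from the lib interfaces. In `ctdbd_read_pid_files`, `allow $1 ctdbd_var_run_t:file read_file_perms;` grants no search on the `ctdbd_var_run_t` directory that ctdb.te creates through `files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)`, so a caller cannot open a pid file inside it; `read_files_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t)` covers both. The rewritten `ctdbd_stream_connect` and the `manage_files_pattern` line in `ctdbd_manage_var_files` are indented with four spaces while the rest of the file uses tabs.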
@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
-interface(`ctdb_admin',`
+interface(`ctdbd_admin',`
 	gen_require(`
-		type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+		type ctdbd_t, ctdbd_initrc_exec_t;
 		type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
 	')
 
-	allow $1 ctdbd_t:process { ptrace signal_perms };
+	allow $1 ctdbd_t:process signal_perms;
 	ps_process_pattern($1, ctdbd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ctdbd_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+	ctdbd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 ctdbd_initrc_exec_t system_r;
 	allow $2 system_r;
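Review bot: Renaming `ctdb_admin` to `ctdbd_admin` drops the old interface name without leaving a deprecated wrapper, so any caller that still invokes `ctdb_admin` fails to build; if callers outside this module exist, keep a `ctdb_admin` shim that emits `refpolicywarn` and calls `ctdbd_admin($1, $2)`. `ctdbd_tmp_t` is removed from the gen_require and its `admin_pattern` goes in the next hunk, yet `ctdbd_stream_connect` still connects through `ctdbd_tmp_t` sockets, so an administrator domain can no longer clean up stale ctdbd temp sockets; presumably intentional, but worth a sentence in the commit message. `ctdbd_initrc_domtrans`, which replaces `init_labeled_script_domtrans`, must be defined in this file; it is not within the hunks shown here.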
@@ -74,12 +269,10 @@ interface(`ctdb_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, ctdbd_log_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, ctdbd_tmp_t)
-
 	files_search_var_lib($1)
 	admin_pattern($1, ctdbd_var_lib_t)
 
 	files_search_pids($1)
 	admin_pattern($1, ctdbd_var_run_t)
 ')
+
diff --git a/ctdb.te b/ctdb.te
index 6ce66e7..7725178 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
 type ctdbd_var_lib_t;
 files_type(ctdbd_var_lib_t)
 
+type ctdbd_var_t;
+files_type(ctdbd_var_t)
+
 type ctdbd_var_run_t;
 files_pid_file(ctdbd_var_run_t)
 
@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t)
 #
 
 allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+allow ctdbd_t self:capability2 block_suspend;
 allow ctdbd_t self:process { setpgid signal_perms setsched };
 allow ctdbd_t self:fifo_file rw_fifo_file_perms;
 allow ctdbd_t self:unix_stream_socket { accept connectto listen };
 allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
 allow ctdbd_t self:packet_socket create_socket_perms;
 allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+allow ctdbd_t self:udp_socket create_socket_perms;
 
 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
 create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
 exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
 
 manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
 manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
 files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
 
 kernel_read_network_state(ctdbd_t)
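Review bot: The new `files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")` and `"ctdb"` rules label those directories `ctdbd_var_t` only when ctdbd itself creates them; nothing in this diff adds matching `/var/ctdb(/.*)?` and `/var/ctdbd(/.*)?` entries to ctdb.fc, so a `restorecon` would relabel the trees to the /var default and the daemon would lose access to its own state. If ctdb.fc is not touched elsewhere in this commit, add the two entries with `gen_context(system_u:object_r:ctdbd_var_t,s0)`. Narrowing `files_var_lib_filetrans` to the `"ctdb"` name has the same dependency on a `/var/lib/ctdb(/.*)?` entry.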
@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
 corenet_tcp_sendrecv_generic_if(ctdbd_t)
 corenet_tcp_sendrecv_generic_node(ctdbd_t)
 corenet_tcp_bind_generic_node(ctdbd_t)
+corenet_udp_bind_generic_node(ctdbd_t)
 
 corenet_sendrecv_ctdb_server_packets(ctdbd_t)
 corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_connect_ctdb_port(ctdbd_t)
 corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
 
 corecmd_exec_bin(ctdbd_t)
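Review bot: `corenet_udp_bind_generic_node` and `corenet_udp_bind_ctdb_port` let ctdbd bind a UDP socket, but no `corenet_udp_sendrecv_*` rules accompany them, whereas the TCP side of this file pairs bind with `corenet_tcp_sendrecv_generic_if`/`_node` and `corenet_tcp_sendrecv_ctdb_port`. If this policy still enforces netif/node/port sendrecv for UDP, datagrams on the bound socket are denied; add `corenet_udp_sendrecv_generic_if(ctdbd_t)`, `corenet_udp_sendrecv_generic_node(ctdbd_t)` and `corenet_udp_sendrecv_ctdb_port(ctdbd_t)`. `corenet_udp_bind_ctdb_port` also presumes the ctdb port is declared for udp in corenetwork; confirm that declaration exists in the target tree.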
@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t)
 
 domain_dontaudit_read_all_domains_state(ctdbd_t)
 
-files_read_etc_files(ctdbd_t)
 files_search_all_mountpoints(ctdbd_t)
 
+fs_getattr_all_fs(ctdbd_t)
+
+auth_read_passwd(ctdbd_t)
+
 logging_send_syslog_msg(ctdbd_t)
 
-miscfiles_read_localization(ctdbd_t)
 miscfiles_read_public_files(ctdbd_t)
 
 optional_policy(`
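Review bot: `files_read_etc_files(ctdbd_t)` and `miscfiles_read_localization(ctdbd_t)` are removed with no replacement in this hunk; that is only safe if the base policy now grants /etc and locale reads to every domain, otherwise ctdbd loses the ability to read its own configuration under /etc. If the tree this is merged into does not grant them globally, restore both lines. `auth_read_passwd(ctdbd_t)` is added without a comment on what triggers it; a one-line note above it such as `# for user/group lookups` would help the next reviewer, if that is indeed the reason.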
@@ -109,6 +126,7 @@ optional_policy(`
 	samba_initrc_domtrans(ctdbd_t)
 	samba_domtrans_net(ctdbd_t)
 	samba_rw_var_files(ctdbd_t)
+	samba_systemctl(ctdbd_t)
 ')
 
 optional_policy(`
diff --git a/cups.fc b/cups.fc
index 949011e..9437dbe 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,91 @@
-/etc/alchemist/namespace/printconf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/etc/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
-/etc/cups/classes\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/cupsd\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/lpoptions.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/printers\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/subscriptions.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
 
 /etc/cups/interfaces(/.*)?	gen_context(system_u:object_r:cupsd_interface_t,s0)
 
-/etc/hp(/.*)?	gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/hp(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
 
-/lib/udev/udev-configure-printer	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/opt/brother/Printers(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/gutenprint/ppds(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/systemd/system/cups.*	--	gen_context(system_u:object_r:cupsd_unit_file_t,s0)
 
-/usr/bin/cups-config-daemon	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/hpijs	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
-/usr/Brother/fax/.*\.log.*	gen_context(system_u:object_r:cupsd_log_t,s0)
-/usr/Brother/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/Printer/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/lib/cups/daemon/cups-lpd	--	gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-/usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-/usr/lib/cups/backend/hp.*	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib/udev/udev-configure-printer	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/usr/libexec/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/libexec/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* --	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/usr/local/linuxprinter/ppd(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
-/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/cupsd	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cups-browsed 	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 
-/usr/share/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
-/usr/share/foomatic/db/oldprinterids	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/.*\.py	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py --	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/var/cache/alchemist/printconf.*	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/cups(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
 
 /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
 
-/var/lib/hp(/.*)?	gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/lib/hp(/.*)?		gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/var/log/cups(/.*)?	gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.*	gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 
-/var/ccpd(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/log/hp(/.*)?       gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+/var/run/hplip(/.*)		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.port	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
 /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/udev-configure-printer(/.*)?	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
-/var/turboprint(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+
+/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
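Review bot: The new entry `/var/run/hplip(/.*)		gen_context(system_u:object_r:cupsd_var_run_t,s0)` is missing the `?` after the group, so it matches only entries inside the directory and never `/var/run/hplip` itself, which keeps the /var/run default label; write `/var/run/hplip(/.*)?`. Relabeling every HPLIP binary (`/usr/bin/hpijs`, `/usr/sbin/hp-[^/]+`, `/usr/sbin/hpiod`, `/usr/lib/cups/backend/hp.*`, `/usr/share/hplip/.*\.py`) to `cupsd_exec_t` means those tools now run with the full `cupsd_t` rule set instead of a separate `hplip_t`; that consolidation deserves a sentence in the commit description. `/usr/lib/bjlib(/.*)?` is given the writable-config label `cupsd_rw_etc_t` and filed between the `/var/lib/cups` entries; both the label on a /usr path and its placement look like they should be revisited.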
diff --git a/cups.if b/cups.if
index 06da9a0..c18145d 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
 interface(`cups_read_config',`
 	gen_require(`
 		type cupsd_etc_t, cupsd_rw_etc_t;
+		type hplip_etc_t;
 	')
 
 	files_search_etc($1)
-	read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+	read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+	read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
 ')
 
 ########################################
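Review bot: `read_files_pattern($1, hplip_etc_t, hplip_etc_t)` is redundant, because cups.te in this same commit makes `hplip_etc_t` a typealias of `cupsd_etc_t`; the line grants nothing beyond the `cupsd_etc_t` line above it, and the added `type hplip_etc_t;` gen_require only pins the compatibility alias. Drop both so the interface does not depend on an alias that exists only for old callers. Splitting the old `{ cupsd_etc_t cupsd_rw_etc_t }` set into two calls is equivalent and fine.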
@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
 
 ########################################
 ## <summary>
+##	Execute cupsd server in the cupsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cupsd_systemctl',`
+	gen_require(`
+		type cupsd_t;
+		type cupsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 cupsd_unit_file_t:file read_file_perms;
+	allow $1 cupsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, cupsd_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an cups environment.
 ## </summary>
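Review bot: The summary `##	Execute cupsd server in the cupsd domain.` does not describe `cupsd_systemctl`, which grants systemctl execution, read of the unit file, `manage_service_perms` on it and `ps_process_pattern` on cupsd_t; replace it with `##	Execute systemctl to manage the cupsd service, and read cupsd process state.`. The parameter text `Domain allowed to transition.` is likewise left over from a domtrans template; `Domain allowed access.` matches what the body grants. The name also breaks the `cups_` prefix every other interface in this file uses (`cups_read_config`, `cups_admin`, the new `cups_filetrans_named_content`); `cups_systemctl` would be consistent, with the call inside `cups_admin` adjusted to match.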
@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',`
 interface(`cups_admin',`
 	gen_require(`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-		type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+		type cupsd_etc_t, cupsd_log_t;
 		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
 		type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
 		type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
 		type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
-		type hplip_t, ptal_t;
+		type ptal_t;
+		type cupsd_unit_file_t;
 	')
 
-	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
-	allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
+	allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
 	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
-	ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+	ps_process_pattern($1, { cups_pdf_t ptal_t })
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
 	domain_system_change_exemption($1)
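Review bot: The `deny_ptrace` block only restores ptrace for `{ cupsd_t cupsd_config_t cupsd_lpd_t }`, while the replaced rules also granted ptrace on `cups_pdf_t` and `ptal_t`; those two domains lose ptrace unconditionally, which anyone debugging a backend from the admin role will notice. Either add `allow $1 { cups_pdf_t ptal_t }:process ptrace;` inside the same tunable block or state the deliberate narrowing in the commit message. `{ signal_perms }` in braces is a single macro and can be written without them, as `ctdbd_admin` does elsewhere in this commit.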
@@ -348,13 +379,64 @@ interface(`cups_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, cupsd_log_t)
 
-	files_list_spool($1)
-	admin_pattern($1, cupsd_spool_t)
-
 	files_list_tmp($1)
 	admin_pattern($1, { cupsd_tmp_t  cupsd_lpd_tmp_t })
-
-	files_list_pids($1)
 	admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
 	admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
+
+	cupsd_systemctl($1)
+	admin_pattern($1, cupsd_unit_file_t)
+	allow $1 cupsd_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+##	Transition to cups named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_filetrans_named_content',`
+	gen_require(`
+		type cupsd_rw_etc_t;
+		type cupsd_etc_t;
+	')
+
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
+	files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
+	files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
+')
+
+########################################
+## <summary>
+##	Allow the domain to read cups state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_read_state',`
+	gen_require(`
+		type cupsd_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, cupsd_t)
 ')
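Review bot: `files_list_pids($1)` is removed while the `admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })` and `ptal_var_run_t`/`cupsd_lpd_var_run_t` lines stay, so a caller without /var/run search cannot reach the objects those patterns grant; the spool removal just above drops both halves together, which suggests the pids line went by accident. Restore `files_list_pids($1)` before the two `admin_pattern` calls. In `cups_filetrans_named_content`, the `files_usr_filetrans` and `corecmd_bin_filetrans` rules create `cupsd_rw_etc_t` directories named `inf` under /usr and bin paths; if that is for the vendor driver trees listed in cups.fc, say so in a comment, because a writable-config type under /usr is unusual enough to be questioned later.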
diff --git a/cups.te b/cups.te
index 9f34c2e..f3aaaed 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
 # Declarations
 #
 
-type cupsd_config_t;
+attribute cups_domain;
+
+type cupsd_config_t, cups_domain;
 type cupsd_config_exec_t;
 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
 
 type cupsd_config_var_run_t;
 files_pid_file(cupsd_config_var_run_t)
 
-type cupsd_t;
+type cupsd_t, cups_domain;
 type cupsd_exec_t;
+typealias cupsd_t alias hplip_t;
+typealias cupsd_exec_t alias hplip_exec_t;
 init_daemon_domain(cupsd_t, cupsd_exec_t)
 mls_trusted_object(cupsd_t)
 
 type cupsd_etc_t;
+typealias cupsd_etc_t alias hplip_etc_t;
 files_config_file(cupsd_etc_t)
 
 type cupsd_initrc_exec_t;
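Review bot: `typealias cupsd_t alias hplip_t;` merges the former hplip domain into cupsd_t, so everything previously confined as `hplip_t` now holds cupsd_t's capability set (`sys_admin`, `dac_override`, `dac_read_search`, `kill`, `chown` per the rule later in this file) plus its network and device rules; the aliases keep old policy loading but widen what HPLIP code may do. A comment above the alias pair, e.g. `# hplip_t was merged into cupsd_t; aliases kept for policies that still reference the old types`, would keep the next reader from reintroducing a separate domain by mistake and records that the widening was a choice.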
@@ -33,13 +38,15 @@ type cupsd_lock_t;
 files_lock_file(cupsd_lock_t)
 
 type cupsd_log_t;
+typealias cupsd_log_t alias hplip_var_log_t;
 logging_log_file(cupsd_log_t)
 
-type cupsd_lpd_t;
+type cupsd_var_lib_t alias hplip_var_lib_t;
+files_type(cupsd_var_lib_t)
+
+type cupsd_lpd_t, cups_domain;
 type cupsd_lpd_exec_t;
-domain_type(cupsd_lpd_t)
-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-role system_r types cupsd_lpd_t;
+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 
 type cupsd_lpd_tmp_t;
 files_tmp_file(cupsd_lpd_tmp_t)
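Review bot: `type cupsd_var_lib_t alias hplip_var_lib_t;` declares its alias inline, whereas every other compatibility alias added in this commit uses a separate `typealias ... alias ...;` statement after the `type` line; pick one form for the file. Replacing `domain_type`/`domain_entry_file`/`role system_r types` with `init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)` presumably also lets init transition straight into `cupsd_lpd_t`, not only via cupsd; if that is for socket activation, a one-line comment saying so would help.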
@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
 type cupsd_lpd_var_run_t;
 files_pid_file(cupsd_lpd_var_run_t)
 
-type cups_pdf_t;
+type cups_pdf_t, cups_domain;
 type cups_pdf_exec_t;
 cups_backend(cups_pdf_t, cups_pdf_exec_t)
 
@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
 files_tmp_file(cups_pdf_tmp_t)
 
 type cupsd_tmp_t;
+typealias cupsd_tmp_t alias hplip_tmp_t;
 files_tmp_file(cupsd_tmp_t)
 
 type cupsd_var_run_t;
+typealias cupsd_var_run_t alias hplip_var_run_t;
 files_pid_file(cupsd_var_run_t)
 init_daemon_run_dir(cupsd_var_run_t, "cups")
 mls_trusted_object(cupsd_var_run_t)
 
-type hplip_t;
-type hplip_exec_t;
-init_daemon_domain(hplip_t, hplip_exec_t)
-cups_backend(hplip_t, hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
-
-type hplip_tmp_t;
-files_tmp_file(hplip_tmp_t)
-
-type hplip_var_lib_t;
-files_type(hplip_var_lib_t)
-
-type hplip_var_run_t;
-files_pid_file(hplip_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
 
 type ptal_t;
 type ptal_exec_t;
@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
 ')
 
+#######################################
+#
+# Cups general local policy
+#
+
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
+
+corecmd_exec_bin(cups_domain)
+corecmd_exec_shell(cups_domain)
+
+dev_read_urand(cups_domain)
+dev_read_rand(cups_domain)
+dev_read_sysfs(cups_domain)
+
+fs_getattr_all_fs(cups_domain)
+
+miscfiles_read_fonts(cups_domain)
+miscfiles_setattr_fonts_cache_dirs(cups_domain)
+
+optional_policy(`
+    lpd_manage_spool(cups_domain)
+')
+
 ########################################
 #
 # Cups local policy
 #
 
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched };
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
 allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:sem create_sem_perms;
-allow cupsd_t self:tcp_socket { accept listen };
 allow cupsd_t self:appletalk_socket create_socket_perms;
 
 allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
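Review bot: The shared `allow cups_domain self:capability { setuid setgid sys_nice };` hands `setuid`/`setgid` to every member of the attribute, including `cupsd_lpd_t` and `cups_pdf_t`, whose own rules are not visible here; if those domains did not previously hold them this is a privilege widening rather than a refactor and should be called out. The `optional_policy(` block around `lpd_manage_spool(cups_domain)` is indented with four spaces, as is the `vmware_read_system_config(cupsd_t)` block later in this file, while the rest of the file uses tabs. `sys_rawio` disappears from the cupsd_t capability line without moving to the attribute; a tightening, but state it in the commit message so the removal is not mistaken for an oversight.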
@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 
 manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
 
 allow cupsd_t cupsd_exec_t:dir search_dir_perms;
 allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
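Review bot: `can_exec(cupsd_t, cupsd_interface_t)` duplicates the existing `can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })` that remains further down in this file; drop the new line. `cups_filetrans_named_content(cupsd_t)` sits next to `filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)`, which already transitions every file cupsd creates in `cupsd_etc_t` to `cupsd_rw_etc_t`, so for cupsd_t itself the named `classes.conf`/`printers.conf` entries appear to add nothing and only the `files_etc_filetrans`/`files_usr_filetrans`/`files_var_filetrans` lines of that interface are new; worth a comment so nobody expects the named rules to narrow behaviour.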
@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
 files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
 
 manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
 
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+
 manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
 
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
 
-allow cupsd_t hplip_t:process { signal sigkill };
-
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
 
-allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
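Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`read_files_pattern`/`setattr_files_pattern` on `cupsd_log_t` with `manage_files_pattern` lets cupsd_t overwrite, truncate, rename and unlink its own log files, which the old append-only set deliberately prevented; a daemon exposed to network input and untrusted print jobs is exactly where append-only logging matters for post-incident review. If cupsd genuinely needs to rotate logs itself, grant that narrowly (e.g. add `rename` and `unlink` to the existing set) rather than the whole manage set, and say why in a comment. The removed `hplip_var_run_t` line leaves a double blank line before the `stream_connect_pattern`; collapse it to one.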
@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
 
 kernel_read_system_state(cupsd_t)
-kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
 kernel_request_load_module(cupsd_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_t)
 corenet_all_recvfrom_netlabel(cupsd_t)
 corenet_tcp_sendrecv_generic_if(cupsd_t)
 corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_bind_all_rpc_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
 
-corecmd_exec_bin(cupsd_t)
-corecmd_exec_shell(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_receive_hplip_server_packets(cupsd_t)
+corenet_tcp_bind_hplip_port(cupsd_t)
+corenet_tcp_connect_hplip_port(cupsd_t)
+corenet_tcp_bind_glance_port(cupsd_t)
+corenet_tcp_connect_glance_port(cupsd_t)
+
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_tcp_connect_ipp_port(cupsd_t)
+
+corenet_sendrecv_howl_server_packets(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
 
 dev_rw_printer(cupsd_t)
-dev_read_urand(cupsd_t)
-dev_read_sysfs(cupsd_t)
 dev_rw_input_dev(cupsd_t)
 dev_rw_generic_usb_dev(cupsd_t)
 dev_rw_usbfs(cupsd_t)
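Review bot: `corenet_tcp_bind_glance_port(cupsd_t)` and `corenet_tcp_connect_glance_port(cupsd_t)` give a print daemon bind and connect rights on the OpenStack glance port with no explanation; presumably the port number collides with a printer port that the hplip port type does not cover, but as written the pair reads like a copy-paste error. Add a comment above it such as `# glance_port_t shares a port number with HP network printers — TODO confirm`, or move that port into the hplip port type in corenetwork and drop these two lines. Removing `corecmd_exec_bin`/`corecmd_exec_shell` here is fine since the `cups_domain` block grants them.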
@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
 files_getattr_boot_dirs(cupsd_t)
 files_list_spool(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
-files_read_usr_files(cupsd_t)
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
@@ -215,17 +243,19 @@ files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
 files_read_var_files(cupsd_t)
 files_read_var_symlinks(cupsd_t)
-files_write_generic_pid_pipes(cupsd_t)
 files_dontaudit_getattr_all_tmp_files(cupsd_t)
 files_dontaudit_list_home(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
+files_dontaudit_write_usr_dirs(cupsd_t)
 
-fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
 fs_search_fusefs(cupsd_t)
 fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
 
+mls_dbus_send_all_levels(cupsd_t)
 mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
 mls_file_write_all_levels(cupsd_t)
@@ -235,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t)
 
 term_search_ptys(cupsd_t)
 term_use_unallocated_ttys(cupsd_t)
+term_use_ptmx(cupsd_t)
+term_use_usb_ttys(cupsd_t)
 
 selinux_compute_access_vector(cupsd_t)
 selinux_validate_context(cupsd_t)
@@ -247,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
 auth_rw_faillog(cupsd_t)
 auth_use_nsswitch(cupsd_t)
 
-libs_read_lib_files(cupsd_t)
 libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
 
 logging_send_audit_msgs(cupsd_t)
 logging_send_syslog_msg(cupsd_t)
 
-miscfiles_read_localization(cupsd_t)
-miscfiles_read_fonts(cupsd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-
 seutil_read_config(cupsd_t)
 
 sysnet_exec_ifconfig(cupsd_t)
+sysnet_dns_name_resolve(cupsd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
 userdom_dontaudit_search_user_home_content(cupsd_t)
 
 optional_policy(`
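Review bot: The added `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` duplicates the unchanged line three lines above it, and the added `userdom_dontaudit_search_user_home_content(cupsd_t)` duplicates the unchanged line directly after it; drop the two added duplicates and keep only the new `userdom_dontaudit_search_user_home_dirs(cupsd_t)`. Removing `libs_read_lib_files` and the `miscfiles_*` calls relies on the base policy or the `cups_domain` block granting them: `miscfiles_read_fonts` and `miscfiles_setattr_fonts_cache_dirs` are on the attribute, but `miscfiles_read_localization` and `libs_read_lib_files` appear nowhere else in this diff, so confirm they are granted globally in the target tree.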
@@ -275,6 +307,8 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(cupsd_t)
 
+	init_dbus_chat(cupsd_t)
+
 	userdom_dbus_send_all_users(cupsd_t)
 
 	optional_policy(`
@@ -285,8 +319,10 @@ optional_policy(`
 		hal_dbus_chat(cupsd_t)
 	')
 
+	# talk to processes that do not have policy
 	optional_policy(`
 		unconfined_dbus_chat(cupsd_t)
+		files_write_generic_pid_pipes(cupsd_t)
 	')
 ')
 
@@ -299,8 +335,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
 	kerberos_manage_host_rcache(cupsd_t)
-	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
 
 optional_policy(`
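Review bot: `kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")` drops the `file` class argument the old call passed, so this line only builds against a kerberos.if whose interface takes (domain, name); that file is not part of this diff, so confirm the signature in the target tree or the module will fail to compile.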
@@ -309,7 +345,6 @@ optional_policy(`
 
 optional_policy(`
 	lpd_exec_lpr(cupsd_t)
-	lpd_manage_spool(cupsd_t)
 	lpd_read_config(cupsd_t)
 	lpd_relabel_spool(cupsd_t)
 ')
@@ -337,7 +372,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	virt_rw_all_image_chr_files(cupsd_t)
+	virt_rw_chr_files(cupsd_t)
+')
+
+optional_policy(`
+    vmware_read_system_config(cupsd_t)
 ')
 
 ########################################
@@ -345,12 +384,11 @@ optional_policy(`
 # Configuration daemon local policy
 #
 
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
 dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched signal_perms };
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_config_t self:tcp_socket { accept listen };
+allow cupsd_config_t self:process { getsched };
 
+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
 allow cupsd_config_t cupsd_t:process signal;
 ps_process_pattern(cupsd_config_t, cupsd_t)
 
@@ -375,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
 
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
 
 stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 
 can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+can_exec(cupsd_config_t, cupsd_exec_t)
 
 kernel_read_system_state(cupsd_config_t)
 kernel_read_all_sysctls(cupsd_config_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_config_t)
 corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_generic_if(cupsd_config_t)
 corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -395,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
 corenet_sendrecv_all_client_packets(cupsd_config_t)
 corenet_tcp_connect_all_ports(cupsd_config_t)
 
-corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_shell(cupsd_config_t)
-
-dev_read_sysfs(cupsd_config_t)
-dev_read_urand(cupsd_config_t)
-dev_read_rand(cupsd_config_t)
 dev_rw_generic_usb_dev(cupsd_config_t)
 
 files_read_etc_runtime_files(cupsd_config_t)
-files_read_usr_files(cupsd_config_t)
 files_read_var_symlinks(cupsd_config_t)
 files_search_all_mountpoints(cupsd_config_t)
 
-fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
 
 domain_use_interactive_fds(cupsd_config_t)
@@ -420,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t)
 
 logging_send_syslog_msg(cupsd_config_t)
 
-miscfiles_read_localization(cupsd_config_t)
-miscfiles_read_hwdata(cupsd_config_t)
-
-seutil_dontaudit_search_config(cupsd_config_t)
-
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
@@ -452,9 +475,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+    gnome_dontaudit_read_config(cupsd_config_t)
+')
+
+optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
-	hal_dontaudit_use_fds(hplip_t)
 ')
 
 optional_policy(`
@@ -490,10 +516,6 @@ optional_policy(`
 # Lpd local policy
 #
 
-allow cupsd_lpd_t self:capability { setuid setgid };
-allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_lpd_t self:tcp_socket { accept listen };
 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
 allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -511,31 +533,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
-kernel_read_network_state(cupsd_lpd_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
 corenet_all_recvfrom_netlabel(cupsd_lpd_t)
 corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
 corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
 
 corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
 
-dev_read_urand(cupsd_lpd_t)
-dev_read_rand(cupsd_lpd_t)
-
-fs_getattr_xattr_fs(cupsd_lpd_t)
-
 files_search_home(cupsd_lpd_t)
 
 auth_use_nsswitch(cupsd_lpd_t)
 
 logging_send_syslog_msg(cupsd_lpd_t)
 
-miscfiles_read_localization(cupsd_lpd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 ')
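Review bot: `corenet_tcp_bind_printer_port(cupsd_lpd_t)` grants binding of the printer port to a domain whose `self:tcp_socket { accept listen }` rule was removed in the previous hunk and which is entered through `inetd_service_domain`, so a bind here looks unintended. If cupsd_lpd_t only initiates connections, keep `corenet_tcp_connect_printer_port(cupsd_lpd_t)` and drop the bind line; if it really does bind, the pairing used for ptal_t later in this file (`corenet_sendrecv_ptal_server_packets` alongside `corenet_tcp_bind_ptal_port`) suggests adding the matching printer server-packet interface. I cannot tell from the policy alone which the daemon does.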
@@ -546,7 +560,6 @@ optional_policy(`
 #
 
 allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 
 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -562,148 +575,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
 
 kernel_read_system_state(cups_pdf_t)
 
-files_read_usr_files(cups_pdf_t)
-
-corecmd_exec_bin(cups_pdf_t)
-corecmd_exec_shell(cups_pdf_t)
-
 auth_use_nsswitch(cups_pdf_t)
 
-miscfiles_read_localization(cups_pdf_t)
-miscfiles_read_fonts(cups_pdf_t)
-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
 userdom_manage_user_home_content_dirs(cups_pdf_t)
 userdom_manage_user_home_content_files(cups_pdf_t)
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_filetrans_home_content(cups_pdf_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(cups_pdf_t)
 	fs_manage_nfs_files(cups_pdf_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(cups_pdf_t)
-	fs_manage_cifs_files(cups_pdf_t)
-')
+userdom_home_manager(cups_pdf_t)
 
 optional_policy(`
-	lpd_manage_spool(cups_pdf_t)
+	gnome_read_config(cups_pdf_t)
 ')
 
-########################################
-#
-# HPLIP local policy
-#
-
-allow hplip_t self:capability { dac_override dac_read_search net_raw };
-dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process signal_perms;
-allow hplip_t self:tcp_socket { accept listen };
-allow hplip_t self:rawip_socket create_socket_perms;
-
-allow hplip_t cupsd_etc_t:dir search_dir_perms;
-
-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-allow hplip_t hplip_etc_t:file read_file_perms;
-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-
-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-
-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
-kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctls(hplip_t)
-
-corenet_all_recvfrom_unlabeled(hplip_t)
-corenet_all_recvfrom_netlabel(hplip_t)
-corenet_tcp_sendrecv_generic_if(hplip_t)
-corenet_udp_sendrecv_generic_if(hplip_t)
-corenet_raw_sendrecv_generic_if(hplip_t)
-corenet_tcp_sendrecv_generic_node(hplip_t)
-corenet_udp_sendrecv_generic_node(hplip_t)
-corenet_raw_sendrecv_generic_node(hplip_t)
-corenet_tcp_sendrecv_all_ports(hplip_t)
-corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_tcp_bind_generic_node(hplip_t)
-corenet_udp_bind_generic_node(hplip_t)
-
-corenet_sendrecv_hplip_client_packets(hplip_t)
-corenet_receive_hplip_server_packets(hplip_t)
-corenet_tcp_bind_hplip_port(hplip_t)
-corenet_tcp_connect_hplip_port(hplip_t)
-
-corenet_sendrecv_ipp_client_packets(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
-
-corenet_sendrecv_howl_server_packets(hplip_t)
-corenet_udp_bind_howl_port(hplip_t)
-
-corecmd_exec_bin(hplip_t)
-
-dev_read_sysfs(hplip_t)
-dev_rw_printer(hplip_t)
-dev_read_urand(hplip_t)
-dev_read_rand(hplip_t)
-dev_rw_generic_usb_dev(hplip_t)
-dev_rw_usbfs(hplip_t)
-
-domain_use_interactive_fds(hplip_t)
-
-files_read_etc_files(hplip_t)
-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-
-fs_getattr_all_fs(hplip_t)
-fs_search_auto_mountpoints(hplip_t)
-fs_rw_anon_inodefs_files(hplip_t)
-
-logging_send_syslog_msg(hplip_t)
-
-miscfiles_read_localization(hplip_t)
-
-sysnet_dns_name_resolve(hplip_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
-
-optional_policy(`
-	dbus_system_bus_client(hplip_t)
-
-	optional_policy(`
-		userdom_dbus_send_all_users(hplip_t)
-	')
-')
-
-optional_policy(`
-	lpd_read_config(hplip_t)
-	lpd_manage_spool(hplip_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
-	snmp_read_snmp_var_lib_files(hplip_t)
-')
-
-optional_policy(`
-	udev_read_db(hplip_t)
-')
 
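Review bot: `userdom_home_manager(cups_pdf_t)` replaces the `use_samba_home_dirs` tunable block but the `use_nfs_home_dirs` block just above it is kept; if userdom_home_manager covers NFS home directories as it evidently does CIFS, the retained tunable is redundant and should go as well. The whole HPLIP local policy is deleted from this file; the hplip type declarations and file contexts (not visible here) need to be removed in the same change, otherwise the types stay declared with no rules. Swapping `lpd_manage_spool(cups_pdf_t)` for `gnome_read_config(cups_pdf_t)` inside the same `optional_policy` also changes which module the block is conditional on, which is worth a one-line comment.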
 ########################################
 #
@@ -731,7 +619,6 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
 
-corenet_all_recvfrom_unlabeled(ptal_t)
 corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_generic_if(ptal_t)
 corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -741,13 +628,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)
 corenet_tcp_sendrecv_ptal_port(ptal_t)
 
-dev_read_sysfs(ptal_t)
 dev_read_usbfs(ptal_t)
 dev_rw_printer(ptal_t)
 
 domain_use_interactive_fds(ptal_t)
 
-files_read_etc_files(ptal_t)
 files_read_etc_runtime_files(ptal_t)
 
 fs_getattr_all_fs(ptal_t)
@@ -755,8 +640,6 @@ fs_search_auto_mountpoints(ptal_t)
 
 logging_send_syslog_msg(ptal_t)
 
-miscfiles_read_localization(ptal_t)
-
 sysnet_read_config(ptal_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -769,3 +652,4 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
+
diff --git a/cvs.fc b/cvs.fc
index 75c8be9..9dcffb2 100644
--- a/cvs.fc
+++ b/cvs.fc
@@ -1,3 +1,6 @@
+HOME_DIR/\.cvsignore		--	gen_context(system_u:object_r:cvs_home_t,s0)
+/root/\.cvsignore		--	gen_context(system_u:object_r:cvs_home_t,s0)
+
 /etc/rc\.d/init\.d/cvs	--	gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
 
 /opt/cvs(/.*)?	gen_context(system_u:object_r:cvs_data_t,s0)
diff --git a/cvs.if b/cvs.if
index 9fa7ffb..089c8d4 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
 ## <summary>Concurrent versions system.</summary>
 
+######################################
+## <summary>
+##  Dontaudit Attempts to list the CVS data and metadata.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`cvs_dontaudit_list_data',`
+    gen_require(`
+        type cvs_data_t;
+    ')
+
+    dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read CVS data and metadata content.
@@ -41,6 +59,24 @@ interface(`cvs_exec',`
 
 ########################################
 ## <summary>
+##	Transition to cvs named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cvs_filetrans_home_content',`
+	gen_require(`
+		type cvs_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an cvs environment
 ## </summary>
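Review bot: The summary `Transition to cvs named content` does not say what is created; the body of `cvs_filetrans_home_content` creates `.cvsignore` in user home directories with the cvs_home_t type. Suggest `##	Create .cvsignore in user home directories labelled cvs_home_t.` so the interface index is searchable by the file name.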
@@ -59,12 +95,18 @@ interface(`cvs_exec',`
 interface(`cvs_admin',`
 	gen_require(`
 		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
-		type cvs_data_t, cvs_var_run_t;
+		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+		type cvs_home_t;
 	')
 
-	allow $1 cvs_t:process { ptrace signal_perms };
+	allow $1 cvs_t:process signal_perms;
 	ps_process_pattern($1, cvs_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cvs_t:process ptrace;
+	')
+
+	# Allow cvs_t to restart the apache service
 	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 cvs_initrc_exec_t system_r;
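Review bot: The new comment `# Allow cvs_t to restart the apache service` is wrong on both counts: the following `init_labeled_script_domtrans($1, cvs_initrc_exec_t)` lets the admin domain `$1`, not cvs_t, run the cvs init script, and apache is not involved. Replace it with `# Allow the admin domain to run the cvs init script`. `cvs_keytab_t` is added to the gen_require but nothing in this hunk uses it; unless the part of `cvs_admin` outside the hunk references it, drop it from the require list. The interface body continues beyond the hunk.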
@@ -78,4 +120,7 @@ interface(`cvs_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, cvs_var_run_t)
+
+	userdom_search_user_home_dirs($1)
+	admin_pattern($1, cvs_home_t)
 ')
diff --git a/cvs.te b/cvs.te
index 53fc3af..d7cdaaf 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
 ##	password files.
 ##	</p>
 ## </desc>
-gen_tunable(allow_cvs_read_shadow, false)
+gen_tunable(cvs_read_shadow, false)
 
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+init_domain(cvs_t, cvs_exec_t)
 application_executable_file(cvs_exec_t)
 
 type cvs_data_t; # customizable
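Review bot: Renaming the boolean from `allow_cvs_read_shadow` to `cvs_read_shadow` changes a user-visible setting name, so existing `setsebool` configuration for the old name silently stops applying. If the policy ships a boolean name substitution file, add the old-to-new mapping there, and check that the `<desc>` text above (partly outside the hunk) does not still cite the old name. `init_domain(cvs_t, cvs_exec_t)` next to the retained `inetd_tcp_service_domain(cvs_t, cvs_exec_t)` makes cvs_t reachable from both inetd and init; a one-line comment such as `# cvs may run standalone under init or from inetd` would explain the double declaration.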
@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t)
 type cvs_var_run_t;
 files_pid_file(cvs_var_run_t)
 
+type cvs_home_t;
+userdom_user_home_content(cvs_home_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
+userdom_search_user_home_dirs(cvs_t)
+allow cvs_t cvs_home_t:file read_file_perms;
+
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
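Review bot: `allow cvs_t self:capability { dac_override dac_read_search setuid setgid };` grants dac_override unconditionally, which makes the `allow cvs_t self:capability dac_override;` inside the `cvs_read_shadow` tunable block later in this file dead — the boolean no longer gates that capability. If dac_override is now always required, remove it from the tunable block; otherwise keep it out of the base rule so the tunable still restricts something. dac_override plus dac_read_search on a network-reachable service is a broad grant; a comment naming which repository access needs them would help reviewers.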
@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t)
 corecmd_exec_bin(cvs_t)
 corecmd_exec_shell(cvs_t)
 
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+
 dev_read_urand(cvs_t)
 
 files_read_etc_runtime_files(cvs_t)
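Review bot: `corenet_tcp_bind_cvs_port(cvs_t)` grants name_bind on the cvs port but no node_bind is added, so a standalone cvs_t still cannot bind a socket; the other domains in this change that bind ports (cyphesis_t, svc_start_t) also carry `corenet_tcp_bind_generic_node(...)`. Add `corenet_tcp_bind_generic_node(cvs_t)` before the bind line. The cyrus hunks pair each port bind with that port's server-packet interface; `corenet_sendrecv_cvs_server_packets(cvs_t)` would keep cvs consistent with that pattern.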
@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t)
 
 init_read_utmp(cvs_t)
 
+init_dontaudit_read_utmp(cvs_t)
+
 logging_send_syslog_msg(cvs_t)
 logging_send_audit_msgs(cvs_t)
 
-miscfiles_read_localization(cvs_t)
-
 mta_send_mail(cvs_t)
 
-userdom_dontaudit_search_user_home_dirs(cvs_t)
-
 # cjp: typeattribute doesnt work in conditionals yet
 auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
+tunable_policy(`cvs_read_shadow',`
 	allow cvs_t self:capability dac_override;
 	auth_tunable_read_shadow(cvs_t)
 ')
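Review bot: `init_dontaudit_read_utmp(cvs_t)` is added two lines below the retained `init_read_utmp(cvs_t)`; a dontaudit on an access that is already allowed has no effect, so one of the two is redundant. Keep `init_read_utmp(cvs_t)` if cvs genuinely needs utmp, or replace it with the dontaudit if the access was only log noise. The `cvs_read_shadow` name used here must match the renamed `gen_tunable` earlier in the file, which it does in this diff.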
@@ -103,4 +117,5 @@ optional_policy(`
 	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
 	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
 ')
diff --git a/cyphesis.te b/cyphesis.te
index 916427f..556f1ac 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
 corecmd_search_bin(cyphesis_t)
 corecmd_getattr_bin_files(cyphesis_t)
 
-corenet_all_recvfrom_unlabeled(cyphesis_t)
 corenet_tcp_sendrecv_generic_if(cyphesis_t)
 corenet_tcp_sendrecv_generic_node(cyphesis_t)
 corenet_tcp_bind_generic_node(cyphesis_t)
@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
 
 domain_use_interactive_fds(cyphesis_t)
 
-files_read_etc_files(cyphesis_t)
-files_read_usr_files(cyphesis_t)
 
 logging_send_syslog_msg(cyphesis_t)
 
-miscfiles_read_localization(cyphesis_t)
-
 sysnet_dns_name_resolve(cyphesis_t)
 
 optional_policy(`
diff --git a/cyrus.if b/cyrus.if
index 6508280..a2860e3 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
 	manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
 ')
 
+#######################################
+## <summary>
+##  Allow write cyrus data files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cyrus_write_data',`
+    gen_require(`
+        type cyrus_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Connect to Cyrus using a unix
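Review bot: The summary `Allow write cyrus data files.` is ungrammatical; interface summaries in this file are imperative phrases, so `##	Write cyrus data files.` fits the surrounding style. A caller that needs `write_files_pattern` on cyrus_var_lib_t usually also needs directory search on it; if that is the case here, `list_dir_perms` or `search_dir_perms` on `cyrus_var_lib_t:dir` is missing from `cyrus_write_data`, though I cannot confirm that without the caller.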
@@ -63,9 +82,13 @@ interface(`cyrus_admin',`
 		type cyrus_var_run_t, cyrus_initrc_exec_t;
 	')
 
-	allow $1 cyrus_t:process { ptrace signal_perms };
+	allow $1 cyrus_t:process signal_perms;
 	ps_process_pattern($1, cyrus_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cyrus_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
index 395f97c..bf8db3c 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
 # Local policy
 #
 
-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
 dontaudit cyrus_t self:capability sys_tty_config;
 allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow cyrus_t self:process setrlimit;
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)
 
-corenet_all_recvfrom_unlabeled(cyrus_t)
 corenet_all_recvfrom_netlabel(cyrus_t)
 corenet_tcp_sendrecv_generic_if(cyrus_t)
 corenet_tcp_sendrecv_generic_node(cyrus_t)
@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
 corenet_sendrecv_lmtp_server_packets(cyrus_t)
 corenet_tcp_bind_lmtp_port(cyrus_t)
 
+corenet_sendrecv_innd_server_packets(cyrus_t)
+corenet_tcp_bind_innd_port(cyrus_t)
+
 corenet_sendrecv_pop_server_packets(cyrus_t)
 corenet_tcp_bind_pop_port(cyrus_t)
 
@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t)
 
 files_list_var_lib(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
-files_read_usr_files(cyrus_t)
-files_dontaudit_write_usr_dirs(cyrus_t)
 
 fs_getattr_all_fs(cyrus_t)
 fs_search_auto_mountpoints(cyrus_t)
@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
 
 logging_send_syslog_msg(cyrus_t)
 
-miscfiles_read_localization(cyrus_t)
 miscfiles_read_generic_certs(cyrus_t)
 
 userdom_use_unpriv_users_fds(cyrus_t)
@@ -116,6 +115,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
 	kerberos_keytab_template(cyrus, cyrus_t)
 ')
 
@@ -128,8 +131,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	snmp_read_snmp_var_lib_files(cyrus_t)
-	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+	files_dontaudit_write_usr_dirs(cyrus_t)
+    snmp_manage_var_lib_files(cyrus_t)
 	snmp_stream_connect(cyrus_t)
 ')
 
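Review bot: `files_dontaudit_write_usr_dirs(cyrus_t)` is moved from the unconditional section into the snmp `optional_policy` block, so it now applies only when the snmp module is loaded although it has nothing to do with snmp; if the dontaudit is still wanted, keep it at its previous location. `snmp_manage_var_lib_files(cyrus_t)` widens the earlier read plus dontaudit-write to full create/delete on snmp's var lib files; if only writing existing files is needed, a narrower write interface, where snmp.if provides one, is the smaller grant. The enclosing `optional_policy` for this block starts inside the hunk, so the change stands on its own.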
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0..6c8106a 100644
--- a/daemontools.if
+++ b/daemontools.if
@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',`
 	allow $1 svc_svc_t:file manage_file_perms;
 	allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
 ')
+
diff --git a/daemontools.te b/daemontools.te
index 0165962..2569147 100644
--- a/daemontools.te
+++ b/daemontools.te
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
 allow svc_multilog_t svc_start_t:fd use;
 allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
 
+term_write_console(svc_multilog_t)
+
 init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
 
 logging_manage_generic_logs(svc_multilog_t)
 
@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t)
 corecmd_exec_bin(svc_run_t)
 corecmd_exec_shell(svc_run_t)
 
-files_read_etc_files(svc_run_t)
+term_write_console(svc_run_t)
+
 files_read_etc_runtime_files(svc_run_t)
 files_search_pids(svc_run_t)
 files_search_var_lib(svc_run_t)
@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
 
 can_exec(svc_start_t, svc_start_exec_t)
 
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
 domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
 
 kernel_read_kernel_sysctls(svc_start_t)
@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t)
 corecmd_exec_bin(svc_start_t)
 corecmd_exec_shell(svc_start_t)
 
-files_read_etc_files(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
 files_read_etc_runtime_files(svc_start_t)
 files_search_var(svc_start_t)
 files_search_pids(svc_start_t)
 
 logging_send_syslog_msg(svc_start_t)
-
-miscfiles_read_localization(svc_start_t)
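Review bot: `corenet_tcp_bind_generic_port(svc_start_t)` lets the service starter bind any generic TCP port, although the supervised services run in svc_run_t after the `domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)` in the previous hunk; this looks like the wrong domain for the grant. If a specific supervised service needs a port, grant it to that service's domain through the port-specific interface; if the starter itself must bind before handing the socket down, a one-line comment saying so should accompany these two lines.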
diff --git a/dante.te b/dante.te
index 98a2d6a..fff0987 100644
--- a/dante.te
+++ b/dante.te
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
 
 domain_use_interactive_fds(dante_t)
 
-files_read_etc_files(dante_t)
 files_read_etc_runtime_files(dante_t)
 
 fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
index a67870a..f7c0e61 100644
--- a/dbadm.te
+++ b/dbadm.te
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
 
 role dbadm_r;
 
-userdom_base_user_template(dbadm)
+userdom_confined_admin_template(dbadm)
 
 ########################################
 #
 # Local policy
 #
 
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_override dac_read_search };
 
 files_dontaudit_search_all_dirs(dbadm_t)
 files_delete_generic_locks(dbadm_t)
@@ -39,6 +39,7 @@ files_list_var(dbadm_t)
 selinux_get_enforce_mode(dbadm_t)
 
 logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
 
 userdom_dontaudit_search_user_home_dirs(dbadm_t)
 
@@ -60,3 +61,7 @@ optional_policy(`
 optional_policy(`
 	postgresql_admin(dbadm_t, dbadm_r)
 ')
+
+optional_policy(`
+	sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/dbskk.te b/dbskk.te
index 188e2e6..719583e 100644
--- a/dbskk.te
+++ b/dbskk.te
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)
 kernel_read_network_state(dbskkd_t)
 
-corenet_all_recvfrom_unlabeled(dbskkd_t)
 corenet_all_recvfrom_netlabel(dbskkd_t)
 corenet_tcp_sendrecv_generic_if(dbskkd_t)
 corenet_udp_sendrecv_generic_if(dbskkd_t)
@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t)
 
 fs_getattr_xattr_fs(dbskkd_t)
 
-files_read_etc_files(dbskkd_t)
 
 auth_use_nsswitch(dbskkd_t)
 
 logging_send_syslog_msg(dbskkd_t)
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
index dda905b..ccd0ba9 100644
--- a/dbus.fc
+++ b/dbus.fc
@@ -1,20 +1,27 @@
-HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
 
-/etc/dbus-.*(/.*)?	gen_context(system_u:object_r:dbusd_etc_t,s0)
+/bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/bin/dbus-daemon	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/usr/bin/dbus-daemon(-1)?	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/usr/lib/dbus-.*/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/usr/libexec/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/cache/ibus(/.*)?     gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 
-/var/lib/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-
-/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/run/messagebus\.pid	--	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 
+ifdef(`distro_redhat',`
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
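Review bot: The `/var/run/messagebus\.pid` entry is dropped and nothing else in the new file covers that path, since `/var/run/dbus(/.*)?` matches only the dbus directory; if the daemon still writes its pid file there it will receive the default var_run_t label instead of system_dbusd_var_run_t. Either keep the entry or add a comment noting where the pid file now lives. Labelling `/var/cache/ibus(/.*)?` as system_dbusd_var_lib_t also deserves a comment, because it ties an unrelated program's cache to the system bus's lib type, so every domain granted `dbus_manage_lib_files` gains write access to it.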
diff --git a/dbus.if b/dbus.if
index afcf3a2..8cc440f 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
-## <summary>Desktop messaging bus.</summary>
+## <summary>Desktop messaging bus</summary>
 
 ########################################
 ## <summary>
@@ -19,7 +19,24 @@ interface(`dbus_stub',`
 
 ########################################
 ## <summary>
-##	Role access for dbus.
+##	Execute dbus-daemon in the caller domain.
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`dbus_exec_dbusd',`
+	gen_require(`
+        type dbusd_exec_t;
+	')
+    can_exec($1, dbusd_exec_t)
+')
+
+########################################
+## <summary>
+##	Role access for dbus
 ## </summary>
 ## <param name="role_prefix">
 ##	<summary>
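Review bot: The `<param name="domain" unused="true">` annotation on `dbus_exec_dbusd` is wrong: `$1` is used by `can_exec($1, dbusd_exec_t)`, so the attribute should be dropped, `## <param name="domain">`. The summary `Domain allowed access` also lacks the trailing period used by the other param summaries in this file.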
@@ -41,59 +58,68 @@ interface(`dbus_stub',`
 template(`dbus_role_template',`
 	gen_require(`
 		class dbus { send_msg acquire_svc };
-		attribute session_bus_type;
-		type system_dbusd_t, dbusd_exec_t;
-		type session_dbusd_tmp_t, session_dbusd_home_t;
+		attribute dbusd_unconfined, session_bus_type;
+		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+		type $1_t;
 	')
 
 	##############################
 	#
-	# Declarations
+	# Delcarations
 	#
 
 	type $1_dbusd_t, session_bus_type;
-	domain_type($1_dbusd_t)
-	domain_entry_file($1_dbusd_t, dbusd_exec_t)
+	application_domain($1_dbusd_t, dbusd_exec_t)
 	ubac_constrained($1_dbusd_t)
-
 	role $2 types $1_dbusd_t;
 
+	kernel_read_system_state($1_dbusd_t)
+
+	selinux_get_fs_mount($1_dbusd_t)
+
+	userdom_home_manager($1_dbusd_t)
+
 	##############################
 	#
 	# Local policy
 	#
 
+	# For connecting to the bus
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
-	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
-	allow $3 $1_dbusd_t:fd use;
-	
-	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
-	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
-	userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+	# SE-DBus specific permissions
+	allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
 
 	ps_process_pattern($3, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { ptrace signal_perms };
+	allow $3 $1_dbusd_t:process signal_perms;
 
-	allow $1_dbusd_t $3:process sigkill;
+	tunable_policy(`deny_ptrace',`',`
+		allow $3 $1_dbusd_t:process ptrace;
+	')
 
-	corecmd_bin_domtrans($1_dbusd_t, $3)
-	corecmd_shell_domtrans($1_dbusd_t, $3)
+	# cjp: this seems very broken
+	corecmd_bin_domtrans($1_dbusd_t, $1_t)
+	corecmd_shell_domtrans($1_dbusd_t, $1_t)
+	allow $1_dbusd_t $3:process sigkill;
+	allow $3 $1_dbusd_t:fd use;
+	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
 
 	auth_use_nsswitch($1_dbusd_t)
 
-	ifdef(`hide_broken_symptoms',`
-		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+	logging_send_syslog_msg($1_dbusd_t)
+
+	optional_policy(`
+		mozilla_domtrans_spec($1_dbusd_t, $1_t)
 	')
 ')
 
 #######################################
 ## <summary>
 ##	Template for creating connections to
-##	the system bus.
+##	the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
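Review bot: The section header comment is changed from `# Declarations` to `# Delcarations`, introducing a typo; restore `# Declarations`. The template now requires `type $1_t;` and targets `$1_t` in `corecmd_bin_domtrans`/`corecmd_shell_domtrans` instead of `$3`, so it can only be instantiated where a domain literally named `<prefix>_t` exists and `$3` is presumed to be that domain; the retained `# cjp: this seems very broken` comment suggests this is known, so either document the precondition in the `<param>` text for `role_prefix` or pass `$3` as before. The `hide_broken_symptoms` dontaudit on `netlink_selinux_socket` is removed with no replacement, so that denial, if it still occurs, will now be audited.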
@@ -103,91 +129,82 @@ template(`dbus_role_template',`
 #
 interface(`dbus_system_bus_client',`
 	gen_require(`
-		attribute dbusd_system_bus_client;
-		type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
+		type system_dbusd_t, system_dbusd_t;
+		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
+		attribute dbusd_unconfined;
 	')
 
-	typeattribute $1 dbusd_system_bus_client;
-
+	# SE-DBus specific permissions
 	allow $1 { system_dbusd_t self }:dbus send_msg;
-	allow system_dbusd_t $1:dbus send_msg;
+	allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
 
-	files_search_var_lib($1)
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	files_search_var_lib($1)
 
+	# For connecting to the bus
 	files_search_pids($1)
 	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
-
 	dbus_read_config($1)
 ')
 
 #######################################
 ## <summary>
-##	Acquire service on DBUS
-##	session bus.
+##	Creating connections to specified
+##	DBUS sessions.
 ## </summary>
-## <param name="domain">
+## <param name="role_prefix">
 ##	<summary>
-##	Domain allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-#
-interface(`dbus_connect_session_bus',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
-	dbus_connect_all_session_bus($1)
-')
-
-#######################################
-## <summary>
-##	Acquire service on all DBUS
-##	session busses.
-## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_all_session_bus',`
+interface(`dbus_session_client',`
 	gen_require(`
-		attribute session_bus_type;
-		class dbus acquire_svc;
+		class dbus send_msg;
+		type $1_dbusd_t;
 	')
 
-	allow $1 session_bus_type:dbus acquire_svc;
+	allow $2 $1_dbusd_t:fd use;
+	allow $2 { $1_dbusd_t self }:dbus send_msg;
+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
 ')
 
 #######################################
 ## <summary>
-##	Acquire service on specified
-##	DBUS session bus.
+##	Template for creating connections to
+##	a user DBUS.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_spec_session_bus',`
+interface(`dbus_session_bus_client',`
 	gen_require(`
-		type $1_dbusd_t;
-		class dbus acquire_svc;
+		attribute session_bus_type;
+		class dbus send_msg;
 	')
 
-	allow $2 $1_dbusd_t:dbus acquire_svc;
+	# SE-DBus specific permissions
+	allow $1 { session_bus_type self }:dbus send_msg;
+
+	# For connecting to the bus
+	allow $1 session_bus_type:unix_stream_socket connectto;
+
+	allow session_bus_type $1:process sigkill;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to DBUS
-##	session bus.
+##	Send a message the session DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
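Review bot: The `dbus_system_bus_client` gen_require lists `type system_dbusd_t, system_dbusd_t;` — the same type twice; write `type system_dbusd_t;`. In the same hunk `dbus_connect_all_session_bus`, `dbus_connect_spec_session_bus`, `dbus_all_session_bus_client` and `dbus_spec_session_bus_client` are removed outright and the `dbusd_system_bus_client` and `dbusd_session_bus_client` attributes are no longer assigned, so callers in other modules that use those names will fail to build unless updated in the same change (not visible here). The file's own convention for retired names, visible in the deleted `refpolicywarn` wrappers, was to keep a forwarding shim for a release; the same should be done for these. The new `allow session_bus_type $1:process sigkill;` in `dbus_session_bus_client` lets every session bus kill any client, which deserves a one-line comment stating why.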
@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_session_bus_client',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
-	dbus_all_session_bus_client($1)
+interface(`dbus_send_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+		class dbus send_msg;
+	')
+
+	allow $1 session_bus_type:dbus send_msg;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to all
-##	DBUS session busses.
+##	Read dbus configuration.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -211,57 +231,38 @@ interface(`dbus_session_bus_client',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_all_session_bus_client',`
+interface(`dbus_read_config',`
 	gen_require(`
-		attribute session_bus_type, dbusd_session_bus_client;
-		class dbus send_msg;
+		type dbusd_etc_t;
 	')
 
-	typeattribute $1 dbusd_session_bus_client;
-
-	allow $1 { session_bus_type self }:dbus send_msg;
-	allow session_bus_type $1:dbus send_msg;
-	
-	allow $1 session_bus_type:unix_stream_socket connectto;
-	allow $1 session_bus_type:fd use;
+	allow $1 dbusd_etc_t:dir list_dir_perms;
+	allow $1 dbusd_etc_t:file read_file_perms;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to specified
-##	DBUS session bus.
+##	Read system dbus lib files.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_spec_session_bus_client',`
+interface(`dbus_read_lib_files',`
 	gen_require(`
-		attribute dbusd_session_bus_client;
-		type $1_dbusd_t;
-		class dbus send_msg;
+		type system_dbusd_var_lib_t;
 	')
 
-	typeattribute $2 dbusd_session_bus_client;
-
-	allow $2 { $1_dbusd_t self }:dbus send_msg;
-	allow $1_dbusd_t $2:dbus send_msg;
-
-	allow $2 $1_dbusd_t:unix_stream_socket connectto;
-	allow $2 $1_dbusd_t:fd use;
+	files_search_var_lib($1)
+	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to DBUS session bus.
+##	Create, read, write, and delete
+##	system dbus lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -269,15 +270,19 @@ interface(`dbus_spec_session_bus_client',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_session_bus',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
-	dbus_send_all_session_bus($1)
+interface(`dbus_manage_lib_files',`
+	gen_require(`
+		type system_dbusd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to all DBUS
-##	session busses.
+##	Connect to the system DBUS
+##	for service (acquire_svc).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
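Review bot: The summary added at the end of this hunk, `Connect to the system DBUS for service (acquire_svc).`, heads the interface that the next hunk defines as `dbus_connect_session_bus`, whose rule is `allow $1 session_bus_type:dbus acquire_svc;`. The text names the wrong bus; the identical summary is reused a few interfaces later for `dbus_connect_system_bus`, where it is correct. Change it to `##	Connect to the session DBUS` / `##	for service (acquire_svc).`. The interface body this doc block belongs to starts outside this hunk.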
@@ -285,44 +290,52 @@ interface(`dbus_send_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_all_session_bus',`
+interface(`dbus_connect_session_bus',`
 	gen_require(`
 		attribute session_bus_type;
-		class dbus send_msg;
+		class dbus acquire_svc;
 	')
 
-	allow $1 dbus_session_bus_type:dbus send_msg;
+	allow $1 session_bus_type:dbus acquire_svc;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to specified
-##	DBUS session busses.
+##	Allow a application domain to be started
+##	by the session dbus.
 ## </summary>
-## <param name="role_prefix">
+## <param name="domain_prefix">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	User domain prefix to be used.
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an
+##	entry point to this domain.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_spec_session_bus',`
+interface(`dbus_session_domain',`
 	gen_require(`
 		type $1_dbusd_t;
-		class dbus send_msg;
 	')
 
-	allow $2 $1_dbusd_t:dbus send_msg;
+	domtrans_pattern($1_dbusd_t, $2, $3)
+
+	dbus_session_bus_client($3)
+	dbus_connect_session_bus($3)
 ')
 
 ########################################
 ## <summary>
-##	Read dbus configuration content.
+##	Connect to the system DBUS
+##	for service (acquire_svc).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
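Review bot: `dbus_session_domain` performs `domtrans_pattern($1_dbusd_t, $2, $3)` but, unlike `dbus_system_domain` later in this file, never calls `domain_type($3)` or `domain_entry_file($3, $2)`, so the caller must already have declared `$3` as a domain and `$2` as its entry point; that precondition should be stated in the `domain` and `entry_point` param summaries rather than left implicit. The summary also has a grammar slip: `##	Allow a application domain to be started` should read `##	Allow an application domain to be started`. The `Connect to the system DBUS` summary at the end of this hunk is correct for the `dbus_connect_system_bus` interface that follows it.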
@@ -330,18 +343,18 @@ interface(`dbus_send_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_read_config',`
+interface(`dbus_connect_system_bus',`
 	gen_require(`
-		type dbusd_etc_t;
+		type system_dbusd_t;
+		class dbus acquire_svc;
 	')
 
-	allow $1 dbusd_etc_t:dir list_dir_perms;
-	allow $1 dbusd_etc_t:file read_file_perms;
+	allow $1 system_dbusd_t:dbus acquire_svc;
 ')
 
 ########################################
 ## <summary>
-##	Read system dbus lib files.
+##	Send a message on the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -349,19 +362,18 @@ interface(`dbus_read_config',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_read_lib_files',`
+interface(`dbus_send_system_bus',`
 	gen_require(`
-		type system_dbusd_var_lib_t;
+		type system_dbusd_t;
+		class dbus send_msg;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	allow $1 system_dbusd_t:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	system dbus lib files.
+##	Allow unconfined access to the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -369,26 +381,20 @@ interface(`dbus_read_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_manage_lib_files',`
+interface(`dbus_system_bus_unconfined',`
 	gen_require(`
-		type system_dbusd_var_lib_t;
+		type system_dbusd_t;
+		class dbus all_dbus_perms;
 	')
 
-	files_search_var_lib($1)
-	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	allow $1 system_dbusd_t:dbus *;
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Create a domain for processes
+##	which can be started by the system dbus
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
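Review bot: In `dbus_system_bus_unconfined` the `gen_require` names `class dbus all_dbus_perms;` but the rule then uses the wildcard, `allow $1 system_dbusd_t:dbus *;`, so the required permission set is never referenced and the rule silently picks up any permission added to the `dbus` class in future. The unconfined rules at the end of dbus.te in this same diff use `all_dbus_perms` explicitly; for consistency and so the grant is bounded by the named set, write `allow $1 system_dbusd_t:dbus all_dbus_perms;`.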
@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',`
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Type of the program to be used as an entry point to this domain.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_session_domain',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
-	dbus_all_session_domain($1, $2)
+interface(`dbus_system_domain',`
+	gen_require(`
+		attribute system_bus_type;
+		type system_dbusd_t;
+		role system_r;
+	')
+	typeattribute $1  system_bus_type;
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	domtrans_pattern(system_dbusd_t, $2, $1)
+	init_system_domain($1, $2)
+
+	ps_process_pattern($1, system_dbusd_t)
+
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Use and inherit system DBUS file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_all_session_domain',`
+interface(`dbus_use_system_bus_fds',`
 	gen_require(`
-		type session_bus_type;
+		type system_dbusd_t;
 	')
 
-	domtrans_pattern(session_bus_type, $2, $1)
-
-	dbus_all_session_bus_client($1)
-	dbus_connect_all_session_bus($1)
+	allow $1 system_dbusd_t:fd use;
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Allow unconfined access to the system DBUS.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_spec_session_domain',`
+interface(`dbus_unconfined',`
 	gen_require(`
-		type $1_dbusd_t;
+		attribute dbusd_unconfined;
 	')
 
-	domtrans_pattern($1_dbusd_t, $2, $3)
-
-	dbus_spec_session_bus_client($1, $2)
-	dbus_connect_spec_session_bus($1, $2)
+	typeattribute $1 dbusd_unconfined;
 ')
 
 ########################################
 ## <summary>
-##	Acquire service on the DBUS system bus.
+##	Delete all dbus pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
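Review bot: `dbus_system_domain` requires `role system_r;` but no statement in the new body uses it; the role assignment now lives in dbus.te as `role system_r types system_bus_type;`, so the require line is dead and should be dropped. The `ps_process_pattern` argument order is reversed relative to the removed version (`ps_process_pattern($1, system_dbusd_t)` versus the old `ps_process_pattern(system_dbusd_t, $1)`), which grants the new domain read access to the bus daemon's process state rather than the other way round; dbus.te already carries the daemon-side direction via the attribute (`ps_process_pattern(system_dbusd_t, system_bus_type)`), so if the new direction is deliberate it deserves a one-line comment, and if not the line should go. Two formatting nits in the same body: `typeattribute $1  system_bus_type;` has a double space and sits directly after `')` with no blank line, and there is a trailing blank line before the closing `')`. If `init_system_domain` already performs `domain_type`/`domain_entry_file` in this tree, the two explicit calls above it are redundant; that is inferred, not visible here.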
@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_system_bus',`
+interface(`dbus_delete_pid_files',`
 	gen_require(`
-		type system_dbusd_t;
-		class dbus acquire_svc;
+		type system_dbusd_var_run_t;
 	')
 
-	allow $1 system_dbusd_t:dbus acquire_svc;
+	files_search_pids($1)
+	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Send messages to the DBUS system bus.
+##	Read all dbus pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_system_bus',`
+interface(`dbus_read_pid_files',`
 	gen_require(`
-		type system_dbusd_t;
-		class dbus send_msg;
+		type system_dbusd_var_run_t;
 	')
 
-	allow $1 system_dbusd_t:dbus send_msg;
+	files_search_pids($1)
+	read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Unconfined access to DBUS system bus.
+##	Do not audit attempts to connect to
+##	session bus types with a unix
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_system_bus_unconfined',`
+interface(`dbus_dontaudit_stream_connect_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
-		class dbus all_dbus_perms;
+		attribute session_bus_type;
 	')
 
-	allow $1 system_dbusd_t:dbus *;
+	dontaudit $1 session_bus_type:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Create a domain for processes which
-##	can be started by the DBUS system bus.
+##	Allow attempts to connect to
+##	session bus types with a unix
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	Type of the program to be used as an entry point to this domain.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_system_domain',`
+interface(`dbus_stream_connect_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
-		role system_r;
+		attribute session_bus_type;
 	')
 
-	domain_type($1)
-	domain_entry_file($1, $2)
-
-	role system_r types $1;
-
-	domtrans_pattern(system_dbusd_t, $2, $1)
-
-	dbus_system_bus_client($1)
-	dbus_connect_system_bus($1)
-
-	ps_process_pattern(system_dbusd_t, $1)
-
-	userdom_read_all_users_state($1)
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-	')
+	allow $1 session_bus_type:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Use and inherit DBUS system bus
-##	file descriptors.
+##	Do not audit attempts to send dbus
+##	messages to session bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_use_system_bus_fds',`
+interface(`dbus_chat_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
+		attribute session_bus_type;
+		class dbus send_msg;
 	')
 
-	allow $1 system_dbusd_t:fd use;
+	allow $1 session_bus_type:dbus send_msg;
+	allow session_bus_type $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write DBUS system bus TCP sockets.
+##	Do not audit attempts to send dbus
+##	messages to session bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
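Review bot: Two doc blocks in this hunk were copy-pasted from dontaudit interfaces and now describe the wrong contract: the `domain` param of `dbus_stream_connect_session_bus` reads `Domain to not audit.` although the body is an `allow ... unix_stream_socket connectto;`, and the summary of `dbus_chat_session_bus` reads `Do not audit attempts to send dbus messages to session bus types.` although the body is two `allow ... :dbus send_msg;` rules in both directions. Use `##	Domain allowed access.` for the former and `##	Send and receive dbus messages to and from session bus types.` for the latter, so the generated interface documentation stops advertising an audit suppression where a grant is made.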
@@ -596,28 +570,49 @@ interface(`dbus_use_system_bus_fds',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+interface(`dbus_dontaudit_chat_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
+		attribute session_bus_type;
+		class dbus send_msg;
 	')
 
-	dontaudit $1 system_dbusd_t:tcp_socket { read write };
+	dontaudit $1 session_bus_type:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Unconfined access to DBUS.
+##	Do not audit attempts to send dbus
+##	messages to system bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_unconfined',`
+interface(`dbus_dontaudit_chat_system_bus',`
 	gen_require(`
-		attribute dbusd_unconfined;
+		attribute system_bus_type;
+		class dbus send_msg;
 	')
 
-	typeattribute $1 dbusd_unconfined;
+	dontaudit $1 system_bus_type:dbus send_msg;
+	dontaudit system_bus_type $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+##      Transition to dbus named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dbus_filetrans_named_content_system',`
+    gen_require(`
+        type system_dbusd_var_lib_t;
+    ')
+    files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
 ')
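Review bot: `dbus_filetrans_named_content_system` is indented with four spaces and its doc block with spaces after `##`, and its banner is 39 hashes, while every other interface in this file uses tabs and a 40-hash banner; align it with the rest of the file. `dbus_dontaudit_chat_session_bus` suppresses only `$1 -> session_bus_type`, whereas `dbus_dontaudit_chat_system_bus` just below suppresses both directions and `dbus_chat_session_bus` (previous hunk) allows both, so a caller using the dontaudit to quiet a chat pairing will still see the `session_bus_type -> $1` denial; consider adding `dontaudit session_bus_type $1:dbus send_msg;`. The filetrans targets a directory literally named "ibus" directly under the var parent (`files_var_filetrans`) with the lib type; if the intended path is under /var/lib this looks like it should be the var-lib parent instead, but that cannot be confirmed from the hunk, so at least a comment naming the expected path would help.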
diff --git a/dbus.te b/dbus.te
index 2c2e7e1..2ead441 100644
--- a/dbus.te
+++ b/dbus.te
@@ -1,20 +1,18 @@
-policy_module(dbus, 1.18.8)
+policy_module(dbus, 1.17.0)
 
 gen_require(`
 	class dbus all_dbus_perms;
 ')
 
-########################################
+##############################
 #
-# Declarations
+# Delcarations
 #
 
 attribute dbusd_unconfined;
+attribute system_bus_type;
 attribute session_bus_type;
 
-attribute dbusd_system_bus_client;
-attribute dbusd_session_bus_client;
-
 type dbusd_etc_t;
 files_config_file(dbusd_etc_t)
 
@@ -22,9 +20,6 @@ type dbusd_exec_t;
 corecmd_executable_file(dbusd_exec_t)
 typealias dbusd_exec_t alias system_dbusd_exec_t;
 
-type session_dbusd_home_t;
-userdom_user_home_content(session_dbusd_home_t)
-
 type session_dbusd_tmp_t;
 typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
 typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
+init_sock_file(system_dbusd_var_run_t)
+mls_trusted_object(system_dbusd_var_run_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
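Review bot: `mls_trusted_object(system_dbusd_var_run_t)` exempts the daemon's pid/socket objects from MLS constraints with no comment explaining why, and the same hunk drops `init_daemon_run_dir(system_dbusd_var_run_t, "dbus")`, which (in trees where it exists) is what lets init create the "dbus" run directory with this label. If nothing else provides that transition, the directory created at boot will carry the generic pid label and the `manage_*_pattern` rules on `system_dbusd_var_run_t` below will not apply; this is inferred, since the file contexts are not in the hunk. Add a one-line comment such as `# trusted object: the bus socket is connected to from every MLS level` above the `mls_trusted_object` call and confirm the run-dir labelling path.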
@@ -51,59 +47,61 @@ ifdef(`enable_mls',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
 ')
 
-########################################
+##############################
 #
-# Local policy
+# System bus local policy
 #
 
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability2 block_suspend;
 allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
+can_exec(system_dbusd_t, dbusd_exec_t)
+
 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 
 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 
 manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
-
-can_exec(system_dbusd_t, dbusd_exec_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
 
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
 
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_shell(system_dbusd_t)
-
 dev_read_urand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
 
-domain_use_interactive_fds(system_dbusd_t)
-domain_read_all_domains_state(system_dbusd_t)
+dev_rw_inherited_input_dev(system_dbusd_t)
+dev_rw_inherited_dri(system_dbusd_t)
 
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+files_rw_inherited_non_security_files(system_dbusd_t)
 
 fs_getattr_all_fs(system_dbusd_t)
 fs_list_inotifyfs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
-fs_search_cgroup_dirs(system_dbusd_t)
 fs_dontaudit_list_nfs(system_dbusd_t)
 
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
+storage_rw_inherited_removable_device(system_dbusd_t)
+
+mls_trusted_object(system_dbusd_t)
 mls_fd_use_all_levels(system_dbusd_t)
 mls_rangetrans_target(system_dbusd_t)
 mls_file_read_all_levels(system_dbusd_t)
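Review bot: The new rule `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };` lists `connectto` twice; write it as `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms };`. The comment `# dac_override: /var/run/dbus is owned by messagebus on Debian` has been placed directly above the new `capability2 block_suspend` line instead of the `capability { ... dac_override ... }` line it explains, so it now reads as a justification for the wrong rule. The added `files_rw_inherited_non_security_files`, `dev_rw_inherited_dri`, `storage_rw_inherited_*` and `mls_trusted_object(system_dbusd_t)` calls widen what the bus daemon may touch via inherited descriptors and MLS, and none carries a why-comment; each should name the activation or fd-passing case that needs it so the grant can be revisited.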
@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
+
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
-init_all_labeled_script_domtrans(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
 
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
-miscfiles_read_localization(system_dbusd_t)
 miscfiles_read_generic_certs(system_dbusd_t)
 
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 
+userdom_home_reader(system_dbusd_t)
+
+optional_policy(`
+	bind_domtrans(system_dbusd_t)
+')
+
 optional_policy(`
 	bluetooth_stream_connect(system_dbusd_t)
 ')
 
 optional_policy(`
-	policykit_read_lib(system_dbusd_t)
+	cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+	getty_start_services(system_dbusd_t)
+')
+
+optional_policy(`
+	gnome_exec_gconf(system_dbusd_t)
+	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
+
+optional_policy(`
+    nis_use_ypbind(system_dbusd_t)
+')
+
+optional_policy(`
+	networkmanager_initrc_domtrans(system_dbusd_t)
+	networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(system_dbusd_t)
+	policykit_domtrans_auth(system_dbusd_t)
+	policykit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_dhcpc(system_dbusd_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(system_dbusd_t)
+	systemd_use_fds_logind(system_dbusd_t)
+	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+	systemd_write_inhibit_pipes(system_dbusd_t)
+# These are caused by broken systemd patch
+	systemd_start_power_services(system_dbusd_t)
+	systemd_config_all_services(system_dbusd_t)
+	files_config_all_files(system_dbusd_t)
 ')
 
 optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
 
+optional_policy(`
+	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+	xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
+
 ########################################
 #
-# Common session bus local policy
+# system_bus_type rules
 #
+role system_r types system_bus_type;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
+init_status(system_bus_type)
+init_stream_connect(system_bus_type)
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
+	abrt_stream_connect(system_bus_type)
+')
+
+optional_policy(`
+	rpm_script_dbus_chat(system_bus_type)
+')
+
+optional_policy(`
+	unconfined_dbus_send(system_bus_type)
+')
 
+ifdef(`hide_broken_symptoms',`
+	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
+
+########################################
+#
+# session_bus_type rules
+#
+allow session_bus_type self:capability2 block_suspend;
 dontaudit session_bus_type self:capability sys_resource;
 allow session_bus_type self:process { getattr sigkill signal };
-dontaudit session_bus_type self:process { ptrace setrlimit };
+dontaudit session_bus_type self:process setrlimit;
 allow session_bus_type self:file { getattr read write };
 allow session_bus_type self:fifo_file rw_fifo_file_perms;
 allow session_bus_type self:dbus { send_msg acquire_svc };
-allow session_bus_type self:unix_stream_socket { accept listen };
-allow session_bus_type self:tcp_socket { accept listen };
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
 allow session_bus_type self:netlink_selinux_socket create_socket_perms;
 
 allow session_bus_type dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 
-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
-
 manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
 
-kernel_read_system_state(session_bus_type)
 kernel_read_kernel_sysctls(session_bus_type)
 
 corecmd_list_bin(session_bus_type)
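Review bot: The systemd `optional_policy` block adds `systemd_config_all_services(system_dbusd_t)` and `files_config_all_files(system_dbusd_t)` under the comment `# These are caused by broken systemd patch`, which lets the bus daemon write all service units and all configuration files as a workaround with no bug reference and no condition under which it can be removed; the comment is also unindented relative to the block, and `files_config_all_files` is not a systemd interface, so hiding it inside the systemd block makes the grant harder to find. Please cite the tracking issue in the comment and keep the files_ call outside the block (or drop it once the patch is fixed). Two smaller points: the `nis_use_ypbind` block is indented with spaces while every other block uses tabs, and the `system_bus_type rules` section calls this module's own interfaces (`dbus_system_bus_client`, `dbus_connect_system_bus`) from its .te, which the refpolicy convention, as I understand it, reserves for other modules; the raw rules would be clearer here. The removed `session_dbusd_home_t` management is replaced by home-wide rules in a later hunk, noted there.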
@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type)
 corecmd_read_bin_pipes(session_bus_type)
 corecmd_read_bin_sockets(session_bus_type)
 
-corenet_all_recvfrom_unlabeled(session_bus_type)
-corenet_all_recvfrom_netlabel(session_bus_type)
 corenet_tcp_sendrecv_generic_if(session_bus_type)
 corenet_tcp_sendrecv_generic_node(session_bus_type)
 corenet_tcp_sendrecv_all_ports(session_bus_type)
 corenet_tcp_bind_generic_node(session_bus_type)
-
-corenet_sendrecv_all_server_packets(session_bus_type)
 corenet_tcp_bind_reserved_port(session_bus_type)
 
 dev_read_urand(session_bus_type)
 
-domain_read_all_domains_state(session_bus_type)
 domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
 
 files_list_home(session_bus_type)
-files_read_usr_files(session_bus_type)
 files_dontaudit_search_var(session_bus_type)
 
 fs_getattr_romfs(session_bus_type)
@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
 
-selinux_get_fs_mount(session_bus_type)
 selinux_validate_context(session_bus_type)
 selinux_compute_access_vector(session_bus_type)
 selinux_compute_create_context(session_bus_type)
@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type)
 auth_read_pam_console_data(session_bus_type)
 
 logging_send_audit_msgs(session_bus_type)
-logging_send_syslog_msg(session_bus_type)
-
-miscfiles_read_localization(session_bus_type)
 
 seutil_read_config(session_bus_type)
 seutil_read_default_contexts(session_bus_type)
 
-term_use_all_terms(session_bus_type)
+term_use_all_inherited_terms(session_bus_type)
+
+userdom_dontaudit_search_admin_dir(session_bus_type)
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_manage_tmpfs_files(session_bus_type, file)
+userdom_tmpfs_filetrans(session_bus_type, file)
 
 optional_policy(`
-	xserver_use_xdm_fds(session_bus_type)
+	gnome_read_config(session_bus_type)
+	gnome_read_gconf_home_files(session_bus_type)
+')
+
+optional_policy(`
+	hal_dbus_chat(session_bus_type)
+')
+
+optional_policy(`
+	thumb_domtrans(session_bus_type)
+')
+
+optional_policy(`
+	xserver_search_xdm_lib(session_bus_type)
 	xserver_rw_xdm_pipes(session_bus_type)
+	xserver_use_xdm_fds(session_bus_type)
+	xserver_append_xdm_home_files(session_bus_type)
 ')
 
 ########################################
@@ -244,5 +347,6 @@ optional_policy(`
 # Unconfined access to this module
 #
 
-allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
-allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
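Review bot: The removed rule granted `dbusd_unconfined` `all_dbus_perms` on `{ system_dbusd_t session_bus_type }`, but the new rules only cover `session_bus_type` and `dbusd_unconfined` itself, so unconfined domains lose `acquire_svc`/`send_msg` on the system bus unless `system_dbusd_t` carries the `dbusd_unconfined` attribute somewhere not shown in this diff; that should be confirmed or the system-bus target restored. Likewise `allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;` is dropped with the attributes and nothing here grants unconfined domains send_msg to ordinary bus clients on the new side, apart from the session-bus side via `allow session_bus_type dbusd_unconfined:dbus send_msg;`.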
diff --git a/dcc.fc b/dcc.fc
index 62d3c4e..cef59a7 100644
--- a/dcc.fc
+++ b/dcc.fc
@@ -10,6 +10,8 @@
 /usr/libexec/dcc/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
 /usr/libexec/dcc/dccm	--	gen_context(system_u:object_r:dccm_exec_t,s0)
 
+/usr/libexec/dcc/start-dccifd   --  gen_context(system_u:object_r:dccifd_exec_t,s0)
+
 /usr/sbin/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
 /usr/sbin/dccd	--	gen_context(system_u:object_r:dccd_exec_t,s0)
 /usr/sbin/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
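Review bot: The new entry `/usr/libexec/dcc/start-dccifd   --  gen_context(...)` is padded with spaces while the neighbouring lines use tabs, which leaves it misaligned in the file; write it as `/usr/libexec/dcc/start-dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)`. Labelling the start wrapper with the daemon's `dccifd_exec_t` means the wrapper itself runs in `dccifd_t` (via the `domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)` added in dcc.te), so if it is a shell script, `dccifd_t` must also be allowed to execute a shell and the real binary; that cannot be verified from this diff, so a comment on the entry noting it is a wrapper would help the next reader.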
diff --git a/dcc.if b/dcc.if
index a5c21e0..4639421 100644
--- a/dcc.if
+++ b/dcc.if
@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
 		type dcc_var_t, dccifd_var_run_t, dccifd_t;
 	')
 
-	files_search_var($1)
+	files_search_pids($1)
 	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
 ')
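Review bot: `files_search_var($1)` is replaced by `files_search_pids($1)`, suggesting the dccifd socket now lives under the pid directory (consistent with `dcc_var_run_t` becoming `files_pid_file` in dcc.te), but the unchanged `stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)` still grants directory search on `dcc_var_t` rather than on the run-directory type. If the socket path no longer passes through a `dcc_var_t` directory, callers will get a `dir search` denial on the pid directory type; if it still does, the `files_search_var` call should not have been dropped. Confirm the socket's path from the file contexts and pass the matching directory type as the second argument.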
diff --git a/dcc.te b/dcc.te
index 15d908f..cecb0da 100644
--- a/dcc.te
+++ b/dcc.te
@@ -45,7 +45,7 @@ type dcc_var_t;
 files_type(dcc_var_t)
 
 type dcc_var_run_t;
-files_type(dcc_var_run_t)
+files_pid_file(dcc_var_run_t)
 
 type dccd_t;
 type dccd_exec_t;
@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
 files_read_etc_runtime_files(cdcc_t)
 
 auth_use_nsswitch(cdcc_t)
 
 logging_send_syslog_msg(cdcc_t)
 
-miscfiles_read_localization(cdcc_t)
-
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
 
 ########################################
 #
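Review bot: `corenet_udp_sendrecv_all_ports(cdcc_t)` grants UDP send/receive on every port to a command-line client; the same four-line block is repeated for `dcc_client_t`, `dcc_dbclean_t`, `dccifd_t` and `dccm_t` in the later dcc.te hunks (with `corenet_udp_bind_generic_node` added for `dcc_client_t`). If the DCC protocol uses a fixed port in this tree's corenetwork module, the port-specific interface bounds the grant; if the all-ports form is needed because DCC servers are reachable on arbitrary ports, say so in a comment above the first block so the breadth is deliberate rather than inherited. It is also unclear from the hunk why the database-maintenance domain `dcc_dbclean_t` needs network access at all.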
@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
 
 allow dcc_client_t dcc_client_map_t:file rw_file_perms;
 
+domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
+
 manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
 files_read_etc_runtime_files(dcc_client_t)
 
 fs_getattr_all_fs(dcc_client_t)
@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
 
 logging_send_syslog_msg(dcc_client_t)
 
-miscfiles_read_localization(dcc_client_t)
-
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
 
 optional_policy(`
-	amavis_read_spool_files(dcc_client_t)
+	antivirus_read_db(dcc_client_t)
 ')
 
 optional_policy(`
@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_dbclean_t)
 
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
 files_read_etc_runtime_files(dcc_dbclean_t)
 
 auth_use_nsswitch(dcc_dbclean_t)
 
 logging_send_syslog_msg(dcc_dbclean_t)
 
-miscfiles_read_localization(dcc_dbclean_t)
-
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
 
 ########################################
 #
@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
 kernel_read_system_state(dccd_t)
 kernel_read_kernel_sysctls(dccd_t)
 
-corenet_all_recvfrom_unlabeled(dccd_t)
 corenet_all_recvfrom_netlabel(dccd_t)
 corenet_udp_sendrecv_generic_if(dccd_t)
 corenet_udp_sendrecv_generic_node(dccd_t)
@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
 
 logging_send_syslog_msg(dccd_t)
 
-miscfiles_read_localization(dccd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
 userdom_dontaudit_search_user_home_dirs(dccd_t)
 
@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
 kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)
 
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
 dev_read_sysfs(dccifd_t)
 
 domain_use_interactive_fds(dccifd_t)
@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
 
 logging_send_syslog_msg(dccifd_t)
 
-miscfiles_read_localization(dccifd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
 userdom_dontaudit_search_user_home_dirs(dccifd_t)
 
@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
 kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)
 
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
 dev_read_sysfs(dccm_t)
 
 domain_use_interactive_fds(dccm_t)
@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
 
 logging_send_syslog_msg(dccm_t)
 
-miscfiles_read_localization(dccm_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
 userdom_dontaudit_search_user_home_dirs(dccm_t)
 
diff --git a/ddclient.if b/ddclient.if
index 5606b40..cd18cf2 100644
--- a/ddclient.if
+++ b/ddclient.if
@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
 		type ddclient_var_run_t, ddclient_initrc_exec_t;
 	')
 
-	allow $1 ddclient_t:process { ptrace signal_perms };
+	allow $1 ddclient_t:process signal_perms;
 	ps_process_pattern($1, ddclient_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ddclient_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
index 0b4b8b9..2efb435 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
 # Declarations
 #
 
+
 dontaudit ddclient_t self:capability sys_tty_config;
 allow ddclient_t self:process signal_perms;
 allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
 
 read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
 setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
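Review bot: The added empty line directly after the `# Declarations` banner leaves two consecutive blank lines before `dontaudit ddclient_t self:capability sys_tty_config;`, which the rest of the file does not do; drop the extra blank line. The three new `self:tcp_socket`, `self:udp_socket` and `self:netlink_route_socket` rules are the daemon's own socket creation and read fine as written.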
@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
 
-corenet_all_recvfrom_unlabeled(ddclient_t)
 corenet_all_recvfrom_netlabel(ddclient_t)
 corenet_tcp_sendrecv_generic_if(ddclient_t)
 corenet_udp_sendrecv_generic_if(ddclient_t)
@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
 corenet_udp_sendrecv_generic_node(ddclient_t)
 corenet_tcp_sendrecv_all_ports(ddclient_t)
 corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
 
 corenet_sendrecv_all_client_packets(ddclient_t)
 corenet_tcp_connect_all_ports(ddclient_t)
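Review bot: `corenet_tcp_bind_generic_node` and `corenet_udp_bind_generic_node` come with no port-bind rule and no comment, so it is unclear whether ddclient binds a fixed port (which would still be denied) or only a local source address on an ephemeral port, for which the node rule alone suffices. A comment such as `# bind a local source address for the update connection; ephemeral port, no port bind needed` (confirm against the denial that prompted this) would settle it for the next reader.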
@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
 
 domain_use_interactive_fds(ddclient_t)
 
-files_read_etc_files(ddclient_t)
 files_read_etc_runtime_files(ddclient_t)
-files_read_usr_files(ddclient_t)
 
 fs_getattr_all_fs(ddclient_t)
 fs_search_auto_mountpoints(ddclient_t)
 
+auth_read_passwd(ddclient_t)
+
 logging_send_syslog_msg(ddclient_t)
 
-miscfiles_read_localization(ddclient_t)
+mta_send_mail(ddclient_t)
 
 sysnet_exec_ifconfig(ddclient_t)
 sysnet_dns_name_resolve(ddclient_t)
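Review bot: `mta_send_mail(ddclient_t)` is called at top level; if mta is built as a separate module in this tree, as the `optional_policy` wrappers around the other cross-module calls in this file suggest, the call should be wrapped in `optional_policy(` … ')` so the module still links without it. Placing it where `miscfiles_read_localization` used to be also makes the diff read as if one were swapped for the other; the mail rule belongs with the other optional blocks further down.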
diff --git a/ddcprobe.te b/ddcprobe.te
index ceb9bf4..2496e02 100644
--- a/ddcprobe.te
+++ b/ddcprobe.te
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
 dev_read_raw_memory(ddcprobe_t)
 dev_wx_raw_memory(ddcprobe_t)
 
-files_read_etc_files(ddcprobe_t)
 files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
 
 term_use_all_ttys(ddcprobe_t)
 term_use_all_ptys(ddcprobe_t)
diff --git a/denyhosts.if b/denyhosts.if
index a7326da..c87b5b7 100644
--- a/denyhosts.if
+++ b/denyhosts.if
@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`denyhosts_admin',`
 	gen_require(`
@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
 		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
 	')
 
-	allow $1 denyhosts_t:process { ptrace signal_perms };
+	allow $1 denyhosts_t:process signal_perms;
 	ps_process_pattern($1, denyhosts_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 denyhosts_t:process ptrace;
+	')
+
 	denyhosts_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 denyhosts_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, denyhosts_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, denyhosts_var_log_t)
 
-	files_search_locks($1)
+	files_list_locks($1)
 	admin_pattern($1, denyhosts_var_lock_t)
 ')
diff --git a/denyhosts.te b/denyhosts.te
index bcb9770..b53e611 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
 #
 # Local policy
 #
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
 
 allow denyhosts_t self:capability sys_tty_config;
 allow denyhosts_t self:fifo_file rw_fifo_file_perms;
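Review bot: The two rules added under `# Bug #588563`, `allow denyhosts_t self:capability sys_tty_config;` and `allow denyhosts_t self:fifo_file rw_fifo_file_perms;`, are identical to the two context lines that immediately follow them, so the hunk adds nothing but a duplicate pair and a comment whose referenced bug is not described. Drop the three added lines, or if the bug note is meant to annotate the existing rules, keep only the comment and say in one clause what the bug was.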
@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
 corecmd_exec_bin(denyhosts_t)
 corecmd_exec_shell(denyhosts_t)
 
-corenet_all_recvfrom_unlabeled(denyhosts_t)
 corenet_all_recvfrom_netlabel(denyhosts_t)
 corenet_tcp_sendrecv_generic_if(denyhosts_t)
 corenet_tcp_sendrecv_generic_node(denyhosts_t)
@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
 
 dev_read_urand(denyhosts_t)
 
+auth_use_nsswitch(denyhosts_t)
+
 logging_read_generic_logs(denyhosts_t)
 logging_send_syslog_msg(denyhosts_t)
 
-miscfiles_read_localization(denyhosts_t)
-
 sysnet_dns_name_resolve(denyhosts_t)
 sysnet_manage_config(denyhosts_t)
 sysnet_etc_filetrans_config(denyhosts_t)
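Review bot: `auth_use_nsswitch(denyhosts_t)` already pulls in DNS name resolution in the reference policy's definition of that interface, so the `sysnet_dns_name_resolve(denyhosts_t)` kept two lines below becomes redundant; remove it unless this tree's `auth_use_nsswitch` differs — its definition is not visible from here.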
@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
 optional_policy(`
 	cron_system_entry(denyhosts_t, denyhosts_exec_t)
 ')
+
+optional_policy(`
+	gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.if b/devicekit.if
index d294865..3b4f593 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
-## <summary>Devicekit modular hardware abstraction layer.</summary>
+## <summary>Devicekit modular hardware abstraction layer</summary>
 
 ########################################
 ## <summary>
@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',`
 		type devicekit_t, devicekit_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, devicekit_exec_t, devicekit_t)
 ')
 
 ########################################
 ## <summary>
+##	Execute a domain transition to run devicekit_disk.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`devicekit_domtrans_disk',`
+	gen_require(`
+		type devicekit_disk_t, devicekit_disk_exec_t;
+	')
+
+	domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
+')
+
+########################################
+## <summary>
 ##	Send to devicekit over a unix domain
 ##	datagram socket.
 ## </summary>
@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
 #
 interface(`devicekit_dgram_send',`
 	gen_require(`
-		type devicekit_t, devicekit_var_run_t;
+		type devicekit_t;
 	')
 
-	files_search_pids($1)
-	dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
+	allow $1 devicekit_t:unix_dgram_socket sendto;
 ')
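Review bot: `allow $1 devicekit_t:unix_dgram_socket sendto;` on its own only covers a datagram socket the caller already holds or reaches without a filesystem name; if devicekit's socket is a named socket under /var/run, as the removed `dgram_send_pattern` on `devicekit_var_run_t` assumed, the caller also needs `files_search_pids($1)` and `allow $1 devicekit_var_run_t:sock_file write;`. If the socket-file type was dropped on purpose because devicekit no longer creates one, a one-line comment saying so would keep it from being re-added.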
 
 ########################################
@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',`
 
 ########################################
 ## <summary>
-##	Send generic signals to devicekit power.
+##	Use file descriptors for devicekit_disk.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_use_fds_disk',`
+	gen_require(`
+		type devicekit_disk_t;
+	')
+
+	allow $1 devicekit_disk_t:fd use; 
+')
+
+########################################
+## <summary>
+##	Dontaudit Send and receive messages from
+##	devicekit disk over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`devicekit_dontaudit_dbus_chat_disk',`
+	gen_require(`
+		type devicekit_disk_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 devicekit_disk_t:dbus send_msg;
+	dontaudit devicekit_disk_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send signal devicekit power
 ## </summary>
 ## <param name="domain">
 ##	<summary>
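Review bot: `allow $1 devicekit_disk_t:fd use; ` carries a trailing space, and the rewritten summary `Send signal devicekit power` is less precise than the `Send generic signals to devicekit power.` it replaces; keep the original wording. In the new dontaudit interface, `Dontaudit Send and receive messages from` should read `Do not audit attempts to send and receive messages from`, matching the phrasing of the file's other dontaudit summaries. The interface whose summary is rewritten at the end of the hunk has its body outside the hunk.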
@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',`
 	allow devicekit_power_t $1:dbus send_msg;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Create, read, write, and delete
-##	devicekit log files.
+##  Append inherited devicekit log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`devicekit_manage_log_files',`
+interface(`devicekit_append_inherited_log_files',`
 	gen_require(`
 		type devicekit_var_log_t;
 	')
 
-	logging_search_logs($1)
-	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	allow $1 devicekit_var_log_t:file append_inherited_file_perms;
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to write the devicekit
+##  log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_rw_log',`
+	gen_require(`
+		type devicekit_var_log_t;
+	')
+
+	dontaudit $1 devicekit_var_log_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel devicekit log files.
+##	Allow the domain to read devicekit_power state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
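Review bot: The separator above `devicekit_append_inherited_log_files` was shortened to 39 `#` characters and its parameter block switched from tab to two-space indentation, both diverging from the rest of the file; restore the 40-character rule and tab indentation there and in `devicekit_dontaudit_rw_log`. That interface name also breaks the file's `_log_files` pattern, so `devicekit_dontaudit_rw_log_files` would read consistently with `devicekit_manage_log_files` and `devicekit_relabel_log_files`. The summary rewritten at the end of the hunk belongs to an interface whose body lies outside it.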
@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_relabel_log_files',`
+interface(`devicekit_read_state_power',`
 	gen_require(`
-		type devicekit_var_log_t;
+		type devicekit_power_t;
 	')
 
-	logging_search_logs($1)
-	relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	kernel_search_proc($1)
+	ps_process_pattern($1, devicekit_power_t)
 ')
 
 ########################################
@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+##	Do not audit attempts to read
 ##	devicekit PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`devicekit_dontaudit_read_pid_files',`
+	gen_require(` 
+		type devicekit_var_run_t;
+	')
+
+	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
+')
+
+
+########################################
+## <summary>
+##	Manage devicekit PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
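Review bot: `gen_require(` ` in `devicekit_dontaudit_read_pid_files` has a trailing space after the macro open, and two blank lines follow the interface where the file uses one. The summary says `read devicekit PID files` while the rule grants `read_inherited_file_perms`; `Do not audit attempts to read inherited devicekit PID files.` describes the rule accurately.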
@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',`
 	')
 
 	files_search_pids($1)
+	manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
 	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
+## <summary>
+##  Relabel devicekit LOG files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`devicekit_relabel_log_files',`
+    gen_require(`
+        type devicekit_var_log_t;
+    ')
+
+    logging_search_logs($1)
+    relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an devicekit environment.
+##	Manage devicekit LOG files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`devicekit_manage_log_files',`
+	gen_require(`
+		type devicekit_var_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an devicekit environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
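Review bot: `files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")` inside `devicekit_manage_pid_files` duplicates the transition the new `devicekit_filetrans_named_content` grants, and the two commented-out `logging_log_filetrans` lines in `devicekit_manage_log_files` are live rules in that same interface; delete the commented copies rather than carrying dead code. `devicekit_relabel_log_files` is re-added with four-space indentation where every other interface in the file uses tabs. Together with the earlier hunk that renamed the original relabel/manage log interfaces, the net effect is four log interfaces where there were two — a sentence in the commit message saying the rename was really an addition would help.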
@@ -219,21 +347,48 @@ interface(`devicekit_admin',`
 	gen_require(`
 		type devicekit_t, devicekit_disk_t, devicekit_power_t;
 		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
-		type devicekit_var_log_t;
 	')
 
-	allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
+	allow $1 devicekit_t:process signal_perms;
+	ps_process_pattern($1, devicekit_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 devicekit_t:process ptrace;
+		allow $1 devicekit_disk_t:process ptrace;
+		allow $1 devicekit_power_t:process ptrace;
+	')
+
+	allow $1 devicekit_disk_t:process signal_perms;
+	ps_process_pattern($1, devicekit_disk_t)
+
+	allow $1 devicekit_power_t:process signal_perms;
+	ps_process_pattern($1, devicekit_power_t)
 
-	files_search_tmp($1)
 	admin_pattern($1, devicekit_tmp_t)
+	files_list_tmp($1)
 
-	files_search_var_lib($1)
 	admin_pattern($1, devicekit_var_lib_t)
+	files_list_var_lib($1)
 
-	logging_search_logs($1)
-	admin_pattern($1, devicekit_var_log_t)
-
-	files_search_pids($1)
 	admin_pattern($1, devicekit_var_run_t)
+	files_list_pids($1)
+')
+
+########################################
+## <summary>
+##	Transition to devicekit named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_filetrans_named_content',`
+	gen_require(`
+		type devicekit_var_run_t, devicekit_var_log_t;
+	')
+
+	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
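Review bot: `devicekit_admin` no longer grants `admin_pattern($1, devicekit_var_log_t)` (and drops `devicekit_var_log_t` from `gen_require`), so an administrator loses the ability to manage devicekit log files without the commit saying why; if that is unintended, restore `logging_list_logs($1)` and `admin_pattern($1, devicekit_var_log_t)` next to the other `admin_pattern` calls. The ptrace `tunable_policy` block sits between the `devicekit_t` rules and the disk/power rules although it covers all three domains; moving it after the `devicekit_power_t` lines keeps each domain's group together. In `devicekit_filetrans_named_content`, `##      Domain allowed access.` is space-indented where the file uses a tab.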
diff --git a/devicekit.te b/devicekit.te
index ff933af..cd1d88d 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
 
 type devicekit_t;
 type devicekit_exec_t;
-dbus_system_domain(devicekit_t, devicekit_exec_t)
+init_daemon_domain(devicekit_t, devicekit_exec_t)
 
 type devicekit_power_t;
 type devicekit_power_exec_t;
-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
 
 type devicekit_disk_t;
 type devicekit_disk_exec_t;
-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
 
 type devicekit_tmp_t;
 files_tmp_file(devicekit_tmp_t)
@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
 dev_read_sysfs(devicekit_t)
 dev_read_urand(devicekit_t)
 
-files_read_etc_files(devicekit_t)
-
-miscfiles_read_localization(devicekit_t)
-
 optional_policy(`
+	dbus_system_domain(devicekit_t, devicekit_exec_t)
 	dbus_system_bus_client(devicekit_t)
 
 	allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
@@ -64,7 +61,8 @@ optional_policy(`
 # Disk local policy
 #
 
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
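Review bot: The capability line for `devicekit_disk_t` drops `sys_ptrace` and adds `sys_tty_config` in one edit with no comment; a disk daemon needing `sys_tty_config` is not self-explanatory, so record the reason inline, e.g. `# sys_tty_config: <operation observed in the denial — fill in>`. The blank line inserted after that `allow` separates it from the `self:process` rule it belongs with; the rest of the file keeps self rules contiguous.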
@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
 manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+files_filetrans_named_content(devicekit_disk_t)
 
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
 kernel_getattr_message_if(devicekit_disk_t)
 kernel_list_unlabeled(devicekit_disk_t)
-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
 kernel_read_fs_sysctls(devicekit_disk_t)
 kernel_read_network_state(devicekit_disk_t)
 kernel_read_software_raid_state(devicekit_disk_t)
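Review bot: `files_filetrans_named_content(devicekit_disk_t)` is, as far as I recall its definition, a broad interface covering name-based transitions across many system directories rather than just the ones devicekit_disk creates; if the daemon needs only a few named transitions, targeted `files_pid_filetrans`-style rules with the file names keep the policy auditable. I cannot see from the hunk which names are needed, so at minimum note the triggering case in a comment.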
@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
 
 dev_getattr_all_chr_files(devicekit_disk_t)
 dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
+dev_rw_loop_control(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
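Review bot: `dev_rw_generic_blk_files` and `dev_rw_loop_control` are inserted between `dev_getattr_mtrr_dev` and `dev_getattr_usbfs_dirs`, breaking the alphabetical order the surrounding `dev_*` calls keep; place them after `dev_read_urand`. `dev_rw_generic_blk_files` grants read/write on block nodes carrying the generic device type, i.e. devices no specific label covers; if a particular device class prompted it, a `storage_*` interface is the more precise choice, and a comment should name that device either way.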
@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
+files_manage_etc_files(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
-files_read_usr_files(devicekit_disk_t)
 
 fs_getattr_all_fs(devicekit_disk_t)
 fs_list_inotifyfs(devicekit_disk_t)
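Review bot: `files_manage_etc_files(devicekit_disk_t)` lets the disk daemon create, write and delete any file labeled `etc_t`, well beyond the one or two configuration files a disk service presumably maintains; if only specific files are written, a dedicated type for them plus a comment naming the file keeps the grant reviewable. The line is also out of alphabetical order — `files_manage_etc_files` sorts before `files_manage_mnt_dirs`.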
@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
 storage_raw_read_removable_device(devicekit_disk_t)
 storage_raw_write_removable_device(devicekit_disk_t)
 
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
 
 auth_use_nsswitch(devicekit_disk_t)
 
-miscfiles_read_localization(devicekit_disk_t)
+logging_send_syslog_msg(devicekit_disk_t)
 
 userdom_read_all_users_state(devicekit_disk_t)
 userdom_search_user_home_dirs(devicekit_disk_t)
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
 
 optional_policy(`
+	dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
 	dbus_system_bus_client(devicekit_disk_t)
 
 	allow devicekit_disk_t devicekit_t:dbus send_msg;
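Review bot: `userdom_manage_user_tmp_dirs(devicekit_disk_t)` lets a system daemon create and delete directories labeled as user temporary content with no comment; record what prompted it, e.g. `# creates/removes directories under a user-owned tmp dir on behalf of a user request — TODO confirm`, so a later cleanup can judge whether a dedicated type would serve instead. The `dbus_system_domain` call inside `optional_policy` matches the declaration hunk's switch to `init_daemon_domain` and needs no further note.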
@@ -167,6 +170,7 @@ optional_policy(`
 
 optional_policy(`
 	mount_domtrans(devicekit_disk_t)
+	mount_read_pid_files(devicekit_disk_t)
 ')
 
 optional_policy(`
@@ -180,6 +184,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_read_logind_sessions_files(devicekit_disk_t)
+	systemd_write_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
 	udev_domtrans(devicekit_disk_t)
 	udev_read_db(devicekit_disk_t)
 ')
@@ -188,12 +197,19 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
 
+optional_policy(`
+	unconfined_domain(devicekit_t)
+	unconfined_domain(devicekit_power_t)
+	unconfined_domain(devicekit_disk_t)
+')
+
 ########################################
 #
 # Power local policy
 #
 
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
+allow devicekit_power_t self:capability2 compromise_kernel;
 allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
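Review bot: `unconfined_domain(devicekit_t)`, `unconfined_domain(devicekit_power_t)` and `unconfined_domain(devicekit_disk_t)` make all three daemons unconfined whenever the unconfined module is loaded, so on a typical targeted install every other rule in this file stops mattering and a compromise of either daemon is not contained at all. If this is a temporary measure while denials are collected, say so in a comment with the tracking reference, or better, gate it behind a tunable so it can be switched off without a rebuild. `allow devicekit_power_t self:capability2 compromise_kernel;` is likewise unexplained; state which operation required it.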
@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
 
-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
 
 manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
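Review bot: Replacing the three `devicekit_var_log_t:file` rules with `manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)` widens the daemon from append/create/setattr to full read, write, rename and unlink on its own logs, so a compromised devicekit_power could now truncate or delete its log trail. If the daemon only appends, keep the original append-oriented rules and add only the permission the denial actually asked for; if full management really is required, a comment naming the operation (the daemon rotating its own logs, for instance) would justify the widening.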
@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_runtime_files(devicekit_power_t)
-files_read_usr_files(devicekit_power_t)
 files_dontaudit_list_mnt(devicekit_power_t)
 
 fs_getattr_all_fs(devicekit_power_t)
 fs_list_inotifyfs(devicekit_power_t)
 
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
 
 auth_use_nsswitch(devicekit_power_t)
 
-miscfiles_read_localization(devicekit_power_t)
+seutil_exec_setfiles(devicekit_power_t)
 
 sysnet_domtrans_ifconfig(devicekit_power_t)
 sysnet_domtrans_dhcpc(devicekit_power_t)
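Review bot: `seutil_exec_setfiles(devicekit_power_t)` runs setfiles inside the devicekit_power domain, so the relabel executes with the power daemon's permissions rather than in the dedicated setfiles domain; `seutil_domtrans_setfiles(devicekit_power_t)` is the usual form and keeps the relabel confined. If the exec form was chosen because the transition failed for some reason, note it in a comment.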
@@ -269,9 +282,11 @@ optional_policy(`
 
 optional_policy(`
 	cron_initrc_domtrans(devicekit_power_t)
+	cron_systemctl(devicekit_power_t)
 ')
 
 optional_policy(`
+	dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
 	dbus_system_bus_client(devicekit_power_t)
 
 	allow devicekit_power_t devicekit_t:dbus send_msg;
@@ -302,8 +317,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_manage_home_config(devicekit_power_t)
+')
+
+optional_policy(`
 	hal_domtrans_mac(devicekit_power_t)
-	hal_manage_log(devicekit_power_t)
 	hal_manage_pid_dirs(devicekit_power_t)
 	hal_manage_pid_files(devicekit_power_t)
 ')
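Review bot: `gnome_manage_home_config(devicekit_power_t)` gives a system daemon write access to users' GNOME configuration in their home directories, an unusual grant for a power daemon and one with no comment. If it stems from a denial when a helper runs under the daemon's context, transitioning that helper is likely the better fix; at minimum document the trigger, e.g. `# <reason from the denial that prompted this> — TODO`.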
@@ -341,3 +359,9 @@ optional_policy(`
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
+
+optional_policy(`
+	corenet_tcp_connect_xserver_port(devicekit_power_t)
+	xserver_stream_connect(devicekit_power_t)
+')
+
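Review bot: The new `optional_policy` block is followed by an extra blank line, leaving the file with a trailing empty line the other module files do not have. Connecting a power daemon to the X server (`xserver_stream_connect`, `corenet_tcp_connect_xserver_port`) is unusual enough to deserve a comment naming the use case — presumably a display-blanking call — so the grant is not silently kept after the need goes away.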
diff --git a/dhcp.fc b/dhcp.fc
index 7956248..333d214 100644
--- a/dhcp.fc
+++ b/dhcp.fc
@@ -1,4 +1,6 @@
 /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
 
 /usr/sbin/dhcpd.*		--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
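Review bot: `/usr/lib/systemd/system/dhcpcd.*` labels the dhcpcd unit as `dhcpd_unit_file_t`; dhcpcd is a DHCP client daemon rather than the dhcpd server, so unless the intent is to let the dhcpd admin control the client too, that entry looks misplaced and belongs with the client's module. The second new entry mixes a tab and four spaces before `--`, while the surrounding lines use tabs only.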
diff --git a/dhcp.if b/dhcp.if
index c697edb..31d45bf 100644
--- a/dhcp.if
+++ b/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
 	')
 
 	sysnet_search_dhcp_state($1)
-	allow $1 dhcpd_state_t:file setattr;
+	allow $1 dhcpd_state_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute dhcpd server in the dhcpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dhcpd_systemctl',`
+	gen_require(`
+		type dhcpd_unit_file_t;
+		type dhcpd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	systemd_search_unit_dirs($1)
+	allow $1 dhcpd_unit_file_t:file read_file_perms;
+	allow $1 dhcpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, dhcpd_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an dhcpd environment.
 ## </summary>
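Review bot: The summary for `dhcpd_systemctl`, `Execute dhcpd server in the dhcpd domain.`, describes a domain transition, but the body grants systemctl execution plus `manage_service_perms` on `dhcpd_unit_file_t` and process inspection of `dhcpd_t`; `Execute systemctl to manage the dhcpd service.` matches what the rules do, and the parameter description should be `Domain allowed access.` rather than `Domain allowed to transition.`.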
@@ -79,11 +103,16 @@ interface(`dhcpd_admin',`
 	gen_require(`
 		type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
 		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+		type dhcpd_unit_file_t;
 	')
 
-	allow $1 dhcpd_t:process { ptrace signal_perms };
+	allow $1 dhcpd_t:process signal_perms;
 	ps_process_pattern($1, dhcpd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dhcpd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 dhcpd_initrc_exec_t system_r;
@@ -97,4 +126,8 @@ interface(`dhcpd_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, dhcpd_var_run_t)
+
+	dhcpd_systemctl($1)
+	admin_pattern($1, dhcpd_unit_file_t)
+	allow $1 dhcpd_unit_file_t:service all_service_perms;
 ')
diff --git a/dhcp.te b/dhcp.te
index c93c3db..5d61f10 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
 type dhcpd_initrc_exec_t;
 init_script_file(dhcpd_initrc_exec_t)
 
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
 type dhcpd_state_t;
 files_type(dhcpd_state_t)
 
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
 kernel_read_network_state(dhcpd_t)
 
-corenet_all_recvfrom_unlabeled(dhcpd_t)
 corenet_all_recvfrom_netlabel(dhcpd_t)
 corenet_tcp_sendrecv_generic_if(dhcpd_t)
 corenet_udp_sendrecv_generic_if(dhcpd_t)
@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t)
 
 domain_use_interactive_fds(dhcpd_t)
 
-files_read_usr_files(dhcpd_t)
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
 
@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
 
 logging_send_syslog_msg(dhcpd_t)
 
-miscfiles_read_localization(dhcpd_t)
-
+sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
 userdom_dontaudit_search_user_home_dirs(dhcpd_t)
 
 tunable_policy(`dhcpd_use_ldap',`
-	sysnet_use_ldap(dhcpd_t)
+    allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+    corenet_tcp_sendrecv_generic_if(dhcpd_t)
+    corenet_tcp_sendrecv_generic_node(dhcpd_t)
+    corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+    corenet_tcp_connect_ldap_port(dhcpd_t)
+    corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+	ldap_read_certs(dhcpd_t)
+')
+
+ifdef(`distro_gentoo',`
+	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
 ')
 
 optional_policy(`
+	# used for dynamic DNS
 	bind_read_dnssec_keys(dhcpd_t)
 ')
 
 optional_policy(`
+	cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(dhcpd_t)
 	dbus_connect_system_bus(dhcpd_t)
 ')
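Review bot: `ldap_read_certs(dhcpd_t)` is called inside `tunable_policy` but outside any `optional_policy`, so the module fails to link when the ldap module is not built; wrap that tunable block in `optional_policy(` … ')`. The three `tunable_policy(`dhcpd_use_ldap',…)` blocks can be a single block, and the first two use four-space indentation where the file uses tabs. The removed `sysnet_use_ldap(dhcpd_t)` used to cover this in one call; if the split is deliberate for finer control, a comment should say so.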
diff --git a/dictd.if b/dictd.if
index 3cc3494..cb0a1f4 100644
--- a/dictd.if
+++ b/dictd.if
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
 		type dictd_var_run_t, dictd_initrc_exec_t;
 	')
 
-	allow $1 dictd_t:process { ptrace signal_perms };
+	allow $1 dictd_t:process signal_perms;
 	ps_process_pattern($1, dictd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dictd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
index fd4a602..43b800a 100644
--- a/dictd.te
+++ b/dictd.te
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
 
-corenet_all_recvfrom_unlabeled(dictd_t)
 corenet_all_recvfrom_netlabel(dictd_t)
 corenet_tcp_sendrecv_generic_if(dictd_t)
 corenet_tcp_sendrecv_generic_node(dictd_t)
@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t)
 domain_use_interactive_fds(dictd_t)
 
 files_read_etc_runtime_files(dictd_t)
-files_read_usr_files(dictd_t)
 files_search_var_lib(dictd_t)
 
 fs_getattr_xattr_fs(dictd_t)
@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t)
 
 logging_send_syslog_msg(dictd_t)
 
-miscfiles_read_localization(dictd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
 optional_policy(`
diff --git a/dirmngr.te b/dirmngr.te
index b3b2188..5f91705 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
 
 kernel_read_crypto_sysctls(dirmngr_t)
 
-files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
index 0000000..8c44697
--- /dev/null
+++ b/dirsrv-admin.fc
@@ -0,0 +1,15 @@
+/etc/dirsrv/admin-serv(/.*)?		gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)?	gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/usr/sbin/restart-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/start-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin		--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin/ds_create    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
+/var/lock/subsys/dirsrv-admin      --  gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
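Review bot: Column alignment is inconsistent: `/etc/dirsrv/dsgw(/.*)?` has a single tab before `gen_context`, the `ds_create`/`ds_remove` and `/var/lock/subsys` entries use runs of spaces, and the remaining lines use tabs; pick tabs throughout. Every library pattern is written as `/usr/lib/dirsrv/...`; if the package installs its CGI directories under lib64 on 64-bit systems those files would stay unlabeled, so a `/usr/lib(64)?/dirsrv/` form is worth checking against the package file list.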
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
index 0000000..30416f2
--- /dev/null
+++ b/dirsrv-admin.if
@@ -0,0 +1,133 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
+## <summary>
+##	Exec dirsrv-admin programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_run_exec',`
+	gen_require(`
+		type dirsrvadmin_exec_t;
+	')
+
+	allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+	can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+## <summary>
+##	Exec cgi programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_run_httpd_script_exec',`
+	gen_require(`
+		type httpd_dirsrvadmin_script_exec_t;
+	')
+
+	allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
+	can_exec($1, httpd_dirsrvadmin_script_exec_t)
+')
+
+########################################
+## <summary>
+##	Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_read_config',`
+	gen_require(`
+		type dirsrvadmin_config_t;
+	')
+
+	read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+## <summary>
+##	Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_config',`
+	gen_require(`
+		type dirsrvadmin_config_t;
+	')
+
+	allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+	allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Read dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrvadmin_read_tmp',`
+        gen_require(`
+                type dirsrvadmin_tmp_t;
+        ')
+
+        read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+## <summary>
+##      Manage dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_tmp',`
+        gen_require(`
+                type dirsrvadmin_tmp_t;
+        ')
+
+	manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+#######################################
+## <summary>
+##  Execute admin cgi programs in caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
+    gen_require(`
+       type dirsrvadmin_unconfined_script_t;
+        type dirsrvadmin_unconfined_script_exec_t;
+    ')
+
+   domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
+   allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+')
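Review bot: `dirsrvadmin_read_config` is documented as `Manage dirsrv-adminserver configuration files.` although its body only grants `read_files_pattern`; the summary should read `Read dirsrv-adminserver configuration files.`. Likewise `dirsrvadmin_domtrans_unconfined_script_t` is summarized as `Execute admin cgi programs in caller domain.` while the body performs a domain transition to `dirsrvadmin_unconfined_script_t`; the summary should say `Execute admin CGI programs in the dirsrvadmin unconfined script domain.`, and the interface name should drop the `_t` suffix, since interface names in this tree describe the action rather than the type. Indentation is mixed: `dirsrvadmin_read_tmp` and `dirsrvadmin_manage_tmp` use eight spaces, the last interface four and three, the rest tabs.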
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
index 0000000..021c5ae
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,157 @@
+policy_module(dirsrv-admin,1.0.0) 
+
+########################################
+#
+# Declarations for the daemon
+#
+
+type dirsrvadmin_t;
+type dirsrvadmin_exec_t;
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+type dirsrvadmin_lock_t;
+files_lock_file(dirsrvadmin_lock_t)
+
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+type dirsrvadmin_unconfined_script_t;
+type dirsrvadmin_unconfined_script_exec_t;
+domain_type(dirsrvadmin_unconfined_script_t)
+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
+role system_r types dirsrvadmin_unconfined_script_t;
+
+########################################
+#
+# Local policy for the daemon
+#
+
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrvadmin_t)
+
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+
+files_exec_etc_files(dirsrvadmin_t)
+
+libs_exec_ld_so(dirsrvadmin_t)
+
+logging_search_logs(dirsrvadmin_t)
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
+optional_policy(`
+	apache_domtrans(dirsrvadmin_t)
+	apache_signal(dirsrvadmin_t)
+')
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+
+optional_policy(`
+	apache_content_template(dirsrvadmin)
+
+	allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
+	allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+	allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
+	allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+	allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+	allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
+
+
+	manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+	files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
+	kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
+
+	corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
+	corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
+	corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
+
+	corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
+	corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+	corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+	corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
+
+	files_search_var_lib(httpd_dirsrvadmin_script_t)
+
+	sysnet_read_config(httpd_dirsrvadmin_script_t)
+
+	manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+	optional_policy(`
+		apache_read_modules(httpd_dirsrvadmin_script_t)
+		apache_read_config(httpd_dirsrvadmin_script_t)
+		apache_signal(httpd_dirsrvadmin_script_t)
+		apache_signull(httpd_dirsrvadmin_script_t)
+	')
+
+	optional_policy(`
+		# The CGI scripts must be able to manage dirsrv-admin
+		dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+		dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
+		dirsrv_domtrans(httpd_dirsrvadmin_script_t)
+		dirsrv_signal(httpd_dirsrvadmin_script_t)
+		dirsrv_signull(httpd_dirsrvadmin_script_t)
+		dirsrv_manage_log(httpd_dirsrvadmin_script_t)
+		dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
+		dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
+		dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
+		dirsrv_manage_config(httpd_dirsrvadmin_script_t)
+		dirsrv_read_share(httpd_dirsrvadmin_script_t)
+	')
+')
+
+#######################################
+#
+# Local policy for the admin CGIs
+#
+#
+
+
+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
+
+# needed because of filetrans rules
+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
+dirsrv_signal(dirsrvadmin_unconfined_script_t)
+dirsrv_signull(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
+
+optional_policy(`
+   unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
+
+
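Review bot: The `dirsrv_*` interface calls for `dirsrvadmin_unconfined_script_t` (`dirsrv_domtrans` through `dirsrv_read_share`) and `dirsrv_read_var_run(dirsrvadmin_t)` are placed outside `optional_policy`, while the identical list for `httpd_dirsrvadmin_script_t` is wrapped in one; as written the module presumably cannot link unless the dirsrv module is loaded, so the second list should be wrapped the same way. The comment `# needed because of filetrans rules` does not say which rules; something like `# the admin CGIs create dirsrv pid/log/config objects, so they need the same dirsrv access as the httpd CGIs` would tell the next reader why the list is duplicated. The capability set granted to `httpd_dirsrvadmin_script_t` (`setuid setgid chown kill net_bind_service` among others) is broad for a CGI domain and carries no comment explaining which operation needs each one. Finally, `unconfined_domain(dirsrvadmin_unconfined_script_t)` at the end makes every explicit rule above it moot when the unconfined module is present; a comment stating that the explicit rules are the fallback for systems without it would make that intent visible.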
diff --git a/dirsrv.fc b/dirsrv.fc
new file mode 100644
index 0000000..5d30dab
--- /dev/null
+++ b/dirsrv.fc
@@ -0,0 +1,23 @@
+/etc/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd			--	gen_context(system_u:object_r:dirsrv_exec_t,s0)
+/usr/sbin/ldap-agent			--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/ldap-agent-bin		--	gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/start-dirsrv			--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/restart-dirsrv		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_share_t,s0)
+
+/var/run/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid	gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
+# BZ:
+/var/run/slapd.*    -s  gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+
+/var/lib/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+
+/var/log/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+
+/var/log/dirsrv/ldap-agent.log.*	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
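Review bot: The `# BZ:` comment above `/var/run/slapd.*` carries no bug reference, so it explains nothing; either fill in the tracker id as `# BZ: <bug-id placeholder>` or drop the line. Two patterns leave `.` unescaped where a literal dot is meant — `/var/run/slapd.*` and `/var/log/dirsrv/ldap-agent.log.*` — so they also match names like `ldap-agentXlog`; the file's other entries (`/var/run/ldap-agent\.pid`) escape it, and `/var/log/dirsrv/ldap-agent\.log.*` would be consistent. Labelling `/usr/sbin/ldap-agent`, `start-dirsrv` and `restart-dirsrv` as `initrc_exec_t` means they run in the init-script domain rather than a dirsrv-specific one; if that is deliberate, a one-line comment saying these are wrapper scripts would pre-empt the question.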
diff --git a/dirsrv.if b/dirsrv.if
new file mode 100644
index 0000000..b214253
--- /dev/null
+++ b/dirsrv.if
@@ -0,0 +1,208 @@
+## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrv_domtrans',`
+	gen_require(`
+		type dirsrv_t, dirsrv_exec_t;
+	')
+
+	domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+')
+
+
+########################################
+## <summary>
+##  Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+##      Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+	gen_require(`
+		type dirsrv_var_log_t;
+	')
+
+	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_log_t:file manage_file_perms;
+	allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##		Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+        gen_require(`
+                type dirsrv_var_lib_t;
+        ')
+        allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+        allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to dirsrv over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrv_stream_connect',`
+	gen_require(`
+		type dirsrv_t, dirsrv_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+	gen_require(`
+		type dirsrv_var_run_t;
+	')
+	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_run_t:file manage_file_perms;
+	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
+######################################
+## <summary>
+##      Allow a domain to create dirsrv pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_pid_filetrans',`
+        gen_require(`
+                type dirsrv_var_run_t;
+        ')
+        # Allow creating a dir in /var/run with this type
+        files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#######################################
+## <summary>
+##      Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+        gen_require(`
+                type dirsrv_var_run_t;
+        ')
+        allow $1 dirsrv_var_run_t:dir list_dir_perms;
+        allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##      Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+	gen_require(`
+		type dirsrv_config_t;
+	')
+
+	allow $1 dirsrv_config_t:dir manage_dir_perms;
+	allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##      Read dirsrv share files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+	gen_require(`
+		type dirsrv_share_t;
+	')
+
+	allow $1 dirsrv_share_t:dir list_dir_perms;
+	allow $1 dirsrv_share_t:file read_file_perms;
+	allow $1 dirsrv_share_t:lnk_file read;
+')
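Review bot: `dirsrv_read_var_run` and `dirsrv_manage_var_run` grant access to `dirsrv_var_run_t` objects without `files_search_pids($1)`, while `dirsrv_stream_connect` a few interfaces above does call it; a caller with no other search permission on /var/run cannot reach those files, so the same line belongs in both (and `files_search_var_lib($1)` in `dirsrv_manage_var_lib`). In `dirsrv_manage_var_run` the line `allow $1 dirsrv_var_run_t:sock_file manage_file_perms;` uses the file permission set on a socket object; `manage_sock_file_perms` is the matching set. The raw `allow` rules throughout this file could also use the `manage_dirs_pattern`/`manage_files_pattern`/`read_files_pattern` macros that the .te files in this same commit use, which would add the directory search permissions automatically. Indentation alternates between tabs and eight spaces from one interface to the next; the rest of the tree uses tabs.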
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 0000000..73d1b46
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,196 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+type dirsrv_snmp_t;
+type dirsrv_snmp_exec_t;
+domain_type(dirsrv_snmp_t)
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+type dirsrv_snmp_var_log_t;
+logging_log_file(dirsrv_snmp_var_log_t)
+
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+type dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_var_run_t)
+
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
+files_setattr_lock_dirs(dirsrv_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
+kernel_read_network_state(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+kernel_read_kernel_sysctls(dirsrv_t)
+
+corecmd_search_bin(dirsrv_t)
+
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_generic_node(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+
+dev_read_sysfs(dirsrv_t)
+dev_read_urand(dirsrv_t)
+
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
+
+auth_use_pam(dirsrv_t)
+
+logging_send_syslog_msg(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
+
+optional_policy(`
+	apache_dontaudit_leaks(dirsrv_t)
+')
+
+optional_policy(`
+	dirsrvadmin_read_tmp(dirsrv_t)
+')
+
+optional_policy(`
+	kerberos_use(dirsrv_t)
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
+# FIPS mode
+optional_policy(`
+	prelink_exec(dirsrv_t)
+')
+
+optional_policy(`
+	rpcbind_stream_connect(dirsrv_t)
+')
+
+optional_policy(`
+    uuidd_stream_connect_manager(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
+#
+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
+dev_read_urand(dirsrv_snmp_t)
+
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+optional_policy(`
+	snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+	snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+	snmp_manage_var_lib_dirs(dirsrv_snmp_t)
+	snmp_manage_var_lib_files(dirsrv_snmp_t)
+	snmp_stream_connect(dirsrv_snmp_t)
+')
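Review bot: Two lines end with a stray `;` after an m4 macro call — `files_type(dirsrv_share_t);` in the declarations and `manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);` in the snmp section — which leaves a bare `;` in the expanded policy; no other macro call in the file is terminated that way, so drop the semicolons. `corenet_tcp_connect_all_ports(dirsrv_t)` together with `corenet_tcp_sendrecv_all_ports` is much broader than the specific binds (ldap, dogtag, rpc) declared beside it; if replication or chaining to arbitrary peers is the reason, a comment such as `# outbound connections to replication partners on arbitrary ports` should say so, otherwise `corenet_tcp_connect_ldap_port` is the narrower fit. The `# FIPS mode` comment on the prelink block would be clearer as `# prelink is executed when NSS runs in FIPS mode`, assuming that is the intent. Minor: `signal_perms};` is missing a space before the brace, unlike the other rules.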
diff --git a/distcc.if b/distcc.if
index 24d8c74..1790ec5 100644
--- a/distcc.if
+++ b/distcc.if
@@ -19,7 +19,7 @@
 #
 interface(`distcc_admin',`
 	gen_require(`
-		type distccd_t, distccd_t, distccd_log_t;
+		type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
 		type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
 	')
 
diff --git a/distcc.te b/distcc.te
index b441a4d..83fb340 100644
--- a/distcc.te
+++ b/distcc.te
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
 
-corenet_all_recvfrom_unlabeled(distccd_t)
 corenet_all_recvfrom_netlabel(distccd_t)
 corenet_tcp_sendrecv_generic_if(distccd_t)
 corenet_tcp_sendrecv_generic_node(distccd_t)
@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t)
 
 logging_send_syslog_msg(distccd_t)
 
-miscfiles_read_localization(distccd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
 userdom_dontaudit_search_user_home_dirs(distccd_t)
 
diff --git a/djbdns.if b/djbdns.if
index 671d3c0..6d36c95 100644
--- a/djbdns.if
+++ b/djbdns.if
@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',`
 
 	allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
 	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+	corenet_all_recvfrom_netlabel(djbdns_$1_t)
+	corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+	corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+	corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+	corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+	corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_tcp_bind_generic_node(djbdns_$1_t)
+	corenet_udp_bind_generic_node(djbdns_$1_t)
+	corenet_tcp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_generic_port(djbdns_$1_t)
+	corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+	corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+	files_search_var(djbdns_$1_t)
 ')
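Review bot: The template now grants every `djbdns_$1_t` the full DNS server network set, including `corenet_udp_bind_generic_port` and the `*_sendrecv_all_ports` rules, while the djbdns.te context in this same commit already applies `corenet_udp_bind_generic_port(djbdns_domain)` and `files_search_var(djbdns_domain)` at the attribute level; if the template domains carry `djbdns_domain`, the new lines duplicate those rules, and if they do not, the comment should say why per-instance rules are needed. A one-line comment above the block such as `# every daemontools-managed djbdns service may serve DNS on tcp/udp 53` would make the intent explicit. The enclosing `djbdns_daemontools_domain_template` starts outside the hunk.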
 
 #####################################
diff --git a/djbdns.te b/djbdns.te
index 463d290..df50e4c 100644
--- a/djbdns.te
+++ b/djbdns.te
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
 
 files_search_var(djbdns_domain)
 
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+
 ########################################
 #
 # axfrdns local policy
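Review bot: `daemontools_ipc_domain(djbdns_axfrdns_t)` and `daemontools_read_svc(djbdns_axfrdns_t)` are placed above the `# axfrdns local policy` header instead of under it, and they are not wrapped in `optional_policy`, unlike the other cross-module calls one would expect in this file; if djbdns is always run under daemontools a comment saying so would justify the hard dependency. Two blank lines are left before the header where the file uses one.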
diff --git a/dkim.fc b/dkim.fc
index 5818418..674367b 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -9,7 +9,6 @@
 
 /var/lib/dkim-milter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/var/run/dkim-filter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/dkim-milter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/dkim-milter\.pid	--	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
diff --git a/dmidecode.if b/dmidecode.if
index 41c3f67..653a1ec 100644
--- a/dmidecode.if
+++ b/dmidecode.if
@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',`
 	domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
 ')
 
+######################################
+## <summary>
+##	Execute dmidecode in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dmidecode_exec',`
+	gen_require(`
+		type dmidecode_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, dmidecode_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
index c947c2c..8d4d843 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t)
 
 locallogin_use_fds(dmidecode_t)
 
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+    rhsmcertd_rw_inherited_lock_files(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808..84735a8 100644
--- a/dnsmasq.fc
+++ b/dnsmasq.fc
@@ -1,13 +1,16 @@
 /etc/dnsmasq\.conf	--	gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)?		gen_context(system_u:object_r:dnsmasq_etc_t,s0)
 
 /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
 /usr/sbin/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/lib/dnsmasq(/.*)?	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 
-/var/log/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
 
-/var/run/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 /var/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
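Review bot: Dropping the `--` qualifier on `/var/log/dnsmasq.*` and `/var/run/dnsmasq.*` widens those entries to every object class, and since the `.` is unescaped each pattern now matches any object under that directory whose name merely starts with `dnsmasq`, pid file or not. If the aim is a dnsmasq pid directory, the convention used elsewhere in this same file (`/etc/dnsmasq\.d(/.*)?`, `/var/run/libvirt/network(/.*)?`) gives `/var/run/dnsmasq(/.*)?` together with `/var/run/dnsmasq\.pid --` for the pid file. The new `/usr/lib/systemd/system/dnsmasq.*` entry has the same unescaped dot; `dnsmasq.*` there presumably means `dnsmasq\.service`-style names.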
diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b8..b9895ba 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_domtrans',`
 	gen_require(`
 		type dnsmasq_exec_t, dnsmasq_t;
@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',`
 	domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
 ')
 
+#######################################
+## <summary>
+##  Execute dnsmasq server in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`dnsmasq_exec',`
+    gen_require(`
+        type dnsmasq_exec_t;
+    ')
+
+    can_exec($1, dnsmasq_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write dnsmasq pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnsmasq_rw_inherited_pipes',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+	allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute the dnsmasq init script in
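Review bot: The parameter summary of `dnsmasq_exec` reads `Domain allowed to transition.`, but the interface only grants `can_exec($1, dnsmasq_exec_t)` in the caller domain with no transition; `dmidecode_exec` added in this same commit documents the same contract as `Domain allowed access.` and also calls `corecmd_search_bin($1)`, which `dnsmasq_exec` lacks and which a caller needs to reach /usr/sbin. Suggested lines: `##	Domain allowed access.` and `	corecmd_search_bin($1)` before the `can_exec`. Both new interfaces here are indented with four spaces while the rest of the file uses tabs; the same mix appears in the `dnsmasq_sigchld`, `dnsmasq_read_state`, `dnsmasq_filetrans_named_content` and `dnsmasq_admin` hunks below.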
@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dnsmasq_systemctl',`
+	gen_require(`
+		type dnsmasq_unit_file_t;
+		type dnsmasq_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 dnsmasq_unit_file_t:file read_file_perms;
+	allow $1 dnsmasq_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
+##	Send sigchld to dnsmasq.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_sigchld',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+    allow $1 dnsmasq_t:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Send generic signals to dnsmasq.
 ## </summary>
 ## <param name="domain">
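Review bot: The summary of `dnsmasq_systemctl` says `Execute dnsmasq server in the dnsmasq domain.`, which describes a domain transition, not what the body does (execute systemctl, read the unit file, manage the service, read dnsmasq process state); a summary such as `Execute systemctl to manage the dnsmasq service unit.` and a parameter summary of `Domain allowed access.` would match the code. `dnsmasq_sigchld` keeps a doubled `#` line above the interface, the very pattern this commit removes at three other places in the file. The `allow $1 dnsmasq_t:process sigchld;` line is indented with spaces inside a tab-indented interface.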
@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_delete_pid_files',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',`
 
 ########################################
 ## <summary>
-##	Read dnsmasq pid files.
+##	Read dnsmasq pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_read_pid_files',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',`
 
 ########################################
 ## <summary>
-##	Create specified objects in specified
-##	directories with a type transition to
-##	the dnsmasq pid file type.
+##	Create dnsmasq pid directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	Directory to transition on.
-##	</summary>
-## </param>
-## <param name="object">
+#
+interface(`dnsmasq_read_state',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+    ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
+##	Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The object class of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+## <param name="private type">
 ##	<summary>
-##	The name of the object being created.
+##	The type of the directory for the object to be created.
 ##	</summary>
 ## </param>
 #
-interface(`dnsmasq_spec_filetrans_pid',`
+interface(`dnsmasq_filetrans_named_content_fromdir',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
-	filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
+	filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+	filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
+
+#######################################
+## <summary>
+##      Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dnsmasq_filetrans_named_content',`
+		gen_require(`
+            type dnsmasq_etc_t;
+			type dnsmasq_var_run_t;
+	')
+
+	files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+	files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+	virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+	files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
+	files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
 ')
 
 ########################################
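Review bot: `dnsmasq_read_state` inherits the summary `Create dnsmasq pid directories.` from the interface it replaced, but its body is `ps_process_pattern($1, dnsmasq_t)`; the summary should read `Read dnsmasq process state.`. `dnsmasq_filetrans_named_content` calls `virt_pid_filetrans` unconditionally, which makes this dnsmasq interface depend on the virt module for every caller; wrapping that one line in `optional_policy(\`` … `')` (as the `virt_*` calls in dnsmasq.te already are) keeps the rest usable without virt. Its `gen_require` block is also indented inconsistently (two tabs, then spaces, then tabs) and, like `dnsmasq_filetrans_named_content_fromdir`, hard-codes the names `network` and `dnsmasq.pid` without a comment saying who creates them.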
@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
 interface(`dnsmasq_admin',`
 	gen_require(`
 		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
-		type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
+        type dnsmasq_var_log_t;
+		type dnsmasq_initrc_exec_t;
+		type dnsmasq_unit_file_t;
 	')
 
-	allow $1 dnsmasq_t:process { ptrace signal_perms };
+	allow $1 dnsmasq_t:process signal_perms;
 	ps_process_pattern($1, dnsmasq_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dnsmasq_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, dnsmasq_lease_t)
 
-	logging_seearch_logs($1)
+	logging_search_logs($1)
 	admin_pattern($1, dnsmasq_var_log_t)
 
 	files_list_pids($1)
 	admin_pattern($1, dnsmasq_var_run_t)
+
+	dnsmasq_systemctl($1)
+	admin_pattern($1, dnsmasq_unit_file_t)
+	allow $1 dnsmasq_unit_file_t:service all_service_perms;
 ')
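Review bot: `allow $1 dnsmasq_unit_file_t:service all_service_perms;` is added right after `dnsmasq_systemctl($1)`, which already grants `manage_service_perms` on the same type, and `admin_pattern($1, dnsmasq_unit_file_t)` sits between them; the three rules overlap and it is not clear from the hunk which one is meant to be authoritative. If `all_service_perms` is intended to be a superset for the admin role, a short comment saying so — or dropping the narrower grant — would settle it. The `logging_seearch_logs` → `logging_search_logs` typo fix is welcome.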
diff --git a/dnsmasq.te b/dnsmasq.te
index ba14bcf..34a4c71 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
 type dnsmasq_var_run_t;
 files_pid_file(dnsmasq_var_run_t)
 
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
 read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
 
 manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
 files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
 kernel_read_network_state(dnsmasq_t)
 kernel_read_system_state(dnsmasq_t)
 kernel_request_load_module(dnsmasq_t)
 
-corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corecmd_exec_bin(dnsmasq_t)
+corecmd_exec_shell(dnsmasq_t)
+
 corenet_all_recvfrom_netlabel(dnsmasq_t)
 corenet_tcp_sendrecv_generic_if(dnsmasq_t)
 corenet_udp_sendrecv_generic_if(dnsmasq_t)
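Review bot: `corecmd_exec_bin(dnsmasq_t)` and `corecmd_exec_shell(dnsmasq_t)` let the daemon execute arbitrary system binaries and shells in its own domain, which is a notable widening of the dnsmasq domain, and nothing in the hunk records why. If the driver is dnsmasq's `dhcp-script` hook (the usual reason a DNS/DHCP daemon needs a shell), a comment such as `# dnsmasq runs the configured dhcp-script helper in its own domain` would document it; if the scripts can be confined to a dedicated domain instead, a `domtrans` would be the narrower fix. The same placement question applies to `libs_exec_ldconfig(dnsmasq_t)` in the following hunk.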
@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
 
 auth_use_nsswitch(dnsmasq_t)
 
-logging_send_syslog_msg(dnsmasq_t)
+libs_exec_ldconfig(dnsmasq_t)
 
-miscfiles_read_localization(dnsmasq_t)
+logging_send_syslog_msg(dnsmasq_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -98,12 +105,21 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
 	dbus_connect_system_bus(dnsmasq_t)
 	dbus_system_bus_client(dnsmasq_t)
 ')
 
 optional_policy(`
-	networkmanager_read_pid_files(dnsmasq_t)
+	dnsmasq_domtrans(dnsmasq_t)
+')
+
+optional_policy(`
+	networkmanager_read_conf(dnsmasq_t)
+	networkmanager_manage_pid_files(dnsmasq_t)
 ')
 
 optional_policy(`
@@ -124,6 +140,14 @@ optional_policy(`
 
 optional_policy(`
 	virt_manage_lib_files(dnsmasq_t)
+	virt_read_lib_files(dnsmasq_t)
 	virt_read_pid_files(dnsmasq_t)
 	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
 ')
+
+optional_policy(`
+    neutron_manage_lib_files(dnsmasq_t)
+    neutron_stream_connect(dnsmasq_t)
+    neutron_rw_fifo_file(dnsmasq_t)
+    neutron_sigchld(dnsmasq_t)
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..9e231a8
--- /dev/null
+++ b/dnssec.fc
@@ -0,0 +1,3 @@
+/usr/sbin/dnssec-triggerd	--	gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
+/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
new file mode 100644
index 0000000..a952041
--- /dev/null
+++ b/dnssec.if
@@ -0,0 +1,64 @@
+
+## <summary>policy for dnssec_trigger</summary>
+
+########################################
+## <summary>
+##	Transition to dnssec_trigger.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dnssec_trigger_domtrans',`
+	gen_require(`
+		type dnssec_trigger_t, dnssec_trigger_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
+')
+########################################
+## <summary>
+##	Read dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_read_pid_files',`
+	gen_require(`
+		type dnssec_trigger_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 dnssec_trigger_var_run_t:file read_file_perms;
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an dnssec_trigger environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_admin',`
+	gen_require(`
+		type dnssec_trigger_t;
+		type dnssec_trigger_var_run_t;
+	')
+
+	allow $1 dnssec_trigger_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dnssec_trigger_t)
+
+	files_search_pids($1)
+	admin_pattern($1, dnssec_trigger_var_run_t)
+')
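Review bot: `dnssec_trigger_admin` grants ptrace unconditionally in `allow $1 dnssec_trigger_t:process { ptrace signal_perms };`, whereas dovecot_admin in this same diff gates the ptrace allow behind the deny_ptrace tunable; the new interface should follow that pattern, granting `signal_perms` unconditionally and ptrace only inside the tunable_policy block. The summary "an dnssec_trigger environment" should read "a dnssec_trigger environment". A blank line is missing between the closing of dnssec_trigger_domtrans and the separator of the next interface, unlike the other interfaces in the file.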
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 0000000..7f715f8
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,58 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnssec_trigger_t;
+type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
+########################################
+#
+# dnssec_trigger local policy
+#
+allow dnssec_trigger_t self:capability linux_immutable;
+allow dnssec_trigger_t self:process signal;
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
+
+kernel_read_system_state(dnssec_trigger_t)
+
+corecmd_exec_bin(dnssec_trigger_t)
+corecmd_exec_shell(dnssec_trigger_t)
+
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
+corenet_tcp_connect_http_port(dnssec_trigger_t)
+
+dev_read_urand(dnssec_trigger_t)
+
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
+auth_read_passwd(dnssec_trigger_t)
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+
+optional_policy(`
+	bind_read_config(dnssec_trigger_t)
+	bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
+
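Review bot: `allow dnssec_trigger_t self:capability linux_immutable;` is the one non-obvious rule in the new domain and has no comment, so a reader cannot tell which file the daemon sets or clears the immutable attribute on. Add a why-comment such as `# linux_immutable: <file and reason — TODO confirm>` so the capability is neither dropped nor copied blindly later. The two empty lines at the end of the file are trailing whitespace and should go.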
diff --git a/dnssectrigger.te b/dnssectrigger.te
index ef36d73..fddd51f 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
 
 logging_send_syslog_msg(dnssec_triggerd_t)
 
-miscfiles_read_localization(dnssec_triggerd_t)
-
 sysnet_dns_name_resolve(dnssec_triggerd_t)
 sysnet_manage_config(dnssec_triggerd_t)
 sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/docker.fc b/docker.fc
new file mode 100644
index 0000000..1c4ac02
--- /dev/null
+++ b/docker.fc
@@ -0,0 +1,17 @@
+/usr/bin/docker			--	gen_context(system_u:object_r:docker_exec_t,s0)
+
+/usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
+
+/var/lib/docker(/.*)?		gen_context(system_u:object_r:docker_var_lib_t,s0)
+
+/var/run/docker\.pid		--	gen_context(system_u:object_r:docker_var_run_t,s0)
+/var/run/docker\.sock		-s	gen_context(system_u:object_r:docker_var_run_t,s0)
+
+/var/lock/lxc(/.*)?		gen_context(system_u:object_r:docker_lock_t,s0)
+
+/var/log/lxc(/.*)?		gen_context(system_u:object_r:docker_log_t,s0)
+
+/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:docker_share_t,s0)
+/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)
+/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)
+/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
index 0000000..66fe66d
--- /dev/null
+++ b/docker.if
@@ -0,0 +1,344 @@
+
+## <summary>The open-source application container engine.</summary>
+
+########################################
+## <summary>
+##	Execute docker in the docker domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`docker_domtrans',`
+	gen_require(`
+		type docker_t, docker_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, docker_exec_t, docker_t)
+')
+
+########################################
+## <summary>
+##	Search docker lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_search_lib',`
+	gen_require(`
+		type docker_var_lib_t;
+	')
+
+	allow $1 docker_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Execute docker lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_exec_lib',`
+	gen_require(`
+		type docker_var_lib_t;
+	')
+
+	allow $1 docker_var_lib_t:dir search_dir_perms;
+	can_exec($1, docker_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read docker lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_read_lib_files',`
+	gen_require(`
+		type docker_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read docker share files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_read_share_files',`
+	gen_require(`
+		type docker_share_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, docker_share_t, docker_share_t)
+')
+
+########################################
+## <summary>
+##	Manage docker lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_manage_lib_files',`
+	gen_require(`
+		type docker_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
+	manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage docker lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_manage_lib_dirs',`
+	gen_require(`
+		type docker_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create objects in a docker var lib directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`docker_lib_filetrans',`
+	gen_require(`
+		type docker_var_lib_t;
+	')
+
+	filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Read docker PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_read_pid_files',`
+	gen_require(`
+		type docker_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, docker_var_run_t, docker_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute docker server in the docker domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`docker_systemctl',`
+	gen_require(`
+		type docker_t;
+		type docker_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 docker_unit_file_t:file read_file_perms;
+	allow $1 docker_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, docker_t)
+')
+
+########################################
+## <summary>
+##	Read and write docker shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_rw_sem',`
+	gen_require(`
+		type docker_t;
+	')
+
+	allow $1 docker_t:sem rw_sem_perms;
+')
+
+#######################################
+## <summary>
+##  Read and write the docker pty type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`docker_use_ptys',`
+    gen_require(`
+        type docker_devpts_t;
+    ')
+
+    allow $1 docker_devpts_t:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow domain to create docker content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`docker_filetrans_named_content',`
+
+    gen_require(`
+        type docker_var_lib_t;
+        type docker_share_t;
+	type docker_log_t;
+	type docker_var_run_t;
+    ')
+
+    files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
+    files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
+    logging_log_filetrans($1, docker_log_t, dir, "lxc")
+    files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
+    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
+    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
+    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
+    filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
+')
+
+########################################
+## <summary>
+##	Connect to docker over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_stream_connect',`
+	gen_require(`
+		type docker_t, docker_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an docker environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`docker_admin',`
+	gen_require(`
+		type docker_t;
+		type docker_var_lib_t, docker_var_run_t;
+		type docker_unit_file_t;
+		type docker_lock_t;
+		type docker_log_t;
+	')
+
+	allow $1 docker_t:process { ptrace signal_perms };
+	ps_process_pattern($1, docker_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, docker_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, docker_var_run_t)
+
+	files_search_locks($1)
+	admin_pattern($1, docker_lock_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, docker_log_t)
+
+	docker_systemctl($1)
+	admin_pattern($1, docker_unit_file_t)
+	allow $1 docker_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
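Review bot: The summaries of `docker_systemctl` ("Execute docker server in the docker domain") and `docker_rw_sem` ("Read and write docker shared memory") do not describe what the interfaces grant — the first gives systemctl access to docker_unit_file_t plus ps access on docker_t, the second gives `sem` permissions on docker_t; suggested summaries are `Manage the docker service with systemctl.` and `Read and write docker semaphores.`. `docker_systemctl` calls `systemd_read_fifo_file_passwd_run($1)` unconditionally (and with space indentation), while docker_admin wraps the same call in optional_policy; if systemd is optional the unconditional call is the one that breaks the build, so move it into an optional_policy block or drop the duplicate in docker_admin. Indentation is mixed across the file (tabs in most interfaces, four spaces in docker_use_ptys and docker_filetrans_named_content). docker_admin's summary has "an docker environment".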
diff --git a/docker.te b/docker.te
new file mode 100644
index 0000000..73e71c1
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,274 @@
+policy_module(docker, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##  Determine whether docker can
+##  connect to all TCP ports.
+##  </p>
+## </desc>
+gen_tunable(docker_connect_any, false)
+
+## <desc>
+## <p>
+## Allow docker to transition to unconfined containers.
+## </p>
+## </desc>
+gen_tunable(docker_transition_unconfined, false)
+
+type docker_t;
+type docker_exec_t;
+init_daemon_domain(docker_t, docker_exec_t)
+domain_subj_id_change_exemption(docker_t)
+domain_role_change_exemption(docker_t)
+
+type docker_var_lib_t;
+files_type(docker_var_lib_t)
+
+type docker_lock_t;
+files_lock_file(docker_lock_t)
+
+type docker_log_t;
+logging_log_file(docker_log_t)
+
+type docker_tmp_t;
+files_tmp_file(docker_tmp_t)
+
+type docker_tmpfs_t;
+files_tmpfs_file(docker_tmpfs_t)
+
+type docker_var_run_t;
+files_pid_file(docker_var_run_t)
+
+type docker_unit_file_t;
+systemd_unit_file(docker_unit_file_t)
+
+type docker_devpts_t;
+term_pty(docker_devpts_t)
+
+type docker_share_t;
+files_type(docker_share_t)
+
+########################################
+#
+# docker local policy
+#
+allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service };
+allow docker_t self:process { getattr signal_perms };
+allow docker_t self:fifo_file rw_fifo_file_perms;
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
+allow docker_t self:tcp_socket create_stream_socket_perms;
+allow docker_t self:udp_socket create_socket_perms;
+allow docker_t self:capability2 block_suspend;
+
+manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
+manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
+files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
+
+manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
+
+manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
+manage_files_pattern(docker_t, docker_share_t, docker_share_t)
+manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
+can_exec(docker_t, docker_share_t)
+docker_filetrans_named_content(docker_t)
+
+manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
+files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
+
+allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(docker_t, docker_devpts_t)
+
+kernel_read_system_state(docker_t)
+kernel_read_network_state(docker_t)
+kernel_read_all_sysctls(docker_t)
+kernel_rw_net_sysctls(docker_t)
+
+domain_use_interactive_fds(docker_t)
+
+corecmd_exec_bin(docker_t)
+corecmd_exec_shell(docker_t)
+
+corenet_tcp_bind_generic_node(docker_t)
+corenet_tcp_sendrecv_generic_if(docker_t)
+corenet_tcp_sendrecv_generic_node(docker_t)
+corenet_tcp_sendrecv_generic_port(docker_t)
+corenet_tcp_bind_all_ports(docker_t)
+corenet_tcp_connect_http_port(docker_t)
+corenet_tcp_connect_commplex_main_port(docker_t)
+corenet_udp_sendrecv_generic_if(docker_t)
+corenet_udp_sendrecv_generic_node(docker_t)
+corenet_udp_sendrecv_all_ports(docker_t)
+corenet_udp_bind_generic_node(docker_t)
+corenet_udp_bind_all_ports(docker_t)
+
+files_read_etc_files(docker_t)
+
+fs_read_cgroup_files(docker_t)
+fs_read_tmpfs_symlinks(docker_t)
+fs_getattr_all_fs(docker_t)
+
+storage_raw_rw_fixed_disk(docker_t)
+
+auth_use_nsswitch(docker_t)
+
+init_read_state(docker_t)
+init_status(docker_t)
+
+logging_send_audit_msgs(docker_t)
+logging_send_syslog_msg(docker_t)
+
+miscfiles_read_localization(docker_t)
+
+mount_domtrans(docker_t)
+
+seutil_read_default_contexts(docker_t)
+
+sysnet_dns_name_resolve(docker_t)
+sysnet_exec_ifconfig(docker_t)
+
+optional_policy(`
+	fstools_domtrans(docker_t)
+')
+
+optional_policy(`
+	iptables_domtrans(docker_t)
+')
+
+#
+# lxc rules
+#
+
+allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
+
+allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
+
+allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
+allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
+allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
+allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow docker_t docker_var_lib_t:dir mounton;
+allow docker_t docker_var_lib_t:chr_file mounton;
+can_exec(docker_t, docker_var_lib_t)
+
+kernel_setsched(docker_t)
+kernel_get_sysvipc_info(docker_t)
+kernel_request_load_module(docker_t)
+kernel_mounton_messages(docker_t)
+
+dev_getattr_all_blk_files(docker_t)
+dev_getattr_sysfs_fs(docker_t)
+dev_read_urand(docker_t)
+dev_read_lvm_control(docker_t)
+dev_read_sysfs(docker_t)
+dev_rw_loop_control(docker_t)
+dev_rw_lvm_control(docker_t)
+
+files_getattr_isid_type_dirs(docker_t)
+files_manage_isid_type_dirs(docker_t)
+files_manage_isid_type_files(docker_t)
+files_manage_isid_type_symlinks(docker_t)
+files_manage_isid_type_chr_files(docker_t)
+files_manage_isid_type_blk_files(docker_t)
+files_exec_isid_files(docker_t)
+files_mounton_isid(docker_t)
+files_mounton_non_security(docker_t)
+files_mounton_isid_type_chr_file(docker_t)
+
+fs_mount_all_fs(docker_t)
+fs_unmount_all_fs(docker_t)
+fs_remount_all_fs(docker_t)
+files_mounton_isid(docker_t)
+fs_manage_cgroup_dirs(docker_t)
+fs_manage_cgroup_files(docker_t)
+fs_relabelfrom_xattr_fs(docker_t)
+fs_relabelfrom_tmpfs(docker_t)
+
+term_use_generic_ptys(docker_t)
+term_use_ptmx(docker_t)
+term_getattr_pty_fs(docker_t)
+term_relabel_pty_fs(docker_t)
+term_mounton_unallocated_ttys(docker_t)
+
+modutils_domtrans_insmod(docker_t)
+
+systemd_status_all_unit_files(docker_t)
+systemd_start_systemd_services(docker_t)
+
+userdom_stream_connect(docker_t)
+userdom_search_user_home_content(docker_t)
+
+optional_policy(`
+	dbus_system_bus_client(docker_t)
+	init_dbus_chat(docker_t)
+
+	optional_policy(`
+		systemd_dbus_chat_logind(docker_t)
+	')
+')
+
+optional_policy(`
+	udev_read_db(docker_t)
+')
+
+optional_policy(`
+	virt_read_config(docker_t)
+	virt_exec(docker_t)
+	virt_stream_connect(docker_t)
+	virt_stream_connect_sandbox(docker_t)
+	virt_exec_sandbox_files(docker_t)
+	virt_manage_sandbox_files(docker_t)
+	virt_relabel_sandbox_filesystem(docker_t)
+	# for lxc
+	virt_transition_svirt_sandbox(docker_t, system_r)
+	virt_mounton_sandbox_file(docker_t)
+')
+
+tunable_policy(`docker_connect_any',`
+    corenet_tcp_connect_all_ports(docker_t)
+    corenet_sendrecv_all_packets(docker_t)
+    corenet_tcp_sendrecv_all_ports(docker_t)
+')
+
+optional_policy(`
+    tunable_policy(`docker_transition_unconfined',`
+	    unconfined_transition(docker_t, docker_share_t)
+    	unconfined_transition(docker_t, docker_var_lib_t)
+    ')
+')
+
+optional_policy(`
+    unconfined_domain(docker_t)
+')
+
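Review bot: `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` has a doubled semicolon, which checkpolicy is likely to reject as a syntax error; drop one. The unconditional `unconfined_domain(docker_t)` inside the last optional_policy block makes docker_t fully unconfined on any system where the unconfined module is loaded, silently defeating every rule above it, and it is not governed by the docker_transition_unconfined tunable the file declares for a related purpose; at minimum gate it behind a tunable and add a comment stating that confinement is only effective when that module is absent. `files_mounton_isid(docker_t)` appears twice, and the self:process and self:capability rules are split between the top block and the "lxc rules" block; merging them would make the total grant easier to audit. The two tunable_policy blocks mix tabs and spaces.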
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
--- a/dovecot.fc
+++ b/dovecot.fc
@@ -1,36 +1,48 @@
-/etc/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot/passwd.*	gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
-/etc/dovecot\.conf.*	gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.passwd.*	gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-/etc/pki/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /etc
+#
+/etc/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.*			gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
+/etc/pki/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_cert_t,s0)
 /etc/rc\.d/init\.d/dovecot	--	gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
 
-/usr/sbin/dovecot	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian',`
+/etc/dovecot/passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
 
-/usr/share/ssl/certs/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /usr
+#
+/usr/sbin/dovecot		--	gen_context(system_u:object_r:dovecot_exec_t,s0)
 
-/etc/ssl/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/certs/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
 
-/usr/lib/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ifdef(`distro_debian', `
 /usr/lib/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/dovecot-lda	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+')
 
-/usr/libexec/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
 
-/var/run/dovecot(-login)?(/.*)?	gen_context(system_u:object_r:dovecot_var_run_t,s0)
-/var/run/dovecot/login/ssl-parameters.dat	--	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/lib/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/log/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/log/dovecot\.log.*	gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.*			gen_context(system_u:object_r:dovecot_var_log_t,s0)
 
-/var/spool/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
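Review bot: Moving `/etc/dovecot/passwd.*` into the distro_debian ifdef means that on every other distribution those files fall through to the generic `/etc/dovecot(/.*)?` rule and are labelled dovecot_etc_t instead of dovecot_passwd_t; the comment "Debian uses /etc/dovecot/" also contradicts the unconditional `/etc/dovecot(/.*)?` rule above it, which already assumes that directory on all distributions. Any domain given config access — including callers of the new dovecot_read_config interface added in dovecot.if — would then read the password files under the config label. Unless some distribution actually keeps passwd files elsewhere, keep the passwd rule unconditional as it was.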
diff --git a/dovecot.if b/dovecot.if
index dbcac59..f3e446c 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
-## <summary>POP and IMAP mail server.</summary>
+## <summary>Dovecot POP and IMAP mail server</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  dovecot daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`dovecot_basic_types_template',`
+	gen_require(`
+		attribute dovecot_domain;
+	')
+
+	type $1_t, dovecot_domain;
+	type $1_exec_t;
+
+	kernel_read_system_state($1_t)
+')
 
 #######################################
 ## <summary>
-##	Connect to dovecot using a unix
-##	domain stream socket.
+##  Connect to dovecot unix domain stream socket.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`dovecot_stream_connect',`
-	gen_require(`
-		type dovecot_t, dovecot_var_run_t;
-	')
+    gen_require(`
+        type dovecot_t, dovecot_var_run_t;
+    ')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+    files_search_pids($1)
+    stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to dovecot using a unix
-##	domain stream socket.
+##	Connect to dovecot auth unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
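Review bot: `dovecot_stream_connect` is re-indented from tabs to four spaces in this hunk while the rest of dovecot.if, including the new dovecot_read_config further down, stays tab-indented, so the change is whitespace churn that leaves the file inconsistent; revert the re-indentation. The new `dovecot_basic_types_template` places `kernel_read_system_state($1_t)` in the template, which is what allows the shared dovecot_domain call to be swapped for kernel_read_network_state in dovecot.te; a one-line comment above that call, e.g. `# system-state read lives here rather than on dovecot_domain`, would keep the two files from drifting.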
@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',`
 
 ########################################
 ## <summary>
-##	Execute dovecot_deliver in the
-##	dovecot_deliver domain.
+##	Execute dovecot_deliver in the dovecot_deliver domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',`
 		type dovecot_deliver_t, dovecot_deliver_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	dovecot spool files.
+##	Create, read, write, and delete the dovecot spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
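Review bot: Dropping `corecmd_search_bin($1)` from `dovecot_domtrans_deliver` removes the search permission a caller needs on bin_t directories to reach the deliver binary, which dovecot.fc in this diff places under /usr/libexec (a directory corecommands labels bin_t); callers without that access elsewhere will now be denied on the directory before the transition. The other domtrans interfaces in this diff (dnssec_trigger_domtrans, docker_domtrans) keep the call, so restoring `corecmd_search_bin($1)` also keeps them consistent.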
@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',`
 	')
 
 	files_search_spool($1)
-	allow $1 dovecot_spool_t:dir manage_dir_perms;
-	allow $1 dovecot_spool_t:file manage_file_perms;
-	allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
+	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to delete
-##	dovecot lib files.
+##	Do not audit attempts to delete dovecot lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
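Review bot: `dovecot_manage_spool` loses directory management: the removed `allow $1 dovecot_spool_t:dir manage_dir_perms;` is replaced only by manage_files_pattern and manage_lnk_files_pattern, which grant rw_dir_perms on the directory but not create, rename or delete of subdirectories, so a caller that previously could create spool subdirectories no longer can. Add `manage_dirs_pattern($1, dovecot_spool_t, dovecot_spool_t)` next to the two new pattern calls to preserve the interface's contract. The interface body starts outside the hunk.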
@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 		type dovecot_var_lib_t;
 	')
 
-	dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
+	dontaudit $1 dovecot_var_lib_t:file unlink;
 ')
 
 ######################################
 ## <summary>
-##	Write inherited dovecot tmp files.
+##	Allow attempts to write inherited
+##	dovecot tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
 	allow $1 dovecot_tmp_t:file write;
 ')
 
+####################################
+## <summary>
+##	Read dovecot configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dovecot_read_config',`
+	gen_require(`
+		type dovecot_etc_t;
+	')
+
+	files_search_etc($1)
+	list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
+	read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
+')
+
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an dovecot environment.
+##	All of the rules required to administrate
+##	an dovecot environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
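Review bot: The new `dovecot_read_config` grants dir list and file read on dovecot_etc_t but no lnk_file access, whereas the shared dovecot_domain rules removed from dovecot.te in this same diff included read_lnk_file_perms on that type; if any configuration under /etc/dovecot is a symlink, callers moved onto this interface will lose access. Adding `read_lnk_files_pattern($1, dovecot_etc_t, dovecot_etc_t)` restores parity with the removed rules. The summary "Read dovecot configuration file." should say "files", since the interface covers the whole directory.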
@@ -132,21 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the dovecot domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`dovecot_admin',`
 	gen_require(`
-		type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
-		type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
-		type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
-		type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
+		type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
+		type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
+		type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
+		type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
 	')
 
-	allow $1 dovecot_t:process { ptrace signal_perms };
+	allow $1 dovecot_t:process signal_perms;
 	ps_process_pattern($1, dovecot_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dovecot_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
 	domain_system_change_exemption($1)
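Review bot: The updated gen_require in `dovecot_admin` adds `type dovecot_keytab_t`, but no dovecot.te hunk in this diff declares that type; if it is not declared elsewhere in the module, gen_require fails and every caller of dovecot_admin breaks at build time. Confirm the declaration exists or drop the keytab type here and the `admin_pattern($1, dovecot_keytab_t)` in the following hunk. The require list also drops dovecot_deliver_tmp_t, whose admin_pattern disappears in the next hunk as well. Gating ptrace behind deny_ptrace is the right pattern and is worth mirroring in the new dnssec_trigger_admin and docker_admin interfaces.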
@@ -156,20 +195,25 @@ interface(`dovecot_admin',`
 	files_list_etc($1)
 	admin_pattern($1, dovecot_etc_t)
 
-	logging_list_logs($1)
-	admin_pattern($1, dovecot_var_log_t)
+	files_list_tmp($1)
+	admin_pattern($1, dovecot_auth_tmp_t)
+	admin_pattern($1, dovecot_tmp_t)
+
+	admin_pattern($1, dovecot_keytab_t)
 
 	files_list_spool($1)
 	admin_pattern($1, dovecot_spool_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
-
 	files_list_var_lib($1)
 	admin_pattern($1, dovecot_var_lib_t)
 
+	logging_search_logs($1)
+	admin_pattern($1, dovecot_var_log_t)
+
 	files_list_pids($1)
 	admin_pattern($1, dovecot_var_run_t)
 
-	admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
+	admin_pattern($1, dovecot_cert_t)
+
+	admin_pattern($1, dovecot_passwd_t)
 ')
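Review bot: `admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })` is replaced by separate calls for dovecot_tmp_t and dovecot_auth_tmp_t only, so administrators lose management of dovecot_deliver_tmp_t unless that type has been removed from dovecot.te, and no visible hunk removes it. If the type still exists, restore `admin_pattern($1, dovecot_deliver_tmp_t)` beside the other tmp types and add it back to the gen_require in the preceding hunk. Swapping files_search_tmp for files_list_tmp is a small widening that is reasonable for an admin interface.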
diff --git a/dovecot.te b/dovecot.te
index a7bfaf0..38bfca8 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.15.6)
+policy_module(dovecot, 1.14.0)
 
 ########################################
 #
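Review bot: The module version goes backwards, from 1.15.6 to 1.14.0; policy_module versions are expected to increase with each change, so this looks like the file was taken from an older branch rather than bumped. Set it to a version above 1.15.6.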
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6)
 
 attribute dovecot_domain;
 
-type dovecot_t, dovecot_domain;
-type dovecot_exec_t;
+dovecot_basic_types_template(dovecot)
 init_daemon_domain(dovecot_t, dovecot_exec_t)
 
-type dovecot_auth_t, dovecot_domain;
-type dovecot_auth_exec_t;
+dovecot_basic_types_template(dovecot_auth)
 domain_type(dovecot_auth_t)
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t)
 type dovecot_cert_t;
 miscfiles_cert_type(dovecot_cert_t)
 
-type dovecot_deliver_t, dovecot_domain;
-type dovecot_deliver_exec_t;
+dovecot_basic_types_template(dovecot_deliver)
 domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
 role system_r types dovecot_deliver_t;
@@ -42,11 +39,12 @@ type dovecot_passwd_t;
 files_type(dovecot_passwd_t)
 
 type dovecot_spool_t;
-files_type(dovecot_spool_t)
+files_spool_file(dovecot_spool_t)
 
 type dovecot_tmp_t;
 files_tmp_file(dovecot_tmp_t)
 
+# /var/lib/dovecot holds SSL parameters file
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t)
 
@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t)
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
 
-########################################
+#######################################
 #
-# Common local policy
+# dovecot domain local policy
 #
 
 allow dovecot_domain self:capability2 block_suspend;
-allow dovecot_domain self:fifo_file rw_fifo_file_perms;
 
-allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
-allow dovecot_domain dovecot_etc_t:file read_file_perms;
-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
 
 kernel_read_all_sysctls(dovecot_domain)
-kernel_read_system_state(dovecot_domain)
+kernel_read_network_state(dovecot_domain)
 
 corecmd_exec_bin(dovecot_domain)
 corecmd_exec_shell(dovecot_domain)
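Review bot: Replacing `kernel_read_system_state(dovecot_domain)` with `kernel_read_network_state(dovecot_domain)` drops /proc system-state reads for every dovecot domain instead of adding network-state reads alongside them; if that is deliberate it deserves a comment, otherwise keep both lines. The new section banner is one `#` shorter than every other banner in the file (`#######################################`), which reads as an accidental edit rather than a style choice. The three `dovecot_etc_t` rules removed from the attribute here are re-added per domain in later hunks, so any future member of `dovecot_domain` loses config reads. The version line at the top of the file also goes backwards (1.15.6 to 1.14.0), which looks like a merge against an older branch rather than an intended bump.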
@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain)
 dev_read_rand(dovecot_domain)
 dev_read_urand(dovecot_domain)
 
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
 files_read_etc_runtime_files(dovecot_domain)
 
-logging_send_syslog_msg(dovecot_domain)
-
-miscfiles_read_localization(dovecot_domain)
-
 ########################################
 #
-# Local policy
+# dovecot local policy
 #
 
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
-allow dovecot_t self:tcp_socket { accept listen };
-allow dovecot_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
 
 allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-allow dovecot_t dovecot_cert_t:file read_file_perms;
-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
 
 manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
 
+# Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 
 manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
 
 manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
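Review bot: `manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` replaces the append/create/setattr trio with full manage, which adds write, unlink and rename on the daemon's own log files; the previous three rules kept the log directory append-only for a network-facing service, a property worth preserving. Unless a specific denial motivated the change, keep the original three lines and record the denial in a comment. `logging_send_syslog_msg` and `miscfiles_read_localization` are removed from the attribute here; syslog is re-granted per domain in later hunks, but localization reads are not, which presumably relies on base policy in this tree and should be confirmed. The same unconditional removal of `miscfiles_read_localization`, `files_read_etc_files` or `files_read_usr_files` recurs in drbd.te, dspam.te, entropyd.te and the evolution.te hunks, so a one-line comment at the first of them, e.g. `# etc/usr/locale reads come from base policy`, would tell the next reader it was intended. In evolution.te each removal also leaves two consecutive blank lines behind.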
@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
 
-corenet_all_recvfrom_unlabeled(dovecot_t)
 corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_generic_if(dovecot_t)
 corenet_tcp_sendrecv_generic_node(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_generic_node(dovecot_t)
-
-corenet_sendrecv_mail_server_packets(dovecot_t)
 corenet_tcp_bind_mail_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
 corenet_tcp_bind_pop_port(dovecot_t)
-corenet_sendrecv_sieve_server_packets(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
 corenet_tcp_bind_sieve_port(dovecot_t)
-
-corenet_sendrecv_all_client_packets(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
 
 domain_use_interactive_fds(dovecot_t)
 
-files_read_var_lib_files(dovecot_t)
-files_read_var_symlinks(dovecot_t)
 files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
 files_dontaudit_search_all_dirs(dovecot_t)
 files_search_all_mountpoints(dovecot_t)
-
-fs_getattr_all_fs(dovecot_t)
-fs_getattr_all_dirs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
+files_read_var_lib_files(dovecot_t)
 
 init_getattr_utmp(dovecot_t)
 
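Review bot: The hunk removes `corenet_sendrecv_mail_server_packets` and `corenet_sendrecv_sieve_server_packets` while keeping `corenet_tcp_bind_mail_port` and `corenet_tcp_bind_sieve_port` and adding `corenet_tcp_bind_lmtp_port`, yet it retains `corenet_sendrecv_pop_server_packets`; on a system with SECMARK packet labeling, traffic on the mail, sieve and lmtp ports would then be denied while pop works. Either keep the server-packet rule for every bound port (including the matching one for the new lmtp bind) or drop them all, not a mix. The move of `files_read_var_lib_files(dovecot_t)` to the end of the files_ block is fine but unrelated to the rest of the hunk and makes the diff harder to read.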
@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t)
 
 miscfiles_read_generic_certs(dovecot_t)
 
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_use_user_terminals(dovecot_t)
+logging_send_syslog_msg(dovecot_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(dovecot_t)
-	fs_manage_nfs_files(dovecot_t)
-	fs_manage_nfs_symlinks(dovecot_t)
-')
+userdom_home_manager(dovecot_t)
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_filetrans_home_content(dovecot_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(dovecot_t)
-	fs_manage_cifs_files(dovecot_t)
-	fs_manage_cifs_symlinks(dovecot_t)
+optional_policy(`
+	mta_manage_home_rw(dovecot_t)
+	mta_manage_spool(dovecot_t)
 ')
 
 optional_policy(`
 	kerberos_keytab_template(dovecot, dovecot_t)
-	kerberos_manage_host_rcache(dovecot_t)
-	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+	kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
 ')
 
 optional_policy(`
-	mta_manage_spool(dovecot_t)
-	mta_manage_mail_home_rw_content(dovecot_t)
-	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
-	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+	gnome_manage_data(dovecot_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(dovecot_t)
+	postfix_manage_private_sockets(dovecot_t)
+	postfix_search_spool(dovecot_t)
 ')
 
 optional_policy(`
-	postfix_manage_private_sockets(dovecot_t)
-	postfix_search_spool(dovecot_t)
+	postgresql_stream_connect(dovecot_t)
 ')
 
 optional_policy(`
+	# Handle sieve scripts
 	sendmail_domtrans(dovecot_t)
 ')
 
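Review bot: The `userdom_manage_user_home_content_*` block grants dovecot_t create, write and delete on every user-home content type, not just mail, where the removed `mta_manage_mail_home_rw_content`/`mta_home_filetrans_mail_home_rw` rules were scoped to the mail home type; a compromised IMAP process could then alter arbitrary home files, so keep the mail-scoped rules (the `mta_manage_home_rw` call at the top of this hunk may already provide them) and drop the blanket userdom ones unless a concrete denial requires them. The same block is repeated for dovecot_deliver_t in the deliver section of this diff. Separately, `kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")` drops the object-class argument and `kerberos_manage_host_rcache(dovecot_t)` is removed; confirm that this tree's kerberos.if declares the interface with two parameters and that `kerberos_keytab_template` covers rcache management, otherwise the file transition has no create permission behind it.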
@@ -221,46 +214,65 @@ optional_policy(`
 
 ########################################
 #
-# Auth local policy
+# dovecot auth local policy
 #
 
 allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
 allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
 read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
 
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
+manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+
 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
 
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+corecmd_exec_bin(dovecot_auth_t)
 
-files_search_pids(dovecot_auth_t)
-files_read_usr_files(dovecot_auth_t)
-files_read_var_lib_files(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
 
 auth_domtrans_chk_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)
 
-init_rw_utmp(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
 
-logging_send_audit_msgs(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
 
-seutil_dontaudit_search_config(dovecot_auth_t)
+fs_getattr_xattr_fs(dovecot_auth_t)
+
+init_rw_utmp(dovecot_auth_t)
 
 sysnet_use_ldap(dovecot_auth_t)
 
+systemd_login_read_pid_files(dovecot_auth_t)
+
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
 optional_policy(`
+	kerberos_use(dovecot_auth_t)
+
+	# for gssapi (kerberos)
 	userdom_list_user_tmp(dovecot_auth_t)
 	userdom_read_user_tmp_files(dovecot_auth_t)
 	userdom_read_user_tmp_symlinks(dovecot_auth_t)
 ')
 
 optional_policy(`
+	mysql_search_db(dovecot_auth_t)
 	mysql_stream_connect(dovecot_auth_t)
 	mysql_read_config(dovecot_auth_t)
 	mysql_tcp_connect(dovecot_auth_t)
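Review bot: The new `dovecot_etc_t` rules for dovecot_auth_t give only the file and symlink read patterns and no directory listing, whereas the matching blocks for dovecot_t and dovecot_deliver_t in this diff pair those patterns with `allow <domain> dovecot_etc_t:dir list_dir_perms;`; add `allow dovecot_auth_t dovecot_etc_t:dir list_dir_perms;` here, or note why auth only needs search. `files_read_usr_files(dovecot_auth_t)` becomes `files_read_usr_symlinks(dovecot_auth_t)`, which is a narrowing rather than a rename; confirm usr file reads are granted elsewhere. The `# for gssapi (kerberos)` comment sits between `kerberos_use` and the `userdom_*_user_tmp` lines, so it is unclear which it annotates; move it directly above the line it describes.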
@@ -271,15 +283,30 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(dovecot_auth_t)
+	optional_policy(`
+		oddjob_dbus_chat(dovecot_auth_t)
+		oddjob_domtrans_mkhomedir(dovecot_auth_t)
+	')
+')
+
+optional_policy(`
 	postfix_manage_private_sockets(dovecot_auth_t)
+	postfix_rw_inherited_master_pipes(dovecot_deliver_t)
 	postfix_search_spool(dovecot_auth_t)
 ')
 
 ########################################
 #
-# Deliver local policy
+# dovecot deliver local policy
 #
 
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
 
 append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
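Review bot: `postfix_rw_inherited_master_pipes(dovecot_deliver_t)` is added inside the auth section's postfix `optional_policy` block, between two `dovecot_auth_t` rules; it belongs in the deliver section (in its own postfix `optional_policy` if none exists there) so that a reader auditing dovecot_deliver_t's rights finds it next to the rest. Nothing is functionally wrong with the rule where it is; this is placement only.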
@@ -289,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
 files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
 
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
-
-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
 
 can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 
-allow dovecot_deliver_t dovecot_t:process signull;
+auth_use_nsswitch(dovecot_deliver_t)
 
-fs_getattr_all_fs(dovecot_deliver_t)
+logging_append_all_logs(dovecot_deliver_t)
+logging_send_syslog_msg(dovecot_deliver_t)
 
-auth_use_nsswitch(dovecot_deliver_t)
+dovecot_stream_connect_auth(dovecot_deliver_t)
 
-logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+files_search_all_mountpoints(dovecot_deliver_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(dovecot_deliver_t)
-	fs_manage_nfs_files(dovecot_deliver_t)
-	fs_manage_nfs_symlinks(dovecot_deliver_t)
-')
+fs_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_filetrans_home_content(dovecot_deliver_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(dovecot_deliver_t)
-	fs_manage_cifs_files(dovecot_deliver_t)
-	fs_manage_cifs_symlinks(dovecot_deliver_t)
+userdom_home_manager(dovecot_deliver_t)
+
+optional_policy(`
+	gnome_manage_data(dovecot_deliver_t)
 ')
 
 optional_policy(`
 	mta_mailserver_delivery(dovecot_deliver_t)
+	mta_manage_spool(dovecot_deliver_t)
 	mta_read_queue(dovecot_deliver_t)
 ')
 
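Review bot: `fs_getattr_all_fs(dovecot_deliver_t)` and `fs_dontaudit_getattr_all_fs(dovecot_deliver_t)` now appear together; a dontaudit on a permission that is already allowed has no effect, so one of the two lines is dead and should go. `logging_append_all_logs(dovecot_deliver_t)` is a broad grant where the unchanged `append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` above already covers dovecot's own log; if the delivery agent only needs its own log plus the syslog call added here, the all-logs interface can be dropped.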
@@ -326,5 +362,6 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# Handle sieve scripts
 	sendmail_domtrans(dovecot_deliver_t)
 ')
diff --git a/drbd.fc b/drbd.fc
index 671a3fb..c781675 100644
--- a/drbd.fc
+++ b/drbd.fc
@@ -3,7 +3,7 @@
 /sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
-/usr/lib/ocf/resource.\d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/lib/ocf/resource\.d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
 /usr/sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /usr/sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/drbd.if b/drbd.if
index 9a21639..26c5986 100644
--- a/drbd.if
+++ b/drbd.if
@@ -2,12 +2,11 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run drbd.
+##	Execute a domain transition to run drbd.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ## </summary>
 ## </param>
 #
@@ -16,14 +15,91 @@ interface(`drbd_domtrans',`
 		type drbd_t, drbd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, drbd_exec_t, drbd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an drbd environment.
+##	Search drbd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_search_lib',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	allow $1 drbd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read drbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_read_lib_files',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	drbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_manage_lib_files',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage drbd lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_manage_lib_dirs',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an drbd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
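Review bot: Dropping `corecmd_search_bin($1)` from `drbd_domtrans` means callers must grant bin-directory search themselves; upstream refpolicy domtrans interfaces generally keep that call, so confirm the removal is intended (the same removal is made in `dspam_domtrans` later in this diff). The summary `Manage drbd lib dirs files.` for `drbd_manage_lib_dirs` should read `Create, read, write, and delete drbd lib directories.`, matching the files variant above it. `drbd_search_lib` places its `allow` before `files_search_var_lib`, the reverse of the other three new interfaces, and the double blank line before the `drbd_admin` header is extra.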
@@ -35,7 +111,6 @@ interface(`drbd_domtrans',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`drbd_admin',`
 	gen_require(`
@@ -43,9 +118,13 @@ interface(`drbd_admin',`
 		type drbd_var_lib_t;
 	')
 
-	allow $1 drbd_t:process { ptrace signal_perms };
+	allow $1 drbd_t:process signal_perms;
 	ps_process_pattern($1, drbd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 drbd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, drbd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 drbd_initrc_exec_t system_r;
@@ -57,3 +136,4 @@ interface(`drbd_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, drbd_var_lib_t)
 ')
+
diff --git a/drbd.te b/drbd.te
index 8e5ee54..bdd8883 100644
--- a/drbd.te
+++ b/drbd.te
@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
 allow drbd_t self:fifo_file rw_fifo_file_perms;
 allow drbd_t self:unix_stream_socket create_stream_socket_perms;
 allow drbd_t self:netlink_socket create_socket_perms;
-allow drbd_t self:netlink_route_socket nlmsg_write;
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
 
 manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
 manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
@@ -42,14 +42,12 @@ can_exec(drbd_t, drbd_exec_t)
 
 kernel_read_system_state(drbd_t)
 
+corecmd_exec_bin(drbd_t)
+
 dev_read_rand(drbd_t)
 dev_read_sysfs(drbd_t)
 dev_read_urand(drbd_t)
 
-files_read_etc_files(drbd_t)
-
 storage_raw_read_fixed_disk(drbd_t)
 
-miscfiles_read_localization(drbd_t)
-
 sysnet_dns_name_resolve(drbd_t)
diff --git a/dspam.fc b/dspam.fc
index 5eddac5..3ea0423 100644
--- a/dspam.fc
+++ b/dspam.fc
@@ -5,8 +5,13 @@
 /usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
 
 /var/lib/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)?	gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
 
 /var/log/dspam(/.*)?	gen_context(system_u:object_r:dspam_log_t,s0)
 
 /var/run/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+# web
+/var/www/dspam/.*\.cgi 	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+/var/www/dspam(/.*?)		gen_context(system_u:object_r:httpd_dspam_content_t,s0)
+
+/var/lib/dspam/data(/.*)?			gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
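Review bot: `/var/www/dspam(/.*?)` has the `?` inside the group, so the group is mandatory and the `.*?` is a pointless non-greedy quantifier: the pattern never matches `/var/www/dspam` itself and behaves like `/var/www/dspam/.*`, leaving the directory without the intended label after a relabel. The form every other entry in this file uses is `/var/www/dspam(/.*)?`. The `.cgi` line above it also has a space before the tab in its field separator, which works but is inconsistent with the rest of the file.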
diff --git a/dspam.if b/dspam.if
index 18f2452..a446210 100644
--- a/dspam.if
+++ b/dspam.if
@@ -1,13 +1,15 @@
-## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
+
+## <summary>policy for dspam</summary>
+
 
 ########################################
 ## <summary>
 ##	Execute a domain transition to run dspam.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`dspam_domtrans',`
@@ -15,35 +17,211 @@ interface(`dspam_domtrans',`
 		type dspam_t, dspam_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, dspam_exec_t, dspam_t)
 ')
 
-#######################################
+
+########################################
 ## <summary>
-##	Connect to dspam using a unix
-##	domain stream socket.
+##	Execute dspam server in the dspam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dspam_initrc_domtrans',`
+	gen_require(`
+		type dspam_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read dspam's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`dspam_stream_connect',`
+interface(`dspam_read_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        read_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	dspam log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`dspam_append_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        append_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage dspam log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
+        manage_files_pattern($1, dspam_log_t, dspam_log_t)
+        manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Search dspam lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_search_lib',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	allow $1 dspam_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read dspam lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_read_lib_files',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	dspam lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_lib_files',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage dspam lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_lib_dirs',`
 	gen_require(`
-		type dspam_t, dspam_var_run_t, dspam_tmp_t;
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	Read dspam PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_read_pid_files',`
+	gen_require(`
+		type dspam_var_run_t;
 	')
 
 	files_search_pids($1)
+	allow $1 dspam_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Connect to DSPAM using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dspam_stream_connect',`
+    gen_require(`
+        type dspam_t, dspam_var_run_t, dspam_tmp_t;
+    ')
+
+    files_search_pids($1)
 	files_search_tmp($1)
-	stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
+    stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
+    stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an dspam environment.
+##	All of the rules required to administrate
+##	an dspam environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
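Review bot: Several of the new interface headers carry the wrong parameter description: `dspam_append_log` says `Domain allowed to transition.` and `dspam_manage_log` says `Domain to not audit.`, while both should read `Domain allowed access.`; `dspam_read_log` also carries `<rolecap/>`, which marks an interface that grants role capabilities, and a read interface does not. `dspam_read_pid_files` allows `dspam_var_run_t:file read_file_perms` but nothing on the `dspam_var_run_t` directory, so a caller cannot traverse /var/run/dspam to reach the file; `read_files_pattern($1, dspam_var_run_t, dspam_var_run_t)` grants both. The bodies of `dspam_read_log`, `dspam_append_log`, `dspam_manage_log`, the three `*_lib_*` interfaces and `dspam_stream_connect` are indented with spaces (eight or four) while the rest of the file uses tabs, and `dspam_stream_connect` mixes both; the same space indentation appears in the new `optional_policy` blocks of dspam.te and in drbd.if's new interfaces. The file summary `policy for dspam` in the first hunk is also less informative than the removed `Content-based spam filter designed for multi-user enterprise systems.`; keep the latter.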
@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',`
 #
 interface(`dspam_admin',`
 	gen_require(`
-		type dspam_t, dspam_initrc_exec_t, dspam_log_t;
-		type dspam_var_lib_t, dspam_var_run_t;
+		type dspam_t;
+		type dspam_initrc_exec_t;
+		type dspam_log_t;
+		type dspam_var_lib_t;
+		type dspam_var_run_t;
 	')
 
-	allow $1 dspam_t:process { ptrace signal_perms };
+	allow $1 dspam_t:process signal_perms;
 	ps_process_pattern($1, dspam_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dspam_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+	dspam_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 dspam_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -79,4 +263,5 @@ interface(`dspam_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, dspam_var_run_t)
+
 ')
diff --git a/dspam.te b/dspam.te
index 266cb8f..b619351 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
 
 allow dspam_t self:capability net_admin;
 allow dspam_t self:process signal;
+
+allow dspam_t self:tcp_socket { listen accept };
+
 allow dspam_t self:fifo_file rw_fifo_file_perms;
 allow dspam_t self:unix_stream_socket { accept listen };
 
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
 corenet_tcp_bind_spamd_port(dspam_t)
 corenet_tcp_connect_spamd_port(dspam_t)
 corenet_tcp_sendrecv_spamd_port(dspam_t)
+corenet_tcp_bind_lmtp_port(dspam_t)
+corenet_tcp_connect_lmtp_port(dspam_t)
+
+kernel_read_system_state(dspam_t)
+
+corecmd_exec_shell(dspam_t)
 
 files_search_spool(dspam_t)
 
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
 
 logging_send_syslog_msg(dspam_t)
 
-miscfiles_read_localization(dspam_t)
-
 optional_policy(`
 	apache_content_template(dspam)
 
+	read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
+	files_search_var_lib(httpd_dspam_script_t)
 	list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
-	manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-	manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+	manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
+	manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
+
+	domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
+
+	term_dontaudit_search_ptys(httpd_dspam_script_t)
+	term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
+	term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
+
+	init_read_utmp(httpd_dspam_script_t)
+
+	logging_send_syslog_msg(httpd_dspam_script_t)
+
+	mta_send_mail(httpd_dspam_script_t)
+
+	optional_policy(`
+	    mysql_tcp_connect(httpd_dspam_script_t)
+	    mysql_stream_connect(httpd_dspam_script_t)
+	')
 ')
 
 optional_policy(`
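Review bot: The new side renames the rw content type to `httpd_dspam_content_rw_t` in `manage_dirs_pattern`/`manage_files_pattern`, but the dspam.fc hunk in this same diff still labels `/var/lib/dspam/data` as `httpd_dspam_rw_content_t`; presumably `apache_content_template(dspam)` declares only one of the two names in this tree, so either the .fc entry or these two rules refer to a type that does not exist and the policy build or relabel should fail. Pick the name the template actually declares and use it in both files. The nested mysql `optional_policy` is indented with four spaces inside a tab-indented block; use tabs like the surrounding lines.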
@@ -87,3 +114,12 @@ optional_policy(`
 
 	postgresql_tcp_connect(dspam_t)
 ')
+
+optional_policy(`
+    postfix_rw_inherited_master_pipes(dspam_t)
+    postfix_list_spool(dspam_t)
+')
+
+optional_policy(`
+    procmail_domtrans(dspam_t)
+')
diff --git a/entropyd.te b/entropyd.te
index a0da189..dc22b89 100644
--- a/entropyd.te
+++ b/entropyd.te
@@ -12,7 +12,7 @@ policy_module(entropyd, 1.7.2)
 ##	the entropy feeds.
 ##	</p>
 ## </desc>
-gen_tunable(entropyd_use_audio, false)
+gen_tunable(entropyd_use_audio, true)
 
 type entropyd_t;
 type entropyd_exec_t;
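Review bot: Flipping the `entropyd_use_audio` default to `true` grants entropyd access to audio devices on every installation out of the box, where the tunable existed so that administrators opt in; unless the distribution ships entropyd configured for audio by default, the boolean is better left `false` with the change recorded where users can see it. If the default stays `true`, the `<desc>` block above should say so, since a reader otherwise assumes the usual `false`.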
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
 
-files_read_etc_files(entropyd_t)
-files_read_usr_files(entropyd_t)
-
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
 
@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t)
 
 logging_send_syslog_msg(entropyd_t)
 
-miscfiles_read_localization(entropyd_t)
+auth_use_nsswitch(entropyd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)
diff --git a/evolution.fc b/evolution.fc
index 597f305..8520653 100644
--- a/evolution.fc
+++ b/evolution.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.camel_certs(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
 HOME_DIR/\.evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.cache/evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
 
 /tmp/\.exchange-USER(/.*)?	gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
 
diff --git a/evolution.te b/evolution.te
index 94fb625..3742ee1 100644
--- a/evolution.te
+++ b/evolution.te
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
 
 domain_dontaudit_read_all_domains_state(evolution_t)
 
-files_read_usr_files(evolution_t)
 
 fs_search_auto_mountpoints(evolution_t)
 
@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
 
 userdom_manage_user_home_content_dirs(evolution_t)
 userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_filetrans_home_content(evolution_t)
 
 userdom_write_user_tmp_sockets(evolution_t)
 
@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
 
 dev_read_urand(evolution_alarm_t)
 
-files_read_usr_files(evolution_alarm_t)
 
 fs_search_auto_mountpoints(evolution_alarm_t)
 
@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t)
 
 dev_read_urand(evolution_exchange_t)
 
-files_read_usr_files(evolution_exchange_t)
 
 fs_search_auto_mountpoints(evolution_exchange_t)
 
@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t)
 
 dev_read_urand(evolution_server_t)
 
-files_read_usr_files(evolution_server_t)
 
 fs_search_auto_mountpoints(evolution_server_t)
 
diff --git a/exim.fc b/exim.fc
index dc0254b..9df498d 100644
--- a/exim.fc
+++ b/exim.fc
@@ -3,6 +3,8 @@
 /usr/sbin/exim[0-9]?	--	gen_context(system_u:object_r:exim_exec_t,s0)
 /usr/sbin/exim_tidydb	--	gen_context(system_u:object_r:exim_exec_t,s0)
 
+/var/lib/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_lib_t,s0)
+
 /var/log/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_log_t,s0)
 
 /var/run/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/exim.if b/exim.if
index 6041113..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute exim in the exim domain,
-##	and allow the specified role
-##	the exim domain.
+##     Execute the mailman program in the mailman domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
 ## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##     <summary>
+##     The role to allow the mailman domain.
+##     </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`exim_run',`
+       gen_require(`
+               type exim_t;
+       ')
+
+       exim_domtrans($1)
+       role $2 types exim_t;
+')
+
+########################################
+## <summary>
+##	Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`exim_initrc_domtrans',`
 	gen_require(`
-		attribute_role exim_roles;
+		type exim_initrc_exec_t;
 	')
 
-	exim_domtrans($1)
-	roleattribute $2 exim_roles;
+	init_labeled_script_domtrans($1, exim_initrc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read exim
-##	temporary tmp files.
+##	Do not audit attempts to read, 
+##	exim tmp files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
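Review bot: The rewritten header for `exim_run` describes mailman: `Execute the mailman program in the mailman domain.` and `The role to allow the mailman domain.` are copy-paste leftovers and should say `Execute exim in the exim domain, and allow the specified role the exim domain.` and `Role allowed access.`. The body of `exim_run` is indented with seven spaces rather than the tab used by the rest of the file and by `exim_initrc_domtrans` just below it. Replacing `roleattribute $2 exim_roles` with `role $2 types exim_t` also abandons the role attribute; if `exim_roles` is still declared in exim.te and applied to other exim domains, roles granted through this interface will no longer receive those, so confirm the attribute is gone before merging. The new `exim_dontaudit_read_tmp_files` summary has a stray comma and trailing space: `Do not audit attempts to read, ` should be `Do not audit attempts to read`.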
@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read exim temporary files.
+##	Allow domain to read, exim tmp files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read exim pid files.
+##	Read exim PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Read exim log files.
+##	Allow the specified domain to read exim's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -125,7 +141,8 @@ interface(`exim_read_log',`
 
 ########################################
 ## <summary>
-##	Append exim log files.
+##	Allow the specified domain to append
+##	exim log files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -144,8 +161,7 @@ interface(`exim_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	exim log files.
+##	Allow the specified domain to manage exim's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -166,7 +182,7 @@ interface(`exim_manage_log',`
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	exim spool directories.
+##	exim spool dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -225,6 +241,44 @@ interface(`exim_manage_spool_files',`
 
 ########################################
 ## <summary>
+##	Read exim var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_read_var_lib_files',`
+	gen_require(`
+		type exim_var_lib_t;
+	')
+
+	read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create, read, and write exim var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_var_lib_files',`
+	gen_require(`
+		type exim_var_lib_t;
+	')
+
+	manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an exim environment.
 ## </summary>
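Review bot: The summary of the new `exim_manage_var_lib_files` says `Create, read, and write exim var lib files`, but `manage_files_pattern` also grants delete (plus rename and link), so the text understates the access granted. Use the phrasing this file already uses for the spool interface, `##	Create, read, write, and delete exim var lib files.`. Neither new interface grants more than the directory search implied by the pattern on exim_var_lib_t, which is fine only if /var/lib/exim holds files and no subdirectories — worth confirming against the .fc file.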
@@ -238,22 +292,29 @@ interface(`exim_manage_spool_files',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`exim_admin',`
 	gen_require(`
 		type exim_t, exim_spool_t, exim_log_t;
 		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+		type exim_keytab_t;
 	')
 
-	allow $1 exim_t:process { ptrace signal_perms };
+	allow $1 exim_t:process signal_perms;
 	ps_process_pattern($1, exim_t)
 
-	init_labeled_script_domtrans($1, exim_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 exim_t:process ptrace;
+	')
+
+	exim_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 exim_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_etc($1)
+	admin_pattern($1, exim_keytab_t)
+
 	files_search_spool($1)
 	admin_pattern($1, exim_spool_t)
 
diff --git a/exim.te b/exim.te
index 19325ce..5495c90 100644
--- a/exim.te
+++ b/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.5.4)
+policy_module(exim, 1.6.1)
 
 ########################################
 #
@@ -45,11 +45,14 @@ mta_agent_executable(exim_exec_t)
 type exim_initrc_exec_t;
 init_script_file(exim_initrc_exec_t)
 
+type exim_var_lib_t;
+files_type(exim_var_lib_t)
+
 type exim_log_t;
 logging_log_file(exim_log_t)
 
 type exim_spool_t;
-files_type(exim_spool_t)
+files_spool_file(exim_spool_t)
 
 type exim_tmp_t;
 files_tmp_file(exim_tmp_t)
@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t)
 type exim_var_run_t;
 files_pid_file(exim_var_run_t)
 
+ifdef(`distro_debian',`
+	init_daemon_run_dir(exim_var_run_t, "exim4")
+')
+
 ########################################
 #
 # Local policy
@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
 allow exim_t self:tcp_socket { accept listen };
 
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+
 append_files_pattern(exim_t, exim_log_t, exim_log_t)
 create_files_pattern(exim_t, exim_log_t, exim_log_t)
 setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
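Review bot: `manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)` gives exim full access to already-labelled files, but nothing here creates the label: there is no dir pattern for the type and no `files_var_lib_filetrans(exim_t, exim_var_lib_t, { dir file })`, so anything exim creates under /var/lib will carry the generic label unless the directory already exists with the right context. If the package ships /var/lib/exim pre-labelled via the .fc file, a one-line comment saying so is enough; otherwise add the filetrans. exim.fc is not part of this chunk, so I cannot confirm which applies.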
@@ -88,13 +97,13 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
 
 can_exec(exim_t, exim_exec_t)
 
+kernel_read_crypto_sysctls(exim_t)
 kernel_read_kernel_sysctls(exim_t)
 kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
+kernel_read_system_state(exim_t)
 
 corecmd_search_bin(exim_t)
 
-corenet_all_recvfrom_unlabeled(exim_t)
 corenet_all_recvfrom_netlabel(exim_t)
 corenet_tcp_sendrecv_generic_if(exim_t)
 corenet_udp_sendrecv_generic_if(exim_t)
@@ -123,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t)
 
 dev_read_rand(exim_t)
 dev_read_urand(exim_t)
+dev_read_sysfs(exim_t)
 
 domain_use_interactive_fds(exim_t)
 
@@ -135,10 +145,10 @@ fs_getattr_xattr_fs(exim_t)
 fs_list_inotifyfs(exim_t)
 
 auth_use_nsswitch(exim_t)
+auth_domtrans_chk_passwd(exim_t)
 
 logging_send_syslog_msg(exim_t)
 
-miscfiles_read_localization(exim_t)
 miscfiles_read_generic_certs(exim_t)
 
 userdom_dontaudit_search_user_home_dirs(exim_t)
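Review bot: `auth_domtrans_chk_passwd(exim_t)` lets the MTA run the system password-check helper, i.e. authenticate against local accounts, and it lands here with neither a comment nor a tunable. A short comment such as `# SMTP AUTH against local accounts via the chkpwd helper — TODO confirm` would record the intent, and since not every exim deployment offers SMTP AUTH, guarding it with a tunable in the style of the existing `exim_can_connect_db` would keep the transition off by default. Whether the remaining exim_t rules elsewhere already expect this is not visible here.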
@@ -154,9 +164,9 @@ tunable_policy(`exim_can_connect_db',`
 	corenet_sendrecv_mssql_client_packets(exim_t)
 	corenet_tcp_connect_mssql_port(exim_t)
 	corenet_tcp_sendrecv_mssql_port(exim_t)
-	corenet_sendrecv_oracledb_client_packets(exim_t)
-	corenet_tcp_connect_oracledb_port(exim_t)
-	corenet_tcp_sendrecv_oracledb_port(exim_t)
+	corenet_sendrecv_oracle_client_packets(exim_t)
+	corenet_tcp_connect_oracle_port(exim_t)
+	corenet_tcp_sendrecv_oracle_port(exim_t)
 ')
 
 tunable_policy(`exim_read_user_files',`
@@ -170,13 +180,14 @@ tunable_policy(`exim_manage_user_files',`
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(exim_t)
-	clamav_stream_connect(exim_t)
+	antivirus_domtrans(exim_t)
+	antivirus_stream_connect(exim_t)
 ')
 
 optional_policy(`
 	cron_read_pipes(exim_t)
 	cron_rw_system_job_pipes(exim_t)
+	cron_use_system_job_fds(exim_t)
 ')
 
 optional_policy(`
@@ -188,12 +199,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_keytab_template(exim, exim_t)
-')
-
-optional_policy(`
-	mailman_read_data_files(exim_t)
-	mailman_domtrans(exim_t)
+    kerberos_keytab_template(exim, exim_t)
 ')
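Review bot: The re-indented `kerberos_keytab_template(exim, exim_t)` line uses four spaces while every other optional_policy body in exim.te uses a tab, so the hunk introduces an indentation regression rather than a change. The same space-indented lines appear in fail2ban.te (`apache_read_log(fail2ban_client_t)`), fcoe.te (`networkmanager_dgram_send(fcoemon_t)`), fetchmail.te (`mta_send_mail(fetchmail_t)`) and firewalld.te (`NetworkManager_read_state(firewalld_t)`), and fail2ban.if re-indents two whole interfaces with spaces. Restoring tabs keeps all of these consistent with the surrounding files.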
 
 optional_policy(`
@@ -218,6 +224,7 @@ optional_policy(`
 
 optional_policy(`
 	procmail_domtrans(exim_t)
+	procmail_read_home_files(exim_t)
 ')
 
 optional_policy(`
diff --git a/fail2ban.if b/fail2ban.if
index 50d0084..6565422 100644
--- a/fail2ban.if
+++ b/fail2ban.if
@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
 	domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute the fail2ban client in
-##	the fail2ban client domain.
+##  Execute the fail2ban client in
+##  the fail2ban client domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 #
 interface(`fail2ban_domtrans_client',`
-	gen_require(`
-		type fail2ban_client_t, fail2ban_client_exec_t;
-	')
+    gen_require(`
+        type fail2ban_client_t, fail2ban_client_exec_t;
+    ')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+    corecmd_search_bin($1)
+    domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute fail2ban client in the
-##	fail2ban client domain, and allow
-##	the specified role the fail2ban
-##	client domain.
+##  Execute fail2ban client in the
+##  fail2ban client domain, and allow
+##  the specified role the fail2ban
+##  client domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access.
+##  </summary>
 ## </param>
 #
 interface(`fail2ban_run_client',`
-	gen_require(`
-		attribute_role fail2ban_client_roles;
-	')
+    gen_require(`
+        attribute_role fail2ban_client_roles;
+    ')
 
-	fail2ban_domtrans_client($1)
-	roleattribute $2 fail2ban_client_roles;
+    fail2ban_domtrans_client($1)
+    roleattribute $2 fail2ban_client_roles;
 ')
 
 #####################################
 ## <summary>
-##	Connect to fail2ban over a
-##	unix domain stream socket.
+##	Connect to fail2ban over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
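Review bot: The two separator banners in this hunk were shortened from 40 to 39 `#` characters while every other banner in fail2ban.if stays at 40, and `fail2ban_domtrans_client` and `fail2ban_run_client` are re-indented with spaces where the rest of the file uses tabs. Both are pure churn that leave the file inconsistent and make the diff noisy; restore the tab indentation and the 40-character banners so the hunk contains only the wording change.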
@@ -102,51 +102,12 @@ interface(`fail2ban_rw_inherited_tmp_files',`
 	')
 
 	files_search_tmp($1)
-	allow $1 fail2ban_tmp_t:file { read write };
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use
-##	fail2ban file descriptors.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fail2ban_dontaudit_use_fds',`
-	gen_require(`
-		type fail2ban_t;
-	')
-
-	dontaudit $1 fail2ban_t:fd use;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and
-##	write fail2ban unix stream sockets
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
-	gen_require(`
-		type fail2ban_t;
-	')
-
-	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+	allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write fail2ban unix
-##	stream sockets.
+##	Read and write to an fail2ba unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
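Review bot: `fail2ban_dontaudit_use_fds` and `fail2ban_dontaudit_rw_stream_sockets` are deleted outright, so any module still calling them stops building; the usual practice is to keep a deprecated stub for a release, e.g. `interface(`fail2ban_dontaudit_use_fds',` / `	refpolicywarn(`$0($*) has been deprecated.')` / `')`, and the same for the stream-socket one. The rewritten summary that follows also has a typo, `fail2ba` for `fail2ban`, and the article should be `a` rather than `an`.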
@@ -178,12 +139,12 @@ interface(`fail2ban_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
-	allow $1 fail2ban_var_lib_t:file read_file_perms;
+	read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Read fail2ban log files.
+##	Allow the specified domain to read fail2ban's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -198,12 +159,14 @@ interface(`fail2ban_read_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
 	allow $1 fail2ban_log_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Append fail2ban log files.
+##	Allow the specified domain to append
+##	fail2ban log files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -217,12 +180,13 @@ interface(`fail2ban_append_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
 	allow $1 fail2ban_log_t:file append_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read fail2ban pid files.
+##	Read fail2ban PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -241,8 +205,28 @@ interface(`fail2ban_read_pid_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an fail2ban environment.
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+	gen_require(`
+		type fail2ban_t;
+	')
+
+ 	dontaudit $1 fail2ban_t:tcp_socket { read write };
+	dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an fail2ban environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
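Review bot: The first rule of the new `fail2ban_dontaudit_leaks`, `dontaudit $1 fail2ban_t:tcp_socket { read write };`, starts with a space before its tab, unlike the two lines below it. Its summary `dontaudit read and write an leaked file descriptors` is ungrammatical; `##	Do not audit attempts to read and write leaked fail2ban file descriptors.` matches the rest of the file. The new `firstboot_dontaudit_leaks` in firstboot.if carries the identical summary and needs the same fix.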
@@ -251,21 +235,25 @@ interface(`fail2ban_read_pid_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the fail2ban domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`fail2ban_admin',`
 	gen_require(`
-		type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
-		type fail2ban_var_run_t, fail2ban_initrc_exec_t;
-		type fail2ban_var_lib_t, fail2ban_client_t;
+		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+		type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+		type fail2ban_client_t;
 	')
 
-	allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
 	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 fail2ban_initrc_exec_t system_r;
@@ -277,10 +265,10 @@ interface(`fail2ban_admin',`
 	files_list_pids($1)
 	admin_pattern($1, fail2ban_var_run_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, fail2ban_var_lib_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, fail2ban_tmp_t)
 
 	fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
index 0872e50..cdea6d0 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
 #
 
 allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
-allow fail2ban_t self:process signal;
+allow fail2ban_t self:process { setsched signal };
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { accept connectto listen };
 allow fail2ban_t self:tcp_socket { accept listen };
@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
 
-corenet_all_recvfrom_unlabeled(fail2ban_t)
 corenet_all_recvfrom_netlabel(fail2ban_t)
 corenet_tcp_sendrecv_generic_if(fail2ban_t)
 corenet_tcp_sendrecv_generic_node(fail2ban_t)
@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t)
 domain_dontaudit_read_all_domains_state(fail2ban_t)
 
 files_read_etc_runtime_files(fail2ban_t)
-files_read_usr_files(fail2ban_t)
 files_list_var(fail2ban_t)
 files_dontaudit_list_tmp(fail2ban_t)
 
@@ -92,22 +90,33 @@ auth_use_nsswitch(fail2ban_t)
 logging_read_all_logs(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
 
-miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t)
 
 sysnet_manage_config(fail2ban_t)
-sysnet_etc_filetrans_config(fail2ban_t)
-
-mta_send_mail(fail2ban_t)
+sysnet_filetrans_named_content(fail2ban_t)
 
 optional_policy(`
 	apache_read_log(fail2ban_t)
 ')
 
 optional_policy(`
+	dbus_system_bus_client(fail2ban_t)
+	dbus_connect_system_bus(fail2ban_t)
+
+	optional_policy(`
+		firewalld_dbus_chat(fail2ban_t)
+	')
+')
+
+optional_policy(`
 	ftp_read_log(fail2ban_t)
 ')
 
 optional_policy(`
+	gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
 	iptables_domtrans(fail2ban_t)
 ')
 
@@ -116,6 +125,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rpm_exec(fail2ban_t)
+')
+
+optional_policy(`
 	shorewall_domtrans(fail2ban_t)
 ')
 
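Review bot: `rpm_exec(fail2ban_t)` lets the intrusion-blocking daemon execute the package manager's binaries in its own domain, with no comment explaining why a log-watching service needs it. If a fail2ban action really invokes rpm, record that above the block (`# some fail2ban actions call rpm — TODO confirm`) so the grant can be revisited; otherwise the line should be dropped, because it widens what a compromised fail2ban_t can run.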
@@ -129,22 +142,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
 stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
 
 kernel_read_system_state(fail2ban_client_t)
 
 corecmd_exec_bin(fail2ban_client_t)
 
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
 domain_use_interactive_fds(fail2ban_client_t)
 
-files_read_etc_files(fail2ban_client_t)
-files_read_usr_files(fail2ban_client_t)
 files_search_pids(fail2ban_client_t)
 
+auth_use_nsswitch(fail2ban_client_t)
+
 logging_getattr_all_logs(fail2ban_client_t)
 logging_search_all_logs(fail2ban_client_t)
 
-miscfiles_read_localization(fail2ban_client_t)
-
 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
 userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+    apache_read_log(fail2ban_client_t)
+')
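Review bot: `allow fail2ban_client_t fail2ban_var_run_t:dir write;` grants a bare `write` on the run directory without `add_name`/`remove_name`, a combination used nowhere else in this file, and the `dontaudit ... dir_file_class_set audit_access;` line just above suggests the client only probes the directory with access(2) rather than creating anything in it. A comment stating what the client actually does to the directory would let a later reviewer tell whether `write` is required or the dontaudit alone suffices. The `optional_policy` block at the end of the hunk is indented with spaces unlike the rest of fail2ban.te.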
diff --git a/fcoe.te b/fcoe.te
index 79b9273..28dec44 100644
--- a/fcoe.te
+++ b/fcoe.te
@@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t)
 # Local policy
 #
 
-allow fcoemon_t self:capability { dac_override kill net_admin };
+allow fcoemon_t self:capability { net_admin net_raw dac_override };
 allow fcoemon_t self:fifo_file rw_fifo_file_perms;
 allow fcoemon_t self:unix_stream_socket { accept listen };
 allow fcoemon_t self:netlink_socket create_socket_perms;
 allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
+allow fcoemon_t self:packet_socket create_socket_perms;
+allow fcoemon_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
 
-files_read_etc_files(fcoemon_t)
-
-dev_read_sysfs(fcoemon_t)
+dev_rw_sysfs(fcoemon_t)
 
 logging_send_syslog_msg(fcoemon_t)
 
 miscfiles_read_localization(fcoemon_t)
 
+userdom_dgram_send(fcoemon_t)
+
 optional_policy(`
 	lldpad_dgram_send(fcoemon_t)
 ')
+
+optional_policy(`
+    networkmanager_dgram_send(fcoemon_t)
+')
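Review bot: `net_raw` together with `allow fcoemon_t self:packet_socket create_socket_perms;` lets fcoemon open raw packet sockets on any interface, a notable widening that arrives with no explanatory comment; a line such as `# FIP/FCoE frames are exchanged on raw packet sockets — TODO confirm` above the capability rule would record why. Whether `udp_socket` is also needed is not apparent from this hunk. Dropping `kill` at the same time means any process fcoemon still signals will now be denied, so that removal is worth double-checking against the daemon's behaviour.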
diff --git a/fetchmail.fc b/fetchmail.fc
index 2486e2a..fef9bff 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
 HOME_DIR/\.fetchmailrc	--	gen_context(system_u:object_r:fetchmail_home_t,s0)
+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
 
 /etc/fetchmailrc	--	gen_context(system_u:object_r:fetchmail_etc_t,s0)
 
@@ -12,4 +13,4 @@ HOME_DIR/\.fetchmailrc	--	gen_context(system_u:object_r:fetchmail_home_t,s0)
 
 /var/mail/\.fetchmail-UIDL-cache	--	gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
 
-/var/run/fetchmail/.*	--	gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+/var/run/fetchmail.*	    gen_context(system_u:object_r:fetchmail_var_run_t,s0)
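Review bot: `/var/run/fetchmail.*` has no path separator, so it matches every entry under /var/run whose name merely starts with `fetchmail`, and with the file-type field removed it now applies to directories and sockets as well. The conventional form is `/var/run/fetchmail(/.*)?	gen_context(system_u:object_r:fetchmail_var_run_t,s0)`. The `/root/\.fetchmailrc` entry added in the first hunk separates its fields with spaces rather than tabs and writes `, s0` with a space, unlike every other line in the file; align it with the `HOME_DIR` line above it.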
diff --git a/fetchmail.if b/fetchmail.if
index c3f7916..cab3954 100644
--- a/fetchmail.if
+++ b/fetchmail.if
@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
 		type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
 	')
 
+	ps_process_pattern($1, fetchmail_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 fetchmail_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 fetchmail_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	allow $1 fetchmail_t:process { ptrace signal_perms };
-	ps_process_pattern($1, fetchmail_t)
-
 	files_list_etc($1)
 	admin_pattern($1, fetchmail_etc_t)
 
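Review bot: `fetchmail_admin` no longer grants `signal_perms` on fetchmail_t: the old `allow $1 fetchmail_t:process { ptrace signal_perms };` is removed and only `ptrace` comes back under the `deny_ptrace` tunable, so an admin can no longer stop or signal the daemon. The other admin interfaces in this commit (exim_admin, fail2ban_admin, firewalld_admin) keep `allow $1 ..._t:process signal_perms;` next to `ps_process_pattern`; add `allow $1 fetchmail_t:process signal_perms;` before `ps_process_pattern($1, fetchmail_t)`. The interface body continues outside the hunk.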
diff --git a/fetchmail.te b/fetchmail.te
index f0388cb..2e94f0e 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
 #
 # Local policy
 #
-
+allow fetchmail_t self:capability setuid;
 dontaudit fetchmail_t self:capability sys_tty_config;
 allow fetchmail_t self:process { signal_perms setrlimit };
 allow fetchmail_t self:unix_stream_socket { accept listen };
 
 allow fetchmail_t fetchmail_etc_t:file read_file_perms;
 
-read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
-
 manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
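Review bot: `allow fetchmail_t self:capability setuid;` is inserted directly under the `# Local policy` header, replacing the blank line that separates header from rules in every other file, and the grant itself (the daemon changing uid) carries no comment. Restore the blank line and add something like `# fetchmail drops root privileges to its run-as user — TODO confirm` above it. The same header-glued capability line appears in firewalld.te (`allow firewalld_t self:capability { dac_override net_admin };`).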
@@ -52,7 +50,12 @@ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 
 manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
 manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})
+
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
 
 kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
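Review bot: `files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})` writes the class set without the inner spaces used everywhere else in this commit (`{ dir file }` in the exim and fcoe lines); write `{ dir file }` for consistency. The pair `userdom_search_user_home_dirs(fetchmail_t)` and `userdom_search_admin_dir(fetchmail_t)` placed next to the home read pattern is fine, but a one-line comment that both exist to reach `.fetchmailrc` in user and root home directories would make the grouping self-explanatory.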
@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
 corecmd_exec_bin(fetchmail_t)
 corecmd_exec_shell(fetchmail_t)
 
-corenet_all_recvfrom_unlabeled(fetchmail_t)
 corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
 corenet_tcp_sendrecv_generic_node(fetchmail_t)
@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t)
 
 domain_use_interactive_fds(fetchmail_t)
 
-auth_use_nsswitch(fetchmail_t)
+auth_read_passwd(fetchmail_t)
 
 logging_send_syslog_msg(fetchmail_t)
 
-miscfiles_read_localization(fetchmail_t)
 miscfiles_read_generic_certs(fetchmail_t)
 
+sysnet_dns_name_resolve(fetchmail_t)
+
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+    mta_send_mail(fetchmail_t)
+')
+
+optional_policy(`
+	kerberos_use(fetchmail_t)
+')
 
 optional_policy(`
 	procmail_domtrans(fetchmail_t)
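Review bot: Replacing `auth_use_nsswitch(fetchmail_t)` with `auth_read_passwd` plus `sysnet_dns_name_resolve` narrows account lookups to the flat passwd file, so on hosts that resolve users through sssd, nscd or LDAP, fetchmail's run-as user lookup may now be denied; if that narrowing is intended, say so in a comment. The two new optional blocks in this hunk are indented differently (`    mta_send_mail` with spaces, `	kerberos_use` with a tab), and the file otherwise uses tabs.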
diff --git a/finger.te b/finger.te
index af4b6d7..92245bf 100644
--- a/finger.te
+++ b/finger.te
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
 
-corenet_all_recvfrom_unlabeled(fingerd_t)
 corenet_all_recvfrom_netlabel(fingerd_t)
 corenet_tcp_sendrecv_generic_if(fingerd_t)
 corenet_tcp_sendrecv_generic_node(fingerd_t)
@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t)
 domain_use_interactive_fds(fingerd_t)
 
 files_read_etc_runtime_files(fingerd_t)
+files_search_home(fingerd_t)
 
 fs_getattr_all_fs(fingerd_t)
 fs_search_auto_mountpoints(fingerd_t)
@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t)
 term_getattr_all_ptys(fingerd_t)
 
 auth_read_lastlog(fingerd_t)
+auth_use_nsswitch(fingerd_t)
 
 init_read_utmp(fingerd_t)
 init_dontaudit_write_utmp(fingerd_t)
@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t)
 
 mta_getattr_spool(fingerd_t)
 
-miscfiles_read_localization(fingerd_t)
+sysnet_read_config(fingerd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
 
diff --git a/firewalld.fc b/firewalld.fc
index 21d7b84..0e272bd 100644
--- a/firewalld.fc
+++ b/firewalld.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/firewalld.*  -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+
 /etc/rc\.d/init\.d/firewalld	--	gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
 
 /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
index 5cf6ac6..1893f7f 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,6 +2,66 @@
 
 ########################################
 ## <summary>
+##	Read firewalld config
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_read_config',`
+	gen_require(`
+		type firewalld_etc_rw_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
+')
+
+########################################
+## <summary>
+##	Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`firewalld_initrc_domtrans',`
+	gen_require(`
+		type firewalld_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`firewalld_systemctl',`
+	gen_require(`
+		type firewalld_t;
+		type firewalld_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 firewalld_unit_file_t:file read_file_perms;
+	allow $1 firewalld_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, firewalld_t)
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	firewalld over dbus.
 ## </summary>
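Review bot: `firewalld_initrc_domtrans` and `firewalld_systemctl` carry the identical summary `Execute firewalld server in the firewalld domain.`, which describes neither: the first runs the init script through `init_labeled_script_domtrans`, the second runs systemctl and grants `manage_service_perms` on the unit file. Suggest `##	Execute the firewalld init script in the init script domain.` and `##	Execute systemctl to manage the firewalld service.` respectively. In `firewalld_read_config` the `<summary>` tags inside the param block are not tab-indented like the rest of the file.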
@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an firewalld environment.
+##	Dontaudit attempts to write
+##	firewalld tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`firewalld_dontaudit_write_tmp_files',`
+	gen_require(`
+		type firewalld_tmp_t;
+	')
+
+	dontaudit $1 firewalld_tmp_t:file write;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an firewalld environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -41,14 +120,18 @@ interface(`firewalld_dbus_chat',`
 interface(`firewalld_admin',`
 	gen_require(`
 		type firewalld_t, firewalld_initrc_exec_t;
-		type firewall_etc_rw_t, firewalld_var_run_t;
+		type firewalld_etc_rw_t, firewalld_var_run_t;
 		type firewalld_var_log_t;
 	')
 
-	allow $1 firewalld_t:process { ptrace signal_perms };
+	allow $1 firewalld_t:process signal_perms;
 	ps_process_pattern($1, firewalld_t)
 
-	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 firewalld_t:process ptrace;
+	')
+
+	firewalld_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 firewalld_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, firewalld_var_log_t)
 
-	files_search_etc($1)
-	admin_pattern($1, firewall_etc_rw_t)
+	admin_pattern($1, firewalld_etc_rw_t)
+
+	admin_pattern($1, firewalld_unit_file_t)
+	firewalld_systemctl($1)
+	allow $1 firewalld_unit_file_t:service all_service_perms;
 ')
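Review bot: `admin_pattern($1, firewalld_unit_file_t)` and `allow $1 firewalld_unit_file_t:service all_service_perms;` use a type that `firewalld_admin`'s own gen_require (earlier hunk) does not list; it is only visible because `firewalld_systemctl($1)` expands its require block in place, which is fragile. Add `type firewalld_unit_file_t;` to the gen_require, and since `firewalld_systemctl` already grants `manage_service_perms`, the `all_service_perms` line is either redundant or should say why the admin needs more. `files_search_etc($1)` was also dropped ahead of `admin_pattern($1, firewalld_etc_rw_t)`, so an admin domain without /etc search from elsewhere cannot reach the directory. The interface begins outside this hunk.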
diff --git a/firewalld.te b/firewalld.te
index c8014f8..bacc80c 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
 type firewalld_var_run_t;
 files_pid_file(firewalld_var_run_t)
 
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
+type firewalld_tmp_t;
+files_tmp_file(firewalld_tmp_t)
+
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
 ########################################
 #
 # Local policy
 #
-
+allow firewalld_t self:capability { dac_override net_admin };
 dontaudit firewalld_t self:capability sys_tty_config;
 allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
 allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
 logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
 
+manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
+files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
+allow firewalld_t firewalld_tmp_t:file execute;
+
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
+allow firewalld_t firewalld_tmpfs_t:file execute;
+
 manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
 files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+can_exec(firewalld_t, firewalld_var_run_t)
 
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
+kernel_rw_net_sysctls(firewalld_t)
 
 corecmd_exec_bin(firewalld_t)
 corecmd_exec_shell(firewalld_t)
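Review bot: `allow firewalld_t firewalld_tmp_t:file execute;`, the matching tmpfs rule and `can_exec(firewalld_t, firewalld_var_run_t)` let the daemon execute files it can also create and write (`manage_files_pattern` on the same types in this hunk), removing the write-xor-execute separation for this domain. If firewalld has to run generated helper scripts, say so in a comment above the block (e.g. `# firewalld writes and then executes generated helper scripts — TODO confirm`) so the exception is not silently widened later, and consider whether a dedicated exec type or a tunable could narrow it. Whether all three locations are needed is not visible from this hunk.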
@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t)
 
 domain_use_interactive_fds(firewalld_t)
 
-files_read_etc_files(firewalld_t)
-files_read_usr_files(firewalld_t)
+files_dontaudit_access_check_tmp(firewalld_t)
 files_dontaudit_list_tmp(firewalld_t)
 
 fs_getattr_xattr_fs(firewalld_t)
+fs_dontaudit_all_access_check(firewalld_t)
 
-logging_send_syslog_msg(firewalld_t)
-
-miscfiles_read_localization(firewalld_t)
+auth_use_nsswitch(firewalld_t)
 
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
+logging_send_syslog_msg(firewalld_t)
 
-sysnet_read_config(firewalld_t)
+sysnet_dns_name_resolve(firewalld_t)
 
 optional_policy(`
 	dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -85,9 +102,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_read_generic_data_home_dirs(firewalld_t)
+')
+
+optional_policy(`
 	iptables_domtrans(firewalld_t)
 ')
 
 optional_policy(`
 	modutils_domtrans_insmod(firewalld_t)
 ')
+
+optional_policy(`
+    NetworkManager_read_state(firewalld_t)
+')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1..941f4ef 100644
--- a/firewallgui.if
+++ b/firewallgui.if
@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
 		type firewallgui_t;
 	')
 
-	dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
 ')
diff --git a/firewallgui.te b/firewallgui.te
index c5ceab1..86b8098 100644
--- a/firewallgui.te
+++ b/firewallgui.te
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
 dev_read_sysfs(firewallgui_t)
 dev_read_urand(firewallgui_t)
 
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
 files_list_kernel_modules(firewallgui_t)
-files_read_usr_files(firewallgui_t)
 
 auth_use_nsswitch(firewallgui_t)
 
@@ -60,12 +62,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_read_generic_gconf_home_content(firewallgui_t)
+	gnome_read_gconf_home_files(firewallgui_t)
 ')
 
 optional_policy(`
 	iptables_domtrans(firewallgui_t)
 	iptables_initrc_domtrans(firewallgui_t)
+	iptables_systemctl(firewallgui_t)
 ')
 
 optional_policy(`
diff --git a/firstboot.fc b/firstboot.fc
index 12c782c..ba614e4 100644
--- a/firstboot.fc
+++ b/firstboot.fc
@@ -1,5 +1,3 @@
-/etc/rc\.d/init\.d/firstboot.*	--	gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/sbin/firstboot		--	gen_context(system_u:object_r:firstboot_exec_t,s0)
 
-/usr/sbin/firstboot	--	gen_context(system_u:object_r:firstboot_exec_t,s0)
-
-/usr/share/firstboot/firstboot\.py	--	gen_context(system_u:object_r:firstboot_exec_t,s0)
+/usr/share/firstboot/firstboot\.py --	gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/firstboot.if b/firstboot.if
index 280f875..f3a67c9 100644
--- a/firstboot.if
+++ b/firstboot.if
@@ -1,4 +1,7 @@
-## <summary>Initial system configuration utility.</summary>
+## <summary>
+##	Final system configuration run during the first boot
+##	after installation of Red Hat/Fedora systems.
+## </summary>
 
 ########################################
 ## <summary>
@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',`
 		type firstboot_t, firstboot_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, firstboot_exec_t, firstboot_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute firstboot in the firstboot
-##	domain, and allow the specified role
-##	the firstboot domain.
+##	Execute firstboot in the firstboot domain, and
+##	allow the specified role the firstboot domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
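Review bot: `firstboot_domtrans` no longer calls `corecmd_search_bin($1)`, so a caller that does not already hold search on bin directories may be denied reaching `/usr/sbin/firstboot` before the transition; the other `*_domtrans` interfaces in this commit, such as `fail2ban_domtrans_client`, keep that call. If callers are expected to supply the search access themselves, note it in the interface summary; otherwise restore `corecmd_search_bin($1)` before `domtrans_pattern($1, firstboot_exec_t, firstboot_t)`.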
@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',`
 #
 interface(`firstboot_run',`
 	gen_require(`
-		attribute_role firstboot_roles;
+		type firstboot_t;
 	')
 
 	firstboot_domtrans($1)
-	roleattribute $2 firstboot_roles;
+	role $2 types firstboot_t;
 ')
 
 ########################################
 ## <summary>
-##	Inherit and use firstboot file descriptors.
+##	Inherit and use a file descriptor from firstboot.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to inherit
-##	firstboot file descriptors.
+##	Do not audit attempts to inherit a
+##	file descriptor from firstboot.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Write firstboot unnamed pipes.
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`firstboot_dontaudit_leaks',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	dontaudit $1 firstboot_t:socket_class_set { read write };
+	dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
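Review bot: The summary of the new firstboot_dontaudit_leaks interface, `dontaudit read and write an leaked file descriptors`, is ungrammatical and does not follow the "Do not audit attempts to ..." phrasing used by the neighbouring interfaces; `Do not audit attempts to read or write leaked firstboot file descriptors.` would match them. The body itself is the usual leak-suppression pair (socket_class_set read/write plus inherited fifo permissions), so the interface name and the summary should both say "leaked" so a reader knows these are inherited descriptors rather than pipes firstboot hands out on purpose.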
@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',`
 		type firstboot_t;
 	')
 
+	allow $1 firstboot_t:fd use;
 	allow $1 firstboot_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Read and Write firstboot unnamed pipes.
+##	Read and Write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',`
 
 ########################################
 ## <summary>
-## 	Do not audit attemps to read and
-##	write firstboot unnamed pipes.
+## 	Do not audit attemps to read and write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',`
 
 ########################################
 ## <summary>
-## 	Do not audit attemps to read and
-##	write firstboot unix domain
-##	stream sockets.
+## 	Do not audit attemps to read and write to a firstboot
+##	unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/firstboot.te b/firstboot.te
index c12c067..a415012 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
-policy_module(firstboot, 1.12.3)
+policy_module(firstboot, 1.12.0)
 
 gen_require(`
-	class passwd { passwd chfn chsh rootok };
+	class passwd { passwd chfn chsh rootok crontab };
 ')
 
 ########################################
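Review bot: The module version on the policy_module line goes backwards, from 1.12.3 to 1.12.0, which reads like an accidental revert of the header rather than a deliberate renumbering; a module whose rules change should carry a higher version, e.g. `policy_module(firstboot, 1.12.4)` or the next number used on this branch. The `crontab` permission added to the passwd class require is not referenced by any rule in the visible hunks of firstboot.te, so it is worth stating what needs it or dropping it from the require.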
@@ -9,17 +9,12 @@ gen_require(`
 # Declarations
 #
 
-attribute_role firstboot_roles;
-
 type firstboot_t;
 type firstboot_exec_t;
 init_system_domain(firstboot_t, firstboot_exec_t)
 domain_obj_id_change_exemption(firstboot_t)
 domain_subj_id_change_exemption(firstboot_t)
-role firstboot_roles types firstboot_t;
-
-type firstboot_initrc_exec_t;
-init_script_file(firstboot_initrc_exec_t)
+role system_r types firstboot_t;
 
 type firstboot_etc_t;
 files_config_file(firstboot_etc_t)
@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t)
 allow firstboot_t self:capability { dac_override setgid };
 allow firstboot_t self:process setfscreate;
 allow firstboot_t self:fifo_file rw_fifo_file_perms;
-allow firstboot_t self:tcp_socket { accept listen };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
 allow firstboot_t self:passwd { rootok passwd chfn chsh };
 
 allow firstboot_t firstboot_etc_t:file read_file_perms;
 
+files_manage_generic_tmp_dirs(firstboot_t)
+files_manage_generic_tmp_files(firstboot_t)
+
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
 
-corecmd_exec_all_executables(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
 
 dev_read_urand(firstboot_t)
 
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_manage_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-files_create_boot_flag(firstboot_t)
-files_delete_boot_flag(firstboot_t)
-
 selinux_get_fs_mount(firstboot_t)
 selinux_validate_context(firstboot_t)
 selinux_compute_access_vector(firstboot_t)
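Review bot: `corenet_tcp_sendrecv_all_ports(firstboot_t)` together with the widened `allow firstboot_t self:tcp_socket create_stream_socket_perms;` lets a first-boot configuration tool exchange TCP traffic on every labelled port, where the replaced rule only permitted accept and listen, and nothing records why. If firstboot only needs name resolution and the system bus (sysnet_dns_name_resolve and dbus_system_bus_client are already granted), a port-specific corenet interface would be a tighter fit; if it genuinely runs arbitrary network helpers, a one-line comment above the corenet block such as `# firstboot runs registration/network helpers that may use any port` would document the decision. The same applies to files_manage_generic_tmp_dirs/files, which gives write access to all generic tmp content.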
@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t)
 
 auth_dontaudit_getattr_shadow(firstboot_t)
 
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
 init_domtrans_script(firstboot_t)
 init_rw_utmp(firstboot_t)
 
@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
 
 logging_send_syslog_msg(firstboot_t)
 
-miscfiles_read_localization(firstboot_t)
-
 sysnet_dns_name_resolve(firstboot_t)
 
-userdom_use_user_terminals(firstboot_t)
+userdom_use_inherited_user_terminals(firstboot_t)
+
+# Add/remove user home directories
 userdom_manage_user_home_content_dirs(firstboot_t)
 userdom_manage_user_home_content_files(firstboot_t)
 userdom_manage_user_home_content_symlinks(firstboot_t)
 userdom_manage_user_home_content_pipes(firstboot_t)
 userdom_manage_user_home_content_sockets(firstboot_t)
 userdom_home_filetrans_user_home_dir(firstboot_t)
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(firstboot_t)
 
 optional_policy(`
 	dbus_system_bus_client(firstboot_t)
@@ -102,20 +105,18 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(firstboot_t)
-')
-
-optional_policy(`
 	samba_rw_config(firstboot_t)
 ')
 
 optional_policy(`
 	unconfined_domtrans(firstboot_t)
-	unconfined_domain(firstboot_t)
+	# The big hammer
+	unconfined_domain_noaudit(firstboot_t)
 ')
 
 optional_policy(`
-	gnome_manage_generic_home_content(firstboot_t)
+	gnome_admin_home_gconf_filetrans(firstboot_t, dir)
+	gnome_manage_config(firstboot_t)
 ')
 
 optional_policy(`
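Review bot: `unconfined_domain_noaudit(firstboot_t)` makes firstboot_t unconfined whenever the unconfined module is loaded, and the name indicates it also drops the audit-related rules the plain unconfined_domain variant carries, so the `# The big hammer` comment undersells the change: every fine-grained rule above becomes irrelevant on such systems and actions that would previously have been logged may no longer be. If the intent is only to silence denial noise during first boot, say so, e.g. `# Unconfined during first boot; noaudit variant chosen to suppress expected denials`, and consider whether plain unconfined_domain keeps the audit trail at acceptable cost. The removal of the nis_use_ypbind block higher in the hunk is unexplained; if NIS lookups are now covered elsewhere, the commit message should say where.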
diff --git a/fprintd.te b/fprintd.te
index c81b6e8..72b7712 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
 allow fprintd_t self:capability sys_nice;
 allow fprintd_t self:process { getsched setsched signal sigkill };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };
 
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
@@ -28,15 +30,16 @@ kernel_read_system_state(fprintd_t)
 
 dev_list_usbfs(fprintd_t)
 dev_read_sysfs(fprintd_t)
+dev_read_urand(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 
-files_read_usr_files(fprintd_t)
+files_dontaudit_list_tmp(fprintd_t)
 
 fs_getattr_all_fs(fprintd_t)
 
 auth_use_nsswitch(fprintd_t)
 
-miscfiles_read_localization(fprintd_t)
+logging_send_syslog_msg(fprintd_t)
 
 userdom_use_user_ptys(fprintd_t)
 userdom_read_all_users_state(fprintd_t)
@@ -54,8 +57,17 @@ optional_policy(`
 	')
 ')
 
+
 optional_policy(`
-	policykit_domtrans_auth(fprintd_t)
 	policykit_read_reload(fprintd_t)
 	policykit_read_lib(fprintd_t)
+	policykit_domtrans_auth(fprintd_t)
+')
+
+optional_policy(`
+	udev_read_db(fprintd_t)
+')
+
+optional_policy(`
+	xserver_read_state_xdm(fprintd_t)
 ')
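Review bot: The empty line inserted at the top of this hunk leaves two consecutive blank lines before the policykit optional_policy block, which the rest of the file does not do; drop it. The new `udev_read_db(fprintd_t)` and `xserver_read_state_xdm(fprintd_t)` blocks are fine, but a short comment on why fprintd reads xdm state would help the next reader, since nothing in the diff shows what that access is for.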
diff --git a/freeipmi.fc b/freeipmi.fc
new file mode 100644
index 0000000..0942a2e
--- /dev/null
+++ b/freeipmi.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/bmc-watchdog.*		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
+/usr/lib/systemd/system/ipmidetectd.*		--	gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
+/usr/lib/systemd/system/ipmiseld.*        --  gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
+
+/usr/sbin/bmc-watchdog		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
+/usr/sbin/ipmidetectd			--	gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
+/usr/sbin/ipmiseld		--	gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
+
+/var/cache/ipmiseld(/.*)?       			gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+/var/cache/ipmimonitoringsdrcache(/.*)?		gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+
+/var/lib/freeipmi(/.*)?     gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
+
+
+/var/run/ipmidetectd\.pid	--	gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
+/var/run/ipmiseld\.pid	--	gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
+/var/run/bmc-watchdog\.pid	--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
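Review bot: The column alignment in this new file mixes tabs and spaces (the ipmiseld unit line, the `/var/cache/ipmiseld(/.*)?` line and the `/var/lib/freeipmi(/.*)?` line use spaces) and there are two blank lines before the /var/run entries, while the other .fc files in this series align with tabs only and separate groups with a single blank line. Re-indent those three lines with tabs and drop the extra blank line so the file matches the others.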
diff --git a/freeipmi.if b/freeipmi.if
new file mode 100644
index 0000000..9715f27
--- /dev/null
+++ b/freeipmi.if
@@ -0,0 +1,73 @@
+## <summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
+
+#####################################
+## <summary>
+##  Creates types and rules for a basic
+##  freeipmi init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`freeipmi_domain_template',`
+    gen_require(`
+        attribute freeipmi_domain, freeipmi_pid;
+    ')
+
+    #############################
+    #
+    # Declarations
+    #
+
+    type freeipmi_$1_t, freeipmi_domain;
+    type freeipmi_$1_exec_t;
+    init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
+    role system_r types freeipmi_$1_t;
+
+	type freeipmi_$1_unit_file_t;
+	systemd_unit_file(freeipmi_$1_unit_file_t)
+
+	type freeipmi_$1_var_run_t, freeipmi_pid;
+	files_pid_file(freeipmi_$1_var_run_t)
+
+    #############################
+    #
+    # Local policy
+    #
+
+	manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
+
+	kernel_read_system_state(freeipmi_$1_t)
+
+	corenet_all_recvfrom_netlabel(freeipmi_$1_t)
+	corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
+
+    dev_read_raw_memory(freeipmi_$1_t)
+
+    auth_use_nsswitch(freeipmi_$1_t)
+
+    logging_send_syslog_msg(freeipmi_$1_t)
+')
+
+####################################
+## <summary>
+##	Connect to cluster domains over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`freeipmi_stream_connect',`
+	gen_require(`
+		attribute freeipmi_domain, freeipmi_pid;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
+')
+
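Review bot: `dev_read_raw_memory(freeipmi_$1_t)` sits in the shared template, so every domain stamped from it — including ipmidetectd, which freeipmi.te turns into a TCP listener — gets read access to the raw memory device type; that is one of the most sensitive permissions in the policy and looks like it is needed only by whichever daemon probes the BMC through memory-mapped interfaces. If only some of the three daemons need it, move the call into that daemon's local-policy section in freeipmi.te with a comment saying what it is for. Separately, the freeipmi_stream_connect summary, `Connect to cluster domains over a unix domain stream socket.`, was copied from another module and should read `Connect to freeipmi domains over a unix domain stream socket.`, and the template body alternates between four-space and tab indentation while the interface below it and the other .if files in this diff use tabs.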
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
index 0000000..0710d79
--- /dev/null
+++ b/freeipmi.te
@@ -0,0 +1,75 @@
+policy_module(freeipmi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute freeipmi_domain;
+attribute freeipmi_pid;
+
+freeipmi_domain_template(ipmidetectd)
+freeipmi_domain_template(ipmiseld)
+freeipmi_domain_template(bmc_watchdog)
+
+type freeipmi_var_lib_t;
+files_type(freeipmi_var_lib_t)
+
+type freeipmi_var_cache_t;
+files_type(freeipmi_var_cache_t)
+
+########################################
+#
+# freeipmi_domain local policy
+#
+
+allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
+allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
+allow freeipmi_domain self:sem create_sem_perms;
+allow freeipmi_domain self:tcp_socket { listen create_stream_socket_perms };
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
+
+dev_read_rand(freeipmi_domain)
+dev_read_urand(freeipmi_domain)
+dev_rw_ipmi_dev(freeipmi_domain)
+
+sysnet_dns_name_resolve(freeipmi_domain)
+
+#######################################
+#
+# bmc-watchdog local policy
+#
+
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
+
+allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
+
+#######################################
+#
+# ipmidetectd local policy
+#
+
+files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
+
+corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
+
+#######################################
+#
+# ipmiseld local policy
+#
+
+allow freeipmi_ipmiseld_t self:capability sys_rawio;
+
+allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
+
+files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
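Review bot: `allow freeipmi_domain self:tcp_socket { listen create_stream_socket_perms };` names `listen` redundantly, since create_stream_socket_perms already includes listen and accept; write `allow freeipmi_domain self:tcp_socket create_stream_socket_perms;`. Only ipmidetectd binds a port (corenet_tcp_bind_freeipmi_port in its local section), so the tcp_socket rule arguably belongs in that section rather than on the attribute shared by bmc-watchdog and ipmiseld. The two blank lines after the bmc-watchdog files_pid_filetrans line should be one, and the reciprocal rw_sem_perms rules between bmc_watchdog and ipmiseld deserve a comment naming the shared semaphore they coordinate on.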
diff --git a/freqset.fc b/freqset.fc
new file mode 100644
index 0000000..3cd9c38
--- /dev/null
+++ b/freqset.fc
@@ -0,0 +1 @@
+/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset		--	gen_context(system_u:object_r:freqset_exec_t,s0)
diff --git a/freqset.if b/freqset.if
new file mode 100644
index 0000000..190ccc0
--- /dev/null
+++ b/freqset.if
@@ -0,0 +1,76 @@
+
+## <summary>policy for freqset</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the freqset domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`freqset_domtrans',`
+	gen_require(`
+		type freqset_t, freqset_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, freqset_exec_t, freqset_t)
+')
+
+########################################
+## <summary>
+##	Execute freqset in the freqset domain, and
+##	allow the specified role the freqset domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the freqset domain.
+##	</summary>
+## </param>
+#
+interface(`freqset_run',`
+	gen_require(`
+		type freqset_t;
+		attribute_role freqset_roles;
+	')
+
+	freqset_domtrans($1)
+	roleattribute $2 freqset_roles;
+')
+
+########################################
+## <summary>
+##	Role access for freqset
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`freqset_role',`
+	gen_require(`
+		type freqset_t;
+		attribute_role freqset_roles;
+	')
+
+	roleattribute $1 freqset_roles;
+
+	freqset_domtrans($2)
+
+	ps_process_pattern($2, freqset_t)
+	allow $2 freqset_t:process { signull signal sigkill };
+')
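Review bot: The freqset_domtrans summary still carries the generator placeholder and a typo, `Execute TEMPLATE in the freqset domin.`; replace it with `Execute freqset in the freqset domain.`. The `<summary>` lines inside that interface's param block are also not tab-indented, unlike the same block in freqset_run and freqset_role just below.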
diff --git a/freqset.te b/freqset.te
new file mode 100644
index 0000000..0d09fbd
--- /dev/null
+++ b/freqset.te
@@ -0,0 +1,34 @@
+policy_module(freqset, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role freqset_roles;
+roleattribute system_r freqset_roles;
+
+type freqset_t;
+type freqset_exec_t;
+application_domain(freqset_t, freqset_exec_t)
+
+role freqset_roles types freqset_t;
+
+########################################
+#
+# freqset local policy
+#
+allow freqset_t self:capability { setuid };
+
+allow freqset_t self:fifo_file manage_fifo_file_perms;
+allow freqset_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_rw_sysfs(freqset_t)
+
+domain_use_interactive_fds(freqset_t)
+
+files_read_etc_files(freqset_t)
+
+miscfiles_read_localization(freqset_t)
+
+userdom_use_inherited_user_terminals(freqset_t)
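Review bot: `allow freqset_t self:capability { setuid };` wraps a single permission in braces, whereas the convention in the surrounding files is the bare name: `allow freqset_t self:capability setuid;`. That rule and `dev_rw_sysfs(freqset_t)` together let a small helper (presumably installed setuid, given the capability) write to all of sysfs, not only the cpufreq attributes its path suggests; if no narrower sysfs interface exists in this tree, a comment such as `# freqset adjusts cpufreq attributes under /sys` above dev_rw_sysfs would at least record the intended scope.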
diff --git a/ftp.fc b/ftp.fc
index ddb75c1..44f74e6 100644
--- a/ftp.fc
+++ b/ftp.fc
@@ -1,5 +1,8 @@
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
 
+/usr/lib/systemd/system/vsftpd.* 	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/proftpd.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
 /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
 /etc/rc\.d/init\.d/vsftpd	--	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
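Review bot: Both new unit-file entries label vsftpd.* and proftpd.* as `iptables_unit_file_t`, which looks copied from iptables.fc; ftp.te in this same series declares `ftpd_unit_file_t` and ftp_systemctl/ftp_admin operate on that type, so with this labelling ftp_systemctl cannot reach the FTP units while any domain granted iptables_systemctl would presumably gain control of them. Change both lines to `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`. The two entries would also sit more naturally with the other /usr entries than between the /etc ones.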
diff --git a/ftp.if b/ftp.if
index d062080..97fb494 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,66 @@
 ## <summary>File transfer protocol service.</summary>
 
+######################################
+## <summary>
+##      Execute a domain transition to run ftpd.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_domtrans',`
+        gen_require(`
+                type ftpd_t, ftpd_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1,ftpd_exec_t, ftpd_t)
+
+')
+
+#######################################
+## <summary>
+##  Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The type of the process performing this action.
+##  </summary>
+## </param>
+#
+interface(`ftp_initrc_domtrans',`
+    gen_require(`
+        type ftpd_initrc_exec_t;
+    ')
+
+    init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ftp_systemctl',`
+	gen_require(`
+		type ftpd_unit_file_t;
+		type ftpd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 ftpd_unit_file_t:file read_file_perms;
+	allow $1 ftpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ftpd_t)
+')
+
 #######################################
 ## <summary>
 ##	Execute a dyntransition to run anon sftpd.
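Review bot: The ftp_systemctl summary, `Execute ftpd server in the ftpd domain.`, is copied from ftp_initrc_domtrans and does not describe what the interface grants (running systemctl, reading and managing the ftpd unit file, and reading ftpd_t process state); `Execute systemctl to manage the ftpd service and read ftpd process state.` would. ftp_domtrans is indented with eight spaces, ftp_initrc_domtrans with four and ftp_systemctl with tabs, and the domtrans_pattern call is missing a space after its first comma: `domtrans_pattern($1, ftpd_exec_t, ftpd_t)`; the stray blank line before that interface's closing `')` can go as well.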
@@ -178,8 +239,11 @@ interface(`ftp_admin',`
 		type ftpd_initrc_exec_t, ftpdctl_tmp_t;
 	')
 
-	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+	allow $1 ftpd_t:process signal_perms;
 	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
 	domain_system_change_exemption($1)
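Review bot: The replaced line granted signal_perms to ftpdctl_t, sftpd_t and anon_sftpd (the missing `_t` on the old line was itself a bug), but the new `allow $1 ftpd_t:process signal_perms;` keeps it only for ftpd_t, so an admin role can no longer signal the sftpd, anon sftpd or ftpdctl processes it is allowed to inspect via ps_process_pattern on the next line. Unless that narrowing is intended, write `allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process signal_perms;`. Gating ptrace behind the deny_ptrace tunable is a sensible separation of the two.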
@@ -203,5 +267,9 @@ interface(`ftp_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, xferlog_t)
 
+	ftp_systemctl($1)
+	admin_pattern($1, ftpd_unit_file_t)
+	allow $1 ftpd_unit_file_t:service all_service_perms;
+
 	ftp_run_ftpdctl($1, $2)
 ')
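Review bot: `admin_pattern($1, ftpd_unit_file_t)` and the all_service_perms rule name ftpd_unit_file_t directly inside ftp_admin, but the gen_require shown in this interface's earlier hunk still ends with `type ftpd_initrc_exec_t, ftpdctl_tmp_t;` and is not extended; by refpolicy convention every type an interface uses must be in its own gen_require, so add `type ftpd_unit_file_t;` there (the start of that require block lies outside the diff). The all_service_perms rule also subsumes the manage_service_perms that ftp_systemctl grants on the line above, which is harmless but worth either a comment or dropping the narrower call.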
diff --git a/ftp.te b/ftp.te
index e50f33c..de8e914 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
 ##	be labeled public_content_rw_t.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_anon_write, false)
+gen_tunable(ftpd_anon_write, false)
 
 ## <desc>
 ##	<p>
@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false)
 ##	all files on the system, governed by DAC.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_full_access, false)
+gen_tunable(ftpd_full_access, false)
 
 ## <desc>
 ##	<p>
@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
 ##	used for public file transfer services.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow ftpd to use ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(ftpd_use_fusefs, false)
 
 ## <desc>
 ##	<p>
@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
 ##	used for public file transfer services.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_use_nfs, false)
+gen_tunable(ftpd_use_nfs, false)
 
 ## <desc>
 ##	<p>
@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
 type ftpd_initrc_exec_t;
 init_script_file(ftpd_initrc_exec_t)
 
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
 type ftpd_lock_t;
 files_lock_file(ftpd_lock_t)
 
@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
 allow ftpd_t ftpd_lock_t:file manage_file_perms;
 files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
 
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+
 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -193,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
 
 allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 
-allow ftpd_t xferlog_t:dir setattr_dir_perms;
-append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-logging_log_filetrans(ftpd_t, xferlog_t, file)
+manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+logging_log_filetrans(ftpd_t, xferlog_t, { dir file })
 
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
-kernel_search_network_state(ftpd_t)
+kernel_read_network_state(ftpd_t)
 
 dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
 
 corecmd_exec_bin(ftpd_t)
 
-corenet_all_recvfrom_unlabeled(ftpd_t)
 corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_generic_if(ftpd_t)
 corenet_udp_sendrecv_generic_if(ftpd_t)
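Review bot: Replacing the append/create/setattr rules with manage_files_pattern on xferlog_t lets ftpd_t truncate, overwrite and unlink its own transfer log, which the previous append-only shape deliberately prevented; a compromised FTP process could then erase the record of what it transferred. If the daemon only needs to create and append to the log and create its directory, keep the append_files_pattern/create_files_pattern/setattr_files_pattern trio and add only `manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)` plus the `{ dir file }` filetrans; if proftpd genuinely rewrites its logs in place, a comment above the block saying so would justify the widening. The move from kernel_search_network_state to kernel_read_network_state is a smaller widening that could use a similar note.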
@@ -224,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
 corenet_sendrecv_ftp_data_server_packets(ftpd_t)
 corenet_tcp_bind_ftp_data_port(ftpd_t)
 
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
+
 domain_use_interactive_fds(ftpd_t)
 
-files_read_etc_files(ftpd_t)
 files_read_etc_runtime_files(ftpd_t)
 files_search_var_lib(ftpd_t)
 
@@ -245,7 +258,6 @@ logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
 logging_set_loginuid(ftpd_t)
 
-miscfiles_read_localization(ftpd_t)
 miscfiles_read_public_files(ftpd_t)
 
 seutil_dontaudit_search_config(ftpd_t)
@@ -254,32 +266,50 @@ sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 userdom_dontaudit_search_user_home_dirs(ftpd_t)
+userdom_filetrans_home_content(ftpd_t)
 
-tunable_policy(`allow_ftpd_anon_write',`
+tunable_policy(`ftpd_anon_write',`
 	miscfiles_manage_public_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_cifs',`
+tunable_policy(`ftpd_use_cifs',`
 	fs_read_cifs_files(ftpd_t)
 	fs_read_cifs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
 	fs_manage_cifs_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_nfs',`
+tunable_policy(`ftpd_use_fusefs',`
+        fs_manage_fusefs_dirs(ftpd_t)
+        fs_manage_fusefs_files(ftpd_t)
+        fs_manage_fusefs_symlinks(ftpd_t)
+',`
+        fs_search_fusefs(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_nfs',`
 	fs_read_nfs_files(ftpd_t)
 	fs_read_nfs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
 	fs_manage_nfs_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_full_access',`
+tunable_policy(`ftpd_full_access',`
 	allow ftpd_t self:capability { dac_override dac_read_search };
-	files_manage_non_auth_files(ftpd_t)
+	files_manage_non_security_dirs(ftpd_t)
+	files_manage_non_security_files(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_passive_mode',`
+	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_connect_all_unreserved',`
+	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
 ')
 
 tunable_policy(`ftpd_use_passive_mode',`
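Review bot: The `tunable_policy(`ftpd_use_passive_mode',`` block added near the end of this hunk is immediately followed by an existing block for the same tunable (the final context line opens another ftpd_use_passive_mode block whose body lies outside the hunk), so the passive-mode rules are now declared twice; drop the added copy and keep only the new `ftpd_connect_all_unreserved` block. That block refers to a tunable that none of the gen_tunable hunks shown for this file declares, so confirm it is declared somewhere or the module will not build. The new ftpd_use_fusefs block is indented with eight spaces while its neighbours use a tab, and its `<desc>` text earlier in the file is likewise not tab-indented.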
@@ -299,22 +329,19 @@ tunable_policy(`ftpd_connect_db',`
 	corenet_sendrecv_mssql_client_packets(ftpd_t)
 	corenet_tcp_connect_mssql_port(ftpd_t)
 	corenet_tcp_sendrecv_mssql_port(ftpd_t)
-	corenet_sendrecv_oracledb_client_packets(ftpd_t)
-	corenet_tcp_connect_oracledb_port(ftpd_t)
-	corenet_tcp_sendrecv_oracledb_port(ftpd_t)
+	corenet_sendrecv_oracle_client_packets(ftpd_t)
+	corenet_tcp_connect_oracle_port(ftpd_t)
+	corenet_tcp_sendrecv_oracle_port(ftpd_t)
 ')
 
 tunable_policy(`ftp_home_dir',`
 	allow ftpd_t self:capability { dac_override dac_read_search };
 
-	userdom_manage_user_home_content_dirs(ftpd_t)
-	userdom_manage_user_home_content_files(ftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
+    userdom_manage_all_user_home_type_dirs(ftpd_t)
+    userdom_manage_all_user_home_type_files(ftpd_t)
 	userdom_manage_user_tmp_dirs(ftpd_t)
 	userdom_manage_user_tmp_files(ftpd_t)
-	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
 ',`
-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
 	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
 ')
 
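Review bot: Under ftp_home_dir the home-content rules become userdom_manage_all_user_home_type_dirs/files, which covers every type carrying the user home attribute rather than the user_home_t content the replaced userdom_manage_user_home_content_* pair covered, and nothing explains the extra reach; if ftpd really must write into all home-content types under this boolean, say so in a comment above the two lines, otherwise keep the narrower pair. The two new lines are indented with four spaces while the rest of the block uses tabs. The true branch also lost its userdom_tmp_filetrans_user_tmp call while the else branch kept it, which looks asymmetric and is worth confirming.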
@@ -360,7 +387,7 @@ optional_policy(`
 	selinux_validate_context(ftpd_t)
 
 	kerberos_keytab_template(ftpd, ftpd_t)
-	kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+    kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
 ')
 
 optional_policy(`
@@ -410,21 +437,20 @@ optional_policy(`
 #
 
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
 
 allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 
-files_read_etc_files(ftpdctl_t)
 files_search_pids(ftpdctl_t)
 
-userdom_use_user_terminals(ftpdctl_t)
+userdom_use_inherited_user_terminals(ftpdctl_t)
 
 ########################################
 #
 # Anon sftpd local policy
 #
 
-files_read_etc_files(anon_sftpd_t)
 
 miscfiles_read_public_files(anon_sftpd_t)
 
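Review bot: `files_search_pids(ftpdctl_t)` is added right after the stream_connect_pattern line, but the same call already appears a few lines below in this hunk (the context line following the removed files_read_etc_files), so it is now duplicated; drop one of them. Removing files_read_etc_files from ftpdctl_t and anon_sftpd_t is presumably because etc reads are granted to all domains elsewhere in this tree, but nothing in the diff shows where, so a line in the commit message would help.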
@@ -437,23 +463,34 @@ tunable_policy(`sftpd_anon_write',`
 # Sftpd local policy
 #
 
-files_read_etc_files(sftpd_t)
 
 userdom_read_user_home_content_files(sftpd_t)
 userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',`
+	allow sftpd_t self:capability { dac_override dac_read_search };
+	fs_read_noxattr_fs_files(sftpd_t)
+	files_manage_non_security_dirs(sftpd_t)
+	files_manage_non_security_files(sftpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`sftpd_write_ssh_home',`
+		ssh_manage_home_files(sftpd_t)
+	')
+')
+
+userdom_filetrans_home_content(sftpd_t)
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
 
 tunable_policy(`sftpd_enable_homedirs',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 
 	userdom_manage_user_home_content_dirs(sftpd_t)
 	userdom_manage_user_home_content_files(sftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
 	userdom_manage_user_tmp_dirs(sftpd_t)
 	userdom_manage_user_tmp_files(sftpd_t)
-	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-',`
-	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
-	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
 ')
 
 tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
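Review bot: The sftpd_full_access and sftpd_write_ssh_home blocks added in the middle of this hunk duplicate the existing blocks that the next hunk still shows (the sftpd_full_access block at its top and the sftpd_write_ssh_home block near its end); the added sftpd_full_access copy is also a superset, carrying files_manage_non_security_dirs that the surviving one lacks. Keep a single sftpd_full_access block with both the dirs and files interfaces and a single sftpd_write_ssh_home block, and drop the other pair. The optional_policy wrapper around the sftpd_write_ssh_home tunable is only appropriate if ssh_manage_home_files comes from an optional module in this tree; if it does not, the existing unwrapped form is the one to keep.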
@@ -475,21 +512,11 @@ tunable_policy(`sftpd_anon_write',`
 tunable_policy(`sftpd_full_access',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 	fs_read_noxattr_fs_files(sftpd_t)
-	files_manage_non_auth_files(sftpd_t)
+	files_manage_non_security_files(sftpd_t)
 ')
 
+userdom_home_reader(sftpd_t)
+
 tunable_policy(`sftpd_write_ssh_home',`
 	ssh_manage_home_files(sftpd_t)
 ')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_list_cifs(sftpd_t)
-	fs_read_cifs_files(sftpd_t)
-	fs_read_cifs_symlinks(sftpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_list_nfs(sftpd_t)
-	fs_read_nfs_files(sftpd_t)
-	fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/games.te b/games.te
index 572fb12..879c59a 100644
--- a/games.te
+++ b/games.te
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
 
 logging_send_syslog_msg(games_srv_t)
 
-miscfiles_read_localization(games_srv_t)
-
 userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
 
 userdom_dontaudit_search_user_home_dirs(games_srv_t)
@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
 
-corenet_all_recvfrom_unlabeled(games_t)
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
 corenet_tcp_sendrecv_generic_node(games_t)
@@ -142,8 +139,6 @@ dev_write_sound(games_t)
 files_list_var(games_t)
 files_search_var_lib(games_t)
 files_dontaudit_search_var(games_t)
-files_read_etc_files(games_t)
-files_read_usr_files(games_t)
 files_read_var_files(games_t)
 
 init_dontaudit_rw_utmp(games_t)
@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t)
 logging_dontaudit_search_logs(games_t)
 
 miscfiles_read_man_pages(games_t)
-miscfiles_read_localization(games_t)
 
 sysnet_dns_name_resolve(games_t)
 
@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
 userdom_dontaudit_read_user_home_content_files(games_t)
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`', `
 	allow games_t self:process execmem;
 ')
 
diff --git a/gatekeeper.te b/gatekeeper.te
index fc3b036..10a1bbe 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
 
 corecmd_list_bin(gatekeeper_t)
 
-corenet_all_recvfrom_unlabeled(gatekeeper_t)
 corenet_all_recvfrom_netlabel(gatekeeper_t)
 corenet_tcp_sendrecv_generic_if(gatekeeper_t)
 corenet_udp_sendrecv_generic_if(gatekeeper_t)
@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t)
 
 domain_use_interactive_fds(gatekeeper_t)
 
-files_read_etc_files(gatekeeper_t)
-
 fs_getattr_all_fs(gatekeeper_t)
 fs_search_auto_mountpoints(gatekeeper_t)
 
 logging_send_syslog_msg(gatekeeper_t)
 
-miscfiles_read_localization(gatekeeper_t)
-
 sysnet_read_config(gatekeeper_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
diff --git a/gear.fc b/gear.fc
new file mode 100644
index 0000000..98c012c
--- /dev/null
+++ b/gear.fc
@@ -0,0 +1,7 @@
+/usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)
+
+/usr/lib/systemd/system/gear.service	--	gen_context(system_u:object_r:gear_unit_file_t,s0)
+
+/var/lib/containers(/.*)?			gen_context(system_u:object_r:gear_var_lib_t,s0)
+/var/lib/containers/units(/.*)?			gen_context(system_u:object_r:gear_unit_file_t,s0)
+/var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
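Review bot: `/var/lib/containers/units(/.*)?` is labelled gear_unit_file_t, a systemd unit-file type, inside a tree that is otherwise gear_var_lib_t and is presumably written by the container engine; any domain allowed to manage gear_unit_file_t therefore controls unit definitions systemd will load, and the split between the two labels deserves a comment here or in gear.te stating that gear generates units in that directory. The gen_context column is aligned with differing numbers of tabs on each line; align it as the other .fc files in this series do.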
diff --git a/gear.if b/gear.if
new file mode 100644
index 0000000..04e159f
--- /dev/null
+++ b/gear.if
@@ -0,0 +1,288 @@
+
+## <summary>The open-source application container engine.</summary>
+
+########################################
+## <summary>
+##	Execute gear in the gear domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gear_domtrans',`
+	gen_require(`
+		type gear_t, gear_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, gear_exec_t, gear_t)
+')
+
+########################################
+## <summary>
+##	Search gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_search_lib',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	allow $1 gear_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Execute gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_exec_lib',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	allow $1 gear_var_lib_t:dir search_dir_perms;
+	can_exec($1, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read gear lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_read_lib_files',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gear lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_manage_lib_files',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+	manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_manage_lib_dirs',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create objects in a gear var lib directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`gear_lib_filetrans',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Read gear PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_read_pid_files',`
+	gen_require(`
+		type gear_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, gear_var_run_t, gear_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute gear server in the gear domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`gear_systemctl',`
+	gen_require(`
+		type gear_t;
+		type gear_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 gear_unit_file_t:file read_file_perms;
+	allow $1 gear_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, gear_t)
+')
+
+########################################
+## <summary>
+##	Read and write gear shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_rw_sem',`
+	gen_require(`
+		type gear_t;
+	')
+
+	allow $1 gear_t:sem rw_sem_perms;
+')
+
+#######################################
+## <summary>
+##  Read and write the gear pty type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gear_use_ptys',`
+    gen_require(`
+        type gear_devpts_t;
+    ')
+
+    allow $1 gear_devpts_t:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow domain to create gear content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gear_filetrans_named_content',`
+    gen_require(`
+            type gear_var_lib_t;
+	    type gear_var_run_t;
+    ')
+
+    files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
+    files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an gear environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_admin',`
+	gen_require(`
+		type gear_t;
+		type gear_var_lib_t, gear_var_run_t;
+		type gear_unit_file_t;
+		type gear_lock_t;
+		type gear_log_t;
+	')
+
+	allow $1 gear_t:process { ptrace signal_perms };
+	ps_process_pattern($1, gear_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, gear_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, gear_var_run_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, gear_log_t)
+
+	gear_systemctl($1)
+	admin_pattern($1, gear_unit_file_t)
+	allow $1 gear_unit_file_t:service all_service_perms;
+')
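Review bot: `gear_use_ptys` requires `type gear_devpts_t;` and `gear_admin` requires `type gear_lock_t;`, but gear.te in this commit declares neither, so any module that calls these interfaces fails to build on an undeclared type; either declare them in gear.te (e.g. with `term_pty`/`files_lock_file` and matching rules) or drop the unused requires. `gear_admin` also grants `ptrace` unconditionally, while git.if, glance.if and glusterd.if in this same commit gate it behind a deny_ptrace tunable_policy block, and the same gate belongs here. The summaries of `gear_systemctl` and `gear_rw_sem` describe the wrong access: the first grants systemctl and unit-file permissions rather than a domain transition, and the second grants `sem` permissions rather than shared memory, so `##	Execute systemctl to manage the gear service.` and `##	Read and write gear semaphores.` would be accurate. Indentation is mixed between tabs and spaces (the `systemd_read_fifo_file_passwd_run` line and the last four interfaces), which should be normalised to tabs like the rest of the file.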
diff --git a/gear.te b/gear.te
new file mode 100644
index 0000000..781c76d
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,122 @@
+policy_module(gear, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gear_t;
+type gear_exec_t;
+init_daemon_domain(gear_t, gear_exec_t)
+
+type gear_var_lib_t;
+files_type(gear_var_lib_t)
+
+type gear_log_t;
+logging_log_file(gear_log_t)
+
+type gear_var_run_t;
+files_pid_file(gear_var_run_t)
+
+type gear_unit_file_t;
+systemd_unit_file(gear_unit_file_t)
+
+########################################
+#
+# gear local policy
+#
+allow gear_t self:capability { chown net_admin fowner dac_override };
+allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
+allow gear_t self:fifo_file rw_fifo_file_perms;
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
+allow gear_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
+manage_files_pattern(gear_t, gear_log_t, gear_log_t)
+manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
+logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
+
+gear_filetrans_named_content(gear_t)
+
+manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(gear_t)
+kernel_read_network_state(gear_t)
+kernel_read_all_sysctls(gear_t)
+kernel_rw_net_sysctls(gear_t)
+
+domain_use_interactive_fds(gear_t)
+domain_read_all_domains_state(gear_t)
+
+corecmd_exec_bin(gear_t)
+corecmd_exec_shell(gear_t)
+
+corenet_tcp_bind_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_if(gear_t)
+corenet_tcp_sendrecv_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_port(gear_t)
+corenet_tcp_bind_gear_port(gear_t)
+
+dev_mounton_sysfs(gear_t)
+dev_mount_sysfs_fs(gear_t)
+dev_unmount_sysfs_fs(gear_t)
+
+files_mounton_rootfs(gear_t)
+files_read_etc_files(gear_t)
+
+fs_read_cgroup_files(gear_t)
+fs_read_tmpfs_symlinks(gear_t)
+
+auth_use_nsswitch(gear_t)
+
+init_read_state(gear_t)
+init_dbus_chat(gear_t)
+init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
+
+logging_send_audit_msgs(gear_t)
+logging_send_syslog_msg(gear_t)
+
+miscfiles_read_localization(gear_t)
+
+mount_domtrans(gear_t)
+
+seutil_read_default_contexts(gear_t)
+
+sysnet_dns_name_resolve(gear_t)
+
+sysnet_exec_ifconfig(gear_t)
+sysnet_manage_ifconfig_run(gear_t)
+
+systemd_manage_all_unit_files(gear_t)
+
+optional_policy(`
+	hostname_exec(gear_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(gear_t)
+')
+
+optional_policy(`
+	docker_stream_connect(gear_t)
+')
+
+optional_policy(`
+	openshift_manage_lib_dirs(gear_t)
+	openshift_manage_lib_files(gear_t)
+	openshift_relabelfrom_lib(gear_t)
+')
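Review bot: `systemd_manage_all_unit_files(gear_t)` lets the daemon rewrite any systemd unit on the host, which combined with `init_enable_services(gear_t)` effectively lets it decide what init runs; the module already declares `gear_unit_file_t` and gear.fc labels `/var/lib/containers/units` with it, so the grant can be scoped to that type with `manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)`, `manage_files_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)` and `filetrans_pattern(gear_t, gear_var_lib_t, gear_unit_file_t, dir, "units")`, the last so a units directory created by gear_t itself gets that label instead of inheriting gear_var_lib_t. `corenet_tcp_bind_gear_port(gear_t)` presumes a gear port type in corenetwork that this diff does not add; confirm it exists or the module will not build. `manage_chr_files_pattern` and `manage_blk_files_pattern` on gear_var_lib_t look unreachable for creation without a `mknod` capability, which the self:capability rule does not include, so either add it or drop those two rules.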
diff --git a/gift.te b/gift.te
index 395238e..af76abb 100644
--- a/gift.te
+++ b/gift.te
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
 
 userdom_dontaudit_read_user_home_content_files(gift_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gift_t)
-	fs_manage_nfs_files(gift_t)
-	fs_manage_nfs_symlinks(gift_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gift_t)
-	fs_manage_cifs_files(gift_t)
-	fs_manage_cifs_symlinks(gift_t)
-')
+userdom_home_manager(gift_t)
 
 optional_policy(`
 	xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t)
 corenet_tcp_connect_all_ports(giftd_t)
 
 files_read_etc_runtime_files(giftd_t)
-files_read_usr_files(giftd_t)
-
-miscfiles_read_localization(giftd_t)
 
 sysnet_dns_name_resolve(giftd_t)
 
-userdom_use_user_terminals(giftd_t)
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(giftd_t)
-	fs_manage_nfs_files(giftd_t)
-	fs_manage_nfs_symlinks(giftd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(giftd_t)
-	fs_manage_cifs_files(giftd_t)
-	fs_manage_cifs_symlinks(giftd_t)
-')
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
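Review bot: `userdom_home_manager(gitd_t)` on the last added line names a type that does not exist in this module; every surrounding rule is for `giftd_t`, so this is a typo that fails the build, and it also means the home-directory access the removed `use_nfs_home_dirs`/`use_samba_home_dirs` blocks gave giftd_t is not replaced. It should read `userdom_home_manager(giftd_t)`, matching the replacement made for gift_t in the previous hunk.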
diff --git a/git.if b/git.if
index 1e29af1..6c64f55 100644
--- a/git.if
+++ b/git.if
@@ -37,7 +37,10 @@ template(`git_role',`
 	allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 	userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
 
-	allow $2 git_session_t:process { ptrace signal_perms };
+	allow $2 git_session_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 git_session_t:process ptrace;
+	')
 	ps_process_pattern($2, git_session_t)
 
 	tunable_policy(`git_session_users',`
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
 
 	list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
 	read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+    read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
 
 	files_search_var_lib($1)
 
@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
 		fs_read_nfs_files($1)
 	')
 ')
+
+#######################################
+## <summary>
+##      Create Git user content with a
+##      named file transition.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`git_filetrans_user_content',`
+		gen_require(`
+			type git_user_content_t;
+		')
+		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
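Review bot: The new `git_filetrans_user_content` interface indents its body with two tabs where every other interface in git.if uses one, and the `read_lnk_files_pattern` line added in the previous hunk of this file is indented with four spaces. Both should use a single tab so the file stays consistent.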
diff --git a/git.te b/git.te
index 93b0301..6acc1f0 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether Git session daemons
-##	can send syslog messages.
-##	</p>
-## </desc>
-gen_tunable(git_session_send_syslog_msg, false)
-
-## <desc>
-##	<p>
 ##	Determine whether Git system daemon
 ##	can search home directories.
 ##	</p>
@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
 userdom_user_application_domain(git_session_t, gitd_exec_t)
 role git_session_roles types git_session_t;
 
-type git_sys_content_t;
+type git_sys_content_t alias git_system_content_t;
 files_type(git_sys_content_t)
 
-type git_user_content_t;
+type git_user_content_t alias git_session_content_t;
 userdom_user_home_content(git_user_content_t)
 
 ########################################
@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
 read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
 userdom_search_user_home_dirs(git_session_t)
 
+kernel_read_system_state(git_session_t)
+
 corenet_all_recvfrom_netlabel(git_session_t)
 corenet_all_recvfrom_unlabeled(git_session_t)
 corenet_tcp_bind_generic_node(git_session_t)
@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
 	corenet_tcp_sendrecv_all_ports(git_session_t)
 ')
 
-tunable_policy(`git_session_send_syslog_msg',`
-	logging_send_syslog_msg(git_session_t)
-')
+logging_send_syslog_msg(git_session_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_getattr_nfs(git_session_t)
@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',`
 list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
 read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
 
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
+corenet_tcp_bind_git_port(git_system_t)
+
 files_search_var_lib(git_system_t)
 
 auth_use_nsswitch(git_system_t)
@@ -165,6 +162,10 @@ logging_send_syslog_msg(git_system_t)
 
 tunable_policy(`git_system_enable_homedirs',`
 	userdom_search_user_home_dirs(git_system_t)
+	list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
+	list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
+	read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
 ')
 
 tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
@@ -248,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',`
 	fs_dontaudit_read_nfs_files(httpd_git_script_t)
 ')
 
+
+optional_policy(`
+    gitosis_read_lib_files(httpd_git_script_t)
+')
+
 ########################################
 #
 # Git global policy
@@ -255,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
 
 allow git_daemon self:fifo_file rw_fifo_file_perms;
 
-kernel_read_system_state(git_daemon)
+#kernel_read_system_state(git_daemon)
 
 corecmd_exec_bin(git_daemon)
 
-files_read_usr_files(git_daemon)
-
 fs_search_auto_mountpoints(git_daemon)
 
-miscfiles_read_localization(git_daemon)
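Review bot: `#kernel_read_system_state(git_daemon)` leaves commented-out policy in place instead of removing the line; earlier hunks in this file grant `kernel_read_system_state` to git_session_t and git_system_t individually, so the attribute-level rule is simply dead. Delete the line rather than commenting it out so the file does not accumulate stale rules.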
diff --git a/gitosis.te b/gitosis.te
index 3194b76..d3acb1a 100644
--- a/gitosis.te
+++ b/gitosis.te
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
 
 dev_read_urand(gitosis_t)
 
-files_read_etc_files(gitosis_t)
-files_read_usr_files(gitosis_t)
 files_search_var_lib(gitosis_t)
 
-miscfiles_read_localization(gitosis_t)
-
 sysnet_read_config(gitosis_t)
 
 tunable_policy(`gitosis_can_sendmail',`
diff --git a/glance.if b/glance.if
index 9eacb2c..229782f 100644
--- a/glance.if
+++ b/glance.if
@@ -1,5 +1,30 @@
 ## <summary>OpenStack image registry and delivery service.</summary>
 
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  glance daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`glance_basic_types_template',`
+    gen_require(`
+		attribute glance_domain;
+    ')
+
+	type $1_t, glance_domain;
+	type $1_exec_t;
+
+	kernel_read_system_state($1_t)
+
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_all_recvfrom_netlabel($1_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to
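Review bot: `glance_basic_types_template` creates `$1_t` and `$1_exec_t` but leaves `init_daemon_domain` to the caller (glance.te calls it right after each use), which the summary does not say; `##  Creates the domain and exec types for a glance daemon; the caller must still apply init_daemon_domain.` would make the contract clear. The `gen_require` block is indented with spaces while the body uses tabs.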
@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',`
 ##	run glance api.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`glance_domtrans_api',`
@@ -242,8 +267,13 @@ interface(`glance_admin',`
 		type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
 	')
 
-	allow $1 { glance_api_t glance_registry_t }:process signal_perms;
-	ps_process_pattern($1, { glance_api_t glance_registry_t })
+	allow $1 glance_registry_t:process signal_perms;
+	ps_process_pattern($1, glance_registry_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 glance_registry_t:process ptrace;
+		allow $1 glance_api_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
 	domain_system_change_exemption($1)
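Review bot: The rewritten `allow $1 glance_registry_t:process signal_perms;` and `ps_process_pattern($1, glance_registry_t)` drop glance_api_t, which the removed lines covered, so `glance_admin` can no longer signal or inspect the API daemon even though the new deny_ptrace block still names it. Unless the narrowing is intentional, restore both as `allow $1 { glance_api_t glance_registry_t }:process signal_perms;` and `ps_process_pattern($1, { glance_api_t glance_registry_t })`. glance_admin continues outside this hunk.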
diff --git a/glance.te b/glance.te
index e0a4f46..2d17fe6 100644
--- a/glance.te
+++ b/glance.te
@@ -5,10 +5,16 @@ policy_module(glance, 1.0.2)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow glance domain to manage fuse files
+## </p>
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
 attribute glance_domain;
 
-type glance_registry_t, glance_domain;
-type glance_registry_exec_t;
+glance_basic_types_template(glance_registry)
 init_daemon_domain(glance_registry_t, glance_registry_exec_t)
 
 type glance_registry_initrc_exec_t;
@@ -17,8 +23,10 @@ init_script_file(glance_registry_initrc_exec_t)
 type glance_registry_tmp_t;
 files_tmp_file(glance_registry_tmp_t)
 
-type glance_api_t, glance_domain;
-type glance_api_exec_t;
+type glance_registry_tmpfs_t;
+files_tmpfs_file(glance_registry_tmpfs_t)
+
+glance_basic_types_template(glance_api)
 init_daemon_domain(glance_api_t, glance_api_exec_t)
 
 type glance_api_initrc_exec_t;
@@ -41,6 +49,7 @@ files_pid_file(glance_var_run_t)
 # Common local policy
 #
 
+allow glance_domain self:process signal_perms;
 allow glance_domain self:fifo_file rw_fifo_file_perms;
 allow glance_domain self:unix_stream_socket create_stream_socket_perms;
 allow glance_domain self:tcp_socket { accept listen };
@@ -56,29 +65,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
 manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 
-kernel_read_system_state(glance_domain)
-
-corenet_all_recvfrom_unlabeled(glance_domain)
-corenet_all_recvfrom_netlabel(glance_domain)
 corenet_tcp_sendrecv_generic_if(glance_domain)
 corenet_tcp_sendrecv_generic_node(glance_domain)
 corenet_tcp_sendrecv_all_ports(glance_domain)
 corenet_tcp_bind_generic_node(glance_domain)
+corenet_tcp_connect_mysqld_port(glance_domain)
+corenet_tcp_connect_http_port(glance_domain)
 
 corecmd_exec_bin(glance_domain)
 corecmd_exec_shell(glance_domain)
 
 dev_read_urand(glance_domain)
+dev_read_sysfs(glance_domain)
 
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
+auth_read_passwd(glance_domain)
 
 libs_exec_ldconfig(glance_domain)
 
-miscfiles_read_localization(glance_domain)
-
 sysnet_dns_name_resolve(glance_domain)
 
+tunable_policy(`glance_use_fusefs',`
+	fs_manage_fusefs_dirs(glance_domain)
+	fs_manage_fusefs_files(glance_domain)
+	fs_read_fusefs_symlinks(glance_domain)
+	fs_getattr_fusefs(glance_domain)
+')
+
+
+
+optional_policy(`
+    mysql_read_db_lnk_files(glance_domain)
+')
+
 ########################################
 #
 # Registry local policy
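Review bot: Three consecutive blank lines separate the `glance_use_fusefs` block from the new `optional_policy`, and that `optional_policy` body is indented with four spaces where the rest of this file uses a tab. One blank line and a tab keep the file consistent; the `mysql_stream_connect` block added at the end of this file has the same space indentation.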
@@ -88,8 +106,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
 manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
 files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
 
+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
+
+corenet_tcp_bind_generic_node(glance_registry_t)
 corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
 corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
 
 logging_send_syslog_msg(glance_registry_t)
 
@@ -108,13 +132,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
 files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
 can_exec(glance_api_t, glance_tmp_t)
 
-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
-
-corenet_sendrecv_hplip_server_packets(glance_api_t)
-corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_bind_generic_node(glance_api_t)
 
+corenet_tcp_bind_glance_port(glance_api_t)
 corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+corenet_tcp_connect_amqp_port(glance_api_t)
 corenet_tcp_connect_glance_registry_port(glance_api_t)
+corenet_tcp_connect_mysqld_port(glance_api_t)
+corenet_tcp_connect_http_port(glance_api_t)
+
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+corenet_tcp_connect_commplex_main_port(glance_api_t)
+corenet_tcp_connect_http_cache_port(glance_api_t)
+
+corenet_sendrecv_hplip_server_packets(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
 
 fs_getattr_xattr_fs(glance_api_t)
+
+optional_policy(`
+    mysql_stream_connect(glance_api_t)
+')
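Review bot: `corenet_tcp_connect_mysqld_port(glance_api_t)` and `corenet_tcp_connect_http_port(glance_api_t)` duplicate the rules this commit adds for `glance_domain` earlier in the file, and glance_api_t carries that attribute, so both lines are redundant and can be dropped. `corenet_tcp_connect_all_ephemeral_ports(glance_api_t)` is a broad grant; if a specific backend port is what glance-api needs, a named port interface keeps the policy auditable. The hplip bind and packet rules are removed and re-added a few lines lower with no change, which only adds noise to the diff.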
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
index 0000000..9614520
--- /dev/null
+++ b/glusterd.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd\.pid	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
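Review bot: `/usr/sbin/glusterd` is labelled `glusterd_initrc_exec_t` while `/usr/sbin/glusterfsd` gets `glusterd_exec_t`, so the management daemon presumably starts in the init-script domain rather than the confined glusterd_t; if that is deliberate, a comment above the line such as `# glusterd only launches glusterfsd; the confined domain is glusterd_t` would stop the next reader from treating it as a mislabel. The file otherwise mirrors the deleted glusterfs.fc except that `/var/lib/glusterd(/.*)?` narrows the previous `/var/lib/gluster.*`, so anything under other `/var/lib/gluster*` paths falls back to the default /var/lib label after relabel.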
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 0000000..1ed97fe
--- /dev/null
+++ b/glusterd.if
@@ -0,0 +1,150 @@
+
+## <summary>policy for glusterd</summary>
+
+
+########################################
+## <summary>
+##	Transition to glusterd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glusterd_domtrans',`
+	gen_require(`
+		type glusterd_t, glusterd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute glusterd server in the glusterd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_initrc_domtrans',`
+	gen_require(`
+		type glusterd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+##	Read glusterd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_read_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to glusterd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_append_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage glusterd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_manage_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+	manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an glusterd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_admin',`
+	gen_require(`
+		type glusterd_t;
+		type glusterd_initrc_exec_t;
+		type glusterd_log_t;
+		type glusterd_tmp_t;
+		type glusterd_conf_t; 
+	')
+
+	allow $1 glusterd_t:process { signal_perms };
+	ps_process_pattern($1, glusterd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 glusterd_t:process ptrace;
+    ')
+
+	glusterd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 glusterd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_search_logs($1)
+	admin_pattern($1, glusterd_log_t)
+
+	admin_pattern($1, glusterd_tmp_t)
+
+	admin_pattern($1, glusterd_conf_t)
+
+')
+
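Review bot: `glusterd_admin` requires only the process, initrc, log, tmp and conf types, so an administrator gets no `admin_pattern` over `glusterd_var_lib_t` or `glusterd_var_run_t` even though glusterd.te declares both and the glusterfs_admin it replaces required glusterd_var_lib_t; the rewrite below adds them. The braces in `allow $1 glusterd_t:process { signal_perms };` are unnecessary for a single permission macro, the deny_ptrace block is space-indented while the rest is tab-indented, and there is trailing whitespace after `type glusterd_conf_t;`. The summary's "an glusterd environment" should read "a glusterd environment".
```m4
interface(`glusterd_admin',`
	gen_require(`
		type glusterd_t;
		type glusterd_initrc_exec_t;
		type glusterd_log_t;
		type glusterd_tmp_t;
		type glusterd_conf_t;
		type glusterd_var_lib_t, glusterd_var_run_t;
	')

	allow $1 glusterd_t:process signal_perms;
	# … unchanged: ps_process_pattern, deny_ptrace block, initrc domtrans, role transition …

	logging_search_logs($1)
	admin_pattern($1, glusterd_log_t)

	files_search_var_lib($1)
	admin_pattern($1, glusterd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, glusterd_var_run_t)

	admin_pattern($1, glusterd_tmp_t)
	admin_pattern($1, glusterd_conf_t)
')
```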
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 0000000..36ff903
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,200 @@
+policy_module(glusterfs, 1.0.1)
+
+## <desc>
+## <p>
+## Allow glusterfsd to modify public files used for public file
+## transfer services.  Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(gluster_anon_write, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read only.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read/write.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_rw, true)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t)
+
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin };
+
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+kernel_read_network_state(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_request_load_module(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+
+corenet_tcp_connect_gluster_port(glusterd_t)
+corenet_tcp_bind_gluster_port(glusterd_t)
+
+# replacement for rpc.mountd
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_mountd_port(glusterd_t)
+corenet_tcp_bind_mountd_port(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_ssh_port(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
+domain_read_all_domains_state(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
+fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
+files_mounton_non_security(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+fs_getattr_all_fs(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+libs_exec_ldconfig(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
+miscfiles_read_public_files(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
+userdom_filetrans_home_content(glusterd_t)
+
+mount_domtrans(glusterd_t)
+tunable_policy(`gluster_anon_write',`
+	miscfiles_manage_public_files(glusterd_t)
+') 
+
+tunable_policy(`gluster_export_all_ro',`
+	fs_read_noxattr_fs_files(glusterd_t) 
+	files_read_non_security_files(glusterd_t) 
+')
+
+tunable_policy(`gluster_export_all_rw',`
+	fs_manage_noxattr_fs_files(glusterd_t) 
+	files_manage_non_security_dirs(glusterd_t)
+	files_manage_non_security_files(glusterd_t)
+    files_relabel_base_file_types(glusterd_t)
+')
+
+optional_policy(`
+    rpc_domtrans_rpcd(glusterd_t)
+    rpc_kill_rpcd(glusterd_t)
+')
+
+optional_policy(`
+	rsync_exec(glusterd_t)
+')
+
+optional_policy(`
+	ssh_exec(glusterd_t)
+')
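Review bot: `gen_tunable(gluster_export_all_rw, true)` defaults on, and its block grants `files_manage_non_security_dirs`, `files_manage_non_security_files`, `fs_manage_noxattr_fs_files` and `files_relabel_base_file_types` to glusterd_t, so out of the box the daemon may read, write and relabel almost any file on the host; that is exactly the confinement a compromised brick process would otherwise be held to, so either default it to false like `gluster_export_all_ro` or state in the tunable's `<desc>` that the default effectively unconfines glusterd's file access. `policy_module(glusterfs, 1.0.1)` names the module glusterfs while the files are glusterd.*; the two are presumably expected to agree for semodule handling, so rename one. `fs_getattr_all_fs(glusterd_t)` appears twice, `glusterd_brick_t` is declared but nothing in glusterd.fc or glusterd.if assigns it (a comment saying bricks are labelled via local fcontext rules would help), and several lines in the tunable blocks carry trailing whitespace.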
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
index 4bd6ade..0000000
--- a/glusterfs.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-
-/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
-
-/usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/var/lib/gluster.*	gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-
-/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
-
-/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/var/run/glusterd\.pid	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterfs.if b/glusterfs.if
deleted file mode 100644
index 05233c8..0000000
--- a/glusterfs.if
+++ /dev/null
@@ -1,71 +0,0 @@
-## <summary>Cluster File System binary, daemon and command line.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterd_admin',`
-	refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
-	glusterfs_admin($1, $2)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterfs_admin',`
-	gen_require(`
-		type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
-		type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
-		type glusterd_var_run_t;
-	')
-
-	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 glusterd_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	allow $1 glusterd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, glusterd_t)
-
-	files_search_etc($1)
-	admin_pattern($1, glusterd_conf_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, glusterd_log_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, glusterd_tmp_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, glusterd_var_lib_t)
-
-	files_search_pids($1)
-	admin_pattern($1, glusterd_var_run_t)
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
index fd02acc..0000000
--- a/glusterfs.te
+++ /dev/null
@@ -1,102 +0,0 @@
-policy_module(glusterfs, 1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-type glusterd_t;
-type glusterd_exec_t;
-init_daemon_domain(glusterd_t, glusterd_exec_t)
-
-type glusterd_conf_t;
-files_type(glusterd_conf_t)
-
-type glusterd_initrc_exec_t;
-init_script_file(glusterd_initrc_exec_t)
-
-type glusterd_tmp_t;
-files_tmp_file(glusterd_tmp_t)
-
-type glusterd_log_t;
-logging_log_file(glusterd_log_t)
-
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t);
-
-########################################
-#
-# Local policy
-#
-
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
-allow glusterd_t self:process { setrlimit signal };
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
-
-can_exec(glusterd_t, glusterd_exec_t)
-
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
-corenet_all_recvfrom_unlabeled(glusterd_t)
-corenet_all_recvfrom_netlabel(glusterd_t)
-corenet_tcp_sendrecv_generic_if(glusterd_t)
-corenet_udp_sendrecv_generic_if(glusterd_t)
-corenet_tcp_sendrecv_generic_node(glusterd_t)
-corenet_udp_sendrecv_generic_node(glusterd_t)
-corenet_tcp_sendrecv_all_ports(glusterd_t)
-corenet_udp_sendrecv_all_ports(glusterd_t)
-corenet_tcp_bind_generic_node(glusterd_t)
-corenet_udp_bind_generic_node(glusterd_t)
-
-# Too coarse?
-corenet_sendrecv_all_server_packets(glusterd_t)
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
-corenet_udp_bind_all_rpc_ports(glusterd_t)
-corenet_udp_bind_ipp_port(glusterd_t)
-
-corenet_sendrecv_all_client_packets(glusterd_t)
-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
-
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
-
-auth_use_nsswitch(glusterd_t)
-
-logging_send_syslog_msg(glusterd_t)
-
-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
index e39de43..6a6db28 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,15 +1,61 @@
-HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gnome_keyring_home_t,s0)
-HOME_DIR/\.gnome2_private(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.cache/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)?  gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.nv/GLCache(/.*)?	gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-metadata-store		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/GLCache(/.*)?	gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 
-/etc/gconf(/.*)?	gen_context(system_u:object_r:gconf_etc_t,s0)
+/var/run/user/[^/]*/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
+/var/run/user/[^/]*/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+/var/run/user/[^/]*/keyring.*	gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
+
+/root/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
+/root/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.config(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
+/root/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
+/root/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+/root/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.cache/gstreamer-.*        gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.*			gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
+/root/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
+
+/etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
 
 /tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:gconf_tmp_t,s0)
 
+/usr/share/config(/.*)? 	gen_context(system_u:object_r:config_usr_t,s0)
+
 /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 --	gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
 
-/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
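Review bot: With both gconfd-2 entries removed and the replacement left commented out, gconfd_exec_t has no file context left in this file, so the `domain_auto_trans(..., gconfd_exec_t, gconfd_t)` in gnome.if's gnome_role and gnome_domtrans_gconfd can never fire and gconfd-2 keeps running in the calling user's domain instead of gconfd_t. If that is intended, the comment should say what "toolchain is broken" means and which bug tracks it, e.g. `# gconfd-2 deliberately left unlabelled: gconfd_t confinement disabled pending <TRACKER-ID placeholder>; it runs in the caller's domain`; otherwise restore `/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)`. Separately, `HOME_DIR/\.grl-bookmarks` is listed twice, and `HOME_DIR/\.local.*` (no `(/.*)?`) also matches any `~/.local*` sibling such as `.localized`, which is probably wider than intended for gconf_home_t.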
diff --git a/gnome.if b/gnome.if
index d03fd43..af9415c 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,157 @@
-## <summary>GNU network object model environment.</summary>
+## <summary>GNU network object model environment (GNOME)</summary>
 
-########################################
+###########################################################
 ## <summary>
-##	Role access for gnome.  (Deprecated)
+##  Role access for gnome
 ## </summary>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access
+##  </summary>
 ## </param>
 ## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
+##  <summary>
+##  User domain for the role
+##  </summary>
 ## </param>
 #
 interface(`gnome_role',`
-	refpolicywarn(`$0($*) has been deprecated')
+    gen_require(`
+        type gconfd_t, gconfd_exec_t;
+        type gconf_tmp_t;
+    ')
+
+    role $1 types gconfd_t;
+
+    domain_auto_trans($2, gconfd_exec_t, gconfd_t)
+    allow gconfd_t $2:fd use;
+    allow gconfd_t $2:fifo_file write;
+    allow gconfd_t $2:unix_stream_socket connectto;
+
+    ps_process_pattern($2, gconfd_t)
+
+	#gnome_stream_connect_gconf_template($1, $2)
+	read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+	allow $2 gconfd_t:unix_stream_socket connectto;
 ')
 
-#######################################
+######################################
 ## <summary>
-##	The role template for gnome.
+##      The role template for the gnome-keyring-daemon.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
+## <param name="user_prefix">
+##      <summary>
+##      The user prefix.
+##      </summary>
 ## </param>
 ## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
+##      <summary>
+##      The user role.
+##      </summary>
 ## </param>
 ## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
+##      <summary>
+##      The user domain associated with the role.
+##      </summary>
 ## </param>
 #
-template(`gnome_role_template',`
-	gen_require(`
-		attribute gnomedomain, gkeyringd_domain;
-		attribute_role gconfd_roles;
-		type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
-		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
-		type gconf_home_t;
-	')
-
-	########################################
-	#
-	# Gconf declarations
-	#
-
-	roleattribute $2 gconfd_roles;
-
-	########################################
-	#
-	# Gkeyringd declarations
-	#
+interface(`gnome_role_gkeyringd',`
+        gen_require(`
+                attribute gkeyringd_domain;
+                attribute gnomedomain;
+                type gnome_home_t;
+                type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
+		class dbus send_msg;
+        ')
 
 	type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
-	userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+	typealias $1_gkeyringd_t alias gkeyringd_$1_t;
+	application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+	ubac_constrained($1_gkeyringd_t)
 	domain_user_exemption_target($1_gkeyringd_t)
 
+	userdom_home_manager($1_gkeyringd_t)
+
 	role $2 types $1_gkeyringd_t;
 
-	########################################
-	#
-	# Gconf policy
-	#
+	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 
-	domtrans_pattern($3, gconfd_exec_t, gconfd_t)
+	allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
+	allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
 
-	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
-	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
-	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
+	allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
 
-	allow $3 gconfd_t:process { ptrace signal_perms };
-	ps_process_pattern($3, gconfd_t)
+	corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
+	corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
+	allow $1_gkeyringd_t $3:process sigkill;
+	allow $3 $1_gkeyringd_t:fd use;
+	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
 
-	########################################
-	#
-	# Gkeyringd policy
-	#
 
-	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+	kernel_read_system_state($1_gkeyringd_t)
 
-	allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
-	allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+	ps_process_pattern($1_gkeyringd_t, $3)
 
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
-	
-	gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+	auth_use_nsswitch($1_gkeyringd_t)
 
-	allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+	logging_send_syslog_msg($1_gkeyringd_t)
 
 	ps_process_pattern($3, $1_gkeyringd_t)
-	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
-
-	corecmd_bin_domtrans($1_gkeyringd_t, $3)
-	corecmd_shell_domtrans($1_gkeyringd_t, $3)
+	allow $3 $1_gkeyringd_t:process signal_perms;
+	dontaudit $3 gkeyringd_exec_t:file entrypoint;
 
-	gnome_stream_connect_gkeyringd($1, $3)
+	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
 
+	allow $1_gkeyringd_t $3:dbus send_msg;
+	allow $3 $1_gkeyringd_t:dbus send_msg;
 	optional_policy(`
-		dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+	       	dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+		dbus_session_bus_client($1_gkeyringd_t)
+		gnome_manage_generic_home_dirs($1_gkeyringd_t)
+		gnome_read_generic_data_home_files($1_gkeyringd_t)
+		gnome_read_generic_data_home_dirs($1_gkeyringd_t)
+
+		optional_policy(`
+			telepathy_mission_control_read_state($1_gkeyringd_t)
+            telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
+		')
+	')
+')
 
-		gnome_dbus_chat_gkeyringd($1, $3)
+#######################################
+## <summary>
+##  Allow domain to run gkeyring in the $1_gkeyringd_t domain.
+## </summary>
+## <param name="user_prefix">
+##      <summary>
+##      The user prefix.
+##      </summary>
+## </param>
+## <param name="user_role">
+##      <summary>
+##      The user role.
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##	Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_run_gkeyringd',`
+    gen_require(`
+		type $1_gkeyringd_t;
+		type gkeyringd_exec_t;
 	')
+	role $2 types $1_gkeyringd_t;
+	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute gconf in the caller domain.
+##	gconf connection template.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
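Review bot: In gnome_role_gkeyringd, `corecmd_bin_domtrans($1_gkeyringd_t, $1_t)` and `corecmd_shell_domtrans($1_gkeyringd_t, $1_t)` transition back to a type built from the prefix rather than to the user domain the interface actually receives; the rest of the body (domtrans_pattern, ps_process_pattern, the fd/fifo rules) uses `$3`, and `$1_t` is not in the gen_require, so a caller whose user domain is not literally `$1_t` gets a compile error or a transition to the wrong domain. The removed code used `$3` for both; I would restore that: `corecmd_bin_domtrans($1_gkeyringd_t, $3)` and `corecmd_shell_domtrans($1_gkeyringd_t, $3)`. The new `allow $1_gkeyringd_t $3:process sigkill;` also lets the keyring daemon kill the user's session domain, which is wider than the signal_perms granted in the other direction and deserves a one-line comment stating why it is needed. The gen_require and nested optional_policy blocks mix four-space and tab indentation; the rest of the file uses tabs.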
@@ -125,18 +159,18 @@ template(`gnome_role_template',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_exec_gconf',`
+interface(`gnome_stream_connect_gconf',`
 	gen_require(`
-		type gconfd_exec_t;
+		type gconfd_t, gconf_tmp_t;
 	')
 
-	corecmd_search_bin($1)
-	can_exec($1, gconfd_exec_t)
+	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+	allow $1 gconfd_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Read gconf configuration content.
+##	Connect to gkeyringd with a unix stream socket. 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gkeyringd',`
 	gen_require(`
-		type gconf_etc_t;
+			attribute gkeyringd_domain;
+			type gkeyringd_tmp_t;
+			type gconf_tmp_t;
+			type cache_home_t;
 	')
 
-	files_search_etc($1)
-	allow $1 gconf_etc_t:dir list_dir_perms;
-	allow $1 gconf_etc_t:file read_file_perms;
-	allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+	allow $1 gconf_tmp_t:dir search_dir_perms;
+	userdom_search_user_tmp_dirs($1)
+	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+	stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read
-##	inherited gconf configuration files.
+##	Run gconfd in gconfd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+interface(`gnome_domtrans_gconfd',`
 	gen_require(`
-		type gconf_etc_t;
+		type gconfd_t, gconfd_exec_t;
 	')
 
-	dontaudit $1 gconf_etc_t:file read;
+	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Create, read, write, and delete
-##	gconf configuration content.
+##	Dontaudit read gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_dontaudit_read_config',`
 	gen_require(`
-		type gconf_etc_t;
+		attribute gnome_home_type;
 	')
 
-	files_search_etc($1)
-	allow $1 gconf_etc_t:dir manage_dir_perms;
-	allow $1 gconf_etc_t:file manage_file_perms;
-	allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Connect to gconf using a unix
-##	domain stream socket.
+##	Dontaudit search gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_dontaudit_search_config',`
 	gen_require(`
-		type gconfd_t, gconf_tmp_t;
+		attribute gnome_home_type;
 	')
 
-	files_search_tmp($1)
-	stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+	dontaudit $1 gnome_home_type:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Run gconfd in gconfd domain.
+##	Dontaudit write gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_dontaudit_append_config_files',`
 	gen_require(`
-		type gconfd_t, gconfd_exec_t;
+		attribute gnome_home_type;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+	dontaudit $1 gnome_home_type:file append;
 ')
 
+
 ########################################
 ## <summary>
-##	Create generic gnome home directories.
+##	Dontaudit write gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_create_generic_home_dirs',`
+interface(`gnome_dontaudit_write_config_files',`
 	gen_require(`
-		type gnome_home_t;
+		attribute gnome_home_type;
 	')
 
-	allow $1 gnome_home_t:dir create_dir_perms;
+	dontaudit $1 gnome_home_type:file write;
 ')
 
 ########################################
 ## <summary>
-##	Set attributes of generic gnome
-##	user home directories.  (Deprecated)
+##	manage gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_setattr_config_dirs',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
-	gnome_setattr_generic_home_dirs($1)
+interface(`gnome_manage_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	allow $1 gnome_home_type:dir manage_dir_perms;
+	allow $1 gnome_home_type:file manage_file_perms;
+	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+	allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Set attributes of generic gnome
-##	user home directories.
+##	Send general signals to all gconf domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_setattr_generic_home_dirs',`
+interface(`gnome_signal_all',`
 	gen_require(`
-		type gnome_home_t;
+		attribute gnomedomain;
 	')
 
-	userdom_search_user_home_dirs($1)
-	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	allow $1 gnomedomain:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Read generic gnome user home content.  (Deprecated)
+##	Create objects in a Gnome cache home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`gnome_read_config',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
-	gnome_read_generic_home_content($1)
+interface(`gnome_cache_filetrans',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	filetrans_pattern($1, cache_home_t, $2, $3, $4)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Read generic gnome home content.
+##	Create objects in a Gnome cache home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`gnome_read_generic_home_content',`
+interface(`gnome_config_filetrans',`
 	gen_require(`
-		type gnome_home_t;
+		type config_home_t;
 	')
 
+	filetrans_pattern($1, config_home_t, $2, $3, $4)
 	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir list_dir_perms;
-	allow $1 gnome_home_t:file read_file_perms;
-	allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
-	allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
-	allow $1 gnome_home_t:sock_file read_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gnome user home content.  (Deprecated)
+##	Read generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_config',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
-	gnome_manage_generic_home_content($1)
+interface(`gnome_read_generic_cache_files',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	read_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gnome home content.
+##	Create generic cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -354,22 +424,18 @@ interface(`gnome_manage_config',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_generic_home_content',`
+interface(`gnome_create_generic_cache_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir manage_dir_perms;
-	allow $1 gnome_home_t:file manage_file_perms;
-	allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+	allow $1 cache_home_t:dir create_dir_perms;
+	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
 ')
 
 ########################################
 ## <summary>
-##	Search generic gnome home directories.
+##	Set attributes of cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_search_generic_home',`
+interface(`gnome_setattr_cache_home_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
+	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in gnome user home
-##	directories with a private type.
+##	Manage cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private_type">
-##	<summary>
-##	Private file type.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`gnome_home_filetrans',`
+interface(`gnome_manage_cache_home_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
+	manage_dirs_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	filetrans_pattern($1, gnome_home_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	Create generic gconf home directories.
+##	append to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_append_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
-	allow $1 gconf_home_t:dir create_dir_perms;
+	append_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Read generic gconf home content.
+##	write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_write_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
+	write_files_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir list_dir_perms;
-	allow $1 gconf_home_t:file read_file_perms;
-	allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
-	allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
-	allow $1 gconf_home_t:sock_file read_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gconf home content.
+##	write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -473,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
+	manage_files_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir manage_dir_perms;
-	allow $1 gconf_home_t:file manage_file_perms;
-	allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 gconf_home_t:sock_file manage_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search generic gconf home directories.
+##	Manage a sock_file in the generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -496,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_manage_generic_cache_sockets',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir search_dir_perms;
+	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic gconf
-##	home type.
+##	Dontaudit read/write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic gnome
-##	home type.
+##	read gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_read_config',`
 	gen_require(`
-		type gnome_home_t;
+		attribute gnome_home_type;
 	')
 
-	userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+	read_files_pattern($1, gnome_home_type, gnome_home_type)
+	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+	gnome_read_usr_config($1)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in gnome gconf home
-##	directories with a private type.
+##	Create objects in a Gnome gconf home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
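Review bot: `gnome_read_config` is documented as `read gnome homedir content (.config)` but its body grants list/read/read_lnk over the whole `gnome_home_type` attribute plus `gnome_read_usr_config`, so every type later attached to that attribute (gconf, cache, data, dbus, icc, gstreamer home types per the gnome.te hunk) becomes readable by each caller; the narrower `config_home_t`-only equivalent is `gnome_read_home_config` further down. The summary should say what is actually granted, e.g. `##	Read all gnome home content types (gnome_home_type) and /usr config content.`, so that callers wanting only ~/.config pick the narrower interface. Unlike the other interfaces in this hunk, this one also omits `userdom_search_user_home_dirs($1)`, so a caller without home-dir search elsewhere will still be denied on the path walk; worth adding or noting deliberately.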
@@ -577,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',`
 ## </param>
 ## <param name="private_type">
 ##	<summary>
-##	Private file type.
+##	The type of the object to create.
 ##	</summary>
 ## </param>
 ## <param name="object_class">
 ##	<summary>
-##	Class of the object being created.
+##	The class of the object to be created.
 ##	</summary>
 ## </param>
 ## <param name="name" optional="true">
@@ -591,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_data_filetrans',`
 	gen_require(`
-		type gconf_home_t;
+		type data_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+	filetrans_pattern($1, data_home_t, $2, $3, $4)
+	gnome_search_gconf($1)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Read generic gnome keyring home files.
+##	Read generic data home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -610,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_read_generic_data_home_files',`
 	gen_require(`
-		type gnome_home_t, gnome_keyring_home_t;
+		type data_home_t, gconf_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+	read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+	read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Send and receive messages from
-##	gnome keyring daemon over dbus.
+##  Read generic data home dirs.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_read_generic_data_home_dirs',`
+    gen_require(`
+        type data_home_t, gconf_home_t;
+    ')
+
+    list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
+')
+
+#######################################
+## <summary>
+##	Manage gconf data home files
 ## </summary>
-## <param name="role_prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+#
+interface(`gnome_manage_data',`
+	gen_require(`
+		type data_home_t;
+		type gconf_home_t;
+	')
+
+	allow $1 gconf_home_t:dir search_dir_perms;
+	manage_dirs_pattern($1, data_home_t, data_home_t)
+	manage_files_pattern($1, data_home_t, data_home_t)
+	manage_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+##	Read icc data home content.
+## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_read_home_icc_data_content',`
 	gen_require(`
-		type $1_gkeyringd_t;
-		class dbus send_msg;
+		type icc_data_home_t, gconf_home_t, data_home_t;
 	')
 
-	allow $2 $1_gkeyringd_t:dbus send_msg;
-	allow $1_gkeyringd_t $2:dbus send_msg;
+	userdom_search_user_home_dirs($1)
+	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Send and receive messages from all
-##	gnome keyring daemon over dbus.
+##	Read inherited icc data home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
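Review bot: `gnome_read_generic_data_home_files` drops the `userdom_search_user_home_dirs($1)` call the pre-rename interface had, so a caller that previously reached ~/.local/share through this interface alone now needs home-directory search from somewhere else; `gnome_read_generic_data_home_dirs` and `gnome_manage_data` in the same hunk have the same gap, while `gnome_read_home_icc_data_content` right below keeps the call. If the omission is intended (callers expected to pair with `gnome_search_gconf`), a one-line comment saying so would stop the next maintainer from "fixing" it; otherwise add `userdom_search_user_home_dirs($1)` before the pattern calls. Separately, `gnome_read_generic_data_home_dirs` is indented with spaces where the rest of the file uses tabs.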
@@ -657,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_read_inherited_home_icc_data_files',`
 	gen_require(`
-		attribute gkeyringd_domain;
-		class dbus send_msg;
+		type icc_data_home_t;
 	')
 
-	allow $1 gkeyringd_domain:dbus send_msg;
-	allow gkeyringd_domain $1:dbus send_msg;
+	allow $1 icc_data_home_t:file read_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Connect to gnome keyring daemon
-##	with a unix stream socket.
+##	Create gconf_home_t objects in the /root directory
 ## </summary>
-## <param name="role_prefix">
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The name of the object being created.
 ##	</summary>
 ## </param>
+#
+interface(`gnome_admin_home_gconf_filetrans',`
+	gen_require(`
+		type gconf_home_t;
+	')
+
+	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	inherited gconf config files.
+## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
 	gen_require(`
-		type $1_gkeyringd_t, gnome_keyring_tmp_t;
+		type gconf_etc_t;
 	')
 
-	files_search_tmp($2)
-	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Connect to all gnome keyring daemon
-##	with a unix stream socket.
+##	read gconf config files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -704,12 +778,966 @@ interface(`gnome_stream_connect_gkeyringd',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_read_gconf_config',`
 	gen_require(`
-		attribute gkeyringd_domain;
-		type gnome_keyring_tmp_t;
+		type gconf_etc_t;
 	')
 
-	files_search_tmp($1)
-	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+	allow $1 gconf_etc_t:dir list_dir_perms;
+	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+	files_search_etc($1)
+')
+
+#######################################
+## <summary>
+##      Manage gconf config files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+        gen_require(`
+                type gconf_etc_t;
+        ')
+
+        allow $1 gconf_etc_t:dir list_dir_perms;
+        manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+########################################
+## <summary>
+##	Execute gconf programs in 
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+	gen_require(`
+		type gconfd_exec_t;
+	')
+
+	can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute gnome keyringd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_exec_keyringd',`
+	gen_require(`
+		type gkeyringd_exec_t;
+	')
+
+	can_exec($1, gkeyringd_exec_t)
+	corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+##	Search gconf home data dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_search_gconf_data_dir',`
+	gen_require(`
+		type gconf_home_t;
+		type data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 gconf_home_t:dir list_dir_perms;
+	allow $1 data_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read gconf home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_read_gconf_home_files',`
+	gen_require(`
+		type gconf_home_t;
+		type data_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 gconf_home_t:dir list_dir_perms;
+	allow $1 data_home_t:dir list_dir_perms;
+	read_files_pattern($1, gconf_home_t, gconf_home_t)
+	read_files_pattern($1, data_home_t, data_home_t)
+	read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
+	read_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
+########################################
+## <summary>
+##	Search gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+	gen_require(`
+		type gkeyringd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+	gen_require(`
+		type gkeyringd_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+##  Delete gkeyringd temporary
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_delete_gkeyringd_tmp_content',`
+    gen_require(`
+        type gkeyringd_tmp_t;
+    ')
+
+    files_search_tmp($1)
+    delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+    delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+    delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+#######################################
+## <summary>
+##  Manage gkeyringd temporary directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_manage_gkeyringd_tmp_dirs',`
+    gen_require(`
+        type gkeyringd_tmp_t;
+    ')
+
+    files_search_tmp($1)
+    manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
+')
+
+########################################
+## <summary>
+##	search gconf homedir (.local)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_search_gconf',`
+	gen_require(`
+		type gconf_home_t;
+	')
+
+	allow $1 gconf_home_t:dir search_dir_perms;
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
+##	Manage generic gnome home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_files',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+##	Manage generic gnome home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_dirs',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 gnome_home_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Append gconf home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_append_gconf_home_files',`
+	gen_require(`
+		type gconf_home_t;
+	')
+
+	append_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+##	manage gconf home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_gconf_home_files',`
+	gen_require(`
+		type gconf_home_t;
+	')
+
+	allow $1 gconf_home_t:dir list_dir_perms;
+	manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+##	Connect to gnome over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`gnome_stream_connect',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	# Connect to pulseaudit server
+	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+########################################
+## <summary>
+##	list gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_list_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	allow $1 config_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Set attributes of gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_setattr_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	setattr_dirs_pattern($1, config_home_t, config_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##	read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_read_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	list_dirs_pattern($1, config_home_t, config_home_t)
+	read_files_pattern($1, config_home_t, config_home_t)
+	read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+#######################################
+## <summary>
+##  append gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_append_home_config',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    append_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+##  delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_delete_home_config',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    delete_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##	Create gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_create_home_config_dirs',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	allow $1 config_home_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
+##  setattr gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_setattr_home_config_dirs',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    setattr_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##	manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_home_config',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	manage_files_pattern($1, config_home_t, config_home_t)
+')
+
+#######################################
+## <summary>
+##  delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_delete_home_config_dirs',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    delete_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##	manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_home_config_dirs',`
+	gen_require(`
+		type config_home_t;
+	')
+
+	manage_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##	manage gstreamer home content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_home_files',`
+	gen_require(`
+		type gstreamer_home_t;
+	')
+
+	manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+	manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
+	gnome_filetrans_gstreamer_home_content($1)
+')
+
+######################################
+## <summary>
+##      Allow to execute gstreamer home content files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_exec_gstreamer_home_files',`
+        gen_require(`
+                type gstreamer_home_t;
+        ')
+
+        can_exec($1, gstreamer_home_t)
+')
+
+######################################
+## <summary>
+##      Allow to execute config home content files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_exec_config_home_files',`
+        gen_require(`
+                type config_home_t;
+        ')
+
+        can_exec($1, config_home_t)
+')
+
+#######################################
+## <summary>
+##  file name transition gstreamer home content files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_filetrans_gstreamer_home_content',`
+    gen_require(`
+        type gstreamer_home_t;
+    ')
+
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+    userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
+    gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
+')
+
+#######################################
+## <summary>
+##  manage gstreamer home content files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_home_dirs',`
+    gen_require(`
+        type gstreamer_home_t;
+    ')
+
+    manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+')
+
+########################################
+## <summary>
+##	Read/Write all inherited gnome home config 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_rw_inherited_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit Read/Write all inherited gnome home config 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`gnome_dontaudit_rw_inherited_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	gconf system service over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfdefault',`
+	gen_require(`
+		type gconfdefaultsm_t;
+		class dbus send_msg;
+	')
+
+	allow $1 gconfdefaultsm_t:dbus send_msg;
+	allow gconfdefaultsm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	gkeyringd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+	gen_require(`
+		attribute gkeyringd_domain;
+		class dbus send_msg;
+	')
+
+	allow $1 gkeyringd_domain:dbus send_msg;
+	allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send signull signal to gkeyringd processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_signull_gkeyringd',`
+	gen_require(`
+		attribute gkeyringd_domain;
+	')
+
+	allow $1 gkeyringd_domain:process signull;
+')
+
+########################################
+## <summary>
+##	Allow the domain to read gkeyringd state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_read_gkeyringd_state',`
+	gen_require(`
+		attribute gkeyringd_domain;
+	')
+
+	ps_process_pattern($1, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+##	Create directories in user home directories
+##	with the gnome home file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_home_dir_filetrans',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
+	userdom_search_user_home_dirs($1)
+')
+
+######################################
+## <summary>
+##      Allow read kde config content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_read_usr_config',`
+        gen_require(`
+                type config_usr_t;
+        ')
+
+        files_search_usr($1)
+		list_dirs_pattern($1, config_usr_t, config_usr_t)
+		read_files_pattern($1, config_usr_t, config_usr_t)
+		read_lnk_files_pattern($1, config_usr_t, config_usr_t)	
+')
+
+#######################################
+## <summary>
+##      Allow manage kde config content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_manage_usr_config',`
+        gen_require(`
+                type config_usr_t;
+        ')
+
+        files_search_usr($1)
+		manage_dirs_pattern($1, config_usr_t, config_usr_t)
+		manage_files_pattern($1, config_usr_t, config_usr_t)
+		manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
+')
+
+########################################
+## <summary>
+##	Execute gnome-keyring in the user gkeyring domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`gnome_transition_gkeyringd',`
+	gen_require(`
+		attribute gkeyringd_domain;
+	')
+
+	allow $1 gkeyringd_domain:process transition;
+	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
+	allow gkeyringd_domain $1:process { sigchld signull };
+	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Create gnome content in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_filetrans_home_content',`
+
+gen_require(`
+	type config_home_t;
+	type cache_home_t;
+	type dbus_home_t;
+	type gconf_home_t;
+	type gnome_home_t;
+	type data_home_t, icc_data_home_t;
+	type gkeyringd_gnome_home_t;
+')
+
+	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
+	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
+	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+	userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
+	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
+	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+
+	# ~/.color/icc: legacy
+	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
+	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+	filetrans_pattern($1, data_home_t,  gkeyringd_gnome_home_t, dir, "keyrings")
+	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
+	filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
+	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+	gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+	gnome_filetrans_gstreamer_home_content($1)
+')
+
+########################################
+## <summary>
+##	Create gnome dconf dir in the user home directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_filetrans_config_home_content',`
+    gen_require(`
+        type config_home_t;
+    ')
+
+    gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+')
+
+########################################
+## <summary>
+##	Create gnome directory in the /root directory
+##	with an correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_filetrans_admin_home_content',`
+
+gen_require(`
+	type config_home_t;
+	type cache_home_t;
+	type dbus_home_t;
+	type gstreamer_home_t;
+	type gconf_home_t;
+	type gnome_home_t;
+	type icc_data_home_t;
+')
+
+	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
+	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
+	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
+	userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
+	userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
+	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
+	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
+	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
+	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
+	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
+	gnome_filetrans_gstreamer_home_content($1)
+	# /root/.color/icc: legacy
+	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
+')
+
+#####################################
+## <summary>
+##  Execute gnome-keyring executable
+##  in the specified domain.
+## </summary>
+## <desc>
+##  <p>
+##  Execute a telepathy executable
+##  in the specified domain.  This allows
+##  the specified domain to execute any file
+##  on these filesystems in the specified
+##  domain. 
+##  </p>
+##  <p>
+##  No interprocess communication (signals, pipes,
+##  etc.) is provided by this interface since
+##  the domains are not owned by this module.
+##  </p>
+##  <p>
+##  This interface was added to handle
+##  the ssh-agent policy.
+##  </p>
+## </desc>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+## <param name="target_domain">
+##  <summary>
+##  The type of the new process.
+##  </summary>
+## </param>
+#
+interface(`gnome_command_domtrans_gkeyringd', `
+    gen_require(`
+        type gkeyringd_exec_t;
+    ')
+
+    allow $2 gkeyringd_exec_t:file entrypoint;
+    domain_transition_pattern($1, gkeyringd_exec_t, $2)
+    type_transition $1 gkeyringd_exec_t:process $2;
 ')
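Review bot: `gnome_exec_gstreamer_home_files` and `gnome_exec_config_home_files` use `can_exec` on `gstreamer_home_t` and `config_home_t`, which are user-writable home content types (the filetrans rules in this hunk label ~/.config, ~/.kde, ~/.gstreamer-* with them), so any domain granted either interface will run user-controlled files in its own domain; the summaries should state that explicitly, e.g. `##	Execute user-writable config home content in the caller domain (no domain transition).`, so policy authors can weigh that before calling them. The `<desc>` of `gnome_command_domtrans_gkeyringd` still reads `Execute a telepathy executable`, a copy-paste leftover that should say gnome-keyring, and the comment in `gnome_stream_connect` reads `# Connect to pulseaudit server` although the rule targets `gnome_home_type` sockets and `$2`. `gnome_read_usr_config`/`gnome_manage_usr_config` mix 8-space and double-tab indentation, and the `gen_require` blocks of `gnome_filetrans_home_content` and `gnome_filetrans_admin_home_content` sit at column 0 unlike every other interface in the file.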
diff --git a/gnome.te b/gnome.te
index 20f726b..ea1115c 100644
--- a/gnome.te
+++ b/gnome.te
@@ -1,18 +1,36 @@
-policy_module(gnome, 2.2.5)
+policy_module(gnome, 2.2.0)
 
 ##############################
 #
 # Declarations
 #
 
-attribute gkeyringd_domain;
 attribute gnomedomain;
-attribute_role gconfd_roles;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
 
 type gconf_etc_t;
 files_config_file(gconf_etc_t)
 
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gstreamer_home_t, gnome_home_type;
+userdom_user_home_content(gstreamer_home_t)
+
+type dbus_home_t, gnome_home_type;
+userdom_user_home_content(dbus_home_t)
+
+type icc_data_home_t, gnome_home_type;
+userdom_user_home_content(icc_data_home_t)
+
+type gconf_home_t, gnome_home_type;
 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
 typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
 typealias gconf_home_t alias unconfined_gconf_home_t;
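Review bot: `policy_module(gnome, 2.2.0)` lowers the module version from 2.2.5, and the same regression appears in gnomeclock.te (1.0.5 to 1.0.0) and gpg.te (2.7.3 to 2.6.0). The module version is the only signal tooling has to tell a newer policy from an older one, so a decreasing number makes this change look like a rollback and may be treated as older by anything that compares versions. If the intent is to diverge from the upstream numbering, keep the number monotonic (for example `policy_module(gnome, 2.2.6)`) or record the divergence in a comment next to the declaration.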
@@ -29,107 +47,226 @@ type gconfd_exec_t;
 typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
 typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
 userdom_user_application_domain(gconfd_t, gconfd_exec_t)
-role gconfd_roles types gconfd_t;
 
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
 typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
 typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
 typealias gnome_home_t alias unconfined_gnome_home_t;
 userdom_user_home_content(gnome_home_t)
 
+# type KDE /usr/share/config files
+type config_usr_t;
+files_type(config_usr_t)
+
 type gkeyringd_exec_t;
-application_executable_file(gkeyringd_exec_t)
+corecmd_executable_file(gkeyringd_exec_t)
 
-type gnome_keyring_home_t;
-userdom_user_home_content(gnome_keyring_home_t)
+type gkeyringd_gnome_home_t;
+userdom_user_home_content(gkeyringd_gnome_home_t)
 
-type gnome_keyring_tmp_t;
-userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gkeyringd_tmp_t;
+userdom_user_tmp_content(gkeyringd_tmp_t)
+
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
 
 ##############################
 #
-# Common local Policy
+# Local Policy
 #
 
-allow gnomedomain self:process { getsched signal };
-allow gnomedomain self:fifo_file rw_fifo_file_perms;
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
 
-dev_read_urand(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
 
-domain_use_interactive_fds(gnomedomain)
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
 
-files_read_etc_files(gnomedomain)
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
 
-miscfiles_read_localization(gnomedomain)
 
-logging_send_syslog_msg(gnomedomain)
 
-userdom_use_user_terminals(gnomedomain)
+logging_send_syslog_msg(gconfd_t)
+
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
 
 optional_policy(`
-	xserver_rw_xdm_pipes(gnomedomain)
-	xserver_use_xdm_fds(gnomedomain)
+	nscd_dontaudit_search_pid(gconfd_t)
 ')
 
-##############################
+optional_policy(`
+	xserver_use_xdm_fds(gconfd_t)
+	xserver_rw_xdm_pipes(gconfd_t)
+')
+
+#######################################
 #
-# Conf daemon local Policy
+# gconf-defaults-mechanisms local policy
 #
 
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+allow gconfdefaultsm_t self:capability { dac_override sys_nice };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
 
-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+corecmd_search_bin(gconfdefaultsm_t)
 
-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+auth_read_passwd(gconfdefaultsm_t)
 
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
+
+userdom_read_all_users_state(gconfdefaultsm_t)
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
 
 optional_policy(`
-	nscd_dontaudit_search_pid(gconfd_t)
+	consolekit_dbus_chat(gconfdefaultsm_t)
 ')
 
-##############################
+optional_policy(`
+	dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+')
+
+optional_policy(`
+	nscd_dontaudit_search_pid(gconfdefaultsm_t)
+')
+
+optional_policy(`
+	policykit_domtrans_auth(gconfdefaultsm_t)
+	policykit_dbus_chat(gconfdefaultsm_t)
+	policykit_read_lib(gconfdefaultsm_t)
+	policykit_read_reload(gconfdefaultsm_t)
+')
+
+userdom_home_manager(gconfdefaultsm_t)
+
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
+#
+
+allow gnomesystemmm_t self:capability { sys_admin sys_nice };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
+
+kernel_read_system_state(gnomesystemmm_t)
+
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
+domain_search_all_domains_state(gnomesystemmm_t)
+domain_setpriority_all_domains(gnomesystemmm_t)
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
+auth_read_passwd(gnomesystemmm_t)
+
+logging_send_syslog_msg(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
+
+optional_policy(`
+	consolekit_dbus_chat(gnomesystemmm_t)
+')
+
+optional_policy(`
+	dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
+')
+
+optional_policy(`
+ 	gnome_manage_home_config(gnomesystemmm_t)
+')
+
+optional_policy(`
+	nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(gnomesystemmm_t)
+	policykit_domtrans_auth(gnomesystemmm_t)
+	policykit_read_lib(gnomesystemmm_t)
+	policykit_read_reload(gnomesystemmm_t)
+')
+
+######################################
 #
-# Keyring-daemon local policy
+# gnome-keyring-daemon local policy
 #
 
 allow gkeyringd_domain self:capability ipc_lock;
-allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:process { getcap getsched setcap signal };
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
 allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
 
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
+manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
 
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+allow gkeyringd_domain data_home_t:dir create_dir_perms;
+allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
 
-kernel_read_system_state(gkeyringd_domain)
 kernel_read_crypto_sysctls(gkeyringd_domain)
 
+corecmd_search_bin(gkeyringd_domain)
+
 dev_read_rand(gkeyringd_domain)
+dev_read_urand(gkeyringd_domain)
 dev_read_sysfs(gkeyringd_domain)
 
-files_read_usr_files(gkeyringd_domain)
+# for nscd?
+files_search_pids(gkeyringd_domain)
 
-fs_getattr_all_fs(gkeyringd_domain)
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
 
-selinux_getattr_fs(gkeyringd_domain)
+userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local")
 
 optional_policy(`
-	ssh_read_user_home_files(gkeyringd_domain)
+	xserver_append_xdm_home_files(gkeyringd_domain)
+	xserver_read_xdm_home_files(gkeyringd_domain)
+	xserver_use_xdm_fds(gkeyringd_domain)
 ')
 
 optional_policy(`
-	telepathy_mission_control_read_state(gkeyringd_domain)
+    gnome_create_home_config_dirs(gkeyringd_domain)
+	gnome_read_home_config(gkeyringd_domain)
+    gnome_manage_generic_cache_files(gkeyringd_domain)
+	gnome_manage_cache_home_dir(gkeyringd_domain)
+	gnome_manage_generic_cache_sockets(gkeyringd_domain)
 ')
+
+optional_policy(`
+	ssh_read_user_home_files(gkeyringd_domain)
+')
+
+domain_use_interactive_fds(gnomedomain)
+
+userdom_use_inherited_user_terminals(gnomedomain)
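Review bot: `allow gnomesystemmm_t self:capability { sys_admin sys_nice };` grants CAP_SYS_ADMIN to the system-monitor mechanism with no comment recording which operation needs it; sys_admin covers a very wide range of privileged operations, so the usual practice is to note the trigger above the rule, e.g. `# sys_admin: <operation that was denied> -- TODO confirm against the audit log`, or to find a narrower capability. The same applies to `dac_override` in `allow gconfdefaultsm_t self:capability { dac_override sys_nice };`. The optional_policy blocks in the gnome-keyring section mix four-space and tab indentation (`gnome_create_home_config_dirs`, `gnome_manage_generic_cache_files`), and `gnome_manage_home_config(gnomesystemmm_t)` has a stray space before its tab, while the rest of the file indents with a single tab. `# for nscd?` above `files_search_pids(gkeyringd_domain)` is an open question rather than a justification; confirm it and state the reason, or tag it TODO. The two trailing `gnomedomain` rules after the keyring section belong with the other attribute-wide rules in the common section above the per-domain blocks.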
diff --git a/gnomeclock.fc b/gnomeclock.fc
index b687443..e4c1b83 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
@@ -1,5 +1,9 @@
+/usr/lib/systemd/systemd-timedated		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
 /usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 
-/usr/libexec/gsd-datetime-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
+/usr/libexec/kde3/kcmdatetimehelper		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde4/kcmdatetimehelper     --  gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 
-/usr/libexec/kde(3|4)/kcmdatetimehelper	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
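Review bot: The kde4 entry `/usr/libexec/kde4/kcmdatetimehelper     --  gen_context(system_u:object_r:gnomeclock_exec_t,s0)` aligns its columns with spaces while the kde3 entry directly above and the rest of the file use tabs; the file-context compiler does not care, but the mixed alignment makes two equivalent lines look different in every future diff. Use the same tab alignment as the line above.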
diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702..25c7ab8 100644
--- a/gnomeclock.if
+++ b/gnomeclock.if
@@ -2,8 +2,7 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run gnomeclock.
+##	Execute a domain transition to run gnomeclock.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',`
 		type gnomeclock_t, gnomeclock_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute gnomeclock in the gnomeclock
-##	domain, and allow the specified
-##	role the gnomeclock domain.
+##	Execute gnomeclock in the gnomeclock domain, and
+##	allow the specified role the gnomeclock domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
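Review bot: `gnomeclock_domtrans` no longer calls `corecmd_search_bin($1)`, so a caller that relied on this interface alone to reach gnomeclock_exec_t under /usr/libexec now needs search access on bin directories from elsewhere; without it the transition fails with a search denial on the parent directory rather than a clear error. Refpolicy domtrans interfaces conventionally include that search rule so the interface is usable on its own; restore `corecmd_search_bin($1)` before `domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)`, or document the new caller obligation in the interface summary. `gpg_domtrans` in gpg.if drops the same line.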
@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',`
 #
 interface(`gnomeclock_run',`
 	gen_require(`
-		attribute_role gnomeclock_roles;
+		type gnomeclock_t;
 	')
 
 	gnomeclock_domtrans($1)
-	roleattribute $2 gnomeclock_roles;
+	role $2 types gnomeclock_t;
 ')
 
 ########################################
@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to send and
-##	receive messages from gnomeclock
-##	over dbus.
+##	Do not audit send and receive messages from
+##	gnomeclock over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/gnomeclock.te b/gnomeclock.te
index 6d79eb5..c728009 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -1,86 +1,99 @@
-policy_module(gnomeclock, 1.0.5)
+policy_module(gnomeclock, 1.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-attribute_role gnomeclock_roles;
-
 type gnomeclock_t;
 type gnomeclock_exec_t;
-init_system_domain(gnomeclock_t, gnomeclock_exec_t)
-role gnomeclock_roles types gnomeclock_t;
+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+
+type gnomeclock_tmp_t;
+files_tmp_file(gnomeclock_tmp_t)
 
 ########################################
 #
-# Local policy
+# gnomeclock local policy
 #
 
-allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
 allow gnomeclock_t self:process { getattr getsched signal };
 allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
-allow gnomeclock_t self:unix_stream_socket { accept listen };
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
+files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir })
 
 kernel_read_system_state(gnomeclock_t)
 
 corecmd_exec_bin(gnomeclock_t)
 corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
 
-corenet_all_recvfrom_unlabeled(gnomeclock_t)
-corenet_all_recvfrom_netlabel(gnomeclock_t)
-corenet_tcp_sendrecv_generic_if(gnomeclock_t)
-corenet_tcp_sendrecv_generic_node(gnomeclock_t)
+corenet_tcp_connect_time_port(gnomeclock_t)
 
-# tcp:37 (time)
-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
-corenet_tcp_connect_inetd_child_port(gnomeclock_t)
-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
-
-dev_read_sysfs(gnomeclock_t)
-dev_read_urand(gnomeclock_t)
 dev_rw_realtime_clock(gnomeclock_t)
+dev_read_urand(gnomeclock_t)
+dev_write_kmsg(gnomeclock_t)
+dev_read_sysfs(gnomeclock_t)
 
-files_read_usr_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
 
 fs_getattr_xattr_fs(gnomeclock_t)
 
 auth_use_nsswitch(gnomeclock_t)
 
+init_dbus_chat(gnomeclock_t)
+
+logging_stream_connect_syslog(gnomeclock_t)
 logging_send_syslog_msg(gnomeclock_t)
 
-miscfiles_etc_filetrans_localization(gnomeclock_t)
 miscfiles_manage_localization(gnomeclock_t)
-miscfiles_read_localization(gnomeclock_t)
+miscfiles_etc_filetrans_localization(gnomeclock_t)
 
 userdom_read_all_users_state(gnomeclock_t)
 
 optional_policy(`
-	chronyd_initrc_domtrans(gnomeclock_t)
+	chronyd_systemctl(gnomeclock_t)
 ')
 
 optional_policy(`
+	clock_read_adjtime(gnomeclock_t)
 	clock_domtrans(gnomeclock_t)
 ')
 
 optional_policy(`
-	dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+	consolekit_dbus_chat(gnomeclock_t)
+')
 
-	optional_policy(`
-		consolekit_dbus_chat(gnomeclock_t)
-	')
+optional_policy(`
+    consoletype_exec(gnomeclock_t)
+')
 
-	optional_policy(`
-		policykit_dbus_chat(gnomeclock_t)
-	')
+optional_policy(`
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+')
+
+optional_policy(`
+	gnome_manage_usr_config(gnomeclock_t)
+	gnome_manage_home_config(gnomeclock_t)
+	gnome_filetrans_admin_home_content(gnomeclock_t)
 ')
 
 optional_policy(`
 	ntp_domtrans_ntpdate(gnomeclock_t)
 	ntp_initrc_domtrans(gnomeclock_t)
+	init_dontaudit_getattr_all_script_files(gnomeclock_t)
+	init_dontaudit_getattr_exec(gnomeclock_t)
+	ntp_systemctl(gnomeclock_t)
 ')
 
 optional_policy(`
+	policykit_dbus_chat(gnomeclock_t)
 	policykit_domtrans_auth(gnomeclock_t)
 	policykit_read_lib(gnomeclock_t)
 	policykit_read_reload(gnomeclock_t)
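Review bot: `init_dontaudit_getattr_all_script_files(gnomeclock_t)` and `init_dontaudit_getattr_exec(gnomeclock_t)` sit inside the optional_policy block for ntp, so they only take effect when the ntp module is present even though they are init interfaces with no ntp dependency; move them out of that block next to `init_dbus_chat(gnomeclock_t)`. `dac_override` is added to the gnomeclock_t capability set without a comment saying which file access requires it; a one-line note above the rule would let a later reviewer re-check the need. Two optional_policy blocks also break the file's tab indentation: `consoletype_exec(gnomeclock_t)` uses four spaces and `dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)` is not indented at all.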
diff --git a/gpg.fc b/gpg.fc
index 888cd2c..c02fa56 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,10 +1,14 @@
-HOME_DIR/\.gnupg(/.+)?	gen_context(system_u:object_r:gpg_secret_t,s0)
-HOME_DIR/\.gnupg/log-socket	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/etc/mail/spamassassin/sa-update-keys(/.*)?	gen_context(system_u:object_r:gpg_secret_t,s0)
+
+/root/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
 
 /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm		--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 /usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
 
 /usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.*	--	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
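Review bot: The `HOME_DIR/\.gnupg/log-socket` entry drops the `-s` object-class qualifier, so it now matches any object with that name rather than only a socket; a regular file or directory called log-socket under ~/.gnupg would be labeled gpg_agent_tmp_t instead of gpg_secret_t on relabel. If the socket-only match was intentional, keep `-s` on the line. `/usr/lib/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)` also separates the path from `--` with a space where the rest of the file uses tabs.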
diff --git a/gpg.if b/gpg.if
index 180f1b7..951b790 100644
--- a/gpg.if
+++ b/gpg.if
@@ -2,57 +2,75 @@
 
 ############################################################
 ## <summary>
-##	Role access for gpg.
+##	Role access for gpg
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
 interface(`gpg_role',`
 	gen_require(`
-		attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
-		type gpg_t, gpg_exec_t, gpg_agent_t;
-		type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
-		type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+		type gpg_t, gpg_exec_t;
+		type gpg_agent_t, gpg_agent_exec_t;
+		type gpg_agent_tmp_t;
+		type gpg_helper_t, gpg_pinentry_t;
+		type gpg_pinentry_tmp_t;
 	')
 
-	roleattribute $1 gpg_roles;
-	roleattribute $1 gpg_agent_roles;
-	roleattribute $1 gpg_helper_roles;
-	roleattribute $1 gpg_pinentry_roles;
+	role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
 
+	# transition from the userdomain to the derived domain
 	domtrans_pattern($2, gpg_exec_t, gpg_t)
-	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
 
-	allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
-	ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+	# allow ps to show gpg
+	ps_process_pattern($2, gpg_t)
+	allow $2 gpg_t:process { signull sigstop signal sigkill };
 
-	allow gpg_pinentry_t $2:process signull;
+	# communicate with the user
 	allow gpg_helper_t $2:fd use;
-	allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+	allow gpg_helper_t $2:fifo_file write;
+
+	# allow ps to show gpg-agent
+	ps_process_pattern($2, gpg_agent_t)
 
-	allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
-	allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-	userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
+	# Allow the user shell to signal the gpg-agent program.
+	allow $2 gpg_agent_t:process { signal sigkill };
+
+	manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+	# Transition from the user domain to the agent domain.
+	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
+	allow gpg_pinentry_t $2:fifo_file { read write };
 
 	optional_policy(`
 		gpg_pinentry_dbus_chat($2)
 	')
+
+	allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
+	ifdef(`hide_broken_symptoms',`
+		#Leaked File Descriptors
+		dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+		dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+	')
 ')
 
 ########################################
 ## <summary>
-##	Execute the gpg in the gpg domain.
+##	Transition to a user gpg domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
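Review bot: `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` inside `gpg_role` references neither `$1` nor `$2`; it is a rule about the module's own types and is emitted identically every time a role calls the interface, so it belongs in gpg.te next to the other gpg_agent_t rules rather than in a role interface. The same block gives `$2` manage rights on gpg_agent_tmp_t with no filetrans for `$2`, which may be deliberate if only the agent creates those objects, but a short comment saying so would stop the next reader from adding one. The `hide_broken_symptoms` dontaudit block at the end is the only comment in the hunk written as `#Leaked File Descriptors` without a space after `#`.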
@@ -65,13 +83,12 @@ interface(`gpg_domtrans',`
 		type gpg_t, gpg_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, gpg_exec_t, gpg_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Execute the gpg in the caller domain.
+##	Execute gpg in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,76 +105,46 @@ interface(`gpg_exec',`
 	can_exec($1, gpg_exec_t)
 ')
 
-########################################
-## <summary>
-##	Execute gpg in a specified domain.
-## </summary>
-## <desc>
-##	<p>
-##	Execute gpg in a specified domain.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-## </desc>
-## <param name="source_domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-#
-interface(`gpg_spec_domtrans',`
-	gen_require(`
-		type gpg_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domain_auto_trans($1, gpg_exec_t, $2)
-')
-
 ######################################
 ## <summary>
-##	Execute gpg in the gpg web domain.  (Deprecated)
+##  Transition to a gpg web domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`gpg_domtrans_web',`
-	refpolicywarn(`$0($*) has been deprecated.')
+    gen_require(`
+        type gpg_web_t, gpg_exec_t;
+    ')
+
+    domtrans_pattern($1, gpg_exec_t, gpg_web_t)
 ')
 
 ######################################
 ## <summary>
-##	Make gpg executable files an
-##	entrypoint for the specified domain.
+##  Make gpg an entrypoint for
+##  the specified domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	The domain for which gpg_exec_t is an entrypoint.
-##	</summary>
+##  <summary>
+##  The domain for which cifs_t is an entrypoint.
+##  </summary>
 ## </param>
 #
 interface(`gpg_entry_type',`
-	gen_require(`
-		type gpg_exec_t;
-	')
+    gen_require(`
+        type gpg_exec_t;
+    ')
 
-	domain_entry_file($1, gpg_exec_t)
+    domain_entry_file($1, gpg_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Send generic signals to gpg.
+##	Send generic signals to user gpg processes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
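Review bot: The parameter summary of `gpg_entry_type` now reads `The domain for which cifs_t is an entrypoint.`; cifs_t is not a type this module owns and the interface grants `domain_entry_file($1, gpg_exec_t)`, so the text should be `The domain for which gpg_exec_t is an entrypoint.` as the removed line had it. `gpg_domtrans_web` and `gpg_entry_type` are re-indented with four spaces while the rest of the file uses tabs. Removing `gpg_spec_domtrans` outright, instead of leaving the kind of `refpolicywarn` deprecation stub that `gpg_domtrans_web` previously had, breaks any out-of-tree policy still calling it; keeping the stub for one release is the usual practice.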
@@ -175,7 +162,7 @@ interface(`gpg_signal',`
 
 ########################################
 ## <summary>
-##	Read and write gpg agent pipes.
+##	Read and write GPG agent pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -184,6 +171,7 @@ interface(`gpg_signal',`
 ## </param>
 #
 interface(`gpg_rw_agent_pipes',`
+	# Just wants read/write could this be a leak?
 	gen_require(`
 		type gpg_agent_t;
 	')
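Review bot: The added comment `# Just wants read/write could this be a leak?` inside `gpg_rw_agent_pipes` is an open question rather than documentation, and it sits above `gen_require` where readers expect a description of the rule. Either resolve it, stating what the caller needs and why, or mark it for tracking, e.g. `# TODO: confirm whether callers need rw_fifo_file_perms or a leaked fd is being papered over`. The body of the interface continues past the hunk.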
@@ -193,8 +181,8 @@ interface(`gpg_rw_agent_pipes',`
 
 ########################################
 ## <summary>
-##	Send messages to and from gpg
-##	pinentry over DBUS.
+##	Send messages to and from GPG
+##	Pinentry over DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -214,7 +202,7 @@ interface(`gpg_pinentry_dbus_chat',`
 
 ########################################
 ## <summary>
-##	List gpg user secrets.
+##	List Gnu Privacy Guard user secrets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -230,3 +218,39 @@ interface(`gpg_list_user_secrets',`
 	list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
 	userdom_search_user_home_dirs($1)
 ')
+###########################
+## <summary>
+##	Allow to manage gpg named home content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_manage_home_content',`
+	gen_require(`
+		type gpg_secret_t;
+	')
+
+	manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
+	manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
+########################################
+## <summary>
+##	Transition to gpg named home content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_filetrans_home_content',`
+	gen_require(`
+		type gpg_secret_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
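Review bot: `gpg_manage_home_content` grants full manage rights on gpg_secret_t, which holds the user's private keyrings, but its summary only says `Allow to manage gpg named home content`; callers are more likely to be scrutinised if the summary names the asset, e.g. `Create, read, write, and delete gpg user secrets (~/.gnupg, including private keys).` The interface covers only dirs and files, whereas gpg_t itself also manages lnk_file and sock_file objects in gpg_secret_t in gpg.te, so a caller that needs the whole directory tree will still be denied on symlinks and sockets; either add those patterns or say in the summary that they are excluded. Stylistically, neither new interface is separated from the previous one by a blank line, `###########################` is shorter than the file's other separators, and the `Domain allowed access.` lines are indented with spaces instead of tabs.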
diff --git a/gpg.te b/gpg.te
index 44cf341..4af1ba0 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
-policy_module(gpg, 2.7.3)
+policy_module(gpg, 2.6.0)
 
 ########################################
 #
 # Declarations
 #
+attribute gpgdomain;
 
 ## <desc>
-##	<p>
-##	Determine whether GPG agent can manage
-##	generic user home content files. This is
-##	required by the --write-env-file option.
-##	</p>
+## <p>
+## Allow usage of the gpg-agent --write-env-file option.
+## This also allows gpg-agent to manage user files.
+## </p>
 ## </desc>
 gen_tunable(gpg_agent_env_file, false)
 
-attribute_role gpg_roles;
-roleattribute system_r gpg_roles;
-
-attribute_role gpg_agent_roles;
-
-attribute_role gpg_helper_roles;
-roleattribute system_r gpg_helper_roles;
-
-attribute_role gpg_pinentry_roles;
+## <desc>
+## <p>
+## Allow gpg web domain to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(gpg_web_anon_write, false)
 
-type gpg_t;
+type gpg_t, gpgdomain;
 type gpg_exec_t;
 typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
 typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
-userdom_user_application_domain(gpg_t, gpg_exec_t)
-role gpg_roles types gpg_t;
+application_domain(gpg_t, gpg_exec_t)
+ubac_constrained(gpg_t)
+role system_r types gpg_t;
 
 type gpg_agent_t;
 type gpg_agent_exec_t;
 typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
 typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
-userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
-role gpg_agent_roles types gpg_agent_t;
+application_domain(gpg_agent_t, gpg_agent_exec_t)
+ubac_constrained(gpg_agent_t)
 
 type gpg_agent_tmp_t;
 typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
 typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
-userdom_user_tmp_file(gpg_agent_tmp_t)
+files_tmp_file(gpg_agent_tmp_t)
+ubac_constrained(gpg_agent_tmp_t)
 
 type gpg_secret_t;
 typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
@@ -52,112 +52,116 @@ type gpg_helper_t;
 type gpg_helper_exec_t;
 typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
 typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
-userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
-role gpg_helper_roles types gpg_helper_t;
+application_domain(gpg_helper_t, gpg_helper_exec_t)
+ubac_constrained(gpg_helper_t)
+role system_r types gpg_helper_t;
 
 type gpg_pinentry_t;
 type pinentry_exec_t;
 typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
 typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
-userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
-role gpg_pinentry_roles types gpg_pinentry_t;
+application_domain(gpg_pinentry_t, pinentry_exec_t)
+ubac_constrained(gpg_pinentry_t)
 
 type gpg_pinentry_tmp_t;
-userdom_user_tmp_file(gpg_pinentry_tmp_t)
+files_tmp_file(gpg_pinentry_tmp_t)
+ubac_constrained(gpg_pinentry_tmp_t)
 
 type gpg_pinentry_tmpfs_t;
-userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
 
-optional_policy(`
-	pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
-')
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
+role system_r types gpg_web_t;
 
 ########################################
 #
-# Local policy
+# GPG local policy
 #
 
-allow gpg_t self:capability { ipc_lock setuid };
-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
-allow gpg_t self:fifo_file rw_fifo_file_perms;
-allow gpg_t self:tcp_socket { accept listen };
+allow gpgdomain self:capability { ipc_lock setuid };
+allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
 
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+
+allow gpg_t gpg_secret_t:dir create_dir_perms;
 manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
-
-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-
-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
 
 kernel_read_sysctl(gpg_t)
+kernel_read_system_state(gpg_t)
+kernel_getattr_core_if(gpg_t)
 
 corecmd_exec_shell(gpg_t)
 corecmd_exec_bin(gpg_t)
 
-corenet_all_recvfrom_unlabeled(gpg_t)
 corenet_all_recvfrom_netlabel(gpg_t)
 corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_udp_sendrecv_generic_if(gpg_t)
 corenet_tcp_sendrecv_generic_node(gpg_t)
-
-corenet_sendrecv_all_client_packets(gpg_t)
-corenet_tcp_connect_all_ports(gpg_t)
+corenet_udp_sendrecv_generic_node(gpg_t)
 corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
 
-dev_read_generic_usb_dev(gpg_t)
 dev_read_rand(gpg_t)
 dev_read_urand(gpg_t)
-
-files_read_usr_files(gpg_t)
-files_dontaudit_search_var(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
+dev_dontaudit_getattr_all(gpg_t)
 
 fs_getattr_xattr_fs(gpg_t)
 fs_list_inotifyfs(gpg_t)
 
 domain_use_interactive_fds(gpg_t)
 
-auth_use_nsswitch(gpg_t)
+files_dontaudit_search_var(gpg_t)
 
-logging_send_syslog_msg(gpg_t)
+auth_use_nsswitch(gpg_t)
 
-miscfiles_read_localization(gpg_t)
+init_dontaudit_getattr_initctl(gpg_t)
 
-userdom_use_user_terminals(gpg_t)
+logging_send_syslog_msg(gpg_t)
 
-userdom_manage_user_tmp_files(gpg_t)
+userdom_use_inherited_user_terminals(gpg_t)
+# sign/encrypt user files
+userdom_manage_all_user_tmp_content(gpg_t)
+#userdom_manage_user_home_content(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_manage_user_home_content_dirs(gpg_t)
+userdom_filetrans_home_content(gpg_t)
+userdom_stream_connect(gpg_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gpg_t)
-	fs_manage_nfs_files(gpg_t)
-')
+mta_manage_config(gpg_t)
+mta_read_spool(gpg_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gpg_t)
-	fs_manage_cifs_files(gpg_t)
-')
+userdom_home_manager(gpg_t)
 
 optional_policy(`
-	gnome_read_generic_home_content(gpg_t)
-	gnome_stream_connect_all_gkeyringd(gpg_t)
+	gpm_dontaudit_getattr_gpmctl(gpg_t)
 ')
 
 optional_policy(`
-	mozilla_dontaudit_rw_user_home_files(gpg_t)
+	gnome_manage_config(gpg_t)
+	gnome_stream_connect_gkeyringd(gpg_t)
 ')
 
 optional_policy(`
-	mta_read_spool_files(gpg_t)
-	mta_write_config(gpg_t)
+	mozilla_read_user_home_files(gpg_t)
+	mozilla_write_user_home_files(gpg_t)
 ')
 
 optional_policy(`
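Review bot: `mta_manage_config(gpg_t)` and `mta_read_spool(gpg_t)` are now called unconditionally, whereas the removed equivalents were wrapped in optional_policy; unless the mta module is guaranteed to be in the base policy of this tree, the module fails to build when mta is not loaded, so wrapping the two calls in optional_policy again keeps gpg loadable on its own. The new names also differ from the removed ones (`mta_read_spool` versus `mta_read_spool_files`, `mta_manage_config` versus `mta_write_config`), so confirm both exist in this tree's mta.if. `#userdom_manage_user_home_content(gpg_t)` is a commented-out rule that should be deleted or given a reason, and there are two consecutive blank lines before `allow gpg_t gpg_secret_t:dir create_dir_perms;`.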
@@ -165,37 +169,51 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cron_system_entry(gpg_t, gpg_exec_t)
-	cron_read_system_job_tmp_files(gpg_t)
-')
-
-optional_policy(`
 	xserver_use_xdm_fds(gpg_t)
 	xserver_rw_xdm_pipes(gpg_t)
 ')
 
+#optional_policy(`
+#	cron_system_entry(gpg_t, gpg_exec_t)
+#	cron_read_system_job_tmp_files(gpg_t)
+#')
+
 ########################################
 #
-# Helper local policy
+# GPG helper local policy
 #
 
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
 allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
 allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
 
-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
+dontaudit gpg_helper_t gpg_secret_t:file read;
 
-corenet_all_recvfrom_unlabeled(gpg_helper_t)
 corenet_all_recvfrom_netlabel(gpg_helper_t)
 corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
 corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
 corenet_tcp_sendrecv_all_ports(gpg_helper_t)
-
-corenet_sendrecv_all_client_packets(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_generic_node(gpg_helper_t)
+corenet_udp_bind_generic_node(gpg_helper_t)
 corenet_tcp_connect_all_ports(gpg_helper_t)
 
+
 auth_use_nsswitch(gpg_helper_t)
 
-userdom_use_user_terminals(gpg_helper_t)
+userdom_use_inherited_user_terminals(gpg_helper_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_dontaudit_rw_nfs_files(gpg_helper_t)
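Review bot: `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` at L32523 sits under the "GPG helper local policy" heading and is repeated verbatim at L32569 in the agent section of the next hunk, so one of the two should go; the agent section is the natural home for it. The commented-out cron block at L32512-L32515 is dead text with no explanation, so either drop it or replace it with a one-line reason such as `# cron_system_entry dropped: gpg is no longer run as a system cron job`. The explanatory comment at L32527-L32529 is separated from the socket rules it describes by blank lines; attaching it directly above L32531 would make the intent clear. The tunable_policy block at L32560 continues past the end of the hunk.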
@@ -207,29 +225,36 @@ tunable_policy(`use_samba_home_dirs',`
 
 ########################################
 #
-# Agent local policy
+# GPG agent local policy
 #
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process { setrlimit signal_perms };
 
-allow gpg_agent_t self:process setrlimit;
-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
 allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
 
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 
+# Allow the gpg-agent to manage its tmp files (socket)
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
 
-kernel_dontaudit_search_sysctl(gpg_agent_t)
+kernel_read_system_state(gpg_agent_t)
+kernel_read_core_if(gpg_agent_t)
 
+corecmd_read_bin_symlinks(gpg_agent_t)
+corecmd_exec_bin(gpg_agent_t)
 corecmd_exec_shell(gpg_agent_t)
 
 dev_read_rand(gpg_agent_t)
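Review bot: `stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` at L32595 is a gpg_t rule placed in the gpg_agent_t section; moving it to the gpg local policy (or noting at the comment that it intentionally lives here because it names the agent's tmp type) keeps each section about one domain. The `filetrans_pattern(..., sock_file, "log-socket")` removed at L32591 has no visible replacement, so a log socket created under ~/.gnupg would presumably inherit gpg_secret_t rather than gpg_agent_tmp_t; worth confirming that is intended. Style: the stray space before the semicolon in `allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;` at L32576 does not match the rest of the file. The `kernel_read_core_if` call at L32599 would also benefit from a why-comment since the neighbouring system-state rule already covers /proc.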
@@ -239,37 +264,41 @@ domain_use_interactive_fds(gpg_agent_t)
 
 fs_dontaudit_list_inotifyfs(gpg_agent_t)
 
-miscfiles_read_localization(gpg_agent_t)
+miscfiles_read_certs(gpg_agent_t)
 
-userdom_use_user_terminals(gpg_agent_t)
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 userdom_search_user_home_dirs(gpg_agent_t)
+userdom_filetrans_home_content(gpg_agent_t)
 
 ifdef(`hide_broken_symptoms',`
 	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+	userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
 ')
 
 tunable_policy(`gpg_agent_env_file',`
+	# write ~/.gpg-agent-info or a similar to the users home dir
+	# or subdir (gpg-agent --write-env-file option)
+	#
 	userdom_manage_user_home_content_dirs(gpg_agent_t)
 	userdom_manage_user_home_content_files(gpg_agent_t)
-	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gpg_agent_t)
-	fs_manage_nfs_files(gpg_agent_t)
-	fs_manage_nfs_symlinks(gpg_agent_t)
-')
+userdom_home_manager(gpg_agent_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gpg_agent_t)
-	fs_manage_cifs_files(gpg_agent_t)
-	fs_manage_cifs_symlinks(gpg_agent_t)
+optional_policy(`
+	gnome_manage_config(gpg_agent_t)
 ')
 
 optional_policy(`
 	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
 ')
 
+optional_policy(`
+	pcscd_stream_connect(gpg_agent_t)
+')
+
 ##############################
 #
 # Pinentry local policy
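Review bot: The comment at L32616 is a copy of the one at L32579 in the previous hunk ("read and write ~/.gnupg ...") but the rules beneath it are a home-dir search and a file transition, not read/write access; something like `# find ~/.gnupg under the user home and label new content created there` describes them accurately. The bare `#` at L32628 is an empty trailing comment line and can be dropped. `userdom_filetrans_home_content(gpg_agent_t)` at L32618 is unconditional while the matching manage rules at L32629-L32630 stay behind the `gpg_agent_env_file` tunable, which is presumably harmless since the transition only matters when create is permitted, but a short comment would save the next reader the same check.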
@@ -277,8 +306,17 @@ optional_policy(`
 
 allow gpg_pinentry_t self:process { getcap getsched setsched signal };
 allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
 allow gpg_pinentry_t self:shm create_shm_perms;
-allow gpg_pinentry_t self:tcp_socket { accept listen };
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
 
 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
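Review bot: `allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;` at L32667 widens the previous `{ accept listen }` to full socket creation and L32664 adds a netlink_route_socket, neither with a why-comment; the pulseaudio port rules later in the file (L32693-L32695, outside this hunk) suggest the reason, so a comment such as `# tcp/netlink: pinentry's audio feedback connects to pulseaudio — confirm` would ground the grant. The explicit permission list in `allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };` at L32669 is unusual style next to the macro-based rules above it; if the set is deliberately narrower than create_stream_socket_perms, say so in a comment. The section continues past the end of the hunk.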
@@ -287,53 +325,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
 
-can_exec(gpg_pinentry_t, pinentry_exec_t)
-
+# read /proc/meminfo
 kernel_read_system_state(gpg_pinentry_t)
 
 corecmd_exec_shell(gpg_pinentry_t)
 corecmd_exec_bin(gpg_pinentry_t)
 
 corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
 corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
 corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
 
 dev_read_urand(gpg_pinentry_t)
 dev_read_rand(gpg_pinentry_t)
 
-domain_use_interactive_fds(gpg_pinentry_t)
-
-files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
 
 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_tmpfs(gpg_pinentry_t)
 
 auth_use_nsswitch(gpg_pinentry_t)
 
 logging_send_syslog_msg(gpg_pinentry_t)
 
 miscfiles_read_fonts(gpg_pinentry_t)
-miscfiles_read_localization(gpg_pinentry_t)
 
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmpfs_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmpfs_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
 userdom_use_user_terminals(gpg_pinentry_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(gpg_pinentry_t)
-')
+userdom_home_reader(gpg_pinentry_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(gpg_pinentry_t)
+optional_policy(`
+	gnome_read_home_config(gpg_pinentry_t)
 ')
 
 optional_policy(`
-	dbus_all_session_bus_client(gpg_pinentry_t)
+	dbus_session_bus_client(gpg_pinentry_t)
 	dbus_system_bus_client(gpg_pinentry_t)
 ')
 
 optional_policy(`
-	pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+	gnome_write_generic_cache_files(gpg_pinentry_t)
+	gnome_read_generic_cache_files(gpg_pinentry_t)
+	gnome_read_gconf_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+	pulseaudio_exec(gpg_pinentry_t)
+	pulseaudio_rw_home_files(gpg_pinentry_t)
+	pulseaudio_setattr_home_dir(gpg_pinentry_t)
+	pulseaudio_stream_connect(gpg_pinentry_t)
+	pulseaudio_signull(gpg_pinentry_t)
 ')
 
 optional_policy(`
 	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
+')
+
+#############################
+#
+# gpg web local policy
+#
+
+allow gpg_web_t self:process setrlimit;
+
+dev_read_rand(gpg_web_t)
+dev_read_urand(gpg_web_t)
+
+can_exec(gpg_web_t, gpg_exec_t)
+
+
+
+apache_dontaudit_rw_tmp_files(gpg_web_t)
+apache_manage_sys_content_rw(gpg_web_t)
+
+tunable_policy(`gpg_web_anon_write',`
+    miscfiles_manage_public_files(gpg_web_t)
 ')
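Review bot: The comment `# read /etc/X11/qtrc` at L32706 has no rule under it after `files_read_usr_files` was dropped, so it is now dangling and should be removed or attached to whichever rule still provides that access. The raw `allow gpg_pinentry_t user_tmpfs_t:file unlink;` at L32722 reaches into another module's type instead of going through a userdom interface, and its "Bug:" comment names no bug; at minimum write `# workaround: pinentry must unlink pulseaudio's files in the user tmpfs — TODO(bug id) use a userdom interface once one exists`. In the gpg_web section the `apache_dontaudit_rw_tmp_files`/`apache_manage_sys_content_rw` calls at L32777-L32778 are the only cross-module calls in this file not wrapped in `optional_policy(`...')`, which would make the module fail to build without apache. Minor layout: the blank line inside the optional_policy at L32760, the three blank lines at L32774-L32776, and the four-space indent at L32781 where the file otherwise uses tabs.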
diff --git a/gpm.te b/gpm.te
index 3226f52..68b2eb8 100644
--- a/gpm.te
+++ b/gpm.te
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
 init_script_file(gpm_initrc_exec_t)
 
 type gpm_conf_t;
-files_type(gpm_conf_t)
+files_config_file(gpm_conf_t)
 
 type gpm_tmp_t;
 files_tmp_file(gpm_tmp_t)
@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t)
 dev_rw_input_dev(gpm_t)
 dev_rw_mouse(gpm_t)
 
-files_read_etc_files(gpm_t)
 
 fs_getattr_all_fs(gpm_t)
 fs_search_auto_mountpoints(gpm_t)
@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t)
 
 logging_send_syslog_msg(gpm_t)
 
-miscfiles_read_localization(gpm_t)
-
-userdom_use_user_terminals(gpm_t)
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
 userdom_dontaudit_search_user_home_dirs(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
index 25f09ae..3085534 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
 #
 
 allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
 allow gpsd_t self:process { setsched signal_perms };
 allow gpsd_t self:shm create_shm_perms;
 allow gpsd_t self:unix_dgram_socket sendto;
 allow gpsd_t self:tcp_socket { accept listen };
+allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
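Review bot: `allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;` at L32831 is added without a why-comment, and uevent access is not self-explanatory for a GPS daemon; the USB tty rules in the next hunk (L32839-L32840) suggest hotplug detection of USB receivers, so `# receive uevents to detect hot-plugged (USB) GPS receivers — confirm` would make the intent checkable. Likewise the new `sys_ptrace` in the dontaudit at L32826 would be easier to review with a note on which operation triggers it.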
@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
 
 term_use_unallocated_ttys(gpsd_t)
 term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
+term_setattr_usb_ttys(gpsd_t)
 
 auth_use_nsswitch(gpsd_t)
 
 logging_send_syslog_msg(gpsd_t)
 
-miscfiles_read_localization(gpsd_t)
-
 optional_policy(`
 	chronyd_rw_shm(gpsd_t)
 	chronyd_stream_connect(gpsd_t)
diff --git a/gssproxy.fc b/gssproxy.fc
new file mode 100644
index 0000000..f4659d1
--- /dev/null
+++ b/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service		--	gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
+
+/usr/sbin/gssproxy		--	gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)?		gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/var/run/gssproxy\.pid		--	gen_context(system_u:object_r:gssproxy_var_run_t,s0)
+/var/run/gssproxy\.sock		-s	gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
index 0000000..3ce0ac0
--- /dev/null
+++ b/gssproxy.if
@@ -0,0 +1,198 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+	gen_require(`
+		type gssproxy_t, gssproxy_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+##	Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+	gen_require(`
+		type gssproxy_var_lib_t;
+	')
+
+	allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+	gen_require(`
+		type gssproxy_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+	gen_require(`
+		type gssproxy_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+	gen_require(`
+		type gssproxy_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+	gen_require(`
+		type gssproxy_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+	gen_require(`
+		type gssproxy_t;
+		type gssproxy_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 gssproxy_unit_file_t:file read_file_perms;
+	allow $1 gssproxy_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+##	Connect to gssproxy over an unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+	gen_require(`
+		type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
+	stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an gssproxy environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+	gen_require(`
+		type gssproxy_t;
+		type gssproxy_var_lib_t;
+		type gssproxy_var_run_t;
+		type gssproxy_unit_file_t;
+	')
+
+	allow $1 gssproxy_t:process { ptrace signal_perms };
+	ps_process_pattern($1, gssproxy_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, gssproxy_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, gssproxy_var_run_t)
+
+	gssproxy_systemctl($1)
+	admin_pattern($1, gssproxy_unit_file_t)
+	allow $1 gssproxy_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 0000000..bbd5979
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,68 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_var_run_t;
+files_pid_file(gssproxy_var_run_t)
+
+type gssproxy_unit_file_t;
+systemd_unit_file(gssproxy_unit_file_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+	kerberos_use(gssproxy_t)
+	kerberos_filetrans_named_content(gssproxy_t)
+')
+
+optional_policy(`
+	kerberos_keytab_template(gssproxy, gssproxy_t)
+	kerberos_manage_host_rcache(gssproxy_t)
+')
diff --git a/guest.te b/guest.te
index d928711..93d2d83 100644
--- a/guest.te
+++ b/guest.te
@@ -20,4 +20,4 @@ optional_policy(`
 	apache_role(guest_r, guest_t)
 ')
 
-#gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/hadoop.te b/hadoop.te
index e62bcb7..f44ad99 100644
--- a/hadoop.te
+++ b/hadoop.te
@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
 domain_use_interactive_fds(hadoop_t)
 
 files_dontaudit_search_spool(hadoop_t)
-files_read_usr_files(hadoop_t)
 
 fs_getattr_xattr_fs(hadoop_t)
 
@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain)
 corecmd_exec_bin(hadoop_initrc_domain)
 corecmd_exec_shell(hadoop_initrc_domain)
 
-files_read_etc_files(hadoop_initrc_domain)
-files_read_usr_files(hadoop_initrc_domain)
 files_search_locks(hadoop_initrc_domain)
 files_search_pids(hadoop_initrc_domain)
 
@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t)
 
 domain_use_interactive_fds(zookeeper_t)
 
-files_read_usr_files(zookeeper_t)
 
 auth_use_nsswitch(zookeeper_t)
 
@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t)
 dev_read_sysfs(zookeeper_server_t)
 dev_read_urand(zookeeper_server_t)
 
-files_read_usr_files(zookeeper_server_t)
 
 fs_getattr_xattr_fs(zookeeper_server_t)
 
diff --git a/hal.te b/hal.te
index 0801fe1..85b6f3e 100644
--- a/hal.te
+++ b/hal.te
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
 # Common local policy
 #
 
-files_read_usr_files(hald_domain)
 
 miscfiles_read_localization(hald_domain)
 
@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
 
 dev_rw_input_dev(hald_keymap_t)
 
-files_read_etc_files(hald_keymap_t)
 
 logging_search_logs(hald_keymap_t)
 
diff --git a/hddtemp.if b/hddtemp.if
index 1728071..77e71ea 100644
--- a/hddtemp.if
+++ b/hddtemp.if
@@ -60,9 +60,13 @@ interface(`hddtemp_admin',`
 		type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
 	')
 
-	allow $1 hddtemp_t:process { ptrace signal_perms };
+	allow $1 hddtemp_t:process signal_perms;
 	ps_process_pattern($1, hddtemp_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 hddtemp_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
index 18d76bb..588c964 100644
--- a/hddtemp.te
+++ b/hddtemp.te
@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
 
 allow hddtemp_t hddtemp_etc_t:file read_file_perms;
 
-corenet_all_recvfrom_unlabeled(hddtemp_t)
 corenet_all_recvfrom_netlabel(hddtemp_t)
 corenet_tcp_sendrecv_generic_if(hddtemp_t)
 corenet_tcp_sendrecv_generic_node(hddtemp_t)
@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
 corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
 corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
 
-files_search_etc(hddtemp_t)
-files_read_usr_files(hddtemp_t)
-
 storage_raw_read_fixed_disk(hddtemp_t)
 storage_raw_read_removable_device(hddtemp_t)
 
@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t)
 
 logging_send_syslog_msg(hddtemp_t)
 
-miscfiles_read_localization(hddtemp_t)
diff --git a/howl.te b/howl.te
index e207823..4e0f8ba 100644
--- a/howl.te
+++ b/howl.te
@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
 kernel_list_proc(howl_t)
 kernel_read_proc_symlinks(howl_t)
 
-corenet_all_recvfrom_unlabeled(howl_t)
 corenet_all_recvfrom_netlabel(howl_t)
 corenet_tcp_sendrecv_generic_if(howl_t)
 corenet_udp_sendrecv_generic_if(howl_t)
@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t)
 
 logging_send_syslog_msg(howl_t)
 
-miscfiles_read_localization(howl_t)
-
 userdom_dontaudit_use_unpriv_user_fds(howl_t)
 userdom_dontaudit_search_user_home_dirs(howl_t)
 
diff --git a/hypervkvp.fc b/hypervkvp.fc
new file mode 100644
index 0000000..e2ae3b2
--- /dev/null
+++ b/hypervkvp.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/hypervkvpd	--	gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/hypervvssd.*      --  gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
+
+/usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hypervkvpd		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+
+/usr/sbin/hypervvssd        --  gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
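Review bot: The entries at L33285 and L33290 label files with `hypervvssd_unit_file_t` and `hypervvssd_exec_t`, which are not hypervkvp_* types; unless hypervkvp.te (not in this chunk) declares them, setfiles will reject this file, so it is worth checking that the .te half of the change declares both. Those two lines also use spaces for column alignment where the rest of the file uses tabs.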
diff --git a/hypervkvp.if b/hypervkvp.if
new file mode 100644
index 0000000..b7ca833
--- /dev/null
+++ b/hypervkvp.if
@@ -0,0 +1,134 @@
+
+## <summary>policy for hypervkvp</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the hypervkvp domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hypervkvp_domtrans',`
+	gen_require(`
+		type hypervkvp_t, hypervkvp_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+')
+
+########################################
+## <summary>
+##	Search hypervkvp lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hypervkvp_search_lib',`
+	gen_require(`
+		type hypervkvp_var_lib_t;
+	')
+
+	allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read hypervkvp lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hypervkvp_read_lib_files',`
+	gen_require(`
+		type hypervkvp_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
+	read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	hypervkvp lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hypervkvp_manage_lib_files',`
+	gen_require(`
+		type hypervkvp_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Execute hypervkvp server in the hypervkvp domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`hypervkvp_systemctl',`
+    gen_require(`
+        type hypervkvp_t;
+        type hypervkvp_unit_file_t;
+    ')
+
+    systemd_exec_systemctl($1)
+    allow $1 hypervkvp_unit_file_t:file read_file_perms;
+    allow $1 hypervkvp_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, hypervkvp_t)
+    ')
+
+###################################