diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bea5755
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+TAGS
diff --git a/abrt.fc b/abrt.fc
index 1a93dc5..e948aef 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,31 +1,47 @@
-/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 
-/usr/bin/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages	--	gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.*	--	gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-.* 	    --	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-retrace-worker	--  gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/abrt-watch-log         --  gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+/usr/bin/retrace-server-worker  --  gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages      --  gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+
+/usr/sbin/abrtd			        --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus		        --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.*	    --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-install-ccpp-hook --	gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch     --  gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
 
-/usr/libexec/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 /usr/libexec/abrt-handle-event	--	gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
-/usr/libexec/abrt-hook-python	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/libexec/abrt-hook-ccpp     --  gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+
+/var/cache/abrt(/.*)?			    gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-di(/.*)?            gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/cache/abrt-retrace(/.*)?		gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/cache/retrace-server(/.*)?		gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+
+/var/log/abrt-logger.*		--	gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+/var/lib/abrt(/.*)?               gen_context(system_u:object_r:abrt_var_lib_t,s0)
+
+/var/run/abrt\.pid		    --	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)?		    	gen_context(system_u:object_r:abrt_var_run_t,s0)
 
-/usr/sbin/abrtd	--	gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-dbus	--	gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-upload-watch	--	gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
+/var/spool/abrt(/.*)?			    gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/faf(/.*)?		gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/rhsm/debug(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
 
-/var/cache/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-di(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/tmp/abrt(/.*)?           gen_context(system_u:object_r:abrt_var_cache_t,s0)
 
-/var/log/abrt-logger.*	--	gen_context(system_u:object_r:abrt_var_log_t,s0)
 
-/var/run/abrt\.pid	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.lock	--	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.socket	-s	gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_run_t,s0)
 
-/var/spool/abrt(/.*)?	gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
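Review bot: The new `/var/run/abrtd?\.socket` entry carries the `--` (regular file) specifier, while the entry it replaces used `-s`; abrt.te in this same commit still creates sock_files in abrt_var_run_t (`manage_sock_files_pattern` and the `{ file dir sock_file }` pid filetrans), so a socket at that path would no longer match this line and would keep the generic /var/run label. Restore `/var/run/abrtd?\.socket		-s	gen_context(system_u:object_r:abrt_var_run_t,s0)`. Separately, `/var/spool/debug(/.*)?` and `/var/spool/rhsm/debug(/.*)?` are now labelled abrt_var_cache_t, which gives every caller of abrt_manage_cache write access to those trees as well; worth confirming that is intended rather than a narrower type.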
diff --git a/abrt.if b/abrt.if
index 058d908..ee0c559 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,42 @@
-## <summary>Automated bug-reporting tool.</summary>
+## <summary>ABRT - automated bug-reporting tool</summary>
+
+########################################
+## <summary>
+##	abrt stub interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_stub',`
+	gen_require(`
+		type abrt_t;
+	')
+')
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  ABRT daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`abrt_basic_types_template',`
+    gen_require(`
+        attribute abrt_domain;
+    ')
+
+    type $1_t, abrt_domain;
+    type $1_exec_t;
+
+	kernel_read_system_state($1_t)
+')
 
 ######################################
 ## <summary>
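Review bot: `abrt_basic_types_template` mixes four-space indentation with a tab on its last line (`kernel_read_system_state($1_t)`), while the rest of abrt.if indents with tabs; the body should use tabs throughout. The template also grants kernel_read_system_state to every domain it declares, so each `abrt_basic_types_template(...)` call in abrt.te picks up that access as a side effect of type declaration, which is easy to miss from the call site; a comment above the call, `##	Every domain created by this template may read generic system state (kernel_read_system_state).`, would make that visible in the interface documentation. `abrt_stub` requires abrt_t without using it, which is the usual stub shape and fine.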
@@ -21,6 +59,25 @@ interface(`abrt_domtrans',`
 
 ######################################
 ## <summary>
+##	Execute abrt_dump_oops in the abrt_dump_oops_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`abrt_dump_oops_domtrans',`
+	gen_require(`
+		type abrt_dump_oops_t, abrt_dump_oops_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+')
+
+######################################
+## <summary>
 ##	Execute abrt in the caller domain.
 ## </summary>
 ## <param name="domain">
@@ -40,7 +97,7 @@ interface(`abrt_exec',`
 
 ########################################
 ## <summary>
-##	Send null signals to abrt.
+##	Send a null signal to abrt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58,7 +115,7 @@ interface(`abrt_signull',`
 
 ########################################
 ## <summary>
-##	Read process state of abrt.
+##	Allow the domain to read abrt state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -71,12 +128,13 @@ interface(`abrt_read_state',`
 		type abrt_t;
 	')
 
+	kernel_search_proc($1)
 	ps_process_pattern($1, abrt_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to abrt over an unix stream socket.
+##	Connect to abrt over a unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -116,8 +174,7 @@ interface(`abrt_dbus_chat',`
 
 #####################################
 ## <summary>
-##	Execute abrt-helper in the abrt
-##	helper domain.
+##	Execute abrt-helper in the abrt-helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -130,15 +187,13 @@ interface(`abrt_domtrans_helper',`
 		type abrt_helper_t, abrt_helper_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute abrt helper in the abrt
-##	helper domain, and allow the
-##	specified role the abrt helper domain.
+##	Execute abrt helper in the abrt_helper domain, and
+##	allow the specified role the abrt_helper domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
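Review bot: `abrt_domtrans_helper` loses `corecmd_search_bin($1)` here, yet abrt.fc in this same commit places the helper under /usr/bin (`/usr/bin/abrt-pyhook-helper`), so a caller that does not already search bin_t directories cannot reach the executable before the transition; the two other domtrans interfaces in this file (`abrt_dump_oops_domtrans`, `abrt_domtrans_retrace_worker`) keep the call, so this one is now inconsistent with them. The same pattern appears in the `abrt_manage_cache` hunk further down, which drops `files_search_var($1)` although the cache lives under /var. Unless every caller is known to have that search access already, keep `corecmd_search_bin($1)` before the `domtrans_pattern` call.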
@@ -163,8 +218,7 @@ interface(`abrt_run_helper',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt cache files.
+##	Read abrt cache
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -172,15 +226,56 @@ interface(`abrt_run_helper',`
 ##	</summary>
 ## </param>
 #
-interface(`abrt_cache_manage',`
-	refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
-	abrt_manage_cache($1)
+interface(`abrt_read_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+	read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt cache content.
+##	Append abrt cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_append_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	
+	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read/Write inherited abrt cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_rw_inherited_cache',`
+	gen_require(`
+		type abrt_var_cache_t;
+	')
+
+	
+	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage abrt cache
 ## </summary>
 ## <param name="domain">
 ##	<summary>
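Review bot: The deprecated `abrt_cache_manage` interface is removed outright instead of keeping its refpolicywarn shim, so any out-of-tree module still calling it fails to build rather than getting the deprecation warning; if that break is intended it should be stated, otherwise keep the shim beside the new `abrt_read_cache`. `abrt_read_cache` grants read_files_pattern and read_lnk_files_pattern but no `list_dirs_pattern`, so a caller that needs to enumerate the cache directory rather than open a known path is still denied — the read_*_retrace interfaces later in this file do include list_dirs_pattern, so confirm which behaviour is wanted. The blank line between the gen_require block and the allow rule in `abrt_append_cache` and `abrt_rw_inherited_cache` contains a stray tab; make it an empty line.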
@@ -193,7 +288,6 @@ interface(`abrt_manage_cache',`
 		type abrt_var_cache_t;
 	')
 
-	files_search_var($1)
 	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
@@ -201,7 +295,7 @@ interface(`abrt_manage_cache',`
 
 ####################################
 ## <summary>
-##	Read abrt configuration files.
+##	Read abrt configuration file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -218,9 +312,29 @@ interface(`abrt_read_config',`
 	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
 ')
 
+####################################
+## <summary>
+##	Dontaudit read abrt configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_dontaudit_read_config',`
+	gen_require(`
+		type abrt_etc_t;
+	')
+
+	files_search_etc($1)
+    dontaudit $1 abrt_etc_t:dir list_dir_perms;
+    dontaudit $1 abrt_etc_t:file read_file_perms;
+')
+
 ######################################
 ## <summary>
-##	Read abrt log files.
+##	Read abrt logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
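Review bot: `abrt_dontaudit_read_config` contains an allow rule — `files_search_etc($1)` grants search on /etc — inside an interface whose name and summary promise only to suppress audit messages; a dontaudit interface should not widen the caller's access, so drop that line (the dontaudit rules that follow do not need search on the parent directory). The two `dontaudit` lines are also indented with four spaces while the rest of the file uses tabs.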
@@ -258,8 +372,7 @@ interface(`abrt_read_pid_files',`
 
 ######################################
 ## <summary>
-##	Create, read, write, and delete
-##	abrt PID files.
+##	Create, read, write, and delete abrt PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -276,10 +389,52 @@ interface(`abrt_manage_pid_files',`
 	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
 ')
 
+########################################
+## <summary>
+##	Read and write abrt fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_rw_fifo_file',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute abrt server in the abrt domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`abrt_systemctl',`
+	gen_require(`
+		type abrt_t;
+		type abrt_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 abrt_unit_file_t:file manage_file_perms;
+	allow $1 abrt_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, abrt_t)
+')
+
 #####################################
 ## <summary>
-##	All of the rules required to
-##	administrate an abrt environment,
+##	All of the rules required to administrate
+##	an abrt environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
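Review bot: `abrt_systemctl` grants `manage_file_perms` on abrt_unit_file_t:file, which lets the caller rewrite or delete the abrt unit file itself — and so change what the unit launches — whereas controlling the service only needs to read the unit plus the service permissions granted on the next line; unless a caller actually installs unit files, `allow $1 abrt_unit_file_t:file read_file_perms;` is the narrower rule (`abrt_admin` in this file adds full access via admin_pattern separately). The summary "Execute abrt server in the abrt domain" does not describe the body; something like `##	Allow the caller to start, stop and query the abrt service via systemctl.` fits. Likewise `abrt_rw_fifo_file` grants only rw_inherited_fifo_file_perms, so its summary should say "Read and write inherited abrt fifo files" — the caller cannot open the fifo, only use an inherited descriptor.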
@@ -288,39 +443,174 @@ interface(`abrt_manage_pid_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the abrt domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`abrt_admin',`
 	gen_require(`
-		attribute abrt_domain;
-		type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
-		type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
-		type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
+		type abrt_t, abrt_etc_t;
+		type abrt_var_cache_t, abrt_var_log_t;
+		type abrt_var_run_t, abrt_tmp_t;
+		type abrt_initrc_exec_t;
+		type abrt_unit_file_t;
 	')
 
-	allow $1 abrt_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, abrt_domain)
+	allow $1 abrt_t:process { signal_perms };
+	ps_process_pattern($1, abrt_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 abrt_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, abrt_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 abrt_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, abrt_etc_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, abrt_var_log_t)
 
-	files_search_var($1)
-	admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+	files_list_var($1)
+	admin_pattern($1, abrt_var_cache_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, abrt_var_run_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, abrt_tmp_t)
+
+	abrt_systemctl($1)
+	admin_pattern($1, abrt_unit_file_t)
+	allow $1 abrt_unit_file_t:service all_service_perms;
+')
+
+####################################
+## <summary>
+##  Execute abrt-retrace in the abrt-retrace domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`abrt_domtrans_retrace_worker',`
+    gen_require(`
+        type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
+')
+
+######################################
+## <summary>
+##  Manage abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_manage_spool_retrace',`
+    gen_require(`
+        type abrt_retrace_spool_t;
+    ')
+
+	manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+	manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+	manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 ')
+
+#####################################
+## <summary>
+##  Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_read_spool_retrace',`
+    gen_require(`
+        type abrt_retrace_spool_t;
+    ')
+
+    list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+    read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+
+#####################################
+## <summary>
+##  Read abrt retrace server cache
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`abrt_read_cache_retrace',`
+    gen_require(`
+        type abrt_retrace_cache_t;
+    ')
+
+    list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+    read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write abrt sock files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`abrt_dontaudit_write_sock_file',`
+	gen_require(`
+		type abrt_t;
+	')
+
+	dontaudit $1 abrt_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Transition to abrt named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`abrt_filetrans_named_content',`
+	gen_require(`
+		type abrt_tmp_t;
+		type abrt_etc_t;
+		type abrt_var_cache_t;
+		type abrt_var_run_t;
+	')
+
+	files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
+	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
+	files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
+	files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
+')
+
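Review bot: `abrt_filetrans_named_content` transitions the name "abrt-dix" to abrt_var_cache_t under /var, but abrt.fc in this same commit labels `/var/cache/abrt-di(/.*)?`, so the name filetrans looks like a typo and would never fire for the directory abrt actually creates; the line should read `files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-di")` unless a separate "abrt-dix" path exists. `abrt_read_spool_retrace` and `abrt_read_cache_retrace` both carry the summary "Read abrt retrace server cache" although one covers abrt_retrace_spool_t and the other abrt_retrace_cache_t; the spool one should say "Read abrt retrace server spool". In `abrt_admin` the admin_pattern over abrt_retrace_cache_t and abrt_retrace_spool_t is dropped, so an abrt administrator can no longer manage the retrace cache and spool trees even though both types still exist in abrt.te; if that is deliberate it deserves a comment.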
diff --git a/abrt.te b/abrt.te
index eb50f07..9e51efe 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
 #
 
 ## <desc>
-##	<p>
-##	Determine whether ABRT can modify
-##	public files used for public file
-##	transfer services.
-##	</p>
+## <p>
+## Allow ABRT to modify public files
+## used for public file transfer services.
+## </p>
 ## </desc>
 gen_tunable(abrt_anon_write, false)
 
@@ -37,87 +36,99 @@ attribute abrt_domain;
 attribute_role abrt_helper_roles;
 roleattribute system_r abrt_helper_roles;
 
-type abrt_t, abrt_domain;
-type abrt_exec_t;
+abrt_basic_types_template(abrt)
 init_daemon_domain(abrt_t, abrt_exec_t)
 
 type abrt_initrc_exec_t;
 init_script_file(abrt_initrc_exec_t)
 
+type abrt_unit_file_t;
+systemd_unit_file(abrt_unit_file_t)
+
 type abrt_etc_t;
 files_config_file(abrt_etc_t)
 
 type abrt_var_log_t;
 logging_log_file(abrt_var_log_t)
 
+type abrt_var_lib_t;
+files_type(abrt_var_lib_t)
+
 type abrt_tmp_t;
 files_tmp_file(abrt_tmp_t)
 
 type abrt_var_cache_t;
 files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
+userdom_user_tmp_content(abrt_var_cache_t)
 
 type abrt_var_run_t;
 files_pid_file(abrt_var_run_t)
 
-type abrt_dump_oops_t, abrt_domain;
-type abrt_dump_oops_exec_t;
+abrt_basic_types_template(abrt_dump_oops)
 init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+domain_obj_id_change_exemption(abrt_dump_oops_t)
 
-type abrt_handle_event_t, abrt_domain;
-type abrt_handle_event_exec_t;
-domain_type(abrt_handle_event_t)
-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+abrt_basic_types_template(abrt_handle_event)
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
 role system_r types abrt_handle_event_t;
 
-type abrt_helper_t, abrt_domain;
-type abrt_helper_exec_t;
+# type needed to allow all domains
+# to handle /var/cache/abrt
+# type needed to allow all domains
+# to handle /var/cache/abrt
+abrt_basic_types_template(abrt_helper)
 application_domain(abrt_helper_t, abrt_helper_exec_t)
 role abrt_helper_roles types abrt_helper_t;
 
-type abrt_retrace_coredump_t, abrt_domain;
-type abrt_retrace_coredump_exec_t;
-domain_type(abrt_retrace_coredump_t)
-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-role system_r types abrt_retrace_coredump_t;
-
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
 role system_r types abrt_retrace_worker_t;
 
+abrt_basic_types_template(abrt_retrace_coredump)
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
 type abrt_retrace_cache_t;
 files_type(abrt_retrace_cache_t)
 
 type abrt_retrace_spool_t;
-files_type(abrt_retrace_spool_t)
+files_spool_file(abrt_retrace_spool_t)
 
-type abrt_watch_log_t, abrt_domain;
-type abrt_watch_log_exec_t;
+abrt_basic_types_template(abrt_watch_log)
 init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
 
-type abrt_upload_watch_t, abrt_domain;
-type abrt_upload_watch_exec_t;
+abrt_basic_types_template(abrt_upload_watch)
 init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
 
+type abrt_upload_watch_tmp_t;
+files_tmp_file(abrt_upload_watch_tmp_t)
+
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
 ')
 
 ########################################
 #
-# Local policy
+# abrt local policy
 #
 
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
 allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
 allow abrt_t self:fifo_file rw_fifo_file_perms;
-allow abrt_t self:tcp_socket { accept listen };
+allow abrt_t self:tcp_socket create_stream_socket_perms;
+allow abrt_t self:udp_socket create_socket_perms;
+allow abrt_t self:unix_dgram_socket create_socket_perms;
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow abrt_t abrt_etc_t:dir list_dir_perms;
+# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
 
+# log file
 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
 logging_log_filetrans(abrt_t, abrt_var_log_t, file)
 
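Review bot: `sys_ptrace` is both allowed and dontaudited for abrt_t on consecutive lines (`allow abrt_t self:capability { ... sys_ptrace };` followed by `dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };`); the dontaudit entry is dead once the allow exists, so decide which is meant — granting sys_ptrace to the crash-collecting daemon is a real widening and should carry its own comment if kept. The comment "# type needed to allow all domains / # to handle /var/cache/abrt" is pasted twice above `abrt_basic_types_template(abrt_helper)`; keep one copy. `userdom_user_tmp_content(abrt_var_cache_t)` together with `files_tmp_file(abrt_var_cache_t)` appears to make the whole abrt cache — including the /var/spool and /var/tmp trees abrt.fc maps to it — user tmp content, which as far as I can tell exposes it to every user domain's generic tmp-file access; if only the /var/tmp/abrt subtree needs that, a dedicated tmp type would be narrower.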
@@ -125,48 +136,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
 
+# abrt var/cache files
 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
 files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
 
+# abrt pid files
 manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
 
-can_exec(abrt_t, abrt_tmp_t)
+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
 
+kernel_read_all_proc(abrt_t)
 kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
+kernel_read_software_raid_state(abrt_t)
 kernel_request_load_module(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
 kernel_rw_kernel_sysctl(abrt_t)
+# needed by docker BZ #1194280
+kernel_read_net_sysctls(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
 
 corecmd_exec_bin(abrt_t)
 corecmd_exec_shell(abrt_t)
 corecmd_read_all_executables(abrt_t)
 
 corenet_all_recvfrom_netlabel(abrt_t)
-corenet_all_recvfrom_unlabeled(abrt_t)
 corenet_tcp_sendrecv_generic_if(abrt_t)
 corenet_tcp_sendrecv_generic_node(abrt_t)
-corenet_tcp_sendrecv_all_ports(abrt_t)
+corenet_tcp_sendrecv_generic_port(abrt_t)
 corenet_tcp_bind_generic_node(abrt_t)
-
-corenet_sendrecv_all_client_packets(abrt_t)
 corenet_tcp_connect_http_port(abrt_t)
 corenet_tcp_connect_ftp_port(abrt_t)
 corenet_tcp_connect_all_ports(abrt_t)
+corenet_sendrecv_http_client_packets(abrt_t)
 
 dev_getattr_all_chr_files(abrt_t)
 dev_getattr_all_blk_files(abrt_t)
 dev_read_rand(abrt_t)
 dev_read_urand(abrt_t)
 dev_rw_sysfs(abrt_t)
-dev_dontaudit_read_raw_memory(abrt_t)
+dev_read_raw_memory(abrt_t)
+dev_write_kmsg(abrt_t)
 
 domain_getattr_all_domains(abrt_t)
 domain_read_all_domains_state(abrt_t)
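Review bot: `kernel_rw_usermodehelper_state(abrt_t)` is added twice in this hunk, once before `kernel_rw_kernel_sysctl` and again after the docker BZ comment; drop one. `dev_dontaudit_read_raw_memory(abrt_t)` becomes `dev_read_raw_memory(abrt_t)`, turning a suppressed denial into a grant of raw memory device reads for the daemon — together with `kernel_read_all_proc` this is a sizeable privilege increase, and the reason should be stated in a comment above it, e.g. `# <reason raw memory access is required> — TODO: narrow if possible`. The relocated `can_exec(abrt_t, abrt_tmp_t)` now sits right after the tmp filetrans; a short note saying what abrt executes from its tmp dir would help a reader judge that rule.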
@@ -176,29 +198,43 @@ files_getattr_all_files(abrt_t)
 files_read_config_files(abrt_t)
 files_read_etc_runtime_files(abrt_t)
 files_read_var_symlinks(abrt_t)
-files_read_usr_files(abrt_t)
+files_read_var_lib_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
 files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
 files_dontaudit_read_default_files(abrt_t)
 files_dontaudit_read_all_symlinks(abrt_t)
 files_dontaudit_getattr_all_sockets(abrt_t)
 files_list_mnt(abrt_t)
+fs_list_all(abrt_t)
 
+fs_list_inotifyfs(abrt_t)
 fs_getattr_all_fs(abrt_t)
 fs_getattr_all_dirs(abrt_t)
-fs_list_inotifyfs(abrt_t)
 fs_read_fusefs_files(abrt_t)
 fs_read_noxattr_fs_files(abrt_t)
 fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
 
-auth_use_nsswitch(abrt_t)
+storage_dontaudit_read_fixed_disk(abrt_t)
 
 logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
+
+auth_use_nsswitch(abrt_t)
+
+init_read_utmp(abrt_t)
 
+miscfiles_read_generic_certs(abrt_t)
 miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
+miscfiles_dontaudit_write_generic_cert_files(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
 
 tunable_policy(`abrt_anon_write',`
 	miscfiles_manage_public_files(abrt_t)
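Review bot: `fs_list_all(abrt_t)` is added while `fs_search_all(abrt_t)` remains a few lines below; list permissions include search, so the older call is now redundant and can be dropped, or the new one reverted if search alone was sufficient. `fs_list_inotifyfs` is only moved, which is fine.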
@@ -206,15 +242,11 @@ tunable_policy(`abrt_anon_write',`
 
 optional_policy(`
 	apache_list_modules(abrt_t)
-	apache_read_module_files(abrt_t)
+	apache_read_modules(abrt_t)
 ')
 
 optional_policy(`
 	dbus_system_domain(abrt_t, abrt_exec_t)
-
-	optional_policy(`
-		policykit_dbus_chat(abrt_t)
-	')
 ')
 
 optional_policy(`
@@ -222,6 +254,28 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kdump_read_crash(abrt_t)
+')
+
+optional_policy(`
+	lvm_dontaudit_rw_lock_dir(abrt_t)
+')
+
+optional_policy(`
+	mcelog_read_log(abrt_t)
+')
+
+optional_policy(`
+	mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+	mozilla_plugin_read_rw_files(abrt_t)
+')
+
+optional_policy(`
+    pcp_read_lib_files(abrt_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(abrt_t)
 	policykit_domtrans_auth(abrt_t)
 	policykit_read_lib(abrt_t)
 	policykit_read_reload(abrt_t)
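Review bot: The `pcp_read_lib_files(abrt_t)` optional block is indented with four spaces while every neighbouring optional_policy body in abrt.te uses a tab; the same applies to `puppet_read_lib(abrt_t)` in the next hunk. Use a tab in both so the file stays consistent.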
@@ -234,15 +288,22 @@ optional_policy(`
 ')
 
 optional_policy(`
+    puppet_read_lib(abrt_t)
+')
+
+# to install debuginfo packages
+optional_policy(`
 	rpm_exec(abrt_t)
 	rpm_dontaudit_manage_db(abrt_t)
 	rpm_manage_cache(abrt_t)
 	rpm_manage_log(abrt_t)
 	rpm_manage_pid_files(abrt_t)
+	rpm_read_tmp_files(abrt_t)
 	rpm_read_db(abrt_t)
 	rpm_signull(abrt_t)
 ')
 
+# to run mailx plugin
 optional_policy(`
 	sendmail_domtrans(abrt_t)
 ')
@@ -253,9 +314,21 @@ optional_policy(`
 	sosreport_delete_tmp_files(abrt_t)
 ')
 
+optional_policy(`
+	sssd_stream_connect(abrt_t)
+')
+
+optional_policy(`
+	xserver_read_log(abrt_t)
+')
+
+optional_policy(`
+	udev_read_db(abrt_t)
+')
+
 #######################################
 #
-# Handle-event local policy
+# abrt-handle-event local policy
 #
 
 allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +339,13 @@ tunable_policy(`abrt_handle_event',`
 	can_exec(abrt_t, abrt_handle_event_exec_t)
 ')
 
+optional_policy(`
+	unconfined_domain(abrt_handle_event_t)
+')
+
 ########################################
 #
-# Helper local policy
+# abrt--helper local policy
 #
 
 allow abrt_helper_t self:capability { chown setgid sys_nice };
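Review bot: `unconfined_domain(abrt_handle_event_t)` makes the event-handler domain unconfined, which as far as I can see gives the process that runs abrt event handlers unrestricted access and renders the abrt_handle_event_t rules elsewhere in this file moot. If this is a deliberate stopgap it should carry a comment explaining why the handlers cannot be confined, and ideally sit behind a tunable so it can be switched off; otherwise it should be replaced by the specific rules the handlers need. The section header below reads `# abrt--helper local policy` with a doubled hyphen; `# abrt-helper local policy`.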
@@ -281,6 +358,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
 
 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +367,20 @@ corecmd_read_all_executables(abrt_helper_t)
 
 domain_read_all_domains_state(abrt_helper_t)
 
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
 fs_list_inotifyfs(abrt_helper_t)
 fs_getattr_all_fs(abrt_helper_t)
 
 auth_use_nsswitch(abrt_helper_t)
 
+logging_send_syslog_msg(abrt_helper_t)
+
 term_dontaudit_use_all_ttys(abrt_helper_t)
 term_dontaudit_use_all_ptys(abrt_helper_t)
 
 ifdef(`hide_broken_symptoms',`
+	domain_dontaudit_leaks(abrt_helper_t)
 	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 	dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +388,25 @@ ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 	dev_dontaudit_write_all_blk_files(abrt_helper_t)
 	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+
+	optional_policy(`
+		rpm_dontaudit_leaks(abrt_helper_t)
+	')
+')
+
+ifdef(`hide_broken_symptoms',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow abrt_t self:capability sys_resource;
+	allow abrt_t domain:file write;
+	allow abrt_t domain:process setrlimit;
 ')
 
 #######################################
 #
-# Retrace coredump policy
+# abrt retrace coredump policy
 #
 
 allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
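Review bot: The second `ifdef(`hide_broken_symptoms',...)` block grants allow rules (`self:capability sys_resource`, `domain:file write`, `domain:process setrlimit`) to abrt_t, whereas the hide_broken_symptoms block just above it contains only dontaudit rules; `domain:file write` in particular lets abrt_t write to files labelled with any process domain's type, which is broader than the leaked-descriptor situation the macro name suggests. If a real write is required, name the file in a comment and narrow the target; if it is only a leaked descriptor, `dontaudit` is the usual choice. This is also abrt_t policy placed inside the abrt-helper section; it belongs with the other abrt_t rules in the abrt local policy section.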
@@ -327,10 +424,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
 
 dev_read_urand(abrt_retrace_coredump_t)
 
-files_read_usr_files(abrt_retrace_coredump_t)
+
+logging_send_syslog_msg(abrt_retrace_coredump_t)
 
 sysnet_dns_name_resolve(abrt_retrace_coredump_t)
 
+# to install debuginfo packages
 optional_policy(`
 	rpm_exec(abrt_retrace_coredump_t)
 	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +442,11 @@ optional_policy(`
 
 #######################################
 #
-# Retrace worker policy
+# abrt retrace worker policy
 #
 
-allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:capability { setuid };
+
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +465,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 
 dev_read_urand(abrt_retrace_worker_t)
 
-files_read_usr_files(abrt_retrace_worker_t)
+
+logging_send_syslog_msg(abrt_retrace_worker_t)
 
 sysnet_dns_name_resolve(abrt_retrace_worker_t)
 
+optional_policy(`
+	mock_domtrans(abrt_retrace_worker_t)
+	mock_manage_lib_files(abrt_t)
+')
+
 ########################################
 #
-# Dump oops local policy
+# abrt_dump_oops local policy
 #
 
-allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
+allow abrt_dump_oops_t self:process setfscreate;
 allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
 
 files_search_spool(abrt_dump_oops_t)
 manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
+
+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
+manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
 
 read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 
 read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
 
+kernel_read_debugfs(abrt_dump_oops_t)
 kernel_read_kernel_sysctls(abrt_dump_oops_t)
 kernel_read_ring_buffer(abrt_dump_oops_t)
+kernel_read_security_state(abrt_dump_oops_t)
+
+auth_read_passwd(abrt_dump_oops_t)
+
+corecmd_getattr_all_executables(abrt_dump_oops_t)
+
+dev_read_urand(abrt_dump_oops_t)
+dev_read_rand(abrt_dump_oops_t)
 
 domain_use_interactive_fds(abrt_dump_oops_t)
+domain_signull_all_domains(abrt_dump_oops_t)
+domain_ptrace_all_domains(abrt_dump_oops_t)
+domain_read_all_domains_state(abrt_dump_oops_t)
+domain_getattr_all_domains(abrt_dump_oops_t)
 
+files_manage_non_security_dirs(abrt_dump_oops_t)
+files_manage_non_security_files(abrt_dump_oops_t)
+
+fs_getattr_all_fs(abrt_dump_oops_t)
 fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
+fs_getattr_nsfs_files(abrt_dump_oops_t)
+
+selinux_compute_create_context(abrt_dump_oops_t)
 
 logging_read_generic_logs(abrt_dump_oops_t)
+logging_read_syslog_pid(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
+
+init_read_var_lib_files(abrt_dump_oops_t)
+
+optional_policy(`
+	xserver_exec(abrt_dump_oops_t)
+')
 
 #######################################
 #
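Review bot: `domain_ptrace_all_domains(abrt_dump_oops_t)` together with `sys_ptrace` in the new capability set is granted unconditionally, while every admin interface in this same patch gates ptrace behind the `deny_ptrace` boolean; a kernel-oops parser should get the same gate, e.g. `tunable_policy(\`deny_ptrace\`,\`\`,\` domain_ptrace_all_domains(abrt_dump_oops_t) \`)`. `files_manage_non_security_files(abrt_dump_oops_t)` and `files_manage_non_security_dirs(abrt_dump_oops_t)` likewise hand a log parser write access to essentially every non-security file; if one specific location is the trigger it should be labeled rather than opened this wide. Separately, `mock_manage_lib_files(abrt_t)` at L1059 sits inside the retrace-worker optional block but targets abrt_t, so presumably either the type should be abrt_retrace_worker_t or the line belongs in the abrt_t section.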
@@ -404,25 +544,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
 
+auth_read_passwd(abrt_watch_log_t)
+auth_use_nsswitch(abrt_watch_log_t)
+
 domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
 
 corecmd_exec_bin(abrt_watch_log_t)
 
 logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+optional_policy(`
+    gnome_list_home_config(abrt_watch_log_t)
+')
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+	miscfiles_manage_public_files(abrt_upload_watch_t)
+')
 
 #######################################
 #
 # Upload watch local policy
 #
 
+allow abrt_upload_watch_t self:capability { dac_override chown fsetid };
+
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
+
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
+
+abrt_dbus_chat(abrt_upload_watch_t)
+
 corecmd_exec_bin(abrt_upload_watch_t)
 
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
+
+auth_read_passwd(abrt_upload_watch_t)
+
 tunable_policy(`abrt_upload_watch_anon_write',`
-	miscfiles_manage_public_files(abrt_upload_watch_t)
+    miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(abrt_upload_watch_t)
 ')
 
 #######################################
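Review bot: The `tunable_policy(\`abrt_upload_watch_anon_write\`, ...)` block at L1153-L1155 is placed under the abrt_watch_log section header yet targets abrt_upload_watch_t, and it duplicates the identical block at L1183-L1186 in the upload-watch section; the first copy should be dropped. The bodies of the new `optional_policy` blocks at L1150 and L1189 and of the tunable at L1185 are indented with four spaces while the surrounding file uses tabs.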
@@ -430,10 +605,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
 
-kernel_read_system_state(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
 
 files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
-miscfiles_read_localization(abrt_domain)
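Review bot: `allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;` does not grant what it appears to: a unix_stream_socket object carries the label of the process that created it, not the type of the socket file, so the target of `connectto` has to be the listening daemon's domain. The conventional form is `stream_connect_pattern(abrt_domain, abrt_var_run_t, abrt_t)`, which expands to the sock_file write already present plus `allow abrt_domain abrt_t:unix_stream_socket connectto;`. `kernel_read_system_state(abrt_domain)` is removed here with no per-domain replacement visible in this diff; presumably it is now granted globally, but that is worth confirming.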
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a..0682710 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/accountsd.*  --              gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+
 /usr/libexec/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
 
 /usr/lib/accountsservice/accounts-daemon	--	gen_context(system_u:object_r:accountsd_exec_t,s0)
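Review bot: The new pattern `/usr/lib/systemd/system/accountsd.*` only matches unit names that start with `accountsd`, but the binary labeled two lines below is `accounts-daemon`, so its unit is presumably `accounts-daemon.service`, which this regex will not match. If that is the shipped unit name, `/usr/lib/systemd/system/accounts-daemon.*	--	gen_context(system_u:object_r:accountsd_unit_file_t,s0)` is the line that would label it. The space-padded alignment also differs from the tab alignment used by the neighbouring entries.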
diff --git a/accountsd.if b/accountsd.if
index bd5ec9a..554177c 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -126,23 +126,51 @@ interface(`accountsd_manage_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`accountsd_systemctl',`
+	gen_require(`
+		type accountsd_t;
+		type accountsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 accountsd_unit_file_t:file read_file_perms;
+	allow $1 accountsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, accountsd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an accountsd environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`accountsd_admin',`
 	gen_require(`
 		type accountsd_t;
+		type accountsd_unit_file_t;
 	')
 
-	allow $1 accountsd_t:process { ptrace signal_perms };
+	allow $1 accountsd_t:process signal_perms;
 	ps_process_pattern($1, accountsd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 accountsd_t:process ptrace;
+	')
+
 	accountsd_manage_lib_files($1)
+
+	accountsd_systemctl($1)
+	admin_pattern($1, accountsd_unit_file_t)
+	allow $1 accountsd_unit_file_t:service all_service_perms;
 ')
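Review bot: The parameter description for `accountsd_systemctl` is changed to "Domain allowed to transition", but the interface sets up no domain transition; it grants systemctl execution, unit-file reads and service management, so `##	Domain allowed access.` is the accurate wording (the interface's summary line sits above this hunk and should be checked for the same copy-paste). In `accountsd_admin`, `allow $1 accountsd_unit_file_t:service all_service_perms;` already subsumes the `manage_service_perms` granted through the `accountsd_systemctl($1)` call just above it; harmless, but one of the two could go.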
diff --git a/accountsd.te b/accountsd.te
index 3593510..b6a0f70 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
 	class passwd all_passwd_perms;
 ')
 
+gen_require(`
+	class passwd { passwd chfn chsh rootok crontab };
+')
+
 ########################################
 #
 # Declarations
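Review bot: The added `gen_require` block requires `class passwd { passwd chfn chsh rootok crontab };` directly after the existing `class passwd all_passwd_perms;`, which already covers every passwd permission. The new block is redundant and can be dropped rather than leaving two requires for the same class a few lines apart.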
@@ -11,11 +15,15 @@ gen_require(`
 
 type accountsd_t;
 type accountsd_exec_t;
-dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
 
 type accountsd_var_lib_t;
 files_type(accountsd_var_lib_t)
 
+type accountsd_unit_file_t;
+systemd_unit_file(accountsd_unit_file_t)
+
 ########################################
 #
 # Local policy
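Review bot: `role system_r types accountsd_t;` looks redundant: in refpolicy `init_daemon_domain()` already associates the domain with system_r, so the explicit statement duplicates it; harmless, but worth dropping if that holds in this tree. Switching from `dbus_system_domain` to `init_daemon_domain` changes how the domain is entered, and the later hunk re-adds `dbus_system_domain` under `optional_policy`; a one-line comment here noting that the daemon is reachable both from init and by dbus activation would save the next reader the cross-reference.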
@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
 dev_read_sysfs(accountsd_t)
 
 files_read_mnt_files(accountsd_t)
-files_read_usr_files(accountsd_t)
 
 fs_getattr_xattr_fs(accountsd_t)
 fs_list_inotifyfs(accountsd_t)
@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
 auth_read_login_records(accountsd_t)
 auth_read_shadow(accountsd_t)
 
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
 
 logging_list_logs(accountsd_t)
 logging_send_syslog_msg(accountsd_t)
@@ -66,9 +73,16 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_domain(accountsd_t, accountsd_exec_t)
+')
+
+optional_policy(`
 	policykit_dbus_chat(accountsd_t)
 ')
 
 optional_policy(`
 	xserver_read_xdm_tmp_files(accountsd_t)
+	xserver_read_state_xdm(accountsd_t)
+	xserver_dbus_chat_xdm(accountsd_t)
+	xserver_manage_xdm_etc_files(accountsd_t)
 ')
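Review bot: `xserver_manage_xdm_etc_files(accountsd_t)` gives the accounts daemon write access to the display manager's configuration files, a larger step than the read-only xdm accesses next to it; presumably this is for toggling automatic login, and a comment such as `# writes the display manager config to set automatic login` would make the grant reviewable. If only a single file is rewritten, an interface scoped to that file would be tighter than manage permissions on the whole type.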
diff --git a/acct.if b/acct.if
index 81280d0..bc4038b 100644
--- a/acct.if
+++ b/acct.if
@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
 
 ########################################
 ## <summary>
+##	Dontaudit Attempts to list acct_data directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`acct_dontaudit_list_data',`
+	gen_require(`
+		type acct_data_t;
+	')
+
+	dontaudit $1 acct_data_t:dir list_dir_perms;	
+')
+
+#######################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an acct environment.
 ## </summary>
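Review bot: The `dontaudit $1 acct_data_t:dir list_dir_perms;` line at L1364 carries a trailing tab, and the separator line at L1367 is one character shorter than the others in the file. Both are cosmetic, but trailing whitespace in policy sources tends to survive for years once merged.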
@@ -103,9 +121,13 @@ interface(`acct_admin',`
 		type acct_t, acct_initrc_exec_t, acct_data_t;
 	')
 
-	allow $1 acct_t:process { ptrace signal_perms };
+	allow $1 acct_t:process { signal_perms };
 	ps_process_pattern($1, acct_t)
 
+    tunable_policy(`deny_ptrace',`',`
+		allow $1 acct_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, acct_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 acct_initrc_exec_t system_r;
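Review bot: `allow $1 acct_t:process { signal_perms };` wraps a single macro in braces, unlike the equivalent line in every other admin interface in this patch (for example `allow $1 aiccu_t:process signal_perms;`); write it as `allow $1 acct_t:process signal_perms;` for consistency. The `tunable_policy` lines at L1380 and L1382 are indented with four spaces while the rest of the interface uses tabs.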
diff --git a/acct.te b/acct.te
index 8b9ad83..f4f2486 100644
--- a/acct.te
+++ b/acct.te
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
 dev_read_sysfs(acct_t)
 dev_read_urand(acct_t)
 
-domain_use_interactive_fds(acct_t)
-
 fs_search_auto_mountpoints(acct_t)
 fs_getattr_xattr_fs(acct_t)
 
@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
 term_dontaudit_use_generic_ptys(acct_t)
 
 files_read_etc_runtime_files(acct_t)
-files_list_usr(acct_t)
 
 auth_use_nsswitch(acct_t)
 
@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
 
 logging_send_syslog_msg(acct_t)
 
-miscfiles_read_localization(acct_t)
-
 userdom_dontaudit_search_user_home_dirs(acct_t)
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
 
diff --git a/ada.te b/ada.te
index 8d42c97..2377f8f 100644
--- a/ada.te
+++ b/ada.te
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
 
 allow ada_t self:process { execstack execmem };
 
-userdom_use_user_terminals(ada_t)
+userdom_use_inherited_user_terminals(ada_t)
 
 optional_policy(`
 	unconfined_domain(ada_t)
diff --git a/afs.fc b/afs.fc
index 8926c16..206ea16 100644
--- a/afs.fc
+++ b/afs.fc
@@ -3,6 +3,8 @@
 /etc/rc\.d/init\.d/openafs-client	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/(open)?afs	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
 
+/usr/afs(/.*)?		gen_context(system_u:object_r:afs_files_t,s0)
+
 /usr/afs/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
 /usr/afs/bin/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
@@ -10,6 +12,10 @@
 /usr/afs/bin/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
+/usr/afs/bin/dafileserver      --      gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver       --      gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver     --      gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager        --      gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 
 /usr/afs/db	-d	gen_context(system_u:object_r:afs_dbdir_t,s0)
 /usr/afs/db/pr.*	--	gen_context(system_u:object_r:afs_pt_db_t,s0)
diff --git a/afs.if b/afs.if
index 3b41be6..97d99f9 100644
--- a/afs.if
+++ b/afs.if
@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
 
 ########################################
 ## <summary>
+##	Read AFS config data
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`afs_read_config',`
+	gen_require(`
+		type afs_config_t;
+	')
+
+	read_files_pattern($1, afs_config_t, afs_config_t)
+')
+
+########################################
+## <summary>
 ##	Read and write afs cache files.
 ## </summary>
 ## <param name="domain">
@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
 interface(`afs_admin',`
 	gen_require(`
 		attribute afs_domain;
-		type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
+		type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
 		type afs_ka_db_t, afs_vl_db_t, afs_config_t;
 		type afs_logfile_t, afs_cache_t, afs_files_t;
 	')
 
-	allow $1 afs_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, afs_domain)
+	allow $1 afs_t:process signal_perms;
+	ps_process_pattern($1, afs_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 afs_t:process ptrace;
+	')
 
 	afs_initrc_domtrans($1)
 	domain_system_change_exemption($1)
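Review bot: `afs_admin` now grants signal and ptrace only on `afs_t`, whereas the removed lines covered the whole `afs_domain` attribute, i.e. also afs_bosserver_t, afs_fsserver_t, afs_kaserver_t, afs_ptserver_t and afs_vlserver_t; an administrator loses the ability to signal or inspect those server processes. The `attribute afs_domain;` require is kept, but nothing visible in the interface uses it any more. Keeping the attribute in the rules, `allow $1 afs_domain:process signal_perms;`, `ps_process_pattern($1, afs_domain)` and `allow $1 afs_domain:process ptrace;` inside the tunable, preserves the previous coverage while still honouring `deny_ptrace`.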
diff --git a/afs.te b/afs.te
index 90ce637..07db31b 100644
--- a/afs.te
+++ b/afs.te
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
 
 kernel_rw_afs_state(afs_t)
 
+corenet_all_recvfrom_netlabel(afs_t)
+corenet_tcp_sendrecv_generic_if(afs_t)
+corenet_udp_sendrecv_generic_if(afs_t)
+corenet_tcp_sendrecv_generic_node(afs_t)
+corenet_udp_sendrecv_generic_node(afs_t)
+corenet_tcp_sendrecv_all_ports(afs_t)
+corenet_udp_sendrecv_all_ports(afs_t)
+corenet_udp_bind_generic_node(afs_t)
+
 files_mounton_mnt(afs_t)
-files_read_usr_files(afs_t)
 files_rw_etc_runtime_files(afs_t)
 
 fs_getattr_xattr_fs(afs_t)
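Review bot: `corenet_tcp_sendrecv_all_ports(afs_t)` and `corenet_udp_sendrecv_all_ports(afs_t)` are broader than the afs-specific port interfaces this module already uses for the servers (for example `corenet_udp_sendrecv_afs_bos_port` at L1561), so the client presumably only needs the afs port set plus whatever the cache manager talks to. If every port really is required, a comment saying why would stop the next reviewer from narrowing it; otherwise prefer the specific `corenet_*_afs_*_port` interfaces.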
@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
 
 logging_send_syslog_msg(afs_t)
 
+sysnet_dns_name_resolve(afs_t)
+
+ifdef(`hide_broken_symptoms',`
+	kernel_rw_unlabeled_files(afs_t)
+')
+
 ########################################
 #
 # AFS bossserver local policy
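Review bot: `kernel_rw_unlabeled_files(afs_t)` under `hide_broken_symptoms` is an allow rule rather than a dontaudit, so the ifdef name understates what it does: the client gains read/write on unlabeled files wherever they live, not just on the AFS mount. If this exists because the AFS filesystem itself has no labels, a comment saying so, e.g. `# AFS mounts carry no labels; files appear as unlabeled_t`, and a filesystem-specific labeling via genfscon where possible, would be preferable to a global unlabeled grant.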
@@ -105,8 +119,11 @@ can_exec(afs_bosserver_t, afs_bosserver_exec_t)
 
 manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
 manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_config_t, dir, "local")
 
-allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
+manage_files_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
+manage_dirs_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t)
+filetrans_pattern(afs_bosserver_t, afs_files_t, afs_dbdir_t, dir, "db")
 
 allow afs_bosserver_t afs_fsserver_t:process signal_perms;
 domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
@@ -125,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
 
 kernel_read_kernel_sysctls(afs_bosserver_t)
 
-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
 corenet_all_recvfrom_netlabel(afs_bosserver_t)
 corenet_udp_sendrecv_generic_if(afs_bosserver_t)
 corenet_udp_sendrecv_generic_node(afs_bosserver_t)
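Review bot: `corenet_all_recvfrom_unlabeled` is removed from afs_bosserver_t here (and from the ka, pt and vl servers in later hunks) but afs_fsserver_t keeps it at L1587, so the module is now inconsistent. If receiving unlabeled packets is implied globally in this tree, the fsserver line should go too; if it is not, bosserver will stop receiving traffic on a system without labeled networking.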
@@ -136,10 +152,13 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
 corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
 
 files_list_home(afs_bosserver_t)
-files_read_usr_files(afs_bosserver_t)
 
 seutil_read_config(afs_bosserver_t)
 
+optional_policy(`
+    kerberos_read_config(afs_bosserver_t)
+')
+
 ########################################
 #
 # fileserver local policy
@@ -151,9 +170,6 @@ allow afs_fsserver_t self:process { setsched signal_perms };
 allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
 allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
 manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
 
@@ -175,12 +191,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
 
 corenet_all_recvfrom_unlabeled(afs_fsserver_t)
 corenet_all_recvfrom_netlabel(afs_fsserver_t)
+corenet_tcp_bind_generic_node(afs_fsserver_t)
+corenet_udp_bind_generic_node(afs_fsserver_t)
 corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
 corenet_udp_sendrecv_generic_if(afs_fsserver_t)
 corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
 corenet_udp_sendrecv_generic_node(afs_fsserver_t)
-corenet_tcp_bind_generic_node(afs_fsserver_t)
-corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
 
 corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
 corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -190,7 +208,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
 
 files_read_etc_runtime_files(afs_fsserver_t)
 files_list_home(afs_fsserver_t)
-files_read_usr_files(afs_fsserver_t)
 files_list_pids(afs_fsserver_t)
 files_dontaudit_search_mnt(afs_fsserver_t)
 
@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
 
 kernel_read_kernel_sysctls(afs_kaserver_t)
 
-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
 corenet_all_recvfrom_netlabel(afs_kaserver_t)
 corenet_udp_sendrecv_generic_if(afs_kaserver_t)
 corenet_udp_sendrecv_generic_node(afs_kaserver_t)
@@ -239,7 +255,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
 corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
 
 files_list_home(afs_kaserver_t)
-files_read_usr_files(afs_kaserver_t)
 
 seutil_read_config(afs_kaserver_t)
 
@@ -253,16 +268,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
 allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
 allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
 manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
 
 manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
 filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
 
-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
 corenet_all_recvfrom_netlabel(afs_ptserver_t)
 corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
 corenet_udp_sendrecv_generic_if(afs_ptserver_t)
@@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
 corenet_udp_bind_afs_pt_port(afs_ptserver_t)
 corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
 
+sysnet_read_config(afs_ptserver_t)
+
 userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 
 ########################################
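Review bot: `sysnet_read_config(afs_ptserver_t)` looks redundant with `sysnet_read_config(afs_domain)` in the module's global section (L1679), assuming afs_ptserver_t carries the afs_domain attribute as the `allow afs_domain self:udp_socket` rule suggests the servers do. If it does, the per-domain line can be dropped; if it does not, that would be the surprising fact worth a comment.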
@@ -284,16 +297,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
 allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
 
-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
-
 manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
 manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
 
 manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
 filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
 
-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
 corenet_all_recvfrom_netlabel(afs_vlserver_t)
 corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
 corenet_udp_sendrecv_generic_if(afs_vlserver_t)
@@ -314,8 +323,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
 
 allow afs_domain self:udp_socket create_socket_perms;
 
-files_read_etc_files(afs_domain)
-
-miscfiles_read_localization(afs_domain)
+read_files_pattern(afs_domain, afs_config_t, afs_config_t)
+allow afs_domain afs_config_t:dir list_dir_perms;
 
 sysnet_read_config(afs_domain)
+
diff --git a/aiccu.if b/aiccu.if
index 3b5dcb9..fbe187f 100644
--- a/aiccu.if
+++ b/aiccu.if
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
 		type aiccu_var_run_t;
 	')
 
-	allow $1 aiccu_t:process { ptrace signal_perms };
+	allow $1 aiccu_t:process signal_perms;
 	ps_process_pattern($1, aiccu_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aiccu_t:process ptrace;
+	')
+
 	aiccu_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
index 5d2b90e..7374df0 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
 corenet_tcp_bind_generic_node(aiccu_t)
 corenet_tcp_sendrecv_generic_if(aiccu_t)
 corenet_tcp_sendrecv_generic_node(aiccu_t)
-
 corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
 corenet_tcp_connect_sixxsconfig_port(aiccu_t)
 corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
@@ -60,17 +59,24 @@ domain_use_interactive_fds(aiccu_t)
 dev_read_rand(aiccu_t)
 dev_read_urand(aiccu_t)
 
-files_read_etc_files(aiccu_t)
+
+auth_read_passwd(aiccu_t)
 
 logging_send_syslog_msg(aiccu_t)
 
-miscfiles_read_localization(aiccu_t)
+optional_policy(`
+    gnome_dontaudit_search_config(aiccu_t)
+')
 
 optional_policy(`
 	modutils_domtrans_insmod(aiccu_t)
 ')
 
 optional_policy(`
+    pcscd_stream_connect(aiccu_t)
+')
+
+optional_policy(`
 	sysnet_dns_name_resolve(aiccu_t)
 	sysnet_domtrans_ifconfig(aiccu_t)
 ')
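Review bot: The new `gnome_dontaudit_search_config` and `pcscd_stream_connect` optional blocks are indented with four spaces while the neighbouring `modutils_domtrans_insmod` block uses a tab; match the file. `pcscd_stream_connect(aiccu_t)` connects a tunnel-broker client to the smart-card daemon, which is not obvious for this program; a short comment naming the library or feature that probes pcscd (presumably a TLS stack looking for PKCS#11 tokens) would keep a later cleanup from removing it.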
diff --git a/aide.if b/aide.if
index 01cbb67..94a4a24 100644
--- a/aide.if
+++ b/aide.if
@@ -67,9 +67,13 @@ interface(`aide_admin',`
 		type aide_t, aide_db_t, aide_log_t;
 	')
 
-	allow $1 aide_t:process { ptrace signal_perms };
+	allow $1 aide_t:process signal_perms;
 	ps_process_pattern($1, aide_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aide_t:process ptrace;
+	')
+
 	aide_run($1, $2)
 
 	files_list_etc($1)
diff --git a/aide.te b/aide.te
index 03831e6..94a723f 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
 type aide_t;
 type aide_exec_t;
 application_domain(aide_t, aide_exec_t)
+cron_system_entry(aide_t, aide_exec_t)
 role aide_roles types aide_t;
 
 type aide_log_t;
@@ -23,22 +24,34 @@ files_type(aide_db_t)
 # Local policy
 #
 
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
+allow aide_t self:process signal;
 
 manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
 
-create_files_pattern(aide_t, aide_log_t, aide_log_t)
-append_files_pattern(aide_t, aide_log_t, aide_log_t)
-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
 logging_log_filetrans(aide_t, aide_log_t, file)
 
+dev_read_rand(aide_t)
+dev_read_urand(aide_t)
+
 files_read_all_files(aide_t)
 files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
 
 logging_send_audit_msgs(aide_t)
 logging_send_syslog_msg(aide_t)
 
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
+
+optional_policy(`
+	prelink_domtrans(aide_t)
+')
 
 optional_policy(`
 	seutil_use_newrole_fds(aide_t)
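Review bot: Replacing `create_files_pattern`/`append_files_pattern`/`setattr_files_pattern` on aide_log_t with `manage_files_pattern(aide_t, aide_log_t, aide_log_t)` lets aide truncate, rewrite and unlink its own logs; for an integrity checker the append-only log was a deliberate tamper-resistance property, so the original three lines should stay unless aide is known to rewrite its log file. `sys_admin` in the capability set is the broadest capability available and deserves a comment naming the operation that triggers it. `files_var_lib_filetrans(aide_t, aide_db_t, { dir file })` is an unnamed transition, so anything aide creates directly under /var/lib becomes aide_db_t; a named transition on the aide directory would be tighter.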
diff --git a/aisexec.if b/aisexec.if
index a2997fa..861cebd 100644
--- a/aisexec.if
+++ b/aisexec.if
@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
 		type aisexec_initrc_exec_t;
 	')
 
-	allow $1 aisexec_t:process { ptrace signal_perms };
+	allow $1 aisexec_t:process signal_perms;
 	ps_process_pattern($1, aisexec_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 aisexec_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
index 4e4f063..808e067 100644
--- a/aisexec.te
+++ b/aisexec.te
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
 kernel_read_system_state(aisexec_t)
 
 corecmd_exec_bin(aisexec_t)
+corecmd_exec_shell(aisexec_t)
 
 corenet_all_recvfrom_unlabeled(aisexec_t)
 corenet_all_recvfrom_netlabel(aisexec_t)
@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
 
 logging_send_syslog_msg(aisexec_t)
 
-miscfiles_read_localization(aisexec_t)
-
 userdom_rw_unpriv_user_semaphores(aisexec_t)
 userdom_rw_unpriv_user_shared_mem(aisexec_t)
 
@@ -105,6 +104,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	corosync_domtrans(aisexec_t)
+')
+
+optional_policy(`
+	# to communication with RHCS
 	rhcs_rw_dlm_controld_semaphores(aisexec_t)
 
 	rhcs_rw_fenced_semaphores(aisexec_t)
diff --git a/ajaxterm.fc b/ajaxterm.fc
new file mode 100644
index 0000000..aeb1888
--- /dev/null
+++ b/ajaxterm.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm	--	gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py	--	gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid		--	gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/ajaxterm.if b/ajaxterm.if
new file mode 100644
index 0000000..7abe946
--- /dev/null
+++ b/ajaxterm.if
@@ -0,0 +1,90 @@
+## <summary>policy for ajaxterm</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ajaxterm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ajaxterm_domtrans',`
+	gen_require(`
+		type ajaxterm_t, ajaxterm_exec_t;
+	')
+
+	domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+########################################
+## <summary>
+##	Execute ajaxterm server in the ajaxterm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ajaxterm_initrc_domtrans',`
+	gen_require(`
+		type ajaxterm_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##  Read and write the ajaxterm pty type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ajaxterm_rw_ptys',`
+    gen_require(`
+        type ajaxterm_devpts_t;
+    ')
+
+    allow $1 ajaxterm_devpts_t:chr_file	rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ajaxterm environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ajaxterm_admin',`
+	gen_require(`
+		type ajaxterm_t, ajaxterm_initrc_exec_t;
+	')
+
+	allow $1 ajaxterm_t:process signal_perms;
+	ps_process_pattern($1, ajaxterm_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ajaxterm_t:process ptrace;
+	')
+
+	ajaxterm_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 ajaxterm_initrc_exec_t system_r;
+	allow $2 system_r;
+')
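Review bot: The summary for `ajaxterm_initrc_domtrans` reads "Execute ajaxterm server in the ajaxterm domain", but the interface runs the init script through `init_labeled_script_domtrans`, which lands in the initrc domain, not ajaxterm_t; suggest `##	Execute ajaxterm init scripts in the initrc domain.` `ajaxterm_rw_ptys` is indented with spaces and its doc block uses two-space comment indentation while the rest of the new file uses tabs.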
diff --git a/ajaxterm.te b/ajaxterm.te
new file mode 100644
index 0000000..a95a4ad
--- /dev/null
+++ b/ajaxterm.te
@@ -0,0 +1,60 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process { setpgid signal };
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_oa_system_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
+#######################################
+#
+# SSH component local policy
+#
+
+optional_policy(`
+	ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
+')
+
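Review bot: ajaxterm_t is a network-facing domain (it binds the oa_system port and drives terminal sessions) that is given the `setuid` capability at L2000 and `relabelfrom` on its pty type at L2006 with no comment explaining either; each should carry a one-line comment naming the operation that needs it, since both are the kind of grant a later cleanup would otherwise remove or a reviewer would question. No `relabelto` on any type is visible in the file, so the `relabelfrom` may be dead unless `term_create_pty` supplies the other half. There are also two consecutive blank lines at L2023-L2024 and a trailing blank line at the end of the file.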
diff --git a/alsa.fc b/alsa.fc
index 33d9d31..58bf182 100644
--- a/alsa.fc
+++ b/alsa.fc
@@ -23,4 +23,10 @@ ifdef(`distro_debian',`
 /usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 /usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 
-/var/lib/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/var/lock/asound\.state\.lock   --  gen_context(system_u:object_r:alsa_lock_t,s0)
+
+/usr/lib/systemd/system/alsa.*  --              gen_context(system_u:object_r:alsa_unit_file_t,s0)
+
+/var/run/alsactl\.pid		--	gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
index ca8d8cf..053a30a 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
 
 	userdom_search_user_home_dirs($1)
 	allow $1 alsa_home_t:file manage_file_perms;
+	alsa_filetrans_home_content($1)
 ')
 
 ########################################
@@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',`
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic alsa
-##	home type.
+##	Read Alsa lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="object_class">
+#
+interface(`alsa_read_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Transition to alsa named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Class of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+#
+interface(`alsa_filetrans_home_content',`
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+')
+
+########################################
+## <summary>
+##	Transition to alsa named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The name of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`alsa_home_filetrans_alsa_home',`
+interface(`alsa_filetrans_named_content',`
 	gen_require(`
 		type alsa_home_t;
+		type alsa_etc_rw_t;
+		type alsa_var_lib_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
+	files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
+	files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+	files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
+	files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
+	files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+	files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
 ')
 
 ########################################
 ## <summary>
-##	Read Alsa lib files.
+##	Execute alsa server in the alsa domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`alsa_read_lib',`
+interface(`alsa_systemctl',`
 	gen_require(`
-		type alsa_var_lib_t;
+		type alsa_t;
+		type alsa_unit_file_t;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 alsa_unit_file_t:file read_file_perms;
+	allow $1 alsa_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, alsa_t)
 ')
 
 #########################################
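Review bot: This hunk deletes the public interface `alsa_home_filetrans_alsa_home(domain, object_class, name)` and replaces it with `alsa_filetrans_home_content`, which hard-codes `file, ".asoundrc"`; any other module that calls the old interface will fail to build, and nothing in this diff updates a caller. Keep the old interface, even as a thin wrapper around `userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)`, or remove it in a separate change that also fixes callers. The summary for `alsa_systemctl` ("Execute alsa server in the alsa domain") is a copy-paste from an initrc interface and should describe systemctl and service management, and `alsa_filetrans_home_content` and `alsa_filetrans_named_content` share the identical summary "Transition to alsa named content".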
diff --git a/alsa.te b/alsa.te
index 4b153f1..a799cd3 100644
--- a/alsa.te
+++ b/alsa.te
@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
 type alsa_etc_rw_t;
 files_config_file(alsa_etc_rw_t)
 
+type alsa_lock_t;
+files_lock_file(alsa_lock_t)
+
 type alsa_tmp_t;
 files_tmp_file(alsa_tmp_t)
 
@@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t)
 type alsa_var_lib_t;
 files_type(alsa_var_lib_t)
 
+type alsa_var_run_t;
+files_pid_file(alsa_var_run_t)
+
 type alsa_home_t;
 userdom_user_home_content(alsa_home_t)
 
+type alsa_unit_file_t;
+systemd_unit_file(alsa_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms };
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket { accept listen };
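Review bot: The widened capability rule `allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };` and the new `allow alsa_t self:process { getsched setsched signal_perms };` carry no justification, so a later auditor cannot tell which ALSA program needs to raise its scheduling priority or whether the grant is still required. A one-line comment above the capability rule naming the triggering binary would fix that, e.g. `# sys_nice/setsched: scheduler priority change — TODO record which alsa binary needs this`. `signal_perms` on self also includes sigkill and sigstop; if the observed denial was only `signal`, the narrower permission is enough.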
@@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
 
 can_exec(alsa_t, alsa_exec_t)
 
+manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t)
+files_lock_filetrans(alsa_t, alsa_lock_t, file)
+
 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
@@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
 manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
+
 kernel_read_system_state(alsa_t)
+kernel_signal(alsa_t)
 
 corecmd_exec_bin(alsa_t)
 
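Review bot: `kernel_signal(alsa_t)` lets the sound domain send signals to processes running as kernel_t, which is wider than a user-space audio daemon should normally need; in my experience this denial usually comes from being launched by a process still in kernel_t (early boot) and signalling that parent. If the denial was only a SIGCHLD to such a parent, `kernel_sigchld(alsa_t)` is the narrower interface; otherwise a comment naming the scenario should accompany the rule. The alsa_t section continues outside this hunk.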
@@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t)
 dev_read_urand(alsa_t)
 dev_write_sound(alsa_t)
 
-files_read_usr_files(alsa_t)
 files_search_var_lib(alsa_t)
 
 term_dontaudit_use_console(alsa_t)
@@ -80,8 +98,6 @@ init_use_fds(alsa_t)
 
 logging_send_syslog_msg(alsa_t)
 
-miscfiles_read_localization(alsa_t)
-
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
 userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.fc b/amanda.fc
index 7f4dfbc..e5c9f45 100644
--- a/amanda.fc
+++ b/amanda.fc
@@ -1,5 +1,6 @@
 /etc/amanda(/.*)?	gen_context(system_u:object_r:amanda_config_t,s0)
 /etc/amanda/.*/tapelist(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amanda/DailySet1(/.*)?	gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates	gen_context(system_u:object_r:amanda_amandates_t,s0)
 /etc/dumpdates	gen_context(system_u:object_r:amanda_dumpdates_t,s0)
 # empty m4 string so the index macro is not invoked
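Review bot: Labelling `/etc/amanda/DailySet1(/.*)?` as amanda_data_t turns the whole default configuration directory into a writable type: the amanda.te hunks in this series give amanda_t `manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)`, whereas amanda_config_t stays read-only for the daemon (`allow amanda_t amanda_config_t:file read_file_perms`). Any configuration kept under DailySet1 therefore becomes modifiable by the backup daemon itself, which weakens the integrity of its own config. Prefer keeping the directory amanda_config_t and labelling only the state files amanda actually writes, in the style of the existing `/etc/amanda/.*/tapelist(/.*)?` entry; the hard-coded `DailySet1` name also covers only the default configuration set.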
@@ -13,6 +14,8 @@
 /usr/lib/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 
+/usr/lib/systemd/system/amanda.*    --  gen_context(system_u:object_r:amanda_unit_file_t,s0)
+
 /usr/sbin/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
diff --git a/amanda.te b/amanda.te
index 519051c..0f871e6 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
 roleattribute system_r amanda_recover_roles;
 
 type amanda_t;
+type amanda_exec_t;
 type amanda_inetd_exec_t;
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+application_executable_file(amanda_exec_t)
+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
+role system_r types amanda_t;
 
-type amanda_exec_t;
-domain_entry_file(amanda_t, amanda_exec_t)
+type amanda_unit_file_t;
+systemd_unit_file(amanda_unit_file_t)
 
 type amanda_log_t;
 logging_log_file(amanda_log_t)
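Review bot: `domain_entry_file(amanda_t, amanda_exec_t)` is replaced by `application_executable_file(amanda_exec_t)`, so amanda_exec_t is no longer an entry point for amanda_t and nothing in this hunk provides a transition for programs labelled that way; if they are still expected to run confined, an entry-point or `domtrans_pattern` rule is now missing (the file contexts for amanda_exec_t are not in this diff, so this is inferred). `role system_r types amanda_t;` duplicates what `init_daemon_domain` already declares. A short comment explaining why amanda_t becomes an init daemon rather than an inetd service would also help, since the inetd declaration reappears later in the file inside `optional_policy`.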
@@ -60,7 +63,7 @@ optional_policy(`
 #
 
 allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
+allow amanda_t self:process { getsched setsched setpgid signal };
 allow amanda_t self:fifo_file rw_fifo_file_perms;
 allow amanda_t self:unix_stream_socket { accept listen };
 allow amanda_t self:tcp_socket { accept listen };
@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
 
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
 corecmd_exec_shell(amanda_t)
 corecmd_exec_bin(amanda_t)
 
-corenet_all_recvfrom_unlabeled(amanda_t)
 corenet_all_recvfrom_netlabel(amanda_t)
 corenet_tcp_sendrecv_generic_if(amanda_t)
 corenet_tcp_sendrecv_generic_node(amanda_t)
 corenet_tcp_sendrecv_all_ports(amanda_t)
 corenet_tcp_bind_generic_node(amanda_t)
 
+corenet_tcp_bind_amanda_port(amanda_t)
+corenet_udp_bind_amanda_port(amanda_t)
+
 corenet_sendrecv_all_server_packets(amanda_t)
 corenet_tcp_bind_all_rpc_ports(amanda_t)
 corenet_tcp_bind_generic_port(amanda_t)
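Review bot: `corenet_udp_bind_amanda_port(amanda_t)` is added, but the surrounding rules only set up TCP (`corenet_tcp_bind_generic_node`, `corenet_tcp_sendrecv_generic_if/node`); unless granted elsewhere in the file, the UDP bind is ineffective without `corenet_udp_bind_generic_node(amanda_t)` and a `udp_socket` create rule on self. Since `corenet_tcp_bind_generic_port` and `corenet_tcp_bind_all_rpc_ports` already cover the TCP side, the specific amanda-port rules mainly document intent; a comment saying which port is actually exercised would make it possible to narrow the older blanket rules later.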
@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
 
 dev_getattr_all_blk_files(amanda_t)
 dev_getattr_all_chr_files(amanda_t)
+dev_read_urand(amanda_t)
 
 files_read_etc_runtime_files(amanda_t)
 files_list_all(amanda_t)
@@ -130,6 +137,7 @@ fs_list_all(amanda_t)
 storage_raw_read_fixed_disk(amanda_t)
 storage_read_tape(amanda_t)
 storage_write_tape(amanda_t)
+storage_write_scsi_generic(amanda_t)
 
 auth_use_nsswitch(amanda_t)
 auth_read_shadow(amanda_t)
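Review bot: `storage_write_scsi_generic(amanda_t)` allows writing to the SCSI generic pass-through devices, which lets the domain issue arbitrary SCSI commands to every attached SCSI device rather than just the tape drive; combined with the read-only `storage_raw_read_fixed_disk(amanda_t)` above it, this effectively removes the read-only guarantee on fixed disks. If the grant is for a tape changer, record that in a comment, e.g. `# sg write: tape-changer control — confirm which amanda component needs it`, and consider whether changer control belongs in its own domain rather than in the backup daemon.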
@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t)
 corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
 
-corenet_all_recvfrom_unlabeled(amanda_recover_t)
 corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_generic_if(amanda_recover_t)
 corenet_udp_sendrecv_generic_if(amanda_recover_t)
@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t)
 
 auth_use_nsswitch(amanda_recover_t)
 
-fstools_domtrans(amanda_t)
-fstools_signal(amanda_t)
-
 logging_search_logs(amanda_recover_t)
 
-miscfiles_read_localization(amanda_recover_t)
-
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
 userdom_search_user_home_content(amanda_recover_t)
+
+optional_policy(`
+    inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+')
+
+optional_policy(`
+	fstools_domtrans(amanda_t)
+	fstools_signal(amanda_t)
+')
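Review bot: The two new `optional_policy` blocks for amanda_t (`inetd_service_domain(amanda_t, amanda_inetd_exec_t)` and the fstools rules) are appended after the amanda_recover_t rules, so the amanda_t policy is now split across the file; move them up into the amanda_t section above the recover domain. The inetd block is also indented with four spaces where the rest of the file uses tabs. Because amanda_t is still declared with `init_daemon_domain` on the same exec type, the entry point survives without the inetd module — worth a comment so the next reader does not think the `optional_policy` wrapper makes the daemon optional.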
diff --git a/amavis.fc b/amavis.fc
index 17689a7..8aa6849 100644
--- a/amavis.fc
+++ b/amavis.fc
@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
 /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 ')
 
-/var/opt/f-secure(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
-
 /var/amavis(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
 
 /var/lib/amavis(/.*)?	gen_context(system_u:object_r:amavis_var_lib_t,s0)
diff --git a/amavis.if b/amavis.if
index 60d4f8c..18ef077 100644
--- a/amavis.if
+++ b/amavis.if
@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
 
 	files_search_spool($1)
 	read_files_pattern($1, amavis_spool_t, amavis_spool_t)
+	allow $1 amavis_spool_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
 
 ########################################
 ## <summary>
+##	Read and write amavis lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`amavis_rw_lib_files',`
+	gen_require(`
+		type amavis_var_lib_t;
+	')
+
+	rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+	allow $1 amavis_var_lib_t:dir list_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	amavis lib files.
 ## </summary>
@@ -234,9 +255,13 @@ interface(`amavis_admin',`
 		type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
 	')
 
-	allow $1 amavis_t:process { ptrace signal_perms };
+	allow $1 amavis_t:process signal_perms;
 	ps_process_pattern($1, amavis_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 amavis_t:process ptrace;
+	')
+
 	amavis_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
index 91fa72a..0b1afd6 100644
--- a/amavis.te
+++ b/amavis.te
@@ -39,7 +39,7 @@ type amavis_quarantine_t;
 files_type(amavis_quarantine_t)
 
 type amavis_spool_t;
-files_type(amavis_spool_t)
+files_spool_file(amavis_spool_t)
 
 ########################################
 #
@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
 
+# tmp files
+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
 manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
 allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
 
 manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
 manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
 corecmd_exec_bin(amavis_t)
 corecmd_exec_shell(amavis_t)
 
-corenet_all_recvfrom_unlabeled(amavis_t)
 corenet_all_recvfrom_netlabel(amavis_t)
 corenet_tcp_sendrecv_generic_if(amavis_t)
 corenet_udp_sendrecv_generic_if(amavis_t)
@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
 
 corenet_sendrecv_razor_client_packets(amavis_t)
 corenet_tcp_connect_razor_port(amavis_t)
+corenet_tcp_connect_agentx_port(amavis_t)
 
 dev_read_rand(amavis_t)
 dev_read_sysfs(amavis_t)
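Review bot: `corenet_tcp_connect_agentx_port(amavis_t)` arrives without saying which amavis component talks AgentX; the SNMP subagent appears in this series only as a pid-file name in antivirus.fc, and that it runs in amavis_t is not shown here. Add a comment such as `# amavisd-snmp-subagent registers with snmpd over AgentX — confirm it runs in amavis_t`.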
@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
 domain_dontaudit_read_all_domains_state(amavis_t)
 
 files_read_etc_runtime_files(amavis_t)
-files_read_usr_files(amavis_t)
 files_search_spool(amavis_t)
 
 fs_getattr_xattr_fs(amavis_t)
@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
 
 logging_send_syslog_msg(amavis_t)
 
-miscfiles_read_localization(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
+
+sysnet_use_ldap(amavis_t)
 
 userdom_dontaudit_search_user_home_dirs(amavis_t)
 
 tunable_policy(`amavis_use_jit',`
-	allow amavis_t self:process execmem;
+    allow amavis_t self:process execmem;
 ',`
-	dontaudit amavis_t self:process execmem;
+    dontaudit amavis_t self:process execmem;
+')
+
+optional_policy(`
+	antivirus_domain_template(amavis_t)
 ')
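Review bot: `antivirus_domain_template(amavis_t)` adds amavis_t to the antivirus_domain attribute, but antivirus.te in this same series declares `typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t }` and likewise aliases amavis_etc_t, amavis_var_run_t, amavis_spool_t and amavis_var_lib_t; if amavis.te still declares those as types, the two modules cannot be loaded together, and if it no longer does, this file is dead policy. Either amavis.te should be retired in favour of the antivirus module or the aliases dropped, and a comment here should record which is intended. Separately, the `amavis_use_jit` tunable body was re-indented from tabs to four spaces, diverging from the rest of the file.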
 
 optional_policy(`
@@ -173,6 +181,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
 	postfix_read_config(amavis_t)
 	postfix_list_spool(amavis_t)
 ')
diff --git a/amtu.te b/amtu.te
index 16d0d66..60abfd0 100644
--- a/amtu.te
+++ b/amtu.te
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
 
 files_manage_boot_files(amtu_t)
 files_read_etc_runtime_files(amtu_t)
-files_read_etc_files(amtu_t)
 
 logging_send_audit_msgs(amtu_t)
 
-userdom_use_user_terminals(amtu_t)
+userdom_use_inherited_user_terminals(amtu_t)
 
 optional_policy(`
 	nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
index b098089..fe35beb 100644
--- a/anaconda.fc
+++ b/anaconda.fc
@@ -1 +1,13 @@
 # No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum  --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/sbin/anaconda      --  gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/initial-setup  --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/ostree         --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/bin/rpm-ostree     --  gen_context(system_u:object_r:install_exec_t,s0)
+/usr/libexec/rpm-ostreed --  gen_context(system_u:object_r:install_exec_t,s0)
+
+/usr/bin/preupg.*   --  gen_context(system_u:object_r:preupgrade_exec_t,s0)
+/var/lib/preupgrade(/.*)?   gen_context(system_u:object_r:preupgrade_data_t,s0)
+/var/log/preupgrade(/.*)?   gen_context(system_u:object_r:preupgrade_data_t,s0)
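Review bot: `/usr/bin/preupg.*` is an open-ended pattern mapped to preupgrade_exec_t, and preupgrade_t is made `unconfined_domain_noaudit` in anaconda.te, so any present or future file in /usr/bin whose name starts with `preupg` becomes an unconfined entry point; enumerate the actual binaries instead. The same consideration applies to labelling the general-purpose tools `/usr/bin/ostree` and `/usr/bin/rpm-ostree` as install_exec_t: every caller that can domtrans into install_t then obtains an effectively unconfined domain that also holds `mac_admin`.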
diff --git a/anaconda.if b/anaconda.if
index 14a61b7..76d9329 100644
--- a/anaconda.if
+++ b/anaconda.if
@@ -1 +1,132 @@
 ## <summary>Anaconda installer.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run install.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_domtrans_install',`
+	gen_require(`
+		type install_t, install_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, install_exec_t, install_t)
+')
+
+########################################
+## <summary>
+##	Execute install in the install
+##	domain, and allow the specified
+##	role the install domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_run_install',`
+	gen_require(`
+		type install_t;
+		type install_exec_t;
+		attribute_role install_roles;
+	')
+
+	anaconda_domtrans_install($1)
+	roleattribute $2 install_roles;
+	role_transition $2 install_exec_t system_r;
+
+	optional_policy(`
+		rpm_transition_script(install_t, $2)
+	')
+')
+
+########################################
+## <summary>
+##	Execute preupgrade in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_exec_preupgrade',`
+	gen_require(`
+		type preupgrade_exec_t;
+	')
+
+	corecmd_search_bin($1)
+    can_exec($1, preupgrade_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run preupgrade.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`anaconda_domtrans_preupgrade',`
+	gen_require(`
+		type preupgrade_t, preupgrade_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
+')
+
+########################################
+## <summary>
+##	Read preupgrade lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_read_lib_files_preupgrade',`
+	gen_require(`
+		type preupgrade_data_t;
+	')
+
+	read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Manage preupgrade lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`anaconda_manage_lib_files_preupgrade',`
+	gen_require(`
+		type preupgrade_data_t;
+	')
+
+	manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
+	files_search_var_lib($1)
+')
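Review bot: `anaconda_run_install` both adds `$2` to install_roles (`roleattribute $2 install_roles;`) and declares `role_transition $2 install_exec_t system_r;`, so the new process ends up in system_r whatever the caller's role and the roleattribute is redundant; the transition to system_r also needs a matching `allow $2 system_r;`, which this interface does not provide (compare `antivirus_admin` in this series, which pairs the two). Decide which model is intended and keep one. Also, preupgrade_data_t labels both /var/lib/preupgrade and /var/log/preupgrade in anaconda.fc, but `anaconda_read_lib_files_preupgrade` and `anaconda_manage_lib_files_preupgrade` only call `files_search_var_lib($1)`, so callers that need the log tree will also need `logging_search_logs($1)`. `anaconda_exec_preupgrade` mixes tab and four-space indentation.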
diff --git a/anaconda.te b/anaconda.te
index aa44abf..9e76516 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
 	class passwd all_passwd_perms;
 ')
 
+gen_require(`
+	class passwd { passwd chfn chsh rootok crontab };
+')
+
 ########################################
 #
 # Declarations
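Review bot: The added `gen_require` for `class passwd { passwd chfn chsh rootok crontab }` is redundant: the block immediately above already requires `class passwd all_passwd_perms`, which is a superset. Drop the new block, or if the intent is to replace the blanket requirement with the exact set anaconda_t uses, remove the old one instead.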
@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
 domain_obj_id_change_exemption(anaconda_t)
 role system_r types anaconda_t;
 
+attribute_role install_roles;
+roleattribute system_r install_roles;
+
+type install_t;
+type install_exec_t;
+application_domain(install_t, install_exec_t)
+role install_roles types install_t;
+
+type preupgrade_t;
+type preupgrade_exec_t;
+application_domain(preupgrade_t, preupgrade_exec_t)
+role system_r types preupgrade_t;
+
+type preupgrade_data_t;
+files_type(preupgrade_data_t)
+
 ########################################
 #
 # Local policy
@@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t)
 modutils_domtrans_depmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
 
-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(anaconda_t)
 
 optional_policy(`
 	rpm_domtrans(anaconda_t)
@@ -53,3 +74,55 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain_noaudit(anaconda_t)
 ')
+
+########################################
+#
+# Local policy
+#
+
+allow install_t self:capability2 mac_admin;
+
+systemd_dbus_chat_localed(install_t)
+systemd_dbus_chat_logind(install_t)
+
+tunable_policy(`deny_ptrace',`',`
+	domain_ptrace_all_domains(install_t)
+')
+
+optional_policy(`
+    iscsid_run(install_t, install_roles)
+')
+
+optional_policy(`
+    mount_run(install_t, install_roles)
+')
+
+optional_policy(`
+    networkmanager_dbus_chat(install_t)
+')
+
+optional_policy(`
+    policykit_dbus_chat(install_t)
+')
+
+optional_policy(`
+	seutil_run_setfiles_mac(install_t, install_roles)
+')
+
+optional_policy(`
+	unconfined_domain_noaudit(install_t)
+')
+
+
+########################################
+#
+# Local policy
+#
+
+manage_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+manage_dirs_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+manage_lnk_files_pattern(preupgrade_t, preupgrade_data_t, preupgrade_data_t)
+
+optional_policy(`
+    unconfined_domain_noaudit(preupgrade_t)
+')
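Review bot: All three rule sections in this hunk are headed `# Local policy`, so a reader cannot tell which of anaconda_t, install_t and preupgrade_t a block belongs to; rename the new headers to `# install local policy` and `# preupgrade local policy`. Both new domains end in `unconfined_domain_noaudit` under `optional_policy`, so `allow install_t self:capability2 mac_admin;`, the dbus chats and the ptrace rule only add anything when the unconfined module is absent — and in that case preupgrade_t is left with nothing beyond its data directory, so a comment should state whether running these domains without the unconfined module is supported at all. The `optional_policy` bodies also alternate between tab and four-space indentation.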
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 0000000..219f32d
--- /dev/null
+++ b/antivirus.fc
@@ -0,0 +1,44 @@
+/etc/amavis(d)?\.conf			--	gen_context(system_u:object_r:antivirus_conf_t,s0)
+/etc/amavisd(/.*)?					gen_context(system_u:object_r:antivirus_conf_t,s0)
+
+/etc/rc\.d/init\.d/amavis		--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/amavisd-snmp	--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/clamd.*		--	gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/clamd.*	--	gen_context(system_u:object_r:antivirus_unit_file_t,s0)
+
+/usr/lib/AntiVir/antivir		--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/amavi 				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/amavisd.*				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/clamdscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/bin/freshclam				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/usr/sbin/clamd					--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+/usr/sbin/clamav-milter			--	gen_context(system_u:object_r:antivirus_exec_t,s0)
+
+/var/clamav(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/amavis(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/amavis(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamav-unofficial-sigs(/.*)?   gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/lib/clamd.*					gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/opt/f-secure(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/spool/amavisd(/.*)?			gen_context(system_u:object_r:antivirus_db_t,s0)
+/var/virusmails(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
+
+/var/log/amavisd\.log.* 		--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav.*   				gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/freshclam.*    		--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamav/freshclam.* 	--  gen_context(system_u:object_r:antivirus_log_t,s0)
+/var/log/clamd.*    				gen_context(system_u:object_r:antivirus_log_t,s0)
+
+/var/run/amavis(d)?(/.*)?			gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/amavisd-snmp-subagent\.pid	--	gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
+/var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamav.*					gen_context(system_u:object_r:antivirus_var_run_t,s0)
+/var/run/clamd.*					gen_context(system_u:object_r:antivirus_var_run_t,s0)
+
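Review bot: antivirus_db_t covers the signature databases (`/var/lib/clamav`), the amavis spool and the quarantine (`/var/virusmails`, `/var/spool/amavisd`) with a single type, so any domain granted `antivirus_rw_db`/`antivirus_manage_db` to update signatures can also alter or delete quarantined malware, and a process handling quarantined content can overwrite the signatures. Keeping the quarantine under its own type (antivirus.te in this series still carries an amavis_quarantine_t alias) would preserve that boundary. Minor: `/var/log/clamav.*` already matches everything under /var/log/clamav, so the later `/var/log/clamav/freshclam.*` entry is redundant, as is `/var/run/amavis(d)?/clamd\.pid`, which `/var/run/amavis(d)?(/.*)?` already covers.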
diff --git a/antivirus.if b/antivirus.if
new file mode 100644
index 0000000..36251b9
--- /dev/null
+++ b/antivirus.if
@@ -0,0 +1,325 @@
+## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  antivirus domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+interface(`antivirus_domain_template',`
+        gen_require(`
+                attribute antivirus_domain;
+        ')
+
+        typeattribute $1 antivirus_domain;
+
+        kernel_read_system_state($1)
+')
+
+#######################################
+## <summary>
+##  Execute a domain transition to run antivirus program.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`antivirus_domtrans',`
+    gen_require(`
+        type antivirus_t, antivirus_exec_t;
+    ')
+
+    domtrans_pattern($1, antivirus_exec_t, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  Execute antivirus program without a transition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_exec',`
+    gen_require(`
+        type antivirus_exec_t;
+    ')
+
+    can_exec($1, antivirus_exec_t)
+')
+
+#######################################
+## <summary>
+##  Connect to run antivirus program.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_stream_connect',`
+    gen_require(`
+        type antivirus_t, antivirus_db_t, antivirus_var_run_t;
+    ')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
+	stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to append
+##  to antivirus log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_append_log',`
+    gen_require(`
+        type antivirus_log_t;
+    ')
+
+    logging_search_logs($1)
+    allow $1 antivirus_log_t:dir list_dir_perms;
+    append_files_pattern($1, antivirus_log_t, antivirus_log_t)
+')
+
+#######################################
+## <summary>
+##  Read antivirus configuration files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_read_config',`
+    gen_require(`
+        type antivirus_conf_t;
+    ')
+
+    files_search_etc($1)
+    allow $1 antivirus_conf_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Search antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_search_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+	files_search_spool($1)
+    allow $1 antivirus_db_t:dir search_dir_perms;
+')
+
+######################################
+## <summary>
+##  Read antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_read_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+	read_files_pattern($1, antivirus_db_t, antivirus_db_t)
+	read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#####################################
+## <summary>
+##  Read and write antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_rw_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+    write_files_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+####################################
+## <summary>
+##  Manage antivirus db content directories.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_manage_db',`
+    gen_require(`
+        type antivirus_db_t;
+    ')
+
+    files_search_var_lib($1)
+    files_search_spool($1)
+    manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
+	manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
+')
+
+#######################################
+## <summary>
+##  Manage antivirus pid content.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`antivirus_manage_pid',`
+    gen_require(`
+        type antivirus_var_run_t;
+    ')
+
+    manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+    manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
+')
+
+######################################
+## <summary>
+##      Read antivirus state files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`antivirus_read_state_clamd',`
+        gen_require(`
+                type antivirus_t;
+        ')
+
+        kernel_search_proc($1)
+        ps_process_pattern($1, antivirus_t)
+')
+
+######################################
+## <summary>
+##      Execute antivirus server in the antivirus domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`antivirus_systemctl',`
+        gen_require(`
+                type antivirus_t;
+                type antivirus_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+        allow $1 antivirus_unit_file_t:file read_file_perms;
+        allow $1 antivirus_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, antivirus_t)
+')
+
+#######################################
+## <summary>
+##  All of the rules required to administrate
+##  an antivirus programs environment
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed to manage the clamav domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`antivirus_admin',`
+    gen_require(`
+		attribute antivirus_domain;
+        type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
+        type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
+        type antivirus_initrc_exec_t, antivirus_unit_file_t;
+    ')
+
+	allow $1 antivirus_t:process signal_perms;
+    ps_process_pattern($1, antivirus_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 antivirus_t:process ptrace;
+    ')
+
+    init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
+    domain_system_change_exemption($1)
+    role_transition $2 antivirus_initrc_exec_t system_r;
+    allow $2 system_r;
+
+	antivirus_systemctl($1)
+    admin_pattern($1, antivirus_unit_file_t)
+    allow $1 antivirus_unit_file_t:service all_service_perms;
+
+    files_list_etc($1)
+    admin_pattern($1, antivirus_conf_t)
+
+    files_list_var_lib($1)
+	admin_pattern($1, antivirus_db_t)
+
+    logging_list_logs($1)
+    admin_pattern($1, antivirus_log_t)
+
+    files_list_pids($1)
+    admin_pattern($1, antivirus_var_run_t)
+
+    files_list_tmp($1)
+    admin_pattern($1, antivirus_tmp_t)
+
+    optional_policy(`
+        systemd_passwd_agent_exec($1)
+        systemd_read_fifo_file_passwd_run($1)
+    ')
+')
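Review bot: `antivirus_rw_db` is documented as "Read and write antivirus db content directories" but only grants `write_files_pattern($1, antivirus_db_t, antivirus_db_t)` — no read and no directory listing — so a caller that expects to read what it wrote will still be denied; either use `rw_files_pattern($1, antivirus_db_t, antivirus_db_t)` plus `allow $1 antivirus_db_t:dir list_dir_perms;` or retitle the interface. `antivirus_manage_db` likewise omits `manage_lnk_files_pattern` even though `antivirus_read_db` reads symlinks, and `antivirus_systemctl` calls `systemd_read_fifo_file_passwd_run($1)` unconditionally while `antivirus_admin` wraps the same call in `optional_policy`. The file also alternates between eight-space, four-space and tab indentation; pick the tab style used by the sibling modules.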
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 0000000..d8b04b5
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,273 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##  Allow antivirus programs to read non security files on a system
+##  </p>
+## </desc>
+gen_tunable(antivirus_can_scan_system, false)
+
+## <desc>
+##  <p>
+##  Determine whether can antivirus programs use JIT compiler.
+##  </p>
+## </desc>
+gen_tunable(antivirus_use_jit, false)
+
+attribute antivirus_domain;
+
+type antivirus_t;
+type antivirus_exec_t;
+typeattribute antivirus_t antivirus_domain;
+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
+init_daemon_domain(antivirus_t, antivirus_exec_t)
+
+type antivirus_initrc_exec_t;
+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
+init_script_file(antivirus_initrc_exec_t)
+
+type antivirus_unit_file_t;
+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
+systemd_unit_file(antivirus_unit_file_t)
+
+type antivirus_conf_t;
+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
+files_config_file(antivirus_conf_t)
+
+type antivirus_var_run_t;
+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
+files_pid_file(antivirus_var_run_t)
+
+type antivirus_log_t;
+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
+logging_log_file(antivirus_log_t)
+
+type antivirus_db_t;
+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
+files_type(antivirus_db_t)
+
+type antivirus_home_t;
+userdom_user_home_content(antivirus_home_t)
+
+type antivirus_tmp_t;
+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
+files_tmp_file(antivirus_tmp_t)
+
+########################################
+#
+# antivirus domain local policy
+#
+
+allow antivirus_domain self:capability { dac_override chown kill fsetid setgid setuid sys_admin };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
+allow antivirus_domain self:tcp_socket { listen accept };
+
+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
+
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
+
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
+
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
+
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
+
+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
+kernel_read_system_state(antivirus_t)
+kernel_read_network_state(antivirus_domain)
+kernel_read_all_sysctls(antivirus_domain)
+
+corecmd_exec_bin(antivirus_domain)
+corecmd_exec_shell(antivirus_domain)
+
+corenet_all_recvfrom_netlabel(antivirus_t)
+corenet_tcp_bind_all_unreserved_ports(antivirus_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(antivirus_t)
+corenet_tcp_sendrecv_generic_if(antivirus_t)
+corenet_udp_sendrecv_generic_if(antivirus_t)
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
+corenet_udp_sendrecv_generic_node(antivirus_domain)
+corenet_tcp_sendrecv_all_ports(antivirus_domain)
+corenet_udp_sendrecv_all_ports(antivirus_domain)
+corenet_tcp_bind_generic_node(antivirus_domain)
+corenet_udp_bind_generic_node(antivirus_domain)
+
+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
+
+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
+
+corenet_sendrecv_generic_server_packets(antivirus_domain)
+corenet_udp_bind_generic_port(antivirus_domain)
+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
+
+corenet_sendrecv_razor_client_packets(antivirus_domain)
+corenet_tcp_connect_razor_port(antivirus_domain)
+corenet_tcp_connect_agentx_port(antivirus_domain)
+
+corenet_tcp_connect_clamd_port(antivirus_domain)
+
+corenet_sendrecv_clamd_server_packets(antivirus_domain)
+corenet_tcp_bind_clamd_port(antivirus_domain)
+
+corenet_sendrecv_http_client_packets(antivirus_domain)
+corenet_tcp_connect_http_port(antivirus_domain)
+corenet_tcp_sendrecv_http_port(antivirus_domain)
+
+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
+corenet_tcp_connect_http_cache_port(antivirus_domain)
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
+
+#support for MySQL/PostgreSQL
+corenet_tcp_connect_mysqld_port(antivirus_domain)
+corenet_tcp_connect_postgresql_port(antivirus_domain)
+
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
+corenet_sendrecv_squid_client_packets(antivirus_domain)
+corenet_tcp_connect_squid_port(antivirus_domain)
+corenet_tcp_sendrecv_squid_port(antivirus_domain)
+
+dev_read_rand(antivirus_domain)
+dev_read_sysfs(antivirus_domain)
+dev_read_urand(antivirus_domain)
+
+domain_dontaudit_read_all_domains_state(antivirus_domain)
+
+files_dontaudit_read_security_files(antivirus_domain)
+files_read_etc_runtime_files(antivirus_domain)
+files_search_spool(antivirus_domain)
+
+fs_getattr_xattr_fs(antivirus_domain)
+
+auth_use_nsswitch(antivirus_t)
+auth_dontaudit_read_shadow(antivirus_domain)
+
+init_read_state(antivirus_domain)
+init_read_utmp(antivirus_domain)
+init_stream_connect_script(antivirus_domain)
+init_dontaudit_write_utmp(antivirus_domain)
+
+logging_send_syslog_msg(antivirus_t)
+
+miscfiles_read_generic_certs(antivirus_domain)
+
+sysnet_use_ldap(antivirus_domain)
+
+userdom_stream_connect(antivirus_domain)
+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
+
+tunable_policy(`antivirus_can_scan_system',`
+	files_read_non_security_files(antivirus_domain)
+	files_getattr_all_pipes(antivirus_domain)
+	files_getattr_all_sockets(antivirus_domain)
+    dev_getattr_all_blk_files(antivirus_domain)
+    dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
+    allow antivirus_domain self:process execmem;
+    allow antivirus_domain self:process execmem;
+',`
+    dontaudit antivirus_domain self:process execmem;
+    dontaudit antivirus_domain self:process execmem;
+')
+
+optional_policy(`
+	apache_read_sys_content(antivirus_domain)
+')
+
+optional_policy(`
+	antivirus_systemctl(antivirus_domain)
+')
+
+optional_policy(`
+	cron_system_entry(antivirus_t, antivirus_exec_t)
+    cron_use_fds(antivirus_domain)
+    cron_use_system_job_fds(antivirus_domain)
+    cron_rw_pipes(antivirus_domain)
+')
+
+optional_policy(`
+    dcc_domtrans_client(antivirus_domain)
+    dcc_stream_connect_dccifd(antivirus_domain)
+')
+
+optional_policy(`
+    exim_read_spool_files(antivirus_domain)
+')
+
+optional_policy(`
+    mta_read_config(antivirus_domain)
+	mta_read_queue(antivirus_domain)
+	mta_send_mail(antivirus_domain)
+')
+
+optional_policy(`
+    nslcd_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+	mysql_stream_connect(antivirus_domain)
+	corenet_tcp_connect_mysqld_port(antivirus_domain)
+')
+
+optional_policy(`
+    postfix_read_config(antivirus_domain)
+    postfix_list_spool(antivirus_domain)
+')
+
+optional_policy(`
+    pyzor_domtrans(antivirus_domain)
+    pyzor_signal(antivirus_domain)
+')
+
+optional_policy(`
+    razor_domtrans(antivirus_domain)
+')
+
+optional_policy(`
+    snmp_manage_var_lib_dirs(antivirus_domain)
+    snmp_manage_var_lib_files(antivirus_domain)
+    snmp_stream_connect(antivirus_domain)
+')
+
+optional_policy(`
+	spamd_stream_connect(clamd_t)
+	spamassassin_exec(antivirus_domain)
+	spamassassin_exec_client(antivirus_domain)
+	spamassassin_read_lib_files(antivirus_domain)
+	spamassassin_read_pid_files(antivirus_domain)
+')
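Review bot: Both branches of the `antivirus_use_jit` tunable_policy repeat their single rule twice (`allow antivirus_domain self:process execmem;` and the matching `dontaudit`), so one copy of each should be dropped. `corenet_tcp_connect_mysqld_port(antivirus_domain)` is already granted unconditionally under the `#support for MySQL/PostgreSQL` comment, which makes the copy inside the mysql optional_policy block redundant. The capability set on `antivirus_domain` includes `sys_admin`, and because amavis_t, clamd_t, clamscan_t and freshclam_t are all aliased onto antivirus_t, every one of those programs receives it; a comment naming the operation that needs it (or a dontaudit if it is only there to quiet denials) would document the least-privilege trade-off. The spamd block uses the alias `clamd_t` while every other rule in the file targets `antivirus_domain` or `antivirus_t`; `spamd_stream_connect(antivirus_domain)` would match the surrounding style.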
diff --git a/apache.fc b/apache.fc
index 7caefc3..4313ba3 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,162 +1,212 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
 HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
 
-/etc/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/cherokee(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/horde(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf/keytab	--	gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs	gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules	gen_context(system_u:object_r:httpd_modules_t,s0)
-/etc/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/mock/koji(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/etc/rc\.d/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/glpi(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/rt(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
+/etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
+/etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/opt/rh/rh-nginx18/nginx(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 
-/etc/vhosts	--	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/WebCalendar(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/etc/zabbix/web(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/thttpd\.conf       -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/z-push(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/opt/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/usr/.*\.cgi			-- 	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi			-- 	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.*  --     gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/thttpd.*  --     gen_context(system_u:object_r:httpd_unit_file_t,s0)
 
-/srv/([^/]*/)?www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/lib/systemd/system/php-fpm.*	--  gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.*     --  gen_context(system_u:object_r:httpd_unit_file_t,s0)
 
-/usr/.*\.cgi	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog      --      gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
-/usr/bin/htsslpass	--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)?        gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2/smarty(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/usr/lib/apache-ssl/.+	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-/usr/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/bin/htsslpass 		--	gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/share/joomla(/.*)?                 gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
-/usr/libexec/httpd-ssl-pass-dialog	--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+/usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/lib/cherokee(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 
-/usr/sbin/apache(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/cherokee	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/httpd\.event	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/lighttpd	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/sbin/rotatelogs	--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-/usr/sbin/suexec	--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-ifdef(`distro_suse',`
-/usr/sbin/httpd2-.*	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/htcacheclean      --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/nginx         --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm       --  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+/usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+/usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+ifdef(`distro_suse', `
+/usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 
-/usr/share/dirsrv(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/doc/ghc/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal.*	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/icecast(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/jetty/bin/jetty\.sh	--	gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/wordpress-mu/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-content/upgrade(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/share/wordpress/wp-includes/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-
-/var/cache/apache2(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/httpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mason(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mediawiki(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_.*	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_gnutls(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_proxy(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/mod_ssl(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-.*	gen_context(system_u:object_r:httpd_cache_t,s0)
+/usr/share/drupal.*			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/usr/share/glpi(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/nginx/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php		--		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-config\.php	-- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php    --  gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/z-push(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mediawiki(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_.*			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_gnutls(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_proxy(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/mod_ssl(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/php-.*			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/php-mmcache(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/rt3(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
-/var/cache/ssl.*\.sem	--	gen_context(system_u:object_r:httpd_cache_t,s0)
-
-/var/lib/cacti/rra(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cherokee(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dav(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/dokuwiki(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/drupal.*	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/htdig(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/httpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/lib/pootle/po(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt(3|4)(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
+
+/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/graphite-web(/.*)?     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.*			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/ipsilon(/.*)?          gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/moodle(/.*)?		    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/mod_security(/.*)?     gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/opt/rh/rh-nginx18/lib/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/php/wsdlcache(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+
 /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-/var/lib/stickshift/.httpd.d(/.*)?	gen_context(system_u:object_r:httpd_config_t,s0)
-/var/lib/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/lib/trac(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
-/var/log/apache(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/apache-ssl(2)?(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cacti(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cgiwrap\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)?		  gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/roundcubemail(/.*)?    gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/z-push(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/graphite-web(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)?     gen_context(system_u:object_r:httpd_log_t,s0)
+/var/opt/rh/rh-nginx18/log(/.*)?     gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/thttpd\.log.*  -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php_errors\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+')
 
-/var/run/apache.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/cherokee\.pid	--	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/gcache_port	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/httpd.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/mod_.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/wsgi.*	-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/user/apache(/.*)?	gen_context(system_u:object_r:httpd_tmp_t,s0)
-
-/var/spool/gosa(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/spool/squirrelmail(/.*)?	gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-/var/spool/viewvc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/cherokee\.pid		--	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.*            gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/opt/rh/rh-nginx18/run/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/thttpd\.pid    -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)?		gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+/var/spool/viewvc(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php	--	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/miq/vmdb/log(/.*)?	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/html(/.*)?/sites/default/settings\.php	-- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html(/.*)?/sites/default/files(/.*)? 	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/owncloud/data(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/moodledata(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/moodle/data(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/openshift/console/tmp(/.*)?    gen_context(system_u:object_r:httpd_tmp_t,s0)
+/var/www/openshift/console/log(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/logs(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/console/httpd/logs(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/run(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/openshift/console/httpd/run(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/stickshift/[^/]*/log(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
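Review bot: The new `/var/www/html(/.*)?/uploads(/.*)?` entry, like the widened `wp-content` and `sites/default` patterns next to it, matches a directory of that name at any depth under /var/www/html, so application directories that merely happen to be called uploads also become httpd_sys_rw_content_t, the label the web server may write to; anchoring the pattern to the application roots that need it, or a comment stating the intent, would keep the writable surface explicit. Separators are inconsistent through the file, with tabs on some lines and runs of spaces on others (e.g. `/etc/nginx(/.*)?` and `/usr/sbin/nginx`), which breaks the column layout the other entries keep. The three dirsrv entries appended after `/var/www/svn/conf` sit outside the path-sorted order the rest of the file follows and belong with the `/var/log`, `/var/run` and `/opt` groups. The `/var/opt/rh/rh-nginx18/...` entries are likewise interleaved with `/var/log/nginx` and `/var/run/nginx` rather than grouped under `/var/opt`.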
diff --git a/apache.if b/apache.if
index f6eb485..ce5dba7 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
-## <summary>Various web servers.</summary>
+## <summary>Apache web server</summary>
 
 ########################################
 ## <summary>
-##	Create a set of derived types for
-##	httpd web content.
+##	Create a set of derived types for apache
+##	web content.
 ## </summary>
 ## <param name="prefix">
 ##	<summary>
@@ -11,120 +11,233 @@
 ##	</summary>
 ## </param>
 #
-template(`apache_content_template',`
+template(`apache_user_content_template',`
 	gen_require(`
-		attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
-		attribute httpd_script_domains, httpd_htaccess_type;
+		attribute httpd_exec_scripts, httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t;
+		attribute httpd_script_type, httpd_user_content_type;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	## <desc>
-	##	<p>
-	##	Determine whether the script domain can
-	##	modify public files used for public file
-	##	transfer services. Directories/Files must
-	##	be labeled public_content_rw_t.
-	##	</p>
-	## </desc>
-	gen_tunable(allow_httpd_$1_script_anon_write, false)
-
-	type httpd_$1_content_t, httpdcontent; # customizable
-	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
-	files_type(httpd_$1_content_t)
-
-	type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
-	files_type(httpd_$1_htaccess_t)
-
-	type httpd_$1_script_t, httpd_script_domains;
-	domain_type(httpd_$1_script_t)
-	role system_r types httpd_$1_script_t;
-
-	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-	corecmd_shell_entry_type(httpd_$1_script_t)
-	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-
-	type httpd_$1_rw_content_t, httpdcontent; # customizable
-	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
-	files_type(httpd_$1_rw_content_t)
+	#This type is for webpages
+	type $1_content_t; # customizable;
+	typeattribute $1_content_t httpd_user_content_type;
+	typealias $1_content_t alias httpd_$1_script_ro_t;
+	files_type($1_content_t)
+
+	# This type is used for .htaccess files
+	type $1_htaccess_t, httpd_content_type; # customizable;
+	typeattribute $1_htaccess_t httpd_user_content_type;
+	files_type($1_htaccess_t)
+
+	# Type that CGI scripts run as
+	type $1_script_t,	httpd_script_type;
+	domain_type($1_script_t)
+	role system_r types $1_script_t;
+
+	kernel_read_system_state($1_script_t)
+
+	# This type is used for executable scripts files
+	type $1_script_exec_t, httpd_script_exec_type; # customizable;
+	typeattribute $1_script_exec_t httpd_user_content_type;
+	domain_entry_file($1_script_t, $1_script_exec_t)
+
+	type $1_rw_content_t; # customizable
+	typeattribute $1_rw_content_t httpd_user_content_type;
+	typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
+	files_type($1_rw_content_t)
+
+	type $1_ra_content_t, httpd_content_type; # customizable
+	typeattribute $1_ra_content_t httpd_user_content_type;
+	typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
+	files_type($1_ra_content_t)
+
+	# Allow the script process to search the cgi directory, and users directory
+	allow $1_script_t $1_content_t:dir search_dir_perms;
+
+	can_exec($1_script_t, $1_script_exec_t)
+	allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+	allow $1_script_t $1_content_t:dir list_dir_perms;
+	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+
+	# Allow the web server to run scripts and serve pages
+	tunable_policy(`httpd_builtin_scripting',`
+		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
 
-	type httpd_$1_ra_content_t, httpdcontent; # customizable
-	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
-	files_type(httpd_$1_ra_content_t)
+		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
 
-	########################################
-	#
-	# Policy
-	#
+	')
 
-	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+	tunable_policy(`httpd_enable_cgi',`
+		allow $1_script_t $1_script_exec_t:file entrypoint;
 
-	allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-	allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-	allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
 
-	allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
-	allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
-	allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
+		# privileged users run the script:
+		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
 
-	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
+		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
 
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
-	allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
+		# apache runs the script:
+		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+		allow httpd_t $1_script_t:unix_dgram_socket sendto;
+	')
+')
 
-	tunable_policy(`allow_httpd_$1_script_anon_write',`
-		miscfiles_manage_public_files(httpd_$1_script_t)
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`apache_content_template',`
+	gen_require(`
+		attribute httpd_exec_scripts, httpd_script_exec_type;
+		type httpd_t, httpd_suexec_t;
+		attribute httpd_script_type, httpd_content_type;
 	')
 
+	#This type is for webpages
+	type $1_content_t; # customizable;
+	typeattribute $1_content_t httpd_content_type;
+	typealias $1_content_t alias httpd_$1_script_ro_t;
+	files_type($1_content_t)
+
+	# This type is used for .htaccess files
+	type $1_htaccess_t, httpd_content_type; # customizable;
+	typeattribute $1_htaccess_t httpd_content_type;
+	files_type($1_htaccess_t)
+
+	# Type that CGI scripts run as
+	type $1_script_t,	httpd_script_type;
+	domain_type($1_script_t)
+	role system_r types $1_script_t;
+
+	kernel_read_system_state($1_script_t)
+
+	# This type is used for executable scripts files
+	type $1_script_exec_t, httpd_script_exec_type; # customizable;
+	typeattribute $1_script_exec_t httpd_content_type;
+	domain_entry_file($1_script_t, $1_script_exec_t)
+
+	type $1_rw_content_t; # customizable
+	typeattribute $1_rw_content_t httpd_content_type;
+	typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
+	files_type($1_rw_content_t)
+
+	type $1_ra_content_t, httpd_content_type; # customizable
+	typeattribute $1_ra_content_t httpd_content_type;
+	typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
+	files_type($1_ra_content_t)
+
+	# Allow the script process to search the cgi directory, and users directory
+	allow $1_script_t $1_content_t:dir search_dir_perms;
+
+	can_exec($1_script_t, $1_script_exec_t)
+	allow $1_script_t $1_script_exec_t:dir list_dir_perms;
+	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
+
+	allow $1_script_t $1_content_t:dir list_dir_perms;
+	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
+	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
+
+	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };
+
+	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
-		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
+		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
 
-		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-		allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-		allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-	')
+		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
+		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
+		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
 
-	tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
-		can_exec(httpd_t, httpd_$1_rw_content_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi',`
-		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
-		domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
-	')
+		allow $1_script_t $1_script_exec_t:file entrypoint;
 
-	tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
-		can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
-	')
+		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
 
-	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
-		allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
-	')
+		# privileged users run the script:
+		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
+
+		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
 
-	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+		# apache runs the script:
+		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
+		allow httpd_t $1_script_t:unix_dgram_socket sendto;
 	')
 ')
 
 ########################################
 ## <summary>
-##	Role access for apache.
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving new type names.
+##	</summary>
+## </param>
+## <param name="oldprefix">
+##	<summary>
+##	The prefix to be used for deriving old type names.
+##	</summary>
+## </param>
+#
+template(`apache_content_alias_template',`
+	typealias $1_htaccess_t alias httpd_$2_htaccess_t;
+	typealias $1_script_t alias httpd_$2_script_t;
+	typealias $1_script_exec_t alias httpd_$2_script_exec_t;
+	typealias $1_content_t alias httpd_$2_content_t;
+	typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
+	typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
+')
+
+########################################
+## <summary>
+##	Role access for apache
 ## </summary>
 ## <param name="role">
 ##	<summary>
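Review bot: In apache_user_content_template the declarations `type $1_htaccess_t, httpd_content_type;` and `type $1_ra_content_t, httpd_content_type;` attach the httpd_content_type attribute while the sibling types in the same template (`$1_content_t`, `$1_rw_content_t`, `$1_script_exec_t`) carry only httpd_user_content_type, and httpd_content_type is not listed in that template's gen_require — it looks copied from apache_content_template, where every type gets httpd_content_type. Either drop the attribute from those two lines (`type $1_htaccess_t; # customizable;` / `type $1_ra_content_t; # customizable`) or add `attribute httpd_content_type;` to the gen_require, and leave a one-line comment saying which is meant, because rules keyed on httpd_content_type will otherwise treat user .htaccess and ra content differently from user pages. The two templates also differ only in the `unix_stream_socket` permission set (`shutdown` appears in apache_content_template alone), which deserves a comment if intentional. Separately, apache_content_alias_template maps to `httpd_$2_script_rw_content_t` / `httpd_$2_script_ra_content_t`, which do not match the `httpd_$1_rw_content_t` / `httpd_$1_ra_content_t` names this hunk removes, so references to the old spellings would not be covered by the aliases unless they exist under other names elsewhere.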
@@ -133,47 +246,61 @@ template(`apache_content_template',`
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
 interface(`apache_role',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_user_content_t, httpd_user_htaccess_t;
-		type httpd_user_script_t, httpd_user_script_exec_t;
-		type httpd_user_ra_content_t, httpd_user_rw_content_t;
+		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
+		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
 	')
 
 	role $1 types httpd_user_script_t;
 
-	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
-
-	allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
-	allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
-	userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
-
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
-	filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
+	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+
+	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
+
+	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
+	apache_exec_modules($2)
+	apache_filetrans_home_content($2)
 
 	tunable_policy(`httpd_enable_cgi',`
+		# If a user starts a script by hand it gets the proper context
 		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
 	')
 
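Review bot: The six `*_pattern($2, httpd_user_content_t, httpd_user_content_t)` lines in apache_role are emitted twice — the block that follows the httpd_user_ra_content_t rules repeats the block that precedes them verbatim — which reads like a copy-paste slip where another type was intended. Delete the second copy; the compiled policy is the same with or without it, but a reader will look for a difference that is not there. The body of apache_role continues past the end of this hunk.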
@@ -184,7 +311,7 @@ interface(`apache_role',`
 
 ########################################
 ## <summary>
-##	Read user httpd script executable files.
+##	Read httpd user scripts executables.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -204,7 +331,7 @@ interface(`apache_read_user_scripts',`
 
 ########################################
 ## <summary>
-##	Read user httpd content.
+##	Read user web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -224,7 +351,7 @@ interface(`apache_read_user_content',`
 
 ########################################
 ## <summary>
-##	Execute httpd with a domain transition.
+##	Transition to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -241,27 +368,47 @@ interface(`apache_domtrans',`
 	domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Execute httpd server in the httpd domain.
+##	Allow the specified domain to execute apache
+##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`apache_initrc_domtrans',`
+interface(`apache_exec',`
 	gen_require(`
-		type httpd_initrc_exec_t;
+		type httpd_exec_t;
 	')
 
-	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+	can_exec($1, httpd_exec_t)
+')
+
+######################################
+## <summary>
+##	Allow the specified domain to execute apache suexec
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_exec_suexec',`
+	gen_require(`
+		type httpd_suexec_exec_t;
+	')
+
+	can_exec($1, httpd_suexec_exec_t)
 ')
 
 #######################################
 ## <summary>
-##	Send generic signals to httpd.
+##	Send a generic signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
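Review bot: apache_initrc_domtrans is removed outright and apache_exec put in its place, so any module that still calls `apache_initrc_domtrans()` will fail at policy build time; unless a replacement exists elsewhere in the tree, keep the old interface alongside apache_exec (its body was the single line `init_labeled_script_domtrans($1, httpd_initrc_exec_t)`) or mark it with refpolicywarn so callers get a clear message. For apache_exec_suexec, `can_exec($1, httpd_suexec_exec_t)` runs the helper in the caller's own domain rather than the confined httpd_suexec_t used by the domtrans rules above, so callers of this interface deserve a second look and the summary should say explicitly that no transition occurs.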
@@ -279,7 +426,7 @@ interface(`apache_signal',`
 
 ########################################
 ## <summary>
-##	Send null signals to httpd.
+##	Send a null signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -297,7 +444,7 @@ interface(`apache_signull',`
 
 ########################################
 ## <summary>
-##	Send child terminated signals to httpd.
+##	Send a SIGCHLD signal to apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -315,8 +462,7 @@ interface(`apache_sigchld',`
 
 ########################################
 ## <summary>
-##	Inherit and use file descriptors
-##	from httpd.
+##	Inherit and use file descriptors from Apache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -334,8 +480,8 @@ interface(`apache_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd unnamed pipes.
+##	Do not audit attempts to read and write Apache
+##	unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -348,13 +494,32 @@ interface(`apache_dontaudit_rw_fifo_file',`
 		type httpd_t;
 	')
 
-	dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow attempts to read and write Apache
+##	unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd unix domain stream sockets.
+##	Do not audit attempts to read and write Apache
+##	unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
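Review bot: The parameter summary of the new apache_rw_stream_sockets reads `Domain to not audit.`, copied from the dontaudit interface right below it, but this interface grants access; change it to `##	Domain allowed access.`. The interface summary `Allow attempts to read and write ...` mirrors the dontaudit wording too; `Read and write Apache unix domain stream sockets.` matches the style used for the other allow interfaces in this file.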
@@ -367,13 +532,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
 		type httpd_t;
 	')
 
-	dontaudit $1 httpd_t:unix_stream_socket { read write };
+	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd TCP sockets.
+##	Do not audit attempts to read and write Apache
+##	TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -391,8 +556,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	all httpd content.
+##	Create, read, write, and delete all web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -417,7 +581,8 @@ interface(`apache_manage_all_content',`
 
 ########################################
 ## <summary>
-##	Set attributes httpd cache directories.
+##	Allow domain to  set the attributes
+##	of the APACHE cache directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -435,7 +600,8 @@ interface(`apache_setattr_cache_dirs',`
 
 ########################################
 ## <summary>
-##	List httpd cache directories.
+##	Allow the specified domain to list
+##	Apache cache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -453,7 +619,8 @@ interface(`apache_list_cache',`
 
 ########################################
 ## <summary>
-##	Read and write httpd cache files.
+##	Allow the specified domain to read
+##	and write Apache cache files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -471,7 +638,8 @@ interface(`apache_rw_cache_files',`
 
 ########################################
 ## <summary>
-##	Delete httpd cache directories.
+##	Allow the specified domain to delete
+##	Apache cache dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -489,7 +657,8 @@ interface(`apache_delete_cache_dirs',`
 
 ########################################
 ## <summary>
-##	Delete httpd cache files.
+##	Allow the specified domain to delete
+##	Apache cache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -507,49 +676,51 @@ interface(`apache_delete_cache_files',`
 
 ########################################
 ## <summary>
-##	Read httpd configuration files.
+##	Allow the specified domain to search
+##	apache configuration dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`apache_read_config',`
+interface(`apache_search_config',`
 	gen_require(`
 		type httpd_config_t;
 	')
 
 	files_search_etc($1)
-	allow $1 httpd_config_t:dir list_dir_perms;
-	read_files_pattern($1, httpd_config_t, httpd_config_t)
-	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+	allow $1 httpd_config_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search httpd configuration directories.
+##	Allow the specified domain to read
+##	apache configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`apache_search_config',`
+interface(`apache_read_config',`
 	gen_require(`
 		type httpd_config_t;
 	')
 
 	files_search_etc($1)
-	allow $1 httpd_config_t:dir search_dir_perms;
+	allow $1 httpd_config_t:dir list_dir_perms;
+	read_files_pattern($1, httpd_config_t, httpd_config_t)
+	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd configuration files.
+##	Allow the specified domain to manage
+##	apache configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -570,8 +741,8 @@ interface(`apache_manage_config',`
 
 ########################################
 ## <summary>
-##	Execute the Apache helper program
-##	with a domain transition.
+##	Execute the Apache helper program with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -608,16 +779,38 @@ interface(`apache_domtrans_helper',`
 #
 interface(`apache_run_helper',`
 	gen_require(`
-		attribute_role httpd_helper_roles;
+		type httpd_helper_t;
 	')
 
 	apache_domtrans_helper($1)
-	roleattribute $2 httpd_helper_roles;
+	role $2 types httpd_helper_t;
 ')
 
 ########################################
 ## <summary>
-##	Read httpd log files.
+##	dontaudit attempts to read
+##	apache log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_dontaudit_read_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	dontaudit $1 httpd_log_t:file read_file_perms;
+	dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
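Review bot: apache_dontaudit_read_log carries a `<rolecap/>` tag and the parameter text `Domain allowed access.`, both copied from apache_read_log; a dontaudit interface grants nothing to a role, so drop the `## <rolecap/>` line and use `##	Domain to not audit.`. The switch in apache_run_helper from `roleattribute $2 httpd_helper_roles` to `role $2 types httpd_helper_t` is self-consistent, but anything else that still refers to the httpd_helper_roles attribute (not visible in this hunk) will need the same treatment.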
@@ -639,7 +832,8 @@ interface(`apache_read_log',`
 
 ########################################
 ## <summary>
-##	Append httpd log files.
+##	Allow the specified domain to append
+##	to apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -657,10 +851,29 @@ interface(`apache_append_log',`
 	append_files_pattern($1, httpd_log_t, httpd_log_t)
 ')
 
+#######################################
+## <summary>
+##  Allow the specified domain to write
+##  to apache log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`apache_write_log',`
+    gen_require(`
+        type httpd_log_t;
+    ')
+
+	allow $1 httpd_log_t:file write;
+')
+
 ########################################
 ## <summary>
-##	Do not audit attempts to append
-##	httpd log files.
+##	Do not audit attempts to append to the
+##	Apache logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
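Review bot: The new apache_write_log grants only `allow $1 httpd_log_t:file write;` — no `open` and no directory search — whereas the previous apache_write_log body (turned into apache_manage_log in the `@@ -708,19 +922,21 @@` hunk) used `logging_search_logs($1)` plus `write_files_pattern($1, httpd_log_t, httpd_log_t)`, so existing callers that open the log themselves will start being denied. If the narrower rule is meant for descriptors inherited from the server, say so in the summary (`Write to inherited apache log files.`); otherwise restore `write_files_pattern`. The gen_require block here is indented with spaces while the allow line and the rest of the file use tabs.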
@@ -678,8 +891,8 @@ interface(`apache_dontaudit_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd log files.
+##	Allow the specified domain to manage
+##	to apache var lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -687,20 +900,21 @@ interface(`apache_dontaudit_append_log',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_manage_log',`
+interface(`apache_manage_lib',`
 	gen_require(`
-		type httpd_log_t;
+		type httpd_var_lib_t;
 	')
 
-	logging_search_logs($1)
-	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
-	manage_files_pattern($1, httpd_log_t, httpd_log_t)
-	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+	manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
+	read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Write apache log files.
+##	Allow the specified domain to manage
+##	to apache log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
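Review bot: The summary of apache_manage_log, `Allow the specified domain to manage to apache log files.`, has a stray `to`, and the preceding hunk introduces the same slip in `manage to apache var lib files.`; suggest `Allow the specified domain to manage apache log files.` and `... manage apache var lib files.` since these summaries feed the generated interface documentation.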
@@ -708,19 +922,21 @@ interface(`apache_manage_log',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_write_log',`
+interface(`apache_manage_log',`
 	gen_require(`
 		type httpd_log_t;
 	')
 
 	logging_search_logs($1)
-	write_files_pattern($1, httpd_log_t, httpd_log_t)
+	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
+	manage_files_pattern($1, httpd_log_t, httpd_log_t)
+	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search
-##	httpd module directories.
+##	Do not audit attempts to search Apache
+##	module directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -738,7 +954,8 @@ interface(`apache_dontaudit_search_modules',`
 
 ########################################
 ## <summary>
-##	List httpd module directories.
+##	Allow the specified domain to read
+##	the apache module directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -746,17 +963,19 @@ interface(`apache_dontaudit_search_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_list_modules',`
+interface(`apache_read_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
-	allow $1 httpd_modules_t:dir list_dir_perms;
+	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute httpd module files.
+##	Allow the specified domain to list
+##	the contents of the apache modules
+##	directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
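Review bot: apache_read_modules keeps only `read_files_pattern($1, httpd_modules_t, httpd_modules_t)`, while the removed apache_read_module_files body (hunk `@@ -784,19 +1003,19 @@`) also had `libs_search_lib($1)`; callers that reach the modules directory through the library path may now be denied the search, so add `libs_search_lib($1)` back unless every expected caller already has it. Net of the renames in this and the two following hunks, apache_list_modules and apache_exec_modules survive but apache_read_module_files disappears, so existing callers of that interface stop building; keeping it as a thin wrapper that calls `apache_read_modules($1)` avoids that.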
@@ -764,19 +983,19 @@ interface(`apache_list_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_exec_modules',`
+interface(`apache_list_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
-	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
-	can_exec($1, httpd_modules_t)
+	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Read httpd module files.
+##	Allow the specified domain to execute
+##	apache modules.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -784,19 +1003,19 @@ interface(`apache_exec_modules',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_read_module_files',`
+interface(`apache_exec_modules',`
 	gen_require(`
 		type httpd_modules_t;
 	')
 
-	libs_search_lib($1)
-	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+	allow $1 httpd_modules_t:dir list_dir_perms;
+	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
+	can_exec($1, httpd_modules_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run httpd_rotatelogs.
+##	Execute a domain transition to run httpd_rotatelogs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -809,13 +1028,50 @@ interface(`apache_domtrans_rotatelogs',`
 		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
 ')
 
+#######################################
+## <summary>
+##  Execute httpd_rotatelogs in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`apache_exec_rotatelogs',`
+    gen_require(`
+        type httpd_rotatelogs_exec_t;
+    ')
+
+	can_exec($1, httpd_rotatelogs_exec_t)
+')
+
+#######################################
+## <summary>
+##  Execute httpd system scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`apache_exec_sys_script',`
+	gen_require(`
+		type httpd_sys_script_exec_t;
+	')
+
+	allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+	can_exec($1, httpd_sys_script_exec_t)
+')
+
 ########################################
 ## <summary>
-##	List httpd system content directories.
+##	Allow the specified domain to list
+##	apache system content files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
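Review bot: `corecmd_search_bin($1)` is removed from `apache_domtrans_rotatelogs`, so callers that reach `httpd_rotatelogs_exec_t` under the binary directories must now obtain that search access themselves; if that is deliberate a sentence in the interface summary would help. In the two new interfaces the parameter summaries say `Domain allowed to transition.` although `can_exec` keeps the caller in its own domain, and `apache_exec_rotatelogs` indents its `gen_require` block with spaces while the rest of the file uses tabs; the separator lines above both new interfaces are also one `#` shorter than the others. Suggest `##	Domain allowed access.` for both parameter summaries and tab indentation throughout.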
@@ -829,13 +1085,14 @@ interface(`apache_list_sys_content',`
 	')
 
 	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 	files_search_var($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd system content files.
+##	Allow the specified domain to manage
+##	apache system content files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -844,6 +1101,7 @@ interface(`apache_list_sys_content',`
 ## </param>
 ## <rolecap/>
 #
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
 interface(`apache_manage_sys_content',`
 	gen_require(`
 		type httpd_sys_content_t;
@@ -855,32 +1113,98 @@ interface(`apache_manage_sys_content',`
 	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 ')
 
-########################################
+######################################
 ## <summary>
-##	Create, read, write, and delete
-##	httpd system rw content.
+##	Allow the specified domain to read
+##	apache system content rw files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_read_sys_content_rw_files',`
 	gen_require(`
 		type httpd_sys_rw_content_t;
 	')
 
-	apache_search_sys_content($1)
+	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+##	Allow the specified domain to read
+##	apache system content rw dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_dirs',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+##	Allow the specified domain to manage
+##	apache system content rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_sys_content_rw',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	files_search_var($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute all httpd scripts in the
-##	system script domain.
+##	Allow the specified domain to delete
+##	apache system content rw files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_delete_sys_content_rw',`
+	gen_require(`
+		type httpd_sys_rw_content_t;
+	')
+
+	files_search_tmp($1)
+	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+## <summary>
+##	Execute all web scripts in the system
+##	script domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
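Review bot: `apache_delete_sys_content_rw` calls `files_search_tmp($1)`, whereas its sibling `apache_manage_sys_content_rw` calls `files_search_var($1)` and the comment added above `apache_manage_sys_content` says this content lives under /var, /etc, /srv and /usr; the tmp search looks copied from a tmp-file interface and presumably should be `files_search_var($1)`. The rename from `apache_manage_sys_rw_content` also replaces `apache_search_sys_content($1)` with `files_search_var($1)`, so callers lose search on `httpd_sys_content_t` directories that sit between /var and the rw content; either keep that call or document the change. The summary of the delete interface mentions only files, but the body also deletes directories, symlinks, fifos and sockets.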
@@ -888,10 +1212,17 @@ interface(`apache_manage_sys_rw_content',`
 ##	</summary>
 ## </param>
 #
+# cjp: this interface specifically added to allow
+# sysadm_t to run scripts
 interface(`apache_domtrans_sys_script',`
 	gen_require(`
 		attribute httpdcontent;
-		type httpd_sys_script_t;
+		type httpd_sys_script_exec_t;
+		type httpd_sys_script_t, httpd_sys_content_t;
+	')
+
+	tunable_policy(`httpd_enable_cgi',`
+		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
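Review bot: the new `gen_require` of `apache_domtrans_sys_script` adds `httpd_sys_content_t`, but nothing in the visible part of the interface uses it; the body continues outside this hunk, so if the remainder does not reference it the requirement should be dropped, and the two `type` lines could be merged into `type httpd_sys_script_t, httpd_sys_script_exec_t;`. The `# cjp:` comment records an author's reason in a personal style; a neutral note such as `# Added so that administrative domains can run system scripts` stays useful once the attribution is stale.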
@@ -901,9 +1232,8 @@ interface(`apache_domtrans_sys_script',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write httpd system script unix
-##	domain stream sockets.
+##	Do not audit attempts to read and write Apache
+##	system script unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -916,7 +1246,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
 		type httpd_sys_script_t;
 	')
 
-	dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+	dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
 ')
 
 ########################################
@@ -941,7 +1271,7 @@ interface(`apache_domtrans_all_scripts',`
 ########################################
 ## <summary>
 ##	Execute all user scripts in the user
-##	script domain. Add user script domains
+##	script domain.  Add user script domains
 ##	to the specified role.
 ## </summary>
 ## <param name="domain">
@@ -954,6 +1284,7 @@ interface(`apache_domtrans_all_scripts',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_run_all_scripts',`
 	gen_require(`
@@ -966,7 +1297,8 @@ interface(`apache_run_all_scripts',`
 
 ########################################
 ## <summary>
-##	Read httpd squirrelmail data files.
+##	Allow the specified domain to read
+##	apache squirrelmail data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -979,12 +1311,13 @@ interface(`apache_read_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
 
-	allow $1 httpd_squirrelmail_t:file read_file_perms;
+	read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
 ')
 
 ########################################
 ## <summary>
-##	Append httpd squirrelmail data files.
+##	Allow the specified domain to append
+##	apache squirrelmail data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1002,7 +1335,7 @@ interface(`apache_append_squirrelmail_data',`
 
 ########################################
 ## <summary>
-##	Search httpd system content.
+##	Search apache system content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1015,13 +1348,12 @@ interface(`apache_search_sys_content',`
 		type httpd_sys_content_t;
 	')
 
-	files_search_var($1)
 	allow $1 httpd_sys_content_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read httpd system content.
+##	Read apache system content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
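Review bot: dropping `files_search_var($1)` from `apache_search_sys_content` changes what every existing caller is granted: the comment added earlier in this diff says `httpd_sys_content_t` is found under /var, and a domain that relied on this interface to reach /var/www will now hit a search denial on the /var directory. If the intent is that callers add the /var search themselves, the summary should say so; otherwise keep the call.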
@@ -1041,7 +1373,7 @@ interface(`apache_read_sys_content',`
 
 ########################################
 ## <summary>
-##	Search httpd system CGI directories.
+##	Search apache system CGI directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1059,8 +1391,7 @@ interface(`apache_search_sys_scripts',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete all
-##	user httpd content.
+##	Create, read, write, and delete all user web content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1071,18 +1402,21 @@ interface(`apache_search_sys_scripts',`
 #
 interface(`apache_manage_all_user_content',`
 	gen_require(`
-		type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
-		type httpd_user_htaccess_t, httpd_user_script_exec_t;
+		attribute httpd_user_content_type, httpd_user_script_exec_type;
 	')
 
-	manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
-	manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
-	manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+
+	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
 ')
 
 ########################################
 ## <summary>
-##	Search system script state directories.
+##	Search system script state directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
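Review bot: `apache_manage_all_user_content` now manages whatever carries `httpd_user_content_type` and `httpd_user_script_exec_type`, while the removed version explicitly included `httpd_user_htaccess_t` in `manage_files_pattern`. Whether `httpd_user_htaccess_t` is assigned either attribute is not visible in this hunk; if it is not, management of .htaccess files is silently dropped from the interface. A comment naming the types each attribute is expected to cover would make the rewrite checkable.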
@@ -1100,7 +1434,8 @@ interface(`apache_search_sys_script_state',`
 
 ########################################
 ## <summary>
-##	Read httpd tmp files.
+##	Allow the specified domain to read
+##	apache tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1117,10 +1452,29 @@ interface(`apache_read_tmp_files',`
 	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
 ')
 
+######################################
+## <summary>
+##	Dontaudit attempts to read and write
+##	apache tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+	gen_require(`
+		type httpd_tmp_t;
+	')
+
+	dontaudit $1 httpd_tmp_t:file { read write };
+')
+
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	httpd tmp files.
+##	Dontaudit attempts to write
+##	apache tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1133,7 +1487,7 @@ interface(`apache_dontaudit_write_tmp_files',`
 		type httpd_tmp_t;
 	')
 
-	dontaudit $1 httpd_tmp_t:file write_file_perms;
+	dontaudit $1 httpd_tmp_t:file write;
 ')
 
 ########################################
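Review bot: narrowing the `dontaudit` in `apache_dontaudit_write_tmp_files` from `write_file_perms` to `write` means denied `open`, `append`, `lock` and `ioctl` attempts on `httpd_tmp_t` files will now be audited for every caller, a behaviour change hidden inside a wording commit. If only the bare write denial is meant to be silenced, the summary should say so; otherwise keep `write_file_perms`. The new `apache_dontaudit_rw_tmp_files` in the previous hunk uses `{ read write }` in the same spirit, so the two should at least agree on whether `open` is covered.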
@@ -1142,6 +1496,9 @@ interface(`apache_dontaudit_write_tmp_files',`
 ## </summary>
 ##	<desc>
 ##	<p>
+##	Execute CGI in the specified domain.
+##	</p>
+##	<p>
 ##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
@@ -1171,8 +1528,31 @@ interface(`apache_cgi_domain',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an apache environment.
+##	Execute httpd server in the httpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apache_systemctl',`
+	gen_require(`
+		type httpd_t;
+		type httpd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 httpd_unit_file_t:file read_file_perms;
+	allow $1 httpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, httpd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an apache environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
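Review bot: the summary of `apache_systemctl` says `Execute httpd server in the httpd domain.` but the body grants systemctl execution, service reload, `manage_service_perms` on `httpd_unit_file_t` and process inspection of `httpd_t`; no domain transition happens, so `Domain allowed to transition.` is also wrong for the parameter. Suggest `##	Execute systemctl to manage the httpd service.` and `##	Domain allowed access.`. Since the interface lets the caller start and stop the web server, the summary should make that visible rather than reading like a plain exec interface.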
@@ -1189,18 +1569,19 @@ interface(`apache_cgi_domain',`
 interface(`apache_admin',`
 	gen_require(`
 		attribute httpdcontent, httpd_script_exec_type;
-		attribute httpd_script_domains, httpd_htaccess_type;
 		type httpd_t, httpd_config_t, httpd_log_t;
-		type httpd_modules_t, httpd_lock_t, httpd_helper_t;
-		type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
-		type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
-		type httpd_initrc_exec_t, httpd_keytab_t;
+		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+		type httpd_suexec_tmp_t, httpd_tmp_t;
+		type httpd_unit_file_t;
 	')
 
-	allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
-	allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
-	ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+	allow $1 httpd_t:process signal_perms;
+	ps_process_pattern($1, httpd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 httpd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
 	domain_system_change_exemption($1)
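Review bot: `httpd_bool_t` is added to the `gen_require` of `apache_admin`, but none of the visible hunks of this interface reference it; the interface continues past this hunk, so if the remainder does not use it the requirement should go. The rewrite also drops signal and ptrace control over `httpd_script_domains`, `httpd_helper_t`, `httpd_rotatelogs_t`, `httpd_suexec_t` and `httpd_passwd_t`, leaving only `httpd_t`, so an admin can no longer signal a stuck CGI or suexec process through this interface; that deserves a line in the description if intended. The `deny_ptrace` block with an empty true branch reads oddly at first glance; a comment such as `# ptrace only when deny_ptrace is off` would help.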
@@ -1210,10 +1591,10 @@ interface(`apache_admin',`
 	apache_manage_all_content($1)
 	miscfiles_manage_public_files($1)
 
-	files_search_etc($1)
-	admin_pattern($1, { httpd_keytab_t httpd_config_t })
+	files_list_etc($1)
+	admin_pattern($1, httpd_config_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, httpd_log_t)
 
 	admin_pattern($1, httpd_modules_t)
@@ -1224,9 +1605,182 @@ interface(`apache_admin',`
 	admin_pattern($1, httpd_var_run_t)
 	files_pid_filetrans($1, httpd_var_run_t, file)
 
-	admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
-	admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
+	admin_pattern($1, httpdcontent)
+	admin_pattern($1, httpd_script_exec_type)
+
+	seutil_domtrans_setfiles($1)
+
+	files_list_tmp($1)
+	admin_pattern($1, httpd_tmp_t)
+	admin_pattern($1, httpd_php_tmp_t)
+	admin_pattern($1, httpd_suexec_tmp_t)
+
+	apache_systemctl($1)
+	admin_pattern($1, httpd_unit_file_t)
+	allow $1 httpd_unit_file_t:service all_service_perms;
+
+	apache_filetrans_named_content($1)
+')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_leaks',`
+	gen_require(`
+		type httpd_t;
+		type httpd_tmp_t;
+	')
+
+	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+	dontaudit $1 httpd_t:tcp_socket { read write };
+	dontaudit $1 httpd_t:unix_dgram_socket { read write };
+	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
+	dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+##	Transition to apache named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_filetrans_named_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+		type httpd_tmp_t;
+	')
+
+
+	apache_filetrans_home_content($1)
+	files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
+	files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
+	files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
+	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
+	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
+	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+	userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
+## <summary>
+##	Allow any httpd_exec_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_entrypoint',`
+	gen_require(`
+		type httpd_exec_t;
+	')
+	allow $1 httpd_exec_t:file entrypoint;
+')
+
+########################################
+## <summary>
+##	Execute a httpd_exec_t in the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`apache_exec_domtrans',`
+	gen_require(`
+		type httpd_exec_t;
+	')
+
+	domtrans_pattern($1, httpd_exec_t, $2)
+')
+
+########################################
+## <summary>
+##	Transition to apache home content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_filetrans_home_content',`
+	gen_require(`
+		type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+		type httpd_user_content_ra_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+	filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+	filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
+')
 
-	apache_run_all_scripts($1, $2)
-	apache_run_helper($1, $2)
+########################################
+## <summary>
+##	Read apache pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_read_pid_files',`
+	gen_require(`
+		type httpd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+')
+
+########################################
+## <summary>
+##      Send and receive messages from
+##      httpd over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`apache_dbus_chat',`
+        gen_require(`
+                type httpd_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 httpd_t:dbus send_msg;
+        allow httpd_t $1:dbus send_msg;
+		ps_process_pattern(httpd_t, $1)
 ')
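Review bot: `apache_dbus_chat` is indented with spaces while the rest of the file uses tabs, and its last line `ps_process_pattern(httpd_t, $1)` mixes a tab in; that call also grants `httpd_t` read access to the caller's process state, which goes beyond dbus messaging and should be mentioned in the summary or moved to a separate interface. `apache_admin` no longer calls `apache_run_all_scripts($1, $2)` and `apache_run_helper($1, $2)`, so if the interface still documents a role parameter (its header is outside this hunk) that parameter is now unused. Smaller style points: `apache_entrypoint` lacks the blank line after `gen_require` used elsewhere, `apache_filetrans_named_content` has a doubled blank line, and the `apache_dontaudit_leaks` summary should read `dontaudit read and write of leaked file descriptors`.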
diff --git a/apache.te b/apache.te
index 6649962..84717e1 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
 # Declarations
 #
 
+selinux_genbool(httpd_bool_t)
+
 ## <desc>
-##	<p>
-##	Determine whether httpd can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
 ## </desc>
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use mod_auth_pam.
-##	</p>
+## <p>
+## Dontaudit Apache to search dirs.
+## </p>
 ## </desc>
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_dontaudit_search_dirs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use built in scripting.
-##	</p>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
 ## </desc>
-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_pam, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can check spam.
-##	</p>
+## <p>
+## Allow Apache to use mod_auth_ntlm_winbind
+## </p>
 ## </desc>
-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and modules
-##	can connect to the network using TCP.
-##	</p>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## </p>
+## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow httpd processes to manage IPA content
+## </p>
+## </desc>
+gen_tunable(httpd_manage_ipa, false)
+
+## <desc>
+## <p>
+## Allow httpd processes to run IPA helper.
+## </p>
+## </desc>
+gen_tunable(httpd_run_ipa, false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting, false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and modules
-##	can connect to cobbler over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect_cobbler, false)
 
 ## <desc>
-##	<p>
-##	Determine whether scripts and modules can
-##	connect to databases over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to server cobbler files.
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_db, false)
+gen_tunable(httpd_serve_cobbler_files, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect to
-##	ldap over the network.
-##	</p>
+## <p>
+## Allow HTTPD to connect to port 80 for graceful shutdown
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_ldap, false)
+gen_tunable(httpd_graceful_shutdown, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect
-##	to memcache server over the network.
-##	</p>
+## <p>
+## Allow HTTPD scripts and modules to connect to databases over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to connect to memcache server
+## </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_memcache, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can act as a relay.
-##	</p>
+## <p>
+## Allow httpd to act as a relay
+## </p>
 ## </desc>
 gen_tunable(httpd_can_network_relay, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd daemon can
-##	connect to zabbix over the network.
-##	</p>
+##  <p>
+##  Allow http daemon to connect to zabbix
+##  </p>
 ## </desc>
-gen_tunable(httpd_can_network_connect_zabbix, false)
+gen_tunable(httpd_can_connect_zabbix, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can send mail.
-##	</p>
+##  <p>
+##  Allow http daemon to connect to mythtv
+##  </p>
+## </desc>
+gen_tunable(httpd_can_connect_mythtv, false)
+
+## <desc>
+## <p>
+## Allow http daemon to check spam
+## </p>
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
+## <desc>
+## <p>
+## Allow http daemon to send mail
+## </p>
 ## </desc>
 gen_tunable(httpd_can_sendmail, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can communicate
-##	with avahi service via dbus.
-##	</p>
+## <p>
+## Allow Apache to communicate with avahi service via dbus
+## </p>
 ## </desc>
 gen_tunable(httpd_dbus_avahi, false)
 
 ## <desc>
-##	<p>
-##	Determine wether httpd can use support.
-##	</p>
+## <p>
+## Allow Apache to communicate with sssd service via dbus
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_cgi, false)
+gen_tunable(httpd_dbus_sssd, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can act as a
-##	FTP server by listening on the ftp port.
-##	</p>
+## <p>
+## Allow httpd cgi support
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_ftp_server, false)
+gen_tunable(httpd_enable_cgi, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can traverse
-##	user home directories.
-##	</p>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
 ## </desc>
-gen_tunable(httpd_enable_homedirs, false)
+gen_tunable(httpd_enable_ftp_server, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd gpg can modify
-##	public files used for public file
-##	transfer services. Directories/Files must
-##	be labeled public_content_rw_t.
-##	</p>
+## <p>
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+## </p>
 ## </desc>
-gen_tunable(httpd_gpg_anon_write, false)
+gen_tunable(httpd_can_connect_ftp, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can execute
-##	its temporary content.
-##	</p>
+##  <p>
+##  Allow httpd to connect to the ldap port 
+##  </p>
 ## </desc>
-gen_tunable(httpd_tmp_exec, false)
+gen_tunable(httpd_can_connect_ldap, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd scripts and
-##	modules can use execmem and execstack.
-##	</p>
+## <p>
+## Allow httpd to read home directories
+## </p>
 ## </desc>
-gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_enable_homedirs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can connect
-##	to port 80 for graceful shutdown.
-##	</p>
+## <p>
+## Allow httpd to read user content 
+## </p>
 ## </desc>
-gen_tunable(httpd_graceful_shutdown, false)
+gen_tunable(httpd_read_user_content, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can
-##	manage IPA content files.
-##	</p>
+## <p>
+## Allow Apache to run in stickshift mode, not transition to passenger
+## </p>
 ## </desc>
-gen_tunable(httpd_manage_ipa, false)
+gen_tunable(httpd_run_stickshift, false)
+
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use mod_auth_ntlm_winbind.
-##	</p>
+## <p>
+## Allow Apache to run preupgrade
+## </p>
 ## </desc>
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+gen_tunable(httpd_run_preupgrade, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can read
-##	generic user home content files.
-##	</p>
+## <p>
+## Allow Apache to query NS records
+## </p>
 ## </desc>
-gen_tunable(httpd_read_user_content, false)
+gen_tunable(httpd_verify_dns, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can change
-##	its resource limits.
-##	</p>
+## <p>
+## Allow httpd daemon to change its resource limits
+## </p>
 ## </desc>
 gen_tunable(httpd_setrlimit, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can run
-##	SSI executables in the same domain
-##	as system CGI scripts.
-##	</p>
+## <p>
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+## </p>
 ## </desc>
 gen_tunable(httpd_ssi_exec, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can communicate
-##	with the terminal. Needed for entering the
-##	passphrase for certificates at the terminal.
-##	</p>
+## <p>
+## Allow Apache to execute tmp content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
+## <desc>
+## <p>
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+## </p>
 ## </desc>
 gen_tunable(httpd_tty_comm, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can have full access
-##	to its content types.
-##	</p>
+## <p>
+## Unify HTTPD handling of all content files.
+## </p>
 ## </desc>
 gen_tunable(httpd_unified, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use
-##	cifs file systems.
-##	</p>
+## <p>
+## Allow httpd to access openstack ports
+## </p>
+## </desc>
+gen_tunable(httpd_use_openstack, false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
 ## </desc>
 gen_tunable(httpd_use_cifs, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether httpd can
-##	use fuse file systems.
+##	Allow httpd to access FUSE file systems
 ##	</p>
 ## </desc>
 gen_tunable(httpd_use_fusefs, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use gpg.
-##	</p>
+## <p>
+## Allow httpd to run gpg
+## </p>
 ## </desc>
 gen_tunable(httpd_use_gpg, false)
 
 ## <desc>
-##	<p>
-##	Determine whether httpd can use
-##	nfs file systems.
-##	</p>
+## <p>
+## Allow httpd to connect to  sasl
+## </p>
+## </desc>
+gen_tunable(httpd_use_sasl, false)
+
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
 ## </desc>
 gen_tunable(httpd_use_nfs, false)
 
+## <desc>
+## <p>
+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
+## </p>
+## </desc>
+gen_tunable(httpd_sys_script_anon_write, false)
+
 attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
+attribute httpd_content_type;
 
-# domains that can exec all scripts
+# domains that can exec all users scripts
 attribute httpd_exec_scripts;
 
+attribute httpd_script_type;
 attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
 
-# all script domains
+# user script domains
 attribute httpd_script_domains;
 
-attribute_role httpd_helper_roles;
-roleattribute system_r httpd_helper_roles;
-
 type httpd_t;
 type httpd_exec_t;
+ifdef(`distro_redhat',`
+	typealias httpd_t alias phpfpm_t;
+	typealias httpd_exec_t alias phpfpm_exec_t;
+')
 init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
 
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
 type httpd_cache_t;
 files_type(httpd_cache_t)
 
+# httpd_config_t is the type given to the configuration files
 type httpd_config_t;
 files_config_file(httpd_config_t)
 
 type httpd_helper_t;
 type httpd_helper_exec_t;
-application_domain(httpd_helper_t, httpd_helper_exec_t)
-role httpd_helper_roles types httpd_helper_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
 
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
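Review bot: the description of `httpd_sys_script_anon_write` names the label `public_rw_content_t`, while the `httpd_anon_write` description above it says `public_content_rw_t`; the two should agree, and the first spelling looks like a typo. Several booleans are renamed in this hunk (`allow_httpd_anon_write`, `allow_httpd_mod_auth_pam`, `httpd_can_network_connect_memcache`, `httpd_can_network_connect_ldap`, `httpd_can_network_connect_zabbix`) and `httpd_gpg_anon_write` is removed; these are names administrators carry in setsebool scripts and local modules, so the commit description should list them and say whether any compatibility aliases exist. Wording nits: `server cobbler files` should be `serve cobbler files`, `Unify HTTPD to communicate with the terminal.` should be `Allow HTTPD to communicate with the terminal.`, `connect to  sasl` has a doubled space, and a few description lines carry trailing whitespace.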
@@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t)
 type httpd_keytab_t;
 files_type(httpd_keytab_t)
 
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
+	typealias httpd_unit_file_t alias phpfpm_unit_file_t;
+')
+systemd_unit_file(httpd_unit_file_t)
+
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
 type httpd_log_t;
+ifdef(`distro_redhat',`
+	typealias httpd_log_t alias phpfpm_log_t;
+')
 logging_log_file(httpd_log_t)
 
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
 type httpd_modules_t;
 files_type(httpd_modules_t)
 
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
 type httpd_rotatelogs_t;
 type httpd_rotatelogs_exec_t;
 init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
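Review bot: the `phpfpm_*` aliases are declared in three separate `ifdef` blocks spread across the declarations (the `httpd_t` one sits in the hunk above); grouping them into one block after the base types makes the Red Hat-specific naming easier to audit. A comment above that block explaining why php-fpm shares the `httpd_t` domain instead of getting its own would also help, since running a second service in the web server's domain is a deliberate trust decision rather than an obvious default.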
@@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
 type httpd_squirrelmail_t;
 files_type(httpd_squirrelmail_t)
 
-type squirrelmail_spool_t;
-files_tmp_file(squirrelmail_spool_t)
-
-type httpd_suexec_t;
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
 type httpd_suexec_exec_t;
 domain_type(httpd_suexec_t)
 domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
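Review bot: The trailing `#, daemon;` on L5993 is a leftover from an old attribute list and now reads as dead text right after the new SUEXEC comment; the line should just be `type httpd_suexec_t;`. The comment on L5992 could also carry the security-relevant fact that the following `domain_type`/`domain_entry_file` lines establish: `# SUEXEC runs user scripts as their own user ID; it is kept as its own domain rather than running inside httpd_t`. The removal of `squirrelmail_spool_t` here is matched by its re-declaration later in this diff, so nothing is lost.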
@@ -314,9 +398,19 @@ role system_r types httpd_suexec_t;
 type httpd_suexec_tmp_t;
 files_tmp_file(httpd_suexec_tmp_t)
 
-apache_content_template(sys)
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+# setup the system domain for system CGI scripts
+apache_content_template(httpd_sys)
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
 
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
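Review bot: Putting `httpd_sys_content_t` into the `httpdcontent` attribute on L6007 does more than the `# customizable` tag suggests: elsewhere in this diff the `httpd_unified` rules give httpd_t manage and domtrans over everything in `httpdcontent`, so read-only system content becomes writable and executable by the server when that boolean is on. A comment on these three lines should state that, e.g. `# members of httpdcontent are managed/executed by httpd_t when httpd_unified is on; keep read-only types out of it if that is not intended`. L6002's `corecmd_shell_entry_type(httpd_sys_script_t)` is also dropped here; unless the renamed template now provides it, the `httpd_ssi_exec` rule later in this diff (`corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)`) has no shell entrypoint to use.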
@@ -324,14 +418,21 @@ files_tmp_file(httpd_tmp_t)
 type httpd_tmpfs_t;
 files_tmpfs_file(httpd_tmpfs_t)
 
-apache_content_template(user)
+apache_user_content_template(httpd_user)
 ubac_constrained(httpd_user_script_t)
+
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
 userdom_user_home_content(httpd_user_content_t)
 userdom_user_home_content(httpd_user_htaccess_t)
 userdom_user_home_content(httpd_user_script_exec_t)
 userdom_user_home_content(httpd_user_ra_content_t)
 userdom_user_home_content(httpd_user_rw_content_t)
+typeattribute httpd_user_script_t httpd_script_domains;
 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
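Review bot: `typeattribute httpd_user_script_t httpd_script_domains;` on L6037 is inserted between the `userdom_user_home_content` calls and the run of `typealias` lines, while the three other new `typeattribute` statements sit together at L6028–6030; move it up next to them so attribute membership for the user types is declared in one place. The alias `httpd_unconfined_content_t` on L6039 maps an "unconfined" content type onto ordinary user home content, which is the opposite of what the old name implies; a comment such as `# httpd_unconfined_content_t is retired; files still carrying it are treated as plain user content` would stop a reader assuming it grants anything extra. `apache_user_content_template` is a new interface name and must exist in this tree's apache.if (not visible here).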
@@ -346,33 +447,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
 typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
 typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
 
+# for apache2 memory mapped files
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
 
 type httpd_var_run_t;
+ifdef(`distro_redhat',`
+	typealias httpd_var_run_t alias phpfpm_var_run_t;
+')
 files_pid_file(httpd_var_run_t)
 
-type httpd_passwd_t;
-type httpd_passwd_exec_t;
-domain_type(httpd_passwd_t)
-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
-role system_r types httpd_passwd_t;
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
 
-type httpd_gpg_t;
-domain_type(httpd_gpg_t)
-role system_r types httpd_gpg_t;
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
 
 optional_policy(`
 	prelink_object_file(httpd_modules_t)
 ')
 
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
 ########################################
 #
-# Local policy
+# Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
 allow httpd_t self:sock_file read_sock_file_perms;
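Review bot: L6090 allows `sys_tty_config` to httpd_t while L6091 also dontaudits it; a permission that is allowed never produces a denial, so the dontaudit entry is dead and only hides the fact that the allow exists. Keep one of them: either drop it from L6091 (`dontaudit httpd_t self:capability net_admin;`) or, if the intent was to stop granting it, remove it from the allow on L6090. `sys_chroot` is also newly granted on L6090 with no explanation; a web server should not be able to change its root without a recorded reason, so add something like `# sys_chroot: needed by <module> — TODO name the consumer` above the line.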
@@ -381,30 +489,39 @@ allow httpd_t self:shm create_shm_perms;
 allow httpd_t self:sem create_sem_perms;
 allow httpd_t self:msgq create_msgq_perms;
 allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket sendto;
-allow httpd_t self:unix_stream_socket { accept connectto listen };
-allow httpd_t self:tcp_socket { accept listen };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
 
+# Allow httpd_t to put files in /var/cache/httpd etc
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
 
+# Allow the httpd_t to read the web servers config files
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 
+can_exec(httpd_t, httpd_exec_t)
+
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
 allow httpd_t httpd_lock_t:file manage_file_perms;
 files_lock_filetrans(httpd_t, httpd_lock_t, file)
 
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
+allow httpd_t httpd_log_t:dir setattr;
 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
 allow httpd_t httpd_modules_t:dir list_dir_perms;
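Review bot: L6128 replaces the `setattr_dir_perms` permission-set macro with a bare `setattr`, a step away from the reference-policy convention the rest of this hunk follows (`read_file_perms`, `list_dir_perms`, `manage_file_perms`); restore `allow httpd_t httpd_log_t:dir setattr_dir_perms;`. The `# cjp:` note on L6135–6136 is a personal TODO and should say what is wrong in impersonal terms, e.g. `# TODO: logging_log_filetrans also grants create on the log dir; ideally restrict to add_name`. The new `dontaudit httpd_t self:netlink_audit_socket create_socket_perms;` on L6106 also deserves a one-line reason, since audit-socket attempts are usually a symptom worth seeing.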
@@ -412,13 +529,20 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
 allow httpd_t httpd_rotatelogs_t:process signal_perms;
 
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 
-allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_suexec_t:process { signal signull };
+allow httpd_t httpd_suexec_t:file read_file_perms;
+
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
 
 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
 
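Review bot: L6154 changes the target from `httpd_suexec_exec_t` (the suexec binary) to `httpd_suexec_t` (the suexec process domain), so httpd_t loses read access to the executable; with `:file read_file_perms` on a process type the rule now reads as access to suexec's /proc/<pid> entries, which may be intended but looks like a typo. If the original access is still needed, keep `allow httpd_t httpd_suexec_exec_t:file read_file_perms;` next to the new signal rule. Note that the `domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)` this diff removes further down is not visibly re-added in the part I can see; if it has not moved, httpd_t can no longer transition into suexec at all.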
@@ -438,6 +562,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -450,140 +575,176 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
-can_exec(httpd_t, httpd_exec_t)
-
-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
 kernel_read_kernel_sysctls(httpd_t)
-kernel_read_network_state(httpd_t)
+# for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
 kernel_search_network_sysctl(httpd_t)
 
-corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
 corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
 corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_generic_node(httpd_t)
-
-corenet_sendrecv_http_server_packets(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
-corenet_tcp_sendrecv_http_port(httpd_t)
-
-corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_udp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_t)
-
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
+# Signal self for shutdown
+tunable_policy(`httpd_graceful_shutdown',`
+	corenet_tcp_connect_http_port(httpd_t)
+')
 
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
 dev_rw_crypto(httpd_t)
 
-domain_use_interactive_fds(httpd_t)
+files_dontaudit_write_all_mountpoints(httpd_t)
 
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
-
-fs_getattr_all_fs(httpd_t)
-fs_read_anon_inodefs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
 
+files_dontaudit_search_all_pids(httpd_t)
 files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
 files_list_mnt(httpd_t)
+files_read_mnt_symlinks(httpd_t)
+files_search_all(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
 files_read_var_lib_files(httpd_t)
 files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
 files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+# for tomcat
 files_read_var_lib_symlinks(httpd_t)
 
-auth_use_nsswitch(httpd_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
 
 libs_read_lib_files(httpd_t)
 
+ifdef(`hide_broken_symptoms',`
+	libs_exec_lib_files(httpd_t)
+')
+
 logging_send_syslog_msg(httpd_t)
 
-miscfiles_read_localization(httpd_t)
+init_dontaudit_read_utmp(httpd_t)
+
 miscfiles_read_fonts(httpd_t)
 miscfiles_read_public_files(httpd_t)
 miscfiles_read_generic_certs(httpd_t)
 miscfiles_read_tetex_data(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
+miscfiles_dontaudit_access_check_cert(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
 
-ifdef(`TODO',`
-	tunable_policy(`allow_httpd_mod_auth_pam',`
-		auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+	allow httpd_t self:process setrlimit;
+	allow httpd_t self:capability sys_resource;
+')
 
-		logging_send_audit_msgs(httpd_t)
-	')
+tunable_policy(`httpd_anon_write',`
+	miscfiles_manage_public_files(httpd_t)
 ')
 
-ifdef(`hide_broken_symptoms',`
-	libs_exec_lib_files(httpd_t)
+tunable_policy(`httpd_dontaudit_search_dirs',`
+    files_dontaudit_search_non_security_dirs(httpd_t)
 ')
 
-tunable_policy(`allow_httpd_anon_write',`
-	miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+	auth_domtrans_chkpwd(httpd_t)
+	logging_send_audit_msgs(httpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+		samba_domtrans_winbind_helper(httpd_t)
+	')
 ')
 
 tunable_policy(`httpd_can_network_connect',`
-	corenet_sendrecv_all_client_packets(httpd_t)
 	corenet_tcp_connect_all_ports(httpd_t)
-	corenet_tcp_sendrecv_all_ports(httpd_t)
 ')
 
 tunable_policy(`httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_t)
 	corenet_tcp_connect_gds_db_port(httpd_t)
-	corenet_tcp_sendrecv_gds_db_port(httpd_t)
-	corenet_sendrecv_mssql_client_packets(httpd_t)
 	corenet_tcp_connect_mssql_port(httpd_t)
-	corenet_tcp_sendrecv_mssql_port(httpd_t)
-	corenet_sendrecv_oracledb_client_packets(httpd_t)
-	corenet_tcp_connect_oracledb_port(httpd_t)
-	corenet_tcp_sendrecv_oracledb_port(httpd_t)
+	corenet_tcp_connect_mongod_port(httpd_t)
+	corenet_sendrecv_mssql_client_packets(httpd_t)
+	corenet_tcp_connect_oracle_port(httpd_t)
+	corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+	corenet_tcp_connect_memcache_port(httpd_t)
 ')
 
 tunable_policy(`httpd_can_network_relay',`
-	corenet_sendrecv_gopher_client_packets(httpd_t)
+	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
-	corenet_tcp_sendrecv_gopher_port(httpd_t)
-	corenet_sendrecv_ftp_client_packets(httpd_t)
 	corenet_tcp_connect_ftp_port(httpd_t)
-	corenet_tcp_sendrecv_ftp_port(httpd_t)
-	corenet_sendrecv_http_client_packets(httpd_t)
 	corenet_tcp_connect_http_port(httpd_t)
-	corenet_tcp_sendrecv_http_port(httpd_t)
-	corenet_sendrecv_http_cache_client_packets(httpd_t)
 	corenet_tcp_connect_http_cache_port(httpd_t)
-	corenet_tcp_sendrecv_http_cache_port(httpd_t)
-	corenet_sendrecv_squid_client_packets(httpd_t)
 	corenet_tcp_connect_squid_port(httpd_t)
-	corenet_tcp_sendrecv_squid_port(httpd_t)
+	corenet_tcp_connect_memcache_port(httpd_t)
+	corenet_sendrecv_gopher_client_packets(httpd_t)
+	corenet_sendrecv_ftp_client_packets(httpd_t)
+	corenet_sendrecv_http_client_packets(httpd_t)
+	corenet_sendrecv_http_cache_client_packets(httpd_t)
+	corenet_sendrecv_squid_client_packets(httpd_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 ')
 
-tunable_policy(`httpd_builtin_scripting',`
-	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+tunable_policy(`httpd_execmem',`
+	allow httpd_t self:process { execmem execstack };
+	allow httpd_sys_script_t self:process { execmem execstack };
+	allow httpd_suexec_t self:process { execmem execstack };
+')
 
-	allow httpd_t httpdcontent:dir list_dir_perms;
-	allow httpd_t httpdcontent:file read_file_perms;
-	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+	filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+	can_exec(httpd_sys_script_t, httpd_sys_content_t)
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-	allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
-	allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+tunable_policy(`httpd_sys_script_anon_write',`
+	miscfiles_manage_public_files(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
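Review bot: L6275 makes files that `httpd_sys_script_t` creates in /tmp land as `httpd_sys_rw_content_t`, while the five `manage_*_pattern` rules directly above it (L6270–6274) only let the script manage `httpd_tmp_t`, so a script cannot later unlink or rename what it just created; the filetrans target should almost certainly be `httpd_tmp_t`, matching the `httpd_tmp_exec && httpd_enable_cgi` rule later in this diff. Independently, `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` (L6194–6195), `application_exec_all` (L6240), `files_exec_usr_files` (L6252) and `files_search_all` (L6255) are granted to httpd_t unconditionally, outside any boolean, and each widens the baseline of a network-facing domain — every one needs a why-comment, and the exec ones arguably a tunable. The `httpd_execmem` block now also grants execmem/execstack to `httpd_sys_script_t` and `httpd_suexec_t` (L6390–6391), which should be reflected in that boolean's description.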
@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
 ')
 
-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-#	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-# ')
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+	manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+	manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+	manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
-	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_can_connect_ftp',`
+	corenet_tcp_connect_ftp_port(httpd_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_ldap',`
+	corenet_tcp_connect_ldap_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_mythtv',`
+	corenet_tcp_connect_mythtv_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_zabbix',`
+	corenet_tcp_connect_zabbix_port(httpd_t)
 ')
 
 tunable_policy(`httpd_enable_ftp_server',`
-	corenet_sendrecv_ftp_server_packets(httpd_t)
 	corenet_tcp_bind_ftp_port(httpd_t)
-	corenet_tcp_sendrecv_ftp_port(httpd_t)
+	corenet_tcp_bind_all_ephemeral_ports(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+	can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+	can_exec(httpd_sys_script_t, httpd_tmp_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
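Review bot: L6460–6461 drop the `httpd_enable_homedirs` rule that gave httpd_t `userdom_search_user_home_dirs`, but the `httpd_enable_homedirs && use_nfs_home_dirs` and `&& use_samba_home_dirs` rules that remain still assume the server can reach home directories; unless search access is now granted elsewhere (not visible here), UserDir serving of local home directories breaks. `httpd_enable_ftp_server` now binds all ephemeral ports (L6457) and `httpd_can_connect_ftp` connects to all of them (L6438); both are broad for a single protocol and should carry a comment such as `# FTP data connections use ephemeral ports (passive/active mode)` so the next reader does not tighten them away.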
@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_t)
+tunable_policy(`httpd_use_nfs',`
+	fs_list_auto_mountpoints(httpd_t)
+	fs_manage_nfs_dirs(httpd_t)
+	fs_manage_nfs_files(httpd_t)
+	fs_manage_nfs_symlinks(httpd_t)
+')
+
+
+optional_policy(`
+    tunable_policy(`httpd_use_nfs',`
+	    automount_search_tmp_dirs(httpd_t)
+    ')
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_list_auto_mountpoints(httpd_t)
 	fs_read_cifs_files(httpd_t)
 	fs_read_cifs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_t)
+tunable_policy(`httpd_can_sendmail',`
+	# allow httpd to connect to mail servers
+	corenet_tcp_connect_smtp_port(httpd_t)
+	corenet_sendrecv_smtp_client_packets(httpd_t)
+	corenet_tcp_connect_pop_port(httpd_t)
+	corenet_sendrecv_pop_client_packets(httpd_t)
 ')
 
-tunable_policy(`httpd_execmem',`
-	allow httpd_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_t)
-	corenet_tcp_connect_smtp_port(httpd_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_t)
-	corenet_sendrecv_pop_client_packets(httpd_t)
-	corenet_tcp_connect_pop_port(httpd_t)
-	corenet_tcp_sendrecv_pop_port(httpd_t)
-
-	mta_send_mail(httpd_t)
-	mta_signal_system_mail(httpd_t)
+optional_policy(`
+    tunable_policy(`httpd_can_sendmail',`
+	    mta_send_mail(httpd_t)
+	    mta_signal_system_mail(httpd_t)
+    ')
 ')
 
 optional_policy(`
-	tunable_policy(`httpd_can_network_connect_zabbix',`
-		zabbix_tcp_connect(httpd_t)
-	')
-')
-
-optional_policy(`
-	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-		spamassassin_domtrans_client(httpd_t)
-	')
+    tunable_policy(`httpd_can_sendmail',`
+    postfix_rw_spool_maildrop_files(httpd_t)
+    ')
 ')
 
-tunable_policy(`httpd_graceful_shutdown',`
-	corenet_sendrecv_http_client_packets(httpd_t)
-	corenet_tcp_connect_http_port(httpd_t)
-	corenet_tcp_sendrecv_http_port(httpd_t)
-')
-
-optional_policy(`
-	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-		gpg_spec_domtrans(httpd_t, httpd_gpg_t)
-	')
-')
-
-optional_policy(`
-	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
-		samba_domtrans_winbind_helper(httpd_t)
-	')
+tunable_policy(`httpd_use_cifs',`
+	fs_manage_cifs_dirs(httpd_t)
+	fs_manage_cifs_files(httpd_t)
+	fs_manage_cifs_symlinks(httpd_t)
 ')
 
-tunable_policy(`httpd_read_user_content',`
-	userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
+	fs_manage_fusefs_dirs(httpd_t)
+	fs_manage_fusefs_files(httpd_t)
+	fs_manage_fusefs_symlinks(httpd_t)
 ')
 
 tunable_policy(`httpd_setrlimit',`
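Review bot: Indentation in the new `optional_policy` blocks at L6485–6489, L6521–6526 and L6538–6540 mixes spaces and tabs, and `postfix_rw_spool_maildrop_files(httpd_t)` on L6539 sits at the same level as its enclosing `tunable_policy` instead of one level deeper; the file otherwise uses one tab per nesting level. Separately, `httpd_use_fusefs` now grants `fs_manage_fusefs_symlinks` (L6570) where the removed block only allowed `fs_read_fusefs_symlinks`, and `fs_list_auto_mountpoints` is dropped from the cifs and fusefs blocks; if those are intentional they change what the booleans do and belong in the commit message.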
@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',`
 
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+	allow httpd_sys_script_t httpd_t:fd use;
+	allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+	allow httpd_sys_script_t httpd_t:process sigchld;
 ')
 
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
-	can_exec(httpd_t, httpd_tmp_t)
-')
-
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_t)
+	userdom_use_inherited_user_terminals(httpd_t)
+	userdom_use_inherited_user_terminals(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_cifs_dirs(httpd_t)
-	fs_manage_cifs_files(httpd_t)
-	fs_manage_cifs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_t)
-')
+optional_policy(`
+	cobbler_list_config(httpd_t)
+	cobbler_read_config(httpd_t)
 
-tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_fusefs_dirs(httpd_t)
-	fs_manage_fusefs_files(httpd_t)
-	fs_read_fusefs_symlinks(httpd_t)
-')
+    tunable_policy(`httpd_serve_cobbler_files',`
+        cobbler_manage_lib_files(httpd_t)
+',`
+	    cobbler_read_lib_files(httpd_t)
+	    cobbler_search_lib(httpd_t)
+    ')
 
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_t)
+    tunable_policy(`httpd_can_network_connect_cobbler',`
+        corenet_tcp_connect_cobbler_port(httpd_t)
+    ')
 ')
 
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_t)
-	fs_manage_nfs_dirs(httpd_t)
-	fs_manage_nfs_files(httpd_t)
-	fs_manage_nfs_symlinks(httpd_t)
+optional_policy(`
+    tunable_policy(`httpd_use_sasl',`
+        sasl_connect(httpd_t)
+    ')
 ')
 
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_t)
+optional_policy(`
+	# Support for ABRT retrace server
+	# mod_wsgi
+	abrt_manage_spool_retrace(httpd_t)
+	abrt_domtrans_retrace_worker(httpd_t)
+	abrt_read_config(httpd_t)
 ')
 
 optional_policy(`
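Review bot: The comment at L6587–6590 says terminal access is dontaudited when `httpd_tty_comm` is off, but the new body (L6591–6597) drops the else-branch that did that (`userdom_dontaudit_use_user_terminals`), so the comment no longer matches the code. Either restore the else-branch or reword the comment to `# When httpd_tty_comm is on, httpd_t and httpd_suexec_t may use the terminal inherited from the admin's session; otherwise the attempt is audited`. The cobbler block at L6609–6631 also mixes tab and space indentation and its else-branch `',\`` on L6621 is flush-left, which hides the nesting.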
@@ -749,24 +919,32 @@ optional_policy(`
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(httpd_t)
+	cron_system_entry(httpd_t, httpd_exec_t)
 ')
 
 optional_policy(`
-	cobbler_read_config(httpd_t)
-	cobbler_read_lib_files(httpd_t)
+	cvs_read_data(httpd_t)
 ')
 
 optional_policy(`
-	cron_system_entry(httpd_t, httpd_exec_t)
+	daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
 
 optional_policy(`
-	cvs_read_data(httpd_t)
+	#needed by FreeIPA 
+	dirsrv_stream_connect(httpd_t)
 ')
 
 optional_policy(`
-	daemontools_service_domain(httpd_t, httpd_exec_t)
+	dirsrv_manage_config(httpd_t)
+	dirsrv_manage_log(httpd_t)
+	dirsrv_manage_var_run(httpd_t)
+	dirsrv_read_share(httpd_t)
+	dirsrv_signal(httpd_t)
+	dirsrv_signull(httpd_t)
+	dirsrvadmin_manage_config(httpd_t)
+	dirsrvadmin_manage_tmp(httpd_t)
+	dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
 ')
 
 optional_policy(`
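Review bot: `dirsrvadmin_domtrans_unconfined_script_t(httpd_t)` on L6690, together with the `dirsrv_manage_config`/`_log`/`_var_run` and `dirsrvadmin_manage_config` rules above it, is granted whenever the dirsrv module is merely loaded, so any httpd host that has 389-ds policy present lets the web server enter an unconfined domain and rewrite the directory server's configuration. This file already gates FreeIPA-driven access behind `httpd_manage_ipa`/`httpd_run_ipa`; the manage and domtrans calls should be wrapped the same way, with a comment naming the consumer, while reading (`dirsrv_read_share`) and signalling can stay unconditional. The FreeIPA attribution is inferred from the `#needed by FreeIPA` comment on L6676, so please confirm it applies to this block too.
```selinux
optional_policy(`
	# needed by FreeIPA / 389-ds admin front-end — confirm consumer
	dirsrv_read_share(httpd_t)
	dirsrv_signal(httpd_t)
	dirsrv_signull(httpd_t)

	tunable_policy(`httpd_manage_ipa',`
		dirsrv_manage_config(httpd_t)
		dirsrv_manage_log(httpd_t)
		dirsrv_manage_var_run(httpd_t)
		dirsrvadmin_manage_config(httpd_t)
		dirsrvadmin_manage_tmp(httpd_t)
		dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
	')
')
```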
@@ -775,6 +953,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
+
+    tunable_policy(`httpd_dbus_sssd',
+        sssd_dbus_chat(httpd_t)
+    ')
 ')
 
 optional_policy(`
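Review bot: L6699 is missing the opening m4 quote for the tunable body: `tunable_policy(\`httpd_dbus_sssd',` is followed by an unquoted `sssd_dbus_chat(httpd_t)` and then a stray close-quote on L6701, so the quotes are unbalanced and the module will not build. The line must end with `',` followed by a backquote, exactly as the avahi block on L6695 does, and the block should use tab indentation like its sibling instead of four spaces.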
@@ -786,35 +968,60 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_manage_host_rcache(httpd_t)
-	kerberos_read_keytab(httpd_t)
-	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
-	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
-	kerberos_use(httpd_t)
+	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+		gpg_domtrans_web(httpd_t)
+	')
 ')
 
 optional_policy(`
-	ldap_stream_connect(httpd_t)
+	gssproxy_stream_connect(httpd_t)
+')
 
-	tunable_policy(`httpd_can_network_connect_ldap',`
-		ldap_tcp_connect(httpd_t)
-	')
+optional_policy(`
+    ipa_search_lib(httpd_t)
+')
+
+optional_policy(`
+	mirrormanager_manage_pid_files(httpd_t)
+    mirrormanager_manage_pid_sock_files(httpd_t)
+	mirrormanager_read_lib_files(httpd_t)
+	mirrormanager_read_log(httpd_t)
+')
+
+optional_policy(`
+	jetty_admin(httpd_t)
+')
+
+optional_policy(`
+    kerberos_manage_host_rcache(httpd_t)
+    kerberos_read_keytab(httpd_t)
+    kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+    kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
+    kerberos_use(httpd_t)
+')
+
+optional_policy(`
+	# needed by FreeIPA
+	ldap_stream_connect(httpd_t)
+	ldap_read_certs(httpd_t)
 ')
 
 optional_policy(`
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
 	mailman_read_data_files(httpd_t)
+	# should have separate types for public and private archives
 	mailman_search_data(httpd_t)
 	mailman_read_archive(httpd_t)
 ')
 
 optional_policy(`
-	memcached_stream_connect(httpd_t)
+	mediawiki_read_tmp_files(httpd_t)
+	mediawiki_delete_tmp_files(httpd_t)
+')
 
-	tunable_policy(`httpd_can_network_connect_memcache',`
-		memcached_tcp_connect(httpd_t)
-	')
+optional_policy(`
+	memcached_stream_connect(httpd_t)
 
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
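Review bot: `kerberos_tmp_filetrans_host_rcache` is now called with two arguments (L6745–6746) where the removed lines passed three (`httpd_t, file, "HTTP_23"`); that only builds if the interface in this tree's kerberos.if was changed to match, which is not visible here, so please confirm. Stylistically the hunk mixes indentation again — L6733 and the kerberos block use spaces while their neighbours use tabs — and `mirrormanager_manage_pid_sock_files` should align with the line above it. The `# needed by FreeIPA` comment on L6751 is the kind of why-comment the other new blocks (`gssproxy_stream_connect`, `ipa_search_lib`, `jetty_admin`) would benefit from as well, since each adds a new trust relationship for httpd_t.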
@@ -822,8 +1029,30 @@ optional_policy(`
 ')
 
 optional_policy(`
+    tunable_policy(`httpd_run_ipa',`
+        oddjob_dbus_chat(httpd_t)
+    ')
+')
+
+optional_policy(`
+    tunable_policy(`httpd_run_ipa',`
+        ipa_domtrans_helper(httpd_t)
+    ')
+')
+
+optional_policy(`
+	munin_read_config(httpd_t)
+')
+
+optional_policy(`
+	# Allow httpd to work with mysql
 	mysql_read_config(httpd_t)
 	mysql_stream_connect(httpd_t)
+	mysql_rw_db_sockets(httpd_t)
+
+	optional_policy(`
+		postgresql_stream_connect(httpd_t)
+	')
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
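Review bot: The nested `optional_policy` holding `postgresql_stream_connect(httpd_t)` at L6804–6806 lives inside the mysql block, so it only applies when the mysql module is also loaded, and it duplicates the standalone postgresql block this diff adds further down; drop the nested copy. The two `httpd_run_ipa` tunables at L6783–6792 are correctly in separate `optional_policy` blocks (oddjob and ipa are different modules), but a one-line comment such as `# FreeIPA: httpd drives oddjob and the ipa helper` would explain why the same boolean appears twice in a row.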
@@ -832,6 +1061,8 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
+    nagios_read_lib(httpd_t)
+	nagios_read_log(httpd_t)
 ')
 
 optional_policy(`
@@ -842,20 +1073,44 @@ optional_policy(`
 ')
 
 optional_policy(`
+	openshift_search_lib(httpd_t)
+	openshift_initrc_signull(httpd_t)
+	openshift_initrc_signal(httpd_t)
+')
+
+optional_policy(`
+	passenger_exec(httpd_t)
+	passenger_kill(httpd_t)
+	passenger_manage_pid_content(httpd_t)
+')
+
+optional_policy(`
 	pcscd_read_pid_files(httpd_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(httpd_t)
-	postgresql_unpriv_client(httpd_t)
+        pkcs11proxyd_stream_connect(httpd_t)
+')
 
-	tunable_policy(`httpd_can_network_connect_db',`
-		postgresql_tcp_connect(httpd_t)
-	')
+optional_policy(`
+	pki_apache_domain_signal(httpd_t)
+	pki_manage_apache_config_files(httpd_t)
+	pki_manage_apache_lib(httpd_t)
+	pki_manage_apache_log_files(httpd_t)
+	pki_manage_apache_run(httpd_t)
+	pki_read_tomcat_cert(httpd_t)
+')
+
+optional_policy(`
+	puppet_read_lib(httpd_t)
+')
+
+optional_policy(`
+	pwauth_domtrans(httpd_t)
 ')
 
 optional_policy(`
-	puppet_read_lib_files(httpd_t)
+	rpm_dontaudit_read_db(httpd_t)
 ')
 
 optional_policy(`
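Review bot: L6841 is indented with eight spaces while every other rule in this hunk uses a single tab; fix the indentation. The new pki block (L6848–6853) lets httpd_t manage the pki-apache config, lib, log and run content; the config-manage in particular means a compromised httpd could rewrite the PKI web front-end's configuration, so a comment naming which component needs write access — and a boolean if it is only for one deployment type — would be appropriate. `passenger_exec`/`passenger_kill` on L6829–6830 also sit alongside a separate `passenger_domtrans` path added later in this diff; please confirm both exec-without-transition and domtrans are really needed.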
@@ -863,16 +1118,31 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# Allow httpd to work with postgresql
+	postgresql_stream_connect(httpd_t)
+	postgresql_unpriv_client(httpd_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_t)
+	')
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(httpd_t)
 ')
 
 optional_policy(`
 	smokeping_read_lib_files(httpd_t)
+    smokeping_read_pid_files(httpd_t)
 ')
 
 optional_policy(`
-	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
-	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+	files_dontaudit_rw_usr_dirs(httpd_t)
+    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
+')
+
+optional_policy(`
+    thin_stream_connect(httpd_t)
 ')
 
 optional_policy(`
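Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` on L6895 has nothing to do with snmp but is placed inside the snmp `optional_policy` block, so it only takes effect when the snmp module is loaded; move it to the main httpd_t rules next to the other `files_dontaudit_*` calls, or, if it really is a symptom of net-snmp writing under /usr, add a comment saying so. The moved postgresql block (L6873–6881) now carries a `# Allow httpd to work with postgresql` comment, which is good; the smokeping and thin additions (L6889, L6900) again use space indentation where the file uses tabs.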
@@ -883,65 +1153,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
+optional_policy(`
+	zarafa_manage_lib_files(httpd_t)
+	zarafa_stream_connect_server(httpd_t)
+	zarafa_search_config(httpd_t)
+')
+
+optional_policy(`
+    zoneminder_append_log(httpd_t)
+    zoneminder_manage_lib_dirs(httpd_t)
+    zoneminder_manage_lib_files(httpd_t)
+    zoneminder_stream_connect(httpd_t)
+    zoneminder_exec(httpd_t)
+')
+
 ########################################
 #
-# Helper local policy
+# Apache helper local policy
 #
 
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
 
-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+allow httpd_helper_t httpd_config_t:file read_file_perms;
 
-files_search_etc(httpd_helper_t)
+allow httpd_helper_t httpd_log_t:file append_file_perms;
 
-logging_search_logs(httpd_helper_t)
 logging_send_syslog_msg(httpd_helper_t)
 
+tunable_policy(`httpd_verify_dns',`
+	corenet_udp_bind_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_run_stickshift', `
+	allow httpd_t self:capability { fowner fsetid sys_resource };
+	dontaudit httpd_t self:capability sys_ptrace;
+	allow httpd_t self:process setexec;
+
+	files_dontaudit_getattr_all_files(httpd_t)
+	domain_getpgid_all_domains(httpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`httpd_run_stickshift', `
+		passenger_manage_lib_files(httpd_t)
+		passenger_getattr_log_files(httpd_t)
+	',`
+		passenger_domtrans(httpd_t)
+		passenger_read_lib_files(httpd_t)
+		passenger_stream_connect(httpd_t)
+		passenger_manage_tmp_files(httpd_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`httpd_run_stickshift', `
+		oddjob_dbus_chat(httpd_t)
+	')
+')
+
+optional_policy(`
+    tunable_policy(`httpd_run_preupgrade', `
+        anaconda_manage_lib_files_preupgrade(httpd_t)
+        anaconda_domtrans_preupgrade(httpd_t)
+    ',`
+        anaconda_read_lib_files_preupgrade(httpd_t)
+        anaconda_exec_preupgrade(httpd_t)
+    ')
+')
+
+optional_policy(`
+    tunable_policy(`httpd_run_preupgrade', `
+        corenet_tcp_bind_preupgrade_port(httpd_t)
+    ')
+') 
+
 tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_helper_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_helper_t)
+	userdom_use_inherited_user_terminals(httpd_helper_t)
 ')
 
 ########################################
 #
-# Suexec local policy
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_gds_db_port(httpd_php_t)
+	corenet_tcp_connect_mssql_port(httpd_php_t)
+	corenet_sendrecv_mssql_client_packets(httpd_php_t)
+	corenet_tcp_connect_oracle_port(httpd_php_t)
+	corenet_sendrecv_oracle_client_packets(httpd_php_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(httpd_php_t)
+	mysql_rw_db_sockets(httpd_php_t)
+	mysql_read_config(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_php_t)
+	')
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_php_t)
+	postgresql_unpriv_client(httpd_php_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_php_t)
+	')
+')
+
+########################################
+#
+# Apache suexec local policy
 #
 
 allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
-allow httpd_suexec_t self:tcp_socket { accept listen };
-allow httpd_suexec_t self:unix_stream_socket { accept listen };
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
 
 manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
 
-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-corenet_all_recvfrom_netlabel(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
-
 dev_read_urand(httpd_suexec_t)
 
 fs_read_iso9660_files(httpd_suexec_t)
 fs_search_auto_mountpoints(httpd_suexec_t)
 
-files_read_usr_files(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
@@ -950,123 +1344,75 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
-miscfiles_read_localization(httpd_suexec_t)
 miscfiles_read_public_files(httpd_suexec_t)
 
-tunable_policy(`httpd_builtin_scripting',`
-	exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
-
-	allow httpd_suexec_t httpdcontent:dir list_dir_perms;
-	allow httpd_suexec_t httpdcontent:file read_file_perms;
-	allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
-')
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
 
 tunable_policy(`httpd_can_network_connect',`
+	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+	corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
 	corenet_tcp_connect_all_ports(httpd_suexec_t)
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
-	corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
 	corenet_tcp_connect_gds_db_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
-	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 	corenet_tcp_connect_mssql_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
-	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+	corenet_tcp_connect_oracle_port(httpd_suexec_t)
+	corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
 ')
 
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
 tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_smtp_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
-	corenet_sendrecv_pop_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_pop_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
 	mta_send_mail(httpd_suexec_t)
-	mta_signal_system_mail(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_sys_script_t httpdcontent:file entrypoint;
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_read_cifs_files(httpd_suexec_t)
-	fs_read_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_suexec_t)
+	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
+        fs_list_auto_mountpoints(httpd_suexec_t)
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_execmem',`
-	allow httpd_suexec_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_tmp_exec',`
-	can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
-')
-
-tunable_policy(`httpd_tty_comm',`
-	userdom_use_user_terminals(httpd_suexec_t)
-',`
-	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_cifs_dirs(httpd_suexec_t)
-	fs_manage_cifs_files(httpd_suexec_t)
-	fs_manage_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_suexec_t)
+	fs_read_cifs_symlinks(httpd_suexec_t)
 	fs_exec_cifs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_fusefs_dirs(httpd_suexec_t)
-	fs_manage_fusefs_files(httpd_suexec_t)
-	fs_read_fusefs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_suexec_t)
-	fs_manage_nfs_dirs(httpd_suexec_t)
-	fs_manage_nfs_files(httpd_suexec_t)
-	fs_manage_nfs_symlinks(httpd_suexec_t)
+optional_policy(`
+    	apache_rw_stream_sockets(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_suexec_t)
+optional_policy(`
+	mailman_domtrans_cgi(httpd_suexec_t)
 ')
 
 optional_policy(`
-	mailman_domtrans_cgi(httpd_suexec_t)
+	mta_stub(httpd_suexec_t)
 ')
 
 optional_policy(`
 	mysql_stream_connect(httpd_suexec_t)
+	mysql_rw_db_sockets(httpd_suexec_t)
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
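Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` makes every file labelled httpd_sys_content_t, the type for static web content, an entrypoint into the system-script domain, unconditionally and from inside the suexec section, whereas the `entrypoint` on httpdcontent added a few lines below is gated on `httpd_enable_cgi && httpd_unified`. If the unconditional entrypoint is required, a comment above it explaining why it is not behind the same tunable (and moving it next to the other httpd_sys_script_t entry rules) would make the intent reviewable; otherwise it reads as if it should live inside that tunable block. The rewritten `httpd_enable_homedirs && use_nfs_home_dirs` and `use_samba_home_dirs` blocks now grant `fs_exec_nfs_files`/`fs_exec_cifs_files` to httpd_suexec_t without the former `httpd_builtin_scripting` condition; the tunable description for httpd_enable_homedirs (outside this hunk) should say that enabling it now allows executing scripts from NFS/CIFS home directories.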
@@ -1083,172 +1429,107 @@ optional_policy(`
 	')
 ')
 
-tunable_policy(`httpd_read_user_content',`
-	userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_suexec_t)
-')
-
 ########################################
 #
-# Common script local policy
+# Apache system script local policy
 #
 
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+allow httpd_sys_script_t self:process getsched;
 
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
-dev_read_rand(httpd_script_domains)
-dev_read_urand(httpd_script_domains)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 
-files_exec_etc_files(httpd_script_domains)
-files_read_etc_files(httpd_script_domains)
-files_search_home(httpd_script_domains)
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
 
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
 
-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
 
-miscfiles_read_fonts(httpd_script_domains)
-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
 
-seutil_dontaudit_search_config(httpd_script_domains)
+logging_send_syslog_msg(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
 
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
-	allow httpd_script_domains httpdcontent:file entrypoint;
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
 
-	manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-	manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
-	manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+auth_use_nsswitch(httpd_sys_script_t)
 
-	can_exec(httpd_script_domains, httpdcontent)
+ifdef(`distro_redhat',`
+	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
 
-tunable_policy(`httpd_enable_cgi',`
-	allow httpd_script_domains self:process { setsched signal_perms };
-	allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
-
-	kernel_read_system_state(httpd_script_domains)
-
-	fs_getattr_all_fs(httpd_script_domains)
-
-	files_read_etc_runtime_files(httpd_script_domains)
-	files_read_usr_files(httpd_script_domains)
-
-	libs_read_lib_files(httpd_script_domains)
-
-	miscfiles_read_localization(httpd_script_domains)
+tunable_policy(`httpd_can_sendmail',`
+	mta_send_mail(httpd_sys_script_t)
 ')
 
 optional_policy(`
-	tunable_policy(`httpd_enable_cgi && allow_ypbind',`
-		nis_use_ypbind_uncond(httpd_script_domains)
+	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+		spamassassin_domtrans_client(httpd_t)
 	')
 ')
 
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-	corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
-	corenet_tcp_connect_gds_db_port(httpd_script_domains)
-	corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
-	corenet_sendrecv_mssql_client_packets(httpd_script_domains)
-	corenet_tcp_connect_mssql_port(httpd_script_domains)
-	corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
-	corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
-	corenet_tcp_connect_oracledb_port(httpd_script_domains)
-	corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
-')
-
-optional_policy(`
-	mysql_read_config(httpd_script_domains)
-	mysql_stream_connect(httpd_script_domains)
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		mysql_tcp_connect(httpd_script_domains)
-	')
+tunable_policy(`httpd_can_network_connect_db',`
+	corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+	corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
 ')
 
-optional_policy(`
-	postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
 
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		postgresql_tcp_connect(httpd_script_domains)
-	')
-')
+tunable_policy(`httpd_use_nfs',`
+        fs_list_auto_mountpoints(httpd_sys_script_t)
+	fs_manage_nfs_dirs(httpd_sys_script_t)
+	fs_manage_nfs_files(httpd_sys_script_t)
+	fs_manage_nfs_symlinks(httpd_sys_script_t)
+	fs_exec_nfs_files(httpd_sys_script_t)
 
-optional_policy(`
-	nscd_use(httpd_script_domains)
+        fs_list_auto_mountpoints(httpd_suexec_t)
+	fs_manage_nfs_dirs(httpd_suexec_t)
+	fs_manage_nfs_files(httpd_suexec_t)
+	fs_manage_nfs_symlinks(httpd_suexec_t)
+	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
-########################################
-#
-# System script local policy
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
-
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-
-tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
-	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_pop_port(httpd_sys_script_t)
-	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
-	mta_send_mail(httpd_sys_script_t)
-	mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+	corenet_tcp_bind_generic_node(httpd_sys_script_t)
+	corenet_udp_bind_generic_node(httpd_sys_script_t)
+	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_tcp_connect_all_ports(httpd_sys_script_t)
+	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_search_user_home_dirs(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
-	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_execmem',`
-	allow httpd_sys_script_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+        fs_list_auto_mountpoints(httpd_sys_script_t)
+	fs_read_nfs_files(httpd_sys_script_t)
+	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_read_user_content',`
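Review bot: `spamassassin_domtrans_client(httpd_t)` is added in the `# Apache system script local policy` section, surrounded by httpd_sys_script_t rules and under a tunable (`httpd_can_sendmail && httpd_can_check_spam`) whose sibling block grants `mta_send_mail(httpd_sys_script_t)`; either the domain should be httpd_sys_script_t or the block belongs with the httpd_t optional_policy rules earlier in the file. The `httpd_enable_cgi && httpd_can_network_connect` block now grants `corenet_tcp_bind_generic_node`/`corenet_udp_bind_generic_node` to httpd_sys_script_t, i.e. the ability to listen, which a tunable named for connecting out does not advertise; a comment naming why CGI scripts must bind (`# <script that needs to bind a socket>`) or a separate tunable would make that reviewable. `# Should we add a boolean?` above `apache_domtrans_rotatelogs(httpd_sys_script_t)` is an open question left in the policy; answer it or turn it into a `# TODO(<owner>):` with the pending decision.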
@@ -1256,64 +1537,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
 	fs_manage_cifs_dirs(httpd_sys_script_t)
 	fs_manage_cifs_files(httpd_sys_script_t)
 	fs_manage_cifs_symlinks(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_sys_script_t)
+	fs_manage_cifs_dirs(httpd_suexec_t)
+	fs_manage_cifs_files(httpd_suexec_t)
+	fs_manage_cifs_symlinks(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_use_fusefs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
 	fs_manage_fusefs_dirs(httpd_sys_script_t)
 	fs_manage_fusefs_files(httpd_sys_script_t)
-	fs_read_fusefs_symlinks(httpd_sys_script_t)
+	fs_manage_fusefs_symlinks(httpd_sys_script_t)
+	fs_manage_fusefs_dirs(httpd_suexec_t)
+	fs_manage_fusefs_files(httpd_suexec_t)
+	fs_manage_fusefs_symlinks(httpd_suexec_t)
+	fs_exec_fusefs_files(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-	fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+	fs_read_cifs_files(httpd_sys_script_t)
+	fs_read_cifs_symlinks(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_use_nfs',`
-	fs_list_auto_mountpoints(httpd_sys_script_t)
-	fs_manage_nfs_dirs(httpd_sys_script_t)
-	fs_manage_nfs_files(httpd_sys_script_t)
-	fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+	clamav_domtrans_clamscan(httpd_sys_script_t)
+	clamav_domtrans_clamscan(httpd_t)
 ')
 
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_sys_script_t)
+optional_policy(`
+	mysql_stream_connect(httpd_sys_script_t)
+	mysql_rw_db_sockets(httpd_sys_script_t)
+	mysql_read_config(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		mysql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(httpd_sys_script_t)
+	postgresql_stream_connect(httpd_sys_script_t)
+	postgresql_unpriv_client(httpd_sys_script_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_sys_script_t)
+	')
 ')
 
 optional_policy(`
-	postgresql_unpriv_client(httpd_sys_script_t)
+    snmp_read_snmp_var_lib_files(httpd_sys_script_t)
 ')
 
 ########################################
 #
-# Rotatelogs local policy
+# httpd_rotatelogs local policy
 #
 
 allow httpd_rotatelogs_t self:capability dac_override;
 
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
 kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
 
-files_read_etc_files(httpd_rotatelogs_t)
 
 logging_search_logs(httpd_rotatelogs_t)
 
-miscfiles_read_localization(httpd_rotatelogs_t)
 
 ########################################
 #
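Review bot: Deleting `files_read_etc_files(httpd_rotatelogs_t)` and `miscfiles_read_localization(httpd_rotatelogs_t)` leaves a doubled blank line on each side of `logging_search_logs(httpd_rotatelogs_t)`; remove the extra blanks so the section keeps one blank line between rule groups. `clamav_domtrans_clamscan(httpd_t)` is added inside the system-script section next to the httpd_sys_script_t rule of the same name; it would be easier to find with the other httpd_t optional_policy blocks.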
@@ -1321,8 +1612,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
-	apache_content_template(unconfined)
+	type httpd_unconfined_script_t;
+	type httpd_unconfined_script_exec_t;
+	domain_type(httpd_unconfined_script_t)
+	domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 	unconfined_domain(httpd_unconfined_script_t)
+
+	role system_r types httpd_unconfined_script_t;
+	allow httpd_t httpd_unconfined_script_t:process signal_perms;
 ')
 
 ########################################
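Review bot: `type httpd_unconfined_script_t;` and `type httpd_unconfined_script_exec_t;` are now declared inside an optional_policy block, so the types exist only when the module providing `unconfined_domain` is loaded; any file context entry or other module that requires httpd_unconfined_script_exec_t would then fail to load on a system without that module, which I cannot verify from this hunk. If that is intended, add `# these types exist only when the unconfined module is present` above the declarations; otherwise declare the two types and the `domain_type`/`domain_entry_file`/`domtrans_pattern` lines unconditionally with the other script types and keep only `unconfined_domain`, the role line and the signal rule inside the optional block. A one-line comment on what distinguishes this domain from httpd_sys_script_t would also help.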
@@ -1330,49 +1628,40 @@ optional_policy(`
 # User content local policy
 #
 
-tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_user_script_t)
-')
+auth_use_nsswitch(httpd_user_script_t)
 
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-	fs_list_auto_mountpoints(httpd_user_script_t)
-	fs_read_cifs_files(httpd_user_script_t)
-	fs_read_cifs_symlinks(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_user_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_user_script_t httpdcontent:file entrypoint;
+	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+	manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+	manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-	fs_list_auto_mountpoints(httpd_user_script_t)
-	fs_read_nfs_files(httpd_user_script_t)
-	fs_read_nfs_symlinks(httpd_user_script_t)
-')
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+	userdom_search_user_home_content(httpd_t)
+	userdom_search_user_home_content(httpd_suexec_t)
+	userdom_search_user_home_content(httpd_user_script_t)
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
-	fs_exec_nfs_files(httpd_user_script_t)
+	read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type)
 ')
 
 tunable_policy(`httpd_read_user_content',`
+	userdom_read_user_home_content_files(httpd_t)
+	userdom_read_user_home_content_files(httpd_suexec_t)
 	userdom_read_user_home_content_files(httpd_user_script_t)
 ')
 
-optional_policy(`
-	postgresql_unpriv_client(httpd_user_script_t)
-')
-
 ########################################
 #
-# Passwd local policy
+# httpd_passwd local policy
 #
 
 allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
 allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
 
-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
-
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
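Review bot: Under `httpd_enable_cgi && httpd_unified` httpd_user_script_t is given `entrypoint` on the whole httpdcontent attribute while its manage rules in the same block cover only httpd_user_content_t and httpd_user_ra_content_t, so the entrypoint is wider than the content the domain is scoped to; if user scripts should only be entered through user content, `allow httpd_user_script_t httpd_user_content_type:file entrypoint;` uses the attribute already referenced by `read_files_pattern(httpd_t, httpd_user_content_type, ...)` below. The `manage_*_pattern` grants on httpd_user_ra_content_t — a type whose name suggests read/append — also deserve a comment that unified mode deliberately collapses the rw/ra distinction. The removed `use_nfs_home_dirs`/`use_samba_home_dirs` blocks for httpd_user_script_t are not re-added in this hunk, so user scripts lose read access to NFS/CIFS home content unless it is granted elsewhere; worth confirming.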
@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
+
 auth_use_nsswitch(httpd_passwd_t)
 
-miscfiles_read_generic_certs(httpd_passwd_t)
-miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_certs(httpd_passwd_t)
 
-########################################
-#
-# GPG local policy
-#
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
 
-allow httpd_gpg_t self:process setrlimit;
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
+
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
+
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
+allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
 
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
 
-files_read_usr_files(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
 
-miscfiles_read_localization(httpd_gpg_t)
+fs_getattr_xattr_fs(httpd_script_type)
 
-tunable_policy(`httpd_gpg_anon_write',`
-	miscfiles_manage_public_files(httpd_gpg_t)
+files_read_etc_runtime_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
+	nis_use_ypbind_uncond(httpd_script_type)
 ')
 
 optional_policy(`
-	apache_manage_sys_rw_content(httpd_gpg_t)
+	nscd_socket_use(httpd_script_type)
+')
+
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+tunable_policy(`httpd_builtin_scripting',`
+	allow httpd_t httpd_content_type:dir search_dir_perms;
+	allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+	allow httpd_t httpd_content_type:dir list_dir_perms;
+	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+tunable_policy(`httpd_use_openstack',`
+	corenet_tcp_connect_keystone_port(httpd_sys_script_t)
+	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+	corenet_tcp_connect_glance_port(httpd_sys_script_t)
+	corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+    corenet_tcp_connect_osapi_compute_port(httpd_t)
+    corenet_tcp_bind_commplex_main_port(httpd_t)
 ')
 
 optional_policy(`
-	gpg_entry_type(httpd_gpg_t)
-	gpg_exec(httpd_gpg_t)
+    tunable_policy(`httpd_use_openstack',`
+        keystone_read_log(httpd_t)
+    ')
 ')
+
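Review bot: Everything from `search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)` to the end of the hunk applies to httpd_script_type, httpd_content_type and httpd_t, yet it follows the `# httpd_passwd local policy` banner with no heading of its own; reinstate the `# Common script local policy` banner (removed earlier in this commit) above `search_dirs_pattern(...)`. `read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)` is granted unconditionally immediately before the `httpd_builtin_scripting` block that grants the identical pattern, so the tunable no longer gates read access to content at all (and `search_dir_perms` next to `list_dir_perms` on the same type is redundant); keep one of the two and say which behaviour is intended. `#systemd_passwd_agent_dev_template(httpd)` is commented-out code; delete it or replace it with a comment on why it is disabled. The two `httpd_use_openstack` tunable blocks can be merged into one, and the extra blank line added before `auth_use_nsswitch(httpd_passwd_t)` should go.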
diff --git a/apcupsd.fc b/apcupsd.fc
index 5ec0e13..97c204f 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
@@ -1,18 +1,23 @@
+/etc/apcupsd/powerfail	--	gen_context(system_u:object_r:apcupsd_power_t,s0)
+
 /etc/rc\.d/init\.d/apcupsd	--	gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/apcupsd.*  -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
 /sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /usr/sbin/apcupsd	--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /var/lock/subsys/apcupsd	--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
+/var/lock/LCK..			--	gen_context(system_u:object_r:apcupsd_lock_t,s0)
 
 /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 /var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 
 /var/run/apcupsd\.pid	--	gen_context(system_u:object_r:apcupsd_var_run_t,s0)
 
-/var/www/apcupsd/multimon\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/multimon\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats\.cgi	--	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
+/var/www/cgi-bin/apcgui(/.*)?	gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0)
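Review bot: The new `/var/lock/LCK..` entry leaves both dots unescaped, so the pattern matches `/var/lock/LCK` followed by any two characters rather than the literal `LCK..` name that `apcupsd_filetrans_named_content` creates; write `/var/lock/LCK\.\.  --  gen_context(system_u:object_r:apcupsd_lock_t,s0)`. A bare `LCK..` in /var/lock looks like the UUCP-style serial-port lock prefix (normally `LCK..<device>`); a comment on which apcupsd code path creates a file with exactly that name would help the next reader.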
diff --git a/apcupsd.if b/apcupsd.if
index f3c0aba..f6e25ed 100644
--- a/apcupsd.if
+++ b/apcupsd.if
@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',`
 ########################################
 ## <summary>
 ##	Execute a domain transition to
-##	run httpd_apcupsd_cgi_script.
+##	run apcupsd_cgi_script.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',`
 #
 interface(`apcupsd_cgi_script_domtrans',`
 	gen_require(`
-		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+		type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
 	')
 
 	files_search_var($1)
-	domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
+	domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
 
 	optional_policy(`
 		apache_search_sys_content($1)
@@ -125,6 +125,50 @@ interface(`apcupsd_cgi_script_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute apcupsd server in the apcupsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_systemctl',`
+	gen_require(`
+		type apcupsd_t;
+		type apcupsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 apcupsd_unit_file_t:file read_file_perms;
+	allow $1 apcupsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, apcupsd_t)
+')
+
+########################################
+## <summary>
+##	Create configuration files in /var/lock 
+##	with a named file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_filetrans_named_content',`
+	gen_require(`
+		type apcupsd_lock_t;
+	')
+
+	files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
+	files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an apcupsd environment.
 ## </summary>
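Review bot: The summary of `apcupsd_systemctl` says `Execute apcupsd server in the apcupsd domain`, but the body grants the caller `systemd_exec_systemctl`, `init_reload_services`, read of the unit file, `manage_service_perms` on the unit and `ps_process_pattern` on apcupsd_t — it never transitions anyone into apcupsd_t. The same misleading summary is copied into the apmd, arpwatch, automount and avahi variants in this patch. Suggested summary: `Allow the caller to manage the apcupsd service via systemctl (start/stop/status/reload) and read its unit file.` Likewise `apcupsd_filetrans_named_content` says it creates `configuration files in /var/lock`, while both `files_lock_filetrans` calls create lock files; `Create apcupsd lock files in /var/lock with a named file type transition.` would match the body.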
@@ -144,11 +188,17 @@ interface(`apcupsd_admin',`
 	gen_require(`
 		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
 		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+		type apcupsd_unit_file_t;
+		type apcupsd_power_t;
 	')
 
-	allow $1 apcupsd_t:process { ptrace signal_perms };
+	allow $1 apcupsd_t:process signal_perms;
 	ps_process_pattern($1, apcupsd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 apcupsd_t:process ptrace;
+	')
+
 	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 apcupsd_initrc_exec_t system_r;
@@ -165,4 +215,11 @@ interface(`apcupsd_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, apcupsd_var_run_t)
+
+	apcupsd_systemctl($1)
+	admin_pattern($1, apcupsd_unit_file_t)
+	allow $1 apcupsd_unit_file_t:service all_service_perms;
+
+	manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
+	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
 ')
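Review bot: `files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")` on the last added line names the daemon domain instead of the interface parameter, so it grants nothing to the administrator domain `$1` this interface serves; every other rule in `apcupsd_admin` uses `$1`, and the identical apcupsd_t rule already appears in apcupsd.te in this patch, so here it is a copy-paste slip. It should read `files_etc_filetrans($1, apcupsd_power_t, file, "powerfail")`. The admin will presumably also need `files_search_etc($1)` next to the `manage_files_pattern` on apcupsd_power_t unless callers already have it; worth confirming. The interface body begins outside the hunk.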
diff --git a/apcupsd.te b/apcupsd.te
index 080bc4d..f46078f 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
 type apcupsd_var_run_t;
 files_pid_file(apcupsd_var_run_t)
 
+type apcupsd_power_t;
+files_type(apcupsd_power_t)
+
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
 allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
 files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
 
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
+files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
+
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
 logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
 
 manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
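Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` with `manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)` drops the append-only property on the daemon's own logs: apcupsd_t can now truncate, unlink and rename its `apcupsd.events` records, which is exactly what the narrower rules protected if the daemon were compromised. The file contexts label both `apcupsd\.events.*` and `apcupsd\.status.*` as apcupsd_log_t, so if the driver is that the status file is rewritten in place rather than appended, say so, e.g. `# apcupsd rewrites apcupsd.status in place; append-only is insufficient`, and consider a separate type for the status file so the events log can stay append-only. As written, the reason for the widening is not recorded.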
@@ -50,11 +57,11 @@ manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
 files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
 
 kernel_read_system_state(apcupsd_t)
+kernel_read_network_state(apcupsd_t)
 
 corecmd_exec_bin(apcupsd_t)
 corecmd_exec_shell(apcupsd_t)
 
-corenet_all_recvfrom_unlabeled(apcupsd_t)
 corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
 corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,26 +74,41 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
 corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
 corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
 corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_apc_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
 
 corenet_udp_bind_snmp_port(apcupsd_t)
 corenet_sendrecv_snmp_server_packets(apcupsd_t)
 corenet_udp_sendrecv_snmp_port(apcupsd_t)
 
+corenet_tcp_connect_smtp_port(apcupsd_t)
+
+fs_getattr_xattr_fs(apcupsd_t)
+
+dev_read_sysfs(apcupsd_t)
+dev_read_urand(apcupsd_t)
+
 dev_rw_generic_usb_dev(apcupsd_t)
 
-files_read_etc_files(apcupsd_t)
+domain_signull_all_domains(apcupsd_t)
+
 files_manage_etc_runtime_files(apcupsd_t)
 files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
 
-term_use_unallocated_ttys(apcupsd_t)
+term_use_all_terms(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
 
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+auth_use_nsswitch(apcupsd_t)
 
-miscfiles_read_localization(apcupsd_t)
+logging_send_syslog_msg(apcupsd_t)
 
 sysnet_dns_name_resolve(apcupsd_t)
 
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
 
 optional_policy(`
 	hostname_exec(apcupsd_t)
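Review bot: `corenet_udp_bind_snmp_port(apcupsd_t)` is added at the end of the apcupsd-port group while the same call still appears two lines below in the existing snmp group, so the hunk introduces a duplicate rule; drop the added one. The comment `#apcupsd runs shutdown, probably need a shutdown domain` is also stale, since `shutdown_domtrans(apcupsd_t)` is already present in the optional_policy block just after this hunk; delete it or reword it to explain why `init_telinit` is still needed alongside the shutdown domain. Separately, `term_use_unallocated_ttys` becoming `term_use_all_terms` is a noticeable widening for a daemon whose device access here is a USB/serial link (`term_use_usb_ttys`, `dev_rw_generic_usb_dev`), and deserves a one-line why-comment — presumably the powerfail wall message, but that is a guess.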
@@ -101,6 +123,11 @@ optional_policy(`
 	shutdown_domtrans(apcupsd_t)
 ')
 
+optional_policy(`
+	systemd_start_power_services(apcupsd_t)
+	systemd_status_power_services(apcupsd_t)
+')
+
 ########################################
 #
 # CGI local policy
@@ -108,20 +135,20 @@ optional_policy(`
 
 optional_policy(`
 	apache_content_template(apcupsd_cgi)
-
-	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
-	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
-
-	corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
-	corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
-	corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
-	corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
-	corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-	corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t)
-	corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
-	corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
-	corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
-	corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-
-	sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+	apache_content_alias_template(apcupsd_cgi, apcupsd_cgi)
+
+	allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+	allow apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+	corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t)
+	corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t)
+	corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)
+
+	sysnet_dns_name_resolve(apcupsd_cgi_script_t)
 ')
diff --git a/apm.fc b/apm.fc
index ce27d2f..b2ba16a 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.*  --              gen_context(system_u:object_r:apmd_unit_file_t,s0)
 /etc/rc\.d/init\.d/acpid	--	gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
 
 /usr/bin/apm	--	gen_context(system_u:object_r:apm_exec_t,s0)
@@ -7,6 +8,8 @@
 /usr/sbin/powersaved	--	gen_context(system_u:object_r:apmd_exec_t,s0)
 
 /var/lock/subsys/acpid	--	gen_context(system_u:object_r:apmd_lock_t,s0)
+/var/lock/subsys/lmt-req\.lock	--	gen_context(system_u:object_r:apmd_lock_t,s0)
+/var/lock/lmt-req\.lock	--	gen_context(system_u:object_r:apmd_lock_t,s0)
 
 /var/log/acpid.*	--	gen_context(system_u:object_r:apmd_log_t,s0)
 
diff --git a/apm.if b/apm.if
index 1a7a97e..2c7252a 100644
--- a/apm.if
+++ b/apm.if
@@ -141,6 +141,30 @@ interface(`apm_stream_connect',`
 
 ########################################
 ## <summary>
+##	Execute apmd server in the apmd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`apmd_systemctl',`
+	gen_require(`
+		type apmd_t;
+		type apmd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 apmd_unit_file_t:file read_file_perms;
+	allow $1 apmd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, apmd_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an apm environment.
 ## </summary>
@@ -163,9 +187,13 @@ interface(`apm_admin',`
 		type apmd_tmp_t;
 	')
 
-	allow $1 apmd_t:process { ptrace signal_perms };
+	allow $1 apmd_t:process { signal_perms };
 	ps_process_pattern($1, apmd_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 apmd_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, apmd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 apmd_initrc_exec_t system_r;
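Review bot: `apm_admin` is not wired to the new unit-file type: unlike `apcupsd_admin`, `arpwatch_admin`, `automount_admin` and `avahi_admin` in this patch, it neither requires `apmd_unit_file_t` nor calls `apmd_systemctl($1)`, so an apm administrator still cannot manage the service through systemctl even though `apmd_systemctl` and the type are introduced here. Add `type apmd_unit_file_t;` to the gen_require and, at the end of the interface, `apmd_systemctl($1)`, `admin_pattern($1, apmd_unit_file_t)` and `allow $1 apmd_unit_file_t:service all_service_perms;`. Style: the added `tunable_policy` block is indented with spaces where the rest of the file uses tabs, and `{ signal_perms }` does not need braces. The interface body continues past the hunk.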
diff --git a/apm.te b/apm.te
index 7fd431b..41f2a57 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
 type apmd_var_run_t;
 files_pid_file(apmd_var_run_t)
 
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
 ########################################
 #
 # Client local policy
 #
 
-allow apm_t self:capability { dac_override sys_admin };
+allow apm_t self:capability { dac_override sys_admin sys_resource };
 
 kernel_read_system_state(apm_t)
 
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
 
 fs_getattr_xattr_fs(apm_t)
 
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
 
 domain_use_interactive_fds(apm_t)
 
@@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t)
 # Server local policy
 #
 
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
 allow apmd_t self:process { signal_perms getsession };
 allow apmd_t self:fifo_file rw_fifo_file_perms;
 allow apmd_t self:netlink_socket create_socket_perms;
+allow apmd_t self:netlink_generic_socket create_socket_perms;
 allow apmd_t self:unix_stream_socket { accept listen };
 
 allow apmd_t apmd_lock_t:file manage_file_perms;
@@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t)
 kernel_rw_all_sysctls(apmd_t)
 kernel_read_system_state(apmd_t)
 kernel_write_proc_files(apmd_t)
+kernel_request_load_module(apmd_t)
 
 dev_read_input(apmd_t)
 dev_read_mouse(apmd_t)
@@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
 fs_dontaudit_getattr_all_symlinks(apmd_t)
 fs_dontaudit_getattr_all_pipes(apmd_t)
 fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
+fs_read_cgroup_files(apmd_t)
 
 corecmd_exec_all_executables(apmd_t)
 
@@ -129,6 +133,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
 auth_use_nsswitch(apmd_t)
 
 init_domtrans_script(apmd_t)
+init_read_utmp(apmd_t)
+init_telinit(apmd_t)
 
 libs_exec_ld_so(apmd_t)
 libs_exec_lib_files(apmd_t)
@@ -136,17 +142,16 @@ libs_exec_lib_files(apmd_t)
 logging_send_audit_msgs(apmd_t)
 logging_send_syslog_msg(apmd_t)
 
-miscfiles_read_localization(apmd_t)
 miscfiles_read_hwdata(apmd_t)
 
 modutils_domtrans_insmod(apmd_t)
 modutils_read_module_config(apmd_t)
 
-seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(apmd_t)
 userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
 
 optional_policy(`
 	automount_domtrans(apmd_t)
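Review bot: `userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?` leaves an open question as the only change to that line; a trailing question is not a rationale and will outlive the review. Either drop the rule if it is excessive or replace the comment with the reason it stays, for example `# scripts run by apmd probe home content; silence, do not allow` if that is in fact the cause. Note also that `seutil_sigchld_newrole(apmd_t)` becomes unconditional here while the optional_policy block that held it is repurposed for `shutdown_domtrans` in the following hunk; that is only safe if the seutil interfaces are guaranteed to be in base policy, which the commit message should state.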
@@ -206,11 +211,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(apmd_t)
+	shutdown_domtrans(apmd_t)
 ')
 
 optional_policy(`
-	shutdown_domtrans(apmd_t)
+	sssd_search_lib(apmd_t)
+')
+
+optional_policy(`
+	systemd_dbus_chat_logind(apmd_t)
 ')
 
 optional_policy(`
diff --git a/apt.if b/apt.if
index cde81d2..2fe0201 100644
--- a/apt.if
+++ b/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir list_dir_perms;
-	dontaudit $1 apt_var_cache_t:dir write_dir_perms;
+	dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
 	allow $1 apt_var_cache_t:file read_file_perms;
 ')
 
diff --git a/apt.te b/apt.te
index efa8530..f928b63 100644
--- a/apt.te
+++ b/apt.te
@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
 corecmd_exec_bin(apt_t)
 corecmd_exec_shell(apt_t)
 
-corenet_all_recvfrom_unlabeled(apt_t)
 corenet_all_recvfrom_netlabel(apt_t)
 corenet_tcp_sendrecv_generic_if(apt_t)
 corenet_tcp_sendrecv_generic_node(apt_t)
@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
 domain_use_interactive_fds(apt_t)
 
 files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
 files_read_etc_runtime_files(apt_t)
 
 fs_getattr_all_fs(apt_t)
 
 term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
 
 libs_exec_ld_so(apt_t)
 libs_exec_lib_files(apt_t)
 
 logging_send_syslog_msg(apt_t)
 
-miscfiles_read_localization(apt_t)
-
 seutil_use_newrole_fds(apt_t)
 
 sysnet_read_config(apt_t)
 
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
 
 optional_policy(`
 	backup_manage_store_files(apt_t)
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0f..9a1a61f 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/arpwatch	--	gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/arpwatch.* --	gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
 /usr/sbin/arpwatch	--	gen_context(system_u:object_r:arpwatch_exec_t,s0)
 
 /var/arpwatch(/.*)?	gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
index 50c9b9c..533a555 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -119,6 +119,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
 
 ########################################
 ## <summary>
+##	Execute arpwatch server in the arpwatch domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`arpwatch_systemctl',`
+	gen_require(`
+		type arpwatch_t;
+		type arpwatch_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 arpwatch_unit_file_t:file read_file_perms;
+	allow $1 arpwatch_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, arpwatch_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an arpwatch environment.
 ## </summary>
@@ -138,11 +162,16 @@ interface(`arpwatch_admin',`
 	gen_require(`
 		type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
 		type arpwatch_data_t, arpwatch_var_run_t;
+		type arpwatch_unit_file_t;
 	')
 
-	allow $1 arpwatch_t:process { ptrace signal_perms };
+	allow $1 arpwatch_t:process signal_perms;
 	ps_process_pattern($1, arpwatch_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 arpwatch_t:process ptrace;
+	')
+
 	arpwatch_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 arpwatch_initrc_exec_t system_r;
@@ -156,4 +185,8 @@ interface(`arpwatch_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, arpwatch_var_run_t)
+
+	arpwatch_systemctl($1)
+	admin_pattern($1, arpwatch_unit_file_t)
+	allow $1 arpwatch_unit_file_t:service all_service_perms;
 ')
diff --git a/arpwatch.te b/arpwatch.te
index 2d7bf34..766a91a 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
 type arpwatch_var_run_t;
 files_pid_file(arpwatch_var_run_t)
 
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -33,6 +36,8 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
 allow arpwatch_t self:tcp_socket { accept listen };
 allow arpwatch_t self:packet_socket create_socket_perms;
 allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
+allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
 
 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
 manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,11 +50,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
 manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
 files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
 
-kernel_read_kernel_sysctls(arpwatch_t)
 kernel_read_network_state(arpwatch_t)
+# meminfo
 kernel_read_system_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
 kernel_request_load_module(arpwatch_t)
 
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
 dev_read_sysfs(arpwatch_t)
 dev_read_usbmon_dev(arpwatch_t)
 dev_rw_generic_usb_dev(arpwatch_t)
@@ -59,15 +76,12 @@ fs_search_auto_mountpoints(arpwatch_t)
 
 domain_use_interactive_fds(arpwatch_t)
 
-files_read_usr_files(arpwatch_t)
 files_search_var_lib(arpwatch_t)
 
 auth_use_nsswitch(arpwatch_t)
 
 logging_send_syslog_msg(arpwatch_t)
 
-miscfiles_read_localization(arpwatch_t)
-
 userdom_dontaudit_search_user_home_dirs(arpwatch_t)
 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
 
diff --git a/asterisk.if b/asterisk.if
index 2077053..198a02a 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
 		type asterisk_var_lib_t, asterisk_initrc_exec_t;
 	')
 
-	allow $1 asterisk_t:process { ptrace signal_perms };
+	allow $1 asterisk_t:process signal_perms;
 	ps_process_pattern($1, asterisk_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 asterisk_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
index 7e41350..e8e1672 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
 logging_log_file(asterisk_log_t)
 
 type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
 
 type asterisk_tmp_t;
 files_tmp_file(asterisk_tmp_t)
@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
 
 manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
 
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
 manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
 can_exec(asterisk_t, asterisk_exec_t)
 
 kernel_read_kernel_sysctls(asterisk_t)
@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
 corecmd_exec_bin(asterisk_t)
 corecmd_exec_shell(asterisk_t)
 
-corenet_all_recvfrom_unlabeled(asterisk_t)
 corenet_all_recvfrom_netlabel(asterisk_t)
 corenet_tcp_sendrecv_generic_if(asterisk_t)
 corenet_udp_sendrecv_generic_if(asterisk_t)
@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
 
 corenet_sendrecv_sip_client_packets(asterisk_t)
 corenet_tcp_connect_sip_port(asterisk_t)
+corenet_tcp_connect_http_port(asterisk_t)
 
 dev_rw_generic_usb_dev(asterisk_t)
 dev_read_sysfs(asterisk_t)
@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t)
 
 domain_use_interactive_fds(asterisk_t)
 
-files_read_usr_files(asterisk_t)
 files_search_spool(asterisk_t)
 files_dontaudit_search_home(asterisk_t)
 
@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t)
 logging_search_logs(asterisk_t)
 logging_send_syslog_msg(asterisk_t)
 
-miscfiles_read_localization(asterisk_t)
-
 userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
 userdom_dontaudit_search_user_home_dirs(asterisk_t)
 
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 0000000..4579cfe
--- /dev/null
+++ b/authconfig.fc
@@ -0,0 +1,3 @@
+/usr/share/authconfig/authconfig\.py		--	gen_context(system_u:object_r:authconfig_exec_t,s0)
+
+/var/lib/authconfig(/.*)?		gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
new file mode 100644
index 0000000..316c324
--- /dev/null
+++ b/authconfig.if
@@ -0,0 +1,127 @@
+
+## <summary>policy for authconfig</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the authconfig domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`authconfig_domtrans',`
+	gen_require(`
+		type authconfig_t, authconfig_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, authconfig_exec_t, authconfig_t)
+')
+
+########################################
+## <summary>
+##	Search authconfig lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_search_lib',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	allow $1 authconfig_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read authconfig lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_read_lib_files',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage authconfig lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_manage_lib_files',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage authconfig lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_manage_lib_dirs',`
+	gen_require(`
+		type authconfig_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an authconfig environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`authconfig_admin',`
+	gen_require(`
+		type authconfig_t;
+		type authconfig_var_lib_t;
+	')
+
+	allow $1 authconfig_t:process { ptrace signal_perms };
+	ps_process_pattern($1, authconfig_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, authconfig_var_lib_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
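Review bot: `authconfig_admin` grants `allow $1 authconfig_t:process { ptrace signal_perms };` unconditionally, whereas every other `*_admin` interface in this patch moves `ptrace` under `tunable_policy(`deny_ptrace`, ...)`; the new module should use the same split so the deny_ptrace boolean actually covers it. The summary of `authconfig_domtrans` still reads `Execute TEMPLATE in the authconfig domin` — leftover template text plus a typo; `Execute authconfig in the authconfig domain.` is what the body does. Since the exec type is `/usr/share/authconfig/authconfig.py` rather than a bin directory, the `corecmd_search_bin($1)` in the domtrans may be the wrong search permission; presumably `files_search_usr($1)` is what a caller needs to reach the script, worth confirming.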
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
index 0000000..362a049
--- /dev/null
+++ b/authconfig.te
@@ -0,0 +1,33 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authconfig_t;
+type authconfig_exec_t;
+application_domain(authconfig_t, authconfig_exec_t)
+role system_r types authconfig_t;
+
+type authconfig_var_lib_t;
+files_type(authconfig_var_lib_t)
+
+########################################
+#
+# authconfig local policy
+#
+allow authconfig_t self:fifo_file rw_fifo_file_perms;
+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
+domain_named_filetrans(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
+unconfined_domain_noaudit(authconfig_t)
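Review bot: `unconfined_domain_noaudit(authconfig_t)` makes the new domain unconfined, so the `manage_*_pattern`, `files_var_lib_filetrans`, `domain_named_filetrans` and `init_domtrans_script` rules above it are largely redundant, and a reader skimming the module will assume the tool is confined when it is not. A comment should state why the domain is unconfined and whether confinement is planned, e.g. `# authconfig presumably rewrites system auth configuration and runs init scripts; unconfined for now -- TODO confine`. Note also that the exec type is the Python script itself (authconfig.fc labels `/usr/share/authconfig/authconfig.py`), so the transition only fires when the script is executed directly; `python /usr/share/authconfig/authconfig.py` runs the interpreter in the caller's domain and bypasses this module entirely.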
diff --git a/automount.fc b/automount.fc
index 92adb37..0a2ffc6 100644
--- a/automount.fc
+++ b/automount.fc
@@ -1,6 +1,8 @@
 /etc/apm/event\.d/autofs	--	gen_context(system_u:object_r:automount_exec_t,s0)
 /etc/rc\.d/init\.d/autofs	--	gen_context(system_u:object_r:automount_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/autofs.*	--	gen_context(system_u:object_r:automount_unit_file_t,s0)
+
 /usr/sbin/automount	--	gen_context(system_u:object_r:automount_exec_t,s0)
 
 /var/lock/subsys/autofs	--	gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
index f24e369..4484a98 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`automount_signal',`
 	gen_require(`
 		type automount_t;
@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
 
 ########################################
 ## <summary>
+##	Allow domain to search of automount temporary
+##	directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_search_tmp_dirs',`
+	gen_require(`
+		type automount_tmp_t;
+	')
+    
+    search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get
 ##	attributes of automount temporary
 ##	directories.
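Review bot: The parameter description of the new `automount_search_tmp_dirs` says `Domain to not audit.`, wording copied from a dontaudit interface; this interface allows access, so it should read `Domain allowed access.`. The body is indented with spaces (including one whitespace-only line) where the rest of the file uses tabs. Other search-tmp interfaces in refpolicy usually pair the `search_dirs_pattern` with `files_search_tmp($1)`; worth checking whether callers can reach /tmp on their own, since automount_tmp_t is also a mountpoint.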
@@ -134,6 +152,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 
 ########################################
 ## <summary>
+##	Execute automount server in the automount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`automount_systemctl',`
+	gen_require(`
+		type automount_t;
+		type automount_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 automount_unit_file_t:file read_file_perms;
+	allow $1 automount_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, automount_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an automount environment.
 ## </summary>
@@ -153,12 +195,16 @@ interface(`automount_admin',`
 	gen_require(`
 		type automount_t, automount_lock_t, automount_tmp_t;
 		type automount_var_run_t, automount_initrc_exec_t;
-		type automount_keytab_t;
+		type automount_unit_file_t, automount_keytab_t;
 	')
 
-	allow $1 automount_t:process { ptrace signal_perms };
+	allow $1 automount_t:process signal_perms;
 	ps_process_pattern($1, automount_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 automount_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, automount_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 automount_initrc_exec_t system_r;
@@ -175,4 +221,8 @@ interface(`automount_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, automount_var_run_t)
+
+	automount_systemctl($1)
+	admin_pattern($1, automount_unit_file_t)
+	allow $1 automount_unit_file_t:service all_service_perms;
 ')
diff --git a/automount.te b/automount.te
index 27d2f40..daed3ef 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
 files_tmp_file(automount_tmp_t)
 files_mountpoint(automount_tmp_t)
 
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
 type automount_var_run_t;
 files_pid_file(automount_var_run_t)
 
@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
 # Local policy
 #
 
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability {  setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability2 block_suspend;
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
 allow automount_t self:fifo_file rw_fifo_file_perms;
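Review bot: The `allow automount_t self:capability { ... }` line is rewritten only to introduce a second space after the opening brace (`{  setgid`), so the hunk shows a change where none exists and breaks the single-space style of the surrounding lines; restore `{ setgid setuid sys_nice sys_resource dac_override sys_admin }`. The real addition, `allow automount_t self:capability2 block_suspend;`, should carry a why-comment naming which code path takes the wake lock, since the need is not obvious from the daemon's role.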
@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
 corecmd_exec_bin(automount_t)
 corecmd_exec_shell(automount_t)
 
-corenet_all_recvfrom_unlabeled(automount_t)
 corenet_all_recvfrom_netlabel(automount_t)
 corenet_tcp_sendrecv_generic_if(automount_t)
 corenet_udp_sendrecv_generic_if(automount_t)
@@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
 files_getattr_default_dirs(automount_t)
 files_getattr_home_dir(automount_t)
 files_getattr_isid_type_dirs(automount_t)
@@ -101,7 +105,6 @@ files_mount_all_file_type_fs(automount_t)
 files_mounton_all_mountpoints(automount_t)
 files_mounton_mnt(automount_t)
 files_read_etc_runtime_files(automount_t)
-files_read_usr_files(automount_t)
 files_search_boot(automount_t)
 files_search_all(automount_t)
 files_unmount_all_file_type_fs(automount_t)
@@ -113,6 +116,7 @@ fs_manage_autofs_symlinks(automount_t)
 fs_mount_all_fs(automount_t)
 fs_mount_autofs(automount_t)
 fs_read_nfs_files(automount_t)
+fs_read_nfs_symlinks(automount_t)
 fs_search_all(automount_t)
 fs_search_auto_mountpoints(automount_t)
 fs_unmount_all_fs(automount_t)
@@ -135,15 +139,18 @@ auth_use_nsswitch(automount_t)
 logging_send_syslog_msg(automount_t)
 logging_search_logs(automount_t)
 
-miscfiles_read_localization(automount_t)
 miscfiles_read_generic_certs(automount_t)
 
-mount_domtrans(automount_t)
-mount_signal(automount_t)
-
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
 
 optional_policy(`
+	# Run mount in the mount_t domain.
+	mount_domtrans(automount_t)
+	mount_domtrans_showmount(automount_t)
+	mount_signal(automount_t)
+')
+
+optional_policy(`
 	fstools_domtrans(automount_t)
 ')
 
@@ -166,3 +173,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(automount_t)
 ')
+
+tunable_policy(`mount_anyfile',`
+	files_mounton_non_security(automount_t)
+')
+
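Review bot: The new `tunable_policy(`mount_anyfile`, ...)` references a boolean that is not declared in this module, and no `gen_require` or `optional_policy` wraps it; unless `mount_anyfile` lives in global_tunables, a modular build presumably needs `gen_require(` bool mount_anyfile; `)` or the block moved inside an `optional_policy`, and the module will fail to load when the defining module is absent. A comment such as `# mount_anyfile is declared in mount.te; mirror mount_t behaviour for automount` would also explain why automount honours a mount tunable. The hunk additionally adds a trailing blank line at end of file.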
diff --git a/avahi.fc b/avahi.fc
index e9fe2ca..4c2d076 100644
--- a/avahi.fc
+++ b/avahi.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/avahi.*    --  gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
 /usr/sbin/avahi-daemon	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-dnsconfd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-autoipd	--	gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
index 9078c3d..2f6b250 100644
--- a/avahi.if
+++ b/avahi.if
@@ -211,6 +211,30 @@ interface(`avahi_dontaudit_search_pid',`
 
 ########################################
 ## <summary>
+##	Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`avahi_systemctl',`
+	gen_require(`
+		type avahi_t;
+		type avahi_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 avahi_unit_file_t:file read_file_perms;
+	allow $1 avahi_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, avahi_t)
+')
+
+########################################
+## <summary>
 ##	Create specified objects in generic
 ##	pid directories with the avahi pid file type.
 ## </summary>
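Review bot: The summary of `avahi_systemctl` says it executes the avahi server in the avahi domain, but the body grants no domain transition; it lets `$1` run systemctl, reload services, read the unit file, manage the `avahi_unit_file_t` service and read `avahi_t` process state. Suggest `##	Allow the domain to manage the avahi service with systemctl.` for the summary and `##	Domain allowed access.` for the parameter. The same copied summary appears on `bcfg2_systemctl` (L9334) and `bind_systemctl` (L9553).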
@@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',`
 interface(`avahi_admin',`
 	gen_require(`
 		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+		type avahi_unit_file_t;
 		type avahi_var_lib_t;
 	')
 
-	allow $1 avahi_t:process { ptrace signal_perms };
+	allow $1 avahi_t:process signal_perms;
 	ps_process_pattern($1, avahi_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 avahi_t:process ptrace;
+	')
+
 	avahi_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 avahi_initrc_exec_t system_r;
@@ -274,4 +303,8 @@ interface(`avahi_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, avahi_var_lib_t)
+
+	avahi_systemctl($1)
+	admin_pattern($1, avahi_unit_file_t)
+	allow $1 avahi_unit_file_t:service all_service_perms;
 ')
diff --git a/avahi.te b/avahi.te
index b8355b3..ad2aa45 100644
--- a/avahi.te
+++ b/avahi.te
@@ -13,10 +13,14 @@ type avahi_initrc_exec_t;
 init_script_file(avahi_initrc_exec_t)
 
 type avahi_var_lib_t;
-files_pid_file(avahi_var_lib_t)
+files_type(avahi_var_lib_t)
 
 type avahi_var_run_t;
 files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
+
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
 
 ########################################
 #
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
 corecmd_exec_bin(avahi_t)
 corecmd_exec_shell(avahi_t)
 
-corenet_all_recvfrom_unlabeled(avahi_t)
 corenet_all_recvfrom_netlabel(avahi_t)
 corenet_tcp_sendrecv_generic_if(avahi_t)
 corenet_udp_sendrecv_generic_if(avahi_t)
@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
 fs_list_inotifyfs(avahi_t)
 
 domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
 
 files_read_etc_runtime_files(avahi_t)
-files_read_usr_files(avahi_t)
 
 auth_use_nsswitch(avahi_t)
 
@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
 
 logging_send_syslog_msg(avahi_t)
 
-miscfiles_read_localization(avahi_t)
 miscfiles_read_generic_certs(avahi_t)
 
 sysnet_domtrans_ifconfig(avahi_t)
 sysnet_manage_config(avahi_t)
 sysnet_etc_filetrans_config(avahi_t)
 
+systemd_login_signull(avahi_t)
+
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_user_home_dirs(avahi_t)
 
diff --git a/awstats.fc b/awstats.fc
index 11e6d5f..73b4ea4 100644
--- a/awstats.fc
+++ b/awstats.fc
@@ -1,5 +1,5 @@
 /usr/share/awstats/tools/.+\.pl	--	gen_context(system_u:object_r:awstats_exec_t,s0)
-/usr/share/awstats/wwwroot(/.*)?	gen_context(system_u:object_r:httpd_awstats_content_t,s0)
-/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)?	gen_context(system_u:object_r:awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:awstats_script_exec_t,s0)
 
 /var/lib/awstats(/.*)?	gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/awstats.te b/awstats.te
index c1b16c3..ffbf2cb 100644
--- a/awstats.te
+++ b/awstats.te
@@ -26,6 +26,7 @@ type awstats_var_lib_t;
 files_type(awstats_var_lib_t)
 
 apache_content_template(awstats)
+apache_content_alias_template(awstats, awstats)
 
 ########################################
 #
@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
 
 manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
 
-allow awstats_t { httpd_awstats_content_t  httpd_awstats_script_exec_t }:dir search_dir_perms;
+allow awstats_t { awstats_content_t  awstats_script_exec_t }:dir search_dir_perms;
 
-can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
+can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t })
 
 kernel_dontaudit_read_system_state(awstats_t)
 
@@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t)
 dev_read_urand(awstats_t)
 
 files_dontaudit_search_all_mountpoints(awstats_t)
-files_read_etc_files(awstats_t)
-files_read_usr_files(awstats_t)
 
 fs_list_inotifyfs(awstats_t)
 
@@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t)
 
 logging_read_generic_logs(awstats_t)
 
-miscfiles_read_localization(awstats_t)
-
 sysnet_dns_name_resolve(awstats_t)
 
 tunable_policy(`awstats_purge_apache_log_files',`
@@ -90,9 +87,13 @@ optional_policy(`
 # CGI local policy
 #
 
-allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+apache_read_log(awstats_script_t)
+
+manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file })
 
-read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
-files_search_var_lib(httpd_awstats_script_t)
+allow awstats_script_t awstats_var_lib_t:dir list_dir_perms;
 
-apache_read_log(httpd_awstats_script_t)
+read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(awstats_script_t)
diff --git a/backup.te b/backup.te
index 7811450..d8a8bd6 100644
--- a/backup.te
+++ b/backup.te
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
 corecmd_exec_bin(backup_t)
 corecmd_exec_shell(backup_t)
 
-corenet_all_recvfrom_unlabeled(backup_t)
 corenet_all_recvfrom_netlabel(backup_t)
 corenet_tcp_sendrecv_generic_if(backup_t)
 corenet_tcp_sendrecv_generic_node(backup_t)
@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
 
 sysnet_read_config(backup_t)
 
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
 
 optional_policy(`
 	cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.fc b/bacula.fc
index 27ec3d5..65aa71b 100644
--- a/bacula.fc
+++ b/bacula.fc
@@ -8,6 +8,8 @@
 /usr/sbin/bat	--	gen_context(system_u:object_r:bacula_admin_exec_t,s0)
 /usr/sbin/bconsole	--	gen_context(system_u:object_r:bacula_admin_exec_t,s0)
 
+/var/bacula(/.*)?   gen_context(system_u:object_r:bacula_store_t,s0)
+
 /var/lib/bacula.*	gen_context(system_u:object_r:bacula_var_lib_t,s0)
 
 /var/log/bacula.*	gen_context(system_u:object_r:bacula_log_t,s0)
diff --git a/bacula.if b/bacula.if
index dcd774e..c240ffa 100644
--- a/bacula.if
+++ b/bacula.if
@@ -69,6 +69,7 @@ interface(`bacula_admin',`
 		type bacula_t, bacula_etc_t, bacula_log_t;
 		type bacula_spool_t, bacula_var_lib_t;
 		type bacula_var_run_t, bacula_initrc_exec_t;
+        attribute_role bacula_admin_roles;
 	')
 
 	allow $1 bacula_t:process { ptrace signal_perms };
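Review bot: `bacula_admin` still grants `allow $1 bacula_t:process { ptrace signal_perms };` unconditionally (context line L9175), while the other admin interfaces this commit touches — avahi_admin, bcfg2_admin, bind_admin, bitlbee_admin — keep `signal_perms` and move `ptrace` under `tunable_policy(`deny_ptrace',`',` ... `')`; applying the same split here keeps the admin interfaces consistent. The added `attribute_role bacula_admin_roles;` is indented with spaces inside a tab-indented block, and its use is not in this hunk, so presumably it is consumed later in the interface. The same space-for-tab indentation recurs in bacula.te (L9269, L9296–L9312), bcfg2.if (L9374–L9376) and bind.te (L9827, L9831, L9835, L9837), where it sits next to tab-indented lines.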
diff --git a/bacula.te b/bacula.te
index f16b000..1a7c80f 100644
--- a/bacula.te
+++ b/bacula.te
@@ -27,6 +27,9 @@ type bacula_store_t;
 files_type(bacula_store_t)
 files_mountpoint(bacula_store_t)
 
+type bacula_tmp_t;
+files_tmp_file(bacula_tmp_t)
+
 type bacula_var_lib_t;
 files_type(bacula_var_lib_t)
 
@@ -38,21 +41,30 @@ type bacula_admin_exec_t;
 application_domain(bacula_admin_t, bacula_admin_exec_t)
 role bacula_admin_roles types bacula_admin_t;
 
+type bacula_unconfined_script_exec_t;
+application_executable_file(bacula_unconfined_script_exec_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
 allow bacula_t self:process signal;
 allow bacula_t self:fifo_file rw_fifo_file_perms;
 allow bacula_t self:tcp_socket { accept listen };
 
 read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t)
 
+manage_files_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
+manage_dirs_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t)
+files_tmp_filetrans(bacula_t, bacula_tmp_t, { dir file })
+
+manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t)
 append_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
 create_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
 setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t)
+logging_log_filetrans(bacula_t, bacula_log_t, { file dir })
 
 manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
 manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t)
@@ -88,6 +100,10 @@ corenet_udp_bind_generic_node(bacula_t)
 corenet_sendrecv_generic_server_packets(bacula_t)
 corenet_udp_bind_generic_port(bacula_t)
 
+
+#TODO: check port labels for hplip a bacula
+corenet_tcp_bind_bacula_port(bacula_t)
+
 corenet_sendrecv_hplip_server_packets(bacula_t)
 corenet_tcp_bind_hplip_port(bacula_t)
 corenet_udp_bind_hplip_port(bacula_t)
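Review bot: The comment `#TODO: check port labels for hplip a bacula` reads as unfinished; `# TODO: check port labels for hplip and bacula` states the intent, and recording which of the hplip bind rules `corenet_tcp_bind_bacula_port` is expected to replace would let the TODO be closed later. The hunk also adds a second consecutive blank line (L9226) ahead of the comment.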
@@ -98,19 +114,30 @@ corenet_tcp_connect_all_ports(bacula_t)
 dev_getattr_all_blk_files(bacula_t)
 dev_getattr_all_chr_files(bacula_t)
 
+files_getattr_all_pipes(bacula_t)
+files_getattr_all_sockets(bacula_t)
+
 files_dontaudit_getattr_all_sockets(bacula_t)
+files_dontaudit_getattr_all_pipes(bacula_t)
 files_read_all_files(bacula_t)
 files_read_all_symlinks(bacula_t)
 
 fs_getattr_xattr_fs(bacula_t)
 fs_list_all(bacula_t)
 
+storage_raw_read_fixed_disk(bacula_t)
+storage_read_tape(bacula_t)
+storage_write_tape(bacula_t)
+
+auth_use_nsswitch(bacula_t)
 auth_read_shadow(bacula_t)
 
 logging_send_syslog_msg(bacula_t)
 
 sysnet_dns_name_resolve(bacula_t)
 
+userdom_home_manager(bacula_t)
+
 optional_policy(`
 	mysql_stream_connect(bacula_t)
 	mysql_tcp_connect(bacula_t)
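Review bot: `files_getattr_all_pipes(bacula_t)` and `files_getattr_all_sockets(bacula_t)` are added directly above `files_dontaudit_getattr_all_sockets(bacula_t)` and the new `files_dontaudit_getattr_all_pipes(bacula_t)`; once the access is allowed the dontaudit rules can never fire, so one of the two pairs should go, depending on whether the intent was to grant the access or only to silence the denials. `storage_raw_read_fixed_disk(bacula_t)` and `userdom_home_manager(bacula_t)` are wide grants (raw block-device reads sidestep file labelling, and home-manager covers every user's home content); a one-line comment naming the bacula feature each one serves, in the style of the dirsrv comment in bind.te (L9811), would justify them to a later audit.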
@@ -125,6 +152,12 @@ optional_policy(`
 	ldap_stream_connect(bacula_t)
 ')
 
+optional_policy(`
+    postgresql_tcp_connect(bacula_t)
+    postgresql_stream_connect(bacula_t)
+')
+
+
 ########################################
 #
 # Client local policy
@@ -148,11 +181,32 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
 
 domain_use_interactive_fds(bacula_admin_t)
 
-files_read_etc_files(bacula_admin_t)
-
-miscfiles_read_localization(bacula_admin_t)
-
 sysnet_dns_name_resolve(bacula_admin_t)
 
 userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
 userdom_use_user_ptys(bacula_admin_t)
+
+########################################
+#
+# Unconfined script local policy
+#
+
+optional_policy(`
+         type bacula_unconfined_script_t;
+         domain_type(bacula_unconfined_script_t)
+
+         domain_entry_file(bacula_unconfined_script_t, bacula_unconfined_script_exec_t)
+         role system_r types bacula_unconfined_script_t;
+ 
+         allow bacula_t bacula_unconfined_script_t:process signal_perms;
+
+         domtrans_pattern(bacula_t, bacula_unconfined_script_exec_t, bacula_unconfined_script_t)
+
+         allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir search_dir_perms;
+         allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir read_file_perms;
+         allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:file ioctl;
+
+         optional_policy(`
+            unconfined_domain(bacula_unconfined_script_t)
+        ')
+')
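Review bot: `allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir read_file_perms;` applies a file permission set to the dir class; the dir class carries those permissions so it compiles, but with `:dir search_dir_perms` on the line before and `:file ioctl` on the line after, the intended rule looks like `allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:file read_file_perms;`, which already includes ioctl and makes the separate ioctl line redundant. With the type declaration and `domtrans_pattern` inside the outer `optional_policy` while only the inner `unconfined_domain` call depends on the unconfined module, bacula_t still transitions into `bacula_unconfined_script_t` when that module is absent, and the domain then has only the three rules visible here; a comment stating that this is intended would make the decision explicit. L9301 also carries trailing whitespace.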
diff --git a/bcfg2.fc b/bcfg2.fc
index fb42e35..8af0e14 100644
--- a/bcfg2.fc
+++ b/bcfg2.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/bcfg2-server.*		--	gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
 /usr/sbin/bcfg2-server	--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
 
 /var/lib/bcfg2(/.*)?	gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
index ec95d36..186271b 100644
--- a/bcfg2.if
+++ b/bcfg2.if
@@ -117,6 +117,32 @@ interface(`bcfg2_manage_lib_dirs',`
 
 ########################################
 ## <summary>
+##	Execute bcfg2 server in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_systemctl',`
+	gen_require(`
+		type bcfg2_t;
+		type bcfg2_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 bcfg2_unit_file_t:file read_file_perms;
+	allow $1 bcfg2_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bcfg2_t)
+')
+
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bcfg2 environment.
 ## </summary>
@@ -136,11 +162,16 @@ interface(`bcfg2_admin',`
 	gen_require(`
 		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
 		type bcfg2_var_run_t;
+		type bcfg2_unit_file_t;
 	')
 
-	allow $1 bcfg2_t:process { ptrace signal_perms };
+	allow $1 bcfg2_t:process { signal_perms };
 	ps_process_pattern($1, bcfg2_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 bcfg2_t:process ptrace;
+    ')
+
 	bcfg2_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 bcfg2_initrc_exec_t system_r;
@@ -151,4 +182,13 @@ interface(`bcfg2_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, bcfg2_var_lib_t)
+
+	bcfg2_systemctl($1)
+	admin_pattern($1, bcfg2_unit_file_t)
+	allow $1 bcfg2_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
diff --git a/bcfg2.te b/bcfg2.te
index c3fd7b1..e189593 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
 type bcfg2_var_lib_t;
 files_type(bcfg2_var_lib_t)
 
+type bcfg2_unit_file_t;
+systemd_unit_file(bcfg2_unit_file_t)
+
 type bcfg2_var_run_t;
 files_pid_file(bcfg2_var_run_t)
 
@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
 
 domain_use_interactive_fds(bcfg2_t)
 
-files_read_usr_files(bcfg2_t)
 
 auth_use_nsswitch(bcfg2_t)
 
 logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
index 2b9a3a1..982ce9b 100644
--- a/bind.fc
+++ b/bind.fc
@@ -1,54 +1,78 @@
-/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named-sdb --     gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 
-/etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.caching-nameserver\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc.*	--	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
-/etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/lib/systemd/system/unbound.* --  gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.*	--	gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named-sdb.* --	gen_context(system_u:object_r:named_unit_file_t,s0)
 
 /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named	--	gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf	--	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc	--	gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-sdb	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-pkcs11	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc		--	gen_context(system_u:object_r:ndc_exec_t,s0)
 /usr/sbin/unbound	--	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor --	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-checkconf --	gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-control   --  gen_context(system_u:object_r:named_exec_t,s0)
 
-/var/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
+/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 
-/var/cache/bind(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/run/ndc		-s	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)?		gen_context(system_u:object_r:named_var_run_t,s0)
 
-/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
+ifdef(`distro_debian',`
+/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local --	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)?			gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
+')
 
-/var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones --	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/lib/softhsm(/.*)? 		gen_context(system_u:object_r:named_cache_t,s0)
+/var/lib/unbound(/.*)? 		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
-/var/named/chroot/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.caching-nameserver\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/proc(/.*)?	<<none>>
-/var/named/chroot/var/run/named.*	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/named/chroot/var/tmp(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/chroot/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/chroot/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/named\.ca	--	gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
-/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
-
-/var/run/ndc	-s	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/bind(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/named(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/unbound(/.*)?	gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+')
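Review bot: The rewritten entries `/etc/named\.rfc1912.zones` (L9499) and `/var/named/chroot/etc/named\.rfc1912.zones` (L9518) drop the escape the removed lines had before `zones`, so the unescaped `.` now matches any character; restore `/etc/named\.rfc1912\.zones` and `/var/named/chroot/etc/named\.rfc1912\.zones`. The hunk also mixes tab and space separators between path, file-type flag and context (for example L9444, L9446, L9465), which the fc parser tolerates but which is inconsistent with the surrounding lines.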
diff --git a/bind.if b/bind.if
index 531a8f2..3fcf187 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute bind server in the bind domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bind_systemctl',`
+	gen_require(`
+		type named_unit_file_t;
+		type named_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 named_unit_file_t:file read_file_perms;
+	allow $1 named_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
 ##	Execute ndc in the ndc domain.
 ## </summary>
 ## <param name="domain">
@@ -169,6 +193,7 @@ interface(`bind_read_config',`
 		type named_conf_t;
 	')
 
+	allow $1 named_conf_t:dir  list_dir_perms;
 	read_files_pattern($1, named_conf_t, named_conf_t)
 ')
 
@@ -212,6 +237,25 @@ interface(`bind_manage_config_dirs',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete
+##	BIND configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_config',`
+	gen_require(`
+		type named_conf_t;
+	')
+
+	manage_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
 ##	Search bind cache directories.
 ## </summary>
 ## <param name="domain">
@@ -310,6 +354,47 @@ interface(`bind_read_zone',`
 
 ########################################
 ## <summary>
+##	Read BIND zone files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_log',`
+	gen_require(`
+		type named_zone_t;
+		type named_log_t;
+	')
+
+	files_search_var($1)
+	allow $1 named_zone_t:dir search_dir_perms;
+	read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	bind zone files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_manage_zone_dirs',`
+	gen_require(`
+		type named_zone_t;
+	')
+
+	files_search_var($1)
+	allow $1  named_zone_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	bind zone files.
 ## </summary>
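Review bot: The summary of `bind_read_log` reads `##	Read BIND zone files.`, copied from `bind_read_zone` above it, but the interface grants read on `named_log_t`; change it to `##	Read BIND log files.`. The interface also requires `named_zone_t` and grants `search_dir_perms` on it, presumably because the log files sit under the zone directory on some layouts; a short comment on that line would save the next reader from guessing. `bind_manage_zone_dirs` below it likewise carries the "zone files" summary while granting only `manage_dir_perms` on the directories.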
@@ -344,6 +429,25 @@ interface(`bind_udp_chat_named',`
 
 ########################################
 ## <summary>
+##	Allow the domain to read bind state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_state',`
+	gen_require(`
+		type named_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bind environment.
 ## </summary>
@@ -364,11 +468,17 @@ interface(`bind_admin',`
 		type named_t, named_tmp_t, named_log_t;
 		type named_cache_t, named_zone_t, named_initrc_exec_t;
 		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
-		type named_keytab_t;
+		type named_keytab_t, named_unit_file_t;
 	')
 
-	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { named_t ndc_t })
+	allow $1 named_t:process signal_perms;
+	ps_process_pattern($1, named_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 named_t:process ptrace;
+	')
+
+	bind_run_ndc($1, $2)
 
 	init_labeled_script_domtrans($1, named_initrc_exec_t)
 	domain_system_change_exemption($1)
@@ -384,11 +494,15 @@ interface(`bind_admin',`
 	files_list_etc($1)
 	admin_pattern($1, { named_keytab_t named_conf_t })
 
+	admin_pattern($1, named_keytab_t)
+
 	files_list_var($1)
 	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
 
 	files_list_pids($1)
 	admin_pattern($1, named_var_run_t)
 
-	bind_run_ndc($1, $2)
+	admin_pattern($1, named_unit_file_t)
+	bind_systemctl($1)
+	allow $1 named_unit_file_t:service all_service_perms;
 ')
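Review bot: The added `admin_pattern($1, named_keytab_t)` duplicates the context line two above it, `admin_pattern($1, { named_keytab_t named_conf_t })`, which already covers `named_keytab_t`; drop the new line. Earlier in the same interface (L9696–L9699, outside this hunk) the commit narrows `signal_perms` and `ps_process_pattern` from `{ named_t ndc_t }` to `named_t` alone, so an admin can no longer signal `ndc_t` processes even though `bind_run_ndc` still lets it start them; if that is intended, a comment next to the narrowed rule would record it.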
diff --git a/bind.te b/bind.te
index 1241123..ab9ec30 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
 init_system_domain(named_t, named_checkconf_exec_t)
 
 type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
 files_mountpoint(named_conf_t)
 
 # for secondary zone files
@@ -44,6 +44,9 @@ files_type(named_cache_t)
 type named_initrc_exec_t;
 init_script_file(named_initrc_exec_t)
 
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
 type named_keytab_t;
 files_type(named_keytab_t)
 
@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
 # Local policy
 #
 
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
+allow named_t self:capability2 block_suspend;
 allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
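Review bot: `net_admin` is added to named_t's capability set and `block_suspend` to capability2 without a comment saying which named operation needs them; CAP_NET_ADMIN is one of the broader capabilities, so a why-comment such as `# net_admin: <operation that needs it — confirm>` above the allow line would let a later audit decide whether it can be narrowed. The bacula.te (L9203) and bitlbee.te (L9938–L9941) hunks in this commit widen capabilities and socket classes with the same lack of explanation.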
@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms;
 read_files_pattern(named_t, named_conf_t, named_conf_t)
 read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
 
+manage_dirs_pattern(named_t, named_cache_t, named_cache_t)
 manage_files_pattern(named_t, named_cache_t, named_cache_t)
 manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
 
 allow named_t named_keytab_t:file read_file_perms;
 
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
-setattr_files_pattern(named_t, named_log_t, named_log_t)
+manage_files_pattern(named_t, named_log_t, named_log_t)
 logging_log_filetrans(named_t, named_log_t, file)
 
 manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
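Review bot: Replacing the append/create/setattr rules on `named_log_t` with `manage_files_pattern(named_t, named_log_t, named_log_t)` also lets the daemon unlink, rename and rewrite its own log files, which the previous set did not allow; if named only needs one extra permission (for rotation, say), keeping the three old rules plus that permission preserves log integrity. If the full manage set is required, a comment naming the feature that needs it would record the trade-off.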
@@ -112,10 +115,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 kernel_read_kernel_sysctls(named_t)
 kernel_read_system_state(named_t)
 kernel_read_network_state(named_t)
+kernel_read_net_sysctls(named_t)
 
 corecmd_search_bin(named_t)
 
-corenet_all_recvfrom_unlabeled(named_t)
 corenet_all_recvfrom_netlabel(named_t)
 corenet_tcp_sendrecv_generic_if(named_t)
 corenet_udp_sendrecv_generic_if(named_t)
@@ -141,9 +144,13 @@ corenet_sendrecv_all_client_packets(named_t)
 corenet_tcp_connect_all_ports(named_t)
 corenet_tcp_sendrecv_all_ports(named_t)
 
+corenet_tcp_bind_all_ephemeral_ports(named_t)
+corenet_udp_bind_all_ephemeral_ports(named_t)
+
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
 dev_read_urand(named_t)
+dev_dontaudit_write_urand(named_t)
 
 domain_use_interactive_fds(named_t)
 
@@ -175,6 +182,19 @@ tunable_policy(`named_write_master_zones',`
 ')
 
 optional_policy(`
+	cron_system_entry(named_t, named_exec_t)
+')
+
+optional_policy(`
+	# needed by FreeIPA with DNS support
+	dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
+	dnssec_trigger_manage_pid_files(named_t)
+')
+
+optional_policy(`
 	dbus_system_domain(named_t, named_exec_t)
 
 	init_dbus_chat_script(named_t)
@@ -187,7 +207,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+    ipa_manage_lib(named_t)
+')
+
+optional_policy(`
+    ipsec_rw_inherited_pipes(named_t)
+')
+
+optional_policy(`
+    kerberos_filetrans_named_content(named_t)
 	kerberos_read_keytab(named_t)
+    kerberos_read_host_rcache(named_t)
 	kerberos_use(named_t)
 ')
 
@@ -215,7 +245,8 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process signal_perms;
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process { fork signal_perms };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
@@ -229,10 +260,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
 
 allow ndc_t named_zone_t:dir search_dir_perms;
 
-kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_kernel_sysctls(ndc_t)
 
-corenet_all_recvfrom_unlabeled(ndc_t)
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
 corenet_tcp_sendrecv_generic_node(ndc_t)
@@ -242,6 +272,9 @@ corenet_tcp_bind_generic_node(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
 corenet_sendrecv_rndc_client_packets(ndc_t)
 
+dev_read_rand(ndc_t)
+dev_read_urand(ndc_t)
+
 domain_use_interactive_fds(ndc_t)
 
 files_search_pids(ndc_t)
@@ -257,7 +290,7 @@ init_use_script_ptys(ndc_t)
 
 logging_send_syslog_msg(ndc_t)
 
-miscfiles_read_localization(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
 
 userdom_use_user_terminals(ndc_t)
 
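Review bot: `userdom_use_inherited_user_terminals(ndc_t)` is added two lines above the unchanged `userdom_use_user_terminals(ndc_t)`; in backup.te (L9146–L9147) the commit replaces the latter with the former, so here either the old line was meant to go as well or the new one is redundant. The removed `miscfiles_read_localization(ndc_t)` follows the same pattern as the removals in automount.te, avahi.te, awstats.te, bacula.te and bcfg2.te; if that access is now granted to all domains elsewhere, one sentence in the commit description would explain the pattern.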
diff --git a/bird.te b/bird.te
index 1d60c27..f8bb700 100644
--- a/bird.te
+++ b/bird.te
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
 corenet_tcp_sendrecv_bgp_port(bird_t)
 
 # /etc/iproute2/rt_realms
-files_read_etc_files(bird_t)
 
 logging_send_syslog_msg(bird_t)
 
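Review bot: Removing `files_read_etc_files(bird_t)` leaves the comment `# /etc/iproute2/rt_realms` above it describing a rule that no longer exists. Either delete the comment or keep it as an explanation of where the access now comes from, e.g. `# /etc/iproute2/rt_realms: read via the generic etc-file rules — confirm`. The `files_read_etc_files` removals in awstats.te and bacula.te are in the same situation but leave no orphaned comment behind.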
diff --git a/bitlbee.fc b/bitlbee.fc
index e9708d6..61362d0 100644
--- a/bitlbee.fc
+++ b/bitlbee.fc
@@ -7,7 +7,7 @@
 
 /var/lib/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_var_t,s0)
 
-/var/log/bip(/.*)?	gen_context(system_u:object_r:bitlbee_log_t,s0)
+/var/log/bip.*	gen_context(system_u:object_r:bitlbee_log_t,s0)
 
 /var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 /var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/bitlbee.if b/bitlbee.if
index e73fb79..2badfc0 100644
--- a/bitlbee.if
+++ b/bitlbee.if
@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
 		type bitlbee_log_t, bitlbee_tmp_t;
 	')
 
-	allow $1 bitlbee_t:process { ptrace signal_perms };
+	allow $1 bitlbee_t:process signal_perms;
 	ps_process_pattern($1, bitlbee_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 bitlbee_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index f5c1a48..d8e7d55 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
 
 allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
 allow bitlbee_t self:process { setsched signal };
+
 allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-allow bitlbee_t self:tcp_socket { accept listen };
-allow bitlbee_t self:unix_stream_socket { accept listen };
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
 allow bitlbee_t bitlbee_conf_t:file read_file_perms;
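Review bot: On the `self:tcp_socket` line, `connected_stream_socket_perms` is redundant next to `create_stream_socket_perms`: in the reference policy's obj_perm_sets.spt the former is `connected_socket_perms` plus `listen accept`, every member of which is already in `create_socket_perms` plus `listen accept`, i.e. the latter. `allow bitlbee_t self:tcp_socket create_stream_socket_perms;` expresses the same access and matches the unix_stream_socket line below it. The new `netlink_route_socket` rule is also what `sysnet_dns_name_resolve` grants, and `auth_use_nsswitch(bitlbee_t)` further down this file pulls that in, so the explicit rule is likely redundant as well — worth checking before keeping it.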
@@ -45,22 +48,25 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
 manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
 setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
 
 manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
 manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
 files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
 
 manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
-files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file})
 
 manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
 
-kernel_read_kernel_sysctls(bitlbee_t)
 kernel_read_system_state(bitlbee_t)
+kernel_read_kernel_sysctls(bitlbee_t)
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
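Review bot: `files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file})` drops the spacing the rest of this file uses for permission sets (`{ dir file }` on the tmp and pid filetrans lines in this same hunk); write it as `files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, { dir file })`. Separately, `read_files_pattern` on bitlbee_log_t is added beside the existing append/create/setattr rules; if the daemon only reopens its log for appending, the read rule is unnecessary and the previous append-only shape is the tighter one, so a comment on what reads the log would justify the widening.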
@@ -98,7 +104,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
 
 corenet_sendrecv_ircd_server_packets(bitlbee_t)
 corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_tcp_bind_interwise_port(bitlbee_t)
 corenet_sendrecv_ircd_client_packets(bitlbee_t)
+corenet_tcp_connect_interwise_port(bitlbee_t)
 corenet_tcp_connect_ircd_port(bitlbee_t)
 corenet_tcp_sendrecv_ircd_port(bitlbee_t)
 
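Review bot: The interwise bind and connect rules are added without the packet-type counterparts that the neighbouring ircd rules carry (`corenet_sendrecv_ircd_server_packets` next to the bind, `corenet_sendrecv_ircd_client_packets` next to the connect). For symmetry add `corenet_sendrecv_interwise_server_packets(bitlbee_t)` and `corenet_sendrecv_interwise_client_packets(bitlbee_t)`; corenetwork generates these for every declared port, interwise included. Interleaving the two new lines between the ircd lines also splits the ircd group; placing them as their own block after it reads more easily.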
@@ -109,16 +117,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
 dev_read_rand(bitlbee_t)
 dev_read_urand(bitlbee_t)
 
-files_read_usr_files(bitlbee_t)
-
 libs_legacy_use_shared_libs(bitlbee_t)
 
 auth_use_nsswitch(bitlbee_t)
 
 logging_send_syslog_msg(bitlbee_t)
 
-miscfiles_read_localization(bitlbee_t)
+optional_policy(`
+    dbus_system_bus_client(bitlbee_t)
+')
 
 optional_policy(`
 	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
 ')
+
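Review bot: The new `dbus_system_bus_client` optional block is indented with four spaces while the rest of this file (see the `tcpd_wrapped_domain` block just below it) uses a tab, and the hunk also appends a blank line after the final `')`, leaving trailing whitespace at end of file. The same space-versus-tab mix appears in the `tunable_policy` block of `blkmapd_admin` in blkmapd.if, the `rpc_read_nfs_state_data` optional block in blkmapd.te, the `bluetooth_read_config` block in blueman.te, `boinc_dontaudit_getattr_lib` and `boinc_systemctl` in boinc.if, and the `boinc_execmem` tunable for boinc_domain in boinc.te. Converting all of them to tabs keeps the tree consistent with the reference-policy style the surrounding code follows.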
diff --git a/blkmapd.fc b/blkmapd.fc
new file mode 100644
index 0000000..5e59fb4
--- /dev/null
+++ b/blkmapd.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/blkmapd	--	gen_context(system_u:object_r:blkmapd_initrc_exec_t,s0)
+
+/usr/sbin/blkmapd		--	gen_context(system_u:object_r:blkmapd_exec_t,s0)
+
+/var/run/blkmapd\.pid		--	gen_context(system_u:object_r:blkmapd_var_run_t,s0)
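Review bot: The new file opens with an empty line before the first entry, which serves no purpose; blueman.fc and boinc.fc are given the same leading blank line elsewhere in this commit, and dropping it in all three keeps them uniform. blkmapd gets an initrc script label here but no `*_unit_file_t` entry, whereas bluetooth and boinc gain unit-file labeling in this same commit; if blkmapd also ships a systemd unit, the matching entry and type are missing, and if it does not, a short comment saying so would stop the question from coming up again.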
diff --git a/blkmapd.if b/blkmapd.if
new file mode 100644
index 0000000..7666379
--- /dev/null
+++ b/blkmapd.if
@@ -0,0 +1,121 @@
+
+## <summary>The blkmapd daemon performs device discovery and mapping for pNFS block layout client.</summary>
+
+########################################
+## <summary>
+##	Execute blkmapd_exec_t in the blkmapd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`blkmapd_domtrans',`
+	gen_require(`
+		type blkmapd_t, blkmapd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
+')
+
+######################################
+## <summary>
+##	Execute blkmapd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blkmapd_exec',`
+	gen_require(`
+		type blkmapd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, blkmapd_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute blkmapd server in the blkmapd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blkmapd_initrc_domtrans',`
+	gen_require(`
+		type blkmapd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
+')
+########################################
+## <summary>
+##	Read blkmapd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`blkmapd_read_pid_files',`
+	gen_require(`
+		type blkmapd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an blkmapd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`blkmapd_admin',`
+	gen_require(`
+		type blkmapd_t;
+		type blkmapd_initrc_exec_t;
+		type blkmapd_var_run_t;
+	')
+
+	allow $1 blkmapd_t:process { signal_perms };
+	ps_process_pattern($1, blkmapd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 blkmapd_t:process ptrace;
+    ')
+
+	blkmapd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 blkmapd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_pids($1)
+	admin_pattern($1, blkmapd_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
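Review bot: In `blkmapd_admin` the rule `allow $1 blkmapd_t:process { signal_perms };` wraps a single permission-set macro in braces, which the other admin interfaces touched by this commit (bitlbee_admin, bluetooth_admin, boinc_admin) do not; write it as `allow $1 blkmapd_t:process signal_perms;`. The `blkmapd_initrc_domtrans` definition runs straight into the next `####` header with no blank line, while `blkmapd_read_pid_files` is followed by two, so one blank line after each closing `')` would even that out. The summary of `blkmapd_admin` reads "an blkmapd environment"; "a blkmapd environment" is the intended wording.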
diff --git a/blkmapd.te b/blkmapd.te
new file mode 100644
index 0000000..6cfb355
--- /dev/null
+++ b/blkmapd.te
@@ -0,0 +1,44 @@
+policy_module(blkmapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type blkmapd_t;
+type blkmapd_exec_t;
+init_daemon_domain(blkmapd_t, blkmapd_exec_t)
+
+type blkmapd_initrc_exec_t;
+init_script_file(blkmapd_initrc_exec_t)
+
+type blkmapd_var_run_t;
+files_pid_file(blkmapd_var_run_t)
+
+
+########################################
+#
+# blkmapd local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+
+manage_files_pattern(blkmapd_t, blkmapd_var_run_t, blkmapd_var_run_t)
+files_pid_filetrans(blkmapd_t, blkmapd_var_run_t, file)
+
+kernel_read_system_state(blkmapd_t)
+
+dev_list_sysfs(blkmapd_t)
+
+fs_list_rpc(blkmapd_t)
+fs_rw_rpc_named_pipes(blkmapd_t)
+
+storage_raw_read_fixed_disk(blkmapd_t)
+storage_raw_read_removable_device(blkmapd_t)
+
+
+logging_send_syslog_msg(blkmapd_t)
+
+optional_policy(`
+   rpc_read_nfs_state_data(blkmapd_t)
+')
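Review bot: `allow blkmapd_t self:capability sys_rawio;` together with `storage_raw_read_fixed_disk` and `storage_raw_read_removable_device` is the widest grant in this new module, and nothing in the file says which operation needs the capability as opposed to the raw-device read interfaces. A comment above the rule naming the access path that produced the sys_rawio denial would let future reviewers check whether it is still required, e.g. `# sys_rawio: needed for <operation — fill in from the audit record>` until the exact reason is recorded. The doubled blank lines after `files_pid_file(blkmapd_var_run_t)` and after the storage rules can be collapsed to one.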
diff --git a/blueman.fc b/blueman.fc
index c295d2e..4f84e9c 100644
--- a/blueman.fc
+++ b/blueman.fc
@@ -1,3 +1,4 @@
+
 /usr/libexec/blueman-mechanism	--	gen_context(system_u:object_r:blueman_exec_t,s0)
 
 /var/lib/blueman(/.*)?	gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.if b/blueman.if
index 16ec525..1dd4059 100644
--- a/blueman.if
+++ b/blueman.if
@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
 
 	allow $1 blueman_t:dbus send_msg;
 	allow blueman_t $1:dbus send_msg;
+	ps_process_pattern(blueman_t, $1)
 ')
 
 ########################################
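Review bot: `ps_process_pattern(blueman_t, $1)` inside `blueman_dbus_chat` makes an interface whose name promises only D-Bus message exchange also grant blueman_t read access to the caller's process state, and callers reading the summary will not expect that. If blueman genuinely needs to inspect its D-Bus peers, say so where it can be seen: either extend the interface's `<summary>` (which lies outside this hunk) or add `# blueman reads the process state of its dbus peer` above the new line. Otherwise move the grant into blueman.te for the specific peer domain that actually needs it, so the interface stays a pure dbus_chat.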
diff --git a/blueman.te b/blueman.te
index 3a5032e..3facb71 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
 
 type blueman_t;
 type blueman_exec_t;
-dbus_system_domain(blueman_t, blueman_exec_t)
+init_daemon_domain(blueman_t, blueman_exec_t)
 
 type blueman_var_lib_t;
 files_type(blueman_var_lib_t)
@@ -15,13 +15,17 @@ files_type(blueman_var_lib_t)
 type blueman_var_run_t;
 files_pid_file(blueman_var_run_t)
 
+type blueman_tmp_t;
+files_tmp_file(blueman_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
 allow blueman_t self:capability { net_admin sys_nice };
-allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:process { execmem signal_perms setsched };
+
 allow blueman_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
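Review bot: `execmem` is added to `blueman_t self:process` with no comment, and this commit also lets blueman_t execute files it creates under blueman_tmp_t (`exec_files_pattern` in the next hunk) and map /dev/zero read-write-execute (`dev_rwx_zero` in the hunk after that). Each of these relaxes W^X for the domain, and the reference-policy convention is to justify them in place, e.g. `# execmem: <runtime or denial that requires it — confirm>` above the process rule and a similar note on the tmp and zero rules. If the tmp execution is only needed for a specific helper, a dedicated type with `filetrans_pattern` would be narrower than executing everything labeled blueman_tmp_t.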
@@ -32,7 +36,12 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
 manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
 files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
 
-kernel_read_net_sysctls(blueman_t)
+manage_dirs_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+manage_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+exec_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+files_tmp_filetrans(blueman_t, blueman_tmp_t, { file dir })
+
+kernel_rw_net_sysctls(blueman_t)
 kernel_read_system_state(blueman_t)
 kernel_request_load_module(blueman_t)
 
@@ -41,29 +50,45 @@ corecmd_exec_bin(blueman_t)
 dev_read_rand(blueman_t)
 dev_read_urand(blueman_t)
 dev_rw_wireless(blueman_t)
+dev_rwx_zero(blueman_t)
 
 domain_use_interactive_fds(blueman_t)
 
 files_list_tmp(blueman_t)
-files_read_usr_files(blueman_t)
+files_dontaudit_write_all_mountpoints(blueman_t)
 
 auth_use_nsswitch(blueman_t)
 
 logging_send_syslog_msg(blueman_t)
 
-miscfiles_read_localization(blueman_t)
-
 sysnet_domtrans_ifconfig(blueman_t)
+sysnet_dns_name_resolve(blueman_t)
 
 optional_policy(`
 	avahi_domtrans(blueman_t)
 ')
 
 optional_policy(`
+    bluetooth_read_config(blueman_t)
+')
+
+optional_policy(`
+	dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
+optional_policy(`
 	dnsmasq_domtrans(blueman_t)
 	dnsmasq_read_pid_files(blueman_t)
 ')
 
 optional_policy(`
+	gnome_search_gconf(blueman_t)
+')
+
+optional_policy(`
 	iptables_domtrans(blueman_t)
 ')
+
+optional_policy(`
+	xserver_read_state_xdm(blueman_t)
+')
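Review bot: `sysnet_dns_name_resolve(blueman_t)` is added directly under `sysnet_domtrans_ifconfig`, but `auth_use_nsswitch(blueman_t)` a few lines above already pulls in name resolution (in the reference policy `auth_use_nsswitch` calls `sysnet_dns_name_resolve`), so the new line is redundant unless this tree's auth module differs. `files_dontaudit_write_all_mountpoints(blueman_t)` replaces `files_read_usr_files` with no explanation; a short comment on what writes to mountpoints and why the denial is being silenced would help, since a dontaudit hides exactly the records one later wants when debugging. Wrapping `dbus_system_domain` in `optional_policy` while `init_daemon_domain` is applied unconditionally at the top of the file is fine, but a one-line comment that the type is now declared by init and only connected to dbus when that module is present would make the split intentional rather than accidental.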
diff --git a/bluetooth.fc b/bluetooth.fc
index 2b9c7f3..0086b95 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
@@ -5,10 +5,14 @@
 /etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/bluetooth.*  -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
 /usr/bin/blue.*pin	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
 /usr/bin/dund	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/bin/hidd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/bin/rfcomm	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/bluetoothd 	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 
 /usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
index c723a0a..1c29d21 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
 	domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
 
 	ps_process_pattern($2, bluetooth_helper_t)
-	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+	allow $2 bluetooth_helper_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 bluetooth_helper_t:process ptrace;
+	')
 
 	allow $2 bluetooth_t:socket rw_socket_perms;
 
@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
 	allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 	allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
+	manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+	manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+	bluetooth_stream_connect($2)
 	stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
-	files_search_pids($2)
 ')
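Review bot: With `bluetooth_stream_connect($2)` added on the line above, the following `stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)` is redundant: the interface (rewritten in the next hunk) performs that same call plus `files_search_pids` and the `bluetooth_t:socket rw_socket_perms` grant that this interface also carries earlier. Drop the explicit `stream_connect_pattern` line here and let the interface be the single place that defines how a role connects to bluetoothd. The enclosing `bluetooth_role` begins before this hunk.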
 
 #####################################
@@ -63,11 +70,13 @@ interface(`bluetooth_role',`
 interface(`bluetooth_stream_connect',`
 	gen_require(`
 		type bluetooth_t, bluetooth_var_run_t;
+		type bluetooth_tmp_t;
 	')
 
 	files_search_pids($1)
 	allow $1 bluetooth_t:socket rw_socket_perms;
 	stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+	stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)
 ')
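Review bot: The new `stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)` gives the caller search on bluetooth_tmp_t directories, but reaching a socket under /tmp also requires search on the tmp directory type itself, the same way `files_search_pids($1)` is provided for the /var/run case two lines above. Add `files_search_tmp($1)` beside it unless every caller is known to have that already. A brief comment naming the socket bluetoothd places in tmp would make the rule easier to re-verify later.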
 
 ########################################
@@ -130,6 +139,27 @@ interface(`bluetooth_dbus_chat',`
 
 ########################################
 ## <summary>
+##	dontaudit Send and receive messages from
+##	bluetooth over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+	gen_require(`
+		type bluetooth_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 bluetooth_t:dbus send_msg;
+	dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
 ## </summary>
 ## <param name="domain">
@@ -190,6 +220,30 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 
 ########################################
 ## <summary>
+##	Execute bluetooth server in the bluetooth domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_systemctl',`
+	gen_require(`
+		type bluetooth_t;
+		type bluetooth_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 bluetooth_unit_file_t:file read_file_perms;
+	allow $1 bluetooth_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bluetooth_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bluetooth environment.
 ## </summary>
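Review bot: The summary of `bluetooth_systemctl` says "Execute bluetooth server in the bluetooth domain", which is the wording of an initrc/domtrans interface and does not describe what this one grants: running systemctl, reloading services, reading bluetooth_unit_file_t with `manage_service_perms` on it, and process-state reads on bluetooth_t. Replace it with "Manage the bluetooth service via systemctl (start, stop, status, reload)." and change the parameter summary from "Domain allowed to transition." to "Domain allowed access.", since no domain transition happens here. `boinc_systemctl` in boinc.if has the same copied summary and should receive the same fix.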
@@ -210,12 +264,16 @@ interface(`bluetooth_admin',`
 		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
 		type bluetooth_var_lib_t, bluetooth_var_run_t;
 		type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
-		type bluetooth_initrc_exec_t;
+		type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
 	')
 
-	allow $1 bluetooth_t:process { ptrace signal_perms };
+	allow $1 bluetooth_t:process signal_perms;
 	ps_process_pattern($1, bluetooth_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 bluetooth_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 bluetooth_initrc_exec_t system_r;
@@ -235,4 +293,8 @@ interface(`bluetooth_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, bluetooth_var_run_t)
+
+	bluetooth_systemctl($1)
+	admin_pattern($1, bluetooth_unit_file_t)
+	allow $1 bluetooth_unit_file_t:service all_service_perms;
 ')
diff --git a/bluetooth.te b/bluetooth.te
index 851769e..3dc3f36 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
 type bluetooth_var_run_t;
 files_pid_file(bluetooth_var_run_t)
 
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
 
 manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
 
 manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
 manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
@@ -90,27 +94,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
 
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 kernel_read_network_state(bluetooth_t)
 kernel_request_load_module(bluetooth_t)
 kernel_search_debugfs(bluetooth_t)
 
-corecmd_exec_bin(bluetooth_t)
-corecmd_exec_shell(bluetooth_t)
-
-dev_read_sysfs(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+dev_rw_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
 dev_rw_generic_usb_dev(bluetooth_t)
 dev_read_urand(bluetooth_t)
 dev_rw_input_dev(bluetooth_t)
 dev_rw_wireless(bluetooth_t)
+dev_rw_uhid_dev(bluetooth_t)
 
 domain_use_interactive_fds(bluetooth_t)
 domain_dontaudit_search_all_domains_state(bluetooth_t)
 
 files_read_etc_runtime_files(bluetooth_t)
-files_read_usr_files(bluetooth_t)
 
 fs_getattr_all_fs(bluetooth_t)
 fs_search_auto_mountpoints(bluetooth_t)
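Review bot: `dev_read_sysfs` becomes `dev_rw_sysfs`, and `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` plus raw-socket send/receive are added, all without comments, so the file no longer records why bluetoothd needs to write under /sys or exchange packets on every port. The reference-policy habit is to note the trigger next to such widening, e.g. `# writes <sysfs attribute — fill in from denial>` above `dev_rw_sysfs`, and to prefer the specific `corenet_*_bind/connect_<port>` interfaces where the port is known. The relocated `corecmd_exec_bin`/`corecmd_exec_shell` lines now precede the kernel_* block, which departs from the kernel → corecmd → corenet → dev ordering the reference policy follows and the old placement respected.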
@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t)
 
 logging_send_syslog_msg(bluetooth_t)
 
-miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
 
@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
 
+# machine-info
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_dbus_chat_hostnamed(bluetooth_t)
+
 optional_policy(`
 	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
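Review bot: The two new `systemd_hostnamed_*` calls sit outside any `optional_policy` block while the `dbus_system_bus_client` call directly below is inside one, and elsewhere in this commit (`blkmapd_admin`, `boinc_admin`) systemd interfaces are wrapped in `optional_policy`. If systemd is treated as a base module in this tree the bare calls are fine, but then the wrapping in the admin interfaces is inconsistent; pick one convention. The `# machine-info` comment is too terse to be useful on its own; `# read hostnamed configuration and talk to it over dbus (presumably for /etc/machine-info — confirm)` would say what the pair is for.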
@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t)
 domain_read_all_domains_state(bluetooth_helper_t)
 
 files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
 files_dontaudit_list_default(bluetooth_helper_t)
 
 term_dontaudit_use_all_ttys(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
index 6d3ccad..bda740a 100644
--- a/boinc.fc
+++ b/boinc.fc
@@ -1,9 +1,12 @@
-/etc/rc\.d/init\.d/boinc-client	--	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 
-/usr/bin/boinc_client	--	gen_context(system_u:object_r:boinc_exec_t,s0)
+/etc/rc\.d/init\.d/boinc-client	-- 		gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 
-/var/lib/boinc(/.*)?	gen_context(system_u:object_r:boinc_var_lib_t,s0)
-/var/lib/boinc/projects(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-/var/lib/boinc/slots(/.*)?	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/usr/bin/boinc_client			--		gen_context(system_u:object_r:boinc_exec_t,s0)
 
-/var/log/boinc\.log.*	--	gen_context(system_u:object_r:boinc_log_t,s0)
+/usr/lib/systemd/system/boinc-client\.service        --  gen_context(system_u:object_r:boinc_unit_file_t,s0)
+
+/var/lib/boinc(/.*)?					gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)?			gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)?				gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.*				--		gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
index 02fefaa..308616e 100644
--- a/boinc.if
+++ b/boinc.if
@@ -1,9 +1,166 @@
-## <summary>Platform for computing using volunteered resources.</summary>
+## <summary>policy for boinc</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an boinc environment.
+##	Execute a domain transition to run boinc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`boinc_domtrans',`
+	gen_require(`
+		type boinc_t, boinc_exec_t;
+	')
+
+	domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+## <summary>
+##	Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_initrc_domtrans',`
+	gen_require(`
+		type boinc_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##  Dontaudit getattr on boinc lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`boinc_dontaudit_getattr_lib',`
+    gen_require(`
+        type boinc_var_lib_t;
+    ')
+
+    dontaudit $1 boinc_var_lib_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Search boinc lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_search_lib',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	allow $1 boinc_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read boinc lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_read_lib_files',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	boinc lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_manage_lib_files',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage boinc var_lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`boinc_manage_var_lib',`
+	gen_require(`
+		type boinc_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+	manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`boinc_systemctl',`
+    gen_require(`
+        type boinc_t;
+        type boinc_unit_file_t;
+    ')
+
+    systemd_exec_systemctl($1)
+	init_reload_services($1)
+    allow $1 boinc_unit_file_t:file read_file_perms;
+    allow $1 boinc_unit_file_t:service manage_service_perms;
+
+    ps_process_pattern($1, boinc_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an boinc environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
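Review bot: The file summary is downgraded from "Platform for computing using volunteered resources." to "policy for boinc", which tells a reader nothing the filename does not; keep the descriptive sentence. `boinc_domtrans` omits the `corecmd_search_bin($1)` that `blkmapd_domtrans` in this same commit places before its `domtrans_pattern`, so callers without bin-directory search may not reach boinc_exec_t; add it for consistency. `boinc_manage_lib_files` and `boinc_manage_var_lib` overlap almost entirely (the latter only adds dirs and symlinks), which invites divergence later, and `boinc_systemctl` carries a summary copied from the initrc interface that does not describe the systemctl access it grants. The `boinc_admin` header at the end of this hunk continues into the next one.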
@@ -19,26 +176,32 @@
 #
 interface(`boinc_admin',`
 	gen_require(`
-
-		type boinc_t, boinc_project_t, boinc_log_t;
-		type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
-		type boinc_project_var_lib_t, boinc_project_tmp_t;
+		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+		type boinc_unit_file_t;
 	')
 
-	allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { boinc_t boinc_project_t })
+	allow $1 boinc_t:process signal_perms;
+	ps_process_pattern($1, boinc_t)
 
-	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 boinc_t:process ptrace;
+	')
+
+	boinc_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 boinc_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	logging_search_logs($1)
-	admin_pattern($1, boinc_log_t)
+	files_list_var_lib($1)
+	admin_pattern($1, boinc_var_lib_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+	boinc_systemctl($1)
+	admin_pattern($1, boinc_unit_file_t)
 
-	files_search_var_lib($1)
-	admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+	allow $1 boinc_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
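Review bot: The rewritten `boinc_admin` no longer covers boinc_project_t, boinc_log_t, boinc_tmp_t, boinc_project_tmp_t or boinc_project_var_lib_t, so an administrator role loses the ability to signal project processes and to manage boinc's logs, temp files and project data that the old interface granted; the commit adds unit-file handling but does not replace any of that. If the narrowing is intentional it should be stated in the commit message; otherwise the removed `admin_pattern` calls (with their `logging_search_logs`/`files_search_tmp` companions) and the `{ boinc_t boinc_project_t }` process rules should be restored alongside the new systemctl lines. The `gen_require` would then also need the dropped types back.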
diff --git a/boinc.te b/boinc.te
index 687d4c4..f668033 100644
--- a/boinc.te
+++ b/boinc.te
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
 ## </desc>
 gen_tunable(boinc_execmem, true)
 
-type boinc_t;
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
 type boinc_exec_t;
 init_daemon_domain(boinc_t, boinc_exec_t)
 
@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
 type boinc_var_lib_t;
 files_type(boinc_var_lib_t)
 
-type boinc_project_var_lib_t;
-files_type(boinc_project_var_lib_t)
-
 type boinc_log_t;
 logging_log_file(boinc_log_t)
 
+type boinc_unit_file_t;
+systemd_unit_file(boinc_unit_file_t)
+
 type boinc_project_t;
 domain_type(boinc_project_t)
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
 role system_r types boinc_project_t;
 
 type boinc_project_tmp_t;
 files_tmp_file(boinc_project_tmp_t)
 
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+#######################################
+#
+# boinc domain local policy
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
+dev_rw_xserver_misc(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
+files_read_etc_runtime_files(boinc_domain)
+
+fs_getattr_all_fs(boinc_domain)
+
+miscfiles_read_fonts(boinc_domain)
+
+tunable_policy(`boinc_execmem',`
+    allow boinc_domain self:process { execstack execmem };
+')
+
+optional_policy(`
+	sysnet_dns_name_resolve(boinc_domain)
+')
+
 ########################################
 #
-# Local policy
+# boinc local policy
 #
 
 allow boinc_t self:process { setsched setpgid signull sigkill };
-allow boinc_t self:unix_stream_socket { accept listen };
-allow boinc_t self:tcp_socket { accept listen };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
 allow boinc_t self:shm create_shm_perms;
-allow boinc_t self:fifo_file rw_fifo_file_perms;
-allow boinc_t self:sem create_sem_perms;
 
 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
 manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
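Review bot: The new `boinc_domain` attribute has only one visible member, `boinc_t`; the unchanged `type boinc_project_t;` in this hunk is not added to it, so as far as this diff shows the shared "boinc domain local policy" block is boinc_t's policy under another name. If boinc_project_t is meant to share it (the attribute name and the sem/fifo/exec rules suggest so), change that line to `type boinc_project_t, boinc_domain;` and then drop from the project section, which is cut off at the end of this diff, the rules the attribute block already grants. If only boinc_t is intended, the attribute is unnecessary indirection and the block should simply be boinc_t rules.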
@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
 manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
 fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
 
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-
-# entry files to the boinc_project_t domain
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+# this should be created by default by boinc
+# we need this label for transition to boinc_project_t
+# other boinc lib files will end up with boinc_var_lib_t
 filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
 filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
 
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
-
-can_exec(boinc_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
 
+# needs read /proc/interrupts
 kernel_read_system_state(boinc_t)
+kernel_read_network_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+dev_rw_dri(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
 corenet_all_recvfrom_netlabel(boinc_t)
 corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
 corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
 corenet_tcp_bind_generic_node(boinc_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_t)
-corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
 corenet_tcp_bind_boinc_port(boinc_t)
-corenet_tcp_connect_boinc_port(boinc_t)
-corenet_tcp_sendrecv_boinc_port(boinc_t)
-
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
 corenet_tcp_bind_boinc_client_port(boinc_t)
-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
-
-corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
 corenet_tcp_connect_http_port(boinc_t)
-corenet_tcp_sendrecv_http_port(boinc_t)
-
-corenet_sendrecv_http_cache_client_packets(boinc_t)
 corenet_tcp_connect_http_cache_port(boinc_t)
-corenet_tcp_sendrecv_http_cache_port(boinc_t)
-
-corenet_sendrecv_squid_client_packets(boinc_t)
 corenet_tcp_connect_squid_port(boinc_t)
-corenet_tcp_sendrecv_squid_port(boinc_t)
-
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
 
 files_dontaudit_getattr_boot_dirs(boinc_t)
-files_getattr_all_dirs(boinc_t)
-files_getattr_all_files(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_etc_runtime_files(boinc_t)
-files_read_usr_files(boinc_t)
 
-fs_getattr_all_fs(boinc_t)
+auth_read_passwd(boinc_t)
 
 term_getattr_all_ptys(boinc_t)
 term_getattr_unallocated_ttys(boinc_t)
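Review bot: Log access for boinc_t widens from the append/create/setattr trio to `manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)`, which adds read, write (and so truncate), unlink and rename on its own log files; the previous shape is the reference-policy idiom for daemons that should not be able to rewrite their history. If the daemon needs more than append (for example it rotates the log itself), keep `manage_files_pattern` but add a comment saying which operation requires it; otherwise restore the three narrower rules. `logging_log_filetrans(boinc_t, boinc_log_t, { file })` also puts braces around a single class — `file` alone, as in the removed line, is the usual form. The removed `corenet_sendrecv_*_packets` rules are the labeled-packet companions of the bind/connect rules that remain; dropping them only matters on systems using SECMARK or netlabel, which may be intentional but deserves a word in the commit message.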
@@ -137,8 +152,9 @@ init_read_utmp(boinc_t)
 
 logging_send_syslog_msg(boinc_t)
 
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
+modutils_dontaudit_exec_insmod(boinc_t)
+
+xserver_stream_connect(boinc_t)
 
 tunable_policy(`boinc_execmem',`
 	allow boinc_t self:process { execstack execmem };
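Review bot: The `tunable_policy(`boinc_execmem',` block for boinc_t at the end of this hunk is now redundant: the same tunable grants `{ execstack execmem }` to `boinc_domain` earlier in this commit, and boinc_t is a member of that attribute, so the per-type copy can be deleted. `xserver_stream_connect(boinc_t)` is called bare while `mta_send_mail(boinc_t)` just below is wrapped in `optional_policy`; xserver is an optional module like mta, so the new call should be wrapped the same way or the build can fail when that module is absent (`modutils_dontaudit_exec_insmod` is normally a base-module interface and can stay bare if this tree builds modutils unconditionally). The tunable block's closing `')` lies outside this hunk.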
@@ -148,48 +164,61 @@ optional_policy(`
 	mta_send_mail(boinc_t)
 ')
 
-optional_policy(`
-	sysnet_dns_name_resolve(boinc_t)
-')
-
 ########################################
 #
-# Project local policy
+# boinc-projects local policy
 #
 
 allow boinc_project_t self:capability { setuid setgid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+allow boinc_t boinc_project_t:process noatsecure;
+
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
+tunable_policy(`deny_ptrace',`',`
+	allow boinc_project_t self:process ptrace;
+')
+
+allow boinc_project_t self:process { execstack };
 
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
 
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
 
 allow boinc_project_t boinc_project_var_lib_t:file execmod;
-can_exec(boinc_project_t, boinc_project_var_lib_t)
 
 allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
 
 kernel_read_kernel_sysctls(boinc_project_t)
-kernel_read_network_state(boinc_project_t)
 kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
 
-corenet_all_recvfrom_unlabeled(boinc_project_t)
-corenet_all_recvfrom_netlabel(boinc_project_t)
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
-corenet_tcp_bind_generic_node(boinc_project_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
 corenet_tcp_connect_boinc_port(boinc_project_t)
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
 
 files_dontaudit_search_home(boinc_project_t)
 
+# needed by java
+fs_read_hugetlbfs_files(boinc_project_t)
+
+optional_policy(`
+	gnome_read_gconf_config(boinc_project_t)	
+')
+
 optional_policy(`
 	java_exec(boinc_project_t)
 ')
+
+# until solution for VirtualBox, java ..
+optional_policy(`
+	unconfined_domain(boinc_project_t)
+')
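Review bot: `unconfined_domain(boinc_project_t)` at the end of the hunk gives the domain that executes downloaded project code (entrypoint on boinc_project_var_lib_t, `execmod`, `execstack`) unconfined access whenever the unconfined module is loaded, which overrides the `deny_ptrace` tunable and every rule above it. `unconfined_domain` attaches attributes, so it cannot be gated by a boolean; the comment should at least record the concrete denials that motivate it so the rule can be retired, e.g. `# TODO: unconfined until <denials seen for VirtualBox/java> are covered by explicit rules`. Separately, the removed self:process rule carried `execmem` next to `execstack`; if project binaries still need an executable stack, the new `allow boinc_project_t self:process { execstack };` likely needs `execmem` as well (confirm against the denials before adding it). The `gnome_read_gconf_config(boinc_project_t)` line also carries trailing whitespace.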
diff --git a/brctl.te b/brctl.te
index c5a9113..1919abd 100644
--- a/brctl.te
+++ b/brctl.te
@@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms;
 allow brctl_t self:tcp_socket create_socket_perms;
 
 kernel_request_load_module(brctl_t)
+kernel_read_system_state(brctl_t)
 kernel_read_network_state(brctl_t)
 kernel_read_sysctl(brctl_t)
 
@@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t)
 
 domain_use_interactive_fds(brctl_t)
 
-files_read_etc_files(brctl_t)
-
 term_dontaudit_use_console(brctl_t)
 
-miscfiles_read_localization(brctl_t)
-
 optional_policy(`
 	xen_append_log(brctl_t)
 	xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/brltty.fc b/brltty.fc
new file mode 100644
index 0000000..05e3528
--- /dev/null
+++ b/brltty.fc
@@ -0,0 +1,10 @@
+/tmp/brltty\.log.*	 			--	gen_context(system_u:object_r:brltty_log_t,s0)
+
+/usr/lib/systemd/system/brltty.*		--	gen_context(system_u:object_r:brltty_unit_file_t,s0)
+
+/usr/bin/brltty		--	gen_context(system_u:object_r:brltty_exec_t,s0)
+
+/var/lib/BrlAPI(/.*)?		gen_context(system_u:object_r:brltty_var_lib_t,s0)
+
+/var/run/brltty(/.*)?		gen_context(system_u:object_r:brltty_var_run_t,s0)
+
diff --git a/brltty.if b/brltty.if
new file mode 100644
index 0000000..968c957
--- /dev/null
+++ b/brltty.if
@@ -0,0 +1,80 @@
+
+## <summary>brltty is refreshable braille display driver for Linux/Unix</summary>
+
+########################################
+## <summary>
+##	Execute brltty in the brltty domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brltty_domtrans',`
+	gen_require(`
+		type brltty_t, brltty_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, brltty_exec_t, brltty_t)
+')
+########################################
+## <summary>
+##	Execute brltty server in the brltty domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`brltty_systemctl',`
+	gen_require(`
+		type brltty_t;
+		type brltty_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 brltty_unit_file_t:file read_file_perms;
+	allow $1 brltty_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, brltty_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an brltty environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`brltty_admin',`
+	gen_require(`
+		type brltty_t;
+	type brltty_unit_file_t;
+	')
+
+	allow $1 brltty_t:process { signal_perms };
+	ps_process_pattern($1, brltty_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 brltty_t:process ptrace;
+    ')
+
+	brltty_systemctl($1)
+	admin_pattern($1, brltty_unit_file_t)
+	allow $1 brltty_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
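Review bot: `brltty_admin` grants process and unit-file administration but no `admin_pattern` for brltty_log_t, brltty_var_lib_t or brltty_var_run_t, so an admin domain still cannot manage the daemon's own files; `bumblebee_admin` in the same commit does include `admin_pattern($1, bumblebee_var_run_t)`. The `brltty_systemctl` summary says "Execute brltty server in the brltty domain" but the interface grants systemctl control over the unit rather than a domain transition; `##	Allow a domain to start, stop and query brltty via systemctl.` would describe it. Indentation is mixed: the `systemd_read_fifo_file_passwd_run($1)` line in `brltty_systemctl`, the second `type` line of the `brltty_admin` gen_require and its `tunable_policy` block use spaces where the file uses tabs, and the same appears in the bumblebee.if `bumblebee_systemctl`/`bumblebee_admin` interfaces and in the ccs.if hunk. "domin" in the `brltty_domtrans` summary (and in `bumblebee_domtrans`) should be "domain".
```selinux
interface(`brltty_admin',`
	gen_require(`
		type brltty_t, brltty_unit_file_t;
		type brltty_log_t, brltty_var_lib_t, brltty_var_run_t;
	')

	# … unchanged: signal_perms, ps_process_pattern, deny_ptrace tunable …

	files_search_tmp($1)
	admin_pattern($1, brltty_log_t)

	files_search_var_lib($1)
	admin_pattern($1, brltty_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, brltty_var_run_t)

	# … unchanged: brltty_systemctl, unit-file admin, passwd agent block …
```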
diff --git a/brltty.te b/brltty.te
new file mode 100644
index 0000000..c167267
--- /dev/null
+++ b/brltty.te
@@ -0,0 +1,70 @@
+policy_module(brltty, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type brltty_t;
+type brltty_exec_t;
+init_daemon_domain(brltty_t, brltty_exec_t)
+
+type brltty_var_lib_t;
+files_type(brltty_var_lib_t)
+
+type brltty_var_run_t;
+files_pid_file(brltty_var_run_t)
+
+type brltty_log_t;
+logging_log_file(brltty_log_t)
+
+type brltty_unit_file_t;
+systemd_unit_file(brltty_unit_file_t)
+
+########################################
+#
+# brltty local policy
+#
+allow brltty_t self:capability { sys_admin  sys_tty_config mknod };
+allow brltty_t self:process { fork signal_perms };
+
+allow brltty_t self:fifo_file rw_fifo_file_perms;
+allow brltty_t self:unix_stream_socket create_stream_socket_perms;
+allow brltty_t self:tcp_socket listen;
+
+manage_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+manage_sock_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+manage_lnk_files_pattern(brltty_t, brltty_log_t, brltty_log_t)
+files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })
+
+manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t)
+manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)
+files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir})
+
+manage_dirs_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+manage_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+manage_chr_files_pattern(brltty_t, brltty_var_run_t, brltty_var_run_t)
+files_pid_filetrans(brltty_t, brltty_var_run_t, { dir file chr_file })
+allow brltty_t brltty_var_run_t:dir mounton;
+
+kernel_read_system_state(brltty_t)
+kernel_read_usermodehelper_state(brltty_t)
+
+auth_use_nsswitch(brltty_t)
+
+corenet_tcp_bind_brlp_port(brltty_t)
+
+dev_read_sysfs(brltty_t)
+dev_rw_generic_usb_dev(brltty_t)
+dev_rw_input_dev(brltty_t)
+
+fs_getattr_all_fs(brltty_t)
+
+logging_send_syslog_msg(brltty_t)
+
+modutils_domtrans_insmod(brltty_t)
+
+sysnet_dns_name_resolve(brltty_t)
+
+term_use_unallocated_ttys(brltty_t)
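Review bot: `allow brltty_t self:capability { sys_admin  sys_tty_config mknod };` grants sys_admin and mknod with no comment saying which operation needs them; together with `manage_chr_files_pattern` on brltty_var_run_t and `allow brltty_t brltty_var_run_t:dir mounton;` this is a wide grant for a braille driver, so each should carry a why-comment (e.g. `# sys_admin/mknod: <operation from the observed denial>`) or be reduced if it came from a probe that only deserves a dontaudit. `allow brltty_t self:tcp_socket listen;` permits listening but not `accept`, and nothing else in this file visibly grants create/bind/accept on tcp_socket (`sysnet_dns_name_resolve` may cover create and bind, but not accept), so the BrlAPI listener bound via `corenet_tcp_bind_brlp_port` would be denied at accept; `allow brltty_t self:tcp_socket create_stream_socket_perms;` covers the server socket. Logging through `files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })` puts the log in the world-writable /tmp; a pre-existing `/tmp/brltty.log` keeps its creator's label and is then denied, which is the intended protection but is worth a comment so it is not reported as a policy bug. `manage_sock_files_pattern(brltty_t,brltty_var_lib_t, ...)` is missing the space after the comma.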
diff --git a/bugzilla.fc b/bugzilla.fc
index fce0b6e..9efceac 100644
--- a/bugzilla.fc
+++ b/bugzilla.fc
@@ -1,4 +1,4 @@
-/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/usr/share/bugzilla(/.*)?		gen_context(system_u:object_r:bugzilla_content_t,s0)
+/usr/share/bugzilla/.*\.cgi	--	gen_context(system_u:object_r:bugzilla_script_exec_t,s0)
 
-/var/lib/bugzilla(/.*)?	gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+/var/lib/bugzilla(/.*)?	gen_context(system_u:object_r:bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262..d9ea246 100644
--- a/bugzilla.if
+++ b/bugzilla.if
@@ -12,10 +12,10 @@
 #
 interface(`bugzilla_search_content',`
 	gen_require(`
-		type httpd_bugzilla_content_t;
+		type bugzilla_content_t;
 	')
 
-	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+	allow $1 bugzilla_content_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',`
 #
 interface(`bugzilla_dontaudit_rw_stream_sockets',`
 	gen_require(`
-		type httpd_bugzilla_script_t;
+		type bugzilla_script_t;
 	')
 
-	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+	dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
 ')
 
 ########################################
@@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
 interface(`bugzilla_admin',`
 	gen_require(`
-		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
-		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-		type httpd_bugzilla_htaccess_t;
+		type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
+		type bugzilla_rw_content_t, bugzilla_script_exec_t;
+		type bugzilla_htaccess_t, bugzilla_tmp_t;
+	')
+
+	allow $1 bugzilla_script_t:process signal_perms;
+	ps_process_pattern($1, bugzilla_script_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 bugzilla_script_t:process ptrace;
 	')
 
-	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
-	ps_process_pattern($1, httpd_bugzilla_script_t)
+	files_list_tmp($1)
+	admin_pattern($1, bugzilla_tmp_t)
 
-	files_search_usr($1)
-	admin_pattern($1, httpd_bugzilla_script_exec_t)
-	admin_pattern($1, httpd_bugzilla_script_t)
-	admin_pattern($1, httpd_bugzilla_content_t)
-	admin_pattern($1, httpd_bugzilla_htaccess_t)
-	admin_pattern($1, httpd_bugzilla_ra_content_t)
+	files_list_var_lib(bugzilla_script_t)
+
+	admin_pattern($1, bugzilla_script_exec_t)
+	admin_pattern($1, bugzilla_script_t)
+	admin_pattern($1, bugzilla_content_t)
+	admin_pattern($1, bugzilla_htaccess_t)
+	admin_pattern($1, bugzilla_ra_content_t)
 
 	files_search_tmp($1)
 	files_search_var_lib($1)
-	admin_pattern($1, httpd_bugzilla_rw_content_t)
+	admin_pattern($1, bugzilla_rw_content_t)
 
-	apache_list_sys_content($1)
+	optional_policy(`
+		apache_list_sys_content($1)
+	')
 ')
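Review bot: `files_list_var_lib(bugzilla_script_t)` inside `bugzilla_admin` applies to the script domain, not to the `$1` being administered, so the script domain's access would depend on whether any role instantiates the admin interface; it should read `files_list_var_lib($1)` (bugzilla.te already grants the script domain `files_search_var_lib` in this same commit). The rest of the rewrite (deny_ptrace tunable, tmp admin, optional apache call) follows the pattern used by the other admin interfaces here.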
diff --git a/bugzilla.te b/bugzilla.te
index 18623e3..c62f617 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0)
 #
 
 apache_content_template(bugzilla)
+apache_content_alias_template(bugzilla, bugzilla)
+
+type bugzilla_tmp_t alias httpd_bugzilla_tmp_t;
+files_tmp_file(bugzilla_tmp_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
+allow bugzilla_script_t self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_netlabel(bugzilla_script_t)
+corenet_tcp_sendrecv_generic_if(bugzilla_script_t)
+corenet_tcp_sendrecv_generic_node(bugzilla_script_t)
+
+corenet_sendrecv_http_client_packets(bugzilla_script_t)
+corenet_tcp_connect_http_port(bugzilla_script_t)
+corenet_tcp_sendrecv_http_port(bugzilla_script_t)
+
+corenet_sendrecv_smtp_client_packets(bugzilla_script_t)
+corenet_tcp_connect_smtp_port(bugzilla_script_t)
+corenet_tcp_sendrecv_smtp_port(bugzilla_script_t)
+
+manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
+manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t)
+files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir })
 
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
-corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+files_search_var_lib(bugzilla_script_t)
 
-corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t)
-corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t)
+auth_read_passwd(bugzilla_script_t)
 
-corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
-corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
-corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+dev_read_sysfs(bugzilla_script_t)
 
-files_search_var_lib(httpd_bugzilla_script_t)
+sysnet_read_config(bugzilla_script_t)
+sysnet_use_ldap(bugzilla_script_t)
 
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
-sysnet_use_ldap(httpd_bugzilla_script_t)
+miscfiles_read_certs(bugzilla_script_t)
 
 optional_policy(`
-	mta_send_mail(httpd_bugzilla_script_t)
+	mta_send_mail(bugzilla_script_t)
 ')
 
 optional_policy(`
-	mysql_stream_connect(httpd_bugzilla_script_t)
-	mysql_tcp_connect(httpd_bugzilla_script_t)
+	mysql_stream_connect(bugzilla_script_t)
+	mysql_tcp_connect(bugzilla_script_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(httpd_bugzilla_script_t)
-	postgresql_tcp_connect(httpd_bugzilla_script_t)
+	postgresql_stream_connect(bugzilla_script_t)
+	postgresql_tcp_connect(bugzilla_script_t)
 ')
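Review bot: `sysnet_dns_name_resolve(bugzilla_script_t)` is replaced by `sysnet_read_config(bugzilla_script_t)`, yet the domain still connects to the http and smtp ports, which are presumably reached by hostname; if so, name lookups will now be denied unless `auth_use_nsswitch(bugzilla_script_t)` (used for other domains in this commit) or the original call is kept. The types are renamed from httpd_bugzilla_* to bugzilla_* and a new bugzilla_tmp_t is declared while the header context still reads `policy_module(bugzilla, 1.1.0)`; a version bump records the interface change for consumers relying on the aliases.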
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
index 0000000..b5ee23b
--- /dev/null
+++ b/bumblebee.fc
@@ -0,0 +1,7 @@
+/etc/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/lib/systemd/system/bumblebeed.*		--	gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/sbin/bumblebeed		--	gen_context(system_u:object_r:bumblebee_exec_t,s0)
+
+/var/run/bumblebee.*			gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
index 0000000..2d2e60c
--- /dev/null
+++ b/bumblebee.if
@@ -0,0 +1,122 @@
+## <summary>policy for bumblebee</summary>
+
+########################################
+## <summary>
+##	Execute bumblebee in the bumblebee domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bumblebee_domtrans',`
+	gen_require(`
+		type bumblebee_t, bumblebee_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	Read bumblebee PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_read_pid_files',`
+	gen_require(`
+		type bumblebee_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute bumblebee server in the bumblebee domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_systemctl',`
+	gen_require(`
+		type bumblebee_t;
+		type bumblebee_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 bumblebee_unit_file_t:file read_file_perms;
+	allow $1 bumblebee_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	Connect to bumblebee over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bumblebee_stream_connect',`
+	gen_require(`
+		type bumblebee_t, bumblebee_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an bumblebee environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bumblebee_admin',`
+	gen_require(`
+		type bumblebee_t;
+		type bumblebee_var_run_t;
+		type bumblebee_unit_file_t;
+	')
+
+	allow $1 bumblebee_t:process { signal_perms };
+	ps_process_pattern($1, bumblebee_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 bumblebee_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, bumblebee_var_run_t)
+
+	bumblebee_systemctl($1)
+	admin_pattern($1, bumblebee_unit_file_t)
+	allow $1 bumblebee_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
index 0000000..9aee6f3
--- /dev/null
+++ b/bumblebee.te
@@ -0,0 +1,63 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bumblebee_t;
+type bumblebee_exec_t;
+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
+
+type bumblebee_var_run_t;
+files_pid_file(bumblebee_var_run_t)
+
+type bumblebee_unit_file_t;
+systemd_unit_file(bumblebee_unit_file_t)
+
+########################################
+#
+# bumblebee local policy
+#
+
+allow bumblebee_t self:capability { setgid };
+allow bumblebee_t self:process { fork signal_perms };
+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
+allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(bumblebee_t)
+kernel_read_network_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
+kernel_dontaudit_write_proc_files(bumblebee_t)
+kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
+corecmd_exec_bin(bumblebee_t)
+
+dev_read_sysfs(bumblebee_t)
+
+auth_use_nsswitch(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
+modutils_signal_insmod(bumblebee_t)
+
+sysnet_dns_name_resolve(bumblebee_t)
+
+xserver_domtrans(bumblebee_t)
+xserver_kill(bumblebee_t)
+xserver_signal(bumblebee_t)
+xserver_stream_connect(bumblebee_t)
+xserver_manage_xkb_libs(bumblebee_t)
+corenet_tcp_connect_xserver_port(bumblebee_t)
+
+optional_policy(`
+    apm_stream_connect(bumblebee_t)
+')
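Review bot: `kernel_manage_debugfs(bumblebee_t)` lets the daemon create and delete entries under debugfs, not just write a control file, and nothing in the file records which node bumblebeed needs; add a why-comment (e.g. `# debugfs: <path written by bumblebeed>`) and check whether a read/write-only interface is enough. `corecmd_exec_shell`/`corecmd_exec_bin` combined with `modutils_domtrans_insmod`, `xserver_domtrans` and `xserver_kill` make this daemon a privileged helper that can load modules, spawn and kill an X server and run arbitrary binaries, so each of those calls deserves a one-line reason in the file. The `apm_stream_connect` optional_policy block is indented with spaces where the rest of the file uses tabs.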
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
--- a/cachefilesd.fc
+++ b/cachefilesd.fc
@@ -1,9 +1,34 @@
-/etc/rc\.d/init\.d/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_dev_t,s0)
 
 /sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
 
 /usr/sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
 
-/var/cache/fscache(/.*)?	gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+/var/cache/fscache(/.*)?	gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/fscache(/.*)?		gen_context(system_u:object_r:cachefiles_var_t,s0)
 
-/var/run/cachefilesd\.pid	--	gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+/var/run/cachefilesd\.pid --	gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
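Review bot: The new `/dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_dev_t,s0)` entry labels a device node that the removed `dev_rw_cachefiles(cachefilesd_t)` call in cachefilesd.te (same commit) previously handled through a type supplied by the base devices module; if the base policy still carries its own file context for `/dev/cachefiles`, the two specs conflict and the effective label depends on which is applied last. Either keep the base interface or confirm the base entry is gone before declaring `cachefiles_dev_t` in the module. The `/var/run/cachefilesd\.pid --` line also lost its tab alignment relative to the other entries.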
diff --git a/cachefilesd.if b/cachefilesd.if
index 8de2ab9..3b41945 100644
--- a/cachefilesd.if
+++ b/cachefilesd.if
@@ -1,39 +1,35 @@
-## <summary>CacheFiles user-space management daemon.</summary>
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## <summary>policy for cachefilesd</summary>
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an cachefilesd environment.
+##	Execute a domain transition to run cachefilesd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
 #
-interface(`cachefilesd_admin',`
+interface(`cachefilesd_domtrans',`
 	gen_require(`
-		type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
-		type cachefilesd_var_run_t;
+		type cachefilesd_t, cachefilesd_exec_t;
 	')
 
-	allow $1 cachefilesd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, cachefilesd_t)
-
-	init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 cachefilesd_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	files_search_var($1)
-	admin_pattern($1, cachefilesd_cache_t)
-
-	files_search_pids($1)
-	admin_pattern($1, cachefilesd_var_run_t)
+	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
 ')
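Review bot: `cachefilesd_admin` is removed rather than updated, so any role or module that calls it fails to build; the other admin interfaces in this commit show the expected shape (signal_perms, `ps_process_pattern`, the `deny_ptrace` tunable, `admin_pattern` on the new `cachefiles_var_t` and `cachefilesd_var_run_t`). The new `cachefilesd_domtrans` lacks the `corecmd_search_bin($1)` that `brltty_domtrans` and `bumblebee_domtrans` include before `domtrans_pattern`; add `corecmd_search_bin($1)` above the `domtrans_pattern` line.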
diff --git a/cachefilesd.te b/cachefilesd.te
index a3760bc..660e5d3 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,125 @@
 policy_module(cachefilesd, 1.1.0)
 
-########################################
+###############################################################################
 #
 # Declarations
 #
 
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
 type cachefilesd_t;
 type cachefilesd_exec_t;
 init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
 
-type cachefilesd_initrc_exec_t;
-init_script_file(cachefilesd_initrc_exec_t)
-
-type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
-
+#
+# The cachefilesd daemon pid file context
+#
 type cachefilesd_var_run_t;
 files_pid_file(cachefilesd_var_run_t)
 
-########################################
 #
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
 #
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+	rpm_use_script_fds(cachefilesd_t)
+')
 
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do.  This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache.  It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
 allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+allow cachefilesd_t self:process signal_perms;
 
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
 manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
 files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
 
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
-dev_rw_cachefiles(cachefilesd_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
 
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
 
+# Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
 
+# Basic access
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
 term_dontaudit_use_generic_ptys(cachefilesd_t)
 term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
 
-logging_send_syslog_msg(cachefilesd_t)
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+#   (1) the security context used by the module to access files in the cache,
+#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
 
-miscfiles_read_localization(cachefilesd_t)
+#
+#   (2) the label that will be assigned to new files and directories created in
+#       the cache by the module, which will be the same as the label on the
+#       directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
 
-init_dontaudit_use_script_ptys(cachefilesd_t)
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
 
-optional_policy(`
-	rpm_use_script_fds(cachefilesd_t)
-')
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
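Review bot: `cachefilesd_cache_t` is deleted without a `typealias cachefiles_var_t alias cachefilesd_cache_t;`, so existing caches labeled with the old type lose a valid label on policy load until relabeled; the same alias technique (`type ... alias ...`) is used for bugzilla_tmp_t elsewhere in this commit. The `optional_policy` block for `rpm_use_script_fds` now sits in the Declarations section ahead of the "cachefilesd local policy" header; it belongs with the other cachefilesd_t rules. `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` is redundant with the `manage_files_pattern` on the following line. The `use_as_override` and `create_files_as` rules are well documented; a comment on `domain_obj_id_change_exemption(cachefiles_kernel_t)` explaining why the module domain needs the exemption would complete the picture.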
diff --git a/calamaris.if b/calamaris.if
index cd9c528..ba793b7 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
 		attribute_role calamaris_roles;
 	')
 
-	lightsquid_domtrans($1)
+	calamaris_domtrans($1)
 	roleattribute $2 calamaris_roles;
 ')
 
diff --git a/calamaris.te b/calamaris.te
index 7e57460..b0cf254 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
 
 corecmd_exec_bin(calamaris_t)
 
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
 dev_read_urand(calamaris_t)
 
-files_read_usr_files(calamaris_t)
+files_search_pids(calamaris_t)
 files_read_etc_runtime_files(calamaris_t)
 
-libs_read_lib_files(calamaris_t)
-
 auth_use_nsswitch(calamaris_t)
 
 logging_send_syslog_msg(calamaris_t)
 
-miscfiles_read_localization(calamaris_t)
-
 userdom_dontaudit_list_user_home_dirs(calamaris_t)
 
 optional_policy(`
diff --git a/callweaver.te b/callweaver.te
index 0e5be4c..b9a407f 100644
--- a/callweaver.te
+++ b/callweaver.te
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
 
 auth_use_nsswitch(callweaver_t)
 
-miscfiles_read_localization(callweaver_t)
diff --git a/canna.if b/canna.if
index 400db07..f416e22 100644
--- a/canna.if
+++ b/canna.if
@@ -43,9 +43,13 @@ interface(`canna_admin',`
 		type canna_var_run_t, canna_initrc_exec_t;
 	')
 
-	allow $1 canna_t:process { ptrace signal_perms };
+	allow $1 canna_t:process signal_perms;
 	ps_process_pattern($1, canna_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 canna_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, canna_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
index 9fe6162..5c505e7 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
 kernel_read_kernel_sysctls(canna_t)
 kernel_read_system_state(canna_t)
 
-corenet_all_recvfrom_unlabeled(canna_t)
 corenet_all_recvfrom_netlabel(canna_t)
 corenet_tcp_sendrecv_generic_if(canna_t)
 corenet_tcp_sendrecv_generic_node(canna_t)
@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t)
 
 domain_use_interactive_fds(canna_t)
 
-files_read_etc_files(canna_t)
 files_read_etc_runtime_files(canna_t)
-files_read_usr_files(canna_t)
 files_search_tmp(canna_t)
 files_dontaudit_read_root_files(canna_t)
 
-logging_send_syslog_msg(canna_t)
+auth_use_nsswitch(canna_t)
 
-miscfiles_read_localization(canna_t)
+logging_send_syslog_msg(canna_t)
 
 sysnet_read_config(canna_t)
 
diff --git a/ccs.if b/ccs.if
index 5ded72d..cb94e5e 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
 interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t_t, ccs_var_log_t;
+		type ccs_var_lib_t, ccs_var_log_t;
 		type ccs_var_run_t, ccs_tmp_t;
 	')
 
-	allow $1 ccs_t:process { ptrace signal_perms };
+	allow $1 ccs_t:process { signal_perms };
 	ps_process_pattern($1, ccs_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ccs_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, ccs_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 ccs_initrc_exec_t system_r;
 	allow $2 system_r;
 
 	files_search_etc($1)
-	admin_pattern($1, ccs_conf_t)
+	admin_pattern($1, cluster_conf_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
index 658134d..58deece 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
 
 allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
 allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
+
 allow ccs_t self:fifo_file rw_fifo_file_perms;
 allow ccs_t self:unix_stream_socket { accept connectto listen };
 allow ccs_t self:tcp_socket { accept listen };
@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
 corecmd_list_bin(ccs_t)
 corecmd_exec_bin(ccs_t)
 
-corenet_all_recvfrom_unlabeled(ccs_t)
 corenet_all_recvfrom_netlabel(ccs_t)
 corenet_tcp_sendrecv_generic_if(ccs_t)
 corenet_udp_sendrecv_generic_if(ccs_t)
@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
 
 dev_read_urand(ccs_t)
 
-files_read_etc_files(ccs_t)
 files_read_etc_runtime_files(ccs_t)
 
 init_rw_script_tmp_files(ccs_t)
+init_signal(ccs_t)
 
 logging_send_syslog_msg(ccs_t)
 
-miscfiles_read_localization(ccs_t)
-
 sysnet_dns_name_resolve(ccs_t)
 
 userdom_manage_unpriv_user_shared_mem(ccs_t)
@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
-	aisexec_stream_connect(ccs_t)
-	corosync_stream_connect(ccs_t)
+	rhcs_stream_connect_cluster(ccs_t)
 ')
 
 optional_policy(`
diff --git a/cdrecord.if b/cdrecord.if
index fbc20f6..4de4a00 100644
--- a/cdrecord.if
+++ b/cdrecord.if
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
 
 	allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
 
-	allow $2 cdrecord_t:process { ptrace signal_perms };
+	allow $2 cdrecord_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 cdrecord_t:process ptrace;
+	')
 	ps_process_pattern($2, cdrecord_t)
 ')
diff --git a/cdrecord.te b/cdrecord.te
index 16883c9..0f4ccb0 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
 domain_interactive_fd(cdrecord_t)
 domain_use_interactive_fds(cdrecord_t)
 
-files_read_etc_files(cdrecord_t)
-
 term_use_controlling_term(cdrecord_t)
 term_list_ptys(cdrecord_t)
 
@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
 
 logging_send_syslog_msg(cdrecord_t)
 
-miscfiles_read_localization(cdrecord_t)
-
-userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
 
 tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
 	fs_list_auto_mountpoints(cdrecord_t)
@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
 	userdom_dontaudit_read_user_home_content_files(cdrecord_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs',`
-	files_search_mnt(cdrecord_t)
-	fs_read_nfs_files(cdrecord_t)
-	fs_read_nfs_symlinks(cdrecord_t)
-')
+userdom_home_manager(cdrecord_t)
 
 optional_policy(`
 	resmgr_stream_connect(cdrecord_t)
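Review bot: `userdom_home_manager(cdrecord_t)` replaces rules that granted only read access to NFS home content, and only under use_nfs_home_dirs; the replacement is unconditional, and if userdom_home_manager attaches the home_manager_type attribute with its usual manage permissions on NFS/CIFS/fusefs home content, cdrecord gains far more than the read access the old block gave. Home-content access in this file is otherwise gated by the cdrecord_read_content tunable (the block that closes at the top of this hunk), so the call would fit better inside that block, or a read-only interface should be used instead. Confirm what userdom_home_manager expands to in userdomain.if before merging. The optional_policy block at the end of this hunk continues past it.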
diff --git a/certmaster.if b/certmaster.if
index 0c53b18..ef29f6e 100644
--- a/certmaster.if
+++ b/certmaster.if
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
 interface(`certmaster_admin',`
 	gen_require(`
 		type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
-		type certmaster_etc_rw_t, certmaster_var_log_t;
-		type certmaster_initrc_exec_t;
+		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
 	')
 
-	allow $1 certmaster_t:process { ptrace signal_perms };
+	allow $1 certmaster_t:process signal_perms;
 	ps_process_pattern($1, certmaster_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 certmaster_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
index 4a87873..113f3b3 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
 dev_read_urand(certmaster_t)
 
 files_list_var(certmaster_t)
-files_search_etc(certmaster_t)
-files_read_usr_files(certmaster_t)
 
 auth_use_nsswitch(certmaster_t)
 
-miscfiles_read_localization(certmaster_t)
 miscfiles_manage_generic_cert_dirs(certmaster_t)
 miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
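Review bot: `mta_send_mail(certmaster_t)` is added as a bare rule, while the same commit wraps the identical call in certwatch.te inside `optional_policy(`...`)`; if mta is treated as an optional module, as the certwatch change assumes, the bare call breaks the build when that module is absent. Wrap it the same way: `optional_policy(`` / `	mta_send_mail(certmaster_t)` / `')`.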
diff --git a/certmonger.fc b/certmonger.fc
index ed298d8..cd8eb4d 100644
--- a/certmonger.fc
+++ b/certmonger.fc
@@ -2,6 +2,8 @@
 
 /usr/sbin/certmonger	--	gen_context(system_u:object_r:certmonger_exec_t,s0)
 
+/usr/lib/ipa/certmonger(/.*)?		gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+
 /var/lib/certmonger(/.*)?	gen_context(system_u:object_r:certmonger_var_lib_t,s0)
 
 /var/run/certmonger.*	gen_context(system_u:object_r:certmonger_var_run_t,s0)
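Review bot: The new pattern `/usr/lib/ipa/certmonger(/.*)?` carries no `--` qualifier, so the directory itself and every object beneath it receive certmonger_unconfined_exec_t, the entrypoint type that the new certmonger_unconfined_t section in certmonger.te transitions into an unconfined domain. Limiting the label to the regular files that are meant to be entrypoints, e.g. `/usr/lib/ipa/certmonger/.*	--	gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)`, keeps the unconfined transition confined to those files and leaves the directory at its default label. The `:dir search_dir_perms` rule in certmonger.te suggests the directory label may have been deliberate; if so, a comment on the .fc line explaining why would help.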
diff --git a/certmonger.if b/certmonger.if
index 008f8ef..144c074 100644
--- a/certmonger.if
+++ b/certmonger.if
@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
 	')
 
 	ps_process_pattern($1, certmonger_t)
-	allow $1 certmonger_t:process { ptrace signal_perms };
+	allow $1 certmonger_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 certmonger_t:process ptrace;
+	')
 
 	certmonger_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 certmonger_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, certmonger_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, certmonger_var_run_t)
 ')
diff --git a/certmonger.te b/certmonger.te
index 550b287..943af3b 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
 type certmonger_var_run_t;
 files_pid_file(certmonger_var_run_t)
 
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
 ########################################
 #
 # Local policy
@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
 allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
 dontaudit certmonger_t self:capability sys_tty_config;
 allow certmonger_t self:capability2 block_suspend;
+
 allow certmonger_t self:process { getsched setsched sigkill signal };
-allow certmonger_t self:fifo_file rw_fifo_file_perms;
-allow certmonger_t self:unix_stream_socket { accept listen };
-allow certmonger_t self:tcp_socket { accept listen };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
 manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(certmonger_t)
 kernel_read_system_state(certmonger_t)
+kernel_read_network_state(certmonger_t)
 
 corenet_all_recvfrom_unlabeled(certmonger_t)
 corenet_all_recvfrom_netlabel(certmonger_t)
@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
 
 corenet_sendrecv_certmaster_client_packets(certmonger_t)
 corenet_tcp_connect_certmaster_port(certmonger_t)
+
+corenet_tcp_connect_http_port(certmonger_t)
+corenet_tcp_connect_http_cache_port(certmonger_t)
+
+corenet_tcp_connect_ldap_port(certmonger_t)
+
+corenet_tcp_connect_pki_ca_port(certmonger_t)
 corenet_tcp_sendrecv_certmaster_port(certmonger_t)
 
 corecmd_exec_bin(certmonger_t)
 corecmd_exec_shell(certmonger_t)
 
+dev_read_rand(certmonger_t)
 dev_read_urand(certmonger_t)
 
 domain_use_interactive_fds(certmonger_t)
 
-files_read_usr_files(certmonger_t)
 files_list_tmp(certmonger_t)
+files_list_home(certmonger_t)
 
 fs_search_cgroup_dirs(certmonger_t)
 
@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t)
 
 init_getattr_all_script_files(certmonger_t)
 
+libs_exec_ldconfig(certmonger_t)
+
 logging_send_syslog_msg(certmonger_t)
 
-miscfiles_read_localization(certmonger_t)
-miscfiles_manage_generic_cert_files(certmonger_t)
+miscfiles_manage_all_certs(certmonger_t)
+
+systemd_exec_systemctl(certmonger_t)
 
 userdom_search_user_home_content(certmonger_t)
 
 optional_policy(`
-	apache_initrc_domtrans(certmonger_t)
 	apache_search_config(certmonger_t)
 	apache_signal(certmonger_t)
 	apache_signull(certmonger_t)
+	apache_systemctl(certmonger_t)
 ')
 
 optional_policy(`
@@ -92,11 +109,58 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_read_keytab(certmonger_t)
+	dirsrv_manage_config(certmonger_t)
+	dirsrv_signal(certmonger_t)
+	dirsrv_signull(certmonger_t)
+    dirsrv_stream_connect(certmonger_t)
+')
+
+optional_policy(`
+    ipa_manage_lib(certmonger_t)
+    ipa_manage_pid_files(certmonger_t)
+    ipa_filetrans_pid(certmonger_t,"renewal.lock")
+')
+
+optional_policy(`
 	kerberos_use(certmonger_t)
+	kerberos_read_keytab(certmonger_t)
 ')
 
 optional_policy(`
 	pcscd_read_pid_files(certmonger_t)
 	pcscd_stream_connect(certmonger_t)
 ')
+
+optional_policy(`
+	pki_rw_tomcat_cert(certmonger_t)
+	pki_read_tomcat_lib_files(certmonger_t)
+')
+
+optional_policy(`
+	sssd_delete_public_files(certmonger_t)
+')
+
+########################################
+#
+# certmonger_unconfined_script_t local policy
+#
+
+optional_policy(`
+	type certmonger_unconfined_t;
+	domain_type(certmonger_unconfined_t)
+
+	domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
+	role system_r types certmonger_unconfined_t;
+
+	domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
+
+	allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
+	allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+	allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
+
+	init_domtrans_script(certmonger_unconfined_t)
+
+	optional_policy(`
+		unconfined_domain(certmonger_unconfined_t)
+	')
+')
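Review bot: `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class; the matching set is `list_dir_perms`, which also makes the preceding search_dir_perms line redundant since it already includes search. The section header reads `# certmonger_unconfined_script_t local policy` but the type declared beneath it is certmonger_unconfined_t, so the header should be renamed to match. `unconfined_domain(certmonger_unconfined_t)` sits in a nested optional_policy, meaning that without the unconfined module the domain still exists and still receives the domtrans but carries almost no rules; a short comment stating that this is intended would spare the next reader the question.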
diff --git a/certwatch.te b/certwatch.te
index 171fafb..e88a026 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
 
 allow certwatch_t self:capability sys_nice;
 allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
 
+kernel_read_system_state(certwatch_t)
+
+corecmd_exec_bin(certwatch_t)
+
+dev_read_rand(certwatch_t)
 dev_read_urand(certwatch_t)
 
-files_read_etc_files(certwatch_t)
-files_read_usr_files(certwatch_t)
 files_read_usr_symlinks(certwatch_t)
 files_list_tmp(certwatch_t)
 
 fs_list_inotifyfs(certwatch_t)
 
 auth_manage_cache(certwatch_t)
+auth_read_passwd(certwatch_t)
 auth_var_filetrans_cache(certwatch_t)
 
 logging_send_syslog_msg(certwatch_t)
 
 miscfiles_read_all_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
+miscfiles_manage_generic_cert_dirs(certwatch_t)
+
+sysnet_read_config(certwatch_t)
 
-userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
 
 optional_policy(`
+	apache_domtrans(certwatch_t)
 	apache_exec_modules(certwatch_t)
 	apache_read_config(certwatch_t)
 ')
 
 optional_policy(`
+    mta_send_mail(certwatch_t)
+')
+
+optional_policy(`
 	cron_system_entry(certwatch_t, certwatch_exec_t)
 ')
 
diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644
--- a/cfengine.if
+++ b/cfengine.if
@@ -13,7 +13,6 @@
 template(`cfengine_domain_template',`
 	gen_require(`
 		attribute cfengine_domain;
-		type cfengine_log_t, cfengine_var_lib_t;
 	')
 
 	########################################
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
 	# Policy
 	#
 
+	kernel_read_system_state(cfengine_$1_t)
+
 	auth_use_nsswitch(cfengine_$1_t)
+
+	logging_send_syslog_msg(cfengine_$1_t)
+')
+
+######################################
+## <summary>
+##  Search cfengine lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cfengine_search_lib_files',`
+	gen_require(`
+		type cfengine_var_lib_t;
+	')
+
+	allow $1 cfengine_var_lib_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
 	dontaudit $1 cfengine_var_log_t:file write_file_perms;
 ')
 
+#####################################
+## <summary>
+##      Allow the specified domain to append cfengine's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cfengine_append_inherited_log',`
+        gen_require(`
+                type cfengine_var_log_t;
+        ')
+
+        cfengine_search_lib_files($1)
+		allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
+')
+
+####################################
+## <summary>
+##      Dontaudit the specified domain to write cfengine's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cfengine_dontaudit_write_log',`
+        gen_require(`
+                type cfengine_var_log_t;
+        ')
+
+		dontaudit $1 cfengine_var_log_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
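Review bot: `cfengine_dontaudit_write_log` duplicates the existing `cfengine_dontaudit_write_log_files` directly above it, which already dontaudits write_file_perms, a superset of `write`; one of the two should go, or the new one needs a comment explaining why a narrower variant is wanted. In `cfengine_append_inherited_log` the call to `cfengine_search_lib_files($1)` grants search on cfengine_var_lib_t although the interface only touches cfengine_var_log_t, and an inherited descriptor needs no directory search at all, so that line looks like surplus access. Both new interfaces require `cfengine_var_log_t` while cfengine_admin below requires `cfengine_log_t`; confirm that cfengine.te declares one as an alias of the other.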
@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
 		type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
 	')
 
-	allow $1 cfengine_domain:process { ptrace signal_perms };
+	allow $1 cfengine_domain:process { signal_perms };
 	ps_process_pattern($1, cfengine_domain)
 
 	init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
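Review bot: cfengine_admin drops ptrace from its process permissions but, unlike every other admin interface touched by this commit (ccs_admin, cdrecord_role, certmaster_admin, certmonger_admin, cgroup_admin, cgdcbxd_admin), adds no deny_ptrace tunable to restore it when the boolean is off, so administrators lose ptrace on cfengine domains unconditionally. Add after the ps_process_pattern line: `tunable_policy(`deny_ptrace',`',`` / `	allow $1 cfengine_domain:process ptrace;` / `')`. The interface continues past the end of this hunk.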
@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
 ')
+
diff --git a/cfengine.te b/cfengine.te
index fbe3ad9..21ab8e1 100644
--- a/cfengine.te
+++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
 setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
 logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
 
-kernel_read_system_state(cfengine_domain)
-
 corecmd_exec_bin(cfengine_domain)
 corecmd_exec_shell(cfengine_domain)
 
 dev_read_urand(cfengine_domain)
 dev_read_sysfs(cfengine_domain)
 
-logging_send_syslog_msg(cfengine_domain)
-
-miscfiles_read_localization(cfengine_domain)
-
+sysnet_dns_name_resolve(cfengine_domain)
 sysnet_domtrans_ifconfig(cfengine_domain)
 
 ########################################
@@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t)
 # Monitord local policy
 #
 
-kernel_read_hotplug_sysctls(cfengine_monitord_t)
+kernel_read_usermodehelper_state(cfengine_monitord_t)
 kernel_read_network_state(cfengine_monitord_t)
 
 domain_read_all_domains_state(cfengine_monitord_t)
diff --git a/cgdcbxd.fc b/cgdcbxd.fc
new file mode 100644
index 0000000..7567038
--- /dev/null
+++ b/cgdcbxd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/cgdcbxd\.service		--	gen_context(system_u:object_r:cgdcbxd_unit_file_t,s0)
+
+/usr/sbin/cgdcbxd		--	gen_context(system_u:object_r:cgdcbxd_exec_t,s0)
+
+/var/run/cgdcbxd\.pid		--	gen_context(system_u:object_r:cgdcbxd_var_run_t,s0)
diff --git a/cgdcbxd.if b/cgdcbxd.if
new file mode 100644
index 0000000..1efacf1
--- /dev/null
+++ b/cgdcbxd.if
@@ -0,0 +1,99 @@
+
+## <summary>policy for cgdcbxd</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cgdcbxd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgdcbxd_domtrans',`
+	gen_require(`
+		type cgdcbxd_t, cgdcbxd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cgdcbxd_exec_t, cgdcbxd_t)
+')
+########################################
+## <summary>
+##	Read cgdcbxd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cgdcbxd_read_pid_files',`
+	gen_require(`
+		type cgdcbxd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute cgdcbxd server in the cgdcbxd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cgdcbxd_systemctl',`
+	gen_require(`
+		type cgdcbxd_t;
+		type cgdcbxd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 cgdcbxd_unit_file_t:file read_file_perms;
+	allow $1 cgdcbxd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, cgdcbxd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an cgdcbxd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgdcbxd_admin',`
+	gen_require(`
+		type cgdcbxd_t;
+		type cgdcbxd_var_run_t;
+    	type cgdcbxd_unit_file_t;
+	')
+
+	allow $1 cgdcbxd_t:process { signal_perms };
+	ps_process_pattern($1, cgdcbxd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 cgdcbxd_t:process ptrace;
+    ')
+
+	files_search_pids($1)
+	admin_pattern($1, cgdcbxd_var_run_t)
+
+	cgdcbxd_systemctl($1)
+	admin_pattern($1, cgdcbxd_unit_file_t)
+	allow $1 cgdcbxd_unit_file_t:service all_service_perms;
+
+')
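Review bot: The summary of cgdcbxd_domtrans, `Execute TEMPLATE in the cgdcbxd domin.`, is a leftover placeholder with a typo and should read `Execute cgdcbxd in the cgdcbxd domain.`. The summary of cgdcbxd_systemctl, `Execute cgdcbxd server in the cgdcbxd domain.`, describes a domain transition, but the interface grants systemctl access to the unit file and its service, so `Manage the cgdcbxd service with systemctl.` describes what it does. In cgdcbxd_admin, `an cgdcbxd environment` should be `a cgdcbxd environment`, and a blank line is missing between the closing `')` of cgdcbxd_domtrans and the next header comment.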
diff --git a/cgdcbxd.te b/cgdcbxd.te
new file mode 100644
index 0000000..06ff1b0
--- /dev/null
+++ b/cgdcbxd.te
@@ -0,0 +1,36 @@
+policy_module(cgdcbxd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgdcbxd_t;
+type cgdcbxd_exec_t;
+init_daemon_domain(cgdcbxd_t, cgdcbxd_exec_t)
+
+type cgdcbxd_var_run_t;
+files_pid_file(cgdcbxd_var_run_t)
+
+type cgdcbxd_unit_file_t;
+systemd_unit_file(cgdcbxd_unit_file_t)
+
+########################################
+#
+# cgdcbxd local policy
+#
+
+allow cgdcbxd_t self:fifo_file rw_fifo_file_perms;
+allow cgdcbxd_t self:unix_stream_socket create_stream_socket_perms;
+
+dontaudit cgdcbxd_t self:capability sys_ptrace;
+allow cgdcbxd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_files_pattern(cgdcbxd_t, cgdcbxd_var_run_t, cgdcbxd_var_run_t)
+files_pid_filetrans(cgdcbxd_t, cgdcbxd_var_run_t, { file })
+
+kernel_read_system_state(cgdcbxd_t)
+kernel_read_network_state(cgdcbxd_t)
+kernel_search_network_sysctl(cgdcbxd_t)
+
+domain_dontaudit_read_all_domains_state(cgdcbxd_t)
diff --git a/cgroup.if b/cgroup.if
index 85ca63f..1d1c99c 100644
--- a/cgroup.if
+++ b/cgroup.if
@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
 		type cgrules_etc_t, cgclear_t;
 	')
 
-	allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+	allow $1 cgclear_t:process signal_perms;
+	ps_process_pattern($1, cgclear_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgclear_t:process ptrace;
+	')
+
+	allow $1 cgconfig_t:process signal_perms;
+	ps_process_pattern($1, cgconfig_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgconfig_t:process ptrace;
+	')
+
+	allow $1 cgred_t:process signal_perms;
+	ps_process_pattern($1, cgred_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cgred_t:process ptrace;
+	')
 
 	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
 	files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
index 80a88a2..ec869f5 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
 type cgrules_etc_t;
 files_config_file(cgrules_etc_t)
 
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
 init_daemon_domain(cgconfig_t, cgconfig_exec_t)
 
 type cgconfig_initrc_exec_t;
@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
 
 allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
 
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
 
 kernel_read_system_state(cgclear_t)
 
+auth_use_nsswitch(cgclear_t)
+
 domain_setpriority_all_domains(cgclear_t)
 
 fs_manage_cgroup_dirs(cgclear_t)
@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
 kernel_list_unlabeled(cgconfig_t)
 kernel_read_system_state(cgconfig_t)
 
-files_read_etc_files(cgconfig_t)
-
 fs_manage_cgroup_dirs(cgconfig_t)
 fs_manage_cgroup_files(cgconfig_t)
 fs_mount_cgroup(cgconfig_t)
 fs_mounton_cgroup(cgconfig_t)
 fs_unmount_cgroup(cgconfig_t)
 
+auth_use_nsswitch(cgconfig_t)
+
 ########################################
 #
 # cgred local policy
 #
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
+allow cgred_t self:process signal_perms;
 
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
 
+allow cgred_t cgconfig_etc_t:file read_file_perms;
 allow cgred_t cgrules_etc_t:file read_file_perms;
 
 allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
 files_getattr_all_files(cgred_t)
 files_getattr_all_sockets(cgred_t)
 files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
 
-fs_write_cgroup_files(cgred_t)
+fs_manage_cgroup_dirs(cgred_t)
+fs_manage_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
 
-logging_send_syslog_msg(cgred_t)
+auth_use_nsswitch(cgred_t)
 
-miscfiles_read_localization(cgred_t)
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
index 0000000..5c6bdb6
--- /dev/null
+++ b/chrome.fc
@@ -0,0 +1,11 @@
+/opt/google/chrome[^/]*/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/opt/google/chrome[^/]*/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)?	gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/google-chrome-unstable(/.*)?	gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)?		gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
index 0000000..aa308eb
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,137 @@
+
+## <summary>policy for chrome</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run chrome_sandbox.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chrome_domtrans_sandbox',`
+	gen_require(`
+		type chrome_sandbox_t, chrome_sandbox_exec_t;
+	')
+
+	domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
+	ps_process_pattern(chrome_sandbox_t, $1)
+
+	allow $1 chrome_sandbox_t:fd use;
+
+	dontaudit chrome_sandbox_t $1:socket_class_set getattr;
+	allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
+
+	ifdef(`hide_broken_symptoms',`
+		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+	')
+')
+
+
+########################################
+## <summary>
+##	Execute chrome_sandbox in the chrome_sandbox domain, and
+##	allow the specified role the chrome_sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the chrome_sandbox domain.
+##	</summary>
+## </param>
+#
+interface(`chrome_run_sandbox',`
+	gen_require(`
+		type chrome_sandbox_t;
+		type chrome_sandbox_nacl_t;
+	')
+
+	chrome_domtrans_sandbox($1)
+	role $2 types chrome_sandbox_t;
+	role $2 types chrome_sandbox_nacl_t;
+')
+
+########################################
+## <summary>
+##	Role access for chrome sandbox
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`chrome_role_notrans',`
+	gen_require(`
+		type chrome_sandbox_t;
+		type chrome_sandbox_tmpfs_t;
+		type chrome_sandbox_nacl_t;
+	')
+
+	role $1 types chrome_sandbox_t;
+	role $1 types chrome_sandbox_nacl_t;
+
+	ps_process_pattern($2, chrome_sandbox_t)
+	allow $2 chrome_sandbox_t:process signal_perms;
+
+	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+	allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
+	allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
+	allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
+	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+	allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+	allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Role access for chrome sandbox
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`chrome_role',`
+	chrome_role_notrans($1, $2)
+	chrome_domtrans_sandbox($2)
+')
+
+########################################
+## <summary>
+##	Dontaudit read/write to a chrome_sandbox leaks
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`chrome_dontaudit_sandbox_leaks',`
+	gen_require(`
+		type chrome_sandbox_t;
+	')
+
+	dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
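Review bot: `allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;` in chrome_role_notrans ends in a doubled semicolon; drop the stray one regardless of whether the policy compiler tolerates it. In chrome_domtrans_sandbox, `ps_process_pattern(chrome_sandbox_t, $1)` lets the sandbox domain read the invoking domain's process state, the reverse of the `ps_process_pattern($2, chrome_sandbox_t)` direction used in chrome_role_notrans; if the sandbox does not need to inspect its caller this is surplus access for a confinement domain and should be dropped, otherwise a comment saying why it is needed would help.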
diff --git a/chrome.te b/chrome.te
new file mode 100644
index 0000000..5955ff0
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,256 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+ubac_constrained(chrome_sandbox_t)
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+type chrome_sandbox_nacl_t;
+type chrome_sandbox_nacl_exec_t;
+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
+role system_r types chrome_sandbox_nacl_t;
+ubac_constrained(chrome_sandbox_nacl_t)
+
+type chrome_sandbox_home_t;
+userdom_user_home_content(chrome_sandbox_home_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process setsched;
+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:sem create_sem_perms;
+allow chrome_sandbox_t self:msgq create_msgq_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+auth_dontaudit_read_passwd(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+fs_read_dos_files(chrome_sandbox_t)
+fs_read_hugetlbfs_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
+corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_connect_whois_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_t)
+
+term_dontaudit_use_console(chrome_sandbox_t)
+
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_execute_user_tmp_files(chrome_sandbox_t)
+
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+userdom_search_user_home_content(chrome_sandbox_t)
+# This one we should figure a way to make it more secure
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
+	gnome_exec_config_home_files(chrome_sandbox_t)
+	gnome_read_generic_cache_files(chrome_sandbox_t)
+	gnome_rw_inherited_config(chrome_sandbox_t)
+	gnome_read_home_config(chrome_sandbox_t)
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
+	gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
+')
+
+optional_policy(`
+	mozilla_write_user_home_files(chrome_sandbox_t)
+')
+
+optional_policy(`
+	xserver_use_user_fonts(chrome_sandbox_t)
+	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_search_nfs(chrome_sandbox_t)
+	fs_exec_nfs_files(chrome_sandbox_t)
+	fs_read_nfs_files(chrome_sandbox_t)
+	fs_rw_inherited_nfs_files(chrome_sandbox_t)
+	fs_read_nfs_symlinks(chrome_sandbox_t)
+	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_search_cifs(chrome_sandbox_t)
+	fs_exec_cifs_files(chrome_sandbox_t)
+	fs_rw_inherited_cifs_files(chrome_sandbox_t)
+	fs_read_cifs_files(chrome_sandbox_t)
+	fs_read_cifs_symlinks(chrome_sandbox_t)
+	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+    fs_search_fusefs(chrome_sandbox_t)
+    fs_read_fusefs_files(chrome_sandbox_t)
+    fs_exec_fusefs_files(chrome_sandbox_t)
+	fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+        fs_read_ecryptfs_files(chrome_sandbox_t)
+		fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
+		fs_read_ecryptfs_symlinks(chrome_sandbox_t)
+')
+
+optional_policy(`
+	bumblebee_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+	cups_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+	sandbox_use_ptys(chrome_sandbox_t)
+')
+
+optional_policy(`
+    unconfined_dontaudit_write_state(chrome_sandbox_t)
+')
+
+########################################
+#
+# chrome_sandbox_nacl local policy
+#
+
+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
+
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+dev_rwx_zero(chrome_sandbox_nacl_t)
+
+init_read_state(chrome_sandbox_nacl_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+
+optional_policy(`
+	gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
+	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143e..f03dba0 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -1,13 +1,18 @@
-/etc/chrony\.keys	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
+/etc/chrony\.keys.*	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
 
 /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/chrony.*	--      gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
 /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
+/usr/libexec/chrony-helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 
 /var/lib/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_lib_t,s0)
 
 /var/log/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_log_t,s0)
 
-/var/run/chronyd(/.*)	gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony-helper(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 /var/run/chronyd\.pid	--	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 /var/run/chronyd\.sock	-s	gen_context(system_u:object_r:chronyd_var_run_t,s0)
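Review bot: The new `/etc/chrony\.keys.*` pattern labels any sibling whose name merely starts with `chrony.keys` (for example `chrony.keys.rpmsave`) as `chronyd_keys_t`, and this same diff grants `chronyd_t` append and setattr on that type in chronyd.te, so widening the label pattern also widens what the daemon may modify. If the intent is only the key file itself plus package backups, a tighter pattern such as `/etc/chrony\.keys(\.rpm(new|save))?` (constructed example) would keep the writable set explicit. A one-line comment naming which extra files the `.*` is meant to cover would help the next reader.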
diff --git a/chronyd.if b/chronyd.if
index 32e8265..c5a2913 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -57,6 +57,24 @@ interface(`chronyd_exec',`
 	can_exec($1, chronyd_exec_t)
 ')
 
+########################################
+## <summary>
+##	Send generic signals to chronyd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`chronyd_signal',`
+	gen_require(`
+		type chronyd_t;
+	')
+
+	allow $1 chronyd_t:process signal;
+')
+
 #####################################
 ## <summary>
 ##	Read chronyd log files.
@@ -100,8 +118,7 @@ interface(`chronyd_rw_shm',`
 
 ########################################
 ## <summary>
-##	Connect to chronyd using a unix
-##	domain stream socket.
+##	Read chronyd keys files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -109,19 +126,17 @@ interface(`chronyd_rw_shm',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_stream_connect',`
+interface(`chronyd_read_keys',`
 	gen_require(`
-		type chronyd_t, chronyd_var_run_t;
+		type chronyd_keys_t;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
 ')
 
 ########################################
 ## <summary>
-##	Send to chronyd using a unix domain
-##	datagram socket.
+##	Append chronyd keys files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
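Review bot: `chronyd_read_keys` grants only `read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)`, whereas the interface it replaces, `chronyd_read_key_files` (removed in the later hunk that becomes `chronyd_dgram_send`), also gave `files_search_etc($1)`; a caller that does not already have search on `/etc` cannot reach the key file through this interface alone. Adding `files_search_etc($1)` before the read pattern keeps the interface self-contained. The old name is dropped without a deprecated alias, so any caller elsewhere in the tree that still uses `chronyd_read_key_files` will fail to build unless it is updated in the same change.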
@@ -129,18 +144,62 @@ interface(`chronyd_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_dgram_send',`
+interface(`chronyd_append_keys',`
+	gen_require(`
+		type chronyd_keys_t;
+	')
+
+	append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+##	Execute chronyd server in the chronyd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`chronyd_systemctl',`
+	gen_require(`
+		type chronyd_t;
+		type chronyd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 chronyd_unit_file_t:file read_file_perms;
+	allow $1 chronyd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, chronyd_t)
+')
+
+#######################################
+## <summary>
+##  Connect to chronyd using a unix
+##  domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`chronyd_stream_connect',`
 	gen_require(`
 		type chronyd_t, chronyd_var_run_t;
 	')
 
 	files_search_pids($1)
-	dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
 ')
 
 ########################################
 ## <summary>
-##	Read chronyd key files.
+##	Send to chronyd using a unix domain
+##	datagram socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
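Review bot: The summary of `chronyd_systemctl`, "Execute chronyd server in the chronyd domain.", does not describe what the interface grants: execution of systemctl, `init_reload_services($1)`, read access to the chronyd unit file and `manage_service_perms` on its service. A summary like "Execute systemctl to manage the chronyd service (start, stop, reload)." with the param summary "Domain allowed access." would match the body. Note also that `init_reload_services($1)` appears to cover reloading services in general rather than chronyd alone, so callers get somewhat more than the interface name suggests; if a narrower init interface exists in this tree it would be the better fit.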
@@ -148,13 +207,13 @@ interface(`chronyd_dgram_send',`
 ##	</summary>
 ## </param>
 #
-interface(`chronyd_read_key_files',`
+interface(`chronyd_dgram_send',`
 	gen_require(`
-		type chronyd_keys_t;
+		type chronyd_t, chronyd_var_run_t;
 	')
 
-	files_search_etc($1)
-	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+	files_search_pids($1)
+	dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
 ')
 
 ####################################
@@ -176,28 +235,38 @@ interface(`chronyd_read_key_files',`
 #
 interface(`chronyd_admin',`
 	gen_require(`
-		type chronyd_t, chronyd_var_log_t;
-		type chronyd_var_run_t, chronyd_var_lib_t;
-		type chronyd_initrc_exec_t, chronyd_keys_t;
+		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+		type chronyd_keys_t, chronyd_unit_file_t;
 	')
 
-	allow $1 chronyd_t:process { ptrace signal_perms };
+	allow $1 chronyd_t:process signal_perms;
 	ps_process_pattern($1, chronyd_t)
 
-	chronyd_initrc_domtrans($1)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 chronyd_t:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 chronyd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, chronyd_keys_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, chronyd_var_log_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, chronyd_var_lib_t)
 
-	files_search_pids($1)
+	files_list_pids($1)
 	admin_pattern($1, chronyd_var_run_t)
+
+	admin_pattern($1, chronyd_tmpfs_t)
+
+	admin_pattern($1, chronyd_unit_file_t)
+	chronyd_systemctl($1)
+	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
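Review bot: In `chronyd_admin` the explicit `allow $1 chronyd_unit_file_t:service all_service_perms;` sits right after `chronyd_systemctl($1)`, which already grants `manage_service_perms` on the same service, and `admin_pattern($1, chronyd_unit_file_t)` already covers the unit file; one of the two service grants is redundant and a reader cannot tell which is intended. The same pairing is added to `clamav_admin` in the clamav.if hunk later in this diff. Either drop the `all_service_perms` line or add a comment such as `# admin gets the full service permission set, beyond what chronyd_systemctl grants` so the overlap is deliberate.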
diff --git a/chronyd.te b/chronyd.te
index e5b621c..bc73da9 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
 type chronyd_tmpfs_t;
 files_tmpfs_file(chronyd_tmpfs_t)
 
+type chronyd_unit_file_t;
+systemd_unit_file(chronyd_unit_file_t)
+
 type chronyd_var_lib_t;
 files_type(chronyd_var_lib_t)
 
@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
 # Local policy
 #
 
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown };
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
 
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
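Review bot: The capability line adds `fsetid`, `sys_nice` and `chown` to `chronyd_t` and the key-file rules add append and setattr on `chronyd_keys_t`, but no comment says which daemon operation needs them; capabilities like `chown` and `fsetid` are the ones an auditor will ask about first. A comment such as `# TODO confirm: append/setattr/chown on the key file presumably serve chronyd's own key-file maintenance` would record the rationale while leaving it marked as unconfirmed. The three separate allow rules on `chronyd_keys_t:file` could also be a single line, `allow chronyd_t chronyd_keys_t:file { append_file_perms read_file_perms setattr_file_perms };`, so the full permission set on the key file is visible in one place.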
@@ -76,18 +83,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
 
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
+
 dev_rw_realtime_clock(chronyd_t)
 
 auth_use_nsswitch(chronyd_t)
 
+corecmd_exec_bin(chronyd_t)
+
 logging_send_syslog_msg(chronyd_t)
 
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
+
+sysnet_read_dhcpc_state(chronyd_t)
+
+systemd_exec_systemctl(chronyd_t)
+
+userdom_dgram_send(chronyd_t)
+
+optional_policy(`
+	dbus_system_bus_client(chronyd_t)
+')
 
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
 ')
 
 optional_policy(`
-	mta_send_mail(chronyd_t)
+    timemaster_stream_connect(chronyd_t)
+    timemaster_read_pid_files(chronyd_t)
+    timemaster_rw_shm(chronyd_t)
+')
+
+optional_policy(`
+    ptp4l_rw_shm(chronyd_t)
 ')
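Review bot: `mta_send_mail(chronyd_t)` moves out of `optional_policy` into the unconditional rules at `+mta_send_mail(chronyd_t)`; if the mta module is separately loadable in this tree, chronyd will no longer link on systems without it, so keeping the call inside `optional_policy` is safer unless mta is guaranteed present. The new unconditional `corecmd_exec_bin(chronyd_t)` and `systemd_exec_systemctl(chronyd_t)` let the daemon run generic binaries and systemctl; a comment naming the helper that needs this (chronyd.fc in this diff labels `/usr/libexec/chrony-helper` as `chronyd_exec_t`) would make the grant reviewable. The timemaster and ptp4l blocks are indented with spaces while the rest of the file uses tabs.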
diff --git a/cinder.fc b/cinder.fc
new file mode 100644
index 0000000..4b318b7
--- /dev/null
+++ b/cinder.fc
@@ -0,0 +1,16 @@
+
+/usr/bin/cinder-api             --  gen_context(system_u:object_r:cinder_api_exec_t,s0)
+/usr/bin/cinder-backup          --  gen_context(system_u:object_r:cinder_backup_exec_t,s0)     
+/usr/bin/cinder-scheduler       --  gen_context(system_u:object_r:cinder_scheduler_exec_t,s0)
+/usr/bin/cinder-volume          --  gen_context(system_u:object_r:cinder_volume_exec_t,s0)
+
+/usr/lib/systemd/system/openstack-cinder-api.*		--	gen_context(system_u:object_r:cinder_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-backup.*	--	gen_context(system_u:object_r:cinder_backup_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-scheduler.*	--	gen_context(system_u:object_r:cinder_scheduler_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-cinder-volume.*		--	gen_context(system_u:object_r:cinder_volume_unit_file_t,s0)
+
+/var/lib/cinder(/.*)?     gen_context(system_u:object_r:cinder_var_lib_t,s0)
+
+/var/log/cinder(/.*)?     gen_context(system_u:object_r:cinder_log_t,s0)
+
+/var/run/cinder(/.*)?     gen_context(system_u:object_r:cinder_var_run_t,s0)
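Review bot: The `cinder-backup` line carries trailing whitespace after the context, and the file opens with an empty first line; both are harmless to the fc compiler but will show up in every later diff. Trimming the trailing spaces and the leading blank line keeps the new file clean.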
diff --git a/cinder.if b/cinder.if
new file mode 100644
index 0000000..fc9cae7
--- /dev/null
+++ b/cinder.if
@@ -0,0 +1,57 @@
+## <summary>openstack-cinder</summary>
+
+######################################
+## <summary>
+##  Manage cinder lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cinder_manage_lib_files',`
+    gen_require(`
+                type cinder_var_lib_t;
+                                ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  openstack-cinder systemd daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`cinder_domain_template',`
+	gen_require(`
+		attribute cinder_domain;
+	')
+
+	type cinder_$1_t, cinder_domain;
+	type cinder_$1_exec_t;
+	init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)
+
+	type cinder_$1_unit_file_t;
+	systemd_unit_file(cinder_$1_unit_file_t)
+
+	type cinder_$1_tmp_t;
+	files_tmp_file(cinder_$1_tmp_t)
+
+	manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
+	manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
+	files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
+	can_exec(cinder_$1_t, cinder_$1_tmp_t)
+
+	kernel_read_system_state(cinder_$1_t)
+
+    logging_send_syslog_msg(cinder_$1_t)
+
+')
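Review bot: `can_exec(cinder_$1_t, cinder_$1_tmp_t)` in `cinder_domain_template` lets every cinder daemon execute files it itself creates under its tmp type, which removes the write/execute separation the tmp type would otherwise provide; if a specific tool needs this, a comment naming it (`# TODO confirm: which cinder component executes from its tmp dir`) should accompany the rule, otherwise it is better dropped. The `gen_require` block of `cinder_manage_lib_files` is mis-indented, with its closing `')` pushed to column 32, and the template mixes tabs with the four-space indent on `logging_send_syslog_msg(cinder_$1_t)`. The template also ends with a blank line before `')`.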
diff --git a/cinder.te b/cinder.te
new file mode 100644
index 0000000..488a7a6
--- /dev/null
+++ b/cinder.te
@@ -0,0 +1,169 @@
+policy_module(cinder, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+#
+# cinder-stack daemons contain security issue with using sudo in the code
+# we make this policy as unconfined until this issue is fixed
+#
+
+attribute cinder_domain;
+
+cinder_domain_template(api)
+cinder_domain_template(backup)
+cinder_domain_template(scheduler)
+cinder_domain_template(volume)
+
+type cinder_log_t;
+logging_log_file(cinder_log_t)
+
+type cinder_var_lib_t;
+files_type(cinder_var_lib_t)
+
+type cinder_var_run_t;
+files_pid_file(cinder_var_run_t)
+
+######################################
+#
+# cinder general domain local policy
+#
+
+allow cinder_domain self:process signal_perms;
+allow cinder_domain self:fifo_file rw_fifo_file_perms;
+allow cinder_domain self:tcp_socket create_stream_socket_perms;
+allow cinder_domain self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cinder_domain, cinder_log_t, cinder_log_t)
+manage_files_pattern(cinder_domain, cinder_log_t, cinder_log_t)
+
+manage_dirs_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
+manage_files_pattern(cinder_domain, cinder_var_lib_t, cinder_var_lib_t)
+
+manage_dirs_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
+manage_files_pattern(cinder_domain, cinder_var_run_t, cinder_var_run_t)
+
+corenet_tcp_connect_amqp_port(cinder_domain)
+corenet_tcp_connect_mysqld_port(cinder_domain)
+
+kernel_read_network_state(cinder_domain)
+
+corecmd_exec_bin(cinder_domain)
+corecmd_exec_shell(cinder_domain)
+corenet_tcp_connect_mysqld_port(cinder_domain)
+
+auth_read_passwd(cinder_domain)
+
+dev_read_sysfs(cinder_domain)
+dev_read_urand(cinder_domain)
+
+fs_getattr_xattr_fs(cinder_domain)
+
+init_read_utmp(cinder_domain)
+
+libs_exec_ldconfig(cinder_domain)
+
+optional_policy(`
+    mysql_stream_connect(cinder_domain)
+    mysql_read_db_lnk_files(cinder_domain)
+')
+
+optional_policy(`
+	sysnet_read_config(cinder_domain)
+	sysnet_exec_ifconfig(cinder_domain)
+')
+
+#######################################
+#
+# cinder api local policy
+#
+
+allow cinder_api_t self:process setfscreate;
+allow cinder_api_t self:key write;
+allow cinder_api_t self:netlink_route_socket r_netlink_socket_perms;
+allow cinder_api_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cinder_api_t)
+
+corenet_tcp_bind_generic_node(cinder_api_t)
+corenet_udp_bind_generic_node(cinder_api_t)
+# should be add to booleans
+corenet_tcp_connect_all_ports(cinder_api_t)
+corenet_tcp_bind_all_unreserved_ports(cinder_api_t)
+
+auth_read_passwd(cinder_api_t)
+
+logging_send_syslog_msg(cinder_api_t)
+
+miscfiles_read_certs(cinder_api_t)
+
+optional_policy(`
+	iptables_domtrans(cinder_api_t)
+')
+
+optional_policy(`
+	ssh_exec_keygen(cinder_api_t)
+')
+
+optional_policy(`
+    gnome_dontaudit_search_config(cinder_api_t)
+')
+
+optional_policy(`
+	unconfined_domain(cinder_api_t)
+')
+
+#######################################
+#
+# cinder backup local policy
+#
+
+allow cinder_backup_t self:udp_socket create_socket_perms;
+
+auth_use_nsswitch(cinder_backup_t)
+
+systemd_dbus_chat_logind(cinder_backup_t)
+
+optional_policy(`
+    unconfined_domain(cinder_backup_t)
+')
+
+#######################################
+#
+# cinder scheduler local policy
+#
+
+allow cinder_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
+allow cinder_scheduler_t self:udp_socket create_socket_perms;
+
+auth_read_passwd(cinder_scheduler_t)
+
+init_read_utmp(cinder_scheduler_t)
+
+optional_policy(`
+    unconfined_domain(cinder_scheduler_t)
+')
+
+#######################################
+#
+# cinder volume local policy
+#
+
+allow cinder_volume_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow cinder_volume_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cinder_volume_t)
+
+logging_send_syslog_msg(cinder_volume_t)
+
+optional_policy(`
+	lvm_domtrans(cinder_volume_t)
+')
+
+optional_policy(`
+    unconfined_domain(cinder_volume_t)
+')
+
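Review bot: `corenet_tcp_connect_mysqld_port(cinder_domain)` appears twice in the general section, and `auth_read_passwd`, `init_read_utmp` and `logging_send_syslog_msg` are repeated for `cinder_api_t`, `cinder_scheduler_t` and `cinder_volume_t` although the same rules are already applied to the `cinder_domain` attribute (or by `cinder_domain_template`) that those types carry; the per-domain copies can go. `corenet_tcp_connect_all_ports(cinder_api_t)` is marked only by the comment "should be add to booleans"; rewording it as `# TODO: gate connect_all_ports behind a boolean before dropping unconfined_domain` records the condition under which it must be revisited. Since every cinder domain currently gets `unconfined_domain`, as the header comment explains, the fine-grained rules above have no effect until that is removed, which is worth stating next to the attribute declaration.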
diff --git a/cipe.te b/cipe.te
index a0aa693..af571ed 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
 corecmd_exec_shell(ciped_t)
 corecmd_exec_bin(ciped_t)
 
-corenet_all_recvfrom_unlabeled(ciped_t)
 corenet_all_recvfrom_netlabel(ciped_t)
 corenet_udp_sendrecv_generic_if(ciped_t)
 corenet_udp_sendrecv_generic_node(ciped_t)
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
 
 domain_use_interactive_fds(ciped_t)
 
-files_read_etc_files(ciped_t)
 files_read_etc_runtime_files(ciped_t)
 files_dontaudit_search_var(ciped_t)
 
@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
 
 logging_send_syslog_msg(ciped_t)
 
-miscfiles_read_localization(ciped_t)
-
 sysnet_read_config(ciped_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ciped_t)
diff --git a/clamav.fc b/clamav.fc
index d72afcc..c53b80d 100644
--- a/clamav.fc
+++ b/clamav.fc
@@ -6,6 +6,8 @@
 /usr/bin/clamdscan	--	gen_context(system_u:object_r:clamscan_exec_t,s0)
 /usr/bin/freshclam	--	gen_context(system_u:object_r:freshclam_exec_t,s0)
 
+/usr/lib/systemd/system/clamd.*  --  gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
 /usr/sbin/clamd	--	gen_context(system_u:object_r:clamd_exec_t,s0)
 /usr/sbin/clamav-milter	--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
diff --git a/clamav.if b/clamav.if
index 4cc4a5c..a6c6322 100644
--- a/clamav.if
+++ b/clamav.if
@@ -1,4 +1,4 @@
-## <summary>ClamAV Virus Scanner.</summary>
+## <summary>ClamAV Virus Scanner</summary>
 
 ########################################
 ## <summary>
@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
 		type clamd_t, clamd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, clamd_exec_t, clamd_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to clamd using a unix
-##	domain stream socket.
+##	Connect to run clamd.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
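Review bot: The new summary "Connect to run clamd." is unclear for what the following hunk header shows to be `clamav_stream_connect`; the body of that interface is outside this hunk, but the summary should name the mechanism, for example `## Connect to clamd over its unix domain stream socket.`. Separately, `corecmd_search_bin($1)` is removed from `clamav_domtrans` here and from `clamav_domtrans_clamscan` and `clamav_exec_clamscan` in later hunks; `domtrans_pattern` does not grant directory search, so callers that do not already have search on bin directories lose the ability to reach the executable. If the callers are known to get that search elsewhere, a short comment saying so would prevent the next reader from re-adding it.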
@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
 
 ########################################
 ## <summary>
-##	Append clamav log files.
+##	Allow the specified domain to append
+##	to clamav log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	clamav pid content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`clamav_manage_pid_content',`
-	gen_require(`
-		type clamd_var_run_t;
-	')
-
-	files_search_pids($1)
-	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
-	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-')
-
-########################################
-## <summary>
 ##	Read clamav configuration files.
 ## </summary>
 ## <param name="domain">
@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
 
 ########################################
 ## <summary>
-##	Search clamav library directories.
+##	Search clamav libraries directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
 		type clamscan_t, clamscan_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, clamscan_exec_t, clamscan_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute clamscan in the caller domain.
+##	Execute clamscan without a transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
 		type clamscan_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, clamscan_exec_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Read clamd process state files.
+##	Manage clamd pid content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -166,21 +142,63 @@ interface(`clamav_exec_clamscan',`
 ##	</summary>
 ## </param>
 #
-interface(`clamav_read_state_clamd',`
+interface(`clamav_manage_clamd_pid',`
 	gen_require(`
-		type clamd_t;
+		type clamd_var_run_t;
 	')
 
-	kernel_search_proc($1)
-	allow $1 clamd_t:dir list_dir_perms;
-	read_files_pattern($1, clamd_t, clamd_t)
-	read_lnk_files_pattern($1, clamd_t, clamd_t)
+	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+#######################################
+## <summary>
+##      Read clamd state files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`clamav_read_state_clamd',`
+        gen_require(`
+                type clamd_t;
+        ')
+
+        kernel_search_proc($1)
+        ps_process_pattern($1, clamd_t)
+')
+
+#######################################
+## <summary>
+##      Execute clamd server in the clamd domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`clamd_systemctl',`
+        gen_require(`
+                type clamd_t;
+                type clamd_unit_file_t;
+        ')
+
+        systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+        allow $1 clamd_unit_file_t:file read_file_perms;
+        allow $1 clamd_unit_file_t:service manage_service_perms;
+
+        ps_process_pattern($1, clamd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an clamav environment.
+##	All of the rules required to administrate
+##	an clamav environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
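Review bot: `clamav_manage_clamd_pid` drops the `files_search_pids($1)` that the removed `clamav_manage_pid_content` carried, so a caller without search on the pid directory cannot reach `clamd_var_run_t` content through this interface; adding `files_search_pids($1)` before the manage patterns restores that. The new `clamd_systemctl` interface does not use the module's `clamav_` prefix that every other interface in this file follows, and its body is indented with eight spaces except for `init_reload_services($1)`, which uses a tab. The summary "Execute clamd server in the clamd domain." does not match the body, which grants systemctl execution and service management; `## Execute systemctl to manage the clamd service.` would describe it.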
@@ -189,7 +207,7 @@ interface(`clamav_read_state_clamd',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the clamav domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',`
 interface(`clamav_admin',`
 	gen_require(`
 		type clamd_t, clamd_etc_t, clamd_tmp_t;
-		type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
-		type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+		type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+		type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
 		type freshclam_t, freshclam_var_log_t;
+		type clamd_unit_file_t;
 	')
 
-	allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
+	allow $1 clamd_t:process signal_perms;
+	ps_process_pattern($1, clamd_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 clamd_t:process ptrace;
+		allow $1 clamscan_t:process ptrace;
+		allow $1 freshclam_t:process ptrace;
+	')
+
+	allow $1 clamscan_t:process signal_perms;
+	ps_process_pattern($1, clamscan_t)
+
+	allow $1 freshclam_t:process signal_perms;
+	ps_process_pattern($1, freshclam_t)
 
 	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 clamd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	clamd_systemctl($1)
+	admin_pattern($1, clamd_unit_file_t)
+	allow $1 clamd_unit_file_t:service all_service_perms;
+
 	files_list_etc($1)
 	admin_pattern($1, clamd_etc_t)
 
@@ -217,11 +252,21 @@ interface(`clamav_admin',`
 	admin_pattern($1, clamd_var_lib_t)
 
 	logging_list_logs($1)
-	admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
+	admin_pattern($1, clamd_var_log_t)
 
 	files_list_pids($1)
 	admin_pattern($1, clamd_var_run_t)
 
 	files_list_tmp($1)
-	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
+	admin_pattern($1, clamd_tmp_t)
+
+	admin_pattern($1, clamscan_tmp_t)
+
+	admin_pattern($1, freshclam_var_log_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+
 ')
diff --git a/clamav.te b/clamav.te
index ce3836a..94aa8a6 100644
--- a/clamav.te
+++ b/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
 type clamd_initrc_exec_t;
 init_script_file(clamd_initrc_exec_t)
 
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
 type clamd_tmp_t;
 files_tmp_file(clamd_tmp_t)
 
@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
 allow clamd_t self:capability { kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 allow clamd_t self:process signal;
+
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
 allow clamd_t self:tcp_socket { listen accept };
@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
 
 corecmd_exec_shell(clamd_t)
 
-corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
 corenet_tcp_sendrecv_generic_if(clamd_t)
 corenet_tcp_sendrecv_generic_node(clamd_t)
@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
 
 corenet_sendrecv_generic_client_packets(clamd_t)
 corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
 
 corenet_sendrecv_clamd_server_packets(clamd_t)
 corenet_tcp_bind_clamd_port(clamd_t)
@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
 
 logging_send_syslog_msg(clamd_t)
 
-miscfiles_read_localization(clamd_t)
-
-tunable_policy(`clamd_use_jit',`
-	allow clamd_t self:process execmem;
-',`
-	dontaudit clamd_t self:process execmem;
-')
-
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
 	amavis_read_spool_files(clamd_t)
-	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+	amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
 	amavis_create_pid_files(clamd_t)
 ')
 
@@ -165,6 +161,31 @@ optional_policy(`
 	mta_send_mail(clamd_t)
 ')
 
+optional_policy(`
+	spamd_stream_connect(clamd_t)
+	spamassassin_read_pid_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+	allow clamd_t self:process execmem;
+	allow clamscan_t self:process execmem;
+',`
+	dontaudit clamd_t self:process execmem;
+	dontaudit clamscan_t self:process execmem;
+')
+
+optional_policy(`
+    antivirus_domain_template(clamd_t)
+')
+
+optional_policy(`
+    antivirus_domain_template(clamscan_t)
+')
+
+optional_policy(`
+    antivirus_domain_template(freshclam_t)
+')
+
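Review bot: The `clamd_use_jit` tunable block is re-added here covering `clamd_t` and `clamscan_t`, while `freshclam_t` keeps its own `clamd_use_jit` block in the freshclam section (visible as context in the next hunk); the execmem decision for the three domains is now split across two places and can drift. One tunable block listing all three domains, or a comment in each pointing at the other, would keep them in step. The three `antivirus_domain_template` calls are indented with spaces whereas the file uses tabs; what the template grants is not visible here, so whether wrapping each in its own `optional_policy` is needed cannot be judged from this hunk.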
 ########################################
 #
 # Freshclam local policy
@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
 
 logging_send_syslog_msg(freshclam_t)
 
-miscfiles_read_localization(freshclam_t)
 
 tunable_policy(`clamd_use_jit',`
 	allow freshclam_t self:process execmem;
@@ -241,6 +261,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	clamd_systemctl(freshclam_t)
+')
+
+optional_policy(`
 	cron_system_entry(freshclam_t, freshclam_exec_t)
 ')
 
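Review bot: `clamd_systemctl(freshclam_t)` gives the signature updater `manage_service_perms` on the clamd unit and, through `init_reload_services`, the ability to reload services in general, which looks broader than the clamd restart an updater would need; if only a reload of clamd is required, a narrower grant or a comment explaining the need (`# TODO confirm: freshclam restarts clamd after a database update`) would make the scope reviewable. Wrapping a call to an interface from the same module in `optional_policy` is unusual since the module is always present when this file is compiled, so the wrapper can likely be dropped.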
@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
 kernel_read_kernel_sysctls(clamscan_t)
 kernel_read_system_state(clamscan_t)
 
-corenet_all_recvfrom_unlabeled(clamscan_t)
 corenet_all_recvfrom_netlabel(clamscan_t)
 corenet_tcp_sendrecv_generic_if(clamscan_t)
 corenet_tcp_sendrecv_generic_node(clamscan_t)
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
 
 corecmd_read_all_executables(clamscan_t)
 
-files_read_etc_files(clamscan_t)
 files_read_etc_runtime_files(clamscan_t)
 files_search_var_lib(clamscan_t)
 
 init_read_utmp(clamscan_t)
 init_dontaudit_write_utmp(clamscan_t)
 
-miscfiles_read_localization(clamscan_t)
 miscfiles_read_public_files(clamscan_t)
 
 sysnet_dns_name_resolve(clamscan_t)
@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
 ')
 
 optional_policy(`
-	amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
 	apache_read_sys_content(clamscan_t)
 ')
 
diff --git a/clockspeed.te b/clockspeed.te
index d3e2a67..f5b330c 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
 
 read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 
-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
 corenet_all_recvfrom_netlabel(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
 
 files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
 
-miscfiles_read_localization(clockspeed_cli_t)
 
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
 
 ########################################
 #
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
 manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
 
-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
 corenet_all_recvfrom_netlabel(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
 corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
 
 files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
 
-miscfiles_read_localization(clockspeed_srv_t)
 
 optional_policy(`
 	daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
index 4a5b3d1..cd146bd 100644
--- a/clogd.te
+++ b/clogd.te
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
 
 logging_send_syslog_msg(clogd_t)
 
-miscfiles_read_localization(clogd_t)
-
 optional_policy(`
-	aisexec_stream_connect(clogd_t)
-	corosync_stream_connect(clogd_t)
+	rhcs_stream_connect_cluster(clogd_t)
 ')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 0000000..3849f13
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,21 @@
+/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+
+/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-metadata-service     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-cloud-agent    --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
+
+/usr/lib/systemd/system/cloud-config.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/usr/lib/systemd/system/cloud-init.* --  gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/lib/min-cloud-agent(/.*)?            gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init.*\.log.*  --  gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)?             gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+
+/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log.*		--		gen_context(system_u:object_r:iwhd_log_t,s0)
+
+/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
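Review bot: `deltacloudd_var_run_t`, which cloudform.te declares and grants via `files_pid_filetrans`, has no file-context entry here, so anything under /var/run belonging to deltacloudd only receives that type when deltacloudd itself creates it, and a `restorecon` would presumably relabel it to the generic pid type. If deltacloudd writes a pid file, add a line of the form `/var/run/<deltacloudd-pid-path>  --  gen_context(system_u:object_r:deltacloudd_var_run_t,s0)` with the real path taken from the package. The gap between path, file-type flag and context mixes tabs and runs of spaces; a single tab-separated column layout as in cobbler.fc would be easier to scan.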
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
index 0000000..a06f04b
--- /dev/null
+++ b/cloudform.if
@@ -0,0 +1,60 @@
+## <summary>cloudform policy</summary>
+
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  cloudform daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`cloudform_domain_template',`
+    gen_require(`
+        attribute cloudform_domain;
+    ')
+
+    type $1_t, cloudform_domain;
+    type $1_exec_t;
+    init_daemon_domain($1_t, $1_exec_t)
+
+    kernel_read_system_state($1_t)
+')
+
+######################################
+## <summary>
+##	Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudform_exec_mongod',`
+    gen_require(`
+	type mongod_exec_t;
+    ')
+
+    can_exec($1, mongod_exec_t)
+')
+
+######################################
+## <summary>
+##	Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudform_dontaudit_write_cloud_log',`
+    gen_require(`
+	type cloud_log_t;
+    ')
+
+    dontaudit $1 cloud_log_t:file write_inherited_file_perms;
+')
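Review bot: The summary of `cloudform_dontaudit_write_cloud_log` is a copy of the one above it ("Execute mongod in the caller domain.") and describes the wrong interface; replace it with `##	Do not audit attempts to write inherited cloud log files.` `cloudform_exec_mongod` requires `mongod_exec_t`, a type this module does not declare, so it resolves only when the module owning that type is present and would more naturally live in that module's interface file. Indentation in the new blocks mixes four spaces with tabs (the `type mongod_exec_t;` and `type cloud_log_t;` lines use a tab, the surrounding lines spaces); the rest of the tree uses tabs.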
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 0000000..af630a4
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,247 @@
+policy_module(cloudform, 1.0)
+########################################
+#
+# Declarations
+#
+
+attribute cloudform_domain;
+
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
+type cloud_init_unit_file_t;
+systemd_unit_file(cloud_init_unit_file_t)
+
+type cloud_var_lib_t;
+files_type(cloud_var_lib_t)
+
+type cloud_log_t;
+logging_log_file(cloud_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
+
+type deltacloudd_var_run_t;
+files_pid_file(deltacloudd_var_run_t)
+
+type deltacloudd_tmp_t;
+files_tmp_file(deltacloudd_tmp_t)
+
+type iwhd_initrc_exec_t;
+init_script_file(iwhd_initrc_exec_t)
+
+type iwhd_var_lib_t;
+files_type(iwhd_var_lib_t)
+
+type iwhd_var_run_t;
+files_pid_file(iwhd_var_run_t)
+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
+########################################
+#
+# cloudform_domain local policy
+#
+
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
+dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
+dev_read_sysfs(cloudform_domain)
+
+auth_read_passwd(cloudform_domain)
+
+miscfiles_read_certs(cloudform_domain)
+
+#################################
+#
+# cloud-init local policy
+#
+
+allow cloud_init_t self:capability { fowner chown fsetid dac_override };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
+
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
+
+kernel_read_network_state(cloud_init_t)
+
+corenet_tcp_connect_http_port(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+domain_read_all_domains_state(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
+auth_use_nsswitch(cloud_init_t)
+
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+    certmonger_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(cloud_init_t)
+')
+
+optional_policy(`
+	rhsmcertd_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+    networkmanager_dbus_chat(cloud_init_t)
+')
+
+optional_policy(`
+    dmidecode_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    fstools_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    hostname_exec(cloud_init_t)
+')
+
+optional_policy(`
+    mount_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+    # it check file context and run restorecon
+    seutil_read_file_contexts(cloud_init_t)
+    seutil_domtrans_setfiles(cloud_init_t)
+')
+
+optional_policy(`
+    ssh_exec_keygen(cloud_init_t)
+    ssh_read_user_home_files(cloud_init_t)
+')
+
+optional_policy(`
+    sysnet_domtrans_ifconfig(cloud_init_t)
+    sysnet_read_dhcpc_state(cloud_init_t)
+    sysnet_dns_name_resolve(cloud_init_t)
+')
+
+optional_policy(`
+    rpm_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+    unconfined_domain(cloud_init_t)
+')
+
+########################################
+#
+# deltacloudd local policy
+#
+
+allow deltacloudd_t self:capability { dac_override setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
+allow deltacloudd_t self:process signal;
+
+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
+kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+kernel_read_network_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
+
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+corenet_tcp_connect_http_port(deltacloudd_t)
+corenet_tcp_connect_keystone_port(deltacloudd_t)
+
+auth_use_nsswitch(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
+
+optional_policy(`
+	sysnet_read_config(deltacloudd_t)
+')
+
+########################################
+#
+# iwhd local policy
+#
+
+allow iwhd_t self:capability { chown kill };
+allow iwhd_t self:process { fork };
+
+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+
+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
+
+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
+
+kernel_read_system_state(iwhd_t)
+
+corenet_tcp_bind_generic_node(iwhd_t)
+corenet_tcp_bind_websm_port(iwhd_t)
+corenet_tcp_connect_all_ports(iwhd_t)
+
+dev_read_rand(iwhd_t)
+dev_read_urand(iwhd_t)
+
+userdom_home_manager(iwhd_t)
+
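Review bot: `unconfined_domain(cloud_init_t)` inside `optional_policy` makes every rule granted to `cloud_init_t` above it redundant on any build where the unconfined module is loaded, so on such systems the domain is confined in name only; if that is a deliberate transitional step, say so with a comment such as `# unconfined whenever the unconfined module is present; the rules above are best-effort only` and consider gating it behind a `tunable_policy` boolean rather than module presence. `kernel_read_system_state` is already granted to every `cloudform_domain` by `cloudform_domain_template`, so the repeated calls for `deltacloudd_t` and `iwhd_t` can be dropped. `corenet_tcp_connect_all_ports(iwhd_t)` is the widest network grant in the module; a one-line comment explaining why a port-specific interface does not suffice would help the next reviewer.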
diff --git a/cmirrord.if b/cmirrord.if
index cc4e7cb..f348d27 100644
--- a/cmirrord.if
+++ b/cmirrord.if
@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
 		type cmirrord_t, cmirrord_tmpfs_t;
 	')
 
-	allow $1 cmirrord_t:shm rw_shm_perms;
+	allow $1 cmirrord_t:shm { rw_shm_perms destroy };
 
 	allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
 	rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+	delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 	read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
 	fs_search_tmpfs($1)
 ')
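Review bot: `cmirrord_rw_shm` now also grants `destroy` on the shm segment and `delete_files_pattern` on `cmirrord_tmpfs_t`, which is more than the name (and presumably the summary above the hunk) promises; either rename the interface or extend its summary to state that callers may remove the shared memory and its tmpfs files. The interface header is outside the hunk.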
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
 		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
 	')
 
-	allow $1 cmirrord_t:process { ptrace signal_perms };
+	allow $1 cmirrord_t:process signal_perms;
 	ps_process_pattern($1, cmirrord_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cmirrord_t:process ptrace;
+	')
+
 	cmirrord_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
index bbdd396..8328b95 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
 # Local policy
 #
 
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { sys_admin net_admin kill };
 dontaudit cmirrord_t self:capability sys_tty_config;
 allow cmirrord_t self:process { setfscreate signal };
 allow cmirrord_t self:fifo_file rw_fifo_file_perms;
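Review bot: Adding `sys_admin` to `cmirrord_t`'s capability set comes without a comment, and it is by far the broadest capability on that line; add a line such as `# sys_admin: TODO name the operation that requires it` above the rule, or check whether the `storage_raw_read_fixed_disk`/`storage_rw_inherited_fixed_disk_dev` interfaces added in the next hunk already cover the access that prompted it.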
@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
 domain_use_interactive_fds(cmirrord_t)
 domain_obj_id_change_exemption(cmirrord_t)
 
-files_read_etc_files(cmirrord_t)
-
 storage_create_fixed_disk_dev(cmirrord_t)
+storage_raw_read_fixed_disk(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
 
 seutil_read_file_contexts(cmirrord_t)
 
 logging_send_syslog_msg(cmirrord_t)
 
-miscfiles_read_localization(cmirrord_t)
-
 optional_policy(`
 	corosync_stream_connect(cmirrord_t)
 ')
+
+optional_policy(`
+    rhcs_rw_cluster_tmpfs(cmirrord_t)
+')
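Review bot: This hunk keeps `corosync_stream_connect(cmirrord_t)` while clogd.te in the same commit replaces `aisexec_stream_connect`/`corosync_stream_connect` with `rhcs_stream_connect_cluster`; if those interfaces were folded into the rhcs module, cmirrord should follow with `rhcs_stream_connect_cluster(cmirrord_t)` and the call can share the new `rhcs_rw_cluster_tmpfs` block. The added block is indented with four spaces while the surrounding blocks use a tab.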
diff --git a/cobbler.fc b/cobbler.fc
index 973d208..6ce8803 100644
--- a/cobbler.fc
+++ b/cobbler.fc
@@ -4,11 +4,15 @@
 
 /usr/bin/cobblerd	--	gen_context(system_u:object_r:cobblerd_exec_t,s0)
 
+/var/cache/cobbler(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/cobbler(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 
+/var/lib/tftpboot/aarch64(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/boot(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/etc(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/grub(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/images(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images2(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/memdisk	--	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/menu\.c32	--	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 /var/lib/tftpboot/ppc(/.*)?	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
index c223f81..8b567c1 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
 	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
 ')
 
+
+
+########################################
+## <summary>
+##	Read cobbler configuration dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cobbler_list_config',`
+	gen_require(`
+		type cobbler_etc_t;
+	')
+
+	list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+	files_search_etc($1)
+')
+
+
 ########################################
 ## <summary>
 ##	Read cobbler configuration files.
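Review bot: The summary of `cobbler_list_config` says "Read cobbler configuration dirs." but the body grants only `list_dirs_pattern`; change it to `##	List cobbler configuration directories.` so callers do not assume file read access. The two blank lines inserted before the new interface and the two after it break the single-blank-line separation used in the rest of the file.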
@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
 
 	files_search_var_lib($1)
 	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 ')
 
 ########################################
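Review bot: The added `read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)` is indented with four spaces while its neighbours use a tab; the same applies to the two `manage_*_pattern` lines added to `cobbler_manage_lib_files` in the next hunk. Re-indent both with tabs to match the file.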
@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+    manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
 ')
 
 ########################################
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
 interface(`cobbler_admin',`
 	gen_require(`
 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+		type cobbler_etc_t, cobblerd_initrc_exec_t;
+		type cobbler_tmp_t;
 	')
 
 	allow $1 cobblerd_t:process { ptrace signal_perms };
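Review bot: `cobbler_admin` still grants `{ ptrace signal_perms }` unconditionally on the line right after the edited require block, whereas the other admin interfaces this commit touches (`cmirrord_admin`, `collectd_admin`, `cockpit_admin`) move `ptrace` behind `tunable_policy(`deny_ptrace',`',` ... `)`. Since this block is already being changed, apply the same split here so the deny_ptrace boolean is effective across all admin interfaces. The interface body continues past the end of the hunk.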
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
 
 	logging_search_logs($1)
 	admin_pattern($1, cobbler_var_log_t)
-
-	apache_search_sys_content($1)
-	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
 ')
diff --git a/cobbler.te b/cobbler.te
index 5f306dd..e01156f 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
 
 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
 
 kernel_read_system_state(cobblerd_t)
-kernel_dontaudit_search_network_state(cobblerd_t)
+kernel_read_network_state(cobblerd_t)
 
 corecmd_exec_bin(cobblerd_t)
 corecmd_exec_shell(cobblerd_t)
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
 corenet_tcp_connect_http_port(cobblerd_t)
 corenet_sendrecv_http_client_packets(cobblerd_t)
 
+dev_read_sysfs(cobblerd_t)
 dev_read_urand(cobblerd_t)
 
 files_list_boot(cobblerd_t)
 files_list_tmp(cobblerd_t)
 files_read_boot_files(cobblerd_t)
-files_read_etc_files(cobblerd_t)
 files_read_etc_runtime_files(cobblerd_t)
-files_read_usr_files(cobblerd_t)
 
 fs_getattr_all_fs(cobblerd_t)
 fs_read_iso9660_files(cobblerd_t)
@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
 
 term_use_console(cobblerd_t)
 
+auth_use_nsswitch(cobblerd_t)
+
 logging_send_syslog_msg(cobblerd_t)
 
 miscfiles_read_localization(cobblerd_t)
@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
 ')
 
 optional_policy(`
+	apache_domtrans(cobblerd_t)
 	apache_search_sys_content(cobblerd_t)
 ')
 
@@ -170,6 +173,7 @@ optional_policy(`
 	bind_domtrans(cobblerd_t)
 	bind_initrc_domtrans(cobblerd_t)
 	bind_manage_zone(cobblerd_t)
+	bind_systemctl(cobblerd_t)
 ')
 
 optional_policy(`
@@ -179,12 +183,22 @@ optional_policy(`
 optional_policy(`
 	dhcpd_domtrans(cobblerd_t)
 	dhcpd_initrc_domtrans(cobblerd_t)
+	dhcpd_systemctl(cobblerd_t)
 ')
 
 optional_policy(`
 	dnsmasq_domtrans(cobblerd_t)
 	dnsmasq_initrc_domtrans(cobblerd_t)
 	dnsmasq_write_config(cobblerd_t)
+	dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
+    libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
+    mysql_stream_connect(cobblerd_t)
 ')
 
 optional_policy(`
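Review bot: `libs_exec_ldconfig(cobblerd_t)` is wrapped in `optional_policy`, whereas cloudform.te in this commit calls `libs_exec_ldconfig(cloud_init_t)` unconditionally; if libs is part of the base policy here, the wrapper adds nothing and the two files should agree. Both new blocks are indented with four spaces while the surrounding blocks use tabs.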
@@ -192,13 +206,13 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rsync_exec(cobblerd_t)
 	rsync_read_config(cobblerd_t)
-	rsync_manage_config_files(cobblerd_t)
+	rsync_manage_config(cobblerd_t)
 	rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
 ')
 
 optional_policy(`
-	tftp_manage_config_files(cobblerd_t)
-	tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+	tftp_manage_config(cobblerd_t)
 	tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
 ')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
index 0000000..9ed6fdc
--- /dev/null
+++ b/cockpit.fc
@@ -0,0 +1,12 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.*		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+/etc/systemd/system/cockpit.*	--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpit-ws		--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/var/lib/cockpit(/.*)?      gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+
+/var/run/cockpit-ws(/.*)?   gen_context(system_u:object_r:cockpit_var_run_t,s0)
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 0000000..d5920c0
--- /dev/null
+++ b/cockpit.if
@@ -0,0 +1,188 @@
+## <summary>policy for cockpit</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_ws_domtrans',`
+	gen_require(`
+		type cockpit_ws_t, cockpit_ws_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
+')
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_session_domtrans',`
+	gen_require(`
+		type cockpit_session_t, cockpit_session_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
+')
+
+########################################
+## <summary>
+##	Search cockpit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_search_lib',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	allow $1 cockpit_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read cockpit lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_read_lib_files',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_lib_files',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_lib_dirs',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute cockpit server in the cockpit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cockpit_systemctl',`
+	gen_require(`
+		type cockpit_ws_t;
+		type cockpit_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 cockpit_unit_file_t:file read_file_perms;
+	allow $1 cockpit_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, cockpit_ws_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an cockpit environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cockpit_admin',`
+	gen_require(`
+		type cockpit_ws_t;
+		type cockpit_session_t;
+		type cockpit_var_lib_t;
+		type cockpit_var_run_t;
+		type cockpit_unit_file_t;
+	')
+
+	allow $1 cockpit_ws_t:process { signal_perms };
+	ps_process_pattern($1, cockpit_ws_t)
+
+	allow $1 cockpit_session_t:process { signal_perms };
+	ps_process_pattern($1, cockpit_session_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cockpit_ws_t:process ptrace;
+		allow $1 cockpit_session_t:process ptrace;
+	')
+
+	files_search_var_lib($1)
+	admin_pattern($1, cockpit_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, cockpit_var_run_t)
+
+	cockpit_systemctl($1)
+	admin_pattern($1, cockpit_unit_file_t)
+	allow $1 cockpit_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
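Review bot: The summaries of `cockpit_ws_domtrans` and `cockpit_session_domtrans` still read "Execute TEMPLATE in the cockpit domin." — the placeholder was never filled in and "domin" is a typo; write `##	Execute cockpit-ws in the cockpit_ws_t domain.` and `##	Execute cockpit-session in the cockpit_session_t domain.` respectively. `cockpit_systemctl` is summarised as "Execute cockpit server in the cockpit domain." although it grants systemctl access to `cockpit_unit_file_t`; use `##	Execute systemctl to manage cockpit units.` Its `systemd_read_fifo_file_passwd_run($1)` line is indented with spaces and is granted again inside `cockpit_admin`'s optional_policy block, so one of the two is redundant.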
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 0000000..77cdd5e
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,111 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_ws_t;
+type cockpit_ws_exec_t;
+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
+
+type cockpit_tmp_t;
+files_tmp_file(cockpit_tmp_t)
+
+type cockpit_var_run_t;
+files_pid_file(cockpit_var_run_t)
+
+type cockpit_unit_file_t;
+systemd_unit_file(cockpit_unit_file_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_session_t;
+type cockpit_session_exec_t;
+domain_type(cockpit_session_t)
+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
+
+########################################
+#
+# cockpit_ws_t local policy
+#
+
+allow cockpit_ws_t self:capability net_admin;
+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
+
+# cockpit-ws can execute cockpit-session
+can_exec(cockpit_ws_t,cockpit_session_exec_t)
+
+# cockpit-ws can read from /dev/urandom
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t)  # for libssh
+
+corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
+
+# cockpit-ws can write to its temp files
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_lnk_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t)
+files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file })
+
+read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+auth_use_nsswitch(cockpit_ws_t)
+
+init_stream_connect(cockpit_ws_t)
+
+logging_send_syslog_msg(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
+cockpit_session_domtrans(cockpit_ws_t)
+allow cockpit_ws_t cockpit_session_t:process signal_perms;
+
+# cockpit-session communicates back with cockpit-ws
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+optional_policy(`
+    kerberos_use(cockpit_ws_t)
+    kerberos_etc_filetrans_keytab(cockpit_ws_t)
+')
+
+optional_policy(`
+	ssh_read_user_home_files(cockpit_ws_t)
+')
+
+#########################################################
+#
+#  cockpit-session local policy
+#
+
+# cockpit-session changes to the actual logged in user
+allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid };
+allow cockpit_session_t self:process { setexec setsched signal_perms };
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file })
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
+
+optional_policy(`
+    userdom_signal_all_users(cockpit_session_t)
+')
+
+optional_policy(`
+	unconfined_domtrans(cockpit_session_t)
+')
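Review bot: `can_exec(cockpit_ws_t,cockpit_session_exec_t)` alongside `cockpit_session_domtrans(cockpit_ws_t)` lets cockpit-ws execute cockpit-session without the transition into `cockpit_session_t`, not only through it; since that domain holds `sys_admin`, `setuid`, `setgid` and `setexec` and runs the PAM stack, the transition should be the only sanctioned path, so drop the `can_exec` line and its comment and keep the domtrans. `allow cockpit_ws_t self:capability net_admin;` is the one rule in the cockpit-ws section without a why-comment; add one naming the operation that needs it, or remove the capability if nothing does. The `allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;` rule belongs in the cockpit-session section below rather than in the ws section.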
diff --git a/collectd.fc b/collectd.fc
index 79a3abe..3237fb0 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -1,9 +1,12 @@
 /etc/rc\.d/init\.d/collectd	--	gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/collectd.*  -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+
 /usr/sbin/collectd	--	gen_context(system_u:object_r:collectd_exec_t,s0)
 
 /var/lib/collectd(/.*)?	gen_context(system_u:object_r:collectd_var_lib_t,s0)
 
 /var/run/collectd\.pid	--	gen_context(system_u:object_r:collectd_var_run_t,s0)
+/var/run/collectd-unixsock  -s  gen_context(system_u:object_r:collectd_var_run_t,s0)
 
-/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
+/usr/share/collectd/collection3/bin/.*\.cgi	--	gen_context(system_u:object_r:collectd_script_exec_t,s0)
diff --git a/collectd.if b/collectd.if
index 954309e..6780142 100644
--- a/collectd.if
+++ b/collectd.if
@@ -2,8 +2,145 @@
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an collectd environment.
+##	Transition to collectd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`collectd_domtrans',`
+	gen_require(`
+		type collectd_t, collectd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+########################################
+## <summary>
+##	Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_initrc_domtrans',`
+	gen_require(`
+		type collectd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Search collectd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_search_lib',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	allow $1 collectd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read collectd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_read_lib_files',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage collectd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_manage_lib_files',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage collectd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`collectd_manage_lib_dirs',`
+	gen_require(`
+		type collectd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`collectd_systemctl',`
+	gen_require(`
+		type collectd_t;
+		type collectd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 collectd_unit_file_t:file read_file_perms;
+	allow $1 collectd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, collectd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an collectd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
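Review bot: The summaries of `collectd_initrc_domtrans` and `collectd_systemctl` both read "Execute collectd server in the collectd domain.", which describes `collectd_domtrans` rather than these interfaces; use `##	Execute collectd init scripts in the init script domain.` for the first and `##	Execute systemctl to manage collectd units.` for the second. The hunk ends inside the `collectd_admin` header comment.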
@@ -20,13 +157,17 @@
 interface(`collectd_admin',`
 	gen_require(`
 		type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
-		type collectd_var_lib_t;
+        type collectd_var_lib_t, collectd_unit_file_t;
 	')
 
-	allow $1 collectd_t:process { ptrace signal_perms };
+	allow $1 collectd_t:process signal_perms;
 	ps_process_pattern($1, collectd_t)
 
-	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 collectd_t:process ptrace;
+	')
+
+	collectd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 collectd_initrc_exec_t system_r;
 	allow $2 system_r;
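Review bot: The new `type collectd_var_lib_t, collectd_unit_file_t;` line inside `gen_require` is indented with spaces while its neighbours use a tab; re-indent it with a tab. The `collectd_admin` body continues past the end of the hunk.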
@@ -36,4 +177,9 @@ interface(`collectd_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, collectd_var_lib_t)
+
+	collectd_systemctl($1)
+	admin_pattern($1, collectd_unit_file_t)
+	allow $1 collectd_unit_file_t:service all_service_perms;
 ')
+
diff --git a/collectd.te b/collectd.te
index 6471fa8..3f5989f 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
 type collectd_var_run_t;
 files_pid_file(collectd_var_run_t)
 
+type collectd_unit_file_t;
+systemd_unit_file(collectd_unit_file_t)
+
 apache_content_template(collectd)
+apache_content_alias_template(collectd, collectd)
+
+type collectd_script_tmp_t alias httpd_collectd_script_tmp_t;
+files_tmp_file(collectd_script_tmp_t)
 
 ########################################
 #
 # Local policy
 #
 
-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override setuid setgid };
 allow collectd_t self:process { getsched setsched signal };
 allow collectd_t self:fifo_file rw_fifo_file_perms;
 allow collectd_t self:packet_socket create_socket_perms;
 allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
 
 manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
 manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
 files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
 
 manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file })
 
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
 
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
+auth_use_nsswitch(collectd_t)
+
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
 
 dev_read_rand(collectd_t)
 dev_read_sysfs(collectd_t)
 dev_read_urand(collectd_t)
 
+domain_use_interactive_fds(collectd_t)
+domain_read_all_domains_state(collectd_t)
+
 files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
 
 fs_getattr_all_fs(collectd_t)
+fs_getattr_all_dirs(collectd_t)
 
-miscfiles_read_localization(collectd_t)
+init_read_utmp(collectd_t)
 
 logging_send_syslog_msg(collectd_t)
 
@@ -74,17 +90,41 @@ tunable_policy(`collectd_tcp_network_connect',`
 	corenet_tcp_sendrecv_all_ports(collectd_t)
 ')
 
+
+optional_policy(`
+	pdns_stream_connect(collectd_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+    netutils_domtrans_ping(collectd_t)
+')
+
+optional_policy(`
+    snmp_read_snmp_var_lib_dirs(collectd_t)
+')
+
 optional_policy(`
 	virt_read_config(collectd_t)
+	virt_stream_connect(collectd_t)
 ')
 
 ########################################
 #
-# Web local policy
+# Web collectd local policy
 #
 
-optional_policy(`
-	read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-	list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-	miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
+
+files_search_var_lib(collectd_script_t)	
+read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+miscfiles_setattr_fonts_cache_dirs(collectd_script_t)
+
+manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
+manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t)
+files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir })	
+
+auth_read_passwd(collectd_script_t)
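Review bot: `auth_read_passwd(collectd_script_t)` grants the web script domain read access to the passwd database without a comment on why a collectd CGI needs it; a one-line why-comment, or a narrower interface if only nsswitch lookups are needed, would help later review. The `files_search_var_lib(collectd_script_t)` and `files_tmp_filetrans(collectd_script_t, …)` lines carry trailing whitespace, and an extra blank line is inserted above the pdns block. The web-section rules are now unconditional where the old ones sat in optional_policy; that is only safe because `apache_content_template(collectd)` above is itself unconditional, which is worth stating in the section comment.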
diff --git a/colord.fc b/colord.fc
index 71639eb..08ab891 100644
--- a/colord.fc
+++ b/colord.fc
@@ -7,5 +7,7 @@
 /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
 /usr/libexec/colord-sane	--	gen_context(system_u:object_r:colord_exec_t,s0)
 
+/usr/lib/systemd/system/colord.*  -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
 /var/lib/color(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
 /var/lib/colord(/.*)?	gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
index 8e27a37..c69be28 100644
--- a/colord.if
+++ b/colord.if
@@ -1,4 +1,4 @@
-## <summary>GNOME color manager.</summary>
+## <summary>GNOME color manager</summary>
 
 ########################################
 ## <summary>
@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
 		type colord_t, colord_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, colord_exec_t, colord_t)
 ')
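Review bot: Dropping `corecmd_search_bin($1)` from colord_domtrans means a caller that does not already have search access on bin directories can no longer reach /usr/libexec/colord (labelled colord_exec_t per colord.fc in this commit), so the transition silently stops working for such domains. If the assumption is that every plausible caller already has bin search, a comment saying so belongs here; otherwise keep the line. The interface header is outside the hunk.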
 
@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
 
 	allow $1 colord_t:dbus send_msg;
 	allow colord_t $1:dbus send_msg;
+	ps_process_pattern(colord_t, $1)
 ')
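Review bot: `ps_process_pattern(colord_t, $1)` lets colord read the calling domain's /proc/<pid> state, which is more than the interface name and summary ("send and receive messages over dbus") promise, so every existing caller of colord_dbus_chat now also grants process introspection. Either document it in the summary block above the hunk, e.g. `## Also allows colord to read the process state of the domain.`, or move it into a separate interface so callers opt in explicitly.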
 
 ######################################
@@ -58,3 +58,27 @@ interface(`colord_read_lib_files',`
 	files_search_var_lib($1)
 	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Execute colord server in the colord domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`colord_systemctl',`
+	gen_require(`
+		type colord_t;
+		type colord_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 colord_unit_file_t:file read_file_perms;
+	allow $1 colord_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, colord_t)
+')
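Review bot: The summary `Execute colord server in the colord domain.` does not describe what colord_systemctl grants: the caller may run systemctl, reload services and manage the colord unit file, and no domain transition into colord_t happens at all. Replace it with something like `## Allow the specified domain to manage the colord service (systemctl start/stop/status).`; the same copy-pasted summary appears on collectd_systemctl, condor_systemctl and conman_systemctl in this commit.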
diff --git a/colord.te b/colord.te
index 9f2dfb2..def3424 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
 type colord_t;
 type colord_exec_t;
 dbus_system_domain(colord_t, colord_exec_t)
+init_daemon_domain(colord_t, colord_exec_t)
 
 type colord_tmp_t;
 files_tmp_file(colord_tmp_t)
@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
 type colord_var_lib_t;
 files_type(colord_var_lib_t)
 
+type colord_unit_file_t;
+systemd_unit_file(colord_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
 allow colord_t self:capability { dac_read_search dac_override };
 dontaudit colord_t self:capability sys_admin;
 allow colord_t self:process signal;
+
 allow colord_t self:fifo_file rw_fifo_file_perms;
 allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow colord_t self:tcp_socket { accept listen };
+allow colord_t self:tcp_socket create_stream_socket_perms;
 allow colord_t self:shm create_shm_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
 dev_write_video_dev(colord_t)
 dev_rw_printer(colord_t)
 dev_read_rand(colord_t)
-dev_read_sysfs(colord_t)
 dev_read_urand(colord_t)
-dev_list_sysfs(colord_t)
+dev_read_sysfs(colord_t)
 dev_rw_generic_usb_dev(colord_t)
 
 domain_use_interactive_fds(colord_t)
 
 files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
 
-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
+fs_getattr_all_fs(colord_t)
 fs_list_noxattr_fs(colord_t)
 fs_read_noxattr_fs_files(colord_t)
 fs_search_all(colord_t)
 fs_dontaudit_getattr_all_fs(colord_t)
+fs_getattr_tmpfs(colord_t)
+fs_read_cgroup_files(colord_t)
 
 storage_getattr_fixed_disk_dev(colord_t)
 storage_getattr_removable_dev(colord_t)
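Review bot: After this hunk `fs_getattr_all_fs(colord_t)`, `fs_dontaudit_getattr_all_fs(colord_t)` and `fs_getattr_tmpfs(colord_t)` coexist; the dontaudit and the tmpfs-specific call are both subsumed by the all-fs allow, so two of the three lines are dead. Keep just `fs_getattr_all_fs(colord_t)`, or, if the broad getattr was not intended, restore the narrower noxattr/tmpfs pair and drop the all-fs line.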
@@ -100,19 +106,16 @@ init_read_state(colord_t)
 
 auth_use_nsswitch(colord_t)
 
-logging_send_syslog_msg(colord_t)
+init_read_state(colord_t)
 
-miscfiles_read_localization(colord_t)
+logging_send_syslog_msg(colord_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_getattr_nfs(colord_t)
-	fs_read_nfs_files(colord_t)
-')
+systemd_read_logind_sessions_files(colord_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_getattr_cifs(colord_t)
-	fs_read_cifs_files(colord_t)
-')
+userdom_rw_user_tmp_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
 
 optional_policy(`
 	cups_read_config(colord_t)
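Review bot: `init_read_state(colord_t)` is added here although the hunk header shows the same call already present earlier in the file, so it is now duplicated. Replacing the use_nfs_home_dirs/use_samba_home_dirs tunables with unconditional `userdom_home_reader(colord_t)` and `userdom_read_inherited_user_home_content_files(colord_t)` widens colord's reach to user home content without a tunable; if that is deliberate, a short comment on what colord reads from home directories would justify it.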
@@ -120,6 +123,13 @@ optional_policy(`
 	cups_read_state(colord_t)
 	cups_stream_connect(colord_t)
 	cups_dbus_chat(colord_t)
+	cups_read_state(colord_t)
+')
+
+optional_policy(`
+	gnome_read_home_icc_data_content(colord_t)
+	# Fixes lots of breakage in F16 on upgrade
+	gnome_read_generic_data_home_files(colord_t)
 ')
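Review bot: `cups_read_state(colord_t)` is added at the end of the cups block while the same call is already present three lines above as context, so it is a duplicate. The comment `# Fixes lots of breakage in F16 on upgrade` records a historical workaround; naming what breaks (which generic data-home files colord reads) would age better than the release number.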
 
 optional_policy(`
@@ -134,6 +144,23 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_hwdb_read_config(colord_t)
+')
+
+optional_policy(`
 	udev_read_db(colord_t)
 	udev_read_pid_files(colord_t)
 ')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(colord_t)
+	xserver_read_xdm_state(colord_t)
+	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+	xserver_read_inherited_xdm_lib_files(colord_t)
+    # allow to read /run/initial-setup-$username
+    xserver_read_xdm_pid(colord_t)
+')
+
+optional_policy(`
+	zoneminder_rw_tmpfs_files(colord_t)
+')
diff --git a/comsat.te b/comsat.te
index c63cf85..dc6998b 100644
--- a/comsat.te
+++ b/comsat.te
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
 kernel_read_network_state(comsat_t)
 kernel_read_system_state(comsat_t)
 
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
 dev_read_urand(comsat_t)
 
 fs_getattr_xattr_fs(comsat_t)
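Review bot: `corenet_udp_sendrecv_all_ports(comsat_t)` is broader than the single UDP service comsat implements; if the policy declares a comsat port type, the port-specific sendrecv interface would confine this to that port. A comment on why netlabel receive is needed for an inetd-spawned service would also help a later reader.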
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
 
 logging_send_syslog_msg(comsat_t)
 
-miscfiles_read_localization(comsat_t)
-
 userdom_dontaudit_getattr_user_ttys(comsat_t)
 
 mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
index ad2b696..28d1af0 100644
--- a/condor.fc
+++ b/condor.fc
@@ -1,6 +1,7 @@
 /etc/condor(/.*)?	gen_context(system_u:object_r:condor_conf_t,s0)
 
 /etc/rc\.d/init\.d/condor	--	gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.*        --  gen_context(system_u:object_r:condor_unit_file_t,s0)
 
 /usr/sbin/condor_collector	--	gen_context(system_u:object_r:condor_collector_exec_t,s0)
 /usr/sbin/condor_master	--	gen_context(system_u:object_r:condor_master_exec_t,s0)
diff --git a/condor.if b/condor.if
index 881d92f..a2d588a 100644
--- a/condor.if
+++ b/condor.if
@@ -1,75 +1,391 @@
-## <summary>High-Throughput Computing System.</summary>
+
+## <summary>policy for condor</summary>
+
+#####################################
+## <summary>
+##  Creates types and rules for a basic
+##  condor init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`condor_domain_template',`
+    gen_require(`
+        type condor_master_t;
+        attribute condor_domain;
+    ')
+
+    #############################
+    #
+    # Declarations
+    #
+
+    type condor_$1_t, condor_domain;
+    type condor_$1_exec_t;
+    init_daemon_domain(condor_$1_t, condor_$1_exec_t)
+    role system_r types condor_$1_t;
+
+    domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+    allow condor_master_t condor_$1_exec_t:file ioctl;
+
+	kernel_read_system_state(condor_$1_t)
+
+	corenet_all_recvfrom_netlabel(condor_$1_t)
+	corenet_all_recvfrom_unlabeled(condor_$1_t)
+
+    auth_use_nsswitch(condor_$1_t)
+
+    logging_send_syslog_msg(condor_$1_t)
+')
+
+########################################
+## <summary>
+##	Transition to condor.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`condor_domtrans_master',`
+	gen_require(`
+		type condor_master_t, condor_master_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, condor_master_exec_t, condor_master_t)
+')
+
+#######################################
+## <summary>
+##  Allows to start userland processes
+##  by transitioning to the specified domain,
+##  with a range transition.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The process type entered by condor_startd.
+##  </summary>
+## </param>
+## <param name="entrypoint">
+##  <summary>
+##  The executable type for the entrypoint.
+##  </summary>
+## </param>
+## <param name="range">
+##  <summary>
+##  Range for the domain.
+##  </summary>
+## </param>
+#
+interface(`condor_startd_ranged_domtrans_to',`
+    gen_require(`
+        type sshd_t;
+    ')
+    condor_startd_domtrans_to($1, $2)
+
+
+    ifdef(`enable_mcs',`
+        range_transition condor_startd_t $2:process $3;
+    ')
+
+')
 
 #######################################
 ## <summary>
-##	The template to define a condor domain.
+##  Allows to start userlandprocesses
+##  by transitioning to the specified domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="domain">
+##  <summary>
+##  The process type entered by condor_startd.
+##  </summary>
+## </param>
+## <param name="entrypoint">
+##  <summary>
+##  The executable type for the entrypoint.
+##  </summary>
+## </param>
+#
+interface(`condor_startd_domtrans_to',`
+    gen_require(`
+        type condor_startd_t;
+    ')
+
+    domtrans_pattern(condor_startd_t, $2, $1)
+')
+
+########################################
+## <summary>
+##	Read condor's log files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Domain prefix to be used.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-template(`condor_domain_template',`
+interface(`condor_read_log',`
 	gen_require(`
-		attribute condor_domain;
-		type condor_master_t;
+		type condor_log_t;
 	')
 
-	#############################
-	#
-	# Declarations
-	#
+	logging_search_logs($1)
+	read_files_pattern($1, condor_log_t, condor_log_t)
+')
 
-	type condor_$1_t, condor_domain;
-	type condor_$1_exec_t;
-	domain_type(condor_$1_t)
-	domain_entry_file(condor_$1_t, condor_$1_exec_t)
-	role system_r types condor_$1_t;
+########################################
+## <summary>
+##	Append to condor log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_append_log',`
+	gen_require(`
+		type condor_log_t;
+	')
 
-	#############################
-	#
-	# Policy
-	#
+	logging_search_logs($1)
+	append_files_pattern($1, condor_log_t, condor_log_t)
+')
 
-	domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
-	allow condor_master_t condor_$1_exec_t:file ioctl;
+########################################
+## <summary>
+##	Manage condor log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_log',`
+	gen_require(`
+		type condor_log_t;
+	')
 
-	auth_use_nsswitch(condor_$1_t)
+	logging_search_logs($1)
+	manage_dirs_pattern($1, condor_log_t, condor_log_t)
+	manage_files_pattern($1, condor_log_t, condor_log_t)
+	manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an condor environment.
+##	Search condor lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`condor_search_lib',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	allow $1 condor_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read condor lib files.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+######################################
+## <summary>
+##  Read and write condor lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_lib_files',`
+    gen_require(`
+        type condor_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage condor lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_lib_files',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage condor lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_manage_lib_dirs',`
+	gen_require(`
+		type condor_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read condor PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_read_pid_files',`
 	gen_require(`
-		attribute condor_domain;
-		type condor_initrc_exec_config_t, condor_log_t;
-		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
+		type condor_var_run_t;
 	')
 
-	allow $1 condor_domain:process { ptrace signal_perms };
+	files_search_pids($1)
+	allow $1 condor_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute condor server in the condor domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`condor_systemctl',`
+	gen_require(`
+		type condor_domain;
+		type condor_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 condor_unit_file_t:file read_file_perms;
+	allow $1 condor_unit_file_t:service manage_service_perms;
+
 	ps_process_pattern($1, condor_domain)
+')
+
+#######################################
+## <summary>
+##  Read and write condor_startd server TCP sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_tcp_sockets_startd',`
+	gen_require(`
+		type condor_startd_t;
+	')
 
-	init_labeled_script_domtrans($1, condor_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 condor_initrc_exec_t system_r;
-	allow $2 system_r;
+	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
+######################################
+## <summary>
+##  Read and write condor_schedd server TCP sockets.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`condor_rw_tcp_sockets_schedd',`
+    gen_require(`
+        type condor_schedd_t;
+    ')
+
+    allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an condor environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`condor_admin',`
+    gen_require(`
+        attribute condor_domain;
+        type condor_initrc_exec_t, condor_log_t, condor_conf_t;
+        type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+        type condor_var_run_t, condor_startd_tmp_t;
+		type condor_unit_file_t;
+    ')
+
+	allow $1 condor_domain:process { signal_perms };
+	ps_process_pattern($1, condor_domain)
+
+    init_labeled_script_domtrans($1, condor_initrc_exec_t)
+    domain_system_change_exemption($1)
+    role_transition $2 condor_initrc_exec_t system_r;
+    allow $2 system_r;
 
 	files_search_etc($1)
 	admin_pattern($1, condor_conf_t)
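Review bot: condor_systemctl's gen_require declares `type condor_domain;` although condor_domain is an attribute (condor_domain_template requires it as `attribute condor_domain;`), so the require should read `attribute condor_domain;`; a type/attribute flavor mismatch is likely to be rejected when the module is linked, or at best hides the real dependency. condor_startd_ranged_domtrans_to requires `type sshd_t;` but never uses it, which creates a needless dependency on the ssh module; drop that require. condor_admin documents its role parameter as `Domain allowed access.` and, unlike collectd_admin and conman_admin in this commit, grants no ptrace under the deny_ptrace tunable. condor_admin's body continues past the hunk.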
@@ -77,8 +393,8 @@ interface(`condor_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, condor_log_t)
 
-	files_search_locks($1)
-	admin_pattern($1, condor_var_lock_t)
+    files_search_locks($1)
+    admin_pattern($1, condor_var_lock_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, condor_var_lib_t)
@@ -88,4 +404,13 @@ interface(`condor_admin',`
 
 	files_search_tmp($1)
 	admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+
+	condor_systemctl($1)
+	admin_pattern($1, condor_unit_file_t)
+	allow $1 condor_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
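Review bot: The optional_policy block wraps systemd_passwd_agent_exec and systemd_read_fifo_file_passwd_run, yet condor_systemctl, called two lines earlier, already invokes `systemd_read_fifo_file_passwd_run($1)` and `systemd_exec_systemctl($1)` unconditionally, so the guard buys nothing and one of the two calls is redundant. Either treat systemd as a hard dependency here too or move the systemctl interface's systemd calls under optional_policy; conman_admin and conman_systemctl have the same split.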
diff --git a/condor.te b/condor.te
index ce9f040..dc29445 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
 type condor_startd_tmpfs_t;
 files_tmpfs_file(condor_startd_tmpfs_t)
 
-type condor_conf_t;
+type condor_conf_t alias condor_etc_rw_t;
 files_config_file(condor_conf_t)
 
 type condor_log_t;
@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
 type condor_var_run_t;
 files_pid_file(condor_var_run_t)
 
+type condor_unit_file_t;
+systemd_unit_file(condor_unit_file_t)
+
 condor_domain_template(collector)
 condor_domain_template(negotiator)
 condor_domain_template(procd)
@@ -60,10 +63,18 @@ condor_domain_template(startd)
 # Global local policy
 #
 
+allow condor_domain self:capability dac_override;
+allow condor_domain self:capability2 block_suspend;
+
 allow condor_domain self:process signal_perms;
 allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
-allow condor_domain self:unix_stream_socket { accept listen };
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
 
 rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
 
@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
 
 allow condor_domain condor_master_t:process signull;
 allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
 
 kernel_read_kernel_sysctls(condor_domain)
 kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
 
 corecmd_exec_bin(condor_domain)
 corecmd_exec_shell(condor_domain)
 
-corenet_all_recvfrom_netlabel(condor_domain)
-corenet_all_recvfrom_unlabeled(condor_domain)
 corenet_tcp_sendrecv_generic_if(condor_domain)
 corenet_tcp_sendrecv_generic_node(condor_domain)
 
@@ -109,9 +118,9 @@ dev_read_rand(condor_domain)
 dev_read_sysfs(condor_domain)
 dev_read_urand(condor_domain)
 
-logging_send_syslog_msg(condor_domain)
+auth_read_passwd(condor_domain)
 
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
 
 sysnet_dns_name_resolve(condor_domain)
 
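Review bot: `sysnet_dns_name_resolve(condor_domain)` replaces miscfiles_read_localization, but the identical call is already present two lines below as context, so it is now duplicated. If auth_use_nsswitch (moved into condor_domain_template in condor.if) is meant to cover name resolution, the new line can be dropped entirely; whether `auth_read_passwd(condor_domain)` is likewise subsumed by auth_use_nsswitch is worth checking rather than carrying both.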
@@ -130,7 +139,7 @@ optional_policy(`
 # Master local policy
 #
 
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { chown setuid setgid sys_ptrace };
 
 allow condor_master_t condor_domain:process { sigkill signal };
 
@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
 
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
+
 corenet_udp_sendrecv_generic_if(condor_master_t)
 corenet_udp_sendrecv_generic_node(condor_master_t)
 corenet_tcp_bind_generic_node(condor_master_t)
@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t)
 
 auth_use_nsswitch(condor_master_t)
 
+logging_send_syslog_msg(condor_master_t)
+
 optional_policy(`
 	mta_send_mail(condor_master_t)
 	mta_read_config(condor_master_t)
@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
 
 kernel_read_network_state(condor_collector_t)
 
+corenet_tcp_bind_http_port(condor_collector_t)
+
 #####################################
 #
 # Negotiator local policy
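Review bot: `corenet_tcp_bind_http_port(condor_collector_t)` lets the collector bind the HTTP port types, which is unexpected for a daemon that otherwise listens on its own service port; a comment stating which collector feature needs it would help, and if a single fixed port is involved a dedicated port type would be tighter than sharing http_port_t with web servers.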
@@ -183,6 +200,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
 allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
 allow condor_negotiator_t condor_master_t:udp_socket getattr;
 
+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
+
 ######################################
 #
 # Procd local policy
@@ -206,6 +225,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
 
 allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
 
+allow condor_schedd_t condor_master_tmp_t:dir getattr;  
+
 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
 domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
 
@@ -214,6 +235,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
 
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
 #####################################
 #
 # Startd local policy
@@ -238,11 +261,10 @@ domain_read_all_domains_state(condor_startd_t)
 mcs_process_set_categories(condor_startd_t)
 
 init_domtrans_script(condor_startd_t)
+init_initrc_domain(condor_startd_t)
 
 libs_exec_lib_files(condor_startd_t)
 
-files_read_usr_files(condor_startd_t)
-
 optional_policy(`
 	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
 	ssh_domtrans(condor_startd_t)
@@ -254,3 +276,7 @@ optional_policy(`
 		kerberos_use(condor_startd_ssh_t)
 	')
 ')
+
+optional_policy(`
+    unconfined_domain(condor_startd_t)
+')
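Review bot: `unconfined_domain(condor_startd_t)` makes condor_startd_t unconfined whenever the unconfined module is loaded, which nullifies the rest of the startd rules in this file and the ranged domain transitions added in condor.if; confinement choices made elsewhere in the policy then no longer apply to startd. If startd genuinely must run arbitrary jobs as itself, gate this on a dedicated boolean (a gen_tunable with a `<desc>` block, as conman.te does for conman_can_network) and document the trade-off, so administrators can keep startd confined by default.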
diff --git a/conman.fc b/conman.fc
new file mode 100644
index 0000000..d2f5c80
--- /dev/null
+++ b/conman.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/conman.*		--	gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand		--	gen_context(system_u:object_r:conman_exec_t,s0)
+
+/var/log/conman(/.*)?			gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)?		gen_context(system_u:object_r:conman_log_t,s0)
+
+/var/run/conmand.*      --      gen_context(system_u:object_r:conman_var_run_t,s0)
diff --git a/conman.if b/conman.if
new file mode 100644
index 0000000..1cc5fa4
--- /dev/null
+++ b/conman.if
@@ -0,0 +1,143 @@
+## <summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
+
+########################################
+## <summary>
+##	Execute conman in the conman domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`conman_domtrans',`
+	gen_require(`
+		type conman_t, conman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, conman_exec_t, conman_t)
+')
+
+########################################
+## <summary>
+##	Read conman's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_read_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Append to conman log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_append_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Manage conman log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`conman_manage_log',`
+	gen_require(`
+		type conman_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, conman_log_t, conman_log_t)
+	manage_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+## <summary>
+##	Execute conman server in the conman domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`conman_systemctl',`
+	gen_require(`
+		type conman_t;
+		type conman_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 conman_unit_file_t:file read_file_perms;
+	allow $1 conman_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, conman_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an conman environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`conman_admin',`
+	gen_require(`
+		type conman_t;
+		type conman_log_t;
+	    type conman_unit_file_t;
+	')
+
+	allow $1 conman_t:process { signal_perms };
+	ps_process_pattern($1, conman_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 conman_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, conman_log_t)
+
+	conman_systemctl($1)
+	admin_pattern($1, conman_unit_file_t)
+	allow $1 conman_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
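Review bot: The conman_domtrans summary reads `Execute conman in the conman domin.` — typo for `domain`. conman_systemctl calls `systemd_read_fifo_file_passwd_run($1)` unconditionally while conman_admin wraps the same call in optional_policy; pick one treatment of the systemd dependency. conman_admin's gen_require lists only conman_t, conman_log_t and conman_unit_file_t, so unlike the other admin interfaces in this commit it cannot manage the daemon's pid or tmp files although its summary promises `All of the rules required to administrate`; either add those types or narrow the summary.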
diff --git a/conman.te b/conman.te
new file mode 100644
index 0000000..3bc9494
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,78 @@
+policy_module(conman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##	Determine whether conman can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(conman_can_network, false)
+
+type conman_t;
+type conman_exec_t;
+init_daemon_domain(conman_t, conman_exec_t)
+
+type conman_log_t;
+logging_log_file(conman_log_t)
+
+type conman_tmp_t;
+files_tmp_file(conman_tmp_t)
+
+type conman_var_run_t;
+files_pid_file(conman_var_run_t)
+
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
+########################################
+#
+# conman local policy
+#
+
+allow conman_t self:capability { sys_tty_config };
+allow conman_t self:process { setrlimit signal_perms };
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
+manage_files_pattern(conman_t, conman_tmp_t, conman_tmp_t)
+manage_dirs_pattern(conman_t, conman_tmp_t, conman_tmp_t)
+files_tmp_filetrans(conman_t, conman_tmp_t, { file dir })
+
+manage_files_pattern(conman_t, conman_var_run_t, conman_var_run_t)
+files_pid_filetrans(conman_t, conman_var_run_t, file)
+
+auth_use_nsswitch(conman_t)
+
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corenet_tcp_connect_all_ephemeral_ports(conman_t)
+
+corecmd_exec_bin(conman_t)
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
+tunable_policy(`conman_can_network',`
+	corenet_sendrecv_all_client_packets(conman_t)
+	corenet_tcp_connect_all_ports(conman_t)
+	corenet_tcp_sendrecv_all_ports(conman_t)
+')
+
+optional_policy(`
+    freeipmi_stream_connect(conman_t)
+')
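Review bot: `allow conman_t self:tcp_socket { accept listen create_socket_perms };` spells out what the `create_stream_socket_perms` macro already names (compare the unix_stream_socket line directly above it and the colord.te change in this commit); using the macro keeps the two lines consistent. `corenet_tcp_connect_all_ephemeral_ports(conman_t)` is unconditional while connect_all_ports sits behind conman_can_network; if ephemeral-port connects are only for the console backends, a comment saying so would explain why it is outside the tunable.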
diff --git a/consolekit.fc b/consolekit.fc
index 23c9558..29e5fd3 100644
--- a/consolekit.fc
+++ b/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.*  -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
 /usr/sbin/console-kit-daemon	--	gen_context(system_u:object_r:consolekit_exec_t,s0)
 
 /var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec..78025c5 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
 
 ########################################
 ## <summary>
+##	dontaudit Send and receive messages from
+##	consolekit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+	gen_require(`
+		type consolekit_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 consolekit_t:dbus send_msg;
+	dontaudit consolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	consolekit over dbus.
 ## </summary>
@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
 
 ########################################
 ## <summary>
+##	Dontaudit attempts to read consolekit log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_read_log',`
+	gen_require(`
+		type consolekit_log_t;
+	')
+
+	dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read consolekit log files.
 ## </summary>
 ## <param name="domain">
@@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',`
 	allow $1 consolekit_var_run_t:dir list_dir_perms;
 	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 ')
+
+########################################
+## <summary>
+##	List consolekit PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_list_pid_files',`
+	gen_require(`
+		type consolekit_var_run_t;
+	')
+
+	files_search_pids($1)
+	list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+## <summary>
+##	Allow the domain to read consolekit state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_read_state',`
+	gen_require(`
+		type consolekit_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, consolekit_t)
+')
+
+########################################
+## <summary>
+##	Execute consolekit server in the consolekit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`consolekit_systemctl',`
+	gen_require(`
+		type consolekit_t;
+		type consolekit_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 consolekit_unit_file_t:file read_file_perms;
+	allow $1 consolekit_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, consolekit_t)
+')
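Review bot: The summary of `consolekit_systemctl` says "Execute consolekit server in the consolekit domain" and its parameter is "Domain allowed to transition", but the body grants systemctl execution, unit-file reads and `manage_service_perms` and performs no domain transition. Suggest `##	Allow the domain to manage the consolekit service via systemctl.` for the summary and `##	Domain allowed access.` for the parameter. The same copied text appears on `corosync_systemctl` and `couchdb_systemctl` later in this diff.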
diff --git a/consolekit.te b/consolekit.te
index bd18063..47c8fd0 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
 
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
 allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+
 allow consolekit_t self:process { getsched signal };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
 
-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
 
 manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
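Review bot: Replacing the create/append/read/setattr rules with `manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` newly lets the daemon write to, rename and unlink its own log files, which gives up the append-only property the old rules preserved. If the daemon only appends to its log, keeping `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` and adding only `manage_dirs_pattern` would cover the directory creation the new `{ dir file }` filetrans needs without widening file access. If write or unlink is actually required, a one-line comment naming the operation would justify it.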
@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
 
 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
 
-files_read_usr_files(consolekit_t)
+# needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
 files_search_all_mountpoints(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 
-mcs_ptrace_all(consolekit_t)
-
 term_use_all_terms(consolekit_t)
 
 auth_use_nsswitch(consolekit_t)
 auth_manage_pam_console_data(consolekit_t)
 auth_write_login_records(consolekit_t)
 auth_create_pam_console_data_dirs(consolekit_t)
-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+
+init_read_utmp(consolekit_t)
 
 logging_send_syslog_msg(consolekit_t)
 logging_send_audit_msgs(consolekit_t)
 
-miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+systemd_start_power_services(consolekit_t)
 
+userdom_read_all_users_state(consolekit_t)
 userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
 userdom_read_user_tmp_files(consolekit_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(consolekit_t)
-')
+userdom_home_reader(consolekit_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(consolekit_t)
+optional_policy(`
+	cron_read_system_job_lib_files(consolekit_t)
 ')
 
 optional_policy(`
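Review bot: `userdom_home_reader(consolekit_t)` replaces two tunable-gated NFS/CIFS read grants with unconditional read access to user home content, which is wider than what it removes, and it makes the adjacent `userdom_dontaudit_read_user_home_content_files` line redundant once the access is allowed. If the access is only needed in the NFS/CIFS home case, keeping the `use_nfs_home_dirs`/`use_samba_home_dirs` tunables is the narrower choice; otherwise a comment stating why consolekit reads home content, like the `# needs to read /var/lib/dbus/machine-id` note above, would help the next reviewer.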
@@ -109,13 +110,6 @@ optional_policy(`
 	')
 ')
 
-optional_policy(`
-	hal_ptrace(consolekit_t)
-')
-
-optional_policy(`
-	networkmanager_append_log_files(consolekit_t)
-')
 
 optional_policy(`
 	policykit_domtrans_auth(consolekit_t)
diff --git a/corosync.fc b/corosync.fc
index da39f0f..6a96733 100644
--- a/corosync.fc
+++ b/corosync.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/corosync	--	gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/corosync.*  -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+
 /usr/sbin/corosync	--	gen_context(system_u:object_r:corosync_exec_t,s0)
 /usr/sbin/corosync-notifyd	--	gen_context(system_u:object_r:corosync_exec_t,s0)
 
diff --git a/corosync.if b/corosync.if
index 694a037..d859681 100644
--- a/corosync.if
+++ b/corosync.if
@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
 	read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
 ')
 
+#######################################
+## <summary>
+##	Setattr corosync log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corosync_setattr_log',`
+	gen_require(`
+		type corosync_var_log_t;
+	')
+
+	setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+
 #####################################
 ## <summary>
 ##	Connect to corosync over a unix
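Review bot: The separator above `corosync_setattr_log` is one `#` shorter than the forty-character rule used by the neighbouring interfaces, and two blank lines follow the interface instead of one. Both are cosmetic, but the file is otherwise consistent, so aligning them keeps it that way.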
@@ -91,29 +110,55 @@ interface(`corosync_read_log',`
 interface(`corosync_stream_connect',`
 	gen_require(`
 		type corosync_t, corosync_var_run_t;
+		type corosync_var_lib_t;
 	')
 
 	files_search_pids($1)
+	stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
 	stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
 ')
 
 ######################################
 ## <summary>
-##	Read and write corosync tmpfs files.
+##  Allow the specified domain to read/write corosync's tmpfs files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`corosync_rw_tmpfs',`
+    gen_require(`
+        type corosync_tmpfs_t;
+    ')
+
+	rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+
+')
+
+########################################
+## <summary>
+##	Execute corosync server in the corosync domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`corosync_rw_tmpfs',`
+interface(`corosync_systemctl',`
 	gen_require(`
-		type corosync_tmpfs_t;
+		type corosync_t;
+		type corosync_unit_file_t;
 	')
 
-	fs_search_tmpfs($1)
-	rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 corosync_unit_file_t:file read_file_perms;
+	allow $1 corosync_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, corosync_t)
 ')
 
 ######################################
@@ -160,12 +205,17 @@ interface(`corosync_admin',`
 		type corosync_t, corosync_var_lib_t, corosync_var_log_t;
 		type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
 		type corosync_initrc_exec_t;
+		type corosync_unit_file_t;
 	')
 
-	allow $1 corosync_t:process { ptrace signal_perms };
+	allow $1 corosync_t:process signal_perms;
 	ps_process_pattern($1, corosync_t)
 
-	corosync_initrc_domtrans($1)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 corosync_t:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, corosync_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 corosync_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -183,4 +233,8 @@ interface(`corosync_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, corosync_var_run_t)
+
+	corosync_systemctl($1)
+	admin_pattern($1, corosync_unit_file_t)
+	allow $1 corosync_unit_file_t:service all_service_perms;
 ')
diff --git a/corosync.te b/corosync.te
index d5aa1e4..837e0a8 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
 type corosync_var_run_t;
 files_pid_file(corosync_var_run_t)
 
+type corosync_unit_file_t;
+systemd_unit_file(corosync_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
 domain_read_all_domains_state(corosync_t)
 
 files_manage_mounttab(corosync_t)
-files_read_usr_files(corosync_t)
 
 auth_use_nsswitch(corosync_t)
 
@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
 miscfiles_read_localization(corosync_t)
 
 userdom_read_user_tmp_files(corosync_t)
-userdom_manage_user_tmpfs_files(corosync_t)
+userdom_delete_user_tmp_files(corosync_t)
+userdom_rw_user_tmp_files(corosync_t)
+
+optional_policy(`
+	fs_manage_tmpfs_files(corosync_t)
+	init_manage_script_status_files(corosync_t)
+')
 
 optional_policy(`
 	ccs_read_config(corosync_t)
@@ -129,20 +137,29 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lvm_rw_clvmd_tmpfs_files(corosync_t)
+	lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
+
+optional_policy(`
 	qpidd_rw_shm(corosync_t)
 ')
 
 optional_policy(`
-	rhcs_getattr_fenced_exec_files(corosync_t)
+	rhcs_getattr_fenced(corosync_t)
+	# to communication with RHCS
 	rhcs_rw_cluster_shm(corosync_t)
 	rhcs_rw_cluster_semaphores(corosync_t)
 	rhcs_stream_connect_cluster(corosync_t)
+	rhcs_read_cluster_lib_files(corosync_t)
+	rhcs_manage_cluster_lib_files(corosync_t)
+	rhcs_relabel_cluster_lib_files(corosync_t)
 ')
 
 optional_policy(`
-	rgmanager_manage_tmpfs_files(corosync_t)
+	rpc_search_nfs_state_data(corosync_t)
 ')
 
 optional_policy(`
-	rpc_search_nfs_state_data(corosync_t)
-')
\ No newline at end of file
+    wdmd_rw_tmpfs(corosync_t)
+')
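Review bot: The comment `# to communication with RHCS` should read `# to communicate with RHCS`, and it sits below `rhcs_getattr_fenced` while describing the shm/semaphore/stream lines that follow, so moving it one line up would make it introduce the whole block. `rhcs_relabel_cluster_lib_files(corosync_t)` lets the daemon change the labels of cluster lib files, a stronger grant than the read/manage lines beside it; a comment naming the operation that needs relabel would make it reviewable. The final `wdmd_rw_tmpfs` line is indented with four spaces where the rest of the file uses tabs.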
diff --git a/couchdb.fc b/couchdb.fc
index c086302..5380ab6 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,8 +1,10 @@
-/etc/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_conf_t,s0)
-
 /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 
-/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
+/usr/lib/systemd/system/couchdb.*		--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)
+
+/etc/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_conf_t,s0)
+
+/usr/libexec/couchdb    --  gen_context(system_u:object_r:couchdb_exec_t,s0)
 
 /var/lib/couchdb(/.*)?	gen_context(system_u:object_r:couchdb_var_lib_t,s0)
 
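Review bot: The daemon executable context moves from `/usr/bin/couchdb` to `/usr/libexec/couchdb`, so a `/usr/bin/couchdb` binary, if one still ships, would be labelled as a generic bin file and would no longer transition into `couchdb_t` when started. If both paths exist across supported package versions, keeping both entries is the safer choice; if the old path is gone, saying so in the commit message would settle it.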
diff --git a/couchdb.if b/couchdb.if
index 715a826..a1cbdb2 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Read couchdb log files.
+##	Allow to read couchdb log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
 		type couchdb_log_t;
 	')
 
-	logging_search_logs($1)
+	files_search_var_lib($1)
 	read_files_pattern($1, couchdb_log_t, couchdb_log_t)
 ')
 
 ########################################
 ## <summary>
-##	Read, write, and create couchdb lib files.
+##	Allow to read couchdb lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`couchdb_manage_lib_files',`
+interface(`couchdb_read_lib_files',`
 	gen_require(`
 		type couchdb_var_lib_t;
 	')
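Review bot: The interface is renamed from `couchdb_manage_lib_files` to `couchdb_read_lib_files` and its summary now promises read-only access, but the rule lines of its body fall outside this hunk, so it is not visible whether the pattern call was also changed to `read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)`. Worth confirming, since a read-named interface that still grants manage would mislead every caller that adopts the new name.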
@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
 
 ########################################
 ## <summary>
-##	Read couchdb config files.
+##	All of the rules required to
+##	administrate an couchdb environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_manage_lib_files',`
+	gen_require(`
+		type couchdb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage couchdb lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`couchdb_manage_lib_dirs',`
+	gen_require(`
+		type couchdb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow to read couchdb conf files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
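Review bot: The new `couchdb_manage_lib_files` carries the summary "All of the rules required to administrate an couchdb environment", which is the admin interface's text, while its body only manages `couchdb_var_lib_t` files; suggest `##	Manage couchdb lib files.` to match the sibling `couchdb_manage_lib_dirs`. Where the admin wording survives, "an couchdb" should be "a couchdb".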
@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
 		type couchdb_conf_t;
 	')
 
-	files_search_etc($1)
+	files_search_var_lib($1)
 	read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
 ')
 
 ########################################
 ## <summary>
-##	Read couchdb pid files.
+##	Read couchdb PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',`
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+	allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##      Search couchdb PID dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`couchdb_search_pid_dirs',`
+        gen_require(`
+                type couchdb_var_run_t;
+        ')
+
+        files_search_pids($1)
+        allow $1 couchdb_var_run_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+##  Allow domain to manage couchdb content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`couchdb_manage_files',`
+        gen_require(`
+                type couchdb_var_run_t;
+                type couchdb_log_t;
+                type couchdb_var_lib_t;
+                type couchdb_conf_t;
+        ')
+
+    manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
+    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+    manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an couchdb environment.
+##	Execute couchdb server in the couchdb domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
+#
+interface(`couchdb_systemctl',`
+	gen_require(`
+		type couchdb_t;
+		type couchdb_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_read_fifo_file_passwd_run($1)
+	allow $1 couchdb_unit_file_t:file read_file_perms;
+	allow $1 couchdb_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, couchdb_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an couchdb environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## </summary>
+## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
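Review bot: `couchdb_read_pid_files` replaces `read_files_pattern(...)` with `allow $1 couchdb_var_run_t:file read_file_perms;`, which drops the `search_dir_perms` on `couchdb_var_run_t` directories that the pattern macro included, so callers reaching the files through a couchdb-owned run directory now also need the new `couchdb_search_pid_dirs($1)`; either keep the pattern or call the search interface from `couchdb_read_pid_files`. `couchdb_manage_files` grants manage on config, log, lib and run files in one interface with no search calls, and its name does not convey that configuration files are included; naming the types in its summary, or splitting it, would help. The new interfaces in this hunk mix eight-space, four-space and tab indentation, and `couchdb_systemctl` reuses the "Execute … in the couchdb domain" summary although it only grants systemctl and unit-file access.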
@@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',`
 #
 interface(`couchdb_admin',`
 	gen_require(`
+		type couchdb_unit_file_t;
 		type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
 		type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
 		type couchdb_tmp_t;
 	')
 
-	allow $1 couchdb_t:process { ptrace signal_perms };
+	allow $1 couchdb_t:process { signal_perms };
 	ps_process_pattern($1, couchdb_t)
 
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 couchdb_t:process ptrace;
+    ')
+
 	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 couchdb_initrc_exec_t system_r;
@@ -122,4 +235,13 @@ interface(`couchdb_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, couchdb_var_run_t)
+
+	admin_pattern($1, couchdb_unit_file_t)
+	couchdb_systemctl($1)
+	allow $1 couchdb_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
 ')
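Review bot: `systemd_read_fifo_file_passwd_run($1)` in the trailing `optional_policy` block is already granted by the `couchdb_systemctl($1)` call a few lines above, so the line is redundant, and wrapping systemd interfaces in `optional_policy` here is inconsistent with the unconditional `systemd_exec_systemctl` call inside `couchdb_systemctl`. Suggest keeping only `systemd_passwd_agent_exec($1)` in the block, or moving it outside the block if systemd is a hard dependency of this policy.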
diff --git a/couchdb.te b/couchdb.te
index ae1c1b1..9b3a328 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
 type couchdb_var_run_t;
 files_pid_file(couchdb_var_run_t)
 
+type couchdb_unit_file_t;
+systemd_unit_file(couchdb_unit_file_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow couchdb_t self:process { setsched signal signull sigkill };
+allow couchdb_t self:process { execmem setsched signal signull sigkill };
 allow couchdb_t self:fifo_file rw_fifo_file_perms;
 allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
+allow couchdb_t self:unix_dgram_socket create_socket_perms;
 allow couchdb_t self:tcp_socket { accept listen };
 
-allow couchdb_t couchdb_conf_t:dir list_dir_perms;
-allow couchdb_t couchdb_conf_t:file read_file_perms;
+manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)
 
 manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
 append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
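Review bot: Adding `execmem` to `allow couchdb_t self:process { execmem setsched signal signull sigkill };` lets the daemon map writable-and-executable memory, which removes the W^X restriction the default policy applies; if the runtime genuinely needs it, a one-line comment above the rule saying which component requires it would justify the exception for later reviewers. `manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)` also turns the previously read-only configuration into daemon-writable files; if couchdb only rewrites a specific part of its configuration at runtime, a comment naming it would make the widening reviewable.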
@@ -56,11 +59,14 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
 
 manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
 manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir)
+files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir })
 
 can_exec(couchdb_t, couchdb_exec_t)
 
+kernel_read_network_state(couchdb_t)
 kernel_read_system_state(couchdb_t)
+kernel_read_fs_sysctls(couchdb_t)
+kernel_dgram_send(couchdb_t)
 
 corecmd_exec_bin(couchdb_t)
 corecmd_exec_shell(couchdb_t)
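Review bot: `files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir })` is missing the space after the opening brace; the rest of the diff writes `{ file dir }`. Cosmetic only, but the inconsistency stands out in an otherwise uniform file.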
@@ -75,14 +81,27 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
 corenet_tcp_bind_couchdb_port(couchdb_t)
 corenet_tcp_sendrecv_couchdb_port(couchdb_t)
 
+# disksup tries to monitor the local disks
+fs_getattr_all_files(couchdb_t)
+fs_getattr_all_dirs(couchdb_t)
+fs_getattr_all_fs(couchdb_t)
+files_getattr_all_mountpoints(couchdb_t)
+files_search_all_mountpoints(couchdb_t)
+files_getattr_lost_found_dirs(couchdb_t)
+files_dontaudit_list_var(couchdb_t)
+
 dev_list_sysfs(couchdb_t)
 dev_read_sysfs(couchdb_t)
 dev_read_urand(couchdb_t)
 
-files_read_usr_files(couchdb_t)
+auth_use_nsswitch(couchdb_t)
 
-fs_getattr_xattr_fs(couchdb_t)
+optional_policy(`
+    gnome_dontaudit_search_config(couchdb_t)
+')
+
+optional_policy(`
+    rpc_read_nfs_state_data(couchdb_t)
+')
 
-auth_use_nsswitch(couchdb_t)
 
-miscfiles_read_localization(couchdb_t)
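Review bot: `fs_getattr_all_files(couchdb_t)` and `fs_getattr_all_dirs(couchdb_t)` grant getattr on every file and directory on the system, which is far more than the disk-usage monitoring the `# disksup tries to monitor the local disks` comment describes; `fs_getattr_all_fs` together with `files_getattr_all_mountpoints` and `files_search_all_mountpoints` already covers statfs on mounted filesystems, so the two `_all_files`/`_all_dirs` lines look unnecessary unless denials show otherwise. The hunk also leaves two blank lines at end of file where the removed `miscfiles_read_localization` line was.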
diff --git a/courier.fc b/courier.fc
index 2f017a0..defdc87 100644
--- a/courier.fc
+++ b/courier.fc
@@ -11,17 +11,18 @@
 /usr/sbin/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 
 /usr/lib/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
 /usr/lib/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib/courier/courier/courierpop.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/courier/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/rootcerts(/.*)?	gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib/courier/sqwebmail/cleancache\.pl	--	gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-/usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/lib/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
 
+ifdef(`distro_gentoo',`
+/usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
 
 /var/lib/courier(/.*)?	gen_context(system_u:object_r:courier_var_lib_t,s0)
 /var/lib/courier-imap(/.*)?	gen_context(system_u:object_r:courier_var_lib_t,s0)
diff --git a/courier.if b/courier.if
index 10f820f..acdb179 100644
--- a/courier.if
+++ b/courier.if
@@ -1,12 +1,12 @@
-## <summary>Courier IMAP and POP3 email servers.</summary>
+## <summary>Courier IMAP and POP3 email servers</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The template to define a courier domain.
+##	Template for creating courier server processes.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	Prefix name of the server process.
 ##	</summary>
 ## </param>
 #
@@ -15,7 +15,7 @@ template(`courier_domain_template',`
 		attribute courier_domain;
 	')
 
-	########################################
+	##############################
 	#
 	# Declarations
 	#
@@ -24,18 +24,30 @@ template(`courier_domain_template',`
 	type courier_$1_exec_t;
 	init_daemon_domain(courier_$1_t, courier_$1_exec_t)
 
-	########################################
+	##############################
 	#
-	# Policy
+	# Declarations
 	#
 
 	can_exec(courier_$1_t, courier_$1_exec_t)
+
+	kernel_read_system_state(courier_$1_t)
+
+	corenet_all_recvfrom_netlabel(courier_$1_t)
+	corenet_tcp_sendrecv_generic_if(courier_$1_t)
+	corenet_udp_sendrecv_generic_if(courier_$1_t)
+	corenet_tcp_sendrecv_generic_node(courier_$1_t)
+	corenet_udp_sendrecv_generic_node(courier_$1_t)
+	corenet_tcp_sendrecv_all_ports(courier_$1_t)
+	corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+	logging_send_syslog_msg(courier_$1_t)
 ')
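Review bot: The second section header inside `courier_domain_template` now reads `# Declarations` like the first one, although the block below it holds the rules (`can_exec`, `kernel_read_system_state`, the `corenet_*` calls); the old `# Policy` heading was correct and should be restored. The template also grants every courier domain `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports`, which is wider than per-port rules (the pop/tcpd port lines are outside this hunk); if only specific mail ports are needed, those interfaces would be the narrower choice. The template's opening lines are outside the hunk.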
 
 ########################################
 ## <summary>
-##	Execute the courier authentication
-##	daemon with a domain transition.
+##	Execute the courier authentication daemon with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
 		type courier_authdaemon_t, courier_authdaemon_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
 ')
 
 #######################################
 ## <summary>
-##	Connect to courier-authdaemon over
-##	a unix stream socket.
+##  Connect to courier-authdaemon over a unix stream socket.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`courier_stream_connect_authdaemon',`
-	gen_require(`
-		type courier_authdaemon_t, courier_spool_t;
-	')
+    gen_require(`
+        type courier_authdaemon_t, courier_spool_t;
+    ')
 
 	files_search_spool($1)
-	stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+    stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the courier POP3 and IMAP
-##	server with a domain transition.
+##	Execute the courier POP3 and IMAP server with
+##	a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
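Review bot: `courier_stream_connect_authdaemon` switches its `gen_require` block and the `stream_connect_pattern` line to four-space indentation while the `files_search_spool($1)` line between them keeps a tab, so the body now mixes both styles in a file that otherwise uses tabs; the doc block above it was likewise re-indented with two spaces. Removing `corecmd_search_bin($1)` from the two domtrans interfaces is fine only if callers otherwise have search on the executables' parent directories, which is likely for `/usr/lib/courier/` but worth stating in the commit message.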
@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
 		type courier_pop_t, courier_pop_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
 ')
 
 ########################################
 ## <summary>
-##	Read courier config files.
+##	Read courier config files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
 ##	Create, read, write, and delete courier
 ##	spool files.
 ## </summary>
-## <param name="domain">
+## <param name="domains">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
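Review bot: The parameter tag changes to `<param name="domains">` but the interface still takes a single `$1` and every sibling documents it as `name="domain"`; the plural is a documentation inconsistency, so `## <param name="domain">` should be kept.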
@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	manage_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
+	files_search_spool($1)
 	read_files_pattern($1, courier_spool_t, courier_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write courier spool pipes.
+##	Read and write to courier spool pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
 		type courier_spool_t;
 	')
 
-	files_search_var($1)
 	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
 ')
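Review bot: `files_search_var($1)` is removed from `courier_rw_spool_pipes` without a replacement, whereas the three spool interfaces above swapped it for `files_search_spool($1)`; a caller that relies on this interface alone can no longer traverse `/var/spool` to open the fifo. Suggest adding `files_search_spool($1)` before the `allow` line to match the others.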
diff --git a/courier.te b/courier.te
index ae3bc70..9090d75 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
 files_config_file(courier_etc_t)
 
 type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
 
 type courier_var_lib_t;
 files_type(courier_var_lib_t)
@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
 files_pid_filetrans(courier_domain, courier_var_run_t, dir)
 
 kernel_read_kernel_sysctls(courier_domain)
-kernel_read_system_state(courier_domain)
 
 corecmd_exec_bin(courier_domain)
 
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
 
 domain_use_interactive_fds(courier_domain)
 
-files_read_etc_files(courier_domain)
 files_read_etc_runtime_files(courier_domain)
-files_read_usr_files(courier_domain)
 
 fs_getattr_xattr_fs(courier_domain)
 fs_search_auto_mountpoints(courier_domain)
 
-logging_send_syslog_msg(courier_domain)
-
 sysnet_read_config(courier_domain)
 
 userdom_dontaudit_use_unpriv_user_fds(courier_domain)
@@ -77,6 +72,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_stream_connect(courier_domain)
+')
+
+optional_policy(`
 	udev_read_db(courier_domain)
 ')
 
@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
 create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
 manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
 
+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
 manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
 
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
 
 libs_read_lib_files(courier_authdaemon_t)
 
-miscfiles_read_localization(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
 dev_read_rand(courier_tcpd_t)
 dev_read_urand(courier_tcpd_t)
 
-miscfiles_read_localization(courier_tcpd_t)
 
 ########################################
 #
diff --git a/cpucontrol.te b/cpucontrol.te
index af72c4e..afab036 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
 init_use_fds(cpucontrol_domain)
 init_use_script_ptys(cpucontrol_domain)
 
-logging_send_syslog_msg(cpucontrol_domain)
-
 userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
 
 optional_policy(`
@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
 read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
 read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
 
-kernel_list_proc(cpucontrol_t)
 kernel_read_proc_symlinks(cpucontrol_t)
 
 dev_read_sysfs(cpucontrol_t)
 dev_rw_cpu_microcode(cpucontrol_t)
 
+logging_send_syslog_msg(cpucontrol_t)
+
 optional_policy(`
 	rhgb_use_ptys(cpucontrol_t)
 ')
@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
 
 domain_read_all_domains_state(cpuspeed_t)
 
-files_read_etc_files(cpuspeed_t)
 files_read_etc_runtime_files(cpuspeed_t)
 
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
index 6cedb87..530e250 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
 # Local policy
 #
 
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:capability sys_nice;
 allow cpufreqselector_t self:process getsched;
 allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
 
 kernel_read_system_state(cpufreqselector_t)
 
-files_read_etc_files(cpufreqselector_t)
-files_read_usr_files(cpufreqselector_t)
-
 dev_rw_sysfs(cpufreqselector_t)
 
-miscfiles_read_localization(cpufreqselector_t)
-
 userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
 
 optional_policy(`
 	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -51,3 +47,7 @@ optional_policy(`
 	policykit_read_lib(cpufreqselector_t)
 	policykit_read_reload(cpufreqselector_t)
 ')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cpuplug.fc b/cpuplug.fc
new file mode 100644
index 0000000..be203ff
--- /dev/null
+++ b/cpuplug.fc
@@ -0,0 +1,3 @@
+/etc/rc.d/init.d/cpuplugd	--	gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)
+
+/usr/sbin/cpuplugd		--	gen_context(system_u:object_r:cpuplug_exec_t,s0)
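Review bot: The path regex on the first added line leaves the dots in `rc.d` and `init.d` unescaped, unlike every other init-script context in this patch (`/etc/rc\.d/init\.d/...`); an unescaped `.` matches any character, so the pattern is looser than intended. Change it to `/etc/rc\.d/init\.d/cpuplugd	--	gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)`. Also note the new cpuplug.te declares lock and pid types but no file context for them; that is fine as long as the filetrans rules in cpuplug.te are the only way those files are created.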
diff --git a/cpuplug.if b/cpuplug.if
new file mode 100644
index 0000000..c68d1d3
--- /dev/null
+++ b/cpuplug.if
@@ -0,0 +1,20 @@
+## <summary>cpuplugd - Linux on System z CPU and memory hotplug daemon</summary>
+
+########################################
+## <summary>
+##	Execute cpuplug in the cpuplug domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cpuplug_domtrans',`
+	gen_require(`
+		type cpuplug_t, cpuplug_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
+')
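Review bot: The interface summary has a typo, `domin` for `domain`; change the line to `##	Execute cpuplug in the cpuplug domain.` The module-level summary on the first line could also name the binary the interface transitions on, e.g. `## <summary>cpuplugd - Linux on System z CPU and memory hotplug daemon (cpuplug_exec_t)</summary>`, so a reader can connect the domtrans to the file context without opening cpuplug.fc.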
diff --git a/cpuplug.te b/cpuplug.te
new file mode 100644
index 0000000..074f3e0
--- /dev/null
+++ b/cpuplug.te
@@ -0,0 +1,40 @@
+policy_module(cpuplug, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpuplug_t;
+type cpuplug_exec_t;
+init_daemon_domain(cpuplug_t, cpuplug_exec_t)
+
+type cpuplug_initrc_exec_t;
+init_script_file(cpuplug_initrc_exec_t)
+
+type cpuplug_lock_t;
+files_lock_file(cpuplug_lock_t)
+
+type cpuplug_var_run_t;
+files_pid_file(cpuplug_var_run_t)
+
+########################################
+#
+# cpuplug local policy
+#
+allow cpuplug_t self:fifo_file rw_fifo_file_perms;
+allow cpuplug_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(cpuplug_t, cpuplug_lock_t, cpuplug_lock_t)
+files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })
+
+manage_files_pattern(cpuplug_t, cpuplug_var_run_t, cpuplug_var_run_t)
+files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
+
+kernel_read_system_state(cpuplug_t)
+kernel_rw_vm_sysctls(cpuplug_t)
+
+dev_rw_sysfs(cpuplug_t)
+
+logging_send_syslog_msg(cpuplug_t)
+
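Review bot: `kernel_rw_vm_sysctls(cpuplug_t)` grants write access to the VM sysctls with no comment saying why this daemon needs it; a one-line comment above it such as `# memory hotplug: cpuplugd writes VM sysctls (confirm against cpuplugd's config)` would tell the next reader the write is intentional rather than a debugging leftover. Two style points: the `# cpuplug local policy` banner has no blank line before the first `allow`, while the Declarations banner above it does, and the file ends with an extra empty line. Everything else in the block (pid and lock filetrans, sysfs, syslog) matches the refpolicy pattern for a small daemon.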
diff --git a/cron.fc b/cron.fc
index ad0bae9..615a947 100644
--- a/cron.fc
+++ b/cron.fc
@@ -1,66 +1,77 @@
-/etc/rc\.d/init\.d/(anacron|atd)	--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
 
-/etc/cron\.d(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 
-/usr/bin/at	--	gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/bin/(f)?crontab	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.*	--	gen_context(system_u:object_r:crond_unit_file_t,s0)
 
-/usr/libexec/fcron	--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/libexec/fcronsighup	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/usr/sbin/anacron	--	gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/sbin/atd	--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/cron(d)?	--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron	--	gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcronsighup	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/libexec/fcron  --  gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcronsighup    --  gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/var/lib/glpi/files(/.*)?	gen_context(system_u:object_r:cron_var_lib_t,s0)
+/usr/sbin/anacron		--	gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd			--	gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)?		--	gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup		--	gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/var/log/cron.*	gen_context(system_u:object_r:cron_log_t,s0)
-/var/log/rpmpkgs.*	--	gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.*             gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 
-/var/run/anacron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/atd\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/cron(d)?\.reboot	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo	-s	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/.*cron.*	--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.*		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 
-/var/spool/anacron(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/at(/.*)?	gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/at/atspool(/.*)?	gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+/var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
 
-/var/spool/cron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
-#/var/spool/cron/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/[^/]*	--	<<none>>
+/var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
+#/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]*		--	<<none>>
 
-/var/spool/cron/crontabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/crontabs/.*	--	<<none>>
 #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 
-/var/spool/fcron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.*	<<none>>
+/var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.*			<<none>>
 /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab\.tmp	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/rm\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]*	--	<<none>>
+/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+')
 
 ifdef(`distro_debian',`
-/var/spool/cron/atjobs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.*		--	gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/atjobs/[^/]*	--	<<none>>
-/var/spool/cron/atspool	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 ')
 
 ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun	-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
 ')
 
-ifdef(`distro_suse',`
-/var/spool/cron/lastrun	-d	gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]*	--	<<none>>
-/var/spool/cron/tabs	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 ')
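Review bot: The `ifdef(`distro_gentoo',`` and `ifdef(`distro_suse', `` blocks added after the fcron entries duplicate the existing gentoo and suse blocks at the end of the file, so the `lastrun` and `tabs` contexts are now declared twice; drop the newly added copies. Separately, the directory context for `/var/spool/cron` changes from `cron_spool_t` to `user_cron_spool_t` while `/var/spool/cron/crontabs` keeps `cron_spool_t`; if that split is intended it deserves a comment, because interfaces in cron.if key off those two types and the commit text does not explain the change. The `/var/log/prelink.log.*` entry is placed inside the `distro_debian` block, which looks like an accident of where the lines were inserted rather than a Debian-specific context — worth confirming.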
diff --git a/cron.if b/cron.if
index 1303b30..f13c532 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
 
 #######################################
 ## <summary>
-##	The template to define a crontab domain.
+##	The common rules for a crontab domain.
 ## </summary>
-## <param name="domain_prefix">
+## <param name="userdomain_prefix">
 ##	<summary>
-##	Domain prefix to be used.
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
 ##	</summary>
 ## </param>
 #
@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
 	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
 
+	kernel_read_system_state($1_t)
+
 	auth_domtrans_chk_passwd($1_t)
 	auth_use_nsswitch($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	userdom_home_reader($1_t)
+
 ')
 
 ########################################
 ## <summary>
-##	Role access for cron.
+##	Role access for cron
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
 ## <rolecap/>
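Review bot: `userdom_home_reader($1_t)` gives every crontab-derived domain read access to user home content without a comment explaining the need; record the reason above the call, e.g. `# crontab <file> reads a user-supplied file, typically under $HOME` if that is what motivated it. The template now ends with a blank line before `')`, which no other interface in the file has. The summary edits in this hunk also drop the trailing period ("Role access for cron", "Role allowed access") that the rest of the file keeps, so the documentation style becomes inconsistent within one file.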
@@ -60,56 +68,66 @@ interface(`cron_role',`
 	gen_require(`
 		type cronjob_t, crontab_t, crontab_exec_t;
 		type user_cron_spool_t, crond_t;
-		bool cron_userdomain_transition;
+        bool cron_userdomain_transition;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
+    ##############################
+    #
+    # Declarations
+    #
 
 	role $1 types { cronjob_t crontab_t };
 
-	##############################
-	#
-	# Local policy
-	#
+    ##############################
+    #
+    # Local policy
+    #
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, crontab_t)
 
 	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
 	allow $2 crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+    allow $2 user_cron_spool_t:file { getattr read write ioctl };
 
-	allow $2 crontab_t:process { ptrace signal_perms };
+	# crontab shows up in user ps
+	allow $2 crontab_t:process signal_perms;
 	ps_process_pattern($2, crontab_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 crontab_t:process ptrace;
+	')
+
+	# Run helper programs as the user domain
+	#corecmd_bin_domtrans(crontab_t, $2)
+	#corecmd_shell_domtrans(crontab_t, $2)
 	corecmd_exec_bin(crontab_t)
 	corecmd_exec_shell(crontab_t)
 
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
 
-		allow $2 user_cron_spool_t:file entrypoint;
+	    # needs to be authorized SELinux context for cron
+	    allow $2 user_cron_spool_t:file entrypoint;
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+        allow $2 cronjob_t:process { signal_perms };
 
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+        ps_process_pattern($2, cronjob_t)
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
+        dontaudit $2 user_cron_spool_t:file entrypoint;
 
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
 
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
-	')
+        dontaudit $2 cronjob_t:process { signal_perms };
+    ')
 
 	optional_policy(`
 		gen_require(`
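Review bot: The re-indented lines in this hunk (the `bool` line in gen_require, the Declarations/Local policy banners and the whole `cron_userdomain_transition` block) use four spaces while the surrounding lines and the rest of the file use tabs, so the interface body now mixes both; the same pattern appears in cron_unconfined_role and cron_admin_role further down. Keeping tabs, as the unchanged `domtrans_pattern` and `dontaudit crond_t` lines do, keeps the file consistent with refpolicy style. The new `tunable_policy(`deny_ptrace',`',`` block references a bool that is not declared anywhere in this diff, which is fine only if `deny_ptrace` is a global tunable in this policy tree.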
@@ -119,78 +137,75 @@ interface(`cron_role',`
 		dbus_stub(cronjob_t)
 
 		allow cronjob_t $2:dbus send_msg;
-	')
+	')		
 ')
 
 ########################################
 ## <summary>
-##	Role access for unconfined cron.
+##	Role access for unconfined cronjobs
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
 		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
-		type crond_t, user_cron_spool_t;
-		bool cron_userdomain_transition;
+        type crond_t, user_cron_spool_t;
+        bool cron_userdomain_transition;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
+    ##############################
+    #
+    # Declarations
+    #
+    
+    role $1 types unconfined_cronjob_t;
 
-	role $1 types { unconfined_cronjob_t crontab_t };
+    ##############################
+    #
+    # Local policy
+    #
 
-	##############################
-	#
-	# Local policy
-	#
+    dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
 
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
+    allow $2 crond_t:process sigchld;
 
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
+    allow $2 user_cron_spool_t:file { getattr read write ioctl };
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	# cronjob shows up in user ps
+	ps_process_pattern($2, unconfined_cronjob_t)
+	allow $2 unconfined_cronjob_t:process signal_perms;
 
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
-
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
-
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 unconfined_cronjob_t:process ptrace;
+	')
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
 
-		allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, unconfined_cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+        allow $2 user_cron_spool_t:file entrypoint;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
 
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+        dontaudit $2 user_cron_spool_t:file entrypoint;
 
-		dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+    ')
 
 	optional_policy(`
 		gen_require(`
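Review bot: gen_require in cron_unconfined_role still lists `crontab_t, crontab_exec_t`, but the `domtrans_pattern($2, crontab_exec_t, crontab_t)`, both `corecmd_exec_*(crontab_t)` calls and `crontab_t` in the role statement are all removed, so those two types are required and never used; trim the require to `type unconfined_cronjob_t;`. Whether unconfined roles are meant to lose the crontab transition entirely is not clear from the diff — if they are expected to get it through cron_role instead, a one-line comment saying so would prevent the next reader from re-adding it. The closing `')` of the dbus block at the top of the hunk also gains trailing tabs.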
@@ -198,55 +213,60 @@ interface(`cron_unconfined_role',`
 		')
 
 		dbus_stub(unconfined_cronjob_t)
-
 		allow unconfined_cronjob_t $2:dbus send_msg;
 	')
 ')
 
 ########################################
 ## <summary>
-##	Role access for admin cron.
+##	Role access for cron
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	Role allowed access
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	User domain for the role
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_admin_role',`
 	gen_require(`
-		type cronjob_t, crontab_exec_t, admin_crontab_t;
+		type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+		type user_cron_spool_t, crond_t;
 		class passwd crontab;
-		type crond_t, user_cron_spool_t;
-		bool cron_userdomain_transition;
+        bool cron_userdomain_transition;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
+    ##############################
+    #
+    # Declarations
+    #
 
-	role $1 types { cronjob_t admin_crontab_t };
+	role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
 
-	##############################
-	#
-	# Local policy
-	#
+    ##############################
+    #
+    # Local policy
+    #
 
+	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
 
 	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	allow $2 crond_t:process sigchld;
 
-	allow $2 admin_crontab_t:process { ptrace signal_perms };
+	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
+	allow $2 admin_crontab_t:process signal_perms;
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 admin_crontab_t:process ptrace;
+	')
 
 	# Manipulate other users crontab.
 	allow $2 self:passwd crontab;
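Review bot: `role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };` adds a file type to a role statement; `admin_crontab_tmp_t` labels temporary files, not a process domain, so it has no meaning in `role types`, and the new `admin_crontab_tmp_t` entry in gen_require exists only to support it. Revert to `role $1 types { cronjob_t admin_crontab_t };` and drop the type from the require. The summary also changes from "Role access for admin cron." to "Role access for cron", which is now identical to cron_role's and no longer tells the two interfaces apart.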
@@ -254,28 +274,26 @@ interface(`cron_admin_role',`
 	corecmd_exec_bin(admin_crontab_t)
 	corecmd_exec_shell(admin_crontab_t)
 
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
+    tunable_policy(`cron_userdomain_transition',`
+        allow crond_t $2:process transition;
+        allow crond_t $2:fd use;
+        allow crond_t $2:key manage_key_perms;
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+        allow $2 user_cron_spool_t:file entrypoint;
 
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
 
-		dontaudit $2 user_cron_spool_t:file entrypoint;
+        allow $2 cronjob_t:process { signal_perms };
+        ps_process_pattern($2, cronjob_t)
+    ',`
+        dontaudit crond_t $2:process transition;
+        dontaudit crond_t $2:fd use;
+        dontaudit crond_t $2:key manage_key_perms;
 
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
-	')
+        dontaudit $2 user_cron_spool_t:file entrypoint;
+        dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+        dontaudit $2 cronjob_t:process { signal_perms };
+    ')
 
 	optional_policy(`
 		gen_require(`
@@ -285,13 +303,13 @@ interface(`cron_admin_role',`
 		dbus_stub(admin_cronjob_t)
 
 		allow cronjob_t $2:dbus send_msg;
-	')
+	')		
 ')
 
 ########################################
 ## <summary>
-##	Make the specified program domain
-##	accessable from the system cron jobs.
+##	Make the specified program domain accessable
+##	from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -307,15 +325,15 @@ interface(`cron_admin_role',`
 interface(`cron_system_entry',`
 	gen_require(`
 		type crond_t, system_cronjob_t;
-		type user_cron_spool_log_t;
 	')
 
-	rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
-
 	domtrans_pattern(system_cronjob_t, $2, $1)
 	domtrans_pattern(crond_t, $2, $1)
 
 	role system_r types $1;
+
+	allow $1 crond_t:fifo_file rw_fifo_file_perms;
+	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
 ')
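Review bot: The two added `allow $1 ...:fifo_file rw_fifo_file_perms;` lines grant the full pipe permission set, whereas the same commit narrows cron_rw_pipes and cron_rw_system_job_pipes to `rw_inherited_fifo_file_perms`; a domain entered from crond or a system cron job only inherits those pipes, so `rw_inherited_fifo_file_perms` is the consistent and smaller set here, or simply call `cron_rw_pipes($1)` and `cron_rw_system_job_pipes($1)`. The interface summary sits outside this hunk and presumably still describes only the domain entry, so it should be updated to mention the pipe access as well.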
 
 ########################################
@@ -333,13 +351,12 @@ interface(`cron_domtrans',`
 		type system_cronjob_t, crond_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, crond_exec_t, system_cronjob_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute crond in the caller domain. 
+##	Execute crond_exec_t 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
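Review bot: The new cron_exec summary, `Execute crond_exec_t ` (its body is in the next hunk), is less descriptive than the text it replaces and carries a trailing space; the interface grants `can_exec($1, crond_exec_t)`, so keep wording like `##	Execute crond in the caller domain.` Dropping `corecmd_search_bin($1)` from cron_domtrans above means callers must already have search on bin directories; that matches the other domtrans interfaces in this commit, but it is a behavioural change for callers and belongs in the commit message.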
@@ -352,7 +369,6 @@ interface(`cron_exec',`
 		type crond_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	can_exec($1, crond_exec_t)
 ')
 
@@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	Use crond file descriptors.
+##	Execute crond server in the crond domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cron_systemctl',`
+	gen_require(`
+		type crond_unit_file_t;
+		type crond_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 crond_unit_file_t:file read_file_perms;
+	allow $1 crond_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, crond_t)
+')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor
+##	from the cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
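Review bot: The summary of the new cron_systemctl, `Execute crond server in the crond domain.`, does not describe what the interface grants: there is no domain transition here, only systemctl execution, `init_reload_services($1)`, read plus `manage_service_perms` on `crond_unit_file_t`, and ps access to crond_t. Replace it with `##	Execute systemctl to start, stop and reload the crond service, and read its unit file.` and change the param summary from `Domain allowed to transition.` to `Domain allowed access.` Note that `init_reload_services($1)` is not scoped to crond's unit file, so a caller gets reload rights on every service, which is broader than the interface name suggests; if a unit-scoped alternative exists in this policy tree, prefer it.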
@@ -394,7 +435,7 @@ interface(`cron_use_fds',`
 
 ########################################
 ## <summary>
-##	Send child terminated signals to crond.
+##	Send a SIGCHLD signal to the cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -412,7 +453,7 @@ interface(`cron_sigchld',`
 
 ########################################
 ## <summary>
-##	Set the attributes of cron log files.
+##	Send a generic signal to cron daemon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -420,17 +461,17 @@ interface(`cron_sigchld',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_setattr_log_files',`
+interface(`cron_signal',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	allow $1 cron_log_t:file setattr_file_perms;
+	allow $1 crond_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Create cron log files.
+##	Read a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
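Review bot: cron_setattr_log_files is rewritten into cron_signal rather than kept alongside it, and the following hunks do the same to cron_create_log_files, cron_write_log_files, cron_manage_log_files and cron_generic_log_filetrans_log; no replacement for the cron_log_t interfaces appears anywhere in this diff. Any module that still calls one of them will fail to build, so either keep those interfaces (marking them with `refpolicywarn` if they are meant to go away) or state in the commit message that no caller remains.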
@@ -438,17 +479,17 @@ interface(`cron_setattr_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_create_log_files',`
+interface(`cron_read_pipes',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	create_files_pattern($1, cron_log_t, cron_log_t)
+	allow $1 crond_t:fifo_file read_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Write to cron log files.
+##	Read crond state files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -456,18 +497,20 @@ interface(`cron_create_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_write_log_files',`
+interface(`cron_read_state_crond',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	allow $1 cron_log_t:file write_file_perms;
+	kernel_search_proc($1)
+	ps_process_pattern($1, crond_t)
 ')
 
+
 ########################################
 ## <summary>
-##	Create, read, write and delete
-##	cron log files.
+##	Send and receive messages from
+##	crond over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -475,48 +518,37 @@ interface(`cron_write_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_manage_log_files',`
+interface(`cron_dbus_chat_crond',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
+		class dbus send_msg;
 	')
 
-	manage_files_pattern($1, cron_log_t, cron_log_t)
-
-	logging_search_logs($1)
+	allow $1 crond_t:dbus send_msg;
+	allow crond_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Create specified objects in generic
-##	log directories with the cron log file type.
+##	Do not audit attempts to write cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`cron_generic_log_filetrans_log',`
+interface(`cron_dontaudit_write_pipes',`
 	gen_require(`
-		type cron_log_t;
+		type crond_t;
 	')
 
-	logging_log_filetrans($1, cron_log_t, $2, $3)
+	dontaudit $1 crond_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Read cron daemon unnamed pipes.
+##	Read and write a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -524,18 +556,17 @@ interface(`cron_generic_log_filetrans_log',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_read_pipes',`
+interface(`cron_rw_pipes',`
 	gen_require(`
 		type crond_t;
 	')
 
-	allow $1 crond_t:fifo_file read_fifo_file_perms;
+	allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write
-##	cron daemon unnamed pipes.
+##	Do not audit attempts to setattr cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -543,17 +574,17 @@ interface(`cron_read_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_dontaudit_write_pipes',`
+interface(`cron_dontaudit_setattr_pipes',`
 	gen_require(`
 		type crond_t;
 	')
 
-	dontaudit $1 crond_t:fifo_file write;
+	dontaudit $1 crond_t:fifo_file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Read and write crond unnamed pipes.
+##	Read and write inherited user spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -561,17 +592,35 @@ interface(`cron_dontaudit_write_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_rw_pipes',`
+interface(`cron_rw_inherited_user_spool_files',`
 	gen_require(`
-		type crond_t;
+		type user_cron_spool_t;
 	')
 
-	allow $1 crond_t:fifo_file rw_fifo_file_perms;
+	allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write inherited spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_inherited_spool_files',`
+	gen_require(`
+		type cron_spool_t;
+	')
+
+	allow $1 cron_spool_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write crond TCP sockets.
+##	Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write cron daemon TCP sockets.
+##	Dontaudit Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-##	Search cron spool directories.
+##	Search the directory containing user cron tables.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -627,8 +675,7 @@ interface(`cron_search_spool',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	crond pid files.
+##	Search the directory containing user cron tables.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -636,37 +683,37 @@ interface(`cron_search_spool',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_manage_pid_files',`
+interface(`cron_manage_system_spool',`
 	gen_require(`
-		type crond_var_run_t;
+		type cron_system_spool_t;
 	')
 
-	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+	files_search_spool($1)
+	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute anacron in the cron
-##	system domain.
+##	Manage pid files used by cron
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`cron_anacron_domtrans_system_job',`
+interface(`cron_manage_pid_files',`
 	gen_require(`
-		type system_cronjob_t, anacron_exec_t;
+		type crond_var_run_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+	files_search_pids($1)
+	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Use system cron job file descriptors.
+##	Read pid files used by cron
 ## </summary>
 ## <param name="domain">
 ##	<summary>
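Review bot: cron_manage_system_spool requires and grants access on `cron_system_spool_t`, but every other use of this type in the patch — the cron.fc contexts for /etc/cron.d, /etc/crontab and /var/spool/anacron — spells it `system_cron_spool_t`; unless `cron_system_spool_t` is declared in cron.te outside this diff, the gen_require fails to resolve and the module will not build. Change both occurrences to `system_cron_spool_t`. Its summary, in the previous hunk, also still reads `Search the directory containing user cron tables.`, a copy of cron_search_spool's, and should say `##	Create, read, write, and delete system cron spool files.`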
@@ -674,37 +721,37 @@ interface(`cron_anacron_domtrans_system_job',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_use_system_job_fds',`
+interface(`cron_read_pid_files',`
 	gen_require(`
-		type system_cronjob_t;
+		type crond_var_run_t;
 	')
 
-	allow $1 system_cronjob_t:fd use;
+	files_search_pids($1)
+	read_files_pattern($1, crond_var_run_t, crond_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Read system cron job lib files.
+##	Execute anacron in the cron system domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
-interface(`cron_read_system_job_lib_files',`
+interface(`cron_anacron_domtrans_system_job',`
 	gen_require(`
-		type system_cronjob_var_lib_t;
+		type system_cronjob_t, anacron_exec_t;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	system cron job lib files.
+##	Inherit and use a file descriptor
+##	from system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -712,18 +759,17 @@ interface(`cron_read_system_job_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_manage_system_job_lib_files',`
+interface(`cron_use_system_job_fds',`
 	gen_require(`
-		type system_cronjob_var_lib_t;
+		type system_cronjob_t;
 	')
 
-	files_search_var_lib($1)
-	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+	allow $1 system_cronjob_t:fd use;
 ')
 
 ########################################
 ## <summary>
-##	Write system cron job unnamed pipes.
+##	Write a system cron job unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',`
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:file write;
+	allow $1 system_cronjob_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Read and write system cron job
-##	unnamed pipes.
+##	Read and write a system cron job unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',`
 		type system_cronjob_t;
 	')
 
-	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+	allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write inherited system cron
-##	job unix domain stream sockets.
+##	Allow read/write unix stream sockets from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',`
 
 ########################################
 ## <summary>
-##	Read system cron job temporary files.
+##	Read temporary files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',`
 #
 interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
-		type system_cronjob_tmp_t;
+		type system_cronjob_tmp_t, cron_var_run_t;
 	')
 
 	files_search_tmp($1)
 	allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+	files_search_pids($1)
+	allow $1 cron_var_run_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to append temporary
-##	system cron job files.
+##	files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
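Review bot: cron_read_system_job_tmp_files now also grants read_file_perms on cron_var_run_t (the two lines added after files_search_pids), but the interface name and its summary still speak only of temporary files, so a caller asking for tmp access silently also gets the cron pid/runtime files. Either document the widening in the summary, e.g. `##	Read temporary and runtime (pid) files from the system cron jobs.`, or put the cron_var_run_t rules in an interface of their own. The same name/scope mismatch applies to cron_dontaudit_write_system_job_tmp_files in the next cron.if hunk, where a cron_var_run_t dontaudit is added under a tmp-files summary.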
@@ -818,7 +865,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to write temporary
-##	system cron job files.
+##	files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -829,7 +876,97 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 interface(`cron_dontaudit_write_system_job_tmp_files',`
 	gen_require(`
 		type system_cronjob_tmp_t;
+		type cron_var_run_t;
 	')
 
 	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+	dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+	gen_require(`
+		type system_cronjob_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+	gen_require(`
+		type system_cronjob_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+#######################################
+## <summary>
+##  Create, read, write and delete
+##  cron log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cron_manage_log_files',`
+    gen_require(`
+        type cron_log_t;
+    ')
+
+    manage_files_pattern($1, cron_log_t, cron_log_t)
+
+    logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##  Create specified objects in generic
+##  log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="object_class">
+##  <summary>
+##  Class of the object being created.
+##  </summary>
+## </param>
+## <param name="name" optional="true">
+##  <summary>
+##  The name of the object being created.
+##  </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+    gen_require(`
+        type cron_log_t;
+    ')
+
+    logging_log_filetrans($1, cron_log_t, $2, $3)
 ')
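Review bot: The summary of the new cron_read_system_job_lib_files reads `Read temporary files from the system cron jobs.`, copied from the tmp interface above, and does not describe the system_cronjob_var_lib_t access the body grants; it should read `##	Read system cron job lib files.`, and the cron_manage_system_job_lib_files summary `Manage files from the system cron jobs.` should likewise name the lib files. Separately, cron_manage_log_files and cron_generic_log_filetrans_log are indented with four spaces while the rest of the file uses tabs, and the same mixed indentation appears in cron.te (the cron_system_cronjob_use_shares block and the rkhunter and snapper optional blocks). One indentation style keeps the policy sources readable as a unit.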
diff --git a/cron.te b/cron.te
index 7de3859..e8010ba 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
 
 ## <desc>
 ##	<p>
-##	Determine whether system cron jobs
-##	can relabel filesystem for
-##	restoring file contexts.
+##	Allow system cron jobs to relabel filesystem
+##	for restoring file contexts.
 ##	</p>
 ## </desc>
 gen_tunable(cron_can_relabel, false)
 
 ## <desc>
-##	<p>
-##	Determine whether crond can execute jobs
-##	in the user domain as opposed to the
-##	the generic cronjob domain.
-##	</p>
+##  <p>
+##  Determine whether crond can execute jobs
+##  in the user domain as opposed to the
+##  the generic cronjob domain.
+##  </p>
+## </desc>
+gen_tunable(cron_userdomain_transition, true)
+
+## <desc>
+##  <p>
+##  Allow system cronjob to be executed on
+##  on NFS, CIFS or FUSE filesystem.
+##  </p>
 ## </desc>
-gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_system_cronjob_use_shares, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether extra rules
-##	should be enabled to support fcron.
+##	Enable extra rules in the cron domain
+##	to support fcron.
 ##	</p>
 ## </desc>
 gen_tunable(fcron_crond, false)
 
-attribute cron_spool_type;
 attribute crontab_domain;
+attribute cron_spool_type;
 
 type anacron_exec_t;
 application_executable_file(anacron_exec_t)
 
 type cron_spool_t;
-files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+files_spool_file(cron_spool_t)
 
+# var/lib files
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
 
 type cron_var_run_t;
 files_pid_file(cron_var_run_t)
 
+# var/log files
 type cron_log_t;
 logging_log_file(cron_log_t)
 
@@ -71,6 +79,9 @@ domain_cron_exemption_source(crond_t)
 type crond_initrc_exec_t;
 init_script_file(crond_initrc_exec_t)
 
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 files_poly_parent(crond_tmp_t)
@@ -92,15 +103,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
 typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
 typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
 typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
 
 type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
 
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
+corecmd_bin_entry_type(system_cronjob_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
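Review bot: `allow admin_crontab_t crond_t:process signal;` is inserted between the crontab typealias declarations and the system_cron_spool_t type, and `domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)` now sits in the declarations block as well, whereas this file otherwise keeps allow rules and patterns in the per-domain policy sections below. Moving the signal rule to the "Admin crontab local policy" section and the domtrans to the crond section keeps the declarations free of rules. The signal rule also looks redundant if admin_crontab_t carries the crontab_domain attribute, because `allow crontab_domain crond_t:process signal;` is added in the relocated common block later in this diff; the attribute assignment is outside the visible hunks, so that is worth confirming.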
@@ -108,94 +121,34 @@ files_lock_file(system_cronjob_lock_t)
 type system_cronjob_tmp_t alias system_crond_tmp_t;
 files_tmp_file(system_cronjob_tmp_t)
 
-type system_cronjob_var_lib_t;
-files_type(system_cronjob_var_lib_t)
-
-type system_cronjob_var_run_t;
-files_pid_file(system_cronjob_var_run_t)
-
+# Type of user crontabs once moved to cron spool.
 type user_cron_spool_t, cron_spool_type;
 typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
 mta_system_content(user_cron_spool_t)
 
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
 ')
 
-##############################
-#
-# Common crontab local policy
-#
-
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-allow crontab_domain self:process { getcap setsched signal_perms };
-allow crontab_domain self:fifo_file rw_fifo_file_perms;
-
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-
-allow crontab_domain crond_t:process signal;
-allow crontab_domain crond_var_run_t:file read_file_perms;
-
-kernel_read_system_state(crontab_domain)
-
-selinux_dontaudit_search_fs(crontab_domain)
-
-files_list_spool(crontab_domain)
-files_read_etc_files(crontab_domain)
-files_read_usr_files(crontab_domain)
-files_search_pids(crontab_domain)
-
-fs_getattr_xattr_fs(crontab_domain)
-fs_manage_cgroup_dirs(crontab_domain)
-fs_rw_cgroup_files(crontab_domain)
-
-domain_use_interactive_fds(crontab_domain)
-
-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-
-auth_rw_var_auth(crontab_domain)
-
-logging_send_syslog_msg(crontab_domain)
-logging_send_audit_msgs(crontab_domain)
-logging_set_loginuid(crontab_domain)
-
-init_dontaudit_write_utmp(crontab_domain)
-init_read_utmp(crontab_domain)
-init_read_state(crontab_domain)
-
-miscfiles_read_localization(crontab_domain)
-
-seutil_read_config(crontab_domain)
-
-userdom_manage_user_tmp_dirs(crontab_domain)
-userdom_manage_user_tmp_files(crontab_domain)
-userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
-
-tunable_policy(`fcron_crond',`
-	dontaudit crontab_domain crond_t:process signal;
-')
-
 ########################################
 #
-# Admin local policy
+# Admin crontab local policy
 #
 
-allow admin_crontab_t self:capability fsetid;
-allow admin_crontab_t crond_t:process signal;
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
 
+# Manipulate other users crontab.
 selinux_get_fs_mount(admin_crontab_t)
 selinux_validate_context(admin_crontab_t)
 selinux_compute_access_vector(admin_crontab_t)
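Review bot: `type user_cron_spool_log_t` is removed together with its rules but no typealias is kept for it, so files still labelled user_cron_spool_log_t on an upgraded system will presumably be treated as unlabeled once this policy loads; a transitional `typealias user_cron_spool_t alias user_cron_spool_log_t;` (or an explicit relabel note in the commit message) avoids that. The common crontab block removed here reappears later in the diff under "crontab common policy", but the relocated version no longer contains kernel_read_system_state, files_read_etc_files, files_read_usr_files, logging_send_syslog_msg or miscfiles_read_localization, and files_search_pids became files_dontaudit_search_pids; if those are intentional removals rather than losses in the move, the commit should say so. `allow admin_crontab_t self:capability fsetid;` is also dropped without comment.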
@@ -204,22 +157,26 @@ selinux_compute_relabel_context(admin_crontab_t)
 selinux_compute_user_contexts(admin_crontab_t)
 
 tunable_policy(`fcron_crond',`
+	# fcron wants an instant update of a crontab change for the administrator
+	# also crontab does a security check for crontab -u
 	allow admin_crontab_t self:process setfscreate;
 ')
 
 ########################################
 #
-# Daemon local policy
+# Cron daemon local policy
 #
 
 allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
 allow crond_t self:unix_dgram_socket sendto;
-allow crond_t self:unix_stream_socket { accept connectto listen };
+allow crond_t self:unix_stream_socket connectto;
 allow crond_t self:shm create_shm_perms;
 allow crond_t self:sem create_sem_perms;
 allow crond_t self:msgq create_msgq_perms;
@@ -227,7 +184,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 
-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
 logging_log_filetrans(crond_t, cron_log_t, file)
 
 manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
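Review bot: Replacing the `{ append_file_perms create_file_perms setattr_file_perms }` rule on cron_log_t with manage_files_pattern gives crond_t read, write, unlink and rename on its own log files, so the append-only property of the cron log is lost. If the daemon really needs to truncate or rotate the log, a comment naming the operation that requires it would justify the widening; otherwise keeping the append-only set is the safer choice for log integrity. The same widening is done for system_cronjob_t further down, where `allow system_cronjob_t cron_log_t:file manage_file_perms;` replaces the equivalent append-only rule.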
@@ -237,73 +194,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
 
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
 
 list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 
-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
 
-allow crond_t system_cronjob_t:process transition;
-allow crond_t system_cronjob_t:fd use;
-allow crond_t system_cronjob_t:key manage_key_perms;
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
 
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+dev_read_urand(crond_t)
 
-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
 
-kernel_read_kernel_sysctls(crond_t)
-kernel_read_fs_sysctls(crond_t)
-kernel_search_key(crond_t)
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
 
 corecmd_exec_shell(crond_t)
-corecmd_exec_bin(crond_t)
 corecmd_list_bin(crond_t)
-
-dev_read_sysfs(crond_t)
-dev_read_urand(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
 domain_subj_id_change_exemption(crond_t)
 domain_role_change_exemption(crond_t)
 
-fs_getattr_all_fs(crond_t)
-fs_list_inotifyfs(crond_t)
-fs_manage_cgroup_dirs(crond_t)
-fs_rw_cgroup_files(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
-files_read_usr_files(crond_t)
 files_read_etc_runtime_files(crond_t)
 files_read_generic_spool(crond_t)
 files_list_usr(crond_t)
+# Read from /var/spool/cron.
 files_search_var_lib(crond_t)
 files_search_default(crond_t)
 files_read_all_locks(crond_t)
 
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
+# needed by "crontab -e"
 mls_file_read_all_levels(crond_t)
 mls_file_write_all_levels(crond_t)
+
+# needed because of kernel check of transition
 mls_process_set_level(crond_t)
-mls_trusted_object(crond_t)
 
-selinux_get_fs_mount(crond_t)
-selinux_validate_context(crond_t)
-selinux_compute_access_vector(crond_t)
-selinux_compute_create_context(crond_t)
-selinux_compute_relabel_context(crond_t)
-selinux_compute_user_contexts(crond_t)
+# to make cronjob working
+mls_fd_share_all_levels(crond_t)
+mls_trusted_object(crond_t)
 
 init_read_state(crond_t)
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)
 
-auth_domtrans_chk_passwd(crond_t)
-auth_manage_var_auth(crond_t)
 auth_use_nsswitch(crond_t)
 
 logging_send_audit_msgs(crond_t)
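Review bot: The comment `# Read from /var/spool/cron.` is placed directly above `files_search_var_lib(crond_t)`, which concerns /var/lib rather than the spool directory, so it describes the wrong rule; either move it next to the spool rules or reword it, e.g. `# Search /var/lib for cron state directories.` fs_rw_cgroup_files(crond_t) is also replaced by fs_manage_cgroup_files(crond_t), a widening the commit does not explain. The rest of the hunk is a reordering of existing crond_t rules, and the crond_t section continues past the end of the hunk.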
@@ -312,41 +264,49 @@ logging_set_loginuid(crond_t)
 
 seutil_read_config(crond_t)
 seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
 
-miscfiles_read_localization(crond_t)
 
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
 userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
+userdom_manage_all_users_keys(crond_t)
 
-tunable_policy(`cron_userdomain_transition',`
-	dontaudit crond_t cronjob_t:process transition;
-	dontaudit crond_t cronjob_t:fd use;
-	dontaudit crond_t cronjob_t:key manage_key_perms;
-',`
-	allow crond_t cronjob_t:process transition;
-	allow crond_t cronjob_t:fd use;
-	allow crond_t cronjob_t:key manage_key_perms;
+optional_policy(`
+	mta_send_mail(crond_t)
+	mta_filetrans_admin_home_content(crond_t)
+	mta_system_content(cron_spool_t)
 ')
 
 ifdef(`distro_debian',`
+	# pam_limits is used
 	allow crond_t self:process setrlimit;
 
-	optional_policy(`
-		logwatch_search_cache_dir(crond_t)
-	')
+')
+
+optional_policy(`
+	logwatch_search_cache_dir(crond_t)
+')
+
+optional_policy(`
+	bind_read_config(crond_t)
 ')
 
 ifdef(`distro_redhat',`
+	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(crond_t)
 	')
 ')
 
-tunable_policy(`allow_polyinstantiation',`
+tunable_policy(`polyinstantiation_enabled',`
 	files_polyinstantiate_all(crond_t)
 ')
 
-tunable_policy(`fcron_crond',`
-	allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+tunable_policy(`fcron_crond', `
+	allow crond_t system_cron_spool_t:file manage_file_perms;
 ')
 
 optional_policy(`
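Review bot: The cron_userdomain_transition tunable_policy block that gated the crond_t to cronjob_t transition is removed here, and the transition rules are added unconditionally in a later hunk (`allow crond_t cronjob_t:process transition;` plus the fd and sigchld rules), so within cron.te the tunable no longer changes anything. If its only remaining effect lives in other modules, the tunable's desc should say so; otherwise the declaration is dead. Also the fcron_crond tunable_policy call now carries a space after the comma, unlike every other tunable_policy call in the file.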
@@ -354,103 +314,141 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client(crond_t)
-
-	optional_policy(`
-		hal_dbus_chat(crond_t)
-	')
-
-	optional_policy(`
-		unconfined_dbus_send(crond_t)
-	')
+	djbdns_search_tinydns_keys(crond_t)
+	djbdns_link_tinydns_keys(crond_t)
 ')
 
 optional_policy(`
-	amanda_search_var_lib(crond_t)
+	locallogin_search_keys(crond_t)
+	locallogin_link_keys(crond_t)
 ')
 
 optional_policy(`
-	amavis_search_lib(crond_t)
+	# these should probably be unconfined_crond_t
+	dbus_system_bus_client(crond_t)
+	init_dbus_send_script(crond_t)
+	init_dbus_chat(crond_t)
 ')
 
 optional_policy(`
-	djbdns_search_tinydns_keys(crond_t)
-	djbdns_link_tinydns_keys(crond_t)
+	amanda_search_var_lib(crond_t)
 ')
 
 optional_policy(`
-	hal_write_log(crond_t)
+	antivirus_search_db(crond_t)
 ')
 
 optional_policy(`
-	locallogin_search_keys(crond_t)
-	locallogin_link_keys(crond_t)
+	hal_dbus_chat(crond_t)
+	hal_write_log(crond_t)
+	hal_dbus_chat(system_cronjob_t)
 ')
 
 optional_policy(`
-	mta_send_mail(crond_t)
+	# cjp: why?
+	munin_search_lib(crond_t)
 ')
 
 optional_policy(`
-	munin_search_lib(crond_t)
+	rpc_search_nfs_state_data(crond_t)
 ')
 
 optional_policy(`
-	postgresql_search_db(crond_t)
+	# Commonly used from postinst scripts
+	rpm_read_pipes(crond_t)
 ')
 
 optional_policy(`
-	rpc_search_nfs_state_data(crond_t)
+	# allow crond to find /usr/lib/postgresql/bin/do.maintenance
+	postgresql_search_db(crond_t)
 ')
 
 optional_policy(`
-	rpm_read_pipes(crond_t)
+	systemd_use_fds_logind(crond_t)
+	systemd_write_inherited_logind_sessions_pipes(crond_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(crond_t)
+	udev_read_db(crond_t)
 ')
 
 optional_policy(`
-	udev_read_db(crond_t)
+	vnstatd_search_lib(crond_t)
 ')
 
 ########################################
 #
-# System local policy
+# System cron process domain
 #
 
 allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+# This is to handle creation of files in /var/log directory.
+#  Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
+# This is to handle /var/lib/misc directory.  Used currently
+# by prelink var/lib files for cron 
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
 allow system_cronjob_t cron_var_run_t:file manage_file_perms;
 files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
 
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
 manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
 
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+tunable_policy(`cron_system_cronjob_use_shares',`
+    fs_fusefs_entrypoint(system_cronjob_t)
+    fs_nfs_entrypoint(system_cronjob_t)
+    fs_cifs_entrypoint(system_cronjob_t)
+')
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
+# Write /var/lock/makewhatis.lock.
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
 
+# write temporary files
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
 
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 
-allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-allow system_cronjob_t crond_t:process sigchld;
-
+# Read from /var/spool/cron.
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
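Review bot: `allow system_cronjob_t crond_t:fifo_file rw_file_perms;` replaces the removed `rw_fifo_file_perms` with the permission set meant for the file class; even if both expand to the same permissions today, the fifo set is the one that tracks fifo_file semantics, so the line should read `allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;`. The same substitution appears for cronjob_t in the user cronjobs hunk. In addition, `allow system_cronjob_t system_cron_spool_t:file read_file_perms;` is subsumed by the manage_files_pattern two lines below it, and `hal_dbus_chat(system_cronjob_t)` is tucked into an optional_policy block in the crond section that otherwise only holds crond_t rules.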
@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
+# ps does not need to access /boot when run from cron
 files_dontaudit_search_boot(system_cronjob_t)
 
 corecmd_exec_all_executables(system_cronjob_t)
 
-corenet_all_recvfrom_unlabeled(system_cronjob_t)
 corenet_all_recvfrom_netlabel(system_cronjob_t)
 corenet_tcp_sendrecv_generic_if(system_cronjob_t)
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
 fs_getattr_all_pipes(system_cronjob_t)
 fs_getattr_all_sockets(system_cronjob_t)
 
+# quiet other ps operations
 domain_dontaudit_read_all_domains_state(system_cronjob_t)
 
 files_exec_etc_files(system_cronjob_t)
@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t)
 files_getattr_all_symlinks(system_cronjob_t)
 files_getattr_all_pipes(system_cronjob_t)
 files_getattr_all_sockets(system_cronjob_t)
-files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
+# for nscd:
 files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
 files_manage_generic_spool(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 
 mls_file_read_to_clearance(system_cronjob_t)
 
 init_domtrans_script(system_cronjob_t)
-init_read_utmp(system_cronjob_t)
 init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
 
 auth_use_nsswitch(system_cronjob_t)
 
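Review bot: `init_telinit(system_cronjob_t)` grants every system cron job the ability to drive init, and the accompanying comment itself records that it was undecided whether to `allow or dontaudit`. For a prelink-triggered restart, a dontaudit rule for the same access, or scoping the rule to the prelink domain, keeps system cron jobs from gaining an init-control capability they never needed before; the comment should also record which option was chosen and why.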
@@ -516,20 +520,26 @@ logging_read_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
-miscfiles_read_localization(system_cronjob_t)
-
 seutil_read_config(system_cronjob_t)
 
+userdom_manage_tmpfs_files(system_cronjob_t, file)
+userdom_tmpfs_filetrans(system_cronjob_t, file)
+
 ifdef(`distro_redhat',`
+	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+	allow crond_t system_cron_spool_t:file manage_file_perms;
+
+	# via redirection of standard out.
 	optional_policy(`
 		rpm_manage_log(system_cronjob_t)
 	')
 ')
 
+selinux_get_fs_mount(system_cronjob_t)
+
 tunable_policy(`cron_can_relabel',`
 	seutil_domtrans_setfiles(system_cronjob_t)
 ',`
-	selinux_get_fs_mount(system_cronjob_t)
 	selinux_validate_context(system_cronjob_t)
 	selinux_compute_access_vector(system_cronjob_t)
 	selinux_compute_create_context(system_cronjob_t)
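Review bot: `allow crond_t system_cron_spool_t:file manage_file_perms;` is inserted in the middle of the comment `# Run the rpm program in the rpm_t domain. Allow creation of RPM log files` / `# via redirection of standard out.`, which now reads as two unrelated fragments, and the rule is a crond_t rule sitting in the system_cronjob_t section inside a distro_redhat ifdef. Move the rule next to the other crond_t spool rules and restore the comment as one unit. Note that with this line crond_t gets manage_file_perms on system_cron_spool_t on Red Hat regardless of the fcron_crond tunable, which already grants the same permissions conditionally earlier in the file; the commit does not mention that bypass.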
@@ -539,10 +549,18 @@ tunable_policy(`cron_can_relabel',`
 ')
 
 optional_policy(`
+	# Needed for certwatch
 	apache_exec_modules(system_cronjob_t)
 	apache_read_config(system_cronjob_t)
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
+	apache_manage_lib(system_cronjob_t)
+	apache_delete_cache_dirs(system_cronjob_t)
+	apache_delete_cache_files(system_cronjob_t)
+')
+
+optional_policy(`
+	bind_read_config(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -551,10 +569,6 @@ optional_policy(`
 
 optional_policy(`
 	dbus_system_bus_client(system_cronjob_t)
-
-	optional_policy(`
-		networkmanager_dbus_chat(system_cronjob_t)
-	')
 ')
 
 optional_policy(`
@@ -567,6 +581,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	firewalld_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
 	ftp_read_log(system_cronjob_t)
 ')
 
@@ -591,6 +609,8 @@ optional_policy(`
 optional_policy(`
 	mta_read_config(system_cronjob_t)
 	mta_send_mail(system_cronjob_t)
+	mta_filetrans_admin_home_content(system_cronjob_t)
+	mta_system_content(system_cron_spool_t)
 ')
 
 optional_policy(`
@@ -598,7 +618,23 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
 	postfix_read_config(system_cronjob_t)
+')	
+
+optional_policy(`
+	prelink_delete_cache(system_cronjob_t)
+	prelink_manage_lib(system_cronjob_t)
+	prelink_manage_log(system_cronjob_t)
+	prelink_read_cache(system_cronjob_t)
+	prelink_relabel_lib(system_cronjob_t)
+')
+
+optional_policy(`
+    rkhunter_manage_lib_files(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -607,7 +643,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+    snapper_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
+	spamassassin_manage_home_client(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -615,12 +656,27 @@ optional_policy(`
 ')
 
 optional_policy(`
-	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_dbus_chat_timedated(system_cronjob_t)
+	systemd_dbus_chat_hostnamed(system_cronjob_t)
+	systemd_dbus_chat_localed(system_cronjob_t)
+	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
+	unconfined_domain(crond_t)
+	unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+	unconfined_shell_domtrans(crond_t)
+	unconfined_dbus_send(crond_t)
+	userdom_filetrans_home_content(crond_t)
 ')
 
 ########################################
 #
-# Cronjob local policy
+# User cronjobs local policy
 #
 
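Review bot: `unconfined_domain(crond_t)` and `unconfined_domain(system_cronjob_t)` in the new optional_policy block make the cron daemon and every system cron job unconfined whenever the unconfined module is present in the loaded policy, at which point the fine-grained crond_t and system_cronjob_t rules in this file stop constraining anything. If that is the intended deployment model it belongs in the commit message and in a comment on the block, since a reader of the per-domain sections would otherwise assume the daemon is confined. Where system cron jobs are expected to stay confined, the block should be dropped or gated behind a tunable.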
 allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +684,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
 
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
 kernel_read_system_state(cronjob_t)
 kernel_read_kernel_sysctls(cronjob_t)
 
+# ps does not need to access /boot when run from cron
 files_dontaudit_search_boot(cronjob_t)
 
-corenet_all_recvfrom_unlabeled(cronjob_t)
 corenet_all_recvfrom_netlabel(cronjob_t)
 corenet_tcp_sendrecv_generic_if(cronjob_t)
 corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +717,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
 corenet_udp_sendrecv_generic_node(cronjob_t)
 corenet_tcp_sendrecv_all_ports(cronjob_t)
 corenet_udp_sendrecv_all_ports(cronjob_t)
-
-corenet_sendrecv_all_client_packets(cronjob_t)
 corenet_tcp_connect_all_ports(cronjob_t)
-
-corecmd_exec_all_executables(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
 
 dev_read_urand(cronjob_t)
 
 fs_getattr_all_fs(cronjob_t)
 
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
 domain_dontaudit_read_all_domains_state(cronjob_t)
 domain_dontaudit_getattr_all_domains(cronjob_t)
 
 files_exec_etc_files(cronjob_t)
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
-files_read_usr_files(cronjob_t)
-files_search_spool(cronjob_t)
+# for nscd:
 files_dontaudit_search_pids(cronjob_t)
 
 libs_exec_lib_files(cronjob_t)
 libs_exec_ld_so(cronjob_t)
 
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
 logging_search_logs(cronjob_t)
 
 seutil_read_config(cronjob_t)
 
-miscfiles_read_localization(cronjob_t)
 
 userdom_manage_user_tmp_files(cronjob_t)
 userdom_manage_user_tmp_symlinks(cronjob_t)
 userdom_manage_user_tmp_pipes(cronjob_t)
 userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
 userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
 userdom_manage_user_home_content_files(cronjob_t)
 userdom_manage_user_home_content_symlinks(cronjob_t)
 userdom_manage_user_home_content_pipes(cronjob_t)
 userdom_manage_user_home_content_sockets(cronjob_t)
 
-tunable_policy(`cron_userdomain_transition',`
-	dontaudit cronjob_t crond_t:fd use;
-	dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-	dontaudit cronjob_t crond_t:process sigchld;
-
-	dontaudit cronjob_t user_cron_spool_t:file entrypoint;
-',`
-	allow cronjob_t crond_t:fd use;
-	allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-	allow cronjob_t crond_t:process sigchld;
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
 
-	allow cronjob_t user_cron_spool_t:file entrypoint;
+tunable_policy(`fcron_crond',`
+	allow crond_t user_cron_spool_t:file manage_file_perms;
 ')
 
+# need a per-role version of this:
+#optional_policy(`
+#	mono_domtrans(cronjob_t)
+#')
+
 optional_policy(`
 	nis_use_ypbind(cronjob_t)
 ')
 
+##############################
+#
+# crontab common policy
+#
+
+# dac_override is to create the file in the directory under /tmp
+allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
+allow crontab_domain crond_t:process signal;
+allow crontab_domain crond_var_run_t:file read_file_perms;
+
+corecmd_exec_bin(crontab_domain)
+corecmd_exec_shell(crontab_domain)
+
+# create files in /var/spool/cron
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+files_list_spool(crontab_domain)
+
+# crontab signals crond by updating the mtime on the spooldir
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+
+# for the checks used by crontab -u
+selinux_dontaudit_search_fs(crontab_domain)
+
+fs_getattr_xattr_fs(crontab_domain)
+fs_manage_cgroup_dirs(crontab_domain)
+fs_manage_cgroup_files(crontab_domain)
+
+domain_use_interactive_fds(crontab_domain)
+
+files_dontaudit_search_pids(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+
+auth_rw_var_auth(crontab_domain)
+
+logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
+
+init_dontaudit_write_utmp(crontab_domain)
+init_read_utmp(crontab_domain)
+init_read_state(crontab_domain)
+
+
+seutil_read_config(crontab_domain)
+
+userdom_manage_user_tmp_dirs(crontab_domain)
+userdom_manage_user_tmp_files(crontab_domain)
+# Access terminals.
+userdom_use_inherited_user_terminals(crontab_domain)
+# Read user crontabs
+userdom_read_user_home_content_files(crontab_domain)
+userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`fcron_crond',`
+	# fcron wants an instant update of a crontab change for the administrator
+	# also crontab does a security check for crontab -u
+	dontaudit crontab_domain crond_t:process signal;
+')
+
+optional_policy(`
+	ssh_dontaudit_use_ptys(crontab_domain)
+')
+
+optional_policy(`
+	openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+	openshift_transition(system_cronjob_t)
+')
+
 ########################################
 #
-# Unconfined local policy
+# Unconfined cronjobs local policy
 #
 
 type unconfined_cronjob_t;
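Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies the lnk_file permission set to the file class, which in the refpolicy perm sets includes create, unlink and rename, so crond_t gets write-like control over user crontabs right after the preceding lines deliberately limited it to list and read access. If crond needs to replace user crontab files, say so with the file-class set under a comment, e.g. `allow crond_t user_cron_spool_t:file manage_file_perms;`; otherwise drop the line, since the fcron_crond block directly below already grants manage_file_perms for that case. These crond_t rules also sit in the "User cronjobs local policy" section rather than with the other crond_t spool rules, and `openshift_transition(system_cronjob_t)` is placed in an optional block otherwise scoped to crontab_domain.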
diff --git a/ctdb.fc b/ctdb.fc
index 8401fe6..84ece3e 100644
--- a/ctdb.fc
+++ b/ctdb.fc
@@ -1,12 +1,20 @@
 /etc/rc\.d/init\.d/ctdb	--	gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
 
+/etc/ctdb/events\.d/.*       --  gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
 /usr/sbin/ctdbd	--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
+/usr/sbin/ctdbd_wrapper --  gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
+/var/ctdb(/.*)?    gen_context(system_u:object_r:ctdbd_var_t,s0)
 
+/var/lib/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 /var/lib/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 
 /var/log/ctdb\.log.*	--	gen_context(system_u:object_r:ctdbd_log_t,s0)
 /var/log/log\.ctdb.*	--	gen_context(system_u:object_r:ctdbd_log_t,s0)
 
+
+/var/run/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_var_run_t,s0)
 /var/run/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_run_t,s0)
 
 /var/spool/ctdb(/.*)?	gen_context(system_u:object_r:ctdbd_spool_t,s0)
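Review bot: The new `/etc/ctdb/events\.d/.*` entry at the top of the hunk has no file-type qualifier, so subdirectories and non-regular files under events.d are also labeled ctdbd_exec_t, while the other executable entries in this file (`/usr/sbin/ctdbd`, `/usr/sbin/ctdbd_wrapper`) restrict themselves to regular files with `--`. Suggest `/etc/ctdb/events\.d/.*	--	gen_context(system_u:object_r:ctdbd_exec_t,s0)`. Labeling the event scripts with the daemon's own entry-point type also makes every script a valid entry point into ctdbd_t; if that is intended, a one-line comment above the entry saying so would help the next reader.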
diff --git a/ctdb.if b/ctdb.if
index b25b01d..06895f3 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,178 @@
-## <summary>Clustered Database based on Samba Trivial Database.</summary>
+
+## <summary>policy for ctdbd</summary>
+
+########################################
+## <summary>
+##	Transition to ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ctdbd_domtrans',`
+	gen_require(`
+		type ctdbd_t, ctdbd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+## <summary>
+##	Execute ctdbd server in the ctdbd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_initrc_domtrans',`
+	gen_require(`
+		type ctdbd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##  Allow domain to signal ctdbd.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ctdbd_signal',`
+    gen_require(`
+        type ctdbd_t;
+    ')
+        allow $1 ctdbd_t:process signal;
+')
+
+#######################################
+## <summary>
+##  Allow domain to sigchld ctdbd.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ctdbd_sigchld',`
+    gen_require(`
+        type ctdbd_t;
+    ')
+        allow $1 ctdbd_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read ctdbd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ctdbd_read_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to ctdbd log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`ctdbd_append_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+##	Manage ctdbd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_manage_log',`
+	gen_require(`
+		type ctdbd_log_t;
+	')
+
+	logging_search_logs($1)
+        manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+        manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+        manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
+##	Search ctdbd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_search_lib',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read ctdbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_read_lib_files',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	ctdbd lib files.
+##	Manage ctdbd lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
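Review bot: The parameter descriptions of `ctdbd_append_log` and `ctdbd_manage_log` do not match what the interfaces grant: `ctdbd_append_log` documents its argument as `Domain allowed to transition.` and `ctdbd_manage_log` as `Domain to not audit.`, yet both simply allow access to ctdbd_log_t with no transition or dontaudit involved. Both should read `Domain allowed access.` like the neighbouring interfaces. Indentation is also mixed in this hunk: `ctdbd_signal`/`ctdbd_sigchld` use four spaces and the `*_pattern` calls in `ctdbd_read_log`, `ctdbd_append_log`, `ctdbd_manage_log` and `ctdbd_read_lib_files` are indented with eight spaces where the rest of the file uses a tab; the same applies to `ctdbd_manage_lib_files` and `ctdbd_manage_lib_dirs` in the following two hunks.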
@@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',`
 	')
 
 	files_search_var_lib($1)
-	manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+        manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Connect to ctdbd with a unix
-##	domain stream socket.
+##	Manage ctdbd lib directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -31,19 +199,58 @@ interface(`ctdbd_manage_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`ctdbd_stream_connect',`
+interface(`ctdbd_manage_lib_dirs',`
+	gen_require(`
+		type ctdbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read ctdbd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ctdbd_read_pid_files',`
 	gen_require(`
-		type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+		type ctdbd_var_run_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+	allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Connect to ctdbd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ctdbd_stream_connect',`
+    gen_require(`
+        type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+    ')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+    stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an ctdb environment.
+##	All of the rules required to administrate
+##	an ctdbd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
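Review bot: `ctdbd_stream_connect` now grants a connect to sockets of type ctdbd_tmp_t, but the only directory search it adds is `files_search_pids($1)`; a socket under /tmp labeled ctdbd_tmp_t is reachable only if the caller can already search tmp_t. If the ctdbd_tmp_t socket is expected to live under /tmp, add `files_search_tmp($1)` next to the pids search. The previous version of the interface had the same gap, so this is not a regression, but splitting the rule into two stream_connect_pattern calls is a good moment to close it.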
@@ -57,16 +264,19 @@ interface(`ctdbd_stream_connect',`
 ## </param>
 ## <rolecap/>
 #
-interface(`ctdb_admin',`
+interface(`ctdbd_admin',`
 	gen_require(`
-		type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+		type ctdbd_t, ctdbd_initrc_exec_t;
 		type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
 	')
 
-	allow $1 ctdbd_t:process { ptrace signal_perms };
+	allow $1 ctdbd_t:process signal_perms;
 	ps_process_pattern($1, ctdbd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ctdbd_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+	ctdbd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 ctdbd_initrc_exec_t system_r;
 	allow $2 system_r;
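Review bot: Renaming the interface from `ctdb_admin` to `ctdbd_admin` is a source-incompatible change: any module or role template that still calls `ctdb_admin($1, $2)` will fail to build against this version. Refpolicy convention is to keep the old name for a release as a deprecated wrapper that emits `refpolicywarn` and calls `ctdbd_admin($1, $2)`, so callers get a warning rather than a build break. Gating the ptrace permission behind `deny_ptrace` is the right direction.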
@@ -74,12 +284,10 @@ interface(`ctdb_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, ctdbd_log_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, ctdbd_tmp_t)
-
 	files_search_var_lib($1)
 	admin_pattern($1, ctdbd_var_lib_t)
 
 	files_search_pids($1)
 	admin_pattern($1, ctdbd_var_run_t)
 ')
+
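Review bot: Dropping `admin_pattern($1, ctdbd_tmp_t)` leaves the admin domain with no rights over ctdbd_tmp_t even though the type is still live — `ctdbd_stream_connect` above connects to sockets of that type — so an administrator can no longer remove stale ctdbd sockets or temp files by hand. If ctdbd_t still creates content of that type, keep `files_search_tmp($1)` and `admin_pattern($1, ctdbd_tmp_t)`. The hunk also adds a trailing blank line at the end of the file.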
diff --git a/ctdb.te b/ctdb.te
index 001b502..47199aa 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
 type ctdbd_var_lib_t;
 files_type(ctdbd_var_lib_t)
 
+type ctdbd_var_t;
+files_type(ctdbd_var_t)
+
 type ctdbd_var_run_t;
 files_pid_file(ctdbd_var_run_t)
 
@@ -33,12 +36,15 @@ files_pid_file(ctdbd_var_run_t)
 #
 
 allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+allow ctdbd_t self:capability2 block_suspend;
 allow ctdbd_t self:process { setpgid signal_perms setsched };
 allow ctdbd_t self:fifo_file rw_fifo_file_perms;
 allow ctdbd_t self:unix_stream_socket { accept connectto listen };
 allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
 allow ctdbd_t self:packet_socket create_socket_perms;
 allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+allow ctdbd_t self:udp_socket create_socket_perms;
+allow ctdbd_t self:rawip_socket create_socket_perms;
 
 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
 create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
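Review bot: `allow ctdbd_t self:rawip_socket create_socket_perms;` deserves a why-comment; raw IP sockets are a broad capability and the rule alone does not tell a reviewer which feature needs them. ctdb is known to send gratuitous ARP and TCP "tickle" ACKs from raw sockets during public-IP takeover, so `# raw sockets: gratuitous ARP / TCP tickle ACKs on IP takeover` would document it (confirm against the packaged version). The same applies to the new `capability2 block_suspend` and `udp_socket` lines.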
@@ -57,12 +63,23 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
 exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
 
 manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
 manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
 files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
 
+setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)
+
+can_exec(ctdbd_t, ctdbd_exec_t)
+
 kernel_read_network_state(ctdbd_t)
 kernel_read_system_state(ctdbd_t)
 kernel_rw_net_sysctls(ctdbd_t)
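Review bot: `setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)` lets the daemon change mode and ownership of its own entry-point files, and with the new `/etc/ctdb/events\.d/.*` labeling in ctdb.fc that now covers every event script as well. A domain that can setattr its own entry-point type weakens the integrity of that type, so the line wants a comment stating which file ctdbd modifies and why (presumably an event script being made executable by the service; confirm). If only the event scripts need it, giving events.d its own type (a placeholder such as `<ctdb_script_type>` until named) would keep the daemon binary out of scope.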
@@ -72,9 +89,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
 corenet_tcp_sendrecv_generic_if(ctdbd_t)
 corenet_tcp_sendrecv_generic_node(ctdbd_t)
 corenet_tcp_bind_generic_node(ctdbd_t)
+corenet_udp_bind_generic_node(ctdbd_t)
 
 corenet_sendrecv_ctdb_server_packets(ctdbd_t)
 corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_bind_smbd_port(ctdbd_t)
+corenet_tcp_connect_ctdb_port(ctdbd_t)
 corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
 
 corecmd_exec_bin(ctdbd_t)
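Review bot: `corenet_tcp_bind_smbd_port(ctdbd_t)` is surprising for a cluster daemon and carries no comment; binding the SMB port is normally smbd's job. If the actual trigger is an event script probing whether smbd is listening, the narrower grant is a connect interface for that port rather than bind. Please add a why-comment naming the event script or code path that produced the AVC.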
@@ -85,14 +106,18 @@ dev_read_urand(ctdbd_t)
 
 domain_dontaudit_read_all_domains_state(ctdbd_t)
 
-files_read_etc_files(ctdbd_t)
 files_search_all_mountpoints(ctdbd_t)
 
+fs_getattr_all_fs(ctdbd_t)
+
+auth_use_nsswitch(ctdbd_t)
+
 logging_send_syslog_msg(ctdbd_t)
 
-miscfiles_read_localization(ctdbd_t)
 miscfiles_read_public_files(ctdbd_t)
 
+userdom_home_manager(ctdbd_t)
+
 optional_policy(`
 	consoletype_exec(ctdbd_t)
 ')
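Review bot: `userdom_home_manager(ctdbd_t)` grants the daemon management of all user home-directory content, which is far broader than anything else in this domain and is not explained. If ctdb only needs to read a home-located file, or the rule came from an AVC while the daemon was started from a home directory, a narrower userdom_* interface or a dontaudit is preferable; otherwise a comment stating the use case belongs on the line. The removals of `files_read_etc_files` and `miscfiles_read_localization` are fine provided those are now granted at the domain-attribute level, which this diff does not show.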
@@ -106,9 +131,16 @@ optional_policy(`
 ')
 
 optional_policy(`
+    samba_signull_smbd(ctdbd_t)
 	samba_initrc_domtrans(ctdbd_t)
 	samba_domtrans_net(ctdbd_t)
 	samba_rw_var_files(ctdbd_t)
+	samba_systemctl(ctdbd_t)
+')
+
+optional_policy(`
+    samba_signull_winbind(ctdbd_t)
+    samba_signull_unconfined_net(ctdbd_t)
 ')
 
 optional_policy(`
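Review bot: The new `samba_signull_*` lines are indented with four spaces while the surrounding optional_policy bodies use a tab; please tab-indent `samba_signull_smbd`, `samba_signull_winbind` and `samba_signull_unconfined_net`. The second optional_policy block contains only samba interfaces as well, so unless it guards types that may be absent independently of the first block it can be folded into it.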
diff --git a/cups.fc b/cups.fc
index 949011e..8f8bc20 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,92 @@
-/etc/alchemist/namespace/printconf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/etc/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
-/etc/cups/classes\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/cupsd\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/lpoptions.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/printers\.conf.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/subscriptions.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
 
 /etc/cups/interfaces(/.*)?	gen_context(system_u:object_r:cupsd_interface_t,s0)
 
-/etc/hp(/.*)?	gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/hp(/.*)?			gen_context(system_u:object_r:cupsd_etc_t,s0)
 
-/lib/udev/udev-configure-printer	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/opt/brother/Printers(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/gutenprint/ppds(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/systemd/system/cups.*	--	gen_context(system_u:object_r:cupsd_unit_file_t,s0)
 
-/usr/bin/cups-config-daemon	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/hpijs	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
-/usr/Brother/fax/.*\.log.*	gen_context(system_u:object_r:cupsd_log_t,s0)
-/usr/Brother/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/Printer/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/lib/cups/daemon/cups-lpd	--	gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-/usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-/usr/lib/cups/backend/hp.*	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib/udev/udev-configure-printer	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/usr/libexec/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/libexec/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* --	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/usr/local/linuxprinter/ppd(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
-/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/cupsd	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cups-browsed 	--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 
-/usr/share/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
-/usr/share/foomatic/db/oldprinterids	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/.*\.py	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py --	gen_context(system_u:object_r:cupsd_exec_t,s0)
 
-/var/cache/alchemist/printconf.*	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/cups(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
 
 /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
 
-/var/lib/hp(/.*)?	gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/lib/hp(/.*)?		gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/var/log/cups(/.*)?	gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.*	gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 
-/var/ccpd(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/log/hp(/.*)?       gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+/var/run/hplip(/.*)		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/ecblp0		--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.port	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
 /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/udev-configure-printer(/.*)?	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
-/var/turboprint(/.*)?	gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+
+/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/opt/brother/Printers/(.*/)?inf(/.*)?        gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
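Review bot: `/var/run/hplip(/.*)` is missing the `?` after the group: as written the regex matches only entries below /var/run/hplip, not the directory itself, so `/var/run/hplip` keeps the default var_run_t label on relabel. Every other directory entry in the file uses `(/.*)?`; change it to `/var/run/hplip(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)`. Separately, `/usr/lib/bjlib(/.*)?` is placed in the /var/lib block and carries `mls_systemhigh` like the `/var/cache/cups` line, which looks like a copy of that entry; confirm the level is intended for a library directory under /usr.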
diff --git a/cups.if b/cups.if
index 3023be7..0317731 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
 interface(`cups_read_config',`
 	gen_require(`
 		type cupsd_etc_t, cupsd_rw_etc_t;
+		type hplip_etc_t;
 	')
 
 	files_search_etc($1)
-	read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+	read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+	read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+	read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
 ')
 
 ########################################
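Review bot: The added `read_files_pattern($1, hplip_etc_t, hplip_etc_t)` and its `type hplip_etc_t;` require are redundant once cups.te in this same change declares `typealias cupsd_etc_t alias hplip_etc_t;` — the alias resolves to the same type as the line above it. Keeping a separate require is harmless but misleading, since it suggests hplip_etc_t is still a distinct type; drop the two lines or annotate them with `# hplip_etc_t is an alias of cupsd_etc_t` so the next reader does not go looking for the type.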
@@ -306,6 +309,30 @@ interface(`cups_stream_connect_ptal',`
 
 ########################################
 ## <summary>
+##	Execute cupsd server in the cupsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cupsd_systemctl',`
+	gen_require(`
+		type cupsd_t;
+		type cupsd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 cupsd_unit_file_t:file read_file_perms;
+	allow $1 cupsd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, cupsd_t)
+')
+
+########################################
+## <summary>
 ##	Read the process state (/proc/pid) of cupsd.
 ## </summary>
 ## <param name="domain">
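Review bot: The summary of the new interface, `Execute cupsd server in the cupsd domain.`, and its parameter text `Domain allowed to transition.` describe a domain transition, but the body grants systemctl execution, `read_file_perms` and `manage_service_perms` on cupsd_unit_file_t and `ps_process_pattern` on cupsd_t; there is no transition. Suggest `##	Manage the cups systemd unit (start, stop and reload via systemctl).` with `Domain allowed access.` for the parameter. The name `cupsd_systemctl` also breaks the module's `cups_` prefix convention used by every other interface in this file (`cups_read_config`, `cups_admin`).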
@@ -344,18 +371,23 @@ interface(`cups_read_state',`
 interface(`cups_admin',`
 	gen_require(`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-		type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+		type cupsd_etc_t, cupsd_log_t;
 		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
 		type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
 		type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
 		type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
-		type hplip_t, ptal_t;
+		type ptal_t;
+		type cupsd_unit_file_t;
 	')
 
-	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
-	allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
+	allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
 	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
-	ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+	ps_process_pattern($1, { cups_pdf_t ptal_t })
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
 	domain_system_change_exemption($1)
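Review bot: The `deny_ptrace` block only restores ptrace on `{ cupsd_t cupsd_config_t cupsd_lpd_t }`; the removed line also granted it on cups_pdf_t and ptal_t, so administrators lose ptrace over those two domains unconditionally, even with the tunable off. If that is not intended, add `allow $1 { cups_pdf_t ptal_t }:process ptrace;` inside the tunable block (hplip_t is covered by its alias to cupsd_t). The braces in `{ signal_perms }` on both new allow lines are unnecessary around a single permission set.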
@@ -368,13 +400,45 @@ interface(`cups_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, cupsd_log_t)
 
-	files_list_spool($1)
-	admin_pattern($1, cupsd_spool_t)
-
 	files_list_tmp($1)
 	admin_pattern($1, { cupsd_tmp_t  cupsd_lpd_tmp_t })
-
-	files_list_pids($1)
 	admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
 	admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
+
+	cupsd_systemctl($1)
+	admin_pattern($1, cupsd_unit_file_t)
+	allow $1 cupsd_unit_file_t:service all_service_perms;
+')
+
+########################################
+## <summary>
+##	Transition to cups named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cups_filetrans_named_content',`
+	gen_require(`
+		type cupsd_rw_etc_t;
+		type cupsd_etc_t;
+	')
+
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
+	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
+	files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
+	files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
 ')
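Review bot: `files_list_pids($1)` is removed while the `admin_pattern` lines on cupsd_config_var_run_t, cupsd_var_run_t, hplip_var_run_t, ptal_var_run_t and cupsd_lpd_var_run_t are kept; those rules are only usable if the caller can already search /var/run, so unless that is guaranteed elsewhere the removal makes them unreachable and the line should stay. `allow $1 cupsd_unit_file_t:service all_service_perms;` directly after `cupsd_systemctl($1)`, which already grants manage_service_perms, is redundant unless all_service_perms adds something manage does not. In `cups_filetrans_named_content`, the `dir, "inf"` transitions under /etc, /usr and bin directories label any newly created `inf` directory cupsd_rw_etc_t; a comment naming the vendor drivers that create them (the Brother paths in cups.fc) would explain the breadth.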
diff --git a/cups.te b/cups.te
index c91813c..8aececf 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
 # Declarations
 #
 
-type cupsd_config_t;
+## <desc>
+## <p>
+## Allow cups execmem/execstack
+## </p>
+## </desc>
+gen_tunable(cups_execmem, false)
+
+attribute cups_domain;
+
+type cupsd_config_t, cups_domain;
 type cupsd_config_exec_t;
 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
 
 type cupsd_config_var_run_t;
 files_pid_file(cupsd_config_var_run_t)
 
-type cupsd_t;
+type cupsd_t, cups_domain;
 type cupsd_exec_t;
+typealias cupsd_t alias hplip_t;
+typealias cupsd_exec_t alias hplip_exec_t;
 init_daemon_domain(cupsd_t, cupsd_exec_t)
 mls_trusted_object(cupsd_t)
 
 type cupsd_etc_t;
+typealias cupsd_etc_t alias hplip_etc_t;
 files_config_file(cupsd_etc_t)
 
 type cupsd_initrc_exec_t;
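Review bot: `typealias cupsd_t alias hplip_t;` merges the formerly separate hplip_t domain into cupsd_t, so every privilege of the print scheduler — including `mls_trusted_object(cupsd_t)` two lines below — now applies to the HP tools, and vice versa. This is a deliberate loss of separation and should be stated in a comment at the alias, e.g. `# hplip_t merged into cupsd_t: HP tools now run under the scheduler's full policy`, so a later reader knows it was intentional. The `cups_execmem` tunable is declared here but no rule using it appears in the visible hunks; confirm it is referenced elsewhere.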
@@ -33,13 +45,15 @@ type cupsd_lock_t;
 files_lock_file(cupsd_lock_t)
 
 type cupsd_log_t;
+typealias cupsd_log_t alias hplip_var_log_t;
 logging_log_file(cupsd_log_t)
 
-type cupsd_lpd_t;
+type cupsd_var_lib_t alias hplip_var_lib_t;
+files_type(cupsd_var_lib_t)
+
+type cupsd_lpd_t, cups_domain;
 type cupsd_lpd_exec_t;
-domain_type(cupsd_lpd_t)
-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-role system_r types cupsd_lpd_t;
+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 
 type cupsd_lpd_tmp_t;
 files_tmp_file(cupsd_lpd_tmp_t)
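Review bot: `type cupsd_var_lib_t alias hplip_var_lib_t;` declares its alias inline, whereas every other hplip alias added in this file uses a separate `typealias` statement; for consistency write `type cupsd_var_lib_t;` followed by `typealias cupsd_var_lib_t alias hplip_var_lib_t;`. Replacing the hand-written domain_type/domain_entry_file/role lines with `init_domain` is a good simplification.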
@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
 type cupsd_lpd_var_run_t;
 files_pid_file(cupsd_lpd_var_run_t)
 
-type cups_pdf_t;
+type cups_pdf_t, cups_domain;
 type cups_pdf_exec_t;
 cups_backend(cups_pdf_t, cups_pdf_exec_t)
 
@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
 files_tmp_file(cups_pdf_tmp_t)
 
 type cupsd_tmp_t;
+typealias cupsd_tmp_t alias hplip_tmp_t;
 files_tmp_file(cupsd_tmp_t)
 
 type cupsd_var_run_t;
+typealias cupsd_var_run_t alias hplip_var_run_t;
 files_pid_file(cupsd_var_run_t)
 init_daemon_run_dir(cupsd_var_run_t, "cups")
 mls_trusted_object(cupsd_var_run_t)
 
-type hplip_t;
-type hplip_exec_t;
-init_daemon_domain(hplip_t, hplip_exec_t)
-cups_backend(hplip_t, hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
-
-type hplip_tmp_t;
-files_tmp_file(hplip_tmp_t)
-
-type hplip_var_lib_t;
-files_type(hplip_var_lib_t)
-
-type hplip_var_run_t;
-files_pid_file(hplip_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
 
 type ptal_t;
 type ptal_exec_t;
@@ -97,21 +99,50 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
 ')
 
+#######################################
+#
+# Cups general local policy
+#
+
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
+
+corecmd_exec_bin(cups_domain)
+corecmd_exec_shell(cups_domain)
+
+dev_read_urand(cups_domain)
+dev_read_rand(cups_domain)
+dev_read_sysfs(cups_domain)
+
+fs_getattr_all_fs(cups_domain)
+
+miscfiles_read_fonts(cups_domain)
+miscfiles_setattr_fonts_cache_dirs(cups_domain)
+
+optional_policy(`
+    lpd_manage_spool(cups_domain)
+')
+
 ########################################
 #
 # Cups local policy
 #
 
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched };
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:socket connect;
 allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:sem create_sem_perms;
-allow cupsd_t self:tcp_socket { accept listen };
 allow cupsd_t self:appletalk_socket create_socket_perms;
 
 allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
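Review bot: `allow cups_domain self:capability { setuid setgid sys_nice };` grants setuid/setgid to every domain carrying the attribute, including cupsd_config_t and cupsd_lpd_t, which are not shown holding them before; a short comment naming which members actually drop privileges would justify the attribute-level grant, or the rule can stay per-domain. The `optional_policy` body calling `lpd_manage_spool` is indented with four spaces, unlike the tab-indented blocks elsewhere in the file. Dropping `sys_rawio` from cupsd_t's capability set is a welcome narrowing.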
@@ -120,11 +151,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 
 manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
+can_exec(cupsd_t, cupsd_rw_etc_t)
 
 allow cupsd_t cupsd_exec_t:dir search_dir_perms;
 allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
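Review bot: `can_exec(cupsd_t, cupsd_rw_etc_t)` lets the scheduler execute files of a type it also creates and writes (`manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)` two lines above, and per cups.fc the type also covers /var/cache/cups and vendor `inf` directories), which removes the write/execute separation the policy otherwise gives this daemon. If one specific file under that type must be executed, a comment naming it belongs on the line and a distinct executable type is preferable. `can_exec(cupsd_t, cupsd_interface_t)` is also redundant with the pre-existing `can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })` further down in this file.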
@@ -136,22 +170,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
 
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+
 manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
 
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
 
-allow cupsd_t hplip_t:process { signal sigkill };
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
 
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-
-allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
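Review bot: The new cupsd_var_lib_t rules cover files and symlinks but not directories — there is no `manage_dirs_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)` and no `files_var_lib_filetrans`, so cupsd_t can neither create subdirectories under /var/lib/hp nor get a freshly created /var/lib/hp labeled cupsd_var_lib_t. If the daemon creates that tree itself, add `manage_dirs_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)` and `files_var_lib_filetrans(cupsd_t, cupsd_var_lib_t, dir, "hp")`. Removing the hplip_* lines also leaves two consecutive blank lines before the ptal rules.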
@@ -159,11 +194,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
 can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
 
 kernel_read_system_state(cupsd_t)
-kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
 kernel_request_load_module(cupsd_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_t)
 corenet_all_recvfrom_netlabel(cupsd_t)
 corenet_tcp_sendrecv_generic_if(cupsd_t)
 corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -186,12 +219,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_bind_all_rpc_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
 
-corecmd_exec_bin(cupsd_t)
-corecmd_exec_shell(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_receive_hplip_server_packets(cupsd_t)
+corenet_tcp_bind_hplip_port(cupsd_t)
+corenet_tcp_connect_hplip_port(cupsd_t)
+corenet_tcp_bind_glance_port(cupsd_t)
+corenet_tcp_connect_glance_port(cupsd_t)
+
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_tcp_connect_ipp_port(cupsd_t)
+
+corenet_sendrecv_howl_server_packets(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
 
 dev_rw_printer(cupsd_t)
-dev_read_urand(cupsd_t)
-dev_read_sysfs(cupsd_t)
 dev_rw_input_dev(cupsd_t)
 dev_rw_generic_usb_dev(cupsd_t)
 dev_rw_usbfs(cupsd_t)
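Review bot: `corenet_tcp_bind_glance_port(cupsd_t)` and `corenet_tcp_connect_glance_port(cupsd_t)` grant the print daemon a port named for an unrelated service, and nothing in the hunk says why. If this is a port-number overlap with something CUPS actually listens on, a one-line comment above the pair would stop the next maintainer from removing it as a mistake, e.g. `# glance_port_t shares a port number cupsd binds; see <ticket placeholder>`. The hunk also drops `dev_read_urand(cupsd_t)`; if that access is now provided by an interface pulled in elsewhere, fine, but it is not visible here.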
@@ -203,7 +244,6 @@ domain_use_interactive_fds(cupsd_t)
 files_getattr_boot_dirs(cupsd_t)
 files_list_spool(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
-files_read_usr_files(cupsd_t)
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
@@ -212,17 +252,19 @@ files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
 files_read_var_files(cupsd_t)
 files_read_var_symlinks(cupsd_t)
-files_write_generic_pid_pipes(cupsd_t)
 files_dontaudit_getattr_all_tmp_files(cupsd_t)
 files_dontaudit_list_home(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
+files_dontaudit_write_usr_dirs(cupsd_t)
 
-fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
 fs_search_fusefs(cupsd_t)
 fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
 
+mls_dbus_send_all_levels(cupsd_t)
 mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
 mls_file_write_all_levels(cupsd_t)
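Review bot: `fs_rw_anon_inodefs_files(cupsd_t)` is added directly below the kept `fs_read_anon_inodefs_files(cupsd_t)`, so the read line is now subsumed and can be dropped. Separately, `files_write_generic_pid_pipes(cupsd_t)` is removed here and only reappears inside the unconfined_dbus_chat `optional_policy` block later in this file; if cupsd needs that write on systems where the unconfined module is not loaded, the rule should stay unconditional. That second point is inferred from the two hunks together and is worth confirming against the denials that motivated the move.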
@@ -232,6 +274,8 @@ mls_socket_write_all_levels(cupsd_t)
 
 term_search_ptys(cupsd_t)
 term_use_unallocated_ttys(cupsd_t)
+term_use_ptmx(cupsd_t)
+term_use_usb_ttys(cupsd_t)
 
 selinux_compute_access_vector(cupsd_t)
 selinux_validate_context(cupsd_t)
@@ -244,22 +288,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
 auth_rw_faillog(cupsd_t)
 auth_use_nsswitch(cupsd_t)
 
-libs_read_lib_files(cupsd_t)
 libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
+libs_exec_ld_so(cupsd_t)
 
 logging_send_audit_msgs(cupsd_t)
 logging_send_syslog_msg(cupsd_t)
 
-miscfiles_read_localization(cupsd_t)
-miscfiles_read_fonts(cupsd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-
 seutil_read_config(cupsd_t)
 
 sysnet_exec_ifconfig(cupsd_t)
+sysnet_dns_name_resolve(cupsd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
 userdom_dontaudit_search_user_home_content(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+
+tunable_policy(`cups_execmem',`
+	allow cupsd_t self:process { execmem execstack };
+')
+
 
 optional_policy(`
 	apm_domtrans_client(cupsd_t)
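Review bot: `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` are each listed twice in this hunk (the added pair repeats the two context lines directly above); delete the added duplicates. The new `cups_execmem` tunable is used here but its `gen_tunable` declaration and `<desc>` are not in this hunk; make sure they exist near the top of the file, since execmem/execstack is a notable relaxation that policy users should see documented. The added `tunable_policy` block is also followed by two blank lines where the file otherwise uses one.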
@@ -272,6 +322,8 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(cupsd_t)
 
+	init_dbus_chat(cupsd_t)
+
 	userdom_dbus_send_all_users(cupsd_t)
 
 	optional_policy(`
@@ -279,11 +331,17 @@ optional_policy(`
 	')
 
 	optional_policy(`
+		colord_read_lib_files(cupsd_t)
+	')
+
+	optional_policy(`
 		hal_dbus_chat(cupsd_t)
 	')
 
+	# talk to processes that do not have policy
 	optional_policy(`
 		unconfined_dbus_chat(cupsd_t)
+		files_write_generic_pid_pipes(cupsd_t)
 	')
 ')
 
@@ -296,8 +354,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
 	kerberos_manage_host_rcache(cupsd_t)
-	kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
 ')
 
 optional_policy(`
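Review bot: `kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")` drops the object-class argument the old call passed (`file`), so this only builds if kerberos.if was changed to the two-argument form in the same series; that change is not visible here. The call is also reordered above `kerberos_manage_host_rcache(cupsd_t)`, which is harmless but reverses the previous order for no stated reason.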
@@ -306,7 +364,6 @@ optional_policy(`
 
 optional_policy(`
 	lpd_exec_lpr(cupsd_t)
-	lpd_manage_spool(cupsd_t)
 	lpd_read_config(cupsd_t)
 	lpd_relabel_spool(cupsd_t)
 ')
@@ -316,6 +373,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_chat(cupsd_t)
+')
+
+optional_policy(`
 	samba_read_config(cupsd_t)
 	samba_rw_var_files(cupsd_t)
 	samba_stream_connect_nmbd(cupsd_t)
@@ -326,7 +387,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	snmp_read_snmp_var_lib_files(cupsd_t)
+	snmp_manage_var_lib_files(cupsd_t)
 ')
 
 optional_policy(`
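Review bot: `snmp_manage_var_lib_files(cupsd_t)` widens cupsd from read to full manage (create, write, unlink) of snmp's var_lib content, which is a much larger grant than the replaced read interface. If the real need is that the CUPS SNMP backend writes one specific file, a narrower interface or a comment naming the file that produced the denial would keep the grant reviewable. The same read-to-manage widening is applied to cyrus_t in the cyrus.te section of this diff.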
@@ -334,7 +395,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	virt_rw_all_image_chr_files(cupsd_t)
+	virt_rw_chr_files(cupsd_t)
+')
+
+optional_policy(`
+    vmware_read_system_config(cupsd_t)
 ')
 
 ########################################
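Review bot: `vmware_read_system_config(cupsd_t)` is indented with four spaces while every other `optional_policy` body in this file uses a tab; the same applies to `gnome_dontaudit_read_config(cupsd_config_t)` in a later hunk of this file. Use a tab in both places so the file stays consistent.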
@@ -342,12 +407,11 @@ optional_policy(`
 # Configuration daemon local policy
 #
 
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
 dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched signal_perms };
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_config_t self:tcp_socket { accept listen };
+allow cupsd_config_t self:process { getsched };
 
+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
 allow cupsd_config_t cupsd_t:process signal;
 ps_process_pattern(cupsd_config_t, cupsd_t)
 
@@ -370,20 +434,19 @@ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
 
 manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+manage_sock_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
 
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
 
 stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 
 can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+can_exec(cupsd_config_t, cupsd_exec_t)
 
 kernel_read_system_state(cupsd_config_t)
 kernel_read_all_sysctls(cupsd_config_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_config_t)
 corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_generic_if(cupsd_config_t)
 corenet_tcp_sendrecv_generic_node(cupsd_config_t)
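Review bot: `can_exec(cupsd_config_t, cupsd_exec_t)` sits alongside the `domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)` added in the previous hunk of this file, so the config daemon can run the cupsd binary both with and without the domain transition. If the intent is that it restarts cupsd in its own domain, the `can_exec` line should go; if it genuinely needs to run the binary without transitioning, a comment should say which invocation needs that, because the pairing otherwise reads as a leftover.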
@@ -392,20 +455,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
 corenet_sendrecv_all_client_packets(cupsd_config_t)
 corenet_tcp_connect_all_ports(cupsd_config_t)
 
-corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_shell(cupsd_config_t)
-
-dev_read_sysfs(cupsd_config_t)
-dev_read_urand(cupsd_config_t)
-dev_read_rand(cupsd_config_t)
 dev_rw_generic_usb_dev(cupsd_config_t)
 
 files_read_etc_runtime_files(cupsd_config_t)
-files_read_usr_files(cupsd_config_t)
 files_read_var_symlinks(cupsd_config_t)
 files_search_all_mountpoints(cupsd_config_t)
 
-fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
 
 domain_use_interactive_fds(cupsd_config_t)
@@ -417,11 +472,6 @@ auth_use_nsswitch(cupsd_config_t)
 
 logging_send_syslog_msg(cupsd_config_t)
 
-miscfiles_read_localization(cupsd_config_t)
-miscfiles_read_hwdata(cupsd_config_t)
-
-seutil_dontaudit_search_config(cupsd_config_t)
-
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 userdom_read_all_users_state(cupsd_config_t)
@@ -449,9 +499,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+    gnome_dontaudit_read_config(cupsd_config_t)
+')
+
+optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
-	hal_dontaudit_use_fds(hplip_t)
 ')
 
 optional_policy(`
@@ -467,6 +520,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	libs_exec_ldconfig(cupsd_config_t)
+')
+
+optional_policy(`
 	rpm_read_db(cupsd_config_t)
 ')
 
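Review bot: `libs_exec_ldconfig(cupsd_config_t)` is wrapped in `optional_policy`, but the same interface is called unconditionally for cupsd_t earlier in this file; libs is a base module, so the wrapper is unnecessary and the two call sites should use the same form. A comment on why the configuration daemon runs ldconfig at all would also help, since that is an unusual need for a print configuration tool.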
@@ -487,10 +544,6 @@ optional_policy(`
 # Lpd local policy
 #
 
-allow cupsd_lpd_t self:capability { setuid setgid };
-allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_lpd_t self:tcp_socket { accept listen };
 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
 allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +561,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 
 kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
-kernel_read_network_state(cupsd_lpd_t)
 
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
 corenet_all_recvfrom_netlabel(cupsd_lpd_t)
 corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
 corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
 
 corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
 corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
 
 corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +590,6 @@ auth_use_nsswitch(cupsd_lpd_t)
 
 logging_send_syslog_msg(cupsd_lpd_t)
 
-miscfiles_read_localization(cupsd_lpd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
 ')
@@ -550,7 +600,6 @@ optional_policy(`
 #
 
 allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
 
 append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +615,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
 
 kernel_read_system_state(cups_pdf_t)
 
-files_read_usr_files(cups_pdf_t)
-
-corecmd_exec_bin(cups_pdf_t)
-corecmd_exec_shell(cups_pdf_t)
-
 auth_use_nsswitch(cups_pdf_t)
 
-miscfiles_read_localization(cups_pdf_t)
-miscfiles_read_fonts(cups_pdf_t)
-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
 userdom_manage_user_home_content_dirs(cups_pdf_t)
 userdom_manage_user_home_content_files(cups_pdf_t)
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_filetrans_home_content(cups_pdf_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(cups_pdf_t)
 	fs_manage_nfs_files(cups_pdf_t)
 ')
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(cups_pdf_t)
-	fs_manage_cifs_files(cups_pdf_t)
-')
+userdom_home_manager(cups_pdf_t)
 
 optional_policy(`
-	lpd_manage_spool(cups_pdf_t)
+	gnome_read_config(cups_pdf_t)
 ')
 
-########################################
-#
-# HPLIP local policy
-#
-
-allow hplip_t self:capability { dac_override dac_read_search net_raw };
-dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process signal_perms;
-allow hplip_t self:tcp_socket { accept listen };
-allow hplip_t self:rawip_socket create_socket_perms;
-
-allow hplip_t cupsd_etc_t:dir search_dir_perms;
-
-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-allow hplip_t hplip_etc_t:file read_file_perms;
-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-
-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-
-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
-kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctls(hplip_t)
-
-corenet_all_recvfrom_unlabeled(hplip_t)
-corenet_all_recvfrom_netlabel(hplip_t)
-corenet_tcp_sendrecv_generic_if(hplip_t)
-corenet_udp_sendrecv_generic_if(hplip_t)
-corenet_raw_sendrecv_generic_if(hplip_t)
-corenet_tcp_sendrecv_generic_node(hplip_t)
-corenet_udp_sendrecv_generic_node(hplip_t)
-corenet_raw_sendrecv_generic_node(hplip_t)
-corenet_tcp_sendrecv_all_ports(hplip_t)
-corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_tcp_bind_generic_node(hplip_t)
-corenet_udp_bind_generic_node(hplip_t)
-
-corenet_sendrecv_hplip_client_packets(hplip_t)
-corenet_receive_hplip_server_packets(hplip_t)
-corenet_tcp_bind_hplip_port(hplip_t)
-corenet_tcp_connect_hplip_port(hplip_t)
-
-corenet_sendrecv_ipp_client_packets(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
-
-corenet_sendrecv_howl_server_packets(hplip_t)
-corenet_udp_bind_howl_port(hplip_t)
-
-corecmd_exec_bin(hplip_t)
-
-dev_read_sysfs(hplip_t)
-dev_rw_printer(hplip_t)
-dev_read_urand(hplip_t)
-dev_read_rand(hplip_t)
-dev_rw_generic_usb_dev(hplip_t)
-dev_rw_usbfs(hplip_t)
-
-domain_use_interactive_fds(hplip_t)
-
-files_read_etc_files(hplip_t)
-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-
-fs_getattr_all_fs(hplip_t)
-fs_search_auto_mountpoints(hplip_t)
-fs_rw_anon_inodefs_files(hplip_t)
-
-logging_send_syslog_msg(hplip_t)
-
-miscfiles_read_localization(hplip_t)
-
-sysnet_dns_name_resolve(hplip_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
-
-optional_policy(`
-	dbus_system_bus_client(hplip_t)
-
-	optional_policy(`
-		userdom_dbus_send_all_users(hplip_t)
-	')
-')
-
-optional_policy(`
-	lpd_read_config(hplip_t)
-	lpd_manage_spool(hplip_t)
-')
-
-optional_policy(`
-	seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
-	snmp_read_snmp_var_lib_files(hplip_t)
-')
-
-optional_policy(`
-	udev_read_db(hplip_t)
-')
 
 ########################################
 #
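Review bot: `userdom_home_manager(cups_pdf_t)` replaces the `use_samba_home_dirs` tunable block, yet the `use_nfs_home_dirs` block directly above it is kept; if userdom_home_manager already carries both home-directory tunables (which its name suggests, though the interface is not visible here), the remaining NFS block is redundant and should go for the same reason the CIFS one did. The whole HPLIP local policy is deleted from this file, which is only correct if it moved to its own module; note that the hplip port rules were re-added to cupsd_t earlier in this diff rather than to an hplip domain, so a maintainer should confirm the split is intentional.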
@@ -735,7 +659,6 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
 
-corenet_all_recvfrom_unlabeled(ptal_t)
 corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_generic_if(ptal_t)
 corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +668,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
 corenet_tcp_bind_ptal_port(ptal_t)
 corenet_tcp_sendrecv_ptal_port(ptal_t)
 
-dev_read_sysfs(ptal_t)
 dev_read_usbfs(ptal_t)
 dev_rw_printer(ptal_t)
 
 domain_use_interactive_fds(ptal_t)
 
-files_read_etc_files(ptal_t)
 files_read_etc_runtime_files(ptal_t)
 
 fs_getattr_all_fs(ptal_t)
@@ -759,8 +680,6 @@ fs_search_auto_mountpoints(ptal_t)
 
 logging_send_syslog_msg(ptal_t)
 
-miscfiles_read_localization(ptal_t)
-
 sysnet_read_config(ptal_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +692,4 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
+
diff --git a/cvs.fc b/cvs.fc
index 75c8be9..4c1a965 100644
--- a/cvs.fc
+++ b/cvs.fc
@@ -1,13 +1,16 @@
+HOME_DIR/\.cvsignore		--	gen_context(system_u:object_r:cvs_home_t,s0)
+/root/\.cvsignore		--	gen_context(system_u:object_r:cvs_home_t,s0)
+
 /etc/rc\.d/init\.d/cvs	--	gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
 
 /opt/cvs(/.*)?	gen_context(system_u:object_r:cvs_data_t,s0)
 
 /usr/bin/cvs	--	gen_context(system_u:object_r:cvs_exec_t,s0)
 
-/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/usr/share/cvsweb/cvsweb\.cgi	--	gen_context(system_u:object_r:cvs_script_exec_t,s0)
 
 /var/cvs(/.*)?	gen_context(system_u:object_r:cvs_data_t,s0)
 
 /var/run/cvs\.pid	--	gen_context(system_u:object_r:cvs_var_run_t,s0)
 
-/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0)
+/var/www/cgi-bin/cvsweb\.cgi	--	gen_context(system_u:object_r:cvs_script_exec_t,s0)
diff --git a/cvs.if b/cvs.if
index 64775fd..91a6056 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
 ## <summary>Concurrent versions system.</summary>
 
+######################################
+## <summary>
+##  Dontaudit Attempts to list the CVS data and metadata.
+## </summary>
+## <param name="domain">
+##  <summary>
+##	Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`cvs_dontaudit_list_data',`
+    gen_require(`
+        type cvs_data_t;
+    ')
+
+    dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read CVS data and metadata content.
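Review bot: the body of `cvs_dontaudit_list_data` is indented with four spaces, while the interfaces that follow in this file (`cvs_filetrans_home_content`, `cvs_admin`) use tabs; use tabs. The summary `Dontaudit Attempts to list the CVS data and metadata.` should read `Do not audit attempts to list CVS data and metadata.` to match the phrasing of the other summaries.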
@@ -41,6 +59,24 @@ interface(`cvs_exec',`
 
 ########################################
 ## <summary>
+##	Transition to cvs named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cvs_filetrans_home_content',`
+	gen_require(`
+		type cvs_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an cvs environment
 ## </summary>
@@ -60,11 +96,17 @@ interface(`cvs_admin',`
 	gen_require(`
 		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
 		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+		type cvs_home_t;
 	')
 
-	allow $1 cvs_t:process { ptrace signal_perms };
+	allow $1 cvs_t:process signal_perms;
 	ps_process_pattern($1, cvs_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cvs_t:process ptrace;
+	')
+
+	# Allow cvs_t to restart the apache service
 	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 cvs_initrc_exec_t system_r;
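Review bot: the comment `# Allow cvs_t to restart the apache service` does not describe the line beneath it: `init_labeled_script_domtrans($1, cvs_initrc_exec_t)` lets the admin domain (`$1`) run the cvs init script, and neither cvs_t nor apache is involved. Replace it with `# Allow the admin domain to run the cvs init script`, or drop it, since the surrounding lines are the standard admin-interface pattern.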
@@ -81,4 +123,7 @@ interface(`cvs_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, cvs_var_run_t)
+
+	userdom_search_user_home_dirs($1)
+	admin_pattern($1, cvs_home_t)
 ')
diff --git a/cvs.te b/cvs.te
index 0f77550..cd608bc 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
 ##	password files.
 ##	</p>
 ## </desc>
-gen_tunable(allow_cvs_read_shadow, false)
+gen_tunable(cvs_read_shadow, false)
 
 type cvs_t;
 type cvs_exec_t;
@@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t)
 type cvs_var_run_t;
 files_pid_file(cvs_var_run_t)
 
+type cvs_home_t;
+userdom_user_home_content(cvs_home_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow cvs_t self:tcp_socket { accept listen };
 
+userdom_search_user_home_dirs(cvs_t)
+allow cvs_t cvs_home_t:file read_file_perms;
+
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
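Review bot: `dac_override` and `dac_read_search` are now granted to cvs_t unconditionally, while the `cvs_read_shadow` tunable later in this file still grants `dac_override` conditionally; that conditional grant becomes dead, and cvs_t now holds a DAC-bypass capability even when the tunable is off. If the unconditional grant is driven by a specific denial, a comment naming the path would justify it; otherwise it belongs under the tunable. The new `userdom_search_user_home_dirs(cvs_t)` plus `cvs_home_t:file read_file_perms` pair is a reasonable way to reach `.cvsignore`.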
@@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
 corecmd_exec_bin(cvs_t)
 corecmd_exec_shell(cvs_t)
 
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+
 dev_read_urand(cvs_t)
 
 files_read_etc_runtime_files(cvs_t)
@@ -86,18 +101,16 @@ auth_use_nsswitch(cvs_t)
 
 init_read_utmp(cvs_t)
 
+init_dontaudit_read_utmp(cvs_t)
+
 logging_send_syslog_msg(cvs_t)
 logging_send_audit_msgs(cvs_t)
 
-miscfiles_read_localization(cvs_t)
-
 mta_send_mail(cvs_t)
 
-userdom_dontaudit_search_user_home_dirs(cvs_t)
-
 # cjp: typeattribute doesnt work in conditionals yet
 auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
+tunable_policy(`cvs_read_shadow',`
 	allow cvs_t self:capability dac_override;
 	auth_tunable_read_shadow(cvs_t)
 ')
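Review bot: `init_dontaudit_read_utmp(cvs_t)` is added two lines below the kept `init_read_utmp(cvs_t)`; a dontaudit on an access that is already allowed has no effect, so one of the two should go (keep the allow if cvs really reads utmp, otherwise replace it with the dontaudit). The rename to `cvs_read_shadow` here is consistent with the `gen_tunable` change earlier in this file.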
@@ -116,8 +129,10 @@ optional_policy(`
 
 optional_policy(`
 	apache_content_template(cvs)
+	apache_content_alias_template(cvs, cvs)
 
-	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
-	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t)
+	manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+	files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir })
 ')
diff --git a/cyphesis.te b/cyphesis.te
index 77ffc73..86e11f5 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
 corecmd_search_bin(cyphesis_t)
 corecmd_getattr_bin_files(cyphesis_t)
 
-corenet_all_recvfrom_unlabeled(cyphesis_t)
 corenet_tcp_sendrecv_generic_if(cyphesis_t)
 corenet_tcp_sendrecv_generic_node(cyphesis_t)
 corenet_tcp_bind_generic_node(cyphesis_t)
@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
 
 domain_use_interactive_fds(cyphesis_t)
 
-files_read_etc_files(cyphesis_t)
-files_read_usr_files(cyphesis_t)
 
 logging_send_syslog_msg(cyphesis_t)
 
-miscfiles_read_localization(cyphesis_t)
-
 sysnet_dns_name_resolve(cyphesis_t)
 
 optional_policy(`
diff --git a/cyrus.if b/cyrus.if
index 83bfda6..92d9fb2 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
 	manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
 ')
 
+#######################################
+## <summary>
+##  Allow write cyrus data files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`cyrus_write_data',`
+    gen_require(`
+        type cyrus_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Connect to Cyrus using a unix
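Review bot: `cyrus_write_data` is indented with four spaces while `cyrus_manage_data` directly above it uses tabs; use tabs. The summary `Allow write cyrus data files.` should read `Write cyrus data files.` to match the other summaries, and the header rule above it appears one `#` shorter than the standard-width header used below.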
@@ -64,9 +83,13 @@ interface(`cyrus_admin',`
 		type cyrus_keytab_t;
 	')
 
-	allow $1 cyrus_t:process { ptrace signal_perms };
+	allow $1 cyrus_t:process signal_perms;
 	ps_process_pattern($1, cyrus_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cyrus_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
index 4283f2d..21a3620 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
 # Local policy
 #
 
-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
 dontaudit cyrus_t self:capability sys_tty_config;
 allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow cyrus_t self:process setrlimit;
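Review bot: `fsetid` and `net_bind_service` are added to cyrus_t's capability set without a comment; `net_bind_service` follows from the privileged-port binds added in the next hunks, but nothing in this diff explains `fsetid`. A short comment naming the operation that needed it, e.g. `# fsetid: <operation placeholder>`, would keep the grant reviewable.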
@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)
 
-corenet_all_recvfrom_unlabeled(cyrus_t)
 corenet_all_recvfrom_netlabel(cyrus_t)
 corenet_tcp_sendrecv_generic_if(cyrus_t)
 corenet_tcp_sendrecv_generic_node(cyrus_t)
 corenet_tcp_sendrecv_all_ports(cyrus_t)
 corenet_tcp_bind_generic_node(cyrus_t)
+corenet_tcp_bind_cyrus_imapd_port(cyrus_t)
 
 corenet_sendrecv_mail_server_packets(cyrus_t)
 corenet_tcp_bind_mail_port(cyrus_t)
@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
 corenet_sendrecv_lmtp_server_packets(cyrus_t)
 corenet_tcp_bind_lmtp_port(cyrus_t)
 
+corenet_sendrecv_innd_server_packets(cyrus_t)
+corenet_tcp_bind_innd_port(cyrus_t)
+
 corenet_sendrecv_pop_server_packets(cyrus_t)
 corenet_tcp_bind_pop_port(cyrus_t)
 
@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t)
 
 files_list_var_lib(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
-files_read_usr_files(cyrus_t)
-files_dontaudit_write_usr_dirs(cyrus_t)
 
 fs_getattr_all_fs(cyrus_t)
 fs_search_auto_mountpoints(cyrus_t)
@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t)
 
 logging_send_syslog_msg(cyrus_t)
 
-miscfiles_read_localization(cyrus_t)
 miscfiles_read_generic_certs(cyrus_t)
 
 userdom_use_unpriv_users_fds(cyrus_t)
@@ -121,6 +121,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dirsrv_stream_connect(cyrus_t)
+')
+
+optional_policy(`
 	kerberos_read_keytab(cyrus_t)
 	kerberos_use(cyrus_t)
 ')
@@ -134,8 +138,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	snmp_read_snmp_var_lib_files(cyrus_t)
-	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+	files_dontaudit_write_usr_dirs(cyrus_t)
+    snmp_manage_var_lib_files(cyrus_t)
 	snmp_stream_connect(cyrus_t)
 ')
 
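Review bot: `files_dontaudit_write_usr_dirs(cyrus_t)` is moved from the unconditional rules into the snmp `optional_policy` block, but it is a base-module files interface and should not depend on whether snmp is loaded; keep it outside the block. The block also now mixes a tab-indented line with a four-space-indented `snmp_manage_var_lib_files(cyrus_t)`; use a tab.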
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0..6c8106a 100644
--- a/daemontools.if
+++ b/daemontools.if
@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',`
 	allow $1 svc_svc_t:file manage_file_perms;
 	allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
 ')
+
diff --git a/daemontools.te b/daemontools.te
index ee1b4aa..2fd746e 100644
--- a/daemontools.te
+++ b/daemontools.te
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
 allow svc_multilog_t svc_start_t:fd use;
 allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
 
+term_write_console(svc_multilog_t)
+
 init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
 
 logging_manage_generic_logs(svc_multilog_t)
 
@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t)
 corecmd_exec_bin(svc_run_t)
 corecmd_exec_shell(svc_run_t)
 
-files_read_etc_files(svc_run_t)
+term_write_console(svc_run_t)
+
 files_read_etc_runtime_files(svc_run_t)
 files_search_pids(svc_run_t)
 files_search_var_lib(svc_run_t)
@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
 
 can_exec(svc_start_t, svc_start_exec_t)
 
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
 domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
 
 kernel_read_kernel_sysctls(svc_start_t)
@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t)
 corecmd_exec_bin(svc_start_t)
 corecmd_exec_shell(svc_start_t)
 
-files_read_etc_files(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
 files_read_etc_runtime_files(svc_start_t)
 files_search_var(svc_start_t)
 files_search_pids(svc_start_t)
 
 logging_send_syslog_msg(svc_start_t)
-
-miscfiles_read_localization(svc_start_t)
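Review bot: `corenet_tcp_bind_generic_node(svc_start_t)` and `corenet_tcp_bind_generic_port(svc_start_t)` let the service-start domain bind any generic port, which is broad for a supervisor whose role here is to transition into `svc_run_t`. If a particular supervised program listens from this domain, a comment naming it would justify the grant; otherwise the bind belongs in that program's own domain. The `files_read_etc_files` removals here and in the previous hunk presumably rely on that access now being provided elsewhere, which is not visible in this diff.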
diff --git a/dante.te b/dante.te
index 5a5e290..6321a1d 100644
--- a/dante.te
+++ b/dante.te
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
 
 domain_use_interactive_fds(dante_t)
 
-files_read_etc_files(dante_t)
 files_read_etc_runtime_files(dante_t)
 
 fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
index b60c464..3a5246a 100644
--- a/dbadm.te
+++ b/dbadm.te
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
 
 role dbadm_r;
 
-userdom_base_user_template(dbadm)
+userdom_confined_admin_template(dbadm)
 
 ########################################
 #
 # Local policy
 #
 
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_override dac_read_search };
 
 files_dontaudit_search_all_dirs(dbadm_t)
 files_delete_generic_locks(dbadm_t)
@@ -39,6 +39,7 @@ files_list_var(dbadm_t)
 selinux_get_enforce_mode(dbadm_t)
 
 logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
 
 userdom_dontaudit_search_user_home_dirs(dbadm_t)
 
@@ -60,3 +61,7 @@ optional_policy(`
 optional_policy(`
 	postgresql_admin(dbadm_t, dbadm_r)
 ')
+
+optional_policy(`
+	sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/dbskk.te b/dbskk.te
index f55c420..e9d64ab 100644
--- a/dbskk.te
+++ b/dbskk.te
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)
 kernel_read_network_state(dbskkd_t)
 
-corenet_all_recvfrom_unlabeled(dbskkd_t)
 corenet_all_recvfrom_netlabel(dbskkd_t)
 corenet_tcp_sendrecv_generic_if(dbskkd_t)
 corenet_udp_sendrecv_generic_if(dbskkd_t)
@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t)
 
 fs_getattr_xattr_fs(dbskkd_t)
 
-files_read_etc_files(dbskkd_t)
 
 auth_use_nsswitch(dbskkd_t)
 
 logging_send_syslog_msg(dbskkd_t)
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
index dda905b..5587295 100644
--- a/dbus.fc
+++ b/dbus.fc
@@ -1,20 +1,29 @@
-HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
 
-/etc/dbus-.*(/.*)?	gen_context(system_u:object_r:dbusd_etc_t,s0)
+/bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/bin/dbus-daemon	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_redhat',`
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/libexec/dbus-1/dbus-daemon-launch-helper   --  gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/usr/bin/dbus-daemon(-1)?	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
-/usr/lib/dbus-.*/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/usr/libexec/dbus-daemon-launch-helper	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
 
-/var/lib/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+/var/cache/ibus(/.*)?     gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 
-/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-/var/run/messagebus\.pid	--	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+/var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 
+ifdef(`distro_redhat',`
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
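Review bot: the `/var/run/messagebus\.pid` entry is deleted and the remaining `/var/run/dbus(/.*)?` pattern does not match that path, so the pid file will fall back to the generic `/var/run` label unless a rule elsewhere covers it. `/var/cache/ibus(/.*)?` is labeled `system_dbusd_var_lib_t` in the dbus file contexts; if that is deliberate, a comment stating why an ibus cache shares the dbus var_lib type would help the next reader. The `HOME_DIR/\.dbus` removal is consistent with `session_dbusd_home_t` being dropped from dbus.if in this diff.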
diff --git a/dbus.if b/dbus.if
index 62d22cb..f8ab4af 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
-## <summary>Desktop messaging bus.</summary>
+## <summary>Desktop messaging bus</summary>
 
 ########################################
 ## <summary>
@@ -19,7 +19,24 @@ interface(`dbus_stub',`
 
 ########################################
 ## <summary>
-##	Role access for dbus.
+##	Execute dbus-daemon in the caller domain.
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`dbus_exec_dbusd',`
+	gen_require(`
+        type dbusd_exec_t;
+	')
+    can_exec($1, dbusd_exec_t)
+')
+
+########################################
+## <summary>
+##	Role access for dbus
 ## </summary>
 ## <param name="role_prefix">
 ##	<summary>
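Review bot: `<param name="domain" unused="true">` is wrong for `dbus_exec_dbusd`: the body uses `$1` in `can_exec($1, dbusd_exec_t)`, so the parameter is not unused; drop `unused="true"`. The `type dbusd_exec_t;` line and the `can_exec` call are indented with spaces inside an otherwise tab-indented interface; match the file's tabs.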
@@ -41,59 +58,68 @@ interface(`dbus_stub',`
 template(`dbus_role_template',`
 	gen_require(`
 		class dbus { send_msg acquire_svc };
-		attribute session_bus_type;
-		type system_dbusd_t, dbusd_exec_t;
-		type session_dbusd_tmp_t, session_dbusd_home_t;
+		attribute dbusd_unconfined, session_bus_type;
+		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+		type $1_t;
 	')
 
 	##############################
 	#
-	# Declarations
+	# Delcarations
 	#
 
 	type $1_dbusd_t, session_bus_type;
-	domain_type($1_dbusd_t)
-	domain_entry_file($1_dbusd_t, dbusd_exec_t)
+	application_domain($1_dbusd_t, dbusd_exec_t)
 	ubac_constrained($1_dbusd_t)
-
 	role $2 types $1_dbusd_t;
 
+	kernel_read_system_state($1_dbusd_t)
+
+	selinux_get_fs_mount($1_dbusd_t)
+
+	userdom_home_manager($1_dbusd_t)
+
 	##############################
 	#
 	# Local policy
 	#
 
-	allow $3 $1_dbusd_t:unix_stream_socket connectto;
-	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
-	allow $3 $1_dbusd_t:fd use;
-	
-	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+	# For connecting to the bus
+	allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };
 
-	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
-	userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
+	# SE-DBus specific permissions
+	allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
 
 	ps_process_pattern($3, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { ptrace signal_perms };
+	allow $3 $1_dbusd_t:process signal_perms;
 
-	allow $1_dbusd_t $3:process sigkill;
+	tunable_policy(`deny_ptrace',`',`
+		allow $3 $1_dbusd_t:process ptrace;
+	')
 
-	corecmd_bin_domtrans($1_dbusd_t, $3)
-	corecmd_shell_domtrans($1_dbusd_t, $3)
+	# cjp: this seems very broken
+	corecmd_bin_domtrans($1_dbusd_t, $1_t)
+	corecmd_shell_domtrans($1_dbusd_t, $1_t)
+	allow $1_dbusd_t $3:process sigkill;
+	allow $3 $1_dbusd_t:fd use;
+	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
 
 	auth_use_nsswitch($1_dbusd_t)
 
-	ifdef(`hide_broken_symptoms',`
-		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+	logging_send_syslog_msg($1_dbusd_t)
+
+	optional_policy(`
+		mozilla_domtrans_spec($1_dbusd_t, $1_t)
 	')
 ')
 
 #######################################
 ## <summary>
 ##	Template for creating connections to
-##	the system bus.
+##	the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
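Review bot: the comment header is changed from `# Declarations` to `# Delcarations`, introducing a typo; restore `# Declarations`. The `# cjp: this seems very broken` note above `corecmd_bin_domtrans($1_dbusd_t, $1_t)` flags the transition as questionable without saying what is wrong or what the intended behaviour is; either fix it or expand the comment so a future reader knows what to look at. The new `type $1_t;` in `gen_require` also means callers must declare `$1_t` before invoking the template, which the template's documentation (above this hunk) does not mention.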
@@ -103,91 +129,88 @@ template(`dbus_role_template',`
 #
 interface(`dbus_system_bus_client',`
 	gen_require(`
-		attribute dbusd_system_bus_client;
-		type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
+		type system_dbusd_t, system_dbusd_t;
+		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
+		attribute dbusd_unconfined;
 	')
 
-	typeattribute $1 dbusd_system_bus_client;
-
+	# SE-DBus specific permissions
 	allow $1 { system_dbusd_t self }:dbus send_msg;
-	allow system_dbusd_t $1:dbus send_msg;
+	allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
 
-	files_search_var_lib($1)
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	files_search_var_lib($1)
+
+	dev_read_urand($1)
 
+	# For connecting to the bus
 	files_search_pids($1)
 	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
-
 	dbus_read_config($1)
+
+    optional_policy(`
+        unconfined_server_dbus_chat($1)
+    ')
 ')
 
 #######################################
 ## <summary>
-##	Acquire service on DBUS
-##	session bus.
+##	Creating connections to specified
+##	DBUS sessions.
 ## </summary>
-## <param name="domain">
+## <param name="role_prefix">
 ##	<summary>
-##	Domain allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-#
-interface(`dbus_connect_session_bus',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
-	dbus_connect_all_session_bus($1)
-')
-
-#######################################
-## <summary>
-##	Acquire service on all DBUS
-##	session busses.
-## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_all_session_bus',`
+interface(`dbus_session_client',`
 	gen_require(`
-		attribute session_bus_type;
-		class dbus acquire_svc;
+		class dbus send_msg;
+		type $1_dbusd_t;
 	')
 
-	allow $1 session_bus_type:dbus acquire_svc;
+	allow $2 $1_dbusd_t:fd use;
+	allow $2 { $1_dbusd_t self }:dbus send_msg;
+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
 ')
 
 #######################################
 ## <summary>
-##	Acquire service on specified
-##	DBUS session bus.
+##	Template for creating connections to
+##	a user DBUS.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_spec_session_bus',`
+interface(`dbus_session_bus_client',`
 	gen_require(`
-		type $1_dbusd_t;
-		class dbus acquire_svc;
+		attribute session_bus_type;
+		class dbus send_msg;
 	')
 
-	allow $2 $1_dbusd_t:dbus acquire_svc;
+	# SE-DBus specific permissions
+	allow $1 { session_bus_type self }:dbus send_msg;
+
+	# For connecting to the bus
+	allow $1 session_bus_type:unix_stream_socket connectto;
+
+	allow session_bus_type $1:process sigkill;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to DBUS
-##	session bus.
+##	Send a message the session DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
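Review bot: The gen_require of dbus_system_bus_client lists `type system_dbusd_t, system_dbusd_t;`, so the second name is a duplicate that should be dropped or, if another type was meant, corrected. Further down, dbus_session_bus_client adds `allow session_bus_type $1:process sigkill;`, which lets every session bus kill any client domain that calls this interface; if that is needed for session teardown, a one-line comment saying so keeps it from being read as an accidental grant. The doc header above dbus_session_bus_client reads "Template for creating connections to a user DBUS" although the definition is an `interface(...)` taking a single domain, and the trailing optional_policy block in dbus_system_bus_client is indented with spaces while the rest of the file uses tabs.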
@@ -195,15 +218,18 @@ interface(`dbus_connect_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_session_bus_client',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
-	dbus_all_session_bus_client($1)
+interface(`dbus_send_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+		class dbus send_msg;
+	')
+
+	allow $1 session_bus_type:dbus send_msg;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to all
-##	DBUS session busses.
+##	Read dbus configuration.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -211,57 +237,39 @@ interface(`dbus_session_bus_client',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_all_session_bus_client',`
+interface(`dbus_read_config',`
 	gen_require(`
-		attribute session_bus_type, dbusd_session_bus_client;
-		class dbus send_msg;
+		type dbusd_etc_t;
 	')
 
-	typeattribute $1 dbusd_session_bus_client;
-
-	allow $1 { session_bus_type self }:dbus send_msg;
-	allow session_bus_type $1:dbus send_msg;
-	
-	allow $1 session_bus_type:unix_stream_socket connectto;
-	allow $1 session_bus_type:fd use;
+	allow $1 dbusd_etc_t:dir list_dir_perms;
+	allow $1 dbusd_etc_t:file read_file_perms;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Creating connections to specified
-##	DBUS session bus.
+##	Read system dbus lib files.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_spec_session_bus_client',`
+interface(`dbus_read_lib_files',`
 	gen_require(`
-		attribute dbusd_session_bus_client;
-		type $1_dbusd_t;
-		class dbus send_msg;
+		type system_dbusd_var_lib_t;
 	')
 
-	typeattribute $2 dbusd_session_bus_client;
-
-	allow $2 { $1_dbusd_t self }:dbus send_msg;
-	allow $1_dbusd_t $2:dbus send_msg;
-
-	allow $2 $1_dbusd_t:unix_stream_socket connectto;
-	allow $2 $1_dbusd_t:fd use;
+	files_search_var_lib($1)
+	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to DBUS session bus.
+##	Create, read, write, and delete
+##	system dbus lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -269,15 +277,19 @@ interface(`dbus_spec_session_bus_client',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_session_bus',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
-	dbus_send_all_session_bus($1)
+interface(`dbus_manage_lib_files',`
+	gen_require(`
+		type system_dbusd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to all DBUS
-##	session busses.
+##	Connect to the system DBUS
+##	for service (acquire_svc).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -285,44 +297,52 @@ interface(`dbus_send_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_all_session_bus',`
+interface(`dbus_connect_session_bus',`
 	gen_require(`
 		attribute session_bus_type;
-		class dbus send_msg;
+		class dbus acquire_svc;
 	')
 
-	allow $1 dbus_session_bus_type:dbus send_msg;
+	allow $1 session_bus_type:dbus acquire_svc;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Send messages to specified
-##	DBUS session busses.
+##	Allow a application domain to be started
+##	by the session dbus.
 ## </summary>
-## <param name="role_prefix">
+## <param name="domain_prefix">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	User domain prefix to be used.
 ##	</summary>
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an
+##	entry point to this domain.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_spec_session_bus',`
+interface(`dbus_session_domain',`
 	gen_require(`
 		type $1_dbusd_t;
-		class dbus send_msg;
 	')
 
-	allow $2 $1_dbusd_t:dbus send_msg;
+	domtrans_pattern($1_dbusd_t, $2, $3)
+
+	dbus_session_bus_client($3)
+	dbus_connect_session_bus($3)
 ')
 
 ########################################
 ## <summary>
-##	Read dbus configuration content.
+##	Connect to the system DBUS
+##	for service (acquire_svc).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
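Review bot: The summary for dbus_connect_session_bus says "Connect to the system DBUS for service (acquire_svc)" while the body grants `allow $1 session_bus_type:dbus acquire_svc;`, so the text names the wrong bus; the identical summary is reused for dbus_connect_system_bus in the next hunk, where it is correct. Suggest `##	Connect to the session DBUS` / `##	for service (acquire_svc).` here. In the dbus_session_domain header, "Allow a application domain" should read "an application domain".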
@@ -330,18 +350,18 @@ interface(`dbus_send_spec_session_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_read_config',`
+interface(`dbus_connect_system_bus',`
 	gen_require(`
-		type dbusd_etc_t;
+		type system_dbusd_t;
+		class dbus acquire_svc;
 	')
 
-	allow $1 dbusd_etc_t:dir list_dir_perms;
-	allow $1 dbusd_etc_t:file read_file_perms;
+	allow $1 system_dbusd_t:dbus acquire_svc;
 ')
 
 ########################################
 ## <summary>
-##	Read system dbus lib files.
+##	Send a message on the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -349,20 +369,18 @@ interface(`dbus_read_config',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_read_lib_files',`
+interface(`dbus_send_system_bus',`
 	gen_require(`
-		type system_dbusd_var_lib_t;
+		type system_dbusd_t;
+		class dbus send_msg;
 	')
 
-	files_search_var_lib($1)
-	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	allow $1 system_dbusd_t:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	system dbus lib files.
+##	Allow unconfined access to the system DBUS.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -370,26 +388,20 @@ interface(`dbus_read_lib_files',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_manage_lib_files',`
+interface(`dbus_system_bus_unconfined',`
 	gen_require(`
-		type system_dbusd_var_lib_t;
+		type system_dbusd_t;
+		class dbus all_dbus_perms;
 	')
 
-	files_search_var_lib($1)
-	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	allow $1 system_dbusd_t:dbus *;
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Create a domain for processes
+##	which can be started by the system dbus
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
@@ -397,81 +409,67 @@ interface(`dbus_manage_lib_files',`
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Type of the program to be used as an entry point to this domain.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_session_domain',`
-	refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
-	dbus_all_session_domain($1, $2)
+interface(`dbus_system_domain',`
+	gen_require(`
+		attribute system_bus_type;
+		type system_dbusd_t;
+		role system_r;
+	')
+	typeattribute $1  system_bus_type;
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	domtrans_pattern(system_dbusd_t, $2, $1)
+	init_system_domain($1, $2)
+
+	ps_process_pattern($1, system_dbusd_t)
+
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Use and inherit system DBUS file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_all_session_domain',`
+interface(`dbus_use_system_bus_fds',`
 	gen_require(`
-		type session_bus_type;
+		type system_dbusd_t;
 	')
 
-	domtrans_pattern(session_bus_type, $2, $1)
-
-	dbus_all_session_bus_client($1)
-	dbus_connect_all_session_bus($1)
+	allow $1 system_dbusd_t:fd use;
 ')
 
 ########################################
 ## <summary>
-##	Allow a application domain to be
-##	started by the specified session bus.
+##	Allow unconfined access to the system DBUS.
 ## </summary>
-## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
-##	</summary>
-## </param>
-## <param name="entry_point">
-##	<summary>
-##	Type of the program to be used as an
-##	entry point to this domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_spec_session_domain',`
+interface(`dbus_unconfined',`
 	gen_require(`
-		type $1_dbusd_t;
+		attribute dbusd_unconfined;
 	')
 
-	domtrans_pattern($1_dbusd_t, $2, $3)
-
-	dbus_spec_session_bus_client($1, $2)
-	dbus_connect_spec_session_bus($1, $2)
+	typeattribute $1 dbusd_unconfined;
 ')
 
 ########################################
 ## <summary>
-##	Acquire service on the DBUS system bus.
+##	Delete all dbus pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
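Review bot: dbus_system_domain now calls `init_system_domain($1, $2)` in addition to the domtrans from system_dbusd_t, so init can enter the domain through the same entry point as the bus; that is a wider set of starters than the removed body allowed and deserves a comment stating it is intended. The client and acquire_svc grants the old body gave to $1 are no longer here and appear to be supplied through the system_bus_type attribute in dbus.te, which a reader of the interface alone cannot see; a one-line comment pointing there would help. `ps_process_pattern($1, system_dbusd_t)` also reverses the direction of the removed rule, letting the new domain read the bus daemon's process state rather than the other way round. Style only: the double space in `typeattribute $1  system_bus_type;` and the blank line before the closing `')`.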
@@ -479,18 +477,18 @@ interface(`dbus_spec_session_domain',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_connect_system_bus',`
+interface(`dbus_delete_pid_files',`
 	gen_require(`
-		type system_dbusd_t;
-		class dbus acquire_svc;
+		type system_dbusd_var_run_t;
 	')
 
-	allow $1 system_dbusd_t:dbus acquire_svc;
+	files_search_pids($1)
+	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Send messages to the DBUS system bus.
+##	Read all dbus pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -498,98 +496,100 @@ interface(`dbus_connect_system_bus',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_send_system_bus',`
+interface(`dbus_read_pid_files',`
 	gen_require(`
-		type system_dbusd_t;
-		class dbus send_msg;
+		type system_dbusd_var_run_t;
 	')
 
-	allow $1 system_dbusd_t:dbus send_msg;
+	files_search_pids($1)
+	read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-##	Unconfined access to DBUS system bus.
+##	Do not audit attempts to connect to
+##	session bus types with a unix
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_system_bus_unconfined',`
+interface(`dbus_dontaudit_stream_connect_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
-		class dbus all_dbus_perms;
+		attribute session_bus_type;
 	')
 
-	allow $1 system_dbusd_t:dbus *;
+	dontaudit $1 session_bus_type:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Create a domain for processes which
-##	can be started by the DBUS system bus.
+##	Allow attempts to connect to
+##	session bus types with a unix
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Type to be used as a domain.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
-## <param name="entry_point">
+#
+interface(`dbus_stream_connect_session_bus',`
+	gen_require(`
+		attribute session_bus_type;
+	')
+
+	allow $1 session_bus_type:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send dbus
+##	messages to session bus types.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Type of the program to be used as an entry point to this domain.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_system_domain',`
+interface(`dbus_chat_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
-		role system_r;
+		attribute session_bus_type;
+		class dbus send_msg;
 	')
 
-	domain_type($1)
-	domain_entry_file($1, $2)
-
-	role system_r types $1;
-
-	domtrans_pattern(system_dbusd_t, $2, $1)
-
-	dbus_system_bus_client($1)
-	dbus_connect_system_bus($1)
-
-	ps_process_pattern(system_dbusd_t, $1)
-
-	userdom_read_all_users_state($1)
-
-	ifdef(`hide_broken_symptoms', `
-		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-	')
+	allow $1 session_bus_type:dbus send_msg;
+	allow session_bus_type $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Use and inherit DBUS system bus
-##	file descriptors.
+##	Do not audit attempts to send dbus
+##	messages to session bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_use_system_bus_fds',`
+interface(`dbus_dontaudit_chat_session_bus',`
 	gen_require(`
-		type system_dbusd_t;
+		attribute session_bus_type;
+		class dbus send_msg;
 	')
 
-	allow $1 system_dbusd_t:fd use;
+	dontaudit $1 session_bus_type:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write DBUS system bus TCP sockets.
+##	Do not audit attempts to send dbus
+##	messages to system bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
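Review bot: Two headers in this hunk describe the wrong behaviour: dbus_stream_connect_session_bus is an `allow` interface but its parameter is documented as "Domain to not audit", and dbus_chat_session_bus's summary says "Do not audit attempts to send dbus messages to session bus types" although its body is a pair of `allow ... send_msg` rules in both directions. Suggest `##	Send and receive dbus messages` / `##	to and from session bus types.` for that summary and `##	Domain allowed access.` for the parameter of both. The same "Domain to not audit" copy-paste appears on dbus_chat_system_bus in the next hunk. These headers are what policy authors read when choosing between a one-way send and a bidirectional chat grant, so the mismatch is more than cosmetic.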
@@ -597,28 +597,50 @@ interface(`dbus_use_system_bus_fds',`
 ##	</summary>
 ## </param>
 #
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+interface(`dbus_dontaudit_chat_system_bus',`
 	gen_require(`
-		type system_dbusd_t;
+		attribute system_bus_type;
+		class dbus send_msg;
 	')
 
-	dontaudit $1 system_dbusd_t:tcp_socket { read write };
+	dontaudit $1 system_bus_type:dbus send_msg;
+	dontaudit system_bus_type $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Unconfined access to DBUS.
+##	Allow attempts to send dbus
+##	messages to system bus types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`dbus_unconfined',`
+interface(`dbus_chat_system_bus',`
 	gen_require(`
-		attribute dbusd_unconfined;
+		attribute system_bus_type;
+		class dbus send_msg;
 	')
 
-	typeattribute $1 dbusd_unconfined;
+	allow $1 system_bus_type:dbus send_msg;
+	allow system_bus_type $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+##      Transition to dbus named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dbus_filetrans_named_content_system',`
+    gen_require(`
+        type system_dbusd_var_lib_t;
+    ')
+    files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
 ')
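Review bot: dbus_filetrans_named_content_system is indented with four spaces and its doc block uses spaces after `##`, unlike every other interface in the file, and it lacks the blank line after `gen_require` that the others have. The summary "Transition to dbus named content" does not say where the transition applies; with `files_var_filetrans` the "ibus" entry is created directly under the generic var directory and labeled system_dbusd_var_lib_t, which the header should state. Suggest `##	Create the "ibus" directory under the` / `##	generic var directory as system_dbusd_var_lib_t.`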
diff --git a/dbus.te b/dbus.te
index c9998c8..44c6283 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
 	class dbus all_dbus_perms;
 ')
 
-########################################
+##############################
 #
-# Declarations
+# Delcarations
 #
 
 attribute dbusd_unconfined;
+attribute system_bus_type;
 attribute session_bus_type;
 
-attribute dbusd_system_bus_client;
-attribute dbusd_session_bus_client;
-
 type dbusd_etc_t;
 files_config_file(dbusd_etc_t)
 
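Review bot: The rewritten section banner introduces a typo, `# Delcarations`; the removed line had `# Declarations` spelled correctly, so this is a regression from the reformat. The banner also shrinks from 40 to 30 `#` characters while other section banners later in this file keep 40, leaving the file inconsistent with itself.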
@@ -22,9 +20,6 @@ type dbusd_exec_t;
 corecmd_executable_file(dbusd_exec_t)
 typealias dbusd_exec_t alias system_dbusd_exec_t;
 
-type session_dbusd_home_t;
-userdom_user_home_content(session_dbusd_home_t)
-
 type session_dbusd_tmp_t;
 typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
 typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
 
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
+init_sock_file(system_dbusd_var_run_t)
+mls_trusted_object(system_dbusd_var_run_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
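Review bot: Dropping `init_daemon_run_dir(system_dbusd_var_run_t, "dbus")` removes the rule that labels the runtime directory when init creates it, and nothing added in this hunk replaces that transition; unless the directory is created by the daemon itself or labeled by another mechanism elsewhere in the policy set, it may end up with the generic pid-directory label and the stream_connect rules in dbus.if would not match. Worth confirming before merge, or noting in a comment where the labeling now comes from. `mls_trusted_object` on the run type is a meaningful widening on MLS systems and would benefit from a one-line justification.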
@@ -51,59 +47,62 @@ ifdef(`enable_mls',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
 ')
 
-########################################
+##############################
 #
-# Local policy
+# System bus local policy
 #
 
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
+allow system_dbusd_t self:capability2 block_suspend;
 allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+# Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
+can_exec(system_dbusd_t, dbusd_exec_t)
+
 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 
 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 
 manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
-
-can_exec(system_dbusd_t, dbusd_exec_t)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
 
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
-
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_shell(system_dbusd_t)
+kernel_stream_connect(system_dbusd_t)
 
 dev_read_urand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
 
-domain_use_interactive_fds(system_dbusd_t)
-domain_read_all_domains_state(system_dbusd_t)
+dev_rw_inherited_input_dev(system_dbusd_t)
+dev_rw_inherited_dri(system_dbusd_t)
 
-files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+files_rw_inherited_non_security_files(system_dbusd_t)
 
 fs_getattr_all_fs(system_dbusd_t)
 fs_list_inotifyfs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
-fs_search_cgroup_dirs(system_dbusd_t)
 fs_dontaudit_list_nfs(system_dbusd_t)
 
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
+storage_rw_inherited_removable_device(system_dbusd_t)
+
+mls_trusted_object(system_dbusd_t)
 mls_fd_use_all_levels(system_dbusd_t)
 mls_rangetrans_target(system_dbusd_t)
 mls_file_read_all_levels(system_dbusd_t)
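Review bot: The new rule `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };` lists `connectto` twice; drop the trailing one. The comment explaining `dac_override` is now separated from the capability rule it describes by the inserted `capability2 block_suspend` line, so either move that line below the capability rule or move the comment down with it. The added `files_rw_inherited_non_security_files`, `storage_rw_inherited_*` and `dev_rw_inherited_*` calls give the bus daemon read/write on inherited descriptors to disks, removable devices, input and DRI devices; if these arise from descriptors leaked into the daemon by activated services, a comment naming the triggering case would let reviewers judge whether a dontaudit is the safer fix.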
@@ -123,66 +122,170 @@ term_dontaudit_use_console(system_dbusd_t)
 auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
+corecmd_list_bin(system_dbusd_t)
+corecmd_read_bin_pipes(system_dbusd_t)
+corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t)
+corecmd_exec_bin(system_dbusd_t)
+
+domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
+
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
-init_all_labeled_script_domtrans(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
 
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
-miscfiles_read_localization(system_dbusd_t)
 miscfiles_read_generic_certs(system_dbusd_t)
 
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
+seutil_sigchld_newrole(system_dbusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 
+userdom_home_reader(system_dbusd_t)
+
+optional_policy(`
+	bind_domtrans(system_dbusd_t)
+')
+
 optional_policy(`
 	bluetooth_stream_connect(system_dbusd_t)
 ')
 
 optional_policy(`
-	policykit_read_lib(system_dbusd_t)
+	cpufreqselector_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+	getty_start_services(system_dbusd_t)
+')
+
+optional_policy(`
+	gnome_exec_gconf(system_dbusd_t)
+	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
+
+optional_policy(`
+    nis_use_ypbind(system_dbusd_t)
+')
+
+optional_policy(`
+	networkmanager_initrc_domtrans(system_dbusd_t)
+	networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(system_dbusd_t)
+	policykit_domtrans_auth(system_dbusd_t)
+	policykit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
+    snapper_read_inherited_pipe(system_dbusd_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_dhcpc(system_dbusd_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(system_dbusd_t)
+	systemd_use_fds_logind(system_dbusd_t)
+	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+	systemd_write_inhibit_pipes(system_dbusd_t)
+# These are caused by broken systemd patch
+	systemd_start_power_services(system_dbusd_t)
+	systemd_config_all_services(system_dbusd_t)
+	files_config_all_files(system_dbusd_t)
 ')
 
 optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
 
+optional_policy(`
+	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+	xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
+
+optional_policy(`
+    unconfined_server_domtrans(system_dbusd_t)
+')
+
 ########################################
 #
-# Common session bus local policy
+# system_bus_type rules
 #
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
+
+allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
+
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
+dbus_connect_system_bus(system_bus_type)
+
+init_status(system_bus_type)
+init_stream_connect(system_bus_type)
+init_dgram_send(system_bus_type)
+init_use_fds(system_bus_type)
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
+	abrt_stream_connect(system_bus_type)
+')
+
+optional_policy(`
+	rpm_script_dbus_chat(system_bus_type)
+')
+
+optional_policy(`
+	unconfined_dbus_send(system_bus_type)
+')
+
+ifdef(`hide_broken_symptoms',`
+	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
 
+########################################
+#
+# session_bus_type rules
+#
+allow session_bus_type self:capability2 block_suspend;
 dontaudit session_bus_type self:capability sys_resource;
 allow session_bus_type self:process { getattr sigkill signal };
-dontaudit session_bus_type self:process { ptrace setrlimit };
+dontaudit session_bus_type self:process setrlimit;
 allow session_bus_type self:file { getattr read write };
 allow session_bus_type self:fifo_file rw_fifo_file_perms;
 allow session_bus_type self:dbus { send_msg acquire_svc };
-allow session_bus_type self:unix_stream_socket { accept listen };
-allow session_bus_type self:tcp_socket { accept listen };
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
 allow session_bus_type self:netlink_selinux_socket create_socket_perms;
 
 allow session_bus_type dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
 
-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
-
 manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
 
-kernel_read_system_state(session_bus_type)
 kernel_read_kernel_sysctls(session_bus_type)
 
 corecmd_list_bin(session_bus_type)
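Review bot: The block under `# These are caused by broken systemd patch` grants `systemd_config_all_services(system_dbusd_t)` and `files_config_all_files(system_dbusd_t)`, which lets the system bus daemon modify service configuration and, by the interface's name, all configuration files; merging a known workaround of that breadth without a tracking reference or removal condition leaves a privileged path in policy indefinitely. Please record the issue it works around in the comment and consider gating it behind a tunable so it can be disabled where the patched systemd is not present. Separately, the `nis_use_ypbind`, `snapper_read_inherited_pipe` and `unconfined_server_domtrans` optional_policy blocks use space indentation while the rest use tabs, and the `system_bus_type rules` section calls this module's own interfaces (`dbus_system_bus_client`, `dbus_connect_system_bus`) from within dbus.te, where writing the rules directly is the usual convention.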
@@ -191,23 +294,18 @@ corecmd_read_bin_files(session_bus_type)
 corecmd_read_bin_pipes(session_bus_type)
 corecmd_read_bin_sockets(session_bus_type)
 
-corenet_all_recvfrom_unlabeled(session_bus_type)
-corenet_all_recvfrom_netlabel(session_bus_type)
 corenet_tcp_sendrecv_generic_if(session_bus_type)
 corenet_tcp_sendrecv_generic_node(session_bus_type)
 corenet_tcp_sendrecv_all_ports(session_bus_type)
 corenet_tcp_bind_generic_node(session_bus_type)
-
-corenet_sendrecv_all_server_packets(session_bus_type)
 corenet_tcp_bind_reserved_port(session_bus_type)
 
 dev_read_urand(session_bus_type)
 
-domain_read_all_domains_state(session_bus_type)
 domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
 
 files_list_home(session_bus_type)
-files_read_usr_files(session_bus_type)
 files_dontaudit_search_var(session_bus_type)
 
 fs_getattr_romfs(session_bus_type)
@@ -215,7 +313,6 @@ fs_getattr_xattr_fs(session_bus_type)
 fs_list_inotifyfs(session_bus_type)
 fs_dontaudit_list_nfs(session_bus_type)
 
-selinux_get_fs_mount(session_bus_type)
 selinux_validate_context(session_bus_type)
 selinux_compute_access_vector(session_bus_type)
 selinux_compute_create_context(session_bus_type)
@@ -225,18 +322,36 @@ selinux_compute_user_contexts(session_bus_type)
 auth_read_pam_console_data(session_bus_type)
 
 logging_send_audit_msgs(session_bus_type)
-logging_send_syslog_msg(session_bus_type)
-
-miscfiles_read_localization(session_bus_type)
 
 seutil_read_config(session_bus_type)
 seutil_read_default_contexts(session_bus_type)
 
-term_use_all_terms(session_bus_type)
+term_use_all_inherited_terms(session_bus_type)
+
+userdom_dontaudit_search_admin_dir(session_bus_type)
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_manage_tmpfs_files(session_bus_type, file)
+userdom_tmpfs_filetrans(session_bus_type, file)
 
 optional_policy(`
-	xserver_use_xdm_fds(session_bus_type)
+	gnome_read_config(session_bus_type)
+	gnome_read_gconf_home_files(session_bus_type)
+')
+
+optional_policy(`
+	hal_dbus_chat(session_bus_type)
+')
+
+optional_policy(`
+	thumb_domtrans(session_bus_type)
+')
+
+optional_policy(`
+	xserver_search_xdm_lib(session_bus_type)
 	xserver_rw_xdm_pipes(session_bus_type)
+	xserver_use_xdm_fds(session_bus_type)
+	xserver_append_xdm_home_files(session_bus_type)
 ')
 
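Review bot: Replacing the dedicated session_dbusd_home_t type with `userdom_manage_user_home_content_dirs(session_bus_type)` and `userdom_manage_user_home_content_files(session_bus_type)` widens the session bus from managing only its own `.dbus` directory to creating, writing and deleting any user-home content type; together with the removal of that type earlier in the diff this is a loss of least privilege, not a rename. If the bus only needs its own state directory, keeping a private type with a `userdom_user_home_dir_filetrans` is the narrower option; if the broad grant is genuinely required, a comment naming what it actually touches would let a later reviewer tighten it. The `userdom_manage_tmpfs_files` and `userdom_tmpfs_filetrans` additions are likewise undocumented.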
 ########################################
@@ -244,5 +359,9 @@ optional_policy(`
 # Unconfined access to this module
 #
 
-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+kernel_stream_connect(session_bus_type)
+systemd_login_read_pid_files(session_bus_type)
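Review bot: `systemd_login_read_pid_files(session_bus_type)` is called unconditionally, unlike every other cross-module call in this file, which is wrapped in `optional_policy(...)`; if the systemd module is absent the build fails on the unresolved interface, so wrap it the same way. The two trailing calls also sit under the `# Unconfined access to this module` banner although they belong to the session_bus_type section above; suggest moving them there. The removed rule also gave dbusd_unconfined all_dbus_perms on system_dbusd_t, and the new rules cover only session_bus_type and dbusd_unconfined itself; if that grant was intentionally moved elsewhere a comment would help, otherwise it has been silently dropped.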
diff --git a/dcc.fc b/dcc.fc
index 62d3c4e..cef59a7 100644
--- a/dcc.fc
+++ b/dcc.fc
@@ -10,6 +10,8 @@
 /usr/libexec/dcc/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
 /usr/libexec/dcc/dccm	--	gen_context(system_u:object_r:dccm_exec_t,s0)
 
+/usr/libexec/dcc/start-dccifd   --  gen_context(system_u:object_r:dccifd_exec_t,s0)
+
 /usr/sbin/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
 /usr/sbin/dccd	--	gen_context(system_u:object_r:dccd_exec_t,s0)
 /usr/sbin/dccifd	--	gen_context(system_u:object_r:dccifd_exec_t,s0)
diff --git a/dcc.if b/dcc.if
index a5c21e0..4639421 100644
--- a/dcc.if
+++ b/dcc.if
@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
 		type dcc_var_t, dccifd_var_run_t, dccifd_t;
 	')
 
-	files_search_var($1)
+	files_search_pids($1)
 	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
 ')
diff --git a/dcc.te b/dcc.te
index 353fa4a..a5e912f 100644
--- a/dcc.te
+++ b/dcc.te
@@ -45,7 +45,7 @@ type dcc_var_t;
 files_type(dcc_var_t)
 
 type dcc_var_run_t;
-files_type(dcc_var_run_t)
+files_pid_file(dcc_var_run_t)
 
 type dccd_t;
 type dccd_exec_t;
@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 
+corenet_all_recvfrom_netlabel(cdcc_t)
+corenet_udp_sendrecv_generic_if(cdcc_t)
+corenet_udp_sendrecv_generic_node(cdcc_t)
+corenet_udp_sendrecv_all_ports(cdcc_t)
+
 files_read_etc_runtime_files(cdcc_t)
 
 auth_use_nsswitch(cdcc_t)
 
 logging_send_syslog_msg(cdcc_t)
 
-miscfiles_read_localization(cdcc_t)
-
-userdom_use_user_terminals(cdcc_t)
+userdom_use_inherited_user_terminals(cdcc_t)
 
 ########################################
 #
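Review bot: `corenet_udp_sendrecv_all_ports(cdcc_t)` opens UDP send/receive on every port for a client that, as far as the visible lines show, only exchanges traffic with DCC servers; the same broad grant is repeated for `dcc_client_t` (which additionally gets `corenet_udp_bind_generic_node`), `dcc_dbclean_t`, `dccifd_t` and `dccm_t` in the following hunks. corenetwork defines a DCC port type (`dcc_port_t`) in refpolicy, so `corenet_udp_sendrecv_dcc_port(cdcc_t)` would express the intent with a much smaller surface. If all-ports really is required, a short comment stating why would stop the next reviewer from narrowing it; the same remark applies to each of the other four domains.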
@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
 
 allow dcc_client_t dcc_client_map_t:file rw_file_perms;
 
+domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
+
 manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
+corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_sendrecv_generic_if(dcc_client_t)
+corenet_udp_sendrecv_generic_node(dcc_client_t)
+corenet_udp_sendrecv_all_ports(dcc_client_t)
+corenet_udp_bind_generic_node(dcc_client_t)
+
 files_read_etc_runtime_files(dcc_client_t)
 
 fs_getattr_all_fs(dcc_client_t)
@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
 
 logging_send_syslog_msg(dcc_client_t)
 
-miscfiles_read_localization(dcc_client_t)
-
-userdom_use_user_terminals(dcc_client_t)
+userdom_use_inherited_user_terminals(dcc_client_t)
 
 optional_policy(`
-	amavis_read_spool_files(dcc_client_t)
+	antivirus_read_db(dcc_client_t)
 ')
 
 optional_policy(`
@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_dbclean_t)
 
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
 files_read_etc_runtime_files(dcc_dbclean_t)
 
 auth_use_nsswitch(dcc_dbclean_t)
 
 logging_send_syslog_msg(dcc_dbclean_t)
 
-miscfiles_read_localization(dcc_dbclean_t)
-
-userdom_use_user_terminals(dcc_dbclean_t)
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
 
 ########################################
 #
@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
 kernel_read_system_state(dccd_t)
 kernel_read_kernel_sysctls(dccd_t)
 
-corenet_all_recvfrom_unlabeled(dccd_t)
 corenet_all_recvfrom_netlabel(dccd_t)
 corenet_udp_sendrecv_generic_if(dccd_t)
 corenet_udp_sendrecv_generic_node(dccd_t)
@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
 
 logging_send_syslog_msg(dccd_t)
 
-miscfiles_read_localization(dccd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
 userdom_dontaudit_search_user_home_dirs(dccd_t)
 
@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
 kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)
 
+corenet_all_recvfrom_netlabel(dccifd_t)
+corenet_udp_sendrecv_generic_if(dccifd_t)
+corenet_udp_sendrecv_generic_node(dccifd_t)
+corenet_udp_sendrecv_all_ports(dccifd_t)
+
 dev_read_sysfs(dccifd_t)
 
 domain_use_interactive_fds(dccifd_t)
@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
 
 logging_send_syslog_msg(dccifd_t)
 
-miscfiles_read_localization(dccifd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
 userdom_dontaudit_search_user_home_dirs(dccifd_t)
 
@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
 kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)
 
+corenet_all_recvfrom_netlabel(dccm_t)
+corenet_udp_sendrecv_generic_if(dccm_t)
+corenet_udp_sendrecv_generic_node(dccm_t)
+corenet_udp_sendrecv_all_ports(dccm_t)
+
 dev_read_sysfs(dccm_t)
 
 domain_use_interactive_fds(dccm_t)
@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
 
 logging_send_syslog_msg(dccm_t)
 
-miscfiles_read_localization(dccm_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
 userdom_dontaudit_search_user_home_dirs(dccm_t)
 
diff --git a/ddclient.if b/ddclient.if
index 5606b40..cd18cf2 100644
--- a/ddclient.if
+++ b/ddclient.if
@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
 		type ddclient_var_run_t, ddclient_initrc_exec_t;
 	')
 
-	allow $1 ddclient_t:process { ptrace signal_perms };
+	allow $1 ddclient_t:process signal_perms;
 	ps_process_pattern($1, ddclient_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ddclient_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
index a4caa1b..42f3066 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
 # Declarations
 #
 
+
 dontaudit ddclient_t self:capability sys_tty_config;
 allow ddclient_t self:process signal_perms;
 allow ddclient_t self:fifo_file rw_fifo_file_perms;
+allow ddclient_t self:tcp_socket create_socket_perms;
+allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
 
 read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
 setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
 
-corenet_all_recvfrom_unlabeled(ddclient_t)
 corenet_all_recvfrom_netlabel(ddclient_t)
 corenet_tcp_sendrecv_generic_if(ddclient_t)
 corenet_udp_sendrecv_generic_if(ddclient_t)
@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
 corenet_udp_sendrecv_generic_node(ddclient_t)
 corenet_tcp_sendrecv_all_ports(ddclient_t)
 corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
 
 corenet_sendrecv_all_client_packets(ddclient_t)
 corenet_tcp_connect_all_ports(ddclient_t)
@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
 
 domain_use_interactive_fds(ddclient_t)
 
-files_read_etc_files(ddclient_t)
 files_read_etc_runtime_files(ddclient_t)
-files_read_usr_files(ddclient_t)
 
 fs_getattr_all_fs(ddclient_t)
 fs_search_auto_mountpoints(ddclient_t)
 
+auth_read_passwd(ddclient_t)
+
 logging_send_syslog_msg(ddclient_t)
 
-miscfiles_read_localization(ddclient_t)
+mta_send_mail(ddclient_t)
 
 sysnet_exec_ifconfig(ddclient_t)
 sysnet_dns_name_resolve(ddclient_t)
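Review bot: `mta_send_mail(ddclient_t)` is called unconditionally, but `mta` is a separate module, so this module fails to build when that module is absent unless mta is guaranteed to be part of the base policy; `iptables_domtrans(denyhosts_t)` in denyhosts.te has the same problem. Wrap each call in an `optional_policy()` block, as this file already does for its other cross-module calls. The neighbouring `auth_read_passwd` and `sysnet_*` calls are core-module interfaces and can stay as they are.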
diff --git a/ddcprobe.te b/ddcprobe.te
index 8fa4bb9..8f5ffb0 100644
--- a/ddcprobe.te
+++ b/ddcprobe.te
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
 dev_read_raw_memory(ddcprobe_t)
 dev_wx_raw_memory(ddcprobe_t)
 
-files_read_etc_files(ddcprobe_t)
 files_read_etc_runtime_files(ddcprobe_t)
-files_read_usr_files(ddcprobe_t)
 
 term_use_all_ttys(ddcprobe_t)
 term_use_all_ptys(ddcprobe_t)
diff --git a/denyhosts.if b/denyhosts.if
index a7326da..c87b5b7 100644
--- a/denyhosts.if
+++ b/denyhosts.if
@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`denyhosts_admin',`
 	gen_require(`
@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
 		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
 	')
 
-	allow $1 denyhosts_t:process { ptrace signal_perms };
+	allow $1 denyhosts_t:process signal_perms;
 	ps_process_pattern($1, denyhosts_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 denyhosts_t:process ptrace;
+	')
+
 	denyhosts_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 denyhosts_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, denyhosts_var_lib_t)
 
-	logging_search_logs($1)
+	logging_list_logs($1)
 	admin_pattern($1, denyhosts_var_log_t)
 
-	files_search_locks($1)
+	files_list_locks($1)
 	admin_pattern($1, denyhosts_var_lock_t)
 ')
diff --git a/denyhosts.te b/denyhosts.te
index 583a527..91c4104 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
 #
 # Local policy
 #
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
 
 allow denyhosts_t self:capability sys_tty_config;
 allow denyhosts_t self:fifo_file rw_fifo_file_perms;
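Review bot: The two rules added under `# Bug #588563` are byte-for-byte duplicates of the two existing rules immediately below them (`allow denyhosts_t self:capability sys_tty_config;` and `allow denyhosts_t self:fifo_file rw_fifo_file_perms;`). Duplicate rules compile, but the bug reference now sits on rules that were already present, which misrepresents what the bug fix changed. Drop the added pair, or keep the bug comment and delete the original pair, so each rule appears exactly once.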
@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
 corecmd_exec_bin(denyhosts_t)
 corecmd_exec_shell(denyhosts_t)
 
-corenet_all_recvfrom_unlabeled(denyhosts_t)
 corenet_all_recvfrom_netlabel(denyhosts_t)
 corenet_tcp_sendrecv_generic_if(denyhosts_t)
 corenet_tcp_sendrecv_generic_node(denyhosts_t)
@@ -57,13 +59,19 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
 corenet_tcp_connect_smtp_port(denyhosts_t)
 corenet_tcp_sendrecv_smtp_port(denyhosts_t)
 
+corenet_sendrecv_sype_transport_client_packets(denyhosts_t)
+corenet_tcp_connect_sype_transport_port(denyhosts_t)
+corenet_tcp_sendrecv_sype_transport_port(denyhosts_t)
+
 dev_read_urand(denyhosts_t)
 
+auth_use_nsswitch(denyhosts_t)
+
+iptables_domtrans(denyhosts_t)
+
 logging_read_generic_logs(denyhosts_t)
 logging_send_syslog_msg(denyhosts_t)
 
-miscfiles_read_localization(denyhosts_t)
-
 sysnet_dns_name_resolve(denyhosts_t)
 sysnet_manage_config(denyhosts_t)
 sysnet_etc_filetrans_config(denyhosts_t)
@@ -71,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
 optional_policy(`
 	cron_system_entry(denyhosts_t, denyhosts_exec_t)
 ')
+
+optional_policy(`
+	gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.if b/devicekit.if
index 8ce99ff..1bc5d3a 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
-## <summary>Devicekit modular hardware abstraction layer.</summary>
+## <summary>Devicekit modular hardware abstraction layer</summary>
 
 ########################################
 ## <summary>
@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',`
 		type devicekit_t, devicekit_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, devicekit_exec_t, devicekit_t)
 ')
 
 ########################################
 ## <summary>
+##	Execute a domain transition to run devicekit_disk.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`devicekit_domtrans_disk',`
+	gen_require(`
+		type devicekit_disk_t, devicekit_disk_exec_t;
+	')
+
+	domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
+')
+
+########################################
+## <summary>
 ##	Send to devicekit over a unix domain
 ##	datagram socket.
 ## </summary>
@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
 #
 interface(`devicekit_dgram_send',`
 	gen_require(`
-		type devicekit_t, devicekit_var_run_t;
+		type devicekit_t;
 	')
 
-	files_search_pids($1)
-	dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
+	allow $1 devicekit_t:unix_dgram_socket sendto;
 ')
 
 ########################################
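Review bot: `devicekit_dgram_send` now grants only `devicekit_t:unix_dgram_socket sendto`, whereas the replaced `dgram_send_pattern` also gave the caller search on the pid directory and `write` on the socket file. If devicekit's datagram socket is a path under /run (the dropped `devicekit_var_run_t` requirement suggests it was), callers will now be denied on the `sock_file` before the `sendto` check is ever reached; if it is an abstract socket, the reduction is correct and a one-line comment saying so would keep someone from restoring the pattern. Please confirm which socket type devicekit actually uses.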
@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
 
 ########################################
 ## <summary>
-##	Send generic signals to devicekit power.
+##	Use file descriptors for devicekit_disk.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_signal_power',`
+interface(`devicekit_use_fds_disk',`
 	gen_require(`
-		type devicekit_power_t;
+		type devicekit_disk_t;
 	')
 
-	allow $1 devicekit_power_t:process signal;
+	allow $1 devicekit_disk_t:fd use; 
 ')
 
 ########################################
 ## <summary>
-##	Send and receive messages from
-##	devicekit power over dbus.
+##	Dontaudit Send and receive messages from
+##	devicekit disk over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_dbus_chat_power',`
+interface(`devicekit_dontaudit_dbus_chat_disk',`
 	gen_require(`
-		type devicekit_power_t;
+		type devicekit_disk_t;
 		class dbus send_msg;
 	')
 
-	allow $1 devicekit_power_t:dbus send_msg;
-	allow devicekit_power_t $1:dbus send_msg;
+	dontaudit $1 devicekit_disk_t:dbus send_msg;
+	dontaudit devicekit_disk_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Use and inherit devicekit power
-##	file descriptors.
+##	Send signal devicekit power
 ## </summary>
 ## <param name="domain">
 ##	<summary>
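Review bot: `allow $1 devicekit_disk_t:fd use; ` in `devicekit_use_fds_disk` carries a trailing space, and the same whitespace problems recur later in this file: `gen_require(` in `devicekit_dontaudit_read_pid_files` ends in a trailing space, `devicekit_use_fds_power` and `devicekit_relabel_log_files` are indented with spaces while every neighbouring interface uses tabs, and devicekit.te gains a stray blank line after its final `')`. None of this changes the compiled policy, but it trips the refpolicy whitespace checks and makes later diffs noisy. Normalise to tabs and strip the trailing whitespace before merging.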
@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_use_fds_power',`
+interface(`devicekit_signal_power',`
 	gen_require(`
 		type devicekit_power_t;
 	')
 
-	allow $1 devicekit_power_t:fd use;
+	allow $1 devicekit_power_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Append inherited devicekit log files.
+##	Send and receive messages from
+##	devicekit power over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -149,40 +165,97 @@ interface(`devicekit_use_fds_power',`
 ##	</summary>
 ## </param>
 #
+interface(`devicekit_dbus_chat_power',`
+	gen_require(`
+		type devicekit_power_t;
+		class dbus send_msg;
+	')
+
+	allow $1 devicekit_power_t:dbus send_msg;
+	allow devicekit_power_t $1:dbus send_msg;
+')
+
+#######################################
+## <summary>
+##  Use and inherit devicekit power
+##  file descriptors.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`devicekit_use_fds_power',`
+    gen_require(`
+        type devicekit_power_t;
+    ')
+
+        allow $1 devicekit_power_t:fd use;
+')
+
+#######################################
+## <summary>
+##  Append inherited devicekit log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
 interface(`devicekit_append_inherited_log_files',`
 	gen_require(`
 		type devicekit_var_log_t;
 	')
 
 	logging_search_logs($1)
-	allow $1 devicekit_var_log_t:file { getattr_file_perms append };
+	allow $1 devicekit_var_log_t:file append_inherited_file_perms;
 
 	devicekit_use_fds_power($1)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Create, read, write, and delete
-##	devicekit log files.
+##  Allow read devicekit log files.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
-interface(`devicekit_manage_log_files',`
+interface(`devicekit_read_log_files',`
 	gen_require(`
 		type devicekit_var_log_t;
 	')
 
 	logging_search_logs($1)
-	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	allow $1 devicekit_var_log_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to write the devicekit
+##  log files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_rw_log',`
+	gen_require(`
+		type devicekit_var_log_t;
+	')
+
+	dontaudit $1 devicekit_var_log_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel devicekit log files.
+##	Allow the domain to read devicekit_power state files in /proc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -190,13 +263,13 @@ interface(`devicekit_manage_log_files',`
 ##	</summary>
 ## </param>
 #
-interface(`devicekit_relabel_log_files',`
+interface(`devicekit_read_state_power',`
 	gen_require(`
-		type devicekit_var_log_t;
+		type devicekit_power_t;
 	')
 
-	logging_search_logs($1)
-	relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	kernel_search_proc($1)
+	ps_process_pattern($1, devicekit_power_t)
 ')
 
 ########################################
@@ -220,11 +293,30 @@ interface(`devicekit_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
+##	Do not audit attempts to read
 ##	devicekit PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`devicekit_dontaudit_read_pid_files',`
+	gen_require(` 
+		type devicekit_var_run_t;
+	')
+
+	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
+')
+
+
+########################################
+## <summary>
+##	Manage devicekit PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@@ -235,22 +327,59 @@ interface(`devicekit_manage_pid_files',`
 	')
 
 	files_search_pids($1)
+	manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
 	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
+## <summary>
+##  Relabel devicekit LOG files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`devicekit_relabel_log_files',`
+    gen_require(`
+        type devicekit_var_log_t;
+    ')
+
+    logging_search_logs($1)
+    relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an devicekit environment.
+##	Manage devicekit LOG files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+#
+interface(`devicekit_manage_log_files',`
+	gen_require(`
+		type devicekit_var_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
+	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an devicekit environment
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	Role allowed access.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
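Review bot: `files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")` added to `devicekit_manage_pid_files` grants the same named transition that the new `devicekit_filetrans_named_content` interface further down exists to provide, so callers of the first get it implicitly and the second is partly redundant. The two commented-out `logging_log_filetrans` lines in `devicekit_manage_log_files` are dead text that duplicates that interface's body as well. Keep the named transitions in one place: call `devicekit_filetrans_named_content($1)` from the manage interfaces if that is the intent, or drop the duplicate line and the commented lines.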
@@ -259,21 +388,48 @@ interface(`devicekit_admin',`
 	gen_require(`
 		type devicekit_t, devicekit_disk_t, devicekit_power_t;
 		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
-		type devicekit_var_log_t;
 	')
 
-	allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
-	ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
+	allow $1 devicekit_t:process signal_perms;
+	ps_process_pattern($1, devicekit_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 devicekit_t:process ptrace;
+		allow $1 devicekit_disk_t:process ptrace;
+		allow $1 devicekit_power_t:process ptrace;
+	')
+
+	allow $1 devicekit_disk_t:process signal_perms;
+	ps_process_pattern($1, devicekit_disk_t)
+
+	allow $1 devicekit_power_t:process signal_perms;
+	ps_process_pattern($1, devicekit_power_t)
 
-	files_search_tmp($1)
 	admin_pattern($1, devicekit_tmp_t)
+	files_list_tmp($1)
 
-	files_search_var_lib($1)
 	admin_pattern($1, devicekit_var_lib_t)
+	files_list_var_lib($1)
 
-	logging_search_logs($1)
-	admin_pattern($1, devicekit_var_log_t)
-
-	files_search_pids($1)
 	admin_pattern($1, devicekit_var_run_t)
+	files_list_pids($1)
+')
+
+########################################
+## <summary>
+##	Transition to devicekit named content
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`devicekit_filetrans_named_content',`
+	gen_require(`
+		type devicekit_var_run_t, devicekit_var_log_t;
+	')
+
+	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
+	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 ')
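Review bot: `devicekit_admin` drops the `devicekit_var_log_t` require and its `admin_pattern`, so an administrator role can no longer manage or relabel devicekit's log files even though this commit adds `devicekit_manage_log_files` and `devicekit_relabel_log_files` for exactly that purpose. If the removal is intentional, a comment in the interface should say why; otherwise restore the log-file access, e.g. `devicekit_manage_log_files($1)` next to the other `admin_pattern` calls. The ptrace `tunable_policy` block is also placed between the `devicekit_t` rules and the `devicekit_disk_t` rules; moving it after the three `ps_process_pattern` calls keeps the per-domain rules together.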
diff --git a/devicekit.te b/devicekit.te
index 77a5003..b605240 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
 
 type devicekit_t;
 type devicekit_exec_t;
-dbus_system_domain(devicekit_t, devicekit_exec_t)
+init_daemon_domain(devicekit_t, devicekit_exec_t)
 
 type devicekit_power_t;
 type devicekit_power_exec_t;
-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
 
 type devicekit_disk_t;
 type devicekit_disk_exec_t;
-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
 
 type devicekit_tmp_t;
 files_tmp_file(devicekit_tmp_t)
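Review bot: `policy_module(devicekit, 1.3.1)` in the hunk header is left unchanged although this commit adds, renames and removes interfaces in devicekit.if (`devicekit_domtrans_disk`, `devicekit_use_fds_disk`, `devicekit_dontaudit_dbus_chat_disk`, `devicekit_read_state_power`, and the rewritten `devicekit_dgram_send`). refpolicy convention is to bump the module version whenever the interface file changes, so that dependent modules can express a minimum version. Please bump it as part of this change.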
@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
 dev_read_sysfs(devicekit_t)
 dev_read_urand(devicekit_t)
 
-files_read_etc_files(devicekit_t)
-
-miscfiles_read_localization(devicekit_t)
-
 optional_policy(`
+	dbus_system_domain(devicekit_t, devicekit_exec_t)
 	dbus_system_bus_client(devicekit_t)
 
 	allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
@@ -64,7 +61,8 @@ optional_policy(`
 # Disk local policy
 #
 
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
 allow devicekit_disk_t self:process { getsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -81,17 +79,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
 manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+files_filetrans_named_content(devicekit_disk_t)
 
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
 kernel_getattr_message_if(devicekit_disk_t)
 kernel_list_unlabeled(devicekit_disk_t)
-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
 kernel_read_fs_sysctls(devicekit_disk_t)
 kernel_read_network_state(devicekit_disk_t)
 kernel_read_software_raid_state(devicekit_disk_t)
 kernel_read_system_state(devicekit_disk_t)
 kernel_read_vm_sysctls(devicekit_disk_t)
 kernel_request_load_module(devicekit_disk_t)
-kernel_setsched(devicekit_disk_t)
+kernel_dontaudit_setsched(devicekit_disk_t)
 
 corecmd_exec_bin(devicekit_disk_t)
 corecmd_exec_shell(devicekit_disk_t)
@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
 
 dev_getattr_all_chr_files(devicekit_disk_t)
 dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
+dev_rw_loop_control(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
+files_manage_etc_files(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
-files_read_usr_files(devicekit_disk_t)
 
 fs_getattr_all_fs(devicekit_disk_t)
 fs_list_inotifyfs(devicekit_disk_t)
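Review bot: `files_manage_etc_files(devicekit_disk_t)` lets the disk daemon create, write and delete every `etc_t` file, which is far wider than the single configuration file a disk manager would plausibly edit (presumably /etc/fstab or /etc/crypttab — the hunk does not say). If one specific file is the target, consider giving it its own type with a name-based transition so the grant is limited to that file. If the broad rule is unavoidable, a comment naming the file that needs it should accompany the line so the scope can be revisited later.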
@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
 storage_raw_read_removable_device(devicekit_disk_t)
 storage_raw_write_removable_device(devicekit_disk_t)
 
-term_use_all_terms(devicekit_disk_t)
+term_use_all_inherited_terms(devicekit_disk_t)
 
 auth_use_nsswitch(devicekit_disk_t)
 
 logging_send_syslog_msg(devicekit_disk_t)
 
-miscfiles_read_localization(devicekit_disk_t)
-
 userdom_read_all_users_state(devicekit_disk_t)
 userdom_search_user_home_dirs(devicekit_disk_t)
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
 
 optional_policy(`
+	dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
 	dbus_system_bus_client(devicekit_disk_t)
 
 	allow devicekit_disk_t devicekit_t:dbus send_msg;
@@ -170,6 +171,7 @@ optional_policy(`
 
 optional_policy(`
 	mount_domtrans(devicekit_disk_t)
+	mount_read_pid_files(devicekit_disk_t)
 ')
 
 optional_policy(`
@@ -183,6 +185,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_read_logind_sessions_files(devicekit_disk_t)
+	systemd_write_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
 	udev_domtrans(devicekit_disk_t)
 	udev_read_db(devicekit_disk_t)
 	udev_read_pid_files(devicekit_disk_t)
@@ -192,12 +199,19 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
 
+optional_policy(`
+	unconfined_domain(devicekit_t)
+	unconfined_domain(devicekit_power_t)
+	unconfined_domain(devicekit_disk_t)
+')
+
 ########################################
 #
 # Power local policy
 #
 
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
+allow devicekit_power_t self:capability2 compromise_kernel;
 allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
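Review bot: The new `optional_policy` block calling `unconfined_domain()` on `devicekit_t`, `devicekit_power_t` and `devicekit_disk_t` makes all three domains unconfined whenever the unconfined module is loaded, at which point every other rule in this file stops constraining them. If that is a deliberate decision, it deserves a comment stating the reason and ideally a tunable gate, so the confined policy below is not silently dead; if it is a debugging aid, it should not be committed. The `capability2 compromise_kernel` grant to `devicekit_power_t` in the same hunk is similarly worth a one-line justification.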
@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
 
-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
 
 manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
 kernel_read_fs_sysctls(devicekit_power_t)
 kernel_read_network_state(devicekit_power_t)
 kernel_read_system_state(devicekit_power_t)
-kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_usermodehelper_state(devicekit_power_t)
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_rw_vm_sysctls(devicekit_power_t)
 kernel_search_debugfs(devicekit_power_t)
 kernel_write_proc_files(devicekit_power_t)
-kernel_setsched(devicekit_power_t)
+kernel_dontaudit_setsched(devicekit_power_t)
 
 corecmd_exec_bin(devicekit_power_t)
 corecmd_exec_shell(devicekit_power_t)
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_runtime_files(devicekit_power_t)
-files_read_usr_files(devicekit_power_t)
 files_dontaudit_list_mnt(devicekit_power_t)
 
 fs_getattr_all_fs(devicekit_power_t)
 fs_list_inotifyfs(devicekit_power_t)
 
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
 
 auth_use_nsswitch(devicekit_power_t)
 
 init_all_labeled_script_domtrans(devicekit_power_t)
 init_read_utmp(devicekit_power_t)
 
-miscfiles_read_localization(devicekit_power_t)
-
 sysnet_domtrans_ifconfig(devicekit_power_t)
 sysnet_domtrans_dhcpc(devicekit_power_t)
 
@@ -277,6 +286,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_initrc_domtrans(devicekit_power_t)
+	cron_systemctl(devicekit_power_t)
+')
+
+optional_policy(`
+	dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
 	dbus_system_bus_client(devicekit_power_t)
 
 	allow devicekit_power_t devicekit_t:dbus send_msg;
@@ -307,8 +322,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_manage_home_config(devicekit_power_t)
+')
+
+optional_policy(`
 	hal_domtrans_mac(devicekit_power_t)
-	hal_manage_log(devicekit_power_t)
 	hal_manage_pid_dirs(devicekit_power_t)
 	hal_manage_pid_files(devicekit_power_t)
 ')
@@ -347,3 +365,9 @@ optional_policy(`
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
+
+optional_policy(`
+	corenet_tcp_connect_xserver_port(devicekit_power_t)
+	xserver_stream_connect(devicekit_power_t)
+')
+
diff --git a/dhcp.fc b/dhcp.fc
index 8182c48..0b9bb97 100644
--- a/dhcp.fc
+++ b/dhcp.fc
@@ -1,6 +1,13 @@
 /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcrelay(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 
-/usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.*	--	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcpd6.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+/usr/lib/systemd/system/dhcrelay.*	    --	gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
+
+/usr/sbin/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/sbin/dhcrelay(6)?	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
 /var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)
 /var/lib/dhcp(3)?/dhcpd\.leases.*	--	gen_context(system_u:object_r:dhcpd_state_t,s0)
diff --git a/dhcp.if b/dhcp.if
index c697edb..954c090 100644
--- a/dhcp.if
+++ b/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
 	')
 
 	sysnet_search_dhcp_state($1)
-	allow $1 dhcpd_state_t:file setattr;
+	allow $1 dhcpd_state_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -60,6 +60,31 @@ interface(`dhcpd_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute dhcpd server in the dhcpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dhcpd_systemctl',`
+	gen_require(`
+		type dhcpd_unit_file_t;
+		type dhcpd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	systemd_search_unit_dirs($1)
+	allow $1 dhcpd_unit_file_t:file read_file_perms;
+	allow $1 dhcpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, dhcpd_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an dhcpd environment.
 ## </summary>
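Review bot: The summary for `dhcpd_systemctl` reads `Execute dhcpd server in the dhcpd domain.`, which is the domtrans wording and does not describe what the interface grants: executing systemctl in the caller's domain, reading dhcpd unit files and managing the `dhcpd_unit_file_t` service. Replace it with `Execute systemctl in the caller domain to manage the dhcpd service.` and change the parameter summary to `Domain allowed access.` rather than `Domain allowed to transition.`. `init_reload_services($1)` is also broader than this one service; a short note on why the caller needs a global reload would help.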
@@ -79,11 +104,16 @@ interface(`dhcpd_admin',`
 	gen_require(`
 		type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
 		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+		type dhcpd_unit_file_t;
 	')
 
-	allow $1 dhcpd_t:process { ptrace signal_perms };
+	allow $1 dhcpd_t:process signal_perms;
 	ps_process_pattern($1, dhcpd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dhcpd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 dhcpd_initrc_exec_t system_r;
@@ -97,4 +127,8 @@ interface(`dhcpd_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, dhcpd_var_run_t)
+
+	dhcpd_systemctl($1)
+	admin_pattern($1, dhcpd_unit_file_t)
+	allow $1 dhcpd_unit_file_t:service all_service_perms;
 ')
diff --git a/dhcp.te b/dhcp.te
index 98a24b9..cb5795e 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
 type dhcpd_initrc_exec_t;
 init_script_file(dhcpd_initrc_exec_t)
 
+type dhcpd_unit_file_t;
+systemd_unit_file(dhcpd_unit_file_t)
+
 type dhcpd_state_t;
 files_type(dhcpd_state_t)
 
@@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
 # Local policy
 #
 
-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw kill setgid setuid setpcap sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process { getcap setcap signal_perms };
 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
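Review bot: The capability line gains `kill` and `setpcap` with nothing saying which dhcpd operation needs them, and `setpcap` combined with the existing `self:process { getcap setcap }` on the following line lets the daemon rewrite its own capability sets, which is a grant a maintainer will want to be able to re-justify later. A one-line comment above the rule naming the code path (presumably the privilege-dropping done after binding, but that is not visible here) would do, e.g. `# kill/setpcap: TODO document which dhcpd operation requires these`. If `kill` is only needed to signal its own children, `signal_perms` on the next line may already cover it and the capability could be dropped.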
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
 kernel_read_network_state(dhcpd_t)
 
-corenet_all_recvfrom_unlabeled(dhcpd_t)
 corenet_all_recvfrom_netlabel(dhcpd_t)
 corenet_tcp_sendrecv_generic_if(dhcpd_t)
 corenet_udp_sendrecv_generic_if(dhcpd_t)
@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t)
 
 domain_use_interactive_fds(dhcpd_t)
 
-files_read_usr_files(dhcpd_t)
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
 
@@ -102,22 +103,44 @@ auth_use_nsswitch(dhcpd_t)
 
 logging_send_syslog_msg(dhcpd_t)
 
-miscfiles_read_localization(dhcpd_t)
-
+sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
 userdom_dontaudit_search_user_home_dirs(dhcpd_t)
 
 tunable_policy(`dhcpd_use_ldap',`
-	sysnet_use_ldap(dhcpd_t)
+    allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+    corenet_tcp_sendrecv_generic_if(dhcpd_t)
+    corenet_tcp_sendrecv_generic_node(dhcpd_t)
+    corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+    corenet_tcp_connect_ldap_port(dhcpd_t)
+    corenet_sendrecv_ldap_client_packets(dhcpd_t)
 ')
 
 optional_policy(`
+    tunable_policy(`dhcpd_use_ldap',`
+	    ldap_read_certs(dhcpd_t)
+    ')
+')
+
+ifdef(`distro_gentoo',`
+	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
+optional_policy(`
+	# used for dynamic DNS
 	bind_read_dnssec_keys(dhcpd_t)
 ')
 
 optional_policy(`
+	cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(dhcpd_t)
 	dbus_connect_system_bus(dhcpd_t)
 ')
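Review bot: The new `ifdef(`distro_gentoo',` block grants `{ chown dac_override setgid setuid sys_chroot }`, which is a strict subset of the unconditional capability rule earlier in this file (`allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw kill setgid setuid setpcap sys_resource };`), so the block is a no-op and should either be removed or be the only place those capabilities are granted. The two consecutive `tunable_policy(`dhcpd_use_ldap',` blocks can be merged into one, and the `optional_policy` around `ldap_read_certs` nests the same tunable a third time; one tunable block with the optional_policy inside it would read more clearly. The added lines also use four-space indentation where the rest of the file uses tabs.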
diff --git a/dictd.if b/dictd.if
index 3cc3494..cb0a1f4 100644
--- a/dictd.if
+++ b/dictd.if
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
 		type dictd_var_run_t, dictd_initrc_exec_t;
 	')
 
-	allow $1 dictd_t:process { ptrace signal_perms };
+	allow $1 dictd_t:process signal_perms;
 	ps_process_pattern($1, dictd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dictd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
index 433d3c5..0dccebf 100644
--- a/dictd.te
+++ b/dictd.te
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
 
-corenet_all_recvfrom_unlabeled(dictd_t)
 corenet_all_recvfrom_netlabel(dictd_t)
 corenet_tcp_sendrecv_generic_if(dictd_t)
 corenet_tcp_sendrecv_generic_node(dictd_t)
@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t)
 domain_use_interactive_fds(dictd_t)
 
 files_read_etc_runtime_files(dictd_t)
-files_read_usr_files(dictd_t)
 files_search_var_lib(dictd_t)
 
 fs_getattr_xattr_fs(dictd_t)
@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t)
 
 logging_send_syslog_msg(dictd_t)
 
-miscfiles_read_localization(dictd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
 optional_policy(`
diff --git a/dirmngr.te b/dirmngr.te
index b3b2188..5f91705 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
 
 kernel_read_crypto_sysctls(dirmngr_t)
 
-files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
index 0000000..38b17f8
--- /dev/null
+++ b/dirsrv-admin.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/dirsrv-admin\.service	--	gen_context(system_u:object_r:dirsrvadmin_unit_file_t,s0)
+
+/etc/dirsrv/admin-serv(/.*)?		gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)?	gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/usr/sbin/restart-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/start-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+/usr/sbin/stop-ds-admin		--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0)
+
+/usr/lib/dirsrv/cgi-bin/ds_create    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
+/var/lock/subsys/dirsrv-admin      --  gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
index 0000000..0d4e704
--- /dev/null
+++ b/dirsrv-admin.if
@@ -0,0 +1,157 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
+## <summary>
+##	Exec dirsrv-admin programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_run_exec',`
+	gen_require(`
+		type dirsrvadmin_exec_t;
+	')
+
+	allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+	can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+## <summary>
+##	Exec cgi programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_run_script_exec',`
+	gen_require(`
+		type dirsrvadmin_script_exec_t;
+	')
+
+	allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
+	can_exec($1, dirsrvadmin_script_exec_t)
+')
+
+########################################
+## <summary>
+##	Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_read_config',`
+	gen_require(`
+		type dirsrvadmin_config_t;
+	')
+
+	read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+## <summary>
+##	Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_config',`
+	gen_require(`
+		type dirsrvadmin_config_t;
+	')
+
+	allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+	allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Read dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrvadmin_read_tmp',`
+        gen_require(`
+                type dirsrvadmin_tmp_t;
+        ')
+
+        read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+## <summary>
+##      Manage dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_tmp',`
+        gen_require(`
+                type dirsrvadmin_tmp_t;
+        ')
+
+	manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
+########################################
+## <summary>
+##	Execute dirsrv-admin server in the dirsrv-admin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dirsrvadmin_systemctl',`
+	gen_require(`
+		type dirsrvadmin_t;
+		type dirsrvadmin_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 dirsrvadmin_unit_file_t:file read_file_perms;
+	allow $1 dirsrvadmin_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, dirsrvadmin_t)
+')
+
+#######################################
+## <summary>
+##  Execute admin cgi programs in caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
+    gen_require(`
+       type dirsrvadmin_unconfined_script_t;
+        type dirsrvadmin_unconfined_script_exec_t;
+    ')
+
+   domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
+   allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+')
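Review bot: `dirsrvadmin_read_config` carries the summary "Manage dirsrv-adminserver configuration files" although its body only calls `read_files_pattern`; the summary should be `##	Read dirsrv-adminserver configuration files.` so it is not confused with `dirsrvadmin_manage_config` directly below it, which has the identical summary. `dirsrvadmin_domtrans_unconfined_script_t` is documented as "Execute admin cgi programs in caller domain" but performs `domtrans_pattern` into `dirsrvadmin_unconfined_script_t`, so the summary should state that it transitions into the unconfined script domain, and the `_t` suffix on an interface name is unusual in this tree. Indentation alternates between tabs, eight spaces (`dirsrvadmin_read_tmp`, `dirsrvadmin_manage_tmp`) and three or four spaces (the last interface) within one new file.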
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
index 0000000..18491fa
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,167 @@
+policy_module(dirsrv-admin,1.0.0) 
+
+########################################
+#
+# Declarations for the daemon
+#
+
+type dirsrvadmin_t;
+type dirsrvadmin_exec_t;
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+type dirsrvadmin_lock_t;
+files_lock_file(dirsrvadmin_lock_t)
+
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+type dirsrvadmin_unit_file_t;
+systemd_unit_file(dirsrvadmin_unit_file_t)
+
+type dirsrvadmin_unconfined_script_t;
+type dirsrvadmin_unconfined_script_exec_t;
+domain_type(dirsrvadmin_unconfined_script_t)
+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
+role system_r types dirsrvadmin_unconfined_script_t;
+
+########################################
+#
+# Local policy for the daemon
+#
+
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+
+kernel_read_system_state(dirsrvadmin_t)
+
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+
+files_exec_etc_files(dirsrvadmin_t)
+
+libs_exec_ld_so(dirsrvadmin_t)
+
+logging_search_logs(dirsrvadmin_t)
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
+optional_policy(`
+	apache_domtrans(dirsrvadmin_t)
+	apache_signal(dirsrvadmin_t)
+')
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+
+optional_policy(`
+	apache_content_template(dirsrvadmin)
+	apache_content_alias_template(dirsrvadmin, dirsrvadmin)
+
+	allow dirsrvadmin_script_t self:process { getsched getpgid };
+	allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+	allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+	allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
+	allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
+	allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+	allow dirsrvadmin_script_t self:sem create_sem_perms;
+
+
+	manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+	files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
+	kernel_read_kernel_sysctls(dirsrvadmin_script_t)
+
+    auth_read_passwd(dirsrvadmin_script_t)
+
+	corenet_tcp_bind_generic_node(dirsrvadmin_script_t)
+	corenet_udp_bind_generic_node(dirsrvadmin_script_t)
+	corenet_all_recvfrom_netlabel(dirsrvadmin_script_t)
+
+	corenet_tcp_bind_http_port(dirsrvadmin_script_t)
+	corenet_tcp_connect_generic_port(dirsrvadmin_script_t)
+	corenet_tcp_connect_ldap_port(dirsrvadmin_script_t)
+	corenet_tcp_connect_http_port(dirsrvadmin_script_t)
+
+	files_search_var_lib(dirsrvadmin_script_t)
+
+	sysnet_read_config(dirsrvadmin_script_t)
+
+	manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+	files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+    optional_policy(`
+        dirsrvadmin_systemctl(dirsrvadmin_script_t)
+    ')
+
+	optional_policy(`
+        apache_read_pid_files(dirsrvadmin_script_t)
+		apache_read_modules(dirsrvadmin_script_t)
+		apache_read_config(dirsrvadmin_script_t)
+		apache_signal(dirsrvadmin_script_t)
+		apache_signull(dirsrvadmin_script_t)
+	')
+
+	optional_policy(`
+		# The CGI scripts must be able to manage dirsrv-admin
+		dirsrvadmin_run_exec(dirsrvadmin_script_t)
+		dirsrvadmin_manage_config(dirsrvadmin_script_t)
+		dirsrv_domtrans(dirsrvadmin_script_t)
+		dirsrv_signal(dirsrvadmin_script_t)
+		dirsrv_signull(dirsrvadmin_script_t)
+		dirsrv_manage_log(dirsrvadmin_script_t)
+		dirsrv_manage_var_lib(dirsrvadmin_script_t)
+		dirsrv_pid_filetrans(dirsrvadmin_script_t)
+		dirsrv_manage_var_run(dirsrvadmin_script_t)
+		dirsrv_manage_config(dirsrvadmin_script_t)
+		dirsrv_read_share(dirsrvadmin_script_t)
+	')
+')
+
+#######################################
+#
+# Local policy for the admin CGIs
+#
+#
+
+
+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
+
+# needed because of filetrans rules
+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
+dirsrv_signal(dirsrvadmin_unconfined_script_t)
+dirsrv_signull(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
+
+optional_policy(`
+   unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
+
+
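Review bot: The `dirsrv_*` interface calls in the "Local policy for the admin CGIs" section are made unconditionally, while the same set of calls for `dirsrvadmin_script_t` inside the apache block is wrapped in `optional_policy`, and `dirsrvadmin_systemctl(dirsrvadmin_script_t)` is wrapped in `optional_policy` even though that interface is defined by this very module; the wrapping should be decided once and applied consistently. `unconfined_domain(dirsrvadmin_unconfined_script_t)` makes the `ds_create`/`ds_remove` CGIs labeled in dirsrv-admin.fc effectively unconfined whenever the unconfined module is present, yet nothing in this file transitions into that domain (no call to `dirsrvadmin_domtrans_unconfined_script_t`), so either the transition from `dirsrvadmin_script_t` is missing or it lives in another module; a comment stating which would save the next reader the search. The comment `# needed because of filetrans rules` does not say which filetrans rules, and the file ends with two blank lines after a trailing-space `policy_module` line.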
diff --git a/dirsrv.fc b/dirsrv.fc
new file mode 100644
index 0000000..5d30dab
--- /dev/null
+++ b/dirsrv.fc
@@ -0,0 +1,23 @@
+/etc/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_config_t,s0)
+
+/usr/sbin/ns-slapd			--	gen_context(system_u:object_r:dirsrv_exec_t,s0)
+/usr/sbin/ldap-agent			--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/ldap-agent-bin		--	gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
+/usr/sbin/start-dirsrv			--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/restart-dirsrv		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_share_t,s0)
+
+/var/run/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+/var/run/ldap-agent\.pid	gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+
+# BZ:
+/var/run/slapd.*    -s  gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+
+/var/lib/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+
+/var/lock/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+
+/var/log/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+
+/var/log/dirsrv/ldap-agent.log.*	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
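Review bot: The last entry uses `ldap-agent.log.*` with an unescaped dot, while the pid entry above correctly writes `ldap-agent\.pid`; as a regex the unescaped form also matches names such as `ldap-agentXlog`, so it should be `/var/log/dirsrv/ldap-agent\.log.*`. The `# BZ:` comment above the `/var/run/slapd.*` entry names no bug number, so it documents nothing; either add the id or drop the comment. `/var/run/ldap-agent\.pid` is the only file entry here without a `--` type qualifier, which looks like an oversight.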
diff --git a/dirsrv.if b/dirsrv.if
new file mode 100644
index 0000000..b214253
--- /dev/null
+++ b/dirsrv.if
@@ -0,0 +1,208 @@
+## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrv_domtrans',`
+	gen_require(`
+		type dirsrv_t, dirsrv_exec_t;
+	')
+
+	domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+')
+
+
+########################################
+## <summary>
+##  Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+##      Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+	gen_require(`
+		type dirsrv_var_log_t;
+	')
+
+	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_log_t:file manage_file_perms;
+	allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##		Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+        gen_require(`
+                type dirsrv_var_lib_t;
+        ')
+        allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+        allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to dirsrv over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrv_stream_connect',`
+	gen_require(`
+		type dirsrv_t, dirsrv_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+	gen_require(`
+		type dirsrv_var_run_t;
+	')
+	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_run_t:file manage_file_perms;
+	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
+######################################
+## <summary>
+##      Allow a domain to create dirsrv pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_pid_filetrans',`
+        gen_require(`
+                type dirsrv_var_run_t;
+        ')
+        # Allow creating a dir in /var/run with this type
+        files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#######################################
+## <summary>
+##      Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+        gen_require(`
+                type dirsrv_var_run_t;
+        ')
+        allow $1 dirsrv_var_run_t:dir list_dir_perms;
+        allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##      Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+	gen_require(`
+		type dirsrv_config_t;
+	')
+
+	allow $1 dirsrv_config_t:dir manage_dir_perms;
+	allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##      Read dirsrv share files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+	gen_require(`
+		type dirsrv_share_t;
+	')
+
+	allow $1 dirsrv_share_t:dir list_dir_perms;
+	allow $1 dirsrv_share_t:file read_file_perms;
+	allow $1 dirsrv_share_t:lnk_file read;
+')
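Review bot: `dirsrv_read_share` grants `lnk_file read` and `dirsrv_manage_var_run` grants `sock_file manage_file_perms`; the refpolicy permission-set macros for those classes are `read_lnk_file_perms` and `manage_sock_file_perms`, and using them keeps the rules in step with the rest of the tree, i.e. `allow $1 dirsrv_share_t:lnk_file read_lnk_file_perms;` and `allow $1 dirsrv_var_run_t:sock_file manage_sock_file_perms;`. `dirsrv_manage_var_lib`, `dirsrv_pid_filetrans` and `dirsrv_read_var_run` are indented with eight spaces while every other interface uses tabs, and `dirsrv_manage_var_lib`/`dirsrv_manage_var_run` omit the blank line after `gen_require` that the others have. `domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)` is missing the space after the second comma.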
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 0000000..73d1b46
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,196 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+type dirsrv_snmp_t;
+type dirsrv_snmp_exec_t;
+domain_type(dirsrv_snmp_t)
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+type dirsrv_snmp_var_log_t;
+logging_log_file(dirsrv_snmp_var_log_t)
+
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+type dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_var_run_t)
+
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
+files_setattr_lock_dirs(dirsrv_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
+kernel_read_network_state(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+kernel_read_kernel_sysctls(dirsrv_t)
+
+corecmd_search_bin(dirsrv_t)
+
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_generic_node(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+
+dev_read_sysfs(dirsrv_t)
+dev_read_urand(dirsrv_t)
+
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
+
+auth_use_pam(dirsrv_t)
+
+logging_send_syslog_msg(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
+
+optional_policy(`
+	apache_dontaudit_leaks(dirsrv_t)
+')
+
+optional_policy(`
+	dirsrvadmin_read_tmp(dirsrv_t)
+')
+
+optional_policy(`
+	kerberos_use(dirsrv_t)
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
+	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
+# FIPS mode
+optional_policy(`
+	prelink_exec(dirsrv_t)
+')
+
+optional_policy(`
+	rpcbind_stream_connect(dirsrv_t)
+')
+
+optional_policy(`
+    uuidd_stream_connect_manager(dirsrv_t)
+')
+
+########################################
+#
+# dirsrv-snmp local policy
+#
+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
+dev_read_urand(dirsrv_snmp_t)
+
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+optional_policy(`
+	snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+	snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+	snmp_manage_var_lib_dirs(dirsrv_snmp_t)
+	snmp_manage_var_lib_files(dirsrv_snmp_t)
+	snmp_stream_connect(dirsrv_snmp_t)
+')
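Review bot: `files_type(dirsrv_share_t);` and `manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);` carry a trailing `;` that no other macro call in the file has; the macro expansions already terminate their statements, so the extra semicolon most likely becomes an empty statement in the generated policy and should be dropped. `allow dirsrv_t dirsrv_var_log_t:dir { setattr };` is redundant with the `manage_dirs_pattern` call just above it, whose `manage_dir_perms` already includes setattr. `corenet_tcp_connect_all_ports(dirsrv_t)` together with `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets` lets the directory server open a TCP connection to any port; if that breadth is needed (replication or chaining to arbitrary peers, presumably), a comment above those lines saying so would let a future reviewer judge whether it can be narrowed to the ldap ports. `{ getsched setsched setfscreate signal_perms}` is missing the space before the closing brace.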
diff --git a/distcc.if b/distcc.if
index 24d8c74..1790ec5 100644
--- a/distcc.if
+++ b/distcc.if
@@ -19,7 +19,7 @@
 #
 interface(`distcc_admin',`
 	gen_require(`
-		type distccd_t, distccd_t, distccd_log_t;
+		type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
 		type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
 	')
 
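Review bot: The new `distccd_var_run_t` is added to the first `gen_require` line while the misspelled `disccd_var_run_t` on the next line is kept, so the interface still requires a type that, unless something of that name exists elsewhere, will make `distcc_admin` fail to build when invoked; the fix should replace the typo rather than add beside it. The first line also still lists `distccd_t` twice. The two lines would read `type distccd_t, distccd_log_t, distccd_var_run_t;` and `type distccd_tmp_t, distccd_initrc_exec_t;`.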
diff --git a/distcc.te b/distcc.te
index 898b2f4..8a1725b 100644
--- a/distcc.te
+++ b/distcc.te
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
 
-corenet_all_recvfrom_unlabeled(distccd_t)
 corenet_all_recvfrom_netlabel(distccd_t)
 corenet_tcp_sendrecv_generic_if(distccd_t)
 corenet_tcp_sendrecv_generic_node(distccd_t)
@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t)
 
 logging_send_syslog_msg(distccd_t)
 
-miscfiles_read_localization(distccd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
 userdom_dontaudit_search_user_home_dirs(distccd_t)
 
diff --git a/djbdns.if b/djbdns.if
index 671d3c0..6d36c95 100644
--- a/djbdns.if
+++ b/djbdns.if
@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',`
 
 	allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
 	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+
+	corenet_all_recvfrom_netlabel(djbdns_$1_t)
+	corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
+	corenet_udp_sendrecv_generic_if(djbdns_$1_t)
+	corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
+	corenet_udp_sendrecv_generic_node(djbdns_$1_t)
+	corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_udp_sendrecv_all_ports(djbdns_$1_t)
+	corenet_tcp_bind_generic_node(djbdns_$1_t)
+	corenet_udp_bind_generic_node(djbdns_$1_t)
+	corenet_tcp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_dns_port(djbdns_$1_t)
+	corenet_udp_bind_generic_port(djbdns_$1_t)
+	corenet_sendrecv_dns_server_packets(djbdns_$1_t)
+	corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+
+	files_search_var(djbdns_$1_t)
 ')
 
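Review bot: The corenet rules added to `djbdns_daemontools_domain_template` are granted per `djbdns_$1_t`, while djbdns.te in this same commit grants at least `corenet_udp_bind_generic_port` and `files_search_var` to the `djbdns_domain` attribute; if the template's domains carry that attribute (not visible in this hunk), the whole block duplicates what the attribute already provides and only one of the two places should hold it. `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` are broad for a DNS service that otherwise only binds the dns and generic ports; a comment explaining why all ports are required would help, or the rules could be trimmed to the dns port set used on the following lines.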
 #####################################
diff --git a/djbdns.te b/djbdns.te
index 87ca536..ebd327a 100644
--- a/djbdns.te
+++ b/djbdns.te
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
 
 files_search_var(djbdns_domain)
 
+daemontools_ipc_domain(djbdns_axfrdns_t)
+daemontools_read_svc(djbdns_axfrdns_t)
+
+
 ########################################
 #
 # axfrdns local policy
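Review bot: `daemontools_ipc_domain(djbdns_axfrdns_t)` and `daemontools_read_svc(djbdns_axfrdns_t)` are rules for the axfrdns domain but are inserted in the shared section immediately above the `# axfrdns local policy` header, where a reader looking for axfrdns rules will not find them; they belong under that header. The insertion also leaves two consecutive blank lines before the section banner.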
diff --git a/dkim.fc b/dkim.fc
index 5818418..674367b 100644
--- a/dkim.fc
+++ b/dkim.fc
@@ -9,7 +9,6 @@
 
 /var/lib/dkim-milter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
-/var/run/dkim-filter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/dkim-milter(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/dkim-milter\.pid	--	gen_context(system_u:object_r:dkim_milter_data_t,s0)
 
diff --git a/dmidecode.if b/dmidecode.if
index 41c3f67..653a1ec 100644
--- a/dmidecode.if
+++ b/dmidecode.if
@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',`
 	domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
 ')
 
+######################################
+## <summary>
+##	Execute dmidecode in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dmidecode_exec',`
+	gen_require(`
+		type dmidecode_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, dmidecode_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
index aa0ef6e..02bdb68 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t)
 
 locallogin_use_fds(dmidecode_t)
 
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+    rhsmcertd_rw_inherited_lock_files(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808..84735a8 100644
--- a/dnsmasq.fc
+++ b/dnsmasq.fc
@@ -1,13 +1,16 @@
 /etc/dnsmasq\.conf	--	gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)?		gen_context(system_u:object_r:dnsmasq_etc_t,s0)
 
 /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
 
+/usr/lib/systemd/system/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
 /usr/sbin/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/lib/dnsmasq(/.*)?	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 
-/var/log/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
 
-/var/run/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/dnsmasq.*		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 /var/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b8..45c70c1 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_domtrans',`
 	gen_require(`
 		type dnsmasq_exec_t, dnsmasq_t;
@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',`
 	domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
 ')
 
+#######################################
+## <summary>
+##  Execute dnsmasq server in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`dnsmasq_exec',`
+    gen_require(`
+        type dnsmasq_exec_t;
+    ')
+
+    can_exec($1, dnsmasq_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow read/write dnsmasq pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnsmasq_rw_inherited_pipes',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+	allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
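Review bot: The parameter of `dnsmasq_exec` is documented as "Domain allowed to transition." although the interface only grants `can_exec($1, dnsmasq_exec_t)` in the caller's domain and never transitions; it should read `##	Domain allowed access.`. `dmidecode_exec`, added earlier in this commit, calls `corecmd_search_bin($1)` before `can_exec`, so for consistency and so the caller can reach the binary's directory add `	corecmd_search_bin($1)` here too. The body of `dnsmasq_exec` is indented with spaces whereas `dnsmasq_rw_inherited_pipes` directly below it uses tabs.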
 ########################################
 ## <summary>
 ##	Execute the dnsmasq init script in
@@ -42,6 +77,49 @@ interface(`dnsmasq_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute dnsmasq server in the dnsmasq domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dnsmasq_systemctl',`
+	gen_require(`
+		type dnsmasq_unit_file_t;
+		type dnsmasq_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 dnsmasq_unit_file_t:file read_file_perms;
+	allow $1 dnsmasq_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
+##	Send sigchld to dnsmasq.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnsmasq_sigchld',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+
+    allow $1 dnsmasq_t:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Send generic signals to dnsmasq.
 ## </summary>
 ## <param name="domain">
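Review bot: The summary above `dnsmasq_systemctl`, "Execute dnsmasq server in the dnsmasq domain.", is copied from dnsmasq_domtrans and does not describe what the interface grants, which is systemctl control of the dnsmasq unit file plus ps access to dnsmasq_t; suggest `##	Allow the caller to start, stop and reload the dnsmasq service via systemctl.` and `##	Domain allowed access.` for the parameter. The header of `dnsmasq_sigchld` carries the duplicated `#` line that the first hunk of this file removes elsewhere, and its `    allow $1 dnsmasq_t:process sigchld;` is space-indented in a tab-indented file.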
@@ -145,15 +223,16 @@ interface(`dnsmasq_write_config',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_delete_pid_files',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
@@ -176,7 +255,7 @@ interface(`dnsmasq_manage_pid_files',`
 
 ########################################
 ## <summary>
-##	Read dnsmasq pid files.
+##	Read dnsmasq pid files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -184,12 +263,12 @@ interface(`dnsmasq_manage_pid_files',`
 ##	</summary>
 ## </param>
 #
-#
 interface(`dnsmasq_read_pid_files',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
+	files_search_pids($1)
 	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
@@ -214,37 +293,66 @@ interface(`dnsmasq_create_pid_dirs',`
 
 ########################################
 ## <summary>
-##	Create specified objects in specified
-##	directories with a type transition to
-##	the dnsmasq pid file type.
+##	Create dnsmasq pid directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="file_type">
-##	<summary>
-##	Directory to transition on.
-##	</summary>
-## </param>
-## <param name="object">
+#
+interface(`dnsmasq_read_state',`
+	gen_require(`
+		type dnsmasq_t;
+	')
+    ps_process_pattern($1, dnsmasq_t)
+')
+
+########################################
+## <summary>
+##	Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
 ##	<summary>
-##	The object class of the object being created.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
+## <param name="private type">
 ##	<summary>
-##	The name of the object being created.
+##	The type of the directory for the object to be created.
 ##	</summary>
 ## </param>
 #
-interface(`dnsmasq_spec_filetrans_pid',`
+interface(`dnsmasq_filetrans_named_content_fromdir',`
 	gen_require(`
 		type dnsmasq_var_run_t;
 	')
 
-	filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
+	filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+	filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
+
+#######################################
+## <summary>
+##      Transition to dnsmasq named content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dnsmasq_filetrans_named_content',`
+		gen_require(`
+            type dnsmasq_etc_t;
+			type dnsmasq_var_run_t;
+	')
+
+	files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+	files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+	virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+	files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
+	files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
 ')
 
 ########################################
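Review bot: The "network" object gets class `dir` in `files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")` but class `file` in `virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")`; dnsmasq.fc labels /var/run/libvirt/network(/.*)? as a directory tree, so the virt line should presumably be `	virt_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")`. That call is also unconditional, which makes the dnsmasq module depend on the virt module being present; dnsmasq.te wraps the same interface in `optional_policy`, and this interface should do the same. The summary left above `dnsmasq_read_state` still says "Create dnsmasq pid directories." although the body is `ps_process_pattern($1, dnsmasq_t)`, and the parameter of `dnsmasq_filetrans_named_content_fromdir` is named "private type" where an identifier such as `dir_type` is expected. `dnsmasq_spec_filetrans_pid` is deleted rather than kept as a deprecated wrapper around the new interface, so any out-of-tree caller will fail to build.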
@@ -267,12 +375,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
 interface(`dnsmasq_admin',`
 	gen_require(`
 		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
-		type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
+        type dnsmasq_var_log_t;
+		type dnsmasq_initrc_exec_t;
+		type dnsmasq_unit_file_t;
 	')
 
-	allow $1 dnsmasq_t:process { ptrace signal_perms };
+	allow $1 dnsmasq_t:process signal_perms;
 	ps_process_pattern($1, dnsmasq_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dnsmasq_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +395,13 @@ interface(`dnsmasq_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, dnsmasq_lease_t)
 
-	logging_seearch_logs($1)
+	logging_search_logs($1)
 	admin_pattern($1, dnsmasq_var_log_t)
 
 	files_list_pids($1)
 	admin_pattern($1, dnsmasq_var_run_t)
+
+	dnsmasq_systemctl($1)
+	admin_pattern($1, dnsmasq_unit_file_t)
+	allow $1 dnsmasq_unit_file_t:service all_service_perms;
 ')
diff --git a/dnsmasq.te b/dnsmasq.te
index 37a3b7b..921056a 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
 type dnsmasq_var_run_t;
 files_pid_file(dnsmasq_var_run_t)
 
+type dnsmasq_unit_file_t;
+systemd_unit_file(dnsmasq_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
 read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
 
 manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
 files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_read_net_sysctls(dnsmasq_t)
 kernel_read_network_state(dnsmasq_t)
 kernel_read_system_state(dnsmasq_t)
 kernel_request_load_module(dnsmasq_t)
 
-corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corecmd_exec_bin(dnsmasq_t)
+corecmd_exec_shell(dnsmasq_t)
+
 corenet_all_recvfrom_netlabel(dnsmasq_t)
 corenet_tcp_sendrecv_generic_if(dnsmasq_t)
 corenet_udp_sendrecv_generic_if(dnsmasq_t)
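Review bot: `corecmd_exec_bin(dnsmasq_t)` and `corecmd_exec_shell(dnsmasq_t)` let the daemon run every generic binary and shell on the host, and nothing in the hunk says why; if this is for dnsmasq's --dhcp-script hook, a comment such as `# run the configured --dhcp-script helper` above the two lines would record that, and a dedicated script domain would keep the exec right out of the network-facing daemon. Dropping `corenet_all_recvfrom_unlabeled(dnsmasq_t)` is safe only if unlabeled packet receipt is granted to all domains elsewhere in this policy tree, which is not visible from here; confirm before merging.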
@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
 
 auth_use_nsswitch(dnsmasq_t)
 
-logging_send_syslog_msg(dnsmasq_t)
+libs_exec_ldconfig(dnsmasq_t)
 
-miscfiles_read_localization(dnsmasq_t)
+logging_send_syslog_msg(dnsmasq_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
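Review bot: `libs_exec_ldconfig(dnsmasq_t)` is an unusual right for a DNS/DHCP daemon and the hunk gives no reason for it; a comment naming the trigger would stop the next reviewer from removing it, e.g. `# ldconfig is executed from dhcp hook scripts` if that is the cause, and if it was only added to silence a denial a dontaudit rule would be the safer form. As with the other files in this commit, dropping `miscfiles_read_localization(dnsmasq_t)` presumably relies on localization being readable by every domain through a policy-wide rule; that assumption is not visible here.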
@@ -98,12 +105,21 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_manage_pid_files(dnsmasq_t)
+')
+
+optional_policy(`
 	dbus_connect_system_bus(dnsmasq_t)
 	dbus_system_bus_client(dnsmasq_t)
 ')
 
 optional_policy(`
-	networkmanager_read_pid_files(dnsmasq_t)
+	dnsmasq_domtrans(dnsmasq_t)
+')
+
+optional_policy(`
+	networkmanager_read_conf(dnsmasq_t)
+	networkmanager_manage_pid_files(dnsmasq_t)
 ')
 
 optional_policy(`
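Review bot: `cron_manage_pid_files(dnsmasq_t)` is surprising for a DNS/DHCP daemon and carries no explanation; unless dnsmasq genuinely writes under cron's pid type it is likely a workaround for a mislabeled path, in which case an fc fix or at least a comment is the better change. `dnsmasq_domtrans(dnsmasq_t)` is wrapped in `optional_policy` inside dnsmasq's own module, which can never be absent from itself, so the wrapper can go. Widening `networkmanager_read_pid_files` to `networkmanager_manage_pid_files` lets dnsmasq create and delete NetworkManager's runtime files; if only its own pid file under NetworkManager's directory is needed, a filetrans to dnsmasq_var_run_t would be narrower.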
@@ -124,6 +140,14 @@ optional_policy(`
 
 optional_policy(`
 	virt_manage_lib_files(dnsmasq_t)
+	virt_read_lib_files(dnsmasq_t)
 	virt_read_pid_files(dnsmasq_t)
 	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
 ')
+
+optional_policy(`
+    neutron_manage_lib_files(dnsmasq_t)
+    neutron_stream_connect(dnsmasq_t)
+    neutron_rw_fifo_file(dnsmasq_t)
+    neutron_sigchld(dnsmasq_t)
+')
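Review bot: `virt_read_lib_files(dnsmasq_t)` is inserted right after `virt_manage_lib_files(dnsmasq_t)`, and manage already includes read on the same types, so the new line is redundant unless virt_read_lib_files covers an extra type that is not visible here. The neutron block uses four-space indentation where the optional_policy blocks above it use tabs. A one-line comment on the neutron block, e.g. `# neutron spawns dnsmasq and talks to it over a pipe` if that is the case, would explain why neutron_sigchld and neutron_rw_fifo_file are needed.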
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..1714fa6
--- /dev/null
+++ b/dnssec.fc
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/dnssec-triggerd.*    --  gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
+
+/usr/sbin/dnssec-triggerd	--	gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+/usr/libexec/dnssec-trigger-script  --  gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
+/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
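Review bot: dnssec.fc labels `/usr/sbin/dnssec-triggerd` as dnssec_trigger_exec_t, yet the tree still contains dnssectrigger.te (touched later in this commit) for a domain named dnssec_triggerd_t; if dnssectrigger.fc labels the same binary, two modules now claim one path with different types and the file contexts will conflict at policy build time. Either the old module should be retired in this commit or the new files should reuse its types. The `/var/run/dnssec.*` entry has no `--` and an unescaped dot, so it covers directories and every /var/run name starting with "dnssec"; anchoring it to the names the daemon actually creates would be tighter.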
diff --git a/dnssec.if b/dnssec.if
new file mode 100644
index 0000000..d22ed69
--- /dev/null
+++ b/dnssec.if
@@ -0,0 +1,123 @@
+
+## <summary>policy for dnssec_trigger</summary>
+
+########################################
+## <summary>
+##	Transition to dnssec_trigger.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dnssec_trigger_domtrans',`
+	gen_require(`
+		type dnssec_trigger_t, dnssec_trigger_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
+')
+########################################
+## <summary>
+##	Read dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_read_pid_files',`
+	gen_require(`
+		type dnssec_trigger_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 dnssec_trigger_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_manage_pid_files',`
+	gen_require(`
+		type dnssec_trigger_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+	manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+	manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	Send signull to dnssec_trigger.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnssec_trigger_signull',`
+	gen_require(`
+		type dnssec_trigger_t;
+	')
+
+    allow $1 dnssec_trigger_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send sigkill to dnssec_trigger.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`dnssec_trigger_sigkill',`
+	gen_require(`
+		type dnssec_trigger_t;
+	')
+
+    allow $1 dnssec_trigger_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an dnssec_trigger environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dnssec_trigger_admin',`
+	gen_require(`
+		type dnssec_trigger_t;
+		type dnssec_trigger_var_run_t;
+	')
+
+	allow $1 dnssec_trigger_t:process { ptrace signal_perms };
+	ps_process_pattern($1, dnssec_trigger_t)
+
+	files_search_pids($1)
+	admin_pattern($1, dnssec_trigger_var_run_t)
+')
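Review bot: `dnssec_trigger_admin` grants `allow $1 dnssec_trigger_t:process { ptrace signal_perms };` unconditionally, whereas dnsmasq_admin and dovecot_admin in this same commit move ptrace under the deny_ptrace tunable_policy block; the new module should follow the same pattern. The admin interface also ignores dnssec_trigger_tmp_t and dnssec_trigger_unit_file_t, both declared in dnssec.te, so an admin role cannot clean the daemon's tmp files or manage its unit file; add `admin_pattern` lines for them and a systemctl interface in the style of dnsmasq_systemctl. Minor: the `')` closing dnssec_trigger_domtrans runs straight into the next header with no blank line, the signull and sigkill headers carry a duplicated `#`, and "an dnssec_trigger environment" should be "a dnssec_trigger environment".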
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 0000000..f186d85
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,88 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnssec_trigger_t;
+type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+type dnssec_trigger_unit_file_t;
+systemd_unit_file(dnssec_trigger_unit_file_t)
+
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
+type dnssec_trigger_tmp_t;
+files_tmp_file(dnssec_trigger_tmp_t)
+
+########################################
+#
+# dnssec_trigger local policy
+#
+allow dnssec_trigger_t self:capability { net_admin linux_immutable sys_ptrace };
+allow dnssec_trigger_t self:process signal;
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
+allow dnssec_trigger_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_lnk_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+allow dnssec_trigger_t dnssec_trigger_var_run_t:file  relabelfrom_file_perms;
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file lnk_file })
+
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+files_tmp_filetrans(dnssec_trigger_t,dnssec_trigger_tmp_t,{ file dir })
+
+kernel_read_system_state(dnssec_trigger_t)
+
+corecmd_exec_bin(dnssec_trigger_t)
+corecmd_exec_shell(dnssec_trigger_t)
+corecmd_read_all_executables(dnssec_trigger_t)
+
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
+corenet_tcp_connect_http_port(dnssec_trigger_t)
+
+dev_read_urand(dnssec_trigger_t)
+
+domain_use_interactive_fds(dnssec_trigger_t)
+domain_read_all_domains_state(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
+files_dontaudit_list_tmp(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
+auth_use_nsswitch(dnssec_trigger_t)
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+sysnet_filetrans_named_content(dnssec_trigger_t)
+sysnet_relabelfrom_net_conf(dnssec_trigger_t)
+sysnet_relabelto_net_conf(dnssec_trigger_t)
+
+optional_policy(`
+    dbus_system_bus_client(dnssec_trigger_t)
+')
+
+optional_policy(`
+    bind_domtrans(dnssec_trigger_t)
+	bind_read_config(dnssec_trigger_t)
+	bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
+optional_policy(`
+    networkmanager_stream_connect(dnssec_trigger_t)
+    networkmanager_signal(dnssec_trigger_t)
+    networkmanager_sigchld(dnssec_trigger_t)
+    networkmanager_sigkill(dnssec_trigger_t)
+    networkmanager_signull(dnssec_trigger_t)
+    networkmanager_read_conf(dnssec_trigger_t)
+')
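Review bot: `allow dnssec_trigger_t self:capability { net_admin linux_immutable sys_ptrace };` combined with `domain_read_all_domains_state(dnssec_trigger_t)` lets the daemon inspect every process on the host, and nothing in the file says why a DNSSEC trigger daemon needs CAP_SYS_PTRACE; give each capability a one-line justification (linux_immutable is plausibly for the immutable bit on /etc/resolv.conf) and drop sys_ptrace, or make it `dontaudit dnssec_trigger_t self:capability sys_ptrace;` if it was only added to silence a denial. `corecmd_read_all_executables(dnssec_trigger_t)` is similarly broad next to the corecmd_exec_bin/exec_shell pair and deserves a reason. The declared `dnssec_trigger_unit_file_t` has no interface in dnssec.if that uses it, and `manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)` and its two neighbours omit the spaces after commas used everywhere else.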
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
 
 logging_send_syslog_msg(dnssec_triggerd_t)
 
-miscfiles_read_localization(dnssec_triggerd_t)
-
 sysnet_dns_name_resolve(dnssec_triggerd_t)
 sysnet_manage_config(dnssec_triggerd_t)
 sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
--- a/dovecot.fc
+++ b/dovecot.fc
@@ -1,36 +1,48 @@
-/etc/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot/passwd.*	gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
-/etc/dovecot\.conf.*	gen_context(system_u:object_r:dovecot_etc_t,s0)
-/etc/dovecot\.passwd.*	gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-/etc/pki/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /etc
+#
+/etc/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.conf.*			gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot\.passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
 
+/etc/pki/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_cert_t,s0)
 /etc/rc\.d/init\.d/dovecot	--	gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
 
-/usr/sbin/dovecot	--	gen_context(system_u:object_r:dovecot_exec_t,s0)
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian',`
+/etc/dovecot/passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
 
-/usr/share/ssl/certs/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
-/usr/share/ssl/private/dovecot\.pem	--	gen_context(system_u:object_r:dovecot_cert_t,s0)
+#
+# /usr
+#
+/usr/sbin/dovecot		--	gen_context(system_u:object_r:dovecot_exec_t,s0)
 
-/etc/ssl/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/certs/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
+/usr/share/ssl/private/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
 
-/usr/lib/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ifdef(`distro_debian', `
 /usr/lib/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/dovecot-lda	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+')
 
-/usr/libexec/dovecot/auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ifdef(`distro_redhat', `
+/usr/libexec/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
 
-/var/run/dovecot(-login)?(/.*)?	gen_context(system_u:object_r:dovecot_var_run_t,s0)
-/var/run/dovecot/login/ssl-parameters.dat	--	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+#
+# /var
+#
+/var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/lib/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
-/var/log/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_var_log_t,s0)
-/var/log/dovecot\.log.*	gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/log/dovecot\.log.*			gen_context(system_u:object_r:dovecot_var_log_t,s0)
 
-/var/spool/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
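Review bot: Moving `/etc/dovecot/passwd.*` under the distro_debian ifdef means that on every other distribution a password database kept in /etc/dovecot/ now falls under the unconditional `/etc/dovecot(/.*)?` entry and is labeled dovecot_etc_t instead of dovecot_passwd_t; together with the new `dovecot_read_config` interface in dovecot.if, any domain given config access could then read the credential file. The comment "Debian uses /etc/dovecot/" does not justify the restriction, since the directory itself is labeled unconditionally two lines above; keep `/etc/dovecot/passwd.*			gen_context(system_u:object_r:dovecot_passwd_t,s0)` outside the ifdef. The `/etc/ssl/dovecot(/.*)?` line is deleted without replacement, so certificates kept there lose dovecot_cert_t unless another module labels that path. The auth and deliver helpers under /usr/lib/dovecot and /usr/libexec/dovecot are now labeled only under distro_debian and distro_redhat respectively, leaving other distributions with no entry for them at all.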
diff --git a/dovecot.if b/dovecot.if
index d5badb7..c2431fc 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
-## <summary>POP and IMAP mail server.</summary>
+## <summary>Dovecot POP and IMAP mail server</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  dovecot daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`dovecot_basic_types_template',`
+	gen_require(`
+		attribute dovecot_domain;
+	')
+
+	type $1_t, dovecot_domain;
+	type $1_exec_t;
+
+	kernel_read_system_state($1_t)
+')
 
 #######################################
 ## <summary>
-##	Connect to dovecot using a unix
-##	domain stream socket.
+##  Connect to dovecot unix domain stream socket.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain allowed access.
+##  </summary>
 ## </param>
 #
 interface(`dovecot_stream_connect',`
-	gen_require(`
-		type dovecot_t, dovecot_var_run_t;
-	')
+    gen_require(`
+        type dovecot_t, dovecot_var_run_t;
+    ')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+    files_search_pids($1)
+    stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to dovecot using a unix
-##	domain stream socket.
+##	Connect to dovecot auth unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
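Review bot: `dovecot_stream_connect` is re-indented from tabs to four spaces with no functional change, which turns most of this hunk into whitespace churn and leaves one interface indented differently from every other in the file; revert that part. The summary of the new `dovecot_basic_types_template` claims it creates "types and rules for a basic dovecot daemon domain", but the body only declares `$1_t` and `$1_exec_t` and grants `kernel_read_system_state($1_t)`, and the callers in dovecot.te still add init_daemon_domain or domain_type themselves; `##	Declare the domain and entry-point types shared by the dovecot domains.` would be accurate. Since the template now carries the kernel_read_system_state rule that this commit removes from dovecot_domain in dovecot.te, a comment on that line saying so would keep the two in sync.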
@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',`
 
 ########################################
 ## <summary>
-##	Execute dovecot_deliver in the
-##	dovecot_deliver domain.
+##	Execute dovecot_deliver in the dovecot_deliver domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',`
 		type dovecot_deliver_t, dovecot_deliver_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	dovecot spool files.
+##	Create, read, write, and delete the dovecot spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
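Review bot: Removing `corecmd_search_bin($1)` from `dovecot_domtrans_deliver` means a caller must already hold search on bin directories to reach the deliver binary under /usr/lib/dovecot or /usr/libexec/dovecot, and a caller that relied on this interface for that will now fail the transition with a search denial. The other domtrans interfaces added in this commit (dnssec_trigger_domtrans, dmidecode_exec) keep the search call, so unless the removal is deliberate restore `	corecmd_search_bin($1)` ahead of the domtrans_pattern line.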
@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',`
 	')
 
 	files_search_spool($1)
-	allow $1 dovecot_spool_t:dir manage_dir_perms;
-	allow $1 dovecot_spool_t:file manage_file_perms;
-	allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
+	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to delete
-##	dovecot lib files.
+##	Do not audit attempts to delete dovecot lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
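Review bot: The rewrite of `dovecot_manage_spool` loses directory management: the removed `allow $1 dovecot_spool_t:dir manage_dir_perms;` let callers create and remove spool subdirectories, while `manage_files_pattern` and `manage_lnk_files_pattern` only grant rw_dir_perms on the containing directory. Add `	manage_dirs_pattern($1, dovecot_spool_t, dovecot_spool_t)` ahead of the two new lines so the interface keeps its previous scope; dovecot_t's own spool rules in dovecot.te still use manage_dirs_pattern.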
@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 		type dovecot_var_lib_t;
 	')
 
-	dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
+	dontaudit $1 dovecot_var_lib_t:file unlink;
 ')
 
 ######################################
 ## <summary>
-##	Write inherited dovecot tmp files.
+##	Allow attempts to write inherited
+##	dovecot tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',`
 	allow $1 dovecot_tmp_t:file write;
 ')
 
+####################################
+## <summary>
+##	Read dovecot configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dovecot_read_config',`
+	gen_require(`
+		type dovecot_etc_t;
+	')
+
+	files_search_etc($1)
+	list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
+	read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
+')
+
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an dovecot environment.
+##	All of the rules required to administrate
+##	an dovecot environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
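Review bot: `dovecot_read_config` grants list on directories and read on files of dovecot_etc_t but nothing on symlinks, while dovecot_t itself gets `read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)` in dovecot.te; if /etc/dovecot carries symlinked conf.d entries the caller will hit a denial, so add `	read_lnk_files_pattern($1, dovecot_etc_t, dovecot_etc_t)`. Note that with the dovecot.fc change in this commit /etc/dovecot/passwd.* is labeled dovecot_etc_t outside Debian, so this interface then also exposes the password database; that point is raised on the dovecot.fc hunk. The header rule above the interface is four characters shorter than the others in the file.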
@@ -132,7 +168,7 @@ interface(`dovecot_write_inherited_tmp_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the dovecot domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -146,9 +182,13 @@ interface(`dovecot_admin',`
 		type dovecot_keytab_t;
 	')
 
-	allow $1 dovecot_t:process { ptrace signal_perms };
+	allow $1 dovecot_t:process signal_perms;
 	ps_process_pattern($1, dovecot_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dovecot_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 dovecot_initrc_exec_t system_r;
@@ -157,20 +197,25 @@ interface(`dovecot_admin',`
 	files_list_etc($1)
 	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
 
-	logging_list_logs($1)
-	admin_pattern($1, dovecot_var_log_t)
+	files_list_tmp($1)
+	admin_pattern($1, dovecot_auth_tmp_t)
+	admin_pattern($1, dovecot_tmp_t)
+
+	admin_pattern($1, dovecot_keytab_t)
 
 	files_list_spool($1)
 	admin_pattern($1, dovecot_spool_t)
 
-	files_search_tmp($1)
-	admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
-
 	files_list_var_lib($1)
 	admin_pattern($1, dovecot_var_lib_t)
 
+	logging_search_logs($1)
+	admin_pattern($1, dovecot_var_log_t)
+
 	files_list_pids($1)
 	admin_pattern($1, dovecot_var_run_t)
 
-	admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
+	admin_pattern($1, dovecot_cert_t)
+
+	admin_pattern($1, dovecot_passwd_t)
 ')
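Review bot: `dovecot_admin` no longer covers dovecot_deliver_tmp_t: the removed `admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })` is replaced by two admin_pattern calls that leave deliver's tmp type out, so an administrator can no longer clean those files unless that type was removed elsewhere (not visible in this hunk). The added `admin_pattern($1, dovecot_keytab_t)` duplicates the `admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })` two lines above and can be dropped. The interface's gen_require begins outside this hunk and must still list every type used here.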
diff --git a/dovecot.te b/dovecot.te
index 0aabc7e..315aa2f 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
 
 attribute dovecot_domain;
 
-type dovecot_t, dovecot_domain;
-type dovecot_exec_t;
+dovecot_basic_types_template(dovecot)
 init_daemon_domain(dovecot_t, dovecot_exec_t)
 
-type dovecot_auth_t, dovecot_domain;
-type dovecot_auth_exec_t;
+dovecot_basic_types_template(dovecot_auth)
 domain_type(dovecot_auth_t)
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t)
 type dovecot_cert_t;
 miscfiles_cert_type(dovecot_cert_t)
 
-type dovecot_deliver_t, dovecot_domain;
-type dovecot_deliver_exec_t;
+dovecot_basic_types_template(dovecot_deliver)
 domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
 role system_r types dovecot_deliver_t;
@@ -45,11 +42,12 @@ type dovecot_passwd_t;
 files_type(dovecot_passwd_t)
 
 type dovecot_spool_t;
-files_type(dovecot_spool_t)
+files_spool_file(dovecot_spool_t)
 
 type dovecot_tmp_t;
 files_tmp_file(dovecot_tmp_t)
 
+# /var/lib/dovecot holds SSL parameters file
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t)
 
@@ -59,20 +57,20 @@ logging_log_file(dovecot_var_log_t)
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
 
-########################################
+#######################################
 #
-# Common local policy
+# dovecot domain local policy
 #
 
-allow dovecot_domain self:capability2 block_suspend;
-allow dovecot_domain self:fifo_file rw_fifo_file_perms;
+allow dovecot_domain self:capability sys_resource;
+dontaudit dovecot_domain self:capability2 block_suspend;
+allow dovecot_domain self:process signal_perms;
 
-allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
-allow dovecot_domain dovecot_etc_t:file read_file_perms;
-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
 
 kernel_read_all_sysctls(dovecot_domain)
-kernel_read_system_state(dovecot_domain)
+kernel_read_network_state(dovecot_domain)
 
 corecmd_exec_bin(dovecot_domain)
 corecmd_exec_shell(dovecot_domain)
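Review bot: The three `allow dovecot_domain dovecot_etc_t:...` rules are removed from the common section and re-added in the next hunk only for dovecot_t, so dovecot_auth_t and dovecot_deliver_t lose read access to the configuration unless they regain it further down the file, outside these hunks; both helpers are likely to need it, so confirm or keep the rules on dovecot_domain. `allow dovecot_domain self:capability sys_resource;` now applies to all three domains and deserves a comment on what needs it. Replacing `kernel_read_system_state(dovecot_domain)` with `kernel_read_network_state(dovecot_domain)` only preserves behaviour because the new dovecot_basic_types_template grants system state per domain, which is worth noting here.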
@@ -81,26 +79,34 @@ dev_read_sysfs(dovecot_domain)
 dev_read_rand(dovecot_domain)
 dev_read_urand(dovecot_domain)
 
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
 files_read_etc_runtime_files(dovecot_domain)
 
-logging_send_syslog_msg(dovecot_domain)
-
-miscfiles_read_localization(dovecot_domain)
-
 ########################################
 #
-# Local policy
+# dovecot local policy
 #
 
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
-allow dovecot_t self:tcp_socket { accept listen };
-allow dovecot_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+
+allow dovecot_t dovecot_auth_t:process signal;
 
 allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-allow dovecot_t dovecot_cert_t:file read_file_perms;
-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
+files_search_etc(dovecot_t)
+
+can_exec(dovecot_t, dovecot_exec_t)
 
 allow dovecot_t dovecot_keytab_t:file read_file_perms;
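Review bot: `logging_send_syslog_msg(dovecot_domain)` is removed here and re-added later only as `logging_send_syslog_msg(dovecot_t)`, so dovecot_auth_t and dovecot_deliver_t lose the ability to log to syslog unless they get it outside these hunks; authentication failures from dovecot_auth_t are exactly the events an operator wants logged, so keep the rule on dovecot_domain unless the helpers are covered elsewhere. The removed `miscfiles_read_localization(dovecot_domain)` presumably now comes from a policy-wide rule, as elsewhere in this commit. The added `net_bind_service` capability is consistent with the corenet_tcp_bind_* rules that follow, but a short comment tying it to the privileged mail and pop ports would record the intent.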
 
@@ -108,12 +114,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
 
+# Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
+files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 
 manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
 
 manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
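Review bot: Replacing the append/create/setattr trio on dovecot_var_log_t with `manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` grants the daemon write, rename and unlink on its own log files, so a compromised dovecot_t could now truncate or delete its audit trail where before it could only append. If the widening is for log rotation, add just what rotation needs, e.g. `rename_files_pattern` and `delete_files_pattern` alongside the existing append/create/setattr lines, and say so in a comment.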
@@ -125,45 +132,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-allow dovecot_t dovecot_auth_t:process signal;
-
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
 
-corenet_all_recvfrom_unlabeled(dovecot_t)
 corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_generic_if(dovecot_t)
 corenet_tcp_sendrecv_generic_node(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_generic_node(dovecot_t)
-
-corenet_sendrecv_mail_server_packets(dovecot_t)
 corenet_tcp_bind_mail_port(dovecot_t)
-corenet_sendrecv_pop_server_packets(dovecot_t)
 corenet_tcp_bind_pop_port(dovecot_t)
-corenet_sendrecv_sieve_server_packets(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
 corenet_tcp_bind_sieve_port(dovecot_t)
-
-corenet_sendrecv_all_client_packets(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 corenet_tcp_connect_postgresql_port(dovecot_t)
+corenet_sendrecv_pop_server_packets(dovecot_t)
+corenet_sendrecv_all_client_packets(dovecot_t)
+
+fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
+fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
 
 domain_use_interactive_fds(dovecot_t)
 
-files_read_var_lib_files(dovecot_t)
-files_read_var_symlinks(dovecot_t)
 files_search_spool(dovecot_t)
+files_search_tmp(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
 files_dontaudit_search_all_dirs(dovecot_t)
 files_search_all_mountpoints(dovecot_t)
-
-fs_getattr_all_fs(dovecot_t)
-fs_getattr_all_dirs(dovecot_t)
-fs_search_auto_mountpoints(dovecot_t)
-fs_list_inotifyfs(dovecot_t)
+files_read_var_lib_files(dovecot_t)
 
 init_getattr_utmp(dovecot_t)
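Review bot: `corenet_tcp_bind_lmtp_port(dovecot_t)` is added without a matching `corenet_sendrecv_lmtp_server_packets(dovecot_t)`, while `corenet_sendrecv_mail_server_packets` and `corenet_sendrecv_sieve_server_packets` are deleted even though the bind rules for those ports stay; only pop keeps its packet rule. Packet rules only take effect under SECMARK labeling, but the set should mirror the bind set, so either add the lmtp, mail and sieve sendrecv lines or drop the pop one with a comment explaining why packet rules are not used. As in dnsmasq.te, dropping `corenet_all_recvfrom_unlabeled(dovecot_t)` assumes a policy-wide grant that is not visible here.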
 
@@ -171,45 +168,44 @@ auth_use_nsswitch(dovecot_t)
 
 miscfiles_read_generic_certs(dovecot_t)
 
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_use_user_terminals(dovecot_t)
+logging_send_syslog_msg(dovecot_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(dovecot_t)
-	fs_manage_nfs_files(dovecot_t)
-	fs_manage_nfs_symlinks(dovecot_t)
-')
+userdom_home_manager(dovecot_t)
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_filetrans_home_content(dovecot_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(dovecot_t)
-	fs_manage_cifs_files(dovecot_t)
-	fs_manage_cifs_symlinks(dovecot_t)
+optional_policy(`
+	mta_manage_home_rw(dovecot_t)
+	mta_manage_spool(dovecot_t)
 ')
 
 optional_policy(`
 	kerberos_manage_host_rcache(dovecot_t)
 	kerberos_read_keytab(dovecot_t)
-	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+	kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
 	kerberos_use(dovecot_t)
 ')
 
 optional_policy(`
-	mta_manage_spool(dovecot_t)
-	mta_manage_mail_home_rw_content(dovecot_t)
-	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
-	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+	gnome_manage_data(dovecot_t)
 ')
 
 optional_policy(`
-	postgresql_stream_connect(dovecot_t)
+	postfix_manage_private_sockets(dovecot_t)
+	postfix_search_spool(dovecot_t)
 ')
 
 optional_policy(`
-	postfix_manage_private_sockets(dovecot_t)
-	postfix_search_spool(dovecot_t)
+	postgresql_stream_connect(dovecot_t)
 ')
 
 optional_policy(`
+	# Handle sieve scripts
 	sendmail_domtrans(dovecot_t)
 ')
 
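Review bot: The `userdom_manage_user_home_content_*` and `userdom_filetrans_home_content` rules give dovecot_t create/write/delete access to every user home content type, replacing the mail-scoped `mta_manage_mail_home_rw_content(dovecot_t)` and the two `mta_home_filetrans_mail_home_rw` Maildir transitions removed below. If the goal is only Maildir/mbox handling, the removed mta_* rules are the narrower grant; if broader access is really required, a comment such as `# NOTE: generic home content access needed because <reason>` would record the decision. The `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks also disappear; this presumably relies on `userdom_home_manager` carrying them, which is worth confirming so NFS/CIFS homes do not regress.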
@@ -227,46 +223,69 @@ optional_policy(`
 
 ########################################
 #
-# Auth local policy
+# dovecot auth local policy
 #
 
 allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
 allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
 read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
 
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
+manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+
 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
 
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+dovecot_stream_connect_auth(dovecot_auth_t)
 
-files_search_pids(dovecot_auth_t)
-files_read_usr_files(dovecot_auth_t)
-files_read_var_lib_files(dovecot_auth_t)
+corecmd_exec_bin(dovecot_auth_t)
+
+logging_send_audit_msgs(dovecot_auth_t)
 
 auth_domtrans_chk_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)
 
-init_rw_utmp(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
 
-logging_send_audit_msgs(dovecot_auth_t)
+files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
 
-seutil_dontaudit_search_config(dovecot_auth_t)
+fs_getattr_xattr_fs(dovecot_auth_t)
+
+init_rw_utmp(dovecot_auth_t)
 
 sysnet_use_ldap(dovecot_auth_t)
 
+systemd_login_read_pid_files(dovecot_auth_t)
+systemd_dbus_chat_logind(dovecot_auth_t)
+systemd_write_inherited_logind_sessions_pipes(dovecot_auth_t)
+
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
 optional_policy(`
+	kerberos_use(dovecot_auth_t)
+
+	# for gssapi (kerberos)
 	userdom_list_user_tmp(dovecot_auth_t)
 	userdom_read_user_tmp_files(dovecot_auth_t)
 	userdom_read_user_tmp_symlinks(dovecot_auth_t)
 ')
 
 optional_policy(`
+	mysql_search_db(dovecot_auth_t)
 	mysql_stream_connect(dovecot_auth_t)
 	mysql_read_config(dovecot_auth_t)
 	mysql_tcp_connect(dovecot_auth_t)
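Review bot: `corecmd_exec_bin(dovecot_auth_t)` at the top of the auth section lets the credential-handling worker execute any bin_t program inside its own domain, with no transition and no comment saying what it runs. If it is a single known helper, a dedicated exec type with `domtrans_pattern` keeps the auth domain tight; otherwise a comment like `# exec_bin: needed for <helper> — TODO confirm` is the minimum. Separately, `manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` already grants rw_dir_perms on the directory, so the later `allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;` is now redundant.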
@@ -277,53 +296,79 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(dovecot_auth_t)
+	optional_policy(`
+		oddjob_dbus_chat(dovecot_auth_t)
+		oddjob_domtrans_mkhomedir(dovecot_auth_t)
+	')
+')
+
+optional_policy(`
 	postfix_manage_private_sockets(dovecot_auth_t)
+	postfix_rw_inherited_master_pipes(dovecot_deliver_t)
 	postfix_search_spool(dovecot_auth_t)
 ')
 
 ########################################
 #
-# Deliver local policy
+# dovecot deliver local policy
 #
 
+allow dovecot_deliver_t dovecot_t:process signull;
+
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
 
-append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir })
 
 manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
 
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
-
-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
 
 can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 
-allow dovecot_deliver_t dovecot_t:process signull;
+auth_use_nsswitch(dovecot_deliver_t)
 
-fs_getattr_all_fs(dovecot_deliver_t)
+logging_append_all_logs(dovecot_deliver_t)
+logging_send_syslog_msg(dovecot_deliver_t)
 
-auth_use_nsswitch(dovecot_deliver_t)
+dovecot_stream_connect_auth(dovecot_deliver_t)
 
-logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+files_search_all_mountpoints(dovecot_deliver_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(dovecot_deliver_t)
-	fs_manage_nfs_files(dovecot_deliver_t)
-	fs_manage_nfs_symlinks(dovecot_deliver_t)
-')
+fs_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_fs(dovecot_deliver_t)
+fs_dontaudit_getattr_all_dirs(dovecot_deliver_t)
+fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+userdom_filetrans_home_content(dovecot_deliver_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(dovecot_deliver_t)
-	fs_manage_cifs_files(dovecot_deliver_t)
-	fs_manage_cifs_symlinks(dovecot_deliver_t)
+userdom_home_manager(dovecot_deliver_t)
+
+optional_policy(`
+	gnome_manage_data(dovecot_deliver_t)
 ')
 
 optional_policy(`
 	mta_mailserver_delivery(dovecot_deliver_t)
+	mta_manage_spool(dovecot_deliver_t)
 	mta_read_queue(dovecot_deliver_t)
 ')
 
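Review bot: `postfix_rw_inherited_master_pipes(dovecot_deliver_t)` is placed inside the optional block that otherwise grants `postfix_manage_private_sockets` and `postfix_search_spool` to dovecot_auth_t, so either the domain is a copy-paste slip for dovecot_auth_t or the line belongs with the deliver rules further down (the `')` shown in the `@@ -332,5 +377,6 @@` hunk closes an optional block whose body is outside this view). The deliver domain also moves from `append_files_pattern` on dovecot_var_log_t to `manage_dirs_pattern`/`manage_files_pattern` plus `logging_append_all_logs`; a local delivery agent that parses untrusted mail normally needs append only, and if it must create its own log files, `create_files_pattern` together with the original append rule and the new `logging_log_filetrans` is narrower than full manage on the type plus append on every log type.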
@@ -332,5 +377,6 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# Handle sieve scripts
 	sendmail_domtrans(dovecot_deliver_t)
 ')
diff --git a/drbd.fc b/drbd.fc
index 671a3fb..47b4958 100644
--- a/drbd.fc
+++ b/drbd.fc
@@ -3,7 +3,7 @@
 /sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
-/usr/lib/ocf/resource.\d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/lib/ocf/resource\.d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
 /usr/sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /usr/sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
@@ -11,3 +11,5 @@
 /var/lib/drbd(/.*)?	gen_context(system_u:object_r:drbd_var_lib_t,s0)
 
 /var/lock/subsys/drbd	--	gen_context(system_u:object_r:drbd_lock_t,s0)
+
+/var/run/drbd(/.*)?		gen_context(system_u:object_r:drbd_var_run_t,s0)
diff --git a/drbd.if b/drbd.if
index 9a21639..26c5986 100644
--- a/drbd.if
+++ b/drbd.if
@@ -2,12 +2,11 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run drbd.
+##	Execute a domain transition to run drbd.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access.
 ## </summary>
 ## </param>
 #
@@ -16,14 +15,91 @@ interface(`drbd_domtrans',`
 		type drbd_t, drbd_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, drbd_exec_t, drbd_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an drbd environment.
+##	Search drbd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_search_lib',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	allow $1 drbd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read drbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_read_lib_files',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	drbd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_manage_lib_files',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage drbd lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`drbd_manage_lib_dirs',`
+	gen_require(`
+		type drbd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an drbd environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
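Review bot: `drbd_domtrans` loses `corecmd_search_bin($1)`, so callers now need their own search access on bin directories to reach the drbd_exec_t binaries that drbd.fc places under /sbin and /usr/sbin; that is safe only if every caller already has it, which is worth confirming. The new `drbd_read_lib_files`, `drbd_manage_lib_files` and `drbd_manage_lib_dirs` bodies indent the pattern calls with eight spaces while the `gen_require` and `files_search_var_lib` lines use tabs; the file should stick to tabs. Doc nits: "Manage drbd lib dirs files." reads oddly (`##	Manage drbd lib directories.`), "an drbd environment" should be "a drbd environment", and the double blank line before the admin interface can go.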
@@ -35,7 +111,6 @@ interface(`drbd_domtrans',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`drbd_admin',`
 	gen_require(`
@@ -43,9 +118,13 @@ interface(`drbd_admin',`
 		type drbd_var_lib_t;
 	')
 
-	allow $1 drbd_t:process { ptrace signal_perms };
+	allow $1 drbd_t:process signal_perms;
 	ps_process_pattern($1, drbd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 drbd_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, drbd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 drbd_initrc_exec_t system_r;
@@ -57,3 +136,4 @@ interface(`drbd_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, drbd_var_lib_t)
 ')
+
diff --git a/drbd.te b/drbd.te
index f2516cc..6b232ae 100644
--- a/drbd.te
+++ b/drbd.te
@@ -18,38 +18,71 @@ files_type(drbd_var_lib_t)
 type drbd_lock_t;
 files_lock_file(drbd_lock_t)
 
+type drbd_var_run_t;
+files_pid_file(drbd_var_run_t)
+
+type drbd_tmp_t;
+files_tmp_file(drbd_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow drbd_t self:capability { kill net_admin };
+allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin };
 dontaudit drbd_t self:capability sys_tty_config;
 allow drbd_t self:fifo_file rw_fifo_file_perms;
 allow drbd_t self:unix_stream_socket create_stream_socket_perms;
 allow drbd_t self:netlink_socket create_socket_perms;
-allow drbd_t self:netlink_route_socket nlmsg_write;
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
 
 manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
 manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
 manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
 files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
 
+manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t)
+files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir })
+
 manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
 files_lock_filetrans(drbd_t, drbd_lock_t, file)
 
-can_exec(drbd_t, drbd_exec_t)
+manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
+manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
+files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir})
 
 kernel_read_system_state(drbd_t)
 
+auth_use_nsswitch(drbd_t)
+
+can_exec(drbd_t, drbd_exec_t)
+
+corecmd_exec_bin(drbd_t)
+
+corenet_tcp_connect_http_port(drbd_t)
+
 dev_read_rand(drbd_t)
 dev_read_sysfs(drbd_t)
 dev_read_urand(drbd_t)
 
-files_read_etc_files(drbd_t)
+files_read_kernel_modules(drbd_t)
 
-storage_raw_read_fixed_disk(drbd_t)
+logging_send_syslog_msg(drbd_t)
+
+fs_getattr_xattr_fs(drbd_t)
 
-miscfiles_read_localization(drbd_t)
+modutils_read_module_config(drbd_t)
+modutils_exec_insmod(drbd_t)
+
+storage_raw_read_fixed_disk(drbd_t)
+storage_raw_write_fixed_disk(drbd_t)
 
 sysnet_dns_name_resolve(drbd_t)
+
+optional_policy(`
+    rhcs_read_log_cluster(drbd_t)
+    rhcs_rw_cluster_tmpfs(drbd_t)
+    rhcs_manage_cluster_lib_files(drbd_t)
+')
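Review bot: drbd_t's capability set grows from `{ kill net_admin }` to include `dac_read_search`, `dac_override` and `sys_admin`, and the domain additionally gains `storage_raw_write_fixed_disk` and `modutils_exec_insmod`, with no comment on which drbd operation needs each grant. `sys_admin` is the broadest capability in the set and `dac_override` is usually unnecessary once `dac_read_search` covers the read paths, so a one-line why per grant (`# sys_admin: <operation> — TODO confirm against audit`) would let a later reviewer trim them. `corenet_tcp_connect_http_port(drbd_t)` is also unexplained; an outbound HTTP grant on a storage replication daemon deserves a comment naming the consumer. Style: the rhcs block indents with four spaces and `{file dir}` lacks the spaces used elsewhere in the file.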
diff --git a/dspam.fc b/dspam.fc
index 5eddac5..b5fcb77 100644
--- a/dspam.fc
+++ b/dspam.fc
@@ -2,11 +2,16 @@
 
 /usr/bin/dspam	--	gen_context(system_u:object_r:dspam_exec_t,s0)
 
-/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:dspam_script_exec_t,s0)
 
 /var/lib/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_lib_t,s0)
-/var/lib/dspam/data(/.*)?	gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
 
 /var/log/dspam(/.*)?	gen_context(system_u:object_r:dspam_log_t,s0)
 
 /var/run/dspam(/.*)?	gen_context(system_u:object_r:dspam_var_run_t,s0)
+
+# web
+/var/www/dspam/.*\.cgi 	--	gen_context(system_u:object_r:dspam_script_exec_t,s0)
+/var/www/dspam(/.*?)		gen_context(system_u:object_r:dspam_content_t,s0)
+
+/var/lib/dspam/data(/.*)?			gen_context(system_u:object_r:dspam_rw_content_t,s0)
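Review bot: `/var/www/dspam(/.*?)` on the content line puts the `?` inside the group, where it turns `.*` into a lazy quantifier instead of making the subdirectory part optional; the group then requires a `/`, so `/var/www/dspam` itself never matches this entry. The intended form, used by the neighbouring entries, is `/var/www/dspam(/.*)?`. The `.cgi` line above it also carries a trailing space before its tab.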
diff --git a/dspam.if b/dspam.if
index 18f2452..a446210 100644
--- a/dspam.if
+++ b/dspam.if
@@ -1,13 +1,15 @@
-## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
+
+## <summary>policy for dspam</summary>
+
 
 ########################################
 ## <summary>
 ##	Execute a domain transition to run dspam.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed access.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`dspam_domtrans',`
@@ -15,35 +17,211 @@ interface(`dspam_domtrans',`
 		type dspam_t, dspam_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, dspam_exec_t, dspam_t)
 ')
 
-#######################################
+
+########################################
 ## <summary>
-##	Connect to dspam using a unix
-##	domain stream socket.
+##	Execute dspam server in the dspam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`dspam_initrc_domtrans',`
+	gen_require(`
+		type dspam_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read dspam's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`dspam_stream_connect',`
+interface(`dspam_read_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        read_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	dspam log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`dspam_append_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        append_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage dspam log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_log',`
+	gen_require(`
+		type dspam_log_t;
+	')
+
+	logging_search_logs($1)
+        manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
+        manage_files_pattern($1, dspam_log_t, dspam_log_t)
+        manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
+##	Search dspam lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_search_lib',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	allow $1 dspam_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read dspam lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_read_lib_files',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	dspam lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_lib_files',`
+	gen_require(`
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage dspam lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_manage_lib_dirs',`
 	gen_require(`
-		type dspam_t, dspam_var_run_t, dspam_tmp_t;
+		type dspam_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	Read dspam PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dspam_read_pid_files',`
+	gen_require(`
+		type dspam_var_run_t;
 	')
 
 	files_search_pids($1)
+	allow $1 dspam_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##  Connect to DSPAM using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dspam_stream_connect',`
+    gen_require(`
+        type dspam_t, dspam_var_run_t, dspam_tmp_t;
+    ')
+
+    files_search_pids($1)
 	files_search_tmp($1)
-	stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
+    stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
+    stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an dspam environment.
+##	All of the rules required to administrate
+##	an dspam environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
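Review bot: Two parameter descriptions are copy-paste leftovers: `dspam_append_log` documents its domain as "Domain allowed to transition." and `dspam_manage_log` as "Domain to not audit.", while both interfaces grant access; both should read `##	Domain allowed access.`. `dspam_read_pid_files` grants only `file read_file_perms` on dspam_var_run_t, but dspam.fc labels `/var/run/dspam(/.*)?` with that type, so the pid files sit inside a dspam_var_run_t directory and the caller also needs search on it; `read_files_pattern($1, dspam_var_run_t, dspam_var_run_t)` covers both. Indentation is mixed throughout the new interfaces (eight-space pattern calls in the log and lib interfaces, four-space lines in `dspam_stream_connect`, tabs elsewhere).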
@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',`
 #
 interface(`dspam_admin',`
 	gen_require(`
-		type dspam_t, dspam_initrc_exec_t, dspam_log_t;
-		type dspam_var_lib_t, dspam_var_run_t;
+		type dspam_t;
+		type dspam_initrc_exec_t;
+		type dspam_log_t;
+		type dspam_var_lib_t;
+		type dspam_var_run_t;
 	')
 
-	allow $1 dspam_t:process { ptrace signal_perms };
+	allow $1 dspam_t:process signal_perms;
 	ps_process_pattern($1, dspam_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dspam_t:process ptrace;
+	')
 
-	init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+	dspam_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 dspam_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -79,4 +263,5 @@ interface(`dspam_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, dspam_var_run_t)
+
 ')
diff --git a/dspam.te b/dspam.te
index ef62363..0841716 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
 
 allow dspam_t self:capability net_admin;
 allow dspam_t self:process signal;
+
+allow dspam_t self:tcp_socket { listen accept };
+
 allow dspam_t self:fifo_file rw_fifo_file_perms;
 allow dspam_t self:unix_stream_socket { accept listen };
 
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
 corenet_tcp_bind_spamd_port(dspam_t)
 corenet_tcp_connect_spamd_port(dspam_t)
 corenet_tcp_sendrecv_spamd_port(dspam_t)
+corenet_tcp_bind_lmtp_port(dspam_t)
+corenet_tcp_connect_lmtp_port(dspam_t)
+
+kernel_read_system_state(dspam_t)
+
+corecmd_exec_shell(dspam_t)
 
 files_search_spool(dspam_t)
 
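Review bot: `corecmd_exec_shell(dspam_t)` lets the daemon run a shell in its own domain and carries no comment about which feature needs it; a note such as `# shell needed for <feature> — TODO confirm` keeps the grant from becoming permanent by default. `kernel_read_system_state` is placed between the corenet rules and `corecmd_exec_shell`; the usual kernel/corecmd/corenet ordering puts it above the corenet block.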
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
 
 logging_send_syslog_msg(dspam_t)
 
-miscfiles_read_localization(dspam_t)
-
 optional_policy(`
 	apache_content_template(dspam)
+	apache_content_alias_template(dspam, dspam)
+
+	read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
+
+    auth_read_passwd(dspam_script_t)
+
+	files_search_var_lib(dspam_script_t)
+
+	domain_dontaudit_read_all_domains_state(dspam_script_t)
+
+	term_dontaudit_search_ptys(dspam_script_t)
+	term_dontaudit_getattr_all_ttys(dspam_script_t)
+	term_dontaudit_getattr_all_ptys(dspam_script_t)
 
-	list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
-	manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
-	manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+	init_read_utmp(dspam_script_t)
+
+	logging_send_syslog_msg(dspam_script_t)
+
+	mta_send_mail(dspam_script_t)
+
+	optional_policy(`
+	    mysql_tcp_connect(dspam_script_t)
+	    mysql_stream_connect(dspam_script_t)
+	')
 ')
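Review bot: The daemon's own write access to its data directory looks lost: `manage_dirs_pattern`/`manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, ...)` are removed and nothing in this block grants dspam_t the type that dspam.fc now assigns to `/var/lib/dspam/data(/.*)?` (dspam_rw_content_t). Unless `apache_content_alias_template(dspam, dspam)` or a rule outside this hunk provides it, dspam_t can no longer manage that tree; an explicit `manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)` plus the matching files pattern would make the intent visible. `auth_read_passwd(dspam_script_t)` and the nested mysql block use four-space indentation where the rest of the block uses tabs; the same applies to the postfix and procmail blocks in the following hunk.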
 
 optional_policy(`
@@ -87,3 +114,12 @@ optional_policy(`
 
 	postgresql_tcp_connect(dspam_t)
 ')
+
+optional_policy(`
+    postfix_rw_inherited_master_pipes(dspam_t)
+    postfix_list_spool(dspam_t)
+')
+
+optional_policy(`
+    procmail_domtrans(dspam_t)
+')
diff --git a/entropyd.te b/entropyd.te
index b8b8328..111084c 100644
--- a/entropyd.te
+++ b/entropyd.te
@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
 ##	the entropy feeds.
 ##	</p>
 ## </desc>
-gen_tunable(entropyd_use_audio, false)
+gen_tunable(entropyd_use_audio, true)
 
 type entropyd_t;
 type entropyd_exec_t;
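Review bot: Flipping `entropyd_use_audio` to true changes the shipped default so entropyd_t gets its audio-device access on every system that never sets the boolean, widening the daemon's default footprint instead of keeping it opt-in. If the wider default is intended, the `<desc>` block above should say so and mention how to disable it (`setsebool -P entropyd_use_audio off`), and the module version in `policy_module(entropyd, 1.8.0)` should be bumped unless that happens in a hunk outside this view.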
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
 
-files_read_etc_files(entropyd_t)
-files_read_usr_files(entropyd_t)
-
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
 
@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t)
 
 logging_send_syslog_msg(entropyd_t)
 
-miscfiles_read_localization(entropyd_t)
+auth_use_nsswitch(entropyd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)
diff --git a/etcd.fc b/etcd.fc
new file mode 100644
index 0000000..eac30a3
--- /dev/null
+++ b/etcd.fc
@@ -0,0 +1,5 @@
+/usr/lib/systemd/system/etcd.*  --  gen_context(system_u:object_r:etcd_unit_file_t,s0)
+
+/usr/bin/etcd                   --  gen_context(system_u:object_r:etcd_exec_t,s0)
+
+/var/lib/etcd(/.*)?                 gen_context(system_u:object_r:etcd_var_lib_t,s0)
diff --git a/etcd.if b/etcd.if
new file mode 100644
index 0000000..d1a05a6
--- /dev/null
+++ b/etcd.if
@@ -0,0 +1,161 @@
+## <summary>A highly-available key value store for shared configuration.</summary>
+
+########################################
+## <summary>
+##	Execute etcd in the etcd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`etcd_domtrans',`
+	gen_require(`
+		type etcd_t, etcd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, etcd_exec_t, etcd_t)
+')
+
+########################################
+## <summary>
+##	Search etcd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`etcd_search_lib',`
+	gen_require(`
+		type etcd_var_lib_t;
+	')
+
+	allow $1 etcd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read etcd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`etcd_read_lib_files',`
+	gen_require(`
+		type etcd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage etcd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`etcd_manage_lib_files',`
+	gen_require(`
+		type etcd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage etcd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`etcd_manage_lib_dirs',`
+	gen_require(`
+		type etcd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, etcd_var_lib_t, etcd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute etcd server in the etcd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`etcd_systemctl',`
+	gen_require(`
+		type etcd_t;
+		type etcd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 etcd_unit_file_t:file read_file_perms;
+	allow $1 etcd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, etcd_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an etcd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`etcd_admin',`
+	gen_require(`
+		type etcd_t;
+		type etcd_var_lib_t;
+	    type etcd_unit_file_t;
+	')
+
+	allow $1 etcd_t:process { signal_perms };
+	ps_process_pattern($1, etcd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 etcd_t:process ptrace;
+    ')
+
+	files_search_var_lib($1)
+	admin_pattern($1, etcd_var_lib_t)
+
+	etcd_systemctl($1)
+	admin_pattern($1, etcd_unit_file_t)
+	allow $1 etcd_unit_file_t:service all_service_perms;
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
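Review bot: The `etcd_systemctl` summary says "Execute etcd server in the etcd domain." but the body grants systemctl execution, service reloads and unit-file `manage_service_perms`; it should read `##	Allow the caller to manage the etcd service via systemctl.` or similar, and the `etcd_domtrans` summary has "domin" for "domain". `systemd_read_fifo_file_passwd_run($1)` is called unconditionally in `etcd_systemctl` but wrapped in `optional_policy` in `etcd_admin`; one of the two is wrong about whether the systemd interfaces are guaranteed to exist. The new file also mixes four-space and tab indentation (the `systemd_read_fifo_file_passwd_run` line, the `type etcd_unit_file_t;` require line and the `deny_ptrace` block).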
diff --git a/etcd.te b/etcd.te
new file mode 100644
index 0000000..7cee445
--- /dev/null
+++ b/etcd.te
@@ -0,0 +1,42 @@
+policy_module(etcd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type etcd_t;
+type etcd_exec_t;
+init_daemon_domain(etcd_t,etcd_exec_t)
+
+permissive etcd_t;
+
+type etcd_unit_file_t;
+systemd_unit_file(etcd_unit_file_t)
+
+type etcd_var_lib_t;
+files_type(etcd_var_lib_t)
+
+########################################
+#
+# ectd local policy
+#
+
+allow etcd_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+manage_files_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+manage_lnk_files_pattern(etcd_t, etcd_var_lib_t, etcd_var_lib_t)
+files_var_lib_filetrans(etcd_t, etcd_var_lib_t, dir)
+
+kernel_read_unix_sysctls(etcd_t)
+kernel_read_net_sysctls(etcd_t)
+
+corenet_tcp_bind_generic_node(etcd_t)
+
+corenet_tcp_bind_kubernetes_port(etcd_t)
+corenet_tcp_bind_afs3_callback_port(etcd_t)
+
+fs_getattr_xattr_fs(etcd_t)
+
+logging_send_syslog_msg(etcd_t)
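Review bot: `permissive etcd_t;` puts the new domain in log-only mode, so none of the rules below is enforced and the module ships without confinement; that is acceptable for an initial drop but should be tracked, e.g. `# TODO: drop permissive once the domain runs clean under enforcing`. The local policy header reads "ectd" for "etcd", and `policy_module(etcd,1.0.0)` / `init_daemon_domain(etcd_t,etcd_exec_t)` lack the space after the comma used in the sibling modules. `corenet_tcp_bind_afs3_callback_port(etcd_t)` is an unexpected port name for a key-value store; a comment recording which etcd listener it corresponds to would save the next reader a lookup.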
diff --git a/evolution.fc b/evolution.fc
index 597f305..8520653 100644
--- a/evolution.fc
+++ b/evolution.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.camel_certs(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
 HOME_DIR/\.evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.cache/evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)
 
 /tmp/\.exchange-USER(/.*)?	gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
 
diff --git a/evolution.te b/evolution.te
index c99e07c..ab9dd9f 100644
--- a/evolution.te
+++ b/evolution.te
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
 
 domain_dontaudit_read_all_domains_state(evolution_t)
 
-files_read_usr_files(evolution_t)
 
 fs_search_auto_mountpoints(evolution_t)
 
@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
 
 userdom_manage_user_home_content_dirs(evolution_t)
 userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_filetrans_home_content(evolution_t)
 
 userdom_write_user_tmp_sockets(evolution_t)
 
@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
 
 dev_read_urand(evolution_alarm_t)
 
-files_read_usr_files(evolution_alarm_t)
 
 fs_search_auto_mountpoints(evolution_alarm_t)
 
@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t)
 
 dev_read_urand(evolution_exchange_t)
 
-files_read_usr_files(evolution_exchange_t)
 
 fs_search_auto_mountpoints(evolution_exchange_t)
 
@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t)
 
 dev_read_urand(evolution_server_t)
 
-files_read_usr_files(evolution_server_t)
 
 fs_search_auto_mountpoints(evolution_server_t)
 
diff --git a/exim.if b/exim.if
index 9bbc690..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute exim in the exim domain,
-##	and allow the specified role
-##	the exim domain.
+##     Execute the mailman program in the mailman domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
 ## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##     <summary>
+##     The role to allow the mailman domain.
+##     </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`exim_run',`
+       gen_require(`
+               type exim_t;
+       ')
+
+       exim_domtrans($1)
+       role $2 types exim_t;
+')
+
+########################################
+## <summary>
+##	Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`exim_initrc_domtrans',`
 	gen_require(`
-		attribute_role exim_roles;
+		type exim_initrc_exec_t;
 	')
 
-	exim_domtrans($1)
-	roleattribute $2 exim_roles;
+	init_labeled_script_domtrans($1, exim_initrc_exec_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read exim
-##	temporary tmp files.
+##	Do not audit attempts to read, 
+##	exim tmp files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
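Review bot: The rewritten header for `exim_run` documents the wrong interface: the summary now reads `Execute the mailman program in the mailman domain.` and the role parameter `The role to allow the mailman domain.`, which looks pasted from mailman.if; it should say `Execute exim in the exim domain, and allow the specified role the exim domain.` and `Role allowed access.`. The body also switches from `roleattribute $2 exim_roles;` to `role $2 types exim_t;`, so the `exim_roles` role attribute is no longer populated by this interface — if exim.te still declares it for other consumers, that needs a matching change. Within the same hunk the new `exim_run` lines are indented with spaces (`##     `, `       gen_require(`) while the new `exim_initrc_domtrans` right below uses the file's tab convention; pick tabs for both.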
@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read exim temporary files.
+##	Allow domain to read, exim tmp files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read exim pid files.
+##	Read exim PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',`
 
 ########################################
 ## <summary>
-##	Read exim log files.
+##	Allow the specified domain to read exim's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -125,7 +141,8 @@ interface(`exim_read_log',`
 
 ########################################
 ## <summary>
-##	Append exim log files.
+##	Allow the specified domain to append
+##	exim log files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -144,8 +161,7 @@ interface(`exim_append_log',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	exim log files.
+##	Allow the specified domain to manage exim's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -166,7 +182,7 @@ interface(`exim_manage_log',`
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	exim spool directories.
+##	exim spool dirs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
 ##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
 interface(`exim_admin',`
 	gen_require(`
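Review bot: Dropping `## <rolecap/>` from the `exim_admin` header is inconsistent with the interface itself, which still takes a `role` parameter and performs `role_transition $2 exim_initrc_exec_t system_r;` in the following hunk; `fail2ban_admin` and `firewalld_admin` in this same commit keep their `<rolecap/>` tag. Restore the `## <rolecap/>` line before the closing `#` so generated documentation still marks the interface as role-capable.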
@@ -285,10 +300,14 @@ interface(`exim_admin',`
 		type exim_keytab_t;
 	')
 
-	allow $1 exim_t:process { ptrace signal_perms };
+	allow $1 exim_t:process signal_perms;
 	ps_process_pattern($1, exim_t)
 
-	init_labeled_script_domtrans($1, exim_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 exim_t:process ptrace;
+	')
+
+	exim_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 exim_initrc_exec_t system_r;
 	allow $2 system_r;
diff --git a/exim.te b/exim.te
index 4086c51..3e7a990 100644
--- a/exim.te
+++ b/exim.te
@@ -55,7 +55,7 @@ type exim_log_t;
 logging_log_file(exim_log_t)
 
 type exim_spool_t;
-files_type(exim_spool_t)
+files_spool_file(exim_spool_t)
 
 type exim_tmp_t;
 files_tmp_file(exim_tmp_t)
@@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t)
 kernel_read_crypto_sysctls(exim_t)
 kernel_read_kernel_sysctls(exim_t)
 kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
+kernel_read_system_state(exim_t)
 
 corecmd_search_bin(exim_t)
 
-corenet_all_recvfrom_unlabeled(exim_t)
 corenet_all_recvfrom_netlabel(exim_t)
 corenet_tcp_sendrecv_generic_if(exim_t)
 corenet_udp_sendrecv_generic_if(exim_t)
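Review bot: Replacing `kernel_dontaudit_read_system_state(exim_t)` with `kernel_read_system_state(exim_t)` turns a suppressed denial into a grant of read access to kernel and process state under /proc for a network-facing MTA, and the commit gives no reason for the widening. A one-line comment above it, e.g. `# kernel_read_system_state: needed for <reason — fill in>`, would let the next reviewer judge whether the previous dontaudit was the right call after all. The removal of `corenet_all_recvfrom_unlabeled(exim_t)` matches the same removal in the fail2ban, fetchmail and finger hunks of this commit.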
@@ -151,10 +150,10 @@ fs_getattr_xattr_fs(exim_t)
 fs_list_inotifyfs(exim_t)
 
 auth_use_nsswitch(exim_t)
+auth_domtrans_chk_passwd(exim_t)
 
 logging_send_syslog_msg(exim_t)
 
-miscfiles_read_localization(exim_t)
 miscfiles_read_generic_certs(exim_t)
 
 userdom_dontaudit_search_user_home_dirs(exim_t)
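Review bot: `auth_domtrans_chk_passwd(exim_t)` lets the MTA run the password-checking helper, i.e. validate credentials against shadow-backed data via a domain transition, as an unconditional grant. That is only needed when SMTP AUTH is backed by PAM, so it fits the pattern this file already uses for optional behaviour (`exim_can_connect_db`, `exim_read_user_files`) and should sit under a dedicated boolean, or at least carry a comment such as `# SMTP AUTH via PAM` stating the use case.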
@@ -170,9 +169,9 @@ tunable_policy(`exim_can_connect_db',`
 	corenet_sendrecv_mssql_client_packets(exim_t)
 	corenet_tcp_connect_mssql_port(exim_t)
 	corenet_tcp_sendrecv_mssql_port(exim_t)
-	corenet_sendrecv_oracledb_client_packets(exim_t)
-	corenet_tcp_connect_oracledb_port(exim_t)
-	corenet_tcp_sendrecv_oracledb_port(exim_t)
+	corenet_sendrecv_oracle_client_packets(exim_t)
+	corenet_tcp_connect_oracle_port(exim_t)
+	corenet_tcp_sendrecv_oracle_port(exim_t)
 ')
 
 tunable_policy(`exim_read_user_files',`
@@ -186,8 +185,8 @@ tunable_policy(`exim_manage_user_files',`
 ')
 
 optional_policy(`
-	clamav_domtrans_clamscan(exim_t)
-	clamav_stream_connect(exim_t)
+	antivirus_domtrans(exim_t)
+	antivirus_stream_connect(exim_t)
 ')
 
 optional_policy(`
@@ -210,11 +209,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mailman_read_data_files(exim_t)
-	mailman_domtrans(exim_t)
-')
-
-optional_policy(`
 	nagios_search_spool(exim_t)
 ')
 
@@ -236,6 +230,7 @@ optional_policy(`
 
 optional_policy(`
 	procmail_domtrans(exim_t)
+	procmail_read_home_files(exim_t)
 ')
 
 optional_policy(`
diff --git a/fail2ban.if b/fail2ban.if
index 50d0084..94e1936 100644
--- a/fail2ban.if
+++ b/fail2ban.if
@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
 	domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute the fail2ban client in
-##	the fail2ban client domain.
+##  Execute the fail2ban client in
+##  the fail2ban client domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 #
 interface(`fail2ban_domtrans_client',`
-	gen_require(`
-		type fail2ban_client_t, fail2ban_client_exec_t;
-	')
+    gen_require(`
+        type fail2ban_client_t, fail2ban_client_exec_t;
+    ')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+    corecmd_search_bin($1)
+    domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Execute fail2ban client in the
-##	fail2ban client domain, and allow
-##	the specified role the fail2ban
-##	client domain.
+##  Execute fail2ban client in the
+##  fail2ban client domain, and allow
+##  the specified role the fail2ban
+##  client domain.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
 ## </param>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access.
+##  </summary>
 ## </param>
 #
 interface(`fail2ban_run_client',`
-	gen_require(`
-		attribute_role fail2ban_client_roles;
-	')
+    gen_require(`
+        attribute_role fail2ban_client_roles;
+    ')
 
-	fail2ban_domtrans_client($1)
-	roleattribute $2 fail2ban_client_roles;
+    fail2ban_domtrans_client($1)
+    roleattribute $2 fail2ban_client_roles;
 ')
 
 #####################################
 ## <summary>
-##	Connect to fail2ban over a
-##	unix domain stream socket.
+##	Connect to fail2ban over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
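Review bot: The reindented `fail2ban_domtrans_client` and `fail2ban_run_client` now use four-space indentation (`##  `, `    gen_require(`) where the rest of fail2ban.if uses tabs — compare the untouched `fail2ban_rw_inherited_tmp_files` at the top of the next hunk — and the banner above each shrank from 40 to 39 `#`; this is whitespace-only churn that leaves the file mixed and makes blame noisier. The same tab/space mix is introduced in the `fail2ban_dontaudit_use_fds`/`fail2ban_dontaudit_rw_stream_sockets` hunk below, in the new `apache_read_log` optional block at the end of fail2ban.te, in the `networkmanager_dgram_send` block in fcoe.te, and in the `mta_send_mail` block in fetchmail.te. Keeping each file's existing tab convention limits the diff to real changes.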
@@ -102,64 +102,63 @@ interface(`fail2ban_rw_inherited_tmp_files',`
 	')
 
 	files_search_tmp($1)
-	allow $1 fail2ban_tmp_t:file { read write };
+	allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to use
-##	fail2ban file descriptors.
+##	Read and write to an fail2ba unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fail2ban_dontaudit_use_fds',`
+interface(`fail2ban_rw_stream_sockets',`
 	gen_require(`
 		type fail2ban_t;
 	')
 
-	dontaudit $1 fail2ban_t:fd use;
+	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Do not audit attempts to read and
-##	write fail2ban unix stream sockets
+##  Do not audit attempts to use
+##  fail2ban file descriptors.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
+##  <summary>
+##  Domain to not audit.
+##  </summary>
 ## </param>
 #
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
-	gen_require(`
-		type fail2ban_t;
-	')
+interface(`fail2ban_dontaudit_use_fds',`
+    gen_require(`
+        type fail2ban_t;
+    ')
 
-	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+    dontaudit $1 fail2ban_t:fd use;
 ')
 
-########################################
+#######################################
 ## <summary>
-##	Read and write fail2ban unix
-##	stream sockets.
+##  Do not audit attempts to read and
+##  write fail2ban unix stream sockets
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##  <summary>
+##  Domain to not audit.
+##  </summary>
 ## </param>
 #
-interface(`fail2ban_rw_stream_sockets',`
-	gen_require(`
-		type fail2ban_t;
-	')
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+    gen_require(`
+        type fail2ban_t;
+    ')
 
-	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+    dontaudit $1 fail2ban_t:unix_stream_socket { read write };
 ')
 
 ########################################
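Review bot: The new summary for `fail2ban_rw_stream_sockets` has a typo and an article error: `Read and write to an fail2ba unix stream socket.` should read `Read and write fail2ban unix stream sockets.`. Apart from that and the `rw_inherited_file_perms` change in `fail2ban_rw_inherited_tmp_files`, this hunk only reorders the three socket/fd interfaces and swaps their indentation, which produces dozens of changed lines with no change in policy; unless the order matters downstream, leaving them in place would make the substantive change easy to see.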
@@ -178,12 +177,12 @@ interface(`fail2ban_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
-	allow $1 fail2ban_var_lib_t:file read_file_perms;
+	read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	Read fail2ban log files.
+##	Allow the specified domain to read fail2ban's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -198,12 +197,14 @@ interface(`fail2ban_read_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
 	allow $1 fail2ban_log_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Append fail2ban log files.
+##	Allow the specified domain to append
+##	fail2ban log files.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -217,12 +218,13 @@ interface(`fail2ban_append_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
 	allow $1 fail2ban_log_t:file append_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read fail2ban pid files.
+##	Read fail2ban PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -241,8 +243,28 @@ interface(`fail2ban_read_pid_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an fail2ban environment.
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+	gen_require(`
+		type fail2ban_t;
+	')
+
+ 	dontaudit $1 fail2ban_t:tcp_socket { read write };
+	dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an fail2ban environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
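Review bot: In the new `fail2ban_dontaudit_leaks`, the line `dontaudit $1 fail2ban_t:tcp_socket { read write };` is indented with a space followed by a tab, unlike the two lines after it; drop the leading space. Its summary `dontaudit read and write an leaked file descriptors` should read `Do not audit attempts to read and write leaked fail2ban file descriptors.`; the identical summary is added for `firstboot_dontaudit_leaks` in firstboot.if and wants the same fix. The reworded `fail2ban_admin` summary on the last lines also lost its full stop and keeps `an fail2ban environment`.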
@@ -251,21 +273,25 @@ interface(`fail2ban_read_pid_files',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	Role allowed access.
+##	The role to be allowed to manage the fail2ban domain.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`fail2ban_admin',`
 	gen_require(`
-		type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
-		type fail2ban_var_run_t, fail2ban_initrc_exec_t;
-		type fail2ban_var_lib_t, fail2ban_client_t;
+		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+		type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+		type fail2ban_client_t;
 	')
 
-	allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
 	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 fail2ban_initrc_exec_t system_r;
@@ -277,10 +303,10 @@ interface(`fail2ban_admin',`
 	files_list_pids($1)
 	admin_pattern($1, fail2ban_var_run_t)
 
-	files_search_var_lib($1)
+	files_list_var_lib($1)
 	admin_pattern($1, fail2ban_var_lib_t)
 
-	files_search_tmp($1)
+	files_list_tmp($1)
 	admin_pattern($1, fail2ban_tmp_t)
 
 	fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
index cf0e567..7bebd26 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
 #
 
 allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
-allow fail2ban_t self:process signal;
+allow fail2ban_t self:process { setsched signal };
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { accept connectto listen };
 allow fail2ban_t self:tcp_socket { accept listen };
@@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t)
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
 
-corenet_all_recvfrom_unlabeled(fail2ban_t)
 corenet_all_recvfrom_netlabel(fail2ban_t)
 corenet_tcp_sendrecv_generic_if(fail2ban_t)
 corenet_tcp_sendrecv_generic_node(fail2ban_t)
@@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t)
 domain_dontaudit_read_all_domains_state(fail2ban_t)
 
 files_read_etc_runtime_files(fail2ban_t)
-files_read_usr_files(fail2ban_t)
 files_list_var(fail2ban_t)
 files_dontaudit_list_tmp(fail2ban_t)
 
@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
 
-miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t)
 
 sysnet_manage_config(fail2ban_t)
-sysnet_etc_filetrans_config(fail2ban_t)
-
-mta_send_mail(fail2ban_t)
 
 optional_policy(`
 	apache_read_log(fail2ban_t)
 ')
 
 optional_policy(`
+	dbus_system_bus_client(fail2ban_t)
+	dbus_connect_system_bus(fail2ban_t)
+
+	optional_policy(`
+		firewalld_dbus_chat(fail2ban_t)
+	')
+')
+
+optional_policy(`
 	ftp_read_log(fail2ban_t)
 ')
 
 optional_policy(`
+	gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
 	iptables_domtrans(fail2ban_t)
 ')
 
@@ -118,6 +129,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rpm_exec(fail2ban_t)
+')
+
+optional_policy(`
 	shorewall_domtrans(fail2ban_t)
 ')
 
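Review bot: `rpm_exec(fail2ban_t)` lets a daemon whose job is parsing attacker-influenced log lines execute the package-manager binaries in its own domain, and nothing in the commit says which fail2ban action needs that. If a specific action requires it, a comment above the call naming it (`# rpm_exec: required by <action — fill in>`) or a boolean-gated `optional_policy` would scope the grant; as written it reads like an audit2allow artefact.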
@@ -126,27 +141,37 @@ optional_policy(`
 # Client Local policy
 #
 
-allow fail2ban_client_t self:capability dac_read_search;
+allow fail2ban_client_t self:capability { dac_read_search dac_override };
 allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
 stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
 
 kernel_read_system_state(fail2ban_client_t)
 
 corecmd_exec_bin(fail2ban_client_t)
 
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
 domain_use_interactive_fds(fail2ban_client_t)
 
-files_read_etc_files(fail2ban_client_t)
-files_read_usr_files(fail2ban_client_t)
 files_search_pids(fail2ban_client_t)
 
+auth_use_nsswitch(fail2ban_client_t)
+
+libs_exec_ldconfig(fail2ban_client_t)
+
 logging_getattr_all_logs(fail2ban_client_t)
 logging_search_all_logs(fail2ban_client_t)
-
-miscfiles_read_localization(fail2ban_client_t)
+logging_read_audit_log(fail2ban_client_t)
 
 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
 userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+    apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
index ce358fb..8cc3ca2 100644
--- a/fcoe.te
+++ b/fcoe.te
@@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t)
 # Local policy
 #
 
-allow fcoemon_t self:capability { dac_override kill net_admin };
+allow fcoemon_t self:capability { net_admin net_raw dac_override };
 allow fcoemon_t self:fifo_file rw_fifo_file_perms;
 allow fcoemon_t self:unix_stream_socket { accept listen };
 allow fcoemon_t self:netlink_socket create_socket_perms;
 allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
+allow fcoemon_t self:netlink_scsitransport_socket create_socket_perms;
+allow fcoemon_t self:packet_socket create_socket_perms;
+allow fcoemon_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
 files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
 
-files_read_etc_files(fcoemon_t)
-
-dev_read_sysfs(fcoemon_t)
+dev_rw_sysfs(fcoemon_t)
 
 logging_send_syslog_msg(fcoemon_t)
 
 miscfiles_read_localization(fcoemon_t)
 
+userdom_dgram_send(fcoemon_t)
+
 optional_policy(`
 	lldpad_dgram_send(fcoemon_t)
 ')
+
+optional_policy(`
+    networkmanager_dgram_send(fcoemon_t)
+')
diff --git a/fetchmail.fc b/fetchmail.fc
index 133b8ee..a47a12f 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
 HOME_DIR/\.fetchmailrc	--	gen_context(system_u:object_r:fetchmail_home_t,s0)
+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
 
 /etc/fetchmailrc	--	gen_context(system_u:object_r:fetchmail_etc_t,s0)
 
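Review bot: The new `/root/\.fetchmailrc` entry departs from the file's column layout and puts a space inside the context, `gen_context(system_u:object_r:fetchmail_home_t, s0)`, where every other line writes `gen_context(...,s0)` with tab-separated columns. m4 drops unquoted leading whitespace in a macro argument, so the label should still resolve, but writing the line as `/root/\.fetchmailrc	--	gen_context(system_u:object_r:fetchmail_home_t,s0)` keeps the file greppable and consistent with the `HOME_DIR` entry above it.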
diff --git a/fetchmail.if b/fetchmail.if
index c3f7916..cab3954 100644
--- a/fetchmail.if
+++ b/fetchmail.if
@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
 		type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
 	')
 
+	ps_process_pattern($1, fetchmail_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 fetchmail_t:process ptrace;
+	')
+
 	init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 fetchmail_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	allow $1 fetchmail_t:process { ptrace signal_perms };
-	ps_process_pattern($1, fetchmail_t)
-
 	files_list_etc($1)
 	admin_pattern($1, fetchmail_etc_t)
 
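Review bot: `signal_perms` is lost in `fetchmail_admin`: the removed `allow $1 fetchmail_t:process { ptrace signal_perms };` is replaced only by `ps_process_pattern($1, fetchmail_t)` and the `deny_ptrace`-gated ptrace rule, so an admin role can no longer signal the fetchmail daemon. The sibling `exim_admin`, `fail2ban_admin` and `firewalld_admin` changes in this commit keep `allow $1 <domain>:process signal_perms;` before the tunable; add `allow $1 fetchmail_t:process signal_perms;` next to the new `ps_process_pattern` line.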
diff --git a/fetchmail.te b/fetchmail.te
index 742559a..fa51d09 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t)
 #
 # Local policy
 #
-
+allow fetchmail_t self:capability setuid;
 dontaudit fetchmail_t self:capability sys_tty_config;
 allow fetchmail_t self:process { signal_perms setrlimit };
 allow fetchmail_t self:unix_stream_socket { accept listen };
+allow fetchmail_t self:key manage_key_perms;
 
 allow fetchmail_t fetchmail_etc_t:file read_file_perms;
 
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
 read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
 
 manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
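Review bot: `allow fetchmail_t self:capability setuid;` and `allow fetchmail_t self:key manage_key_perms;` are the privilege-relevant additions in this hunk and carry no explanation; setuid is what lets the daemon change identity, so a comment stating why it is needed (presumably dropping to the configured run-as user — confirm) belongs above it. The blank line that separated the `# Local policy` banner from the first rule was also removed, unlike every other .te file touched by this commit. Moving `userdom_search_user_home_dirs(fetchmail_t)` up from the later hunk is fine, but the new `userdom_search_admin_dir` extends the search to /root to match the new `/root/\.fetchmailrc` context and is worth a mention in the commit message.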
@@ -63,7 +67,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
 corecmd_exec_bin(fetchmail_t)
 corecmd_exec_shell(fetchmail_t)
 
-corenet_all_recvfrom_unlabeled(fetchmail_t)
 corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
 corenet_tcp_sendrecv_generic_node(fetchmail_t)
@@ -84,15 +87,24 @@ fs_search_auto_mountpoints(fetchmail_t)
 
 domain_use_interactive_fds(fetchmail_t)
 
-auth_use_nsswitch(fetchmail_t)
+auth_read_passwd(fetchmail_t)
 
 logging_send_syslog_msg(fetchmail_t)
 
-miscfiles_read_localization(fetchmail_t)
 miscfiles_read_generic_certs(fetchmail_t)
 
+sysnet_dns_name_resolve(fetchmail_t)
+
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
+    mta_send_mail(fetchmail_t)
+    mta_read_spool(fetchmail_t)
+')
+
+optional_policy(`
+	kerberos_use(fetchmail_t)
+')
 
 optional_policy(`
 	procmail_domtrans(fetchmail_t)
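Review bot: Replacing `auth_use_nsswitch(fetchmail_t)` with `auth_read_passwd(fetchmail_t)` plus `sysnet_dns_name_resolve(fetchmail_t)` is a narrowing: as far as I recall, the nsswitch interface also covers the name-service caching and directory-service client sockets, so deployments that resolve users or hosts through sssd/nscd may now be denied. If that narrowing is intended, a short comment saying fetchmail only needs local passwd and DNS would make the choice deliberate rather than a regression to rediscover.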
diff --git a/finger.te b/finger.te
index 35da09d..85f1e03 100644
--- a/finger.te
+++ b/finger.te
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
 
-corenet_all_recvfrom_unlabeled(fingerd_t)
 corenet_all_recvfrom_netlabel(fingerd_t)
 corenet_tcp_sendrecv_generic_if(fingerd_t)
 corenet_tcp_sendrecv_generic_node(fingerd_t)
@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t)
 domain_use_interactive_fds(fingerd_t)
 
 files_read_etc_runtime_files(fingerd_t)
+files_search_home(fingerd_t)
 
 fs_getattr_all_fs(fingerd_t)
 fs_search_auto_mountpoints(fingerd_t)
@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t)
 term_getattr_all_ptys(fingerd_t)
 
 auth_read_lastlog(fingerd_t)
+auth_use_nsswitch(fingerd_t)
 
 init_read_utmp(fingerd_t)
 init_dontaudit_write_utmp(fingerd_t)
@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t)
 
 mta_getattr_spool(fingerd_t)
 
-miscfiles_read_localization(fingerd_t)
+sysnet_read_config(fingerd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
 
diff --git a/firewalld.fc b/firewalld.fc
index 21d7b84..0e272bd 100644
--- a/firewalld.fc
+++ b/firewalld.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/firewalld.*  -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+
 /etc/rc\.d/init\.d/firewalld	--	gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
 
 /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
index c62c567..2d9e254 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Read firewalld configuration files.
+##	Read firewalld config
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -10,7 +10,7 @@
 ## </summary>
 ## </param>
 #
-interface(`firewalld_read_config_files',`
+interface(`firewalld_read_config',`
 	gen_require(`
 		type firewalld_etc_rw_t;
 	')
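Review bot: Renaming `firewalld_read_config_files` to `firewalld_read_config` removes a public interface with no compatibility shim, so any module outside this tree that calls the old name stops building; the later rename of `firewalld_dontaudit_rw_tmp_files` to `firewalld_dontaudit_write_tmp_files` in this file has the same effect and additionally narrows the suppressed permissions from `{ read write }` to `write`. The usual refpolicy approach is to keep a deprecated wrapper interface under the old name that calls `refpolicywarn` with a deprecation message and then `firewalld_read_config($1)`, and to mention the rename in the commit message.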
@@ -21,6 +21,48 @@ interface(`firewalld_read_config_files',`
 
 ########################################
 ## <summary>
+##	Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`firewalld_initrc_domtrans',`
+	gen_require(`
+		type firewalld_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`firewalld_systemctl',`
+	gen_require(`
+		type firewalld_t;
+		type firewalld_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 firewalld_unit_file_t:file read_file_perms;
+	allow $1 firewalld_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, firewalld_t)
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	firewalld over dbus.
 ## </summary>
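Review bot: `firewalld_systemctl` copies the summary of `firewalld_initrc_domtrans` (`Execute firewalld server in the firewalld domain.`) although it grants systemctl control of the unit rather than a domain transition; suggest `Allow the caller to manage the firewalld unit with systemctl and read firewalld process state.`. The `firewalld_initrc_domtrans` summary is also imprecise, since it transitions through the init script via `init_labeled_script_domtrans`; `Execute the firewalld init script in the init script domain.` is the wording comparable interfaces use. `init_reload_services($1)` in the new interface appears to grant reload on the init system itself, not just the firewalld unit — confirm, and if so state it in the summary.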
@@ -42,8 +84,8 @@ interface(`firewalld_dbus_chat',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read, snd
-##	write firewalld temporary files.
+##	Dontaudit attempts to write
+##	firewalld tmp files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -51,18 +93,37 @@ interface(`firewalld_dbus_chat',`
 ##	</summary>
 ## </param>
 #
-interface(`firewalld_dontaudit_rw_tmp_files',`
+interface(`firewalld_dontaudit_write_tmp_files',`
 	gen_require(`
 		type firewalld_tmp_t;
 	')
 
-	dontaudit $1 firewalld_tmp_t:file { read write };
+	dontaudit $1 firewalld_tmp_t:file write;
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to
-##	administrate an firewalld environment.
+##	Read firewalld PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`firewalld_read_pid_files',`
+	gen_require(`
+		type firewalld_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 firewalld_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an firewalld environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -79,14 +140,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
 interface(`firewalld_admin',`
 	gen_require(`
 		type firewalld_t, firewalld_initrc_exec_t;
-		type firewall_etc_rw_t, firewalld_var_run_t;
+		type firewalld_etc_rw_t, firewalld_var_run_t;
 		type firewalld_var_log_t;
 	')
 
-	allow $1 firewalld_t:process { ptrace signal_perms };
+	allow $1 firewalld_t:process signal_perms;
 	ps_process_pattern($1, firewalld_t)
 
-	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 firewalld_t:process ptrace;
+	')
+
+	firewalld_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 firewalld_initrc_exec_t system_r;
 	allow $2 system_r;
@@ -97,6 +162,9 @@ interface(`firewalld_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, firewalld_var_log_t)
 
-	files_search_etc($1)
-	admin_pattern($1, firewall_etc_rw_t)
+	admin_pattern($1, firewalld_etc_rw_t)
+
+	admin_pattern($1, firewalld_unit_file_t)
+	firewalld_systemctl($1)
+	allow $1 firewalld_unit_file_t:service all_service_perms;
 ')
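Review bot: `admin_pattern($1, firewalld_unit_file_t)` and `allow $1 firewalld_unit_file_t:service all_service_perms;` use a type that `firewalld_admin`'s `gen_require` block (in the previous hunk) does not list; it builds only because the nested `firewalld_systemctl($1)` expands its own require, so add `type firewalld_unit_file_t;` to the admin interface's `gen_require`. The `all_service_perms` rule also supersedes the `manage_service_perms` that `firewalld_systemctl` grants two lines earlier — keep one, and if admins genuinely need every service permission, say so in a comment. Dropping `files_search_etc($1)` before `admin_pattern($1, firewalld_etc_rw_t)` assumes admin domains already search /etc, which holds for the usual admin roles but is worth confirming.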
diff --git a/firewalld.te b/firewalld.te
index 98072a3..af4b438 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
 type firewalld_tmp_t;
 files_tmp_file(firewalld_tmp_t)
 
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
 type firewalld_var_run_t;
 files_pid_file(firewalld_var_run_t)
 
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
 ########################################
 #
 # Local policy
@@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
 files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
 allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
 
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
+allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
+
 manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file dir })
+can_exec(firewalld_t, firewalld_var_run_t)
 
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
 kernel_rw_net_sysctls(firewalld_t)
 
+files_list_kernel_modules(firewalld_t)
+
 corecmd_exec_bin(firewalld_t)
 corecmd_exec_shell(firewalld_t)
 
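Review bot: `can_exec(firewalld_t, firewalld_var_run_t)` makes files the daemon itself creates under /run executable, giving firewalld a location that is both writable and executable by its own domain; the commit does not say what gets executed there. If these are generated helper scripts, a dedicated type for them (or at minimum a `# can_exec: <reason — fill in>` comment above the line) would keep ordinary pid files non-executable. The `manage_dirs_pattern` and `{ file dir }` filetrans additions are straightforward.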
@@ -63,20 +79,23 @@ dev_search_sysfs(firewalld_t)
 
 domain_use_interactive_fds(firewalld_t)
 
-files_read_etc_files(firewalld_t)
-files_read_usr_files(firewalld_t)
+files_dontaudit_access_check_tmp(firewalld_t)
 files_dontaudit_list_tmp(firewalld_t)
 
 fs_getattr_xattr_fs(firewalld_t)
+fs_dontaudit_all_access_check(firewalld_t)
 
-logging_send_syslog_msg(firewalld_t)
+auth_use_nsswitch(firewalld_t)
 
-miscfiles_read_localization(firewalld_t)
+libs_exec_ldconfig(firewalld_t)
 
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
+logging_send_syslog_msg(firewalld_t)
 
-sysnet_read_config(firewalld_t)
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
+sysnet_create_config(firewalld_t)
+sysnet_relabelfrom_net_conf(firewalld_t)
+sysnet_relabelto_net_conf(firewalld_t)
 
 optional_policy(`
 	dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -91,10 +110,15 @@ optional_policy(`
 
 	optional_policy(`
 		networkmanager_dbus_chat(firewalld_t)
+		networkmanager_stream_connect(firewalld_t)
 	')
 ')
 
 optional_policy(`
+	gnome_read_generic_data_home_dirs(firewalld_t)
+')
+
+optional_policy(`
 	iptables_domtrans(firewalld_t)
 ')
 
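Review bot: `gnome_read_generic_data_home_dirs(firewalld_t)` gives a root system daemon read access to users' generic data home directories, which is an unusual grant for a firewall service and is not explained. If it only silences a denial from a library probing XDG directories, a dontaudit interface would be the safer fix; either way a comment stating the trigger belongs above the call.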
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1..941f4ef 100644
--- a/firewallgui.if
+++ b/firewallgui.if
@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
 		type firewallgui_t;
 	')
 
-	dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
 ')
diff --git a/firewallgui.te b/firewallgui.te
index 2094546..2481a97 100644
--- a/firewallgui.te
+++ b/firewallgui.te
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
 dev_read_sysfs(firewallgui_t)
 dev_read_urand(firewallgui_t)
 
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
 files_list_kernel_modules(firewallgui_t)
-files_read_usr_files(firewallgui_t)
 
 auth_use_nsswitch(firewallgui_t)
 
@@ -60,12 +62,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_read_generic_gconf_home_content(firewallgui_t)
+	gnome_read_gconf_home_files(firewallgui_t)
 ')
 
 optional_policy(`
 	iptables_domtrans(firewallgui_t)
 	iptables_initrc_domtrans(firewallgui_t)
+	iptables_systemctl(firewallgui_t)
 ')
 
 optional_policy(`
diff --git a/firstboot.fc b/firstboot.fc
index 12c782c..ba614e4 100644
--- a/firstboot.fc
+++ b/firstboot.fc
@@ -1,5 +1,3 @@
-/etc/rc\.d/init\.d/firstboot.*	--	gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
+/usr/sbin/firstboot		--	gen_context(system_u:object_r:firstboot_exec_t,s0)
 
-/usr/sbin/firstboot	--	gen_context(system_u:object_r:firstboot_exec_t,s0)
-
-/usr/share/firstboot/firstboot\.py	--	gen_context(system_u:object_r:firstboot_exec_t,s0)
+/usr/share/firstboot/firstboot\.py --	gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/firstboot.if b/firstboot.if
index 280f875..f3a67c9 100644
--- a/firstboot.if
+++ b/firstboot.if
@@ -1,4 +1,7 @@
-## <summary>Initial system configuration utility.</summary>
+## <summary>
+##	Final system configuration run during the first boot
+##	after installation of Red Hat/Fedora systems.
+## </summary>
 
 ########################################
 ## <summary>
@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',`
 		type firstboot_t, firstboot_exec_t;
 	')
 
-	corecmd_search_bin($1)
 	domtrans_pattern($1, firstboot_exec_t, firstboot_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute firstboot in the firstboot
-##	domain, and allow the specified role
-##	the firstboot domain.
+##	Execute firstboot in the firstboot domain, and
+##	allow the specified role the firstboot domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
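Review bot: Dropping `corecmd_search_bin($1)` from `firstboot_domtrans` leaves the caller without search on bin_t unless it already has it, and the other domtrans interfaces in this same commit (`freqset_domtrans`, `gear_domtrans`, `ftp_domtrans`) keep that call, so the interfaces are now inconsistent. If the removal is deliberate because every expected caller of firstboot already searches bin directories, a one-line comment saying so above the `domtrans_pattern` line would stop the next reviewer from re-adding it; otherwise restore `corecmd_search_bin($1)`. The interface body starts before this hunk.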
@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',`
 #
 interface(`firstboot_run',`
 	gen_require(`
-		attribute_role firstboot_roles;
+		type firstboot_t;
 	')
 
 	firstboot_domtrans($1)
-	roleattribute $2 firstboot_roles;
+	role $2 types firstboot_t;
 ')
 
 ########################################
 ## <summary>
-##	Inherit and use firstboot file descriptors.
+##	Inherit and use a file descriptor from firstboot.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to inherit
-##	firstboot file descriptors.
+##	Do not audit attempts to inherit a
+##	file descriptor from firstboot.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Write firstboot unnamed pipes.
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`firstboot_dontaudit_leaks',`
+	gen_require(`
+		type firstboot_t;
+	')
+
+	dontaudit $1 firstboot_t:socket_class_set { read write };
+	dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
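Review bot: The summary of the new `firstboot_dontaudit_leaks` interface, "dontaudit read and write an leaked file descriptors", is ungrammatical and does not follow the "Do not audit attempts to …" wording used by the neighbouring interfaces in this file. Proposed: `##	Do not audit attempts to read or write leaked firstboot file descriptors.` The body itself (dontaudit on `socket_class_set { read write }` and `rw_inherited_fifo_file_perms`) matches that description.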
@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',`
 		type firstboot_t;
 	')
 
+	allow $1 firstboot_t:fd use;
 	allow $1 firstboot_t:fifo_file write;
 ')
 
 ########################################
 ## <summary>
-##	Read and Write firstboot unnamed pipes.
+##	Read and Write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',`
 
 ########################################
 ## <summary>
-## 	Do not audit attemps to read and
-##	write firstboot unnamed pipes.
+## 	Do not audit attemps to read and write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
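Review bot: The rewritten summary line still carries the typo "attemps" (`## 	Do not audit attemps to read and write to a firstboot unnamed pipe.`), and the same misspelling plus a stray space after `##` survives in the next hunk for `firstboot_dontaudit_rw_unix_stream_sockets`. Since these lines are being rewritten anyway, fix both: `##	Do not audit attempts to read and write to a firstboot unnamed pipe.` and `##	Do not audit attempts to read and write to a firstboot`.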
@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',`
 
 ########################################
 ## <summary>
-## 	Do not audit attemps to read and
-##	write firstboot unix domain
-##	stream sockets.
+## 	Do not audit attemps to read and write to a firstboot
+##	unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/firstboot.te b/firstboot.te
index 5010f04..3b73741 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
 policy_module(firstboot, 1.13.0)
 
 gen_require(`
-	class passwd { passwd chfn chsh rootok };
+	class passwd { passwd chfn chsh rootok crontab };
 ')
 
 ########################################
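Review bot: `crontab` is added to the required `passwd` class permissions, but the only visible rule on that class, `allow firstboot_t self:passwd { rootok passwd chfn chsh };` later in this file, does not use it. Unless a rule outside these hunks grants `crontab`, the new permission in `gen_require` is dead; either drop it again or add the intended rule, e.g. `allow firstboot_t self:passwd { rootok passwd chfn chsh crontab };` with a comment on why firstboot needs it.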
@@ -9,17 +9,12 @@ gen_require(`
 # Declarations
 #
 
-attribute_role firstboot_roles;
-
 type firstboot_t;
 type firstboot_exec_t;
 init_system_domain(firstboot_t, firstboot_exec_t)
 domain_obj_id_change_exemption(firstboot_t)
 domain_subj_id_change_exemption(firstboot_t)
-role firstboot_roles types firstboot_t;
-
-type firstboot_initrc_exec_t;
-init_script_file(firstboot_initrc_exec_t)
+role system_r types firstboot_t;
 
 type firstboot_etc_t;
 files_config_file(firstboot_etc_t)
@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t)
 allow firstboot_t self:capability { dac_override setgid };
 allow firstboot_t self:process setfscreate;
 allow firstboot_t self:fifo_file rw_fifo_file_perms;
-allow firstboot_t self:tcp_socket { accept listen };
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
+allow firstboot_t self:unix_stream_socket { connect create };
 allow firstboot_t self:passwd { rootok passwd chfn chsh };
 
 allow firstboot_t firstboot_etc_t:file read_file_perms;
 
+files_manage_generic_tmp_dirs(firstboot_t)
+files_manage_generic_tmp_files(firstboot_t)
+
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
 
-corecmd_exec_all_executables(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
+corenet_tcp_sendrecv_generic_if(firstboot_t)
+corenet_tcp_sendrecv_generic_node(firstboot_t)
+corenet_tcp_sendrecv_all_ports(firstboot_t)
 
 dev_read_urand(firstboot_t)
 
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_manage_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-files_create_boot_flag(firstboot_t)
-files_delete_boot_flag(firstboot_t)
-
 selinux_get_fs_mount(firstboot_t)
 selinux_validate_context(firstboot_t)
 selinux_compute_access_vector(firstboot_t)
@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t)
 
 auth_dontaudit_getattr_shadow(firstboot_t)
 
+corecmd_exec_all_executables(firstboot_t)
+
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
 init_domtrans_script(firstboot_t)
 init_rw_utmp(firstboot_t)
 
@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
 
 logging_send_syslog_msg(firstboot_t)
 
-miscfiles_read_localization(firstboot_t)
-
 sysnet_dns_name_resolve(firstboot_t)
 
-userdom_use_user_terminals(firstboot_t)
+userdom_use_inherited_user_terminals(firstboot_t)
+
+# Add/remove user home directories
 userdom_manage_user_home_content_dirs(firstboot_t)
 userdom_manage_user_home_content_files(firstboot_t)
 userdom_manage_user_home_content_symlinks(firstboot_t)
 userdom_manage_user_home_content_pipes(firstboot_t)
 userdom_manage_user_home_content_sockets(firstboot_t)
 userdom_home_filetrans_user_home_dir(firstboot_t)
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_filetrans_home_content(firstboot_t)
 
 optional_policy(`
 	dbus_system_bus_client(firstboot_t)
@@ -102,20 +105,17 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(firstboot_t)
-')
-
-optional_policy(`
 	samba_rw_config(firstboot_t)
 ')
 
 optional_policy(`
-	unconfined_domtrans(firstboot_t)
-	unconfined_domain(firstboot_t)
+	# The big hammer
+	unconfined_domain_noaudit(firstboot_t)
 ')
 
 optional_policy(`
-	gnome_manage_generic_home_content(firstboot_t)
+	gnome_admin_home_gconf_filetrans(firstboot_t, dir)
+	gnome_manage_config(firstboot_t)
 ')
 
 optional_policy(`
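Review bot: Switching from `unconfined_domain(firstboot_t)` to `unconfined_domain_noaudit(firstboot_t)` also silences AVC denials for this domain, so anything firstboot does that the unconfined rules do not already cover will no longer show up in audit logs; "# The big hammer" does not tell a maintainer that logging was given up deliberately. Replace the comment with one that records the reason, e.g. `# firstboot is unconfined; the noaudit variant is used to suppress denials on <reason>` with the actual reason filled in, so the loss of audit visibility is a documented decision rather than an accident.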
diff --git a/fprintd.te b/fprintd.te
index 92a6479..e45b03c 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -20,23 +20,26 @@ files_type(fprintd_var_lib_t)
 allow fprintd_t self:capability sys_nice;
 allow fprintd_t self:process { getsched setsched signal sigkill };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto };
 
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 
 kernel_read_system_state(fprintd_t)
 
+corecmd_exec_bin(fprintd_t)
+
 dev_list_usbfs(fprintd_t)
 dev_read_sysfs(fprintd_t)
+dev_read_urand(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 
-files_read_usr_files(fprintd_t)
-
 fs_getattr_all_fs(fprintd_t)
 
 auth_use_nsswitch(fprintd_t)
 
-miscfiles_read_localization(fprintd_t)
+logging_send_syslog_msg(fprintd_t)
 
 userdom_use_user_ptys(fprintd_t)
 userdom_read_all_users_state(fprintd_t)
@@ -54,8 +57,21 @@ optional_policy(`
 	')
 ')
 
+
 optional_policy(`
-	policykit_domtrans_auth(fprintd_t)
 	policykit_read_reload(fprintd_t)
 	policykit_read_lib(fprintd_t)
+	policykit_domtrans_auth(fprintd_t)
+')
+
+optional_policy(`
+	rhcs_dbus_chat_cluster(fprintd_t)
+')
+
+optional_policy(`
+	udev_read_db(fprintd_t)
+')
+
+optional_policy(`
+	xserver_read_state_xdm(fprintd_t)
 ')
diff --git a/freeipmi.fc b/freeipmi.fc
new file mode 100644
index 0000000..0942a2e
--- /dev/null
+++ b/freeipmi.fc
@@ -0,0 +1,17 @@
+/usr/lib/systemd/system/bmc-watchdog.*		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0)
+/usr/lib/systemd/system/ipmidetectd.*		--	gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0)
+/usr/lib/systemd/system/ipmiseld.*        --  gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0)
+
+/usr/sbin/bmc-watchdog		--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0)
+/usr/sbin/ipmidetectd			--	gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0)
+/usr/sbin/ipmiseld		--	gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0)
+
+/var/cache/ipmiseld(/.*)?       			gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+/var/cache/ipmimonitoringsdrcache(/.*)?		gen_context(system_u:object_r:freeipmi_var_cache_t,s0)
+
+/var/lib/freeipmi(/.*)?     gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
+
+
+/var/run/ipmidetectd\.pid	--	gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0)
+/var/run/ipmiseld\.pid	--	gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0)
+/var/run/bmc-watchdog\.pid	--	gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0)
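Review bot: The new file contexts mix tab and space separation between path, file-type column and context (compare the `ipmiseld` lines with the `bmc-watchdog` lines), and there is a double blank line before the `/var/run` entries. Aligning every entry with tabs the way the other `.fc` files in this diff do, and dropping the extra blank line, keeps the file readable and `diff`-friendly without changing any label.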
diff --git a/freeipmi.if b/freeipmi.if
new file mode 100644
index 0000000..dc94853
--- /dev/null
+++ b/freeipmi.if
@@ -0,0 +1,71 @@
+## <summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
+
+#####################################
+## <summary>
+##  Creates types and rules for a basic
+##  freeipmi init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`freeipmi_domain_template',`
+    gen_require(`
+        attribute freeipmi_domain, freeipmi_pid;
+    ')
+
+    #############################
+    #
+    # Declarations
+    #
+
+    type freeipmi_$1_t, freeipmi_domain;
+    type freeipmi_$1_exec_t;
+    init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
+    role system_r types freeipmi_$1_t;
+
+	type freeipmi_$1_unit_file_t;
+	systemd_unit_file(freeipmi_$1_unit_file_t)
+
+	type freeipmi_$1_var_run_t, freeipmi_pid;
+	files_pid_file(freeipmi_$1_var_run_t)
+
+    #############################
+    #
+    # Local policy
+    #
+
+	manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
+
+	kernel_read_system_state(freeipmi_$1_t)
+
+	corenet_all_recvfrom_netlabel(freeipmi_$1_t)
+	corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
+
+    auth_use_nsswitch(freeipmi_$1_t)
+
+    logging_send_syslog_msg(freeipmi_$1_t)
+')
+
+####################################
+## <summary>
+##	Connect to cluster domains over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`freeipmi_stream_connect',`
+	gen_require(`
+		attribute freeipmi_domain, freeipmi_pid;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
+')
+
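Review bot: The summary of `freeipmi_stream_connect` says "Connect to cluster domains over a unix domain stream socket", which looks copied from another module; the body connects to `freeipmi_domain` via `freeipmi_pid` sock files. Proposed: `##	Connect to freeipmi daemons over a unix domain stream socket.` Separately, the template body mixes four-space and tab indentation (the declarations use spaces, the unit-file and pid-file types use tabs, then the local policy switches back and forth); pick the tab style used by the other `.if` files in this commit for the whole template.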
diff --git a/freeipmi.te b/freeipmi.te
new file mode 100644
index 0000000..0ca4fc3
--- /dev/null
+++ b/freeipmi.te
@@ -0,0 +1,79 @@
+policy_module(freeipmi, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute freeipmi_domain;
+attribute freeipmi_pid;
+
+freeipmi_domain_template(ipmidetectd)
+freeipmi_domain_template(ipmiseld)
+freeipmi_domain_template(bmc_watchdog)
+
+type freeipmi_var_lib_t;
+files_type(freeipmi_var_lib_t)
+
+type freeipmi_var_cache_t;
+files_type(freeipmi_var_cache_t)
+
+########################################
+#
+# freeipmi_domain local policy
+#
+
+allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
+allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
+allow freeipmi_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
+files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
+
+manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
+files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
+
+dev_read_rand(freeipmi_domain)
+dev_read_urand(freeipmi_domain)
+dev_rw_ipmi_dev(freeipmi_domain)
+
+sysnet_dns_name_resolve(freeipmi_domain)
+
+#######################################
+#
+# bmc-watchdog local policy
+#
+
+allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
+
+files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
+
+dev_read_raw_memory(freeipmi_bmc_watchdog_t)
+
+#######################################
+#
+# ipmidetectd local policy
+#
+
+allow freeipmi_ipmidetectd_t self:tcp_socket listen;
+
+files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
+
+corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
+
+#######################################
+#
+# ipmiseld local policy
+#
+
+allow freeipmi_ipmiseld_t self:capability sys_rawio;
+
+allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
+
+dev_read_raw_memory(freeipmi_ipmiseld_t)
+
+files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
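Review bot: `allow freeipmi_ipmidetectd_t self:tcp_socket listen;` is the only `tcp_socket` rule visible for this domain; the template grants only `unix_stream_socket` and `fifo_file` on self, and the `corenet_tcp_bind_freeipmi_port` call covers `name_bind` on the port type, not socket creation. Unless the template or a rule outside this file supplies `create`/`bind`, the usual form is `allow freeipmi_ipmidetectd_t self:tcp_socket create_stream_socket_perms;` plus `corenet_tcp_bind_generic_node(freeipmi_ipmidetectd_t)`. Also, `dev_read_raw_memory` for bmc-watchdog and ipmiseld and `sys_rawio` for ipmiseld are strong privileges with no explanation; a one-line comment above each naming what the daemon reads from raw memory would let a later reviewer judge whether `dev_rw_ipmi_dev` alone could replace them.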
diff --git a/freqset.fc b/freqset.fc
new file mode 100644
index 0000000..3cd9c38
--- /dev/null
+++ b/freqset.fc
@@ -0,0 +1 @@
+/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset		--	gen_context(system_u:object_r:freqset_exec_t,s0)
diff --git a/freqset.if b/freqset.if
new file mode 100644
index 0000000..190ccc0
--- /dev/null
+++ b/freqset.if
@@ -0,0 +1,76 @@
+
+## <summary>policy for freqset</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the freqset domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`freqset_domtrans',`
+	gen_require(`
+		type freqset_t, freqset_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, freqset_exec_t, freqset_t)
+')
+
+########################################
+## <summary>
+##	Execute freqset in the freqset domain, and
+##	allow the specified role the freqset domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the freqset domain.
+##	</summary>
+## </param>
+#
+interface(`freqset_run',`
+	gen_require(`
+		type freqset_t;
+		attribute_role freqset_roles;
+	')
+
+	freqset_domtrans($1)
+	roleattribute $2 freqset_roles;
+')
+
+########################################
+## <summary>
+##	Role access for freqset
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`freqset_role',`
+	gen_require(`
+		type freqset_t;
+		attribute_role freqset_roles;
+	')
+
+	roleattribute $1 freqset_roles;
+
+	freqset_domtrans($2)
+
+	ps_process_pattern($2, freqset_t)
+	allow $2 freqset_t:process { signull signal sigkill };
+')
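Review bot: The `freqset_domtrans` summary reads "Execute TEMPLATE in the freqset domin.", a leftover from the interface template with a typo. Proposed: `##	Execute freqset in the freqset domain.` The rest of the file's documentation is fine.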
diff --git a/freqset.te b/freqset.te
new file mode 100644
index 0000000..0d09fbd
--- /dev/null
+++ b/freqset.te
@@ -0,0 +1,34 @@
+policy_module(freqset, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role freqset_roles;
+roleattribute system_r freqset_roles;
+
+type freqset_t;
+type freqset_exec_t;
+application_domain(freqset_t, freqset_exec_t)
+
+role freqset_roles types freqset_t;
+
+########################################
+#
+# freqset local policy
+#
+allow freqset_t self:capability { setuid };
+
+allow freqset_t self:fifo_file manage_fifo_file_perms;
+allow freqset_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_rw_sysfs(freqset_t)
+
+domain_use_interactive_fds(freqset_t)
+
+files_read_etc_files(freqset_t)
+
+miscfiles_read_localization(freqset_t)
+
+userdom_use_inherited_user_terminals(freqset_t)
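Review bot: `allow freqset_t self:capability { setuid };` grants a privilege-changing capability with no comment, and the braces around a single permission are not the style used elsewhere in this diff (compare `allow fprintd_t self:capability sys_nice;`). Proposed: `# freqset is a setuid helper that writes cpufreq settings under sysfs` above `allow freqset_t self:capability setuid;`, which also documents why `dev_rw_sysfs(freqset_t)` is needed.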
diff --git a/ftp.fc b/ftp.fc
index ddb75c1..f38075f 100644
--- a/ftp.fc
+++ b/ftp.fc
@@ -1,5 +1,8 @@
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
 
+/usr/lib/systemd/system/vsftpd.* 	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/proftpd.*	--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
 /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
 /etc/rc\.d/init\.d/vsftpd	--	gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
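Review bot: Both new unit-file entries are labeled `iptables_unit_file_t` instead of the `ftpd_unit_file_t` type this same commit declares in ftp.te (`type ftpd_unit_file_t;` / `systemd_unit_file(ftpd_unit_file_t)`), and `ftp_systemctl`/`ftp_admin` only grant access to `ftpd_unit_file_t`. As written the ftp admin interfaces would not cover the real vsftpd/proftpd units, while any domain given `iptables_systemctl` (for example `firewallgui_t`, which gains it elsewhere in this commit) could start, stop and modify the ftp services. Proposed: `/usr/lib/systemd/system/vsftpd.*	--	gen_context(system_u:object_r:ftpd_unit_file_t,s0)` and the same type for the proftpd line.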
@@ -23,6 +26,7 @@
 
 /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/proftpd\.log	--		gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/ftp.if b/ftp.if
index 4498143..84a4858 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,67 @@
 ## <summary>File transfer protocol service.</summary>
 
+######################################
+## <summary>
+##      Execute a domain transition to run ftpd.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ftp_domtrans',`
+        gen_require(`
+                type ftpd_t, ftpd_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1,ftpd_exec_t, ftpd_t)
+
+')
+
+#######################################
+## <summary>
+##  Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The type of the process performing this action.
+##  </summary>
+## </param>
+#
+interface(`ftp_initrc_domtrans',`
+    gen_require(`
+        type ftpd_initrc_exec_t;
+    ')
+
+    init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ftp_systemctl',`
+	gen_require(`
+		type ftpd_unit_file_t;
+		type ftpd_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+	allow $1 ftpd_unit_file_t:file read_file_perms;
+	allow $1 ftpd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ftpd_t)
+')
+
 #######################################
 ## <summary>
 ##	Execute a dyntransition to run anon sftpd.
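Review bot: The `ftp_systemctl` summary, "Execute ftpd server in the ftpd domain.", is the same text as `ftp_initrc_domtrans` and does not describe what the interface does (it grants systemctl execution, service reload and `manage_service_perms` on `ftpd_unit_file_t`, not a domain transition). Proposed: `##	Allow the specified domain to manage the ftpd service via systemctl.` Style: `ftp_domtrans` is indented with eight spaces and `ftp_initrc_domtrans` with four while the rest of the file uses tabs, `domtrans_pattern($1,ftpd_exec_t, ftpd_t)` is missing the space after the first comma, and there is a stray blank line before the closing `')` of `ftp_domtrans`.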
@@ -179,8 +241,11 @@ interface(`ftp_admin',`
 		type ftpd_keytab_t;
 	')
 
-	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+	allow $1 ftpd_t:process signal_perms;
 	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
 	domain_system_change_exemption($1)
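Review bot: `allow $1 ftpd_t:process signal_perms;` narrows the replaced rule from all four domains to `ftpd_t` only, while `ps_process_pattern` and the new `deny_ptrace`-gated `ptrace` rule on the following lines still cover `{ ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }`; an ftp admin could no longer signal ftpdctl, sftpd or anon sftpd processes. If that is not intended, use `allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process signal_perms;`. The interface body starts before this hunk.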
@@ -204,5 +269,9 @@ interface(`ftp_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, xferlog_t)
 
+	ftp_systemctl($1)
+	admin_pattern($1, ftpd_unit_file_t)
+	allow $1 ftpd_unit_file_t:service all_service_perms;
+
 	ftp_run_ftpdctl($1, $2)
 ')
diff --git a/ftp.te b/ftp.te
index 36838c2..2812a63 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
 ##	be labeled public_content_rw_t.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_anon_write, false)
+gen_tunable(ftpd_anon_write, false)
 
 ## <desc>
 ##	<p>
@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false)
 ##	all files on the system, governed by DAC.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_full_access, false)
+gen_tunable(ftpd_full_access, false)
 
 ## <desc>
 ##	<p>
@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
 ##	used for public file transfer services.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow ftpd to use ntfs/fusefs volumes.
+## </p>
+## </desc>
+gen_tunable(ftpd_use_fusefs, false)
 
 ## <desc>
 ##	<p>
@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
 ##	used for public file transfer services.
 ##	</p>
 ## </desc>
-gen_tunable(allow_ftpd_use_nfs, false)
+gen_tunable(ftpd_use_nfs, false)
 
 ## <desc>
 ##	<p>
@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether ftpd can read and write
-##	files in user home directories.
-##	</p>
-## </desc>
-gen_tunable(ftp_home_dir, false)
-
-## <desc>
-##	<p>
 ##	Determine whether sftpd can modify
 ##	public files used for public file
 ##	transfer services. Directories/Files must
@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t)
 type ftpd_initrc_exec_t;
 init_script_file(ftpd_initrc_exec_t)
 
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
 type ftpd_keytab_t;
 files_type(ftpd_keytab_t)
 
@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
 allow ftpd_t ftpd_lock_t:file manage_file_perms;
 files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
 
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
+
 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
 
 allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 
-allow ftpd_t xferlog_t:dir setattr_dir_perms;
-append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-logging_log_filetrans(ftpd_t, xferlog_t, file)
+manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+logging_log_filetrans(ftpd_t, xferlog_t, { dir file })
 
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
-kernel_search_network_state(ftpd_t)
+kernel_read_network_state(ftpd_t)
 
 dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
 
 corecmd_exec_bin(ftpd_t)
 
-corenet_all_recvfrom_unlabeled(ftpd_t)
 corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_generic_if(ftpd_t)
 corenet_udp_sendrecv_generic_if(ftpd_t)
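Review bot: Replacing the append/create/setattr rules on `xferlog_t` with `manage_dirs_pattern`/`manage_files_pattern` lets ftpd delete, rename and rewrite its own transfer logs, which the previous append-only set deliberately prevented; if an ftpd process is compromised, the log that would show it is now under its control. If a specific daemon needs more than append (log rotation, a per-day directory), grant only that and say why in a comment, e.g. `# proftpd creates per-day log directories` above the directory rule, and keep `append_files_pattern` plus `create_files_pattern` for the files.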
@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
 corenet_sendrecv_ftp_data_server_packets(ftpd_t)
 corenet_tcp_bind_ftp_data_port(ftpd_t)
 
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
+
 domain_use_interactive_fds(ftpd_t)
 
-files_read_etc_files(ftpd_t)
 files_read_etc_runtime_files(ftpd_t)
 files_search_var_lib(ftpd_t)
 
@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
 logging_set_loginuid(ftpd_t)
 
-miscfiles_read_localization(ftpd_t)
 miscfiles_read_public_files(ftpd_t)
 
 seutil_dontaudit_search_config(ftpd_t)
@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 userdom_dontaudit_search_user_home_dirs(ftpd_t)
+userdom_filetrans_home_content(ftpd_t)
 
-tunable_policy(`allow_ftpd_anon_write',`
+tunable_policy(`ftpd_anon_write',`
 	miscfiles_manage_public_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_cifs',`
+tunable_policy(`ftpd_use_cifs',`
 	fs_read_cifs_files(ftpd_t)
 	fs_read_cifs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
 	fs_manage_cifs_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_nfs',`
+tunable_policy(`ftpd_use_fusefs',`
+        fs_manage_fusefs_dirs(ftpd_t)
+        fs_manage_fusefs_files(ftpd_t)
+        fs_manage_fusefs_symlinks(ftpd_t)
+',`
+        fs_search_fusefs(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_nfs',`
 	fs_read_nfs_files(ftpd_t)
 	fs_read_nfs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
 	fs_manage_nfs_files(ftpd_t)
 ')
 
-tunable_policy(`allow_ftpd_full_access',`
+tunable_policy(`ftpd_full_access',`
 	allow ftpd_t self:capability { dac_override dac_read_search };
-	files_manage_non_auth_files(ftpd_t)
+	files_manage_non_security_dirs(ftpd_t)
+	files_manage_non_security_files(ftpd_t)
+')
+
+tunable_policy(`ftpd_use_passive_mode',`
+	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+')
+
+tunable_policy(`ftpd_connect_all_unreserved',`
+	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
 ')
 
 tunable_policy(`ftpd_use_passive_mode',`
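Review bot: The new `tunable_policy(`ftpd_use_passive_mode',` ... `)` block is immediately followed by a pre-existing block for the same boolean (the context line that closes this hunk), so the file now has two `ftpd_use_passive_mode` blocks; the `ftpd_connect_all_unreserved` block added here likely duplicates an existing one as well, since that tunable is already declared earlier in the file. Merge the new rules into the existing blocks rather than adding a second copy. Style: the `ftpd_use_fusefs` block is indented with eight spaces where the surrounding blocks use a tab.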
@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',`
 	corenet_sendrecv_mssql_client_packets(ftpd_t)
 	corenet_tcp_connect_mssql_port(ftpd_t)
 	corenet_tcp_sendrecv_mssql_port(ftpd_t)
-	corenet_sendrecv_oracledb_client_packets(ftpd_t)
-	corenet_tcp_connect_oracledb_port(ftpd_t)
-	corenet_tcp_sendrecv_oracledb_port(ftpd_t)
-')
-
-tunable_policy(`ftp_home_dir',`
-	allow ftpd_t self:capability { dac_override dac_read_search };
-
-	userdom_manage_user_home_content_dirs(ftpd_t)
-	userdom_manage_user_home_content_files(ftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
-	userdom_manage_user_tmp_dirs(ftpd_t)
-	userdom_manage_user_tmp_files(ftpd_t)
-	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
-',`
-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
-	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+	corenet_sendrecv_oracle_client_packets(ftpd_t)
+	corenet_tcp_connect_oracle_port(ftpd_t)
+	corenet_tcp_sendrecv_oracle_port(ftpd_t)
 ')
 
-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(ftpd_t)
 	fs_manage_nfs_files(ftpd_t)
 	fs_manage_nfs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
+tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_dirs(ftpd_t)
 	fs_manage_cifs_files(ftpd_t)
 	fs_manage_cifs_symlinks(ftpd_t)
 ')
 
 optional_policy(`
-	tunable_policy(`ftp_home_dir',`
-		apache_search_sys_content(ftpd_t)
-	')
-')
-
-optional_policy(`
 	corecmd_exec_shell(ftpd_t)
 
 	files_read_usr_files(ftpd_t)
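Review bot: With the `ftp_home_dir` guard removed, `use_nfs_home_dirs` and `use_samba_home_dirs` alone now give `ftpd_t` manage access to NFS and CIFS home directories, yet the rules that gave it the equivalent access to local home content were deleted in this hunk without a visible replacement. Those two booleans are system-wide and are typically turned on for other services, so enabling them would silently widen ftpd to remote home directories while local ones stay closed. If the intent is that ftpd never manages home content unless a specific boolean is set, keep an ftpd-specific tunable in the condition (e.g. `tunable_policy(`ftpd_full_access && use_nfs_home_dirs',`); otherwise document the new behaviour next to these blocks.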
@@ -363,9 +365,8 @@ optional_policy(`
 
 optional_policy(`
 	selinux_validate_context(ftpd_t)
-
 	kerberos_read_keytab(ftpd_t)
-	kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
+	kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
 	kerberos_use(ftpd_t)
 ')
 
@@ -416,21 +417,20 @@ optional_policy(`
 #
 
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+files_search_pids(ftpdctl_t)
 
 allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 
-files_read_etc_files(ftpdctl_t)
 files_search_pids(ftpdctl_t)
 
-userdom_use_user_terminals(ftpdctl_t)
+userdom_use_inherited_user_terminals(ftpdctl_t)
 
 ########################################
 #
 # Anon sftpd local policy
 #
 
-files_read_etc_files(anon_sftpd_t)
 
 miscfiles_read_public_files(anon_sftpd_t)
 
@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',`
 # Sftpd local policy
 #
 
-files_read_etc_files(sftpd_t)
 
 userdom_read_user_home_content_files(sftpd_t)
 userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',`
+	allow sftpd_t self:capability { dac_override dac_read_search };
+	fs_read_noxattr_fs_files(sftpd_t)
+	files_manage_non_security_dirs(sftpd_t)
+	files_manage_non_security_files(sftpd_t)
+')
+
+optional_policy(`
+	tunable_policy(`sftpd_write_ssh_home',`
+		ssh_manage_home_files(sftpd_t)
+	')
+')
+
+userdom_filetrans_home_content(sftpd_t)
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
 
 tunable_policy(`sftpd_enable_homedirs',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 
 	userdom_manage_user_home_content_dirs(sftpd_t)
 	userdom_manage_user_home_content_files(sftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
 	userdom_manage_user_tmp_dirs(sftpd_t)
 	userdom_manage_user_tmp_files(sftpd_t)
-	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
-',`
-	userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
-	userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
 ')
 
 tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
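Review bot: The new `tunable_policy(`sftpd_full_access',` ... `)` block duplicates the existing `sftpd_full_access` block that the next hunk in this file modifies; the two differ only in that the new one also calls `files_manage_non_security_dirs(sftpd_t)`. Add that one line to the existing block instead of introducing a second block for the same boolean, and likewise check that the `optional_policy` wrapper around `sftpd_write_ssh_home` is the only remaining copy now that the unconditional one is deleted below.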
@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',`
 tunable_policy(`sftpd_full_access',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 	fs_read_noxattr_fs_files(sftpd_t)
-	files_manage_non_auth_files(sftpd_t)
+	files_manage_non_security_files(sftpd_t)
 ')
 
-tunable_policy(`sftpd_write_ssh_home',`
-	ssh_manage_home_files(sftpd_t)
-')
+userdom_home_reader(sftpd_t)
 
-tunable_policy(`use_samba_home_dirs',`
-	fs_list_cifs(sftpd_t)
-	fs_read_cifs_files(sftpd_t)
-	fs_read_cifs_symlinks(sftpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_list_nfs(sftpd_t)
-	fs_read_nfs_files(sftpd_t)
-	fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/games.if b/games.if
index e2a3e0d..50ebd40 100644
--- a/games.if
+++ b/games.if
@@ -58,3 +58,23 @@ interface(`games_rw_data',`
 	files_search_var_lib($1)
 	rw_files_pattern($1, games_data_t, games_data_t)
 ')
+
+########################################
+## <summary>
+##	Manage games data files.
+##	games data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`games_manage_data_files',`
+	gen_require(`
+		type games_data_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, games_data_t, games_data_t)
+')
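Review bot: The summary of the new `games_manage_data_files` interface is garbled: "Manage games data files. games data." Proposed: `##	Create, read, write, and delete games data files.` on a single line, matching the wording convention of the other interfaces in this file.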
diff --git a/games.te b/games.te
index e5b15fb..220622e 100644
--- a/games.te
+++ b/games.te
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
 
 logging_send_syslog_msg(games_srv_t)
 
-miscfiles_read_localization(games_srv_t)
-
 userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
 
 userdom_dontaudit_search_user_home_dirs(games_srv_t)
@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
 
-corenet_all_recvfrom_unlabeled(games_t)
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
 corenet_tcp_sendrecv_generic_node(games_t)
@@ -142,8 +139,6 @@ dev_write_sound(games_t)
 files_list_var(games_t)
 files_search_var_lib(games_t)
 files_dontaudit_search_var(games_t)
-files_read_etc_files(games_t)
-files_read_usr_files(games_t)
 files_read_var_files(games_t)
 
 init_dontaudit_rw_utmp(games_t)
@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t)
 logging_dontaudit_search_logs(games_t)
 
 miscfiles_read_man_pages(games_t)
-miscfiles_read_localization(games_t)
 
 sysnet_dns_name_resolve(games_t)
 
@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
 userdom_dontaudit_read_user_home_content_files(games_t)
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`deny_execmem',`', `
 	allow games_t self:process execmem;
 ')
 
diff --git a/gatekeeper.te b/gatekeeper.te
index 2820368..88c98f4 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
 
 corecmd_list_bin(gatekeeper_t)
 
-corenet_all_recvfrom_unlabeled(gatekeeper_t)
 corenet_all_recvfrom_netlabel(gatekeeper_t)
 corenet_tcp_sendrecv_generic_if(gatekeeper_t)
 corenet_udp_sendrecv_generic_if(gatekeeper_t)
@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t)
 
 domain_use_interactive_fds(gatekeeper_t)
 
-files_read_etc_files(gatekeeper_t)
-
 fs_getattr_all_fs(gatekeeper_t)
 fs_search_auto_mountpoints(gatekeeper_t)
 
 logging_send_syslog_msg(gatekeeper_t)
 
-miscfiles_read_localization(gatekeeper_t)
-
 sysnet_read_config(gatekeeper_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
diff --git a/gear.fc b/gear.fc
new file mode 100644
index 0000000..98c012c
--- /dev/null
+++ b/gear.fc
@@ -0,0 +1,7 @@
+/usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)
+
+/usr/lib/systemd/system/gear.service	--	gen_context(system_u:object_r:gear_unit_file_t,s0)
+
+/var/lib/containers(/.*)?			gen_context(system_u:object_r:gear_var_lib_t,s0)
+/var/lib/containers/units(/.*)?			gen_context(system_u:object_r:gear_unit_file_t,s0)
+/var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
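Review bot: gear.fc has no entries for the gear_log_t and gear_var_run_t types that gear.te declares, so a log directory or the `gear.pid` file created by `gear_filetrans_named_content` will only be labelled correctly on runtime creation and will fall back to var_log_t/var_run_t on a restorecon. Add the matching lines, e.g. `/var/log/gear(/.*)?		gen_context(system_u:object_r:gear_log_t,s0)` and `/var/run/gear\.pid		--	gen_context(system_u:object_r:gear_var_run_t,s0)`, adjusting paths to what the daemon actually uses. Labelling the whole `/var/lib/containers(/.*)?` tree as gear_var_lib_t is also broad: any other container tooling that stores state there would inherit gear's label and the blk/chr-file creation rights gear_t gets on that type, so confirm gear is the sole owner of that directory or narrow the pattern.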
diff --git a/gear.if b/gear.if
new file mode 100644
index 0000000..d745c67
--- /dev/null
+++ b/gear.if
@@ -0,0 +1,289 @@
+
+## <summary>The open-source application container engine.</summary>
+
+########################################
+## <summary>
+##	Execute gear in the gear domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gear_domtrans',`
+	gen_require(`
+		type gear_t, gear_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, gear_exec_t, gear_t)
+')
+
+########################################
+## <summary>
+##	Search gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_search_lib',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	allow $1 gear_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Execute gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_exec_lib',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	allow $1 gear_var_lib_t:dir search_dir_perms;
+	can_exec($1, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read gear lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_read_lib_files',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gear lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_manage_lib_files',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+	manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gear lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_manage_lib_dirs',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create objects in a gear var lib directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`gear_lib_filetrans',`
+	gen_require(`
+		type gear_var_lib_t;
+	')
+
+	filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Read gear PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_read_pid_files',`
+	gen_require(`
+		type gear_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, gear_var_run_t, gear_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute gear server in the gear domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`gear_systemctl',`
+	gen_require(`
+		type gear_t;
+		type gear_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	init_reload_services($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 gear_unit_file_t:file read_file_perms;
+	allow $1 gear_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, gear_t)
+')
+
+########################################
+## <summary>
+##	Read and write gear shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_rw_sem',`
+	gen_require(`
+		type gear_t;
+	')
+
+	allow $1 gear_t:sem rw_sem_perms;
+')
+
+#######################################
+## <summary>
+##  Read and write the gear pty type.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gear_use_ptys',`
+    gen_require(`
+        type gear_devpts_t;
+    ')
+
+    allow $1 gear_devpts_t:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow domain to create gear content
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gear_filetrans_named_content',`
+    gen_require(`
+            type gear_var_lib_t;
+	    type gear_var_run_t;
+    ')
+
+    files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
+    files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an gear environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gear_admin',`
+	gen_require(`
+		type gear_t;
+		type gear_var_lib_t, gear_var_run_t;
+		type gear_unit_file_t;
+		type gear_lock_t;
+		type gear_log_t;
+	')
+
+	allow $1 gear_t:process { ptrace signal_perms };
+	ps_process_pattern($1, gear_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, gear_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, gear_var_run_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, gear_log_t)
+
+	gear_systemctl($1)
+	admin_pattern($1, gear_unit_file_t)
+	allow $1 gear_unit_file_t:service all_service_perms;
+')
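Review bot: `gear_admin` grants `ptrace` on gear_t unconditionally (`allow $1 gear_t:process { ptrace signal_perms };`), while the other admin interfaces in this same change (geoclue_admin, git_role, glance_admin) gate ptrace behind the deny_ptrace boolean; the gear one should follow suit so the global lockdown boolean actually covers it. Split it into `allow $1 gear_t:process signal_perms;` plus a `tunable_policy(`deny_ptrace',`',` allow $1 gear_t:process ptrace; ')` block. Separately, `gear_rw_sem` is documented as "Read and write gear shared memory" but only grants `sem` permissions; either say "semaphores" in the summary or add the shm rule if that was the intent. Note also that `gear_use_ptys` and `gear_admin` require gear_devpts_t and gear_lock_t, which gear.te does not declare.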
diff --git a/gear.te b/gear.te
new file mode 100644
index 0000000..0685927
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,136 @@
+policy_module(gear, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gear_t;
+type gear_exec_t;
+init_daemon_domain(gear_t, gear_exec_t)
+
+type gear_var_lib_t;
+files_type(gear_var_lib_t)
+
+type gear_log_t;
+logging_log_file(gear_log_t)
+
+type gear_var_run_t;
+files_pid_file(gear_var_run_t)
+
+type gear_unit_file_t;
+systemd_unit_file(gear_unit_file_t)
+
+########################################
+#
+# gear local policy
+#
+allow gear_t self:capability { chown net_admin fowner dac_override };
+dontaudit gear_t self:capability sys_ptrace;
+allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
+allow gear_t self:fifo_file rw_fifo_file_perms;
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
+allow gear_t self:tcp_socket create_stream_socket_perms;
+
+allow gear_t gear_unit_file_t:file read_file_perms;
+allow gear_t gear_unit_file_t:service manage_service_perms;
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)
+
+manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
+manage_files_pattern(gear_t, gear_log_t, gear_log_t)
+manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
+logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
+
+gear_filetrans_named_content(gear_t)
+
+manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
+
+manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+init_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(gear_t)
+kernel_read_network_state(gear_t)
+kernel_read_all_sysctls(gear_t)
+kernel_rw_net_sysctls(gear_t)
+
+domain_use_interactive_fds(gear_t)
+domain_read_all_domains_state(gear_t)
+
+corecmd_exec_bin(gear_t)
+corecmd_exec_shell(gear_t)
+
+corenet_tcp_bind_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_if(gear_t)
+corenet_tcp_sendrecv_generic_node(gear_t)
+corenet_tcp_sendrecv_generic_port(gear_t)
+corenet_tcp_bind_gear_port(gear_t)
+
+dev_mounton_sysfs(gear_t)
+dev_mount_sysfs_fs(gear_t)
+dev_unmount_sysfs_fs(gear_t)
+
+files_mounton_rootfs(gear_t)
+files_read_etc_files(gear_t)
+
+fs_list_cgroup_dirs(gear_t)
+fs_read_cgroup_files(gear_t)
+fs_read_tmpfs_symlinks(gear_t)
+fs_getattr_all_fs(gear_t)
+
+auth_use_nsswitch(gear_t)
+
+init_read_state(gear_t)
+init_dbus_chat(gear_t)
+init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
+
+logging_send_audit_msgs(gear_t)
+logging_send_syslog_msg(gear_t)
+logging_read_generic_logs(gear_t)
+
+miscfiles_read_localization(gear_t)
+
+mount_domtrans(gear_t)
+
+selinux_validate_context(gear_t)
+
+seutil_read_default_contexts(gear_t)
+seutil_read_config(gear_t)
+
+sysnet_dns_name_resolve(gear_t)
+
+sysnet_exec_ifconfig(gear_t)
+sysnet_manage_ifconfig_run(gear_t)
+
+systemd_manage_all_unit_files(gear_t)
+systemd_exec_systemctl(gear_t)
+
+usermanage_domtrans_useradd(gear_t)
+usermanage_domtrans_passwd(gear_t)
+
+optional_policy(`
+	hostname_exec(gear_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(gear_t)
+')
+
+optional_policy(`
+	openshift_manage_lib_dirs(gear_t)
+	openshift_manage_lib_files(gear_t)
+	openshift_relabelfrom_lib(gear_t)
+')
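Review bot: gear.te never declares gear_devpts_t or gear_lock_t, yet gear.if's `gear_use_ptys` and `gear_admin` list them in gen_require, so any module calling those interfaces will fail at build time; declare them here alongside the other types. Beyond that, the domain is close to unconfined for a daemon: `systemd_manage_all_unit_files` and `init_enable_services` let it rewrite and enable any unit on the system even though it already has manage rights on its own gear_unit_file_t, `manage_blk_files_pattern`/`manage_chr_files_pattern` on gear_var_lib_t let it create device nodes under a tree that gear.fc labels as `/var/lib/containers`, and `dac_override` plus `files_mounton_rootfs` and `usermanage_domtrans_useradd` extend that further. Unless there is a concrete need that a comment can name, drop the all-unit-files rule in favour of the existing gear_unit_file_t rules and remove the blk/chr-file patterns.
```selinux
type gear_devpts_t;
term_pty(gear_devpts_t)

type gear_lock_t;
files_lock_file(gear_lock_t)

# … unchanged: gear_unit_file_t / gear_log_t / gear_var_run_t rules …

# Scope unit-file management to gear's own units (systemd_manage_all_unit_files removed).
allow gear_t gear_unit_file_t:file read_file_perms;
allow gear_t gear_unit_file_t:service manage_service_perms;
manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)
systemd_exec_systemctl(gear_t)
```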
diff --git a/geoclue.fc b/geoclue.fc
new file mode 100644
index 0000000..a97f14f
--- /dev/null
+++ b/geoclue.fc
@@ -0,0 +1,4 @@
+
+/usr/libexec/geoclue		--	gen_context(system_u:object_r:geoclue_exec_t,s0)
+
+/var/lib/geoclue(/.*)?		gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/geoclue.if b/geoclue.if
new file mode 100644
index 0000000..cf9f7bf
--- /dev/null
+++ b/geoclue.if
@@ -0,0 +1,153 @@
+
+## <summary>Geoclue is a D-Bus service that provides location information</summary>
+
+########################################
+## <summary>
+##	Execute geoclue in the geoclue domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`geoclue_domtrans',`
+	gen_require(`
+		type geoclue_t, geoclue_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, geoclue_exec_t, geoclue_t)
+')
+
+########################################
+## <summary>
+##	Search geoclue lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`geoclue_search_lib',`
+	gen_require(`
+		type geoclue_var_lib_t;
+	')
+
+	allow $1 geoclue_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read geoclue lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`geoclue_read_lib_files',`
+	gen_require(`
+		type geoclue_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage geoclue lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`geoclue_manage_lib_files',`
+	gen_require(`
+		type geoclue_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage geoclue lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`geoclue_manage_lib_dirs',`
+	gen_require(`
+		type geoclue_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
+')
+
+########################################
+## <summary>
+##  Send and receive messages from
+##  geoclue over dbus.
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`geoclue_dbus_chat',`
+        gen_require(`
+                type geoclue_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 geoclue_t:dbus send_msg;
+        allow geoclue_t $1:dbus send_msg;
+	    ps_process_pattern(geoclue_t, $1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an geoclue environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`geoclue_admin',`
+	gen_require(`
+		type geoclue_t;
+		type geoclue_var_lib_t;
+	')
+
+	allow $1 geoclue_t:process { signal_perms };
+	ps_process_pattern($1, geoclue_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 geoclue_t:process ptrace;
+    ')
+
+	files_search_var_lib($1)
+	admin_pattern($1, geoclue_var_lib_t)
+
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
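Review bot: In `geoclue_dbus_chat` the process-state grant runs in the opposite direction from the rest of the interface — `ps_process_pattern(geoclue_t, $1)` lets the geoclue daemon read /proc state of every domain that merely chats with it, rather than letting the caller inspect geoclue_t. If that is deliberate (e.g. geoclue needs to identify its D-Bus peers), it should carry a comment saying so, e.g. `# geoclue reads the caller's process state to identify the D-Bus peer`; otherwise flip it to `ps_process_pattern($1, geoclue_t)` as the other dbus_chat interfaces in this tree do. The summary of `geoclue_domtrans` also has a typo, "geoclue domin" for "geoclue domain".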
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
index 0000000..cd197a6
--- /dev/null
+++ b/geoclue.te
@@ -0,0 +1,66 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type geoclue_t;
+type geoclue_exec_t;
+application_domain(geoclue_t, geoclue_exec_t)
+role system_r types geoclue_t;
+
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+type geoclue_tmp_t;
+files_tmp_file(geoclue_tmp_t)
+
+########################################
+#
+# geoclue local policy
+#
+allow geoclue_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
+
+manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
+
+kernel_read_network_state(geoclue_t)
+
+auth_read_passwd(geoclue_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
+corenet_tcp_connect_http_cache_port(geoclue_t)
+
+corecmd_exec_bin(geoclue_t)
+
+dev_read_urand(geoclue_t)
+
+miscfiles_read_certs(geoclue_t)
+
+sysnet_dns_name_resolve(geoclue_t)
+
+optional_policy(`
+	kerberos_use(geoclue_t)
+')
+
+optional_policy(`
+	dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+	optional_policy(`
+		modemmanager_dbus_chat(geoclue_t)
+	')
+	optional_policy(`
+		networkmanager_dbus_chat(geoclue_t)
+	')
+')
+
+optional_policy(`
+	pcscd_stream_connect(geoclue_t)
+')
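Review bot: `corecmd_exec_bin(geoclue_t)` lets a network-facing D-Bus location service execute any bin_t binary, and nothing in the module shows which helper it needs; if a specific executable is known, a comment naming it (`# geoclue runs <helper> for …`) would justify the rule, and if none is, the rule should be dropped until an AVC shows the need. geoclue_t is also declared with `application_domain` plus `role system_r types geoclue_t` but the `dbus_system_domain` that makes it a bus-activated system service lives under optional_policy, so if the dbus module is absent the domain is unreachable — worth a comment or a hard dependency. The `kerberos_use` and `pcscd_stream_connect` grants look like library side effects rather than geoclue features; hedged, but a short comment would stop the next reviewer from trimming them.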
diff --git a/gift.te b/gift.te
index 8a820fa..996b30c 100644
--- a/gift.te
+++ b/gift.te
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
 
 userdom_dontaudit_read_user_home_content_files(gift_t)
 
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(gift_t)
-	fs_manage_nfs_files(gift_t)
-	fs_manage_nfs_symlinks(gift_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(gift_t)
-	fs_manage_cifs_files(gift_t)
-	fs_manage_cifs_symlinks(gift_t)
-')
+userdom_home_manager(gift_t)
 
 optional_policy(`
 	xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t)
 corenet_tcp_connect_all_ports(giftd_t)
 
 files_read_etc_runtime_files(giftd_t)
-files_read_usr_files(giftd_t)
-
-miscfiles_read_localization(giftd_t)
 
 sysnet_dns_name_resolve(giftd_t)
 
-userdom_use_user_terminals(giftd_t)
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(giftd_t)
-	fs_manage_nfs_files(giftd_t)
-	fs_manage_nfs_symlinks(giftd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(giftd_t)
-	fs_manage_cifs_files(giftd_t)
-	fs_manage_cifs_symlinks(giftd_t)
-')
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
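Review bot: The last added line passes the wrong type: `userdom_home_manager(gitd_t)` names a type that does not exist in this module (the daemon domain is giftd_t, and the git module declares git_system_t, not gitd_t), so the policy will fail to compile or, at best, the NFS/CIFS home-directory access this line is meant to restore for giftd_t is silently lost. Change it to `userdom_home_manager(giftd_t)`, matching the `userdom_use_inherited_user_terminals(giftd_t)` line just above it.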
diff --git a/git.fc b/git.fc
index 24700f8..6561d56 100644
--- a/git.fc
+++ b/git.fc
@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:git_user_content_t,s0)
 
 /usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
 
-/var/cache/cgit(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/cache/gitweb-caching(/.*)?	gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+/var/cache/cgit(/.*)?	gen_context(system_u:object_r:git_rw_content_t,s0)
+/var/cache/gitweb-caching(/.*)?	gen_context(system_u:object_r:git_rw_content_t,s0)
 
 /var/lib/git(/.*)?	gen_context(system_u:object_r:git_sys_content_t,s0)
 
-/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/git(/.*)?	gen_context(system_u:object_r:httpd_git_content_t,s0)
-/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-/var/www/gitweb-caching/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:git_script_exec_t,s0)
+/var/www/git(/.*)?	gen_context(system_u:object_r:git_content_t,s0)
+/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:git_script_exec_t,s0)
+/var/www/gitweb-caching/gitweb\.cgi	--	gen_context(system_u:object_r:git_script_exec_t,s0)
diff --git a/git.if b/git.if
index 1e29af1..6c64f55 100644
--- a/git.if
+++ b/git.if
@@ -37,7 +37,10 @@ template(`git_role',`
 	allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 	userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
 
-	allow $2 git_session_t:process { ptrace signal_perms };
+	allow $2 git_session_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 git_session_t:process ptrace;
+	')
 	ps_process_pattern($2, git_session_t)
 
 	tunable_policy(`git_session_users',`
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
 
 	list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
 	read_files_pattern($1, git_sys_content_t, git_sys_content_t)
+    read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
 
 	files_search_var_lib($1)
 
@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
 		fs_read_nfs_files($1)
 	')
 ')
+
+#######################################
+## <summary>
+##      Create Git user content with a
+##      named file transition.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`git_filetrans_user_content',`
+		gen_require(`
+			type git_user_content_t;
+		')
+		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
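Review bot: The new `git_filetrans_user_content` interface is indented with two tabs for its gen_require and rule, and its comment block uses spaces, whereas every other interface in git.if uses a single tab and tab-indented comments; reindent it to match. The interface also has no blank line between the gen_require block and the rule, unlike its siblings. Functionally it is fine — it only wraps `userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")`, the same transition git_role already performs.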
diff --git a/git.te b/git.te
index dc49c71..54df5e3 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
 
 ## <desc>
 ##	<p>
-##	Determine whether Git session daemons
-##	can send syslog messages.
-##	</p>
-## </desc>
-gen_tunable(git_session_send_syslog_msg, false)
-
-## <desc>
-##	<p>
 ##	Determine whether Git system daemon
 ##	can search home directories.
 ##	</p>
@@ -83,6 +75,7 @@ attribute git_daemon;
 attribute_role git_session_roles;
 
 apache_content_template(git)
+apache_content_alias_template(git, git)
 
 type git_system_t, git_daemon;
 type gitd_exec_t;
@@ -93,12 +86,15 @@ type git_session_t, git_daemon;
 userdom_user_application_domain(git_session_t, gitd_exec_t)
 role git_session_roles types git_session_t;
 
-type git_sys_content_t;
+type git_sys_content_t alias git_system_content_t;
 files_type(git_sys_content_t)
 
-type git_user_content_t;
+type git_user_content_t alias git_session_content_t;
 userdom_user_home_content(git_user_content_t)
 
+type git_script_tmp_t;
+files_tmp_file(git_script_tmp_t)
+
 ########################################
 #
 # Session policy
@@ -110,6 +106,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
 read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
 userdom_search_user_home_dirs(git_session_t)
 
+kernel_read_system_state(git_session_t)
+
 corenet_all_recvfrom_netlabel(git_session_t)
 corenet_all_recvfrom_unlabeled(git_session_t)
 corenet_tcp_bind_generic_node(git_session_t)
@@ -130,9 +128,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
 	corenet_tcp_sendrecv_all_ports(git_session_t)
 ')
 
-tunable_policy(`git_session_send_syslog_msg',`
-	logging_send_syslog_msg(git_session_t)
-')
+logging_send_syslog_msg(git_session_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_getattr_nfs(git_session_t)
@@ -158,6 +154,9 @@ tunable_policy(`use_samba_home_dirs',`
 list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
 read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
 
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
 corenet_all_recvfrom_unlabeled(git_system_t)
 corenet_all_recvfrom_netlabel(git_system_t)
 corenet_tcp_sendrecv_generic_if(git_system_t)
@@ -176,6 +175,10 @@ logging_send_syslog_msg(git_system_t)
 
 tunable_policy(`git_system_enable_homedirs',`
 	userdom_search_user_home_dirs(git_system_t)
+	list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t)
+	list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
+	read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
 ')
 
 tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
@@ -215,48 +218,52 @@ tunable_policy(`git_system_use_nfs',`
 # CGI policy
 #
 
-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-files_search_var_lib(httpd_git_script_t)
+manage_dirs_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir })
 
-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(git_script_t)
 
-auth_use_nsswitch(httpd_git_script_t)
+auth_use_nsswitch(git_script_t)
 
 tunable_policy(`git_cgi_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_git_script_t)
+	userdom_search_user_home_dirs(git_script_t)
 ')
 
+fs_getattr_tmpfs(git_script_t)
 tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
-	fs_getattr_nfs(httpd_git_script_t)
-	fs_list_nfs(httpd_git_script_t)
-	fs_read_nfs_files(httpd_git_script_t)
+	fs_getattr_nfs(git_script_t)
+	fs_list_nfs(git_script_t)
+	fs_read_nfs_files(git_script_t)
 ',`
-	fs_dontaudit_read_nfs_files(httpd_git_script_t)
+	fs_dontaudit_read_nfs_files(git_script_t)
 ')
 
 tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',`
-	fs_getattr_cifs(httpd_git_script_t)
-	fs_list_cifs(httpd_git_script_t)
-	fs_read_cifs_files(httpd_git_script_t)
+	fs_getattr_cifs(git_script_t)
+	fs_list_cifs(git_script_t)
+	fs_read_cifs_files(git_script_t)
 ',`
-	fs_dontaudit_read_cifs_files(httpd_git_script_t)
+	fs_dontaudit_read_cifs_files(git_script_t)
 ')
 
 tunable_policy(`git_cgi_use_cifs',`
-	fs_getattr_cifs(httpd_git_script_t)
-	fs_list_cifs(httpd_git_script_t)
-	fs_read_cifs_files(httpd_git_script_t)
+	fs_getattr_cifs(git_script_t)
+	fs_list_cifs(git_script_t)
+	fs_read_cifs_files(git_script_t)
 ',`
-	fs_dontaudit_read_cifs_files(httpd_git_script_t)
+	fs_dontaudit_read_cifs_files(git_script_t)
 ')
 
 tunable_policy(`git_cgi_use_nfs',`
-	fs_getattr_nfs(httpd_git_script_t)
-	fs_list_nfs(httpd_git_script_t)
-	fs_read_nfs_files(httpd_git_script_t)
+	fs_getattr_nfs(git_script_t)
+	fs_list_nfs(git_script_t)
+	fs_read_nfs_files(git_script_t)
 ',`
-	fs_dontaudit_read_nfs_files(httpd_git_script_t)
+	fs_dontaudit_read_nfs_files(git_script_t)
 ')
 
 ########################################
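Review bot: `fs_getattr_tmpfs(git_script_t)` is wedged directly above the `git_cgi_enable_homedirs && use_nfs_home_dirs` tunable with no separating blank line, which reads as if it belonged to that conditional; move it up next to the other unconditional git_script_t rules (after `files_search_var_lib(git_script_t)`) with a blank line on each side. The rename from httpd_git_script_t to git_script_t relies on `apache_content_alias_template(git, git)` in the declarations hunk providing the new type; that is outside this hunk, so verify the template really declares git_script_t and not only the content types. The new git_script_tmp_t rules replace the earlier `files_dontaudit_getattr_tmp_dirs`, which is reasonable once the script gets its own tmp type.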
@@ -266,12 +273,9 @@ tunable_policy(`git_cgi_use_nfs',`
 
 allow git_daemon self:fifo_file rw_fifo_file_perms;
 
-kernel_read_system_state(git_daemon)
+#kernel_read_system_state(git_daemon)
 
 corecmd_exec_bin(git_daemon)
 
-files_read_usr_files(git_daemon)
-
 fs_search_auto_mountpoints(git_daemon)
 
-miscfiles_read_localization(git_daemon)
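Review bot: `#kernel_read_system_state(git_daemon)` leaves a commented-out rule in the shared git_daemon section; since this change adds `kernel_read_system_state` to git_session_t and git_system_t individually (the only two types carrying the git_daemon attribute that are visible), the attribute-level rule is simply redundant and should be deleted rather than commented out. If the intent was to keep it for future daemon types, a one-line comment saying why is better than dead code.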
diff --git a/gitosis.te b/gitosis.te
index 582db0a..d77a1a5 100644
--- a/gitosis.te
+++ b/gitosis.te
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
 
 dev_read_urand(gitosis_t)
 
-files_read_etc_files(gitosis_t)
-files_read_usr_files(gitosis_t)
 files_search_var_lib(gitosis_t)
 
-miscfiles_read_localization(gitosis_t)
-
 sysnet_read_config(gitosis_t)
 
 tunable_policy(`gitosis_can_sendmail',`
diff --git a/glance.fc b/glance.fc
index c21a528..a746a2b 100644
--- a/glance.fc
+++ b/glance.fc
@@ -1,8 +1,14 @@
 /etc/rc\.d/init\.d/openstack-glance-api	--	gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/openstack-glance-registry	--	gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openstack-glance-scrubber	--	gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0)
 
-/usr/bin/glance-api	--	gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/lib/systemd/system/openstack-glance-api.*              --  gen_context(system_u:object_r:glance_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-registry.*         --  gen_context(system_u:object_r:glance_registry_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-scrubber.*         --  gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0)
+
+/usr/bin/glance-api	        --	gen_context(system_u:object_r:glance_api_exec_t,s0)
 /usr/bin/glance-registry	--	gen_context(system_u:object_r:glance_registry_exec_t,s0)
+/usr/bin/glance-scrubber    --  gen_context(system_u:object_r:glance_scrubber_exec_t,s0)
 
 /var/lib/glance(/.*)?	gen_context(system_u:object_r:glance_var_lib_t,s0)
 
diff --git a/glance.if b/glance.if
index 9eacb2c..7b19ad2 100644
--- a/glance.if
+++ b/glance.if
@@ -1,5 +1,38 @@
 ## <summary>OpenStack image registry and delivery service.</summary>
 
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  glance daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`glance_basic_types_template',`
+    gen_require(`
+		attribute glance_domain;
+    ')
+
+	type $1_t, glance_domain;
+	type $1_exec_t;
+
+    type $1_unit_file_t;
+    systemd_unit_file($1_unit_file_t)
+
+	kernel_read_system_state($1_t)
+
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_all_recvfrom_netlabel($1_t)
+
+    logging_send_syslog_msg($1_t)
+
+    auth_use_nsswitch($1_t)
+
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to
@@ -26,9 +59,9 @@ interface(`glance_domtrans_registry',`
 ##	run glance api.
 ## </summary>
 ## <param name="domain">
-##	<summary>
+## <summary>
 ##	Domain allowed to transition.
-##	</summary>
+## </summary>
 ## </param>
 #
 interface(`glance_domtrans_api',`
@@ -242,8 +275,13 @@ interface(`glance_admin',`
 		type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
 	')
 
-	allow $1 { glance_api_t glance_registry_t }:process signal_perms;
-	ps_process_pattern($1, { glance_api_t glance_registry_t })
+	allow $1 glance_registry_t:process signal_perms;
+	ps_process_pattern($1, glance_registry_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 glance_registry_t:process ptrace;
+		allow $1 glance_api_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
 	domain_system_change_exemption($1)
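Review bot: `glance_admin` regresses for glance_api_t: the old rules granted signal_perms and ps_process_pattern on both glance_api_t and glance_registry_t, but the new code keeps those only for glance_registry_t and gives glance_api_t nothing except a ptrace gated on deny_ptrace, so an admin role can no longer signal or inspect the API daemon. Restore the set form, `allow $1 { glance_api_t glance_registry_t }:process signal_perms;` and `ps_process_pattern($1, { glance_api_t glance_registry_t })`, and use the same set inside the deny_ptrace block. The newly declared glance_scrubber_t should be added to those sets and to the init_labeled_script_domtrans list as well, otherwise the admin interface does not cover the third daemon this change introduces.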
diff --git a/glance.te b/glance.te
index 5cd0909..bd3c3d2 100644
--- a/glance.te
+++ b/glance.te
@@ -5,10 +5,31 @@ policy_module(glance, 1.1.0)
 # Declarations
 #
 
+## <desc>
+##  <p>
+##	Determine whether glance-api can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(glance_api_can_network, false)
+
+## <desc>
+## <p>
+## Allow glance domain to manage fuse files
+## </p>
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow glance domain to use executable memory and executable stack
+## </p>
+## </desc>
+gen_tunable(glance_use_execmem, false)
+
 attribute glance_domain;
 
-type glance_registry_t, glance_domain;
-type glance_registry_exec_t;
+glance_basic_types_template(glance_registry)
 init_daemon_domain(glance_registry_t, glance_registry_exec_t)
 
 type glance_registry_initrc_exec_t;
@@ -17,13 +38,21 @@ init_script_file(glance_registry_initrc_exec_t)
 type glance_registry_tmp_t;
 files_tmp_file(glance_registry_tmp_t)
 
-type glance_api_t, glance_domain;
-type glance_api_exec_t;
+type glance_registry_tmpfs_t;
+files_tmpfs_file(glance_registry_tmpfs_t)
+
+glance_basic_types_template(glance_api)
 init_daemon_domain(glance_api_t, glance_api_exec_t)
 
 type glance_api_initrc_exec_t;
 init_script_file(glance_api_initrc_exec_t)
 
+glance_basic_types_template(glance_scrubber)
+init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)
+
+type glance_scrubber_initrc_exec_t;
+init_script_file(glance_scrubber_initrc_exec_t)
+
 type glance_log_t;
 logging_log_file(glance_log_t)
 
@@ -41,6 +70,7 @@ files_pid_file(glance_var_run_t)
 # Common local policy
 #
 
+allow glance_domain self:process signal_perms;
 allow glance_domain self:fifo_file rw_fifo_file_perms;
 allow glance_domain self:unix_stream_socket create_stream_socket_perms;
 allow glance_domain self:tcp_socket { accept listen };
@@ -56,29 +86,40 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
 manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
 
-kernel_read_system_state(glance_domain)
-
-corenet_all_recvfrom_unlabeled(glance_domain)
-corenet_all_recvfrom_netlabel(glance_domain)
 corenet_tcp_sendrecv_generic_if(glance_domain)
 corenet_tcp_sendrecv_generic_node(glance_domain)
 corenet_tcp_sendrecv_all_ports(glance_domain)
 corenet_tcp_bind_generic_node(glance_domain)
+corenet_tcp_connect_mysqld_port(glance_domain)
+corenet_tcp_connect_http_port(glance_domain)
 
 corecmd_exec_bin(glance_domain)
 corecmd_exec_shell(glance_domain)
 
 dev_read_urand(glance_domain)
+dev_read_sysfs(glance_domain)
 
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
+auth_read_passwd(glance_domain)
 
 libs_exec_ldconfig(glance_domain)
 
-miscfiles_read_localization(glance_domain)
-
 sysnet_dns_name_resolve(glance_domain)
 
+tunable_policy(`glance_use_fusefs',`
+	fs_manage_fusefs_dirs(glance_domain)
+	fs_manage_fusefs_files(glance_domain)
+	fs_read_fusefs_symlinks(glance_domain)
+	fs_getattr_fusefs(glance_domain)
+')
+
+tunable_policy(`glance_use_execmem',`
+    allow glance_domain self:process { execmem execstack };
+')
+
+optional_policy(`
+    mysql_read_db_lnk_files(glance_domain)
+')
+
 ########################################
 #
 # Registry local policy
@@ -88,8 +129,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
 manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
 files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
 
+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
+
+corenet_tcp_bind_generic_node(glance_registry_t)
 corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
 corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
+
+corenet_tcp_connect_keystone_port(glance_registry_t)
 
 logging_send_syslog_msg(glance_registry_t)
 
@@ -108,13 +157,38 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
 files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
 can_exec(glance_api_t, glance_tmp_t)
 
-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
-
-corenet_sendrecv_hplip_server_packets(glance_api_t)
-corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_bind_generic_node(glance_api_t)
 
+corenet_tcp_bind_glance_port(glance_api_t)
 corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+corenet_tcp_connect_amqp_port(glance_api_t)
 corenet_tcp_connect_glance_registry_port(glance_api_t)
+corenet_tcp_connect_mysqld_port(glance_api_t)
+corenet_tcp_connect_http_port(glance_api_t)
+
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+corenet_tcp_connect_commplex_main_port(glance_api_t)
+corenet_tcp_connect_http_cache_port(glance_api_t)
+
+corenet_sendrecv_hplip_server_packets(glance_api_t)
+corenet_tcp_bind_hplip_port(glance_api_t)
 
 fs_getattr_xattr_fs(glance_api_t)
+
+tunable_policy(`glance_api_can_network',`
+	corenet_sendrecv_all_client_packets(glance_api_t)
+	corenet_tcp_connect_all_ports(glance_api_t)
+	corenet_tcp_sendrecv_all_ports(glance_api_t)
+')
+
+optional_policy(`
+    mysql_stream_connect(glance_api_t)
+')
+
+########################################
+#
+# Scrubber local policy
+#
+
+corenet_tcp_connect_commplex_main_port(glance_scrubber_t)
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
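Review bot: `corenet_tcp_connect_mysqld_port(glance_api_t)` and `corenet_tcp_connect_http_port(glance_api_t)` repeat the rules the `@@ -56,29 +86,40 @@` hunk already grants to the whole `glance_domain` attribute, and `corenet_tcp_sendrecv_all_ports(glance_api_t)` inside the `glance_api_can_network` tunable repeats the unconditional `corenet_tcp_sendrecv_all_ports(glance_domain)`; assuming `glance_basic_types_template` (defined outside this hunk) still attaches glance_api_t to glance_domain, these three lines are redundant and can go. The re-added `corenet_sendrecv_hplip_server_packets`/`corenet_tcp_bind_hplip_port` pair carries no comment saying which port glance-api actually needs from the hplip set (presumably an overlap with the glance port — confirm); a one-line note such as `# glance-api's listen port is also covered by hplip_port_t` would stop a later cleanup from removing it. The new `optional_policy` blocks use four-space indentation while the `tunable_policy` block directly above them uses tabs.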
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
index 0000000..52b4110
--- /dev/null
+++ b/glusterd.fc
@@ -0,0 +1,22 @@
+/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/usr/bin/ganesha.nfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/gluster(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/ganesha.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
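Review bot: The dots in `/usr/bin/ganesha.nfsd`, `/var/log/ganesha.log` and `/var/run/ganesha.*` are unescaped, so as regexes they match any character; the other entries in this file escape them (`/etc/rc\.d/init\.d/gluster.*`), and the first two should be `/usr/bin/ganesha\.nfsd` and `/var/log/ganesha\.log`. `/var/run/glusterd.*` (both the `--` and `-s` lines) is likewise unanchored and labels any `/var/run/glusterd<anything>` entry rather than just the pid and socket files; if only those are meant, `\.` after `glusterd` narrows it. `/usr/sbin/glusterd` being labelled `glusterd_initrc_exec_t` while `glusterfsd` gets `glusterd_exec_t` is carried over from the deleted glusterfs.fc and is presumably deliberate, but a one-line comment saying why the management daemon is treated as an init script rather than running in glusterd_t would save the next reader a trip to the .te.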
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
index 0000000..fc9bf19
--- /dev/null
+++ b/glusterd.if
@@ -0,0 +1,243 @@
+
+## <summary>policy for glusterd</summary>
+
+
+########################################
+## <summary>
+##	Transition to glusterd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glusterd_domtrans',`
+	gen_require(`
+		type glusterd_t, glusterd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute glusterd server in the glusterd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_initrc_domtrans',`
+	gen_require(`
+		type glusterd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read glusterd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_read_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+########################################
+## <summary>
+##	Append to glusterd log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_append_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+#######################################
+## <summary>
+##  Transition content labels to glusterd named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`glusterd_filetrans_named_pid',`
+    gen_require(`
+        type glusterd_var_run_t;
+    ')
+    files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
+')
+
+########################################
+## <summary>
+##	Manage glusterd log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterd_manage_log',`
+	gen_require(`
+		type glusterd_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+	manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+')
+
+######################################
+## <summary>
+##  Allow the specified domain to execute gluster's lib files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gluster_execute_lib',`
+    gen_require(`
+        type glusterd_var_lib_t;
+    ')
+
+    files_list_var_lib($1)
+    allow $1 glusterd_var_lib_t:dir search_dir_perms;
+    can_exec($1, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+##  Read glusterd's config files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`glusterd_read_conf',`
+       gen_require(`
+               type glusterd_conf_t;
+       ')
+
+    files_search_etc($1)
+    read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)
+')
+
+######################################
+## <summary>
+##  Read and write /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`glusterd_rw_lib',`
+       gen_require(`
+               type glusterd_var_lib_t;
+       ')
+
+    files_search_var_lib($1)
+    rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+## Read and write /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`glusterd_manage_lib_files',`
+       gen_require(`
+               type glusterd_var_lib_t;
+       ')
+
+    files_search_var_lib($1)
+    manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
+')
+
+######################################
+## <summary>
+##	All of the rules required to administrate
+##	an glusterd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_admin',`
+	gen_require(`
+		type glusterd_t;
+		type glusterd_initrc_exec_t;
+		type glusterd_log_t;
+		type glusterd_tmp_t;
+		type glusterd_conf_t; 
+	')
+
+	allow $1 glusterd_t:process { signal_perms };
+	ps_process_pattern($1, glusterd_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 glusterd_t:process ptrace;
+    ')
+
+	glusterd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 glusterd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_search_logs($1)
+	admin_pattern($1, glusterd_log_t)
+
+	admin_pattern($1, glusterd_tmp_t)
+
+	admin_pattern($1, glusterd_conf_t)
+
+')
+
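Review bot: `glusterd_admin` no longer covers `glusterd_var_lib_t` and `glusterd_var_run_t`, which the deleted `glusterfs_admin` in glusterfs.if administered via `admin_pattern`, and it also drops the `files_search_etc`/`files_search_tmp` calls that let the admin role reach the conf and tmp types; unless the narrowing is intentional, add those two types to the `gen_require` block plus `admin_pattern($1, glusterd_var_lib_t)` / `admin_pattern($1, glusterd_var_run_t)` with the matching search calls. The summary of `glusterd_manage_lib_files` is copy-pasted from `glusterd_rw_lib` ("Read and write /var/lib/glusterd files.") and should read `## Create, read, write, and delete /var/lib/glusterd files.`. `gluster_execute_lib` is the only interface without the `glusterd_` prefix, so anyone listing the module's interfaces by prefix will miss it. The file mixes tab, four-space and seven-space indentation (compare `glusterd_read_log` with `glusterd_read_conf` and the `deny_ptrace` block inside `glusterd_admin`); refpolicy style is a single tab.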
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 0000000..1dbcf2a
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,297 @@
+policy_module(glusterd, 1.1.3)
+
+## <desc>
+## <p>
+## Allow glusterfsd to modify public files used for public file
+## transfer services.  Files/Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(gluster_anon_write, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read only.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_ro, false)
+
+## <desc>
+## <p>
+## Allow glusterfsd to share any file/directory read/write.
+## </p>
+## </desc>
+gen_tunable(gluster_export_all_rw, true)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+domain_obj_id_change_exemption(glusterd_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t)
+
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
+
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
+allow glusterd_t self:sem create_sem_perms;
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
+allow glusterd_t self:rawip_socket create_socket_perms;
+allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+kernel_read_network_state(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_request_load_module(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+corenet_raw_bind_generic_node(glusterd_t)
+
+corenet_tcp_connect_gluster_port(glusterd_t)
+corenet_tcp_bind_gluster_port(glusterd_t)
+
+# replacement for rpc.mountd
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_all_rpc_ports(glusterd_t)
+corenet_tcp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_nfs_port(glusterd_t)
+corenet_udp_bind_mountd_port(glusterd_t)
+corenet_tcp_bind_mountd_port(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_ephemeral_ports(glusterd_t)
+corenet_tcp_connect_ssh_port(glusterd_t)
+corenet_tcp_connect_all_rpc_ports(glusterd_t)
+corenet_tcp_connect_all_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+dev_read_rand(glusterd_t)
+
+domain_read_all_domains_state(glusterd_t)
+domain_getattr_all_sockets(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
+fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
+files_mounton_non_security(glusterd_t)
+
+files_dontaudit_read_security_files(glusterd_t)
+files_dontaudit_list_security_dirs(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
+#needed by /usr/sbin/xfs_db
+storage_raw_read_fixed_disk(glusterd_t)
+storage_raw_write_fixed_disk(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+fs_getattr_all_fs(glusterd_t)
+
+init_domtrans_script(glusterd_t)
+init_initrc_domain(glusterd_t)
+init_read_script_state(glusterd_t)
+init_rw_script_tmp_files(glusterd_t)
+init_manage_script_status_files(glusterd_t)
+init_status(glusterd_t)
+
+systemd_config_systemd_services(glusterd_t)
+systemd_signal_passwd_agent(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+logging_dontaudit_search_audit_logs(glusterd_t)
+
+libs_exec_ldconfig(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
+miscfiles_read_public_files(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
+userdom_filetrans_home_content(glusterd_t)
+userdom_read_user_tmp_files(glusterd_t)
+userdom_delete_user_tmp_files(glusterd_t)
+userdom_rw_user_tmp_files(glusterd_t)
+userdom_kill_all_users(glusterd_t)
+
+mount_domtrans(glusterd_t)
+
+fstools_domtrans(glusterd_t)
+
+tunable_policy(`gluster_anon_write',`
+	miscfiles_manage_public_files(glusterd_t)
+') 
+
+tunable_policy(`gluster_export_all_ro',`
+	fs_read_noxattr_fs_files(glusterd_t) 
+	files_read_non_security_files(glusterd_t) 
+    files_getattr_all_pipes(glusterd_t)
+    files_getattr_all_sockets(glusterd_t)
+')
+
+tunable_policy(`gluster_export_all_rw',`
+	fs_manage_noxattr_fs_files(glusterd_t) 
+	files_manage_non_security_dirs(glusterd_t)
+	files_manage_non_security_files(glusterd_t)
+    files_relabel_base_file_types(glusterd_t)
+    files_getattr_all_pipes(glusterd_t)
+    files_getattr_all_sockets(glusterd_t)
+')
+
+optional_policy(`
+    ctdbd_domtrans(glusterd_t)
+    ctdbd_signal(glusterd_t)
+')
+
+optional_policy(`
+    dbus_system_bus_client(glusterd_t)
+    dbus_connect_system_bus(glusterd_t)
+	unconfined_dbus_chat(glusterd_t)
+
+    optional_policy(`
+        policykit_dbus_chat(glusterd_t)
+    ')
+')
+
+optional_policy(`
+    hostname_exec(glusterd_t)
+')
+
+optional_policy(`
+    lvm_domtrans(glusterd_t)
+')
+
+optional_policy(`
+    mount_domtrans_showmount(glusterd_t)
+')
+
+optional_policy(`
+    samba_domtrans_smbd(glusterd_t)
+    samba_systemctl(glusterd_t)
+    samba_signal_smbd(glusterd_t)
+    samba_manage_config(glusterd_t)
+')
+
+optional_policy(`
+    ssh_exec_keygen(glusterd_t)
+')
+
+optional_policy(`
+    rpc_domtrans_rpcd(glusterd_t)
+    rpc_kill_rpcd(glusterd_t)
+')
+
+optional_policy(`
+	rsync_exec(glusterd_t)
+')
+
+optional_policy(`
+    rpc_systemctl_nfsd(glusterd_t)
+    rpc_systemctl_rpcd(glusterd_t)
+
+    rpc_domtrans_nfsd(glusterd_t)
+    rpc_domtrans_rpcd(glusterd_t)
+    rpc_manage_nfs_state_data(glusterd_t)
+	rpc_manage_nfs_state_data_dir(glusterd_t)
+	rpcbind_stream_connect(glusterd_t)
+')
+
+optional_policy(`
+    rhcs_dbus_chat_cluster(glusterd_t)
+    rhcs_domtrans_cluster(glusterd_t)
+    rhcs_systemctl_cluster(glusterd_t)
+    rhcs_stream_connect_cluster(glusterd_t)
+')
+
+optional_policy(`
+	ssh_exec(glusterd_t)
+')
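Review bot: `gen_tunable(gluster_export_all_rw, true)` at the top of the file enables `files_manage_non_security_files`, `files_manage_non_security_dirs`, `files_relabel_base_file_types` and `fs_manage_noxattr_fs_files` for glusterd_t by default, so a fresh install already grants write and relabel access to nearly every non-security file on the host; if that is the intended out-of-the-box posture the `<desc>` block should state that it defaults to on, otherwise `gen_tunable(gluster_export_all_rw, false)` with the administrator opting in would match the sibling `gluster_anon_write` and `gluster_export_all_ro` defaults. The unconditional `corenet_tcp_connect_all_ports(glusterd_t)` subsumes the ssh, rpc, unreserved and ephemeral connect rules directly above it, so either drop those or put the all-ports rule under a tunable. `fs_getattr_all_fs(glusterd_t)` is listed twice and `rpc_domtrans_rpcd(glusterd_t)` appears in two separate optional_policy blocks. The capability set (sys_ptrace, net_admin, net_raw, mknod, kill, setuid, setgid) and `self:rawip_socket` carry no comment saying which glusterd feature needs them; a short why-comment per group, in the style of the existing `#needed by /usr/sbin/xfs_db` line, would keep later reviewers from trimming them blindly.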
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
index 4bd6ade..0000000
--- a/glusterfs.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-
-/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
-
-/usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
-
-/var/lib/gluster.*	gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-
-/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
-
-/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/var/run/glusterd\.pid	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterfs.if b/glusterfs.if
deleted file mode 100644
index 05233c8..0000000
--- a/glusterfs.if
+++ /dev/null
@@ -1,71 +0,0 @@
-## <summary>Cluster File System binary, daemon and command line.</summary>
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterd_admin',`
-	refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
-	glusterfs_admin($1, $2)
-')
-
-########################################
-## <summary>
-##	All of the rules required to
-##	administrate an glusterfs environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`glusterfs_admin',`
-	gen_require(`
-		type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
-		type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
-		type glusterd_var_run_t;
-	')
-
-	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 glusterd_initrc_exec_t system_r;
-	allow $2 system_r;
-
-	allow $1 glusterd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, glusterd_t)
-
-	files_search_etc($1)
-	admin_pattern($1, glusterd_conf_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, glusterd_log_t)
-
-	files_search_tmp($1)
-	admin_pattern($1, glusterd_tmp_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, glusterd_var_lib_t)
-
-	files_search_pids($1)
-	admin_pattern($1, glusterd_var_run_t)
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
index 4e95c7e..0000000
--- a/glusterfs.te
+++ /dev/null
@@ -1,105 +0,0 @@
-policy_module(glusterfs, 1.1.2)
-
-########################################
-#
-# Declarations
-#
-
-type glusterd_t;
-type glusterd_exec_t;
-init_daemon_domain(glusterd_t, glusterd_exec_t)
-
-type glusterd_conf_t;
-files_type(glusterd_conf_t)
-
-type glusterd_initrc_exec_t;
-init_script_file(glusterd_initrc_exec_t)
-
-type glusterd_tmp_t;
-files_tmp_file(glusterd_tmp_t)
-
-type glusterd_log_t;
-logging_log_file(glusterd_log_t)
-
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
-files_type(glusterd_var_lib_t)
-
-########################################
-#
-# Local policy
-#
-
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
-allow glusterd_t self:process { setrlimit signal };
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
-
-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
-
-can_exec(glusterd_t, glusterd_exec_t)
-
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
-corenet_all_recvfrom_unlabeled(glusterd_t)
-corenet_all_recvfrom_netlabel(glusterd_t)
-corenet_tcp_sendrecv_generic_if(glusterd_t)
-corenet_udp_sendrecv_generic_if(glusterd_t)
-corenet_tcp_sendrecv_generic_node(glusterd_t)
-corenet_udp_sendrecv_generic_node(glusterd_t)
-corenet_tcp_sendrecv_all_ports(glusterd_t)
-corenet_udp_sendrecv_all_ports(glusterd_t)
-corenet_tcp_bind_generic_node(glusterd_t)
-corenet_udp_bind_generic_node(glusterd_t)
-
-# Too coarse?
-corenet_sendrecv_all_server_packets(glusterd_t)
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
-corenet_udp_bind_all_rpc_ports(glusterd_t)
-corenet_udp_bind_ipp_port(glusterd_t)
-
-corenet_sendrecv_all_client_packets(glusterd_t)
-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
-
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
-domain_read_all_domains_state(glusterd_t)
-
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
-
-auth_use_nsswitch(glusterd_t)
-
-logging_send_syslog_msg(glusterd_t)
-
-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
index e39de43..5edcb83 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -1,15 +1,60 @@
-HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
-HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
-HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gnome_keyring_home_t,s0)
-HOME_DIR/\.gnome2_private(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.cache/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)?  gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.nv/GLCache(/.*)?	gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.grl-metadata-store		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-bookmarks		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.cache/GLCache(/.*)?	gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
+HOME_DIR/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 
-/etc/gconf(/.*)?	gen_context(system_u:object_r:gconf_etc_t,s0)
+/var/run/user/[^/]*/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
+/var/run/user/[^/]*/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+/var/run/user/[^/]*/keyring.*	gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
+
+/root/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
+/root/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.config(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
+/root/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
+/root/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+/root/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.cache/gstreamer-.*        gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.*			gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
+/root/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
+
+/etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
 
 /tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:gconf_tmp_t,s0)
 
+/usr/share/config(/.*)? 	gen_context(system_u:object_r:config_usr_t,s0)
+
 /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 --	gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
 
-/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
-/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
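Review bot: The comment `# Don't use because toolchain is broken` above the commented-out `gconfd-2` entry does not say which toolchain or what breaks, and with the `/usr/lib/[^/]*/gconf/gconfd-2` line also removed nothing is labelled `gconfd_exec_t` any more; if gnome.te still declares that type (not visible in this hunk), a comment such as `# gconfd-2 is deliberately not labelled gconfd_exec_t: <reason>` records the decision for the next maintainer. `HOME_DIR/\.nv(/.*)?` and `/root/\.cache/gstreamer-.*` separate the pattern from `gen_context` with spaces while the rest of the file uses tabs. `HOME_DIR/\.gnome(/.*)?` and `HOME_DIR/\.gnome2_private(/.*)?` are dropped without replacement, so those directories fall back to the generic home label; that may be intentional, but it deserves a line in the commit message.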
diff --git a/gnome.if b/gnome.if
index ab09d61..980f1f6 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,76 @@
-## <summary>GNU network object model environment.</summary>
+## <summary>GNU network object model environment (GNOME)</summary>
 
-########################################
+#######################################
 ## <summary>
-##	Role access for gnome.  (Deprecated)
+##  Role access for gnome.  (Deprecated)
 ## </summary>
 ## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
+##  <summary>
+##  Role allowed access.
+##  </summary>
 ## </param>
 ## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
+##  <summary>
+##  User domain for the role.
+##  </summary>
 ## </param>
 #
 interface(`gnome_role',`
-	refpolicywarn(`$0($*) has been deprecated')
+    refpolicywarn(`$0($*) has been deprecated')
+    ')
+
+######################################
+## <summary>
+##      The role template for the gnome-keyring-daemon.
+## </summary>
+## <param name="user_prefix">
+##      <summary>
+##      The user prefix.
+##      </summary>
+## </param>
+## <param name="user_role">
+##      <summary>
+##      The user role.
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##      The user domain associated with the role.
+##      </summary>
+## </param>
+#
+interface(`gnome_role_gkeyringd',`
+    refpolicywarn(`$0($*) has been deprecated')
 ')
 
-#######################################
+######################################
 ## <summary>
-##	The role template for gnome.
+##  The role template for gnome.
 ## </summary>
 ## <param name="role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
+##  <summary>
+##  The prefix of the user domain (e.g., user
+##  is the prefix for user_t).
+##  </summary>
 ## </param>
 ## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
+##  <summary>
+##  The role associated with the user domain.
+##  </summary>
 ## </param>
 ## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
+##  <summary>
+##  The type of the user domain.
+##  </summary>
 ## </param>
 #
 template(`gnome_role_template',`
-	gen_require(`
-		attribute gnomedomain, gkeyringd_domain;
+    gen_require(`
+		attribute gnomedomain, gkeyringd_domain, gnome_home_type;
 		attribute_role gconfd_roles;
-		type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+		type gkeyringd_exec_t, gkeyringd_tmp_t;
 		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
-		type gconf_home_t;
+		class dbus send_msg;
 	')
 
 	########################################
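Review bot: The header for gnome_role_gkeyringd says it is the role template for the gnome-keyring-daemon and documents three parameters, but the body is only a refpolicywarn deprecation call, so a reader of the generated interface docs would call it expecting real policy. Match the sibling gnome_role and write `##  The role template for the gnome-keyring-daemon.  (Deprecated)`, and either drop the parameter blocks or state that they are ignored. The new gen_require in gnome_role_template also mixes four-space indentation (`    gen_require(`) with the tab-indented lines that follow it; the rest of the file is tab-indented, so one style should be kept. The template body continues past the end of this hunk.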
@@ -74,14 +98,11 @@ template(`gnome_role_template',`
 
 	domtrans_pattern($3, gconfd_exec_t, gconfd_t)
 
-	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
-	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
-	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-
-	allow $3 gconfd_t:process { ptrace signal_perms };
+	allow $3 gconfd_t:process { signal_perms };
+	allow $3 gconfd_t:unix_stream_socket connectto;
 	ps_process_pattern($3, gconfd_t)
 
+
 	########################################
 	#
 	# Gkeyringd policy
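Review bot: Dropping the two userdom_user_home_dir_filetrans calls for ".gconf" and ".gconfd" means a .gconf directory newly created by the user domain is labelled with the generic user home type instead of gconf_home_t, unless an equivalent name transition now lives elsewhere (userdom or a gnome_*_filetrans caller) — that is not visible in this diff, so please confirm before merging. The .fc entries earlier in the commit only affect relabelling, not creation. Replacing `ptrace signal_perms` with `signal_perms` for the user domain over gconfd_t is a welcome tightening. The gnome_role_template body starts and ends outside this hunk.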
@@ -89,37 +110,85 @@ template(`gnome_role_template',`
 
 	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 
-	allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
-	allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
 
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
-	userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
-	
-	gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+	userdom_home_manager($1_gkeyringd_t)
 
-	allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
 
 	ps_process_pattern($3, $1_gkeyringd_t)
-	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+	allow $3 $1_gkeyringd_t:process signal_perms;
+	dontaudit $3 gkeyringd_exec_t:file entrypoint;
+
+	allow $1_gkeyringd_t $3:process sigkill;
+	allow $3 $1_gkeyringd_t:fd use;
+	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
+
+	dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
+	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+
+	kernel_read_system_state($1_gkeyringd_t)
 
 	corecmd_bin_domtrans($1_gkeyringd_t, $3)
 	corecmd_shell_domtrans($1_gkeyringd_t, $3)
 
-	gnome_stream_connect_gkeyringd($1, $3)
+	gnome_stream_connect_gkeyringd($3)
+
+	ps_process_pattern($1_gkeyringd_t, $3)
+
+	auth_use_nsswitch($1_gkeyringd_t)
+
+	logging_send_syslog_msg($1_gkeyringd_t)
+
+	allow $1_gkeyringd_t $3:dbus send_msg;
+	allow $3 $1_gkeyringd_t:dbus send_msg;
 
 	optional_policy(`
-		dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+        dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+		gnome_manage_generic_home_dirs($1_gkeyringd_t)
+		gnome_read_generic_data_home_files($1_gkeyringd_t)
+		gnome_read_generic_data_home_dirs($1_gkeyringd_t)
 
 		optional_policy(`
-			gnome_dbus_chat_gkeyringd($1, $3)
+			telepathy_mission_control_read_state($1_gkeyringd_t)
+            telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
 		')
 	')
 ')
 
+#######################################
+## <summary>
+##  Allow domain to run gkeyring in the $1_gkeyringd_t domain.
+## </summary>
+## <param name="user_prefix">
+##      <summary>
+##      The user prefix.
+##      </summary>
+## </param>
+## <param name="user_role">
+##      <summary>
+##      The user role.
+##      </summary>
+## </param>
+## <param name="user_domain">
+##      <summary>
+##	Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_run_gkeyringd',`
+    gen_require(`
+		type $1_gkeyringd_t;
+		type gkeyringd_exec_t;
+	')
+	role $2 types $1_gkeyringd_t;
+	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+')
+
 ########################################
 ## <summary>
-##	Execute gconf in the caller domain.
+##	gconf connection template.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
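Review bot: gnome_manage_generic_home_dirs and the two gnome_read_generic_data_home_* calls sit inside the optional_policy block that guards dbus_session_domain, so they are silently dropped whenever the dbus module is absent even though they look like interfaces of this very module; unless they genuinely depend on dbus, move them out of the block next to `userdom_home_manager($1_gkeyringd_t)`. That userdom_home_manager call itself hands the keyring daemon manage rights over the user's entire home directory, which appears broader than the gnome_* home interfaces called a few lines later — if the narrower set is sufficient, the broad one should go. `allow $1_gkeyringd_t $3:process sigkill;` lets the daemon kill any process in the user domain, so a one-line comment stating why that is required would help the next reviewer. The new lines also mix space indentation (`        dbus_session_domain`, `            telepathy_gabble_stream_connect_to(...)`) with tabs, and the telepathy_gabble call lacks spaces after its commas. The template body begins in an earlier hunk.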
@@ -127,18 +196,18 @@ template(`gnome_role_template',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_exec_gconf',`
+interface(`gnome_stream_connect_gconf',`
 	gen_require(`
-		type gconfd_exec_t;
+		type gconfd_t, gconf_tmp_t;
 	')
 
-	corecmd_search_bin($1)
-	can_exec($1, gconfd_exec_t)
+	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+	allow $1 gconfd_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Read gconf configuration content.
+##	Connect to gkeyringd with a unix stream socket. 
 ## </summary>
 ## <param name="domain">
 ##	<summary>
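Review bot: The new body of gnome_stream_connect_gconf grants connectto on the gconfd_t socket but no write permission on the gconf_tmp_t sock_file, which the removed stream_connect_pattern in a later hunk used to provide, so callers will be denied at the socket file unless they obtain that elsewhere; `stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)` together with `files_search_tmp($1)` restores the complete path. The read_files_pattern on gconf_tmp_t is a separate grant and can stay if callers need it. The summary `gconf connection template.` describes an interface, not a template; the old wording "Connect to gconf using a unix domain stream socket." fits the body better. gnome_exec_gconf disappears without a deprecation stub, so any external caller of it will fail to build.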
@@ -146,119 +215,114 @@ interface(`gnome_exec_gconf',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gkeyringd',`
 	gen_require(`
-		type gconf_etc_t;
+			attribute gkeyringd_domain;
+			type gkeyringd_tmp_t;
+			type gconf_tmp_t;
+			type cache_home_t;
 	')
 
-	files_search_etc($1)
-	allow $1 gconf_etc_t:dir list_dir_perms;
-	allow $1 gconf_etc_t:file read_file_perms;
-	allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+	allow $1 gconf_tmp_t:dir search_dir_perms;
+	userdom_search_user_tmp_dirs($1)
+	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+	stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read
-##	inherited gconf configuration files.
+##	Run gconfd in gconfd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+interface(`gnome_domtrans_gconfd',`
 	gen_require(`
-		type gconf_etc_t;
+		type gconfd_t, gconfd_exec_t;
 	')
 
-	dontaudit $1 gconf_etc_t:file read;
+	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Create, read, write, and delete
-##	gconf configuration content.
+##	Dontaudit read gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_dontaudit_read_config',`
 	gen_require(`
-		type gconf_etc_t;
+		attribute gnome_home_type;
 	')
 
-	files_search_etc($1)
-	allow $1 gconf_etc_t:dir manage_dir_perms;
-	allow $1 gconf_etc_t:file manage_file_perms;
-	allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+	dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Connect to gconf using a unix
-##	domain stream socket.
+##	Dontaudit search gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_dontaudit_search_config',`
 	gen_require(`
-		type gconfd_t, gconf_tmp_t;
+		attribute gnome_home_type;
 	')
 
-	files_search_tmp($1)
-	stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+	dontaudit $1 gnome_home_type:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Run gconfd in gconfd domain.
+##	Dontaudit write gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_dontaudit_append_config_files',`
 	gen_require(`
-		type gconfd_t, gconfd_exec_t;
+		attribute gnome_home_type;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+	dontaudit $1 gnome_home_type:file append;
 ')
 
+
 ########################################
 ## <summary>
-##	Create generic gnome home directories.
+##	Dontaudit write gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_create_generic_home_dirs',`
+interface(`gnome_dontaudit_write_config_files',`
 	gen_require(`
-		type gnome_home_t;
+		attribute gnome_home_type;
 	')
 
-	allow $1 gnome_home_t:dir create_dir_perms;
+	dontaudit $1 gnome_home_type:file write;
 ')
 
 ########################################
 ## <summary>
-##	Set attributes of generic gnome
-##	user home directories.  (Deprecated)
+##	manage gnome homedir content (.config)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
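Review bot: The header for gnome_dontaudit_append_config_files reads `Dontaudit write gnome homedir content (.config)`, identical to gnome_dontaudit_write_config_files right below it, while its rule is `dontaudit $1 gnome_home_type:file append;`; it should read `Dontaudit append gnome homedir content (.config)`. Likewise gnome_dontaudit_read_config is documented as not auditing reads of content, but its only rule is `dontaudit $1 gnome_home_type:dir read_inherited_file_perms;`, a dir-class rule, so either the summary should say directories or a file-class line is missing. gnome_stream_connect_gkeyringd additionally grants write on every sock_file under cache_home_t (all of ~/.cache) to any caller, which is broader than the keyring socket it is named for — a comment naming which socket lives there would justify the scope. Several public interfaces (gnome_read_gconf_config, gnome_manage_gconf_config, gnome_create_generic_home_dirs, gnome_setattr_config_dirs here, and more in the following hunks such as gnome_home_filetrans and gnome_manage_generic_home_content) are removed outright rather than left as refpolicywarn stubs the way gnome_role was, which will break out-of-tree modules that call them.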
@@ -266,15 +330,21 @@ interface(`gnome_create_generic_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_setattr_config_dirs',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
-	gnome_setattr_generic_home_dirs($1)
+interface(`gnome_manage_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	allow $1 gnome_home_type:dir manage_dir_perms;
+	allow $1 gnome_home_type:file manage_file_perms;
+	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+	allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Set attributes of generic gnome
-##	user home directories.
+##	Send general signals to all gconf domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
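Review bot: gnome_manage_config is summarised as managing `(.config)` content, but its rules target the gnome_home_type attribute, which judging by the file contexts earlier in the commit appears to span the .gconf, .dbus, .gnome2, keyrings and other gnome home types too, so a caller asking for .config access receives manage rights over all of them. Either narrow the rules to config_home_t or change the summary to say it covers every gnome_home_type-attributed home type, so the real scope is visible to callers. The old deprecated gnome_manage_config wrapper, removed in a later hunk, forwarded to gnome_manage_generic_home_content, which also covered fifo_file; if existing callers rely on that, `allow $1 gnome_home_type:fifo_file manage_fifo_file_perms;` is missing here.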
@@ -282,57 +352,89 @@ interface(`gnome_setattr_config_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_setattr_generic_home_dirs',`
+interface(`gnome_signal_all',`
 	gen_require(`
-		type gnome_home_t;
+		attribute gnomedomain;
 	')
 
-	userdom_search_user_home_dirs($1)
-	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	allow $1 gnomedomain:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Read generic gnome user home content.  (Deprecated)
+##	Create objects in a Gnome cache home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`gnome_read_config',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
-	gnome_read_generic_home_content($1)
+interface(`gnome_cache_filetrans',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	filetrans_pattern($1, cache_home_t, $2, $3, $4)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Read generic gnome home content.
+##	Create objects in a Gnome cache home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 #
-interface(`gnome_read_generic_home_content',`
+interface(`gnome_config_filetrans',`
 	gen_require(`
-		type gnome_home_t;
+		type config_home_t;
 	')
 
+	filetrans_pattern($1, config_home_t, $2, $3, $4)
 	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir list_dir_perms;
-	allow $1 gnome_home_t:file read_file_perms;
-	allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
-	allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
-	allow $1 gnome_home_t:sock_file read_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gnome user home content.  (Deprecated)
+##	Read generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
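Review bot: The header for gnome_config_filetrans repeats the cache wording `Create objects in a Gnome cache home directory` while the body transitions into config_home_t; it should read `Create objects in a Gnome config home directory`. gnome_setattr_generic_home_dirs, gnome_read_config and gnome_read_generic_home_content are removed here without deprecation stubs, the same concern raised on the earlier hunk. gnome_signal_all grants `signal` from the caller to every gnomedomain; a short comment naming the intended callers would let later reviewers judge whether that breadth is still needed.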
@@ -340,15 +442,18 @@ interface(`gnome_read_generic_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_config',`
-	refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
-	gnome_manage_generic_home_content($1)
+interface(`gnome_read_generic_cache_files',`
+	gen_require(`
+		type cache_home_t;
+	')
+
+	read_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gnome home content.
+##	Create generic cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -356,22 +461,18 @@ interface(`gnome_manage_config',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_generic_home_content',`
+interface(`gnome_create_generic_cache_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir manage_dir_perms;
-	allow $1 gnome_home_t:file manage_file_perms;
-	allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+	allow $1 cache_home_t:dir create_dir_perms;
+	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
 ')
 
 ########################################
 ## <summary>
-##	Search generic gnome home directories.
+##	Set attributes of cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -379,53 +480,37 @@ interface(`gnome_manage_generic_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_search_generic_home',`
+interface(`gnome_setattr_cache_home_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
+	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gnome_home_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create objects in gnome user home
-##	directories with a private type.
+##	Manage cache home dir (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private_type">
-##	<summary>
-##	Private file type.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
-interface(`gnome_home_filetrans',`
+interface(`gnome_manage_cache_home_dir',`
 	gen_require(`
-		type gnome_home_t;
+		type cache_home_t;
 	')
 
+	manage_dirs_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	filetrans_pattern($1, gnome_home_t, $2, $3, $4)
 ')
 
 ########################################
 ## <summary>
-##	Create generic gconf home directories.
+##	append to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -433,17 +518,18 @@ interface(`gnome_home_filetrans',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_append_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
-	allow $1 gconf_home_t:dir create_dir_perms;
+	append_files_pattern($1, cache_home_t, cache_home_t)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Read generic gconf home content.
+##	write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -451,23 +537,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_write_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
+	write_files_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir list_dir_perms;
-	allow $1 gconf_home_t:file read_file_perms;
-	allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
-	allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
-	allow $1 gconf_home_t:sock_file read_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	generic gconf home content.
+##	write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
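Review bot: The summary added at the end of this hunk, `write to generic cache home files (.cache)`, belongs to gnome_manage_generic_cache_files in the next hunk, whose body is manage_files_pattern; it duplicates the summary of gnome_write_generic_cache_files just above and should read `Create, read, write, and delete generic cache home files (.cache)`.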
@@ -475,22 +556,18 @@ interface(`gnome_read_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_files',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
+	manage_files_pattern($1, cache_home_t, cache_home_t)
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir manage_dir_perms;
-	allow $1 gconf_home_t:file manage_file_perms;
-	allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
-	allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
-	allow $1 gconf_home_t:sock_file manage_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search generic gconf home directories.
+##	Manage a sock_file in the generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -498,79 +575,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_manage_generic_cache_sockets',`
 	gen_require(`
-		type gconf_home_t;
+		type cache_home_t;
 	')
 
 	userdom_search_user_home_dirs($1)
-	allow $1 gconf_home_t:dir search_dir_perms;
+	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in user home
-##	directories with the generic gconf
-##	home type.
+##	Dontaudit read/write to generic cache home files (.cache)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	Class of the object being created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_dontaudit_rw_generic_cache_