diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 517af4a..e6e941d 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -91497,7 +91497,7 @@ index 77a13a5..9a5a73f 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 29075b3..13f3949 100644 +index 29075b3..5fe4467 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -91522,7 +91522,7 @@ index 29075b3..13f3949 100644 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; -+allow udev_t self:capability2 { block_suspend }; ++allow udev_t self:capability2 { block_suspend secure_firmware }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index ec079c3..90b3c2e 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -42655,7 +42655,7 @@ index 46bee12..61cc81a 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index a1e0f60..ec5fc31 100644 +index a1e0f60..01e8e93 100644 --- a/postfix.te +++ b/postfix.te @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0) 
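Review bot: The `secure_firmware` permission added to the `allow udev_t self:capability2` rule in the udev.te hunk carries no comment naming the udev operation that requires it, and the spec changelog's "udev seems to need secure_firmware capability" reads like a fix for an audit denial rather than a traced requirement. As far as I can tell this permission is not part of the upstream capability2 class, so it presumably comes from the distribution kernel's secure-boot capability patches and must also be declared in the policy's access_vectors (outside this hunk) or the module will not build; worth confirming before merging. If udev only probes the operation at startup and works without it, `dontaudit udev_t self:capability2 secure_firmware;` would be the narrower choice; otherwise add a why-comment above the rule, e.g. `# secure_firmware: required for <udev operation — TODO trace from the audit log>`.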
@@ -42724,11 +42724,13 @@ index a1e0f60..ec5fc31 100644 type postfix_public_t; files_type(postfix_public_t) -@@ -94,23 +107,24 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -94,23 +107,26 @@ mta_mailserver_delivery(postfix_virtual_t) # chown is to set the correct ownership of queue dirs allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; -allow postfix_master_t self:fifo_file rw_fifo_file_perms; ++allow postfix_master_t self:capability2 block_suspend; ++ +allow postfix_master_t self:process setrlimit; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; @@ -42754,7 +42756,7 @@ index a1e0f60..ec5fc31 100644 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) +@@ -130,7 +146,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; @@ -42763,7 +42765,7 @@ index a1e0f60..ec5fc31 100644 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -@@ -138,11 +152,11 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ +@@ -138,11 +154,11 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) 
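Review bot: The new `allow postfix_master_t self:capability2 block_suspend;` line in the postfix.te hunk grants CAP_BLOCK_SUSPEND without a comment saying why a mail daemon needs to hold a wakeup source; the same applies to the `rpcd_t` rule in the rpc.te hunk and the `sssd_t` rule in the sssd.te hunk further down. On kernels of this period the denial is typically produced by epoll_ctl() being called with the EPOLLWAKEUP bit set, often unintentionally through uninitialised event flags, rather than by any real need to block suspend — if that is the case here, `dontaudit <domain> self:capability2 block_suspend;` keeps the audit log quiet without widening the three domains. If the grant is intentional, a one-line comment such as `# block_suspend: needed for <reason — TODO confirm from audit log>` above each rule would save the next reader the same investigation.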
@@ -42776,7 +42778,7 @@ index a1e0f60..ec5fc31 100644 corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -150,6 +166,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -42786,7 +42788,7 @@ index a1e0f60..ec5fc31 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -157,6 +174,8 @@ corenet_tcp_connect_all_ports(postfix_master_t) +@@ -157,6 +176,8 @@ corenet_tcp_connect_all_ports(postfix_master_t) corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) corenet_sendrecv_smtp_server_packets(postfix_master_t) corenet_sendrecv_all_client_packets(postfix_master_t) @@ -42795,7 +42797,7 @@ index a1e0f60..ec5fc31 100644 # for a find command selinux_dontaudit_search_fs(postfix_master_t) -@@ -167,6 +186,10 @@ corecmd_exec_bin(postfix_master_t) +@@ -167,6 +188,10 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -42806,7 +42808,7 @@ index a1e0f60..ec5fc31 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +243,17 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +245,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; 
@@ -42825,7 +42827,7 @@ index a1e0f60..ec5fc31 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -237,22 +264,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -237,22 +266,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool # allow postfix_cleanup_t self:process setrlimit; @@ -42857,7 +42859,7 @@ index a1e0f60..ec5fc31 100644 mta_read_aliases(postfix_cleanup_t) optional_policy(` -@@ -264,7 +300,6 @@ optional_policy(` +@@ -264,7 +302,6 @@ optional_policy(` # Postfix local local policy # @@ -42865,7 +42867,7 @@ index a1e0f60..ec5fc31 100644 allow postfix_local_t self:process { setsched setrlimit }; # connect to master process -@@ -273,12 +308,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,12 +310,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -42880,7 +42882,7 @@ index a1e0f60..ec5fc31 100644 logging_dontaudit_search_logs(postfix_local_t) -@@ -286,10 +322,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +324,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -42899,7 +42901,7 @@ index a1e0f60..ec5fc31 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +338,14 @@ optional_policy(` +@@ -297,6 +340,14 @@ optional_policy(` ') optional_policy(` 
@@ -42914,7 +42916,7 @@ index a1e0f60..ec5fc31 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +353,22 @@ optional_policy(` +@@ -304,9 +355,22 @@ optional_policy(` ') optional_policy(` @@ -42937,7 +42939,7 @@ index a1e0f60..ec5fc31 100644 ######################################## # # Postfix map local policy -@@ -329,7 +391,6 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -329,7 +393,6 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -42945,7 +42947,7 @@ index a1e0f60..ec5fc31 100644 corenet_all_recvfrom_netlabel(postfix_map_t) corenet_tcp_sendrecv_generic_if(postfix_map_t) corenet_udp_sendrecv_generic_if(postfix_map_t) -@@ -348,7 +409,6 @@ corecmd_read_bin_sockets(postfix_map_t) +@@ -348,7 +411,6 @@ corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) files_read_usr_files(postfix_map_t) @@ -42953,7 +42955,7 @@ index a1e0f60..ec5fc31 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -379,18 +439,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +441,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -42979,7 +42981,7 @@ index a1e0f60..ec5fc31 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +467,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +469,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) 
@@ -42988,7 +42990,7 @@ index a1e0f60..ec5fc31 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +488,7 @@ optional_policy(` +@@ -420,6 +490,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -42996,7 +42998,7 @@ index a1e0f60..ec5fc31 100644 ') optional_policy(` -@@ -436,11 +505,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +507,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -43014,7 +43016,7 @@ index a1e0f60..ec5fc31 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +562,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +564,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -43025,7 +43027,7 @@ index a1e0f60..ec5fc31 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +594,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +596,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -43038,7 +43040,7 @@ index a1e0f60..ec5fc31 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +618,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +620,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; 
@@ -43049,7 +43051,7 @@ index a1e0f60..ec5fc31 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +639,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +641,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -43061,7 +43063,7 @@ index a1e0f60..ec5fc31 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +651,14 @@ optional_policy(` +@@ -565,6 +653,14 @@ optional_policy(` ') optional_policy(` @@ -43076,7 +43078,7 @@ index a1e0f60..ec5fc31 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +675,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +677,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -43103,7 +43105,7 @@ index a1e0f60..ec5fc31 100644 ') optional_policy(` -@@ -599,6 +701,12 @@ optional_policy(` +@@ -599,6 +703,12 @@ optional_policy(` ') optional_policy(` @@ -43116,7 +43118,7 @@ index a1e0f60..ec5fc31 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +719,6 @@ optional_policy(` +@@ -611,7 +721,6 @@ optional_policy(` # Postfix virtual local policy # @@ -43124,7 +43126,7 @@ index a1e0f60..ec5fc31 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +729,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } +@@ -622,7 +731,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) 
@@ -43132,7 +43134,7 @@ index a1e0f60..ec5fc31 100644 files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) -@@ -630,3 +736,75 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +738,75 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -50288,7 +50290,7 @@ index dddabcf..90b3b52 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index 330d01f..b80dad2 100644 +index 330d01f..d7875f4 100644 --- a/rpc.te +++ b/rpc.te @@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) @@ -50327,12 +50329,14 @@ index 330d01f..b80dad2 100644 type nfsd_rw_t; files_type(nfsd_rw_t) -@@ -58,13 +64,14 @@ files_mountpoint(var_lib_nfs_t) +@@ -58,13 +64,16 @@ files_mountpoint(var_lib_nfs_t) # RPC local policy # -allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; +allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; ++allow rpcd_t self:capability2 block_suspend; ++ allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; @@ -50345,7 +50349,7 @@ index 330d01f..b80dad2 100644 # rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) -@@ -81,12 +88,14 @@ corecmd_exec_bin(rpcd_t) +@@ -81,12 +90,14 @@ corecmd_exec_bin(rpcd_t) files_manage_mounttab(rpcd_t) files_getattr_all_dirs(rpcd_t) @@ -50360,7 +50364,7 @@ index 330d01f..b80dad2 100644 fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) -@@ -97,21 +106,41 @@ miscfiles_read_generic_certs(rpcd_t) +@@ -97,21 +108,41 @@ miscfiles_read_generic_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) 
@@ -50402,7 +50406,7 @@ index 330d01f..b80dad2 100644 allow nfsd_t exports_t:file read_file_perms; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; -@@ -120,9 +149,16 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +@@ -120,9 +151,16 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) @@ -50419,7 +50423,7 @@ index 330d01f..b80dad2 100644 dev_dontaudit_getattr_all_blk_files(nfsd_t) dev_dontaudit_getattr_all_chr_files(nfsd_t) -@@ -135,12 +171,12 @@ files_getattr_tmp_dirs(nfsd_t) +@@ -135,12 +173,12 @@ files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type files_manage_mounttab(nfsd_t) files_read_etc_runtime_files(nfsd_t) @@ -50434,7 +50438,7 @@ index 330d01f..b80dad2 100644 storage_dontaudit_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) -@@ -148,8 +184,11 @@ storage_raw_read_removable_device(nfsd_t) +@@ -148,8 +186,11 @@ storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) @@ -50447,7 +50451,7 @@ index 330d01f..b80dad2 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -158,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -158,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -50455,7 +50459,7 @@ index 330d01f..b80dad2 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -170,8 +208,11 @@ tunable_policy(`nfs_export_all_ro',` +@@ -170,8 +210,11 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) 
@@ -50469,7 +50473,7 @@ index 330d01f..b80dad2 100644 ') ######################################## -@@ -181,7 +222,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -181,7 +224,7 @@ tunable_policy(`nfs_export_all_ro',` allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; @@ -50478,7 +50482,7 @@ index 330d01f..b80dad2 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -199,6 +240,7 @@ corecmd_exec_bin(gssd_t) +@@ -199,6 +242,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) @@ -50486,7 +50490,7 @@ index 330d01f..b80dad2 100644 fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) -@@ -210,14 +252,14 @@ auth_manage_cache(gssd_t) +@@ -210,14 +254,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -50504,7 +50508,7 @@ index 330d01f..b80dad2 100644 ') optional_policy(` -@@ -226,6 +268,11 @@ optional_policy(` +@@ -226,6 +270,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -57024,7 +57028,7 @@ index 941380a..ff89df6 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/sssd.te b/sssd.te -index a1b61bc..8fc2d2d 100644 +index a1b61bc..ab27950 100644 --- a/sssd.te +++ b/sssd.te @@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t) @@ -57043,7 +57047,7 @@ index a1b61bc..8fc2d2d 100644 type sssd_var_log_t; logging_log_file(sssd_var_log_t) -@@ -28,18 +32,23 @@ files_pid_file(sssd_var_run_t) +@@ -28,18 +32,24 @@ files_pid_file(sssd_var_run_t) # # sssd local policy # 
@@ -57052,6 +57056,7 @@ index a1b61bc..8fc2d2d 100644 -allow sssd_t self:fifo_file rw_file_perms; + +allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; ++allow sssd_t self:capability2 block_suspend; +allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; +allow sssd_t self:fifo_file rw_fifo_file_perms; +allow sssd_t self:key manage_key_perms; @@ -57071,7 +57076,7 @@ index a1b61bc..8fc2d2d 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,30 +57,44 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,30 +58,44 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -57117,7 +57122,7 @@ index a1b61bc..8fc2d2d 100644 init_read_utmp(sssd_t) -@@ -79,6 +102,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +103,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -57130,7 +57135,7 @@ index a1b61bc..8fc2d2d 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,8 +116,17 @@ optional_policy(` +@@ -87,8 +117,17 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -61975,7 +61980,7 @@ index 6f0736b..aaee499 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..155db40 100644 +index 947bbc6..8378c6d 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0) @@ -62040,15 +62045,15 @@ index 947bbc6..155db40 100644 +gen_tunable(virt_use_sanlock, false) + +## - ##

--## Allow virt to use usb devices ++##

+## Allow confined virtual guests to interact with the xserver +##

+##
+gen_tunable(virt_use_xserver, false) + +## -+##

+ ##

+-## Allow virt to use usb devices +## Allow confined virtual guests to use usb devices ##

##
@@ -62468,7 +62473,7 @@ index 947bbc6..155db40 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +516,30 @@ optional_policy(` +@@ -335,19 +516,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -62491,6 +62496,10 @@ index 947bbc6..155db40 100644 + dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); + dnsmasq_manage_pid_files(virtd_t) ++') ++ ++optional_policy(` ++ firewalld_dbus_chat(virtd_t) ') optional_policy(` @@ -62500,7 +62509,7 @@ index 947bbc6..155db40 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +554,12 @@ optional_policy(` +@@ -362,6 +558,12 @@ optional_policy(` ') optional_policy(` @@ -62513,7 +62522,7 @@ index 947bbc6..155db40 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +567,11 @@ optional_policy(` +@@ -369,11 +571,11 @@ optional_policy(` ') optional_policy(` @@ -62530,7 +62539,7 @@ index 947bbc6..155db40 100644 ') optional_policy(` -@@ -384,6 +582,7 @@ optional_policy(` +@@ -384,6 +586,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -62538,7 +62547,7 @@ index 947bbc6..155db40 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -403,34 +602,51 @@ optional_policy(` +@@ -403,34 +606,51 @@ optional_policy(` # virtual domains common policy # @@ -62595,7 +62604,7 @@ index 947bbc6..155db40 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +654,11 @@ dev_write_sound(virt_domain) +@@ -438,10 +658,11 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
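Review bot: The new `optional_policy(` block calling `firewalld_dbus_chat(virtd_t)` in the virt.te hunk has no comment explaining the interaction, while the iptables block just below it carries `# Manages /etc/sysconfig/system-config-firewall`; the reason currently lives only in the spec changelog. dbus chat interfaces are conventionally bidirectional send_msg rules, so presumably this also lets firewalld message virtd, which should be understood as intended rather than incidental. Suggested comment above the block: `# virtd configures guest network firewall rules through firewalld over the system bus`. The surrounding optional_policy section continues on both sides of the hunk.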
@@ -62608,7 +62617,7 @@ index 947bbc6..155db40 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,8 +666,16 @@ files_search_all(virt_domain) +@@ -449,8 +670,16 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -62616,17 +62625,17 @@ index 947bbc6..155db40 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +-term_use_all_terms(virt_domain) +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - --term_use_all_terms(virt_domain) ++ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -459,13 +684,466 @@ logging_send_syslog_msg(virt_domain) +@@ -459,13 +688,466 @@ logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index bc74ad1..87609e9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -491,6 +491,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Aug 16 2012 Dan Walsh 3.11.1-9 +- Allow postfix, sssd, rpcd to block_suspend +- udev seems to need secure_firmware capability +- Allow virtd to send dbus messages to firewalld so it can configure the firewall + * Thu Aug 16 2012 Dan Walsh 3.11.1-8 - Fix labeling of content in /run created by virsh_t - Allow condor domains to read kernel sysctls