diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index ec838bd..5d940f8 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -126,7 +126,7 @@ optional_policy(` ') optional_policy(` - nsplugin_manage_rw_files(prelink_t) + mozilla_plugin_manage_rw_files(prelink_t) ') optional_policy(` diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc index 35b51ab..800b5c8 100644 --- a/policy/modules/apps/mozilla.fc +++ b/policy/modules/apps/mozilla.fc @@ -4,6 +4,11 @@ HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin @@ -15,6 +20,9 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) # # /lib 
@@ -27,4 +35,9 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) + +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) + +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index b9b8ac2..aa15d05 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -208,10 +208,12 @@ interface(`mozilla_domtrans',` interface(`mozilla_domtrans_plugin',` gen_require(` type mozilla_plugin_t, mozilla_plugin_exec_t; + type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; class dbus send_msg; ') domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) allow mozilla_plugin_t $1:process signull; allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; allow $1 mozilla_plugin_t:fd use; @@ -247,6 +249,7 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; + role $2 types mozilla_plugin_config_t; ') ####################################### @@ -266,6 +269,7 @@ interface(`mozilla_role_plugin',` ') role $1 types mozilla_plugin_t; + role $1 types mozilla_plugin_config_t; ') ######################################## 
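Review bot: The added `domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)` in `mozilla_domtrans_plugin` gives every caller of this interface entry to the config domain as well. The mozilla.te part of this commit grants that domain the capabilities `dac_override`, `setuid` and `setgid` plus the `execmem` process permission. The lines removed from unconfineduser.te show that, for unconfined users, this entry used to be a separate `nsplugin_domtrans_config` call behind the `allow_unconfined_nsplugin_transition` tunable, so access is widened with no switch left to turn it off. Consider moving the new line into an interface of its own so callers opt in, or at least extend the interface summary to say it grants both transitions. The interface body continues past this hunk.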
@@ -360,3 +364,23 @@ interface(`mozilla_plugin_dontaudit_leaks',` dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') + +######################################## +## +## Create, read, write, and delete +## mozilla_plugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mozilla_plugin_manage_rw_files',` + gen_require(` + type mozilla_plugin_rw_t; + ') + + allow $1 mozilla_plugin_rw_t:file manage_file_perms; + allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; +') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 75d0b62..344f2e4 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -23,7 +23,7 @@ type mozilla_conf_t; files_config_file(mozilla_conf_t) type mozilla_home_t; -typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; +typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t nsplugin_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; files_poly_member(mozilla_home_t) userdom_user_home_content(mozilla_home_t) @@ -43,6 +43,13 @@ userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t) files_tmpfs_file(mozilla_plugin_tmpfs_t) ubac_constrained(mozilla_plugin_tmpfs_t) +type mozilla_plugin_rw_t alias nsplugin_rw_t; +files_type(mozilla_plugin_rw_t) + +type mozilla_plugin_config_t; +type mozilla_plugin_config_exec_t; +application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) + type mozilla_tmp_t; files_tmp_file(mozilla_tmp_t) ubac_constrained(mozilla_tmp_t) @@ -280,11 +287,6 @@ optional_policy(` ') optional_policy(` - nsplugin_manage_rw(mozilla_t) - nsplugin_manage_home_files(mozilla_t) -') - -optional_policy(` pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) 
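Review bot: `mozilla_plugin_manage_rw_files` spells out two raw `allow` rules where the surrounding policy uses pattern macros. `manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)` grants the same `rw_dir_perms` on the directory and `manage_file_perms` on the files in one line, and stays in step with the macro if it changes. The summary should also name what the type covers, since "rw files" does not tell a caller it is receiving write access to a plugin directory under /usr/lib. The mozilla.fc hunk labels `/usr/lib/mozilla/plugins-wrapped(/.*)?` with this type.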
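Review bot: `mozilla_plugin_config_t` and `mozilla_plugin_config_exec_t` are declared without aliases for the nsplugin types they replace, whereas this commit does give `mozilla_plugin_rw_t` the alias `nsplugin_rw_t` and `mozilla_home_t` the alias `nsplugin_home_t`. If the nsplugin module is dropped together with this change (not visible in this diff), objects still carrying the old config and exec labels would stop resolving to a valid type until the filesystem is relabeled, and the helper would not transition in the meantime. Either add the matching `alias` clauses to the two new `type` statements or note in the commit message that a relabel is required.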
@@ -330,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + can_exec(mozilla_plugin_t, mozilla_exec_t) kernel_read_kernel_sysctls(mozilla_plugin_t) @@ -452,17 +458,6 @@ optional_policy(` ') optional_policy(` - nsplugin_domtrans(mozilla_plugin_t) - nsplugin_rw_exec(mozilla_plugin_t) - nsplugin_manage_home_dirs(mozilla_plugin_t) - nsplugin_manage_home_files(mozilla_plugin_t) - nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) - nsplugin_user_home_filetrans(mozilla_plugin_t, file) - nsplugin_read_rw_files(mozilla_plugin_t); - nsplugin_signal(mozilla_plugin_t) -') - -optional_policy(` pulseaudio_exec(mozilla_plugin_t) pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) 
@@ -491,3 +486,61 @@ optional_policy(` xserver_append_xdm_home_files(mozilla_plugin_t); ') +######################################## +# +# mozilla_plugin_config local policy +# + +allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem }; + +allow mozilla_plugin_config_t self:fifo_file rw_file_perms; +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) + +dev_search_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) + +fs_search_auto_mountpoints(mozilla_plugin_config_t) +fs_list_inotifyfs(mozilla_plugin_config_t) + +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) + +corecmd_exec_bin(mozilla_plugin_config_t) +corecmd_exec_shell(mozilla_plugin_config_t) + +kernel_read_system_state(mozilla_plugin_config_t) +kernel_request_load_module(mozilla_plugin_config_t) + +domain_use_interactive_fds(mozilla_plugin_config_t) + +files_read_etc_files(mozilla_plugin_config_t) +files_read_usr_files(mozilla_plugin_config_t) +files_dontaudit_search_home(mozilla_plugin_config_t) +files_list_tmp(mozilla_plugin_config_t) + +auth_use_nsswitch(mozilla_plugin_config_t) + +miscfiles_read_localization(mozilla_plugin_config_t) 
+miscfiles_read_fonts(mozilla_plugin_config_t) + +userdom_search_user_home_content(mozilla_plugin_config_t) +userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) +userdom_read_user_home_content_files(mozilla_plugin_config_t) +userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t) + +domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) + +optional_policy(` + xserver_use_user_fonts(mozilla_plugin_config_t) +') diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 39b1056..cc3f02e 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4176,6 +4176,30 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## +## Read cpu online hardware state information. +## +## +##
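Review bot: The new `mozilla_plugin_config_t` block lets one domain both write and execute the same type, because `can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)` sits next to `manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)`. The domain also holds `dac_override`, `setuid`, `setgid`, `execmem`, `corecmd_exec_shell` and `kernel_request_load_module`. Nothing in the hunk says which of these the plugin-config helper needs, so each should carry a short comment naming the operation that required it, and any without an observed denial should be dropped. `manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)` also appears twice; the first copy, directly after the `unix_stream_socket` rule, can be deleted.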

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`dev_read_cpu_online',` + gen_require(` + type cpu_online_t; + ') + + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) +') + +######################################## +## ## Read hardware state information. ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 1c2562c..112bebb 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -225,6 +225,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) +type cpu_online_t; +allow cpu_online_t sysfs_t:filesystem associate; +genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0) + # # Type for /dev/tpm # diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index f9a1bcc..a478431 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -115,6 +115,7 @@ kernel_dontaudit_search_debugfs(domain) allow domain self:process { fork getsched sigchld }; # Use trusted objects in /dev +dev_read_cpu_online(domain) dev_rw_null(domain) dev_rw_zero(domain) term_use_controlling_term(domain) diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te index 11ad8fb..35524d6 100644 --- a/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te @@ -8,13 +8,6 @@ attribute unconfined_login_domain; ## ##
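Review bot: `cpu_online_t` is declared with a bare `type` statement followed by a hand-written `allow cpu_online_t sysfs_t:filesystem associate;`, so the type carries no attribute. Rules written against the file-type attributes, such as relabel or getattr access granted to administrative domains, would therefore not cover this object. That is worth confirming as intended. If it is not, add `files_type(cpu_online_t)` directly after the declaration.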
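Review bot: `dev_read_cpu_online(domain)` is filed under the comment `# Use trusted objects in /dev`, but it grants access to a sysfs file. Through the `dev_search_sysfs($1)` call inside the new interface in devices.if, it also gives every domain search permission on sysfs directories. A comment of its own above the call, such as `# Every domain may read /sys/devices/system/cpu/online`, would keep the /dev comment accurate and make the policy-wide grant visible. If the directory search is broader than intended for confined domains, the interface summary should say so.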

-## allow unconfined users to transition to the nsplugin domains when running nspluginviewer -##

-##
-gen_tunable(allow_unconfined_nsplugin_transition, false) - -## -##

## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox ##

##
@@ -128,14 +121,6 @@ optional_policy(` attribute unconfined_usertype; ') - nsplugin_role_notrans(unconfined_r, unconfined_usertype) - optional_policy(` - tunable_policy(`allow_unconfined_nsplugin_transition',` - nsplugin_domtrans(unconfined_usertype) - nsplugin_domtrans_config(unconfined_usertype) - ') - ') - optional_policy(` abrt_dbus_chat(unconfined_usertype) abrt_run_helper(unconfined_usertype, unconfined_r) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te index 6f176f9..0258e24 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -117,10 +117,6 @@ optional_policy(` ') optional_policy(` - nsplugin_role(xguest_r, xguest_t) -') - -optional_policy(` pcscd_read_pub_files(xguest_usertype) pcscd_stream_connect(xguest_usertype) ') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te index d5a9038..a1cbdb4 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -208,11 +208,6 @@ optional_policy(` ') optional_policy(` - nsplugin_read_rw_files(abrt_t) - nsplugin_read_home(abrt_t) -') - -optional_policy(` policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 0b3811d..0281618 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -787,10 +787,6 @@ template(`userdom_common_user_template',` ') optional_policy(` - nsplugin_role($1_r, $1_usertype) - ') - - optional_policy(` tunable_policy(`allow_user_mysql_connect',` mysql_stream_connect($1_t) ')