Index: refpolicy-2.20180114/policy/modules/contrib/backup.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/backup.te
+++ refpolicy-2.20180114/policy/modules/contrib/backup.te
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
 
 logging_send_syslog_msg(backup_t)
 
+miscfiles_read_localization(backup_t)
+
 sysnet_read_config(backup_t)
 
 userdom_use_user_terminals(backup_t)
Index: refpolicy-2.20180114/policy/modules/contrib/boinc.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/boinc.te
+++ refpolicy-2.20180114/policy/modules/contrib/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
 # Local policy
 #
 
-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
 allow boinc_t self:unix_stream_socket { accept listen };
 allow boinc_t self:tcp_socket { accept listen };
 allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
 
 can_exec(boinc_t, boinc_var_lib_t)
 libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)
 
 domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 
 kernel_read_system_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
 
 corenet_all_recvfrom_unlabeled(boinc_t)
 corenet_all_recvfrom_netlabel(boinc_t)
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
 logging_send_syslog_msg(boinc_t)
 
 miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
 miscfiles_read_localization(boinc_t)
 
 tunable_policy(`boinc_execmem',`
@@ -169,7 +173,7 @@ optional_policy(`
 #
 
 allow boinc_project_t self:capability { setgid setuid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };
 
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
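Review bot: The `signal` added to the `boinc_project_t self:process` set is redundant, because the set already contains `signal_perms`, which in upstream refpolicy's obj_perm_sets.spt expands to `{ sigchld sigkill sigstop signull signal }`. The line can stay as it was before the patch. If a `signal` denial was still being logged for this domain, it was most likely against a target type other than `self`, so the AVC that motivated the change is worth re-reading.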
@@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
 userdom_getattr_user_ttys(boinc_t)
 
 optional_policy(`
+	# for lsb_release -a
+	apt_read_cache(boinc_t)
+	apt_read_db(boinc_t)
+	dpkg_exec(boinc_t)
+	dpkg_read_db(boinc_t)
+
+	apt_read_cache(boinc_project_t)
+	apt_read_db(boinc_project_t)
+	dpkg_exec(boinc_project_t)
+	dpkg_read_db(boinc_project_t)
+')
+
+optional_policy(`
 	java_exec(boinc_project_t)
 ')
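Review bot: The second group of four rules gives `boinc_project_t` the same apt/dpkg access as `boinc_t`, but the `# for lsb_release -a` comment sits only above the `boinc_t` group and nothing here shows that the project domain runs lsb_release itself. `boinc_project_t` is the domain that holds `execmem execstack ptrace` earlier in this file, so package-database reads plus `dpkg_exec` for it deserve their own justification. If the denials came only from the client, drop the `boinc_project_t` lines; otherwise give that group its own comment stating which program in the project domain needs them.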
Index: refpolicy-2.20180114/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy-2.20180114/policy/modules/contrib/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
 files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
 files_search_tmp(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 
Index: refpolicy-2.20180114/policy/modules/contrib/gdomap.fc
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/gdomap.fc
+++ refpolicy-2.20180114/policy/modules/contrib/gdomap.fc
@@ -5,3 +5,4 @@
 /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
 
 /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)
Index: refpolicy-2.20180114/policy/modules/contrib/gdomap.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/gdomap.te
+++ refpolicy-2.20180114/policy/modules/contrib/gdomap.te
@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
 allow gdomap_t self:tcp_socket { listen accept };
 
 allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
 files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
 
 corenet_sendrecv_gdomap_server_packets(gdomap_t)
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
 auth_use_nsswitch(gdomap_t)
 
 logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)
Index: refpolicy-2.20180114/policy/modules/contrib/jabber.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/jabber.te
+++ refpolicy-2.20180114/policy/modules/contrib/jabber.te
@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
 allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
 
 kernel_read_system_state(jabberd_domain)
 
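Review bot: The new directory rule on `jabberd_var_lib_t` is written as a raw `allow` while the line directly above it uses the pattern macro for files. For consistency with that line, and with the `manage_dirs_pattern` calls visible as context in boinc.te, write it as `manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)` and place it before the `manage_files_pattern` line.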
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
 corenet_tcp_sendrecv_generic_if(jabberd_domain)
 corenet_tcp_sendrecv_generic_node(jabberd_domain)
 corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)
 
 dev_read_urand(jabberd_domain)
 dev_read_sysfs(jabberd_domain)
Index: refpolicy-2.20180114/policy/modules/contrib/mon.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/mon.te
+++ refpolicy-2.20180114/policy/modules/contrib/mon.te
@@ -161,6 +161,7 @@ optional_policy(`
 
 allow mon_local_test_t self:capability sys_admin;
 allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
 
 kernel_dontaudit_getattr_core_if(mon_local_test_t)
 kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
 kernel_read_software_raid_state(mon_local_test_t)
 kernel_read_system_state(mon_local_test_t)
 
@@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
+miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
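Review bot: `miscfiles_read_generic_certs(mon_t)` is added in the middle of the `mon_local_test_t` rules, so the domain it grants to does not match the section it lives in. If the certificate read is needed by the mon daemon, move the line next to the other `mon_t` rules; if it is needed by the local test scripts, it should read `miscfiles_read_generic_certs(mon_local_test_t)`. As written, someone auditing what `mon_t` can access will not find this rule where the rest of its policy is. The same pattern appears in the sysnetwork.te hunk at `@@ -339,6 +340,8`, where `miscfiles_read_generic_certs(dhcpc_t)` sits between `ifconfig_t` rules and should move to the dhcpc_t block.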
Index: refpolicy-2.20180114/policy/modules/contrib/syncthing.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/syncthing.te
+++ refpolicy-2.20180114/policy/modules/contrib/syncthing.te
@@ -66,7 +66,3 @@ userdom_use_user_terminals(syncthing_t)
 # newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
 userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
 
-optional_policy(`
-	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
-	networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20180114/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180114/policy/modules/kernel/corecommands.fc
@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/ConsoleKit/run-session.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/courier(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cups(/.*)? 			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
 /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20180114/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180114/policy/modules/services/ssh.te
@@ -247,6 +247,9 @@ optional_policy(`
 # sshd_t is the domain for the sshd program.
 #
 
+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
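Review bot: The comment on the new `dac_read_search` grant says "probably pam_systemd.so", so the capability is being added to `sshd_t` without a confirmed consumer. `dac_read_search` lets the whole domain bypass DAC read and search checks, not only on `/run/user/UID/bus`, so the AVC record (comm, path) should be checked before allowing it. If logins work without the access, `dontaudit sshd_t self:capability dac_read_search;` silences the denial without widening the domain; if it is required, replace the comment with the confirmed cause. The `dac_read_search` added to `consolekit_t` in consolekit.te carries no comment at all and needs the same treatment.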
Index: refpolicy-2.20180114/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180114/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
 
 #######################################
 ## <summary>
+##	relabel the last logins log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
 ##	Read and write to the last logins log.
 ## </summary>
 ## <param name="domain">
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
 ')
 
 ########################################
+## <summary>
+##     Manage the last logins log.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
+	logging_rw_generic_log_dirs($1)
+')
+
+########################################
 ## <summary>
 ##	Execute pam programs in the pam domain.
 ## </summary>
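Review bot: `auth_manage_lastlog` grants `relabelfrom relabelto` on `lastlog_t` in addition to `manage_file_perms`, which its summary ("Manage the last logins log") does not mention and which duplicates the `auth_relabel_lastlog` interface added in the previous hunk. Relabeling is a separate privilege from managing file contents, so callers of a manage interface should not receive it implicitly; use `allow $1 lastlog_t:file manage_file_perms;` and have callers that need relabeling call `auth_relabel_lastlog` as well. The doc block of this interface is also indented with spaces where the neighbouring interfaces use tabs.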
Index: refpolicy-2.20180114/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180114/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
 
 allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
+userdom_manage_all_users_keys(local_login_t)
 userdom_spec_domtrans_all_users(local_login_t)
 userdom_signal_all_users(local_login_t)
 userdom_search_user_home_content(local_login_t)
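Review bot: `userdom_manage_all_users_keys(local_login_t)` is added without a comment, and by its name it opens key management across all user domains to the login program. The `getcap setcap` added to `local_login_t self:process` in the previous hunk is likewise unexplained. Other additions in this patch carry a `# for ...` line; these two should name the PAM module or AVC that requires them so the grant can be re-evaluated later.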
Index: refpolicy-2.20180114/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20180114/policy/modules/system/selinuxutil.te
@@ -599,6 +599,7 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
 fs_getattr_nfs(setfiles_t)
 fs_getattr_pstore_dirs(setfiles_t)
 fs_getattr_pstorefs(setfiles_t)
Index: refpolicy-2.20180114/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180114/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
 	optional_policy(`
 		nscd_use($1)
 	')
+	optional_policy(`
+	# for /etc/resolv.conf symlink
+		networkmanager_read_pid_files($1)
+	')
 
 	# This seems needed when the mymachines NSS module is used
 	optional_policy(`
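Review bot: Adding `networkmanager_read_pid_files($1)` inside `sysnet_dns_name_resolve` hands read access to NetworkManager's pid files to every domain that calls this interface, when the stated need is only the resolv.conf symlink target. The block removed from syncthing.te in this patch names that target as `/run/NetworkManager/resolv.conf`; giving that one file the network-config label in NetworkManager's policy would limit the grant to what is actually read. If the broad grant stays, indent the comment to match the call and name the path: `# /etc/resolv.conf may be a symlink to /run/NetworkManager/resolv.conf`. The interface body starts and ends outside this hunk.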
Index: refpolicy-2.20180114/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180114/policy/modules/system/sysnetwork.te
@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
 allow dhcpc_t dhcp_state_t:file read_file_perms;
 manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
 
 logging_send_syslog_msg(ifconfig_t)
 
+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
 miscfiles_read_localization(ifconfig_t)
 
 seutil_use_runinit_fds(ifconfig_t)
Index: refpolicy-2.20180114/policy/modules/contrib/consolekit.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/consolekit.te
+++ refpolicy-2.20180114/policy/modules/contrib/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
 # Local policy
 #
 
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
 allow consolekit_t self:process { getsched signal setfscreate };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20180114/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180114/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
 #
 
 allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
 allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow groupadd_t self:fd use;
 allow groupadd_t self:fifo_file rw_fifo_file_perms;
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 
 optional_policy(`
+	dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
 	dpkg_use_fds(groupadd_t)
 	dpkg_rw_pipes(groupadd_t)
 ')
@@ -269,6 +273,10 @@ optional_policy(`
 	rpm_rw_pipes(groupadd_t)
 ')
 
+optional_policy(`
+	unconfined_use_fds(groupadd_t)
+')
+
 ########################################
 #
 # Passwd local policy
@@ -446,7 +454,7 @@ optional_policy(`
 #
 
 allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
 allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow useradd_t self:fd use;
 allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -538,6 +546,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
 	dpkg_use_fds(useradd_t)
 	dpkg_rw_pipes(useradd_t)
 ')
@@ -560,3 +572,7 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(useradd_t)
+')
Index: refpolicy-2.20180114/policy/modules/contrib/apt.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/apt.if
+++ refpolicy-2.20180114/policy/modules/contrib/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir list_dir_perms;
-	allow $1 apt_var_cache_t:file read_file_perms;
+	allow $1 apt_var_cache_t:file mmap_read_file_perms;
 ')
 
 ########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir manage_dir_perms;
-	allow $1 apt_var_cache_t:file manage_file_perms;
+	allow $1 apt_var_cache_t:file { manage_file_perms map };
 ')
 
 ########################################
Index: refpolicy-2.20180114/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20180114/policy/modules/contrib/dpkg.te
@@ -317,6 +317,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat(dpkg_script_t)
+')
+
+optional_policy(`
 	modutils_run(dpkg_script_t, dpkg_roles)
 ')
 
Index: refpolicy-2.20180114/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/udev.te
+++ refpolicy-2.20180114/policy/modules/system/udev.te
@@ -305,10 +305,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	lvm_domtrans(udev_t)
-')
-
-optional_policy(`
 	fstools_domtrans(udev_t)
 ')
 
@@ -327,6 +323,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	iptables_domtrans(udev_t)
+	iptables_write_pipe(udev_t)
+')
+
+optional_policy(`
 	lvm_domtrans(udev_t)
 ')
 
Index: refpolicy-2.20180114/policy/modules/system/iptables.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/iptables.if
+++ refpolicy-2.20180114/policy/modules/system/iptables.if
@@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
 
 ########################################
 ## <summary>
+##	Allow iptables to write to a pipe
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be written to
+##	</summary>
+## </param>
+#
+interface(`iptables_write_pipe',`
+	gen_require(`
+		type iptables_t;
+	')
+
+	allow iptables_t $1:fifo_file write;
+')
+
+########################################
+## <summary>
 ##	Execute iptables in the iptables domain, and
 ##	allow the specified role the iptables domain.
 ## </summary>
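Review bot: The documentation of `iptables_write_pipe` does not make the direction of the grant clear: the rule is `allow iptables_t $1:fifo_file write;`, so iptables_t gains access to the caller's pipes, while the name reads as if the caller writes to iptables. Suggest the summary `Allow iptables to write to unnamed pipes of the specified domain.` and the parameter text `Domain whose pipes iptables may write to.` A short comment at the call site in udev.te saying which udev rule runs iptables would also help, since `iptables_domtrans(udev_t)` is a new transition out of udev_t.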
Index: refpolicy-2.20180114/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20180114/policy/modules/contrib/logrotate.te
@@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 fs_list_inotifyfs(logrotate_t)
 fs_getattr_tmpfs(logrotate_t)
+# killall reads nsfs files
+fs_read_nsfs_files(logrotate_t)
 
 mls_file_read_all_levels(logrotate_t)
 mls_file_write_all_levels(logrotate_t)
Index: refpolicy-2.20180114/policy/modules/contrib/gpm.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/gpm.if
+++ refpolicy-2.20180114/policy/modules/contrib/gpm.if
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
 	')
 
 	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+	dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
 ')
 
 ########################################
Index: refpolicy-2.20180114/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy-2.20180114/policy/modules/contrib/networkmanager.te
@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
 allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow NetworkManager_t self:packet_socket create_socket_perms;
 allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
 
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 
Index: refpolicy-2.20180114/policy/modules/contrib/apt.fc
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/apt.fc
+++ refpolicy-2.20180114/policy/modules/contrib/apt.fc
@@ -1,9 +1,12 @@
 /etc/cron\.daily/apt	--	gen_context(system_u:object_r:apt_exec_t,s0)
 
-ifndef(`distro_redhat',`
+/usr/bin/apt		--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
Index: refpolicy-2.20180114/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180114/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
 
 term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 
 corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
 
+fs_list_hugetlbfs(bootloader_t)
 fs_mount_fusefs(bootloader_t)
 fs_mount_xattr_fs(bootloader_t)
 fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
 
 	# for apt-cache
 	apt_read_db(bootloader_t)
-	apt_read_cache(bootloader_t)
+	apt_manage_cache(bootloader_t)
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
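Review bot: Replacing `apt_read_cache(bootloader_t)` with `apt_manage_cache(bootloader_t)` moves bootloader_t from read-only access to `manage_dir_perms` and `manage_file_perms` on `apt_var_cache_t`, while the comment above still says `# for apt-cache`, a query tool. This patch also changes `apt_read_cache` to `mmap_read_file_perms` in apt.if, so if the denial being fixed was `map`, the read interface may now be enough and the upgrade to manage unnecessary. If write access really is needed, the comment should say what writes to the cache. The enclosing distro_debian block continues outside the hunk.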
@@ -204,6 +207,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
 	hal_dontaudit_append_lib_files(bootloader_t)
 	hal_write_log(bootloader_t)
 ')
@@ -230,5 +237,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')
Index: refpolicy-2.20180114/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20180114/policy/modules/contrib/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
 
 	allow $1 dpkg_script_tmp_t:file map;
 ')
+
+########################################
+## <summary>
+##	read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+	gen_require(`
+		type dpkg_script_tmp_t;
+	')
+
+	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
Index: refpolicy-2.20180114/policy/modules/contrib/raid.if
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/raid.if
+++ refpolicy-2.20180114/policy/modules/contrib/raid.if
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
 
 ########################################
 ## <summary>
+##	read mdadm pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+	gen_require(`
+		type mdadm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 mdadm_var_run_t:dir list_dir_perms;
+	allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mdadm pid files.
 ## </summary>
Index: refpolicy-2.20180114/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180114/policy/modules/system/modutils.te
@@ -135,6 +135,7 @@ optional_policy(`
 	# for postinst of a new kernel package
 	dpkg_manage_script_tmp_files(kmod_t)
 	dpkg_map_script_tmp_files(kmod_t)
+	dpkg_read_script_tmp_links(kmod_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20180114/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20180114/policy/modules/contrib/tor.te
@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
 corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 
 dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
 dev_read_urand(tor_t)
 
 domain_use_interactive_fds(tor_t)
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
 
 logging_send_syslog_msg(tor_t)
 
+miscfiles_read_generic_certs(tor_t)
 miscfiles_read_localization(tor_t)
 
 tunable_policy(`tor_bind_all_unreserved_ports',`
Index: refpolicy-2.20180114/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20180114/policy/modules/contrib/devicekit.te
@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
 kernel_read_system_state(devicekit_t)
 
 dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
 dev_read_urand(devicekit_t)
 
 files_read_etc_files(devicekit_t)
Index: refpolicy-2.20180114/policy/modules/contrib/dictd.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/dictd.te
+++ refpolicy-2.20180114/policy/modules/contrib/dictd.te
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
 optional_policy(`
+	dbus_system_bus_client(dictd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(dictd_t)
 ')
 
Index: refpolicy-2.20180114/policy/modules/contrib/irqbalance.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/irqbalance.te
+++ refpolicy-2.20180114/policy/modules/contrib/irqbalance.te
@@ -44,6 +44,7 @@ files_read_etc_runtime_files(irqbalance_
 
 fs_getattr_all_fs(irqbalance_t)
 fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
 
 domain_use_interactive_fds(irqbalance_t)
 
Index: refpolicy-2.20180114/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20180114/policy/modules/contrib/policykit.te
@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
 
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
+	init_dbus_chat(policykit_t)
 
 	userdom_dbus_send_all_users(policykit_t)
 
Index: refpolicy-2.20180114/policy/modules/contrib/postfix.te
===================================================================
--- refpolicy-2.20180114.orig/policy/modules/contrib/postfix.te
+++ refpolicy-2.20180114/policy/modules/contrib/postfix.te
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 
+optional_policy(`
+	init_dbus_chat(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy
