Index: refpolicy-2.20190201/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20190201.orig/policy/modules/system/init.if
+++ refpolicy-2.20190201/policy/modules/system/init.if
@@ -127,7 +127,11 @@ interface(`init_domain',`
 
 	role system_r types $1;
 
-	domtrans_pattern(init_t, $2, $1)
+	ifdef(`init_systemd', `
+		domtrans_pattern(init_t, $2, $1)
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow $1 init_t:unix_dgram_socket sendto;
+	')
 
 	allow init_t $1:process rlimitinh;
 
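Review bot: Moving `domtrans_pattern(init_t, $2, $1)` inside the ifdef on init_systemd means that a policy built without init_systemd no longer gets the init_t transition for any caller of init_domain(), where the removed line made it unconditional. If only the two socket rules are systemd-specific, keep the transition outside the block and wrap just the `allow` lines. The new `allow init_t $1:unix_stream_socket create_stream_socket_perms;` lets init_t create and listen on stream sockets labelled with every init domain's type, so it deserves a comment giving the reason (presumably socket activation, which is inferred and not shown here). The interface body starts and continues outside this hunk.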
Index: refpolicy-2.20190201/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy-2.20190201.orig/policy/support/obj_perm_sets.spt
+++ refpolicy-2.20190201/policy/support/obj_perm_sets.spt
@@ -154,11 +154,6 @@ define(`relabel_dir_perms',`{ getattr re
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr open read lock ioctl }')
-# deprecated 20171213
-define(`mmap_file_perms',`
-	{ getattr open map read execute ioctl }
-	refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
-')
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
Index: refpolicy-2.20190201/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20190201.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20190201/policy/modules/system/systemd.te
@@ -349,6 +349,10 @@ optional_policy(`
 	networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
+optional_policy(`
+	unconfined_dbus_send(systemd_hostnamed_t)
+')
+
 #########################################
 #
 # hw local policy
@@ -1110,6 +1114,10 @@ tunable_policy(`systemd_tmpfiles_manage_
 ')
 
 optional_policy(`
+	colord_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')
Index: refpolicy-2.20190201/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20190201.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20190201/policy/modules/system/fstools.te
@@ -150,6 +150,11 @@ init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
 init_rw_script_stream_sockets(fsadm_t)
 
+ifdef(`hide_broken_symptoms',`
+	# for /run/pm-utils/locks/pm-powersave.lock
+	init_read_utmp(fsadm_t)
+')
+
 logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
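Review bot: Blocks under hide_broken_symptoms conventionally hold dontaudit rules, but `init_read_utmp(fsadm_t)` is an allow that gives fsadm_t read access to utmp-labelled files. The comment names /run/pm-utils/locks/pm-powersave.lock rather than utmp, which suggests the lock file carries the utmp label or an inherited descriptor is being checked. If that is the case, `init_dontaudit_rw_utmp(fsadm_t)` or a corrected file context for the lock would silence the denial without widening the domain. The same block is added for ifconfig_t in the second sysnetwork.te hunk.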
Index: refpolicy-2.20190201/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20190201.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20190201/policy/modules/system/sysnetwork.te
@@ -59,7 +59,7 @@ allow dhcpc_t self:capability { dac_over
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
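Review bot: `setrlimit` is added to the dhcpc_t self:process set with no comment, while the neighbouring dontaudit rule in this hunk records its reason (`# for access("/etc/bashrc", X_OK) on Red Hat`). A line above the rule such as `# <DHCP client name> adjusts its own resource limits` (placeholder, the client is not identified here) would say which client needs it, so the permission can be dropped when that client is no longer shipped.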
@@ -357,6 +357,11 @@ files_dontaudit_read_root_files(ifconfig
 init_use_fds(ifconfig_t)
 init_use_script_ptys(ifconfig_t)
 
+ifdef(`hide_broken_symptoms',`
+	# for /run/pm-utils/locks/pm-powersave.lock
+	init_read_utmp(ifconfig_t)
+')
+
 logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)
Index: refpolicy-2.20190201/policy/constraints
===================================================================
--- refpolicy-2.20190201.orig/policy/constraints
+++ refpolicy-2.20190201/policy/constraints
@@ -28,6 +28,7 @@
 define(`basic_ubac_conditions',`
 	ifdef(`enable_ubac',`
 		u1 == u2
+		or r1 == sysadm_r
 		or u1 == system_u
 		or u2 == system_u
 		or t1 != ubac_constrained_type
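Review bot: The added `or r1 == sysadm_r` term exempts every source context whose role is sysadm_r from user-based access control. It applies in every constraint that expands basic_ubac_conditions, whatever the SELinux user or the target type. That is a policy-wide relaxation of UBAC separation, and it arrives without a comment or a separate build option. A comment stating the reason is needed, and if the exemption is distribution-specific it should sit under its own ifdef so it can be switched off where sysadm_r is not meant to cross user boundaries. The define continues past the end of this hunk.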
Index: refpolicy-2.20190201/policy/modules/services/accountsd.te
===================================================================
--- refpolicy-2.20190201.orig/policy/modules/services/accountsd.te
+++ refpolicy-2.20190201/policy/modules/services/accountsd.te
@@ -49,6 +49,8 @@ auth_use_nsswitch(accountsd_t)
 auth_read_login_records(accountsd_t)
 auth_read_shadow(accountsd_t)
 
+init_dbus_chat(accountsd_t)
+
 miscfiles_read_localization(accountsd_t)
 
 logging_list_logs(accountsd_t)
Index: refpolicy-2.20190201/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy-2.20190201.orig/policy/modules/services/bluetooth.te
+++ refpolicy-2.20190201/policy/modules/services/bluetooth.te
@@ -66,6 +66,7 @@ allow bluetooth_t self:socket create_str
 allow bluetooth_t self:unix_stream_socket { accept connectto listen };
 allow bluetooth_t self:tcp_socket { accept listen };
 allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow bluetooth_t self:bluetooth_socket create;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
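Review bot: `allow bluetooth_t self:bluetooth_socket create;` grants only `create`, whereas the netlink rule just above it uses the `create_socket_perms` set. A socket that can be created but not bound, read or written is rarely useful. Either this covers a probe, which is worth a one-line comment, or further denials will follow and the permission list needs to name the operations the daemon actually performs. Which applies cannot be told from the hunk.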
Index: refpolicy-2.20190201/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20190201.orig/policy/modules/services/cups.te
+++ refpolicy-2.20190201/policy/modules/services/cups.te
@@ -131,6 +131,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
 
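Review bot: `manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)` lets cupsd_t create and rewrite symlinks of type cupsd_rw_etc_t, but the `filetrans_pattern` on the next line still lists only `file`. A symlink that cupsd creates in a cupsd_etc_t directory would therefore keep the directory's type and not be covered by the new rule. If creation is intended, the transition needs `{ file lnk_file }`. If cupsd only has to follow links that already exist, `read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)` is the narrower grant and avoids daemon-writable symlinks in its own configuration tree.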
@@ -219,7 +220,9 @@ files_read_usr_files(cupsd_t)
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
+files_read_var_lib_symlinks(cupsd_t)
 files_list_world_readable(cupsd_t)
+files_map_etc_files(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
 files_read_var_files(cupsd_t)
Index: refpolicy-2.20190201/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20190201.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20190201/policy/modules/services/clamav.te
@@ -203,6 +203,7 @@ stream_connect_pattern(freshclam_t, clam
 read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
 
 kernel_dontaudit_list_proc(freshclam_t)
+kernel_read_crypto_sysctls(freshclam_t)
 kernel_read_kernel_sysctls(freshclam_t)
 kernel_read_network_state(freshclam_t)
 kernel_read_system_state(freshclam_t)
@@ -234,6 +235,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)
