Index: refpolicy-2.20221101/policy/modules/services/accountsd.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/accountsd.te
+++ refpolicy-2.20221101/policy/modules/services/accountsd.te
@@ -21,8 +21,8 @@ files_type(accountsd_var_lib_t)
 # Local policy
 #
 
-allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
-allow accountsd_t self:process signal;
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace sys_nice };
+allow accountsd_t self:process { signal getsched setsched };
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
 allow accountsd_t self:passwd { rootok passwd chfn chsh };
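Review bot: The new `sys_nice` capability at L11 and the `setsched` permission at L12 are added without a comment saying what accounts-daemon does that needs to change scheduling. `setsched` on `self:process` covers the SELinux side of sched_setscheduler/setpriority on its own threads, and CAP_SYS_NICE is only consulted when priority is raised or another process is targeted, so one of the two may be droppable. A short rationale such as `# raises thread priority for user-switching work (sys_nice + setsched)` would let a later reviewer decide which grant is actually exercised; I cannot tell from the hunk which call triggered the denial.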
 
@@ -67,5 +67,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_send(accountsd_t)
+')
+
+optional_policy(`
 	xserver_read_xdm_tmp_files(accountsd_t)
 ')
Index: refpolicy-2.20221101/policy/modules/services/acpi.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/acpi.te
+++ refpolicy-2.20221101/policy/modules/services/acpi.te
@@ -64,7 +64,10 @@ logging_send_syslog_msg(acpi_t)
 
 allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
 dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
-allow acpid_t self:process { signal_perms getsession };
+# for pidof and pgrep
+allow acpid_t self:cap_userns sys_ptrace;
+
+allow acpid_t self:process { signal_perms getsession getsched };
 allow acpid_t self:fifo_file rw_fifo_file_perms;
 allow acpid_t self:netlink_socket create_socket_perms;
 allow acpid_t self:netlink_generic_socket create_socket_perms;
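Review bot: The `cap_userns sys_ptrace` grant at L36 sits next to a `dontaudit` of `self:capability sys_ptrace` at L33 for the same domain, and the two are inconsistent: the cap_userns check is only reached for targets in a non-initial user namespace, so the grant presumably lets pidof/pgrep read /proc entries of containerised processes while the same access in the initial namespace stays silently denied. Either that is intended and the comment at L35 should say so, e.g. `# pidof/pgrep read /proc of processes in child user namespaces`, or `sys_ptrace` should be removed from the dontaudit at L33 and allowed alongside. As written the comment does not explain why only the user-namespace variant is permitted.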
@@ -101,6 +104,7 @@ dev_read_mouse(acpid_t)
 dev_read_realtime_clock(acpid_t)
 dev_read_urand(acpid_t)
 dev_rw_acpi_bios(acpid_t)
+dev_rw_input_dev(acpid_t)
 dev_rw_sysfs(acpid_t)
 dev_watch_dev_dirs(acpid_t)
 dev_dontaudit_getattr_all_chr_files(acpid_t)
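Review bot: `dev_rw_input_dev(acpid_t)` at L46 grants write access to every input device, although acpid only needs to read button and lid events (plus the evdev ioctls) from /dev/input/event*. If devices.if offers a read-only input-device interface it should be preferred; if write really is required (for example to grab the device), a comment saying so would avoid the next reviewer narrowing it, e.g. `# reads power/lid button events from /dev/input`. I cannot see from the hunk which operation triggered the denial.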
@@ -136,6 +140,7 @@ domain_dontaudit_list_all_domains_state(
 auth_use_nsswitch(acpid_t)
 
 init_domtrans_script(acpid_t)
+init_read_utmp(acpid_t)
 init_telinit(acpid_t)
 
 libs_exec_ld_so(acpid_t)
@@ -218,6 +223,7 @@ optional_policy(`
 
 optional_policy(`
 	init_list_unit_dirs(acpid_t)
+	systemd_dbus_chat_logind(acpid_t)
 	systemd_start_power_units(acpid_t)
 	systemd_status_power_units(acpid_t)
 ')
Index: refpolicy-2.20221101/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20221101/policy/modules/services/apache.fc
@@ -67,6 +67,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/lib/systemd/system/apache[^/]*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
 /usr/lib/systemd/system/httpd.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
 /usr/lib/systemd/system/jetty.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/w3m/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 
 /usr/libexec/httpd-ssl-pass-dialog			--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
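Review bot: The `/usr/lib/w3m/cgi-bin(/.*)?` entry at L74 gives a w3m helper directory the httpd CGI entrypoint type without any comment, and nothing on this page shows that Apache executes those files. If the intent is that httpd_t (or a script domain) runs these helpers, a one-line comment above the entry stating that would justify placing a non-Apache path in apache.fc; if they are only run by w3m itself, the label makes them an entrypoint for httpd_sys_script_t for no benefit. Please add the rationale, e.g. `# w3m local-CGI helpers executed by httpd`, or drop the entry.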
@@ -165,6 +166,7 @@ ifdef(`distro_suse',`
 /var/log/glpi(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/mlogc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/pagespeed(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/log/httpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/horde2(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
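Review bot: `/var/log/pagespeed(/.*)?` at L82 is labelled `httpd_sys_rw_content_t` while every neighbouring /var/log entry in this hunk uses `httpd_log_t`, and no comment explains the deviation. Content under a log directory labelled as rw content loses the log-type handling (log readers cannot read it, and httpd gets full rw rather than log access), so if mod_pagespeed really needs rw there a comment should say why, e.g. `# mod_pagespeed keeps shared-memory state under its log dir`. The same pattern is used for mlogc and z-push above it, so if those have a known reason the comment can point to it.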
@@ -173,7 +175,7 @@ ifdef(`distro_suse',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/log/php[^/]+-fpm\.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php[^/]+-fpm\.log.*				--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/apache.te
+++ refpolicy-2.20221101/policy/modules/services/apache.te
@@ -504,6 +504,7 @@ files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
 files_read_var_lib_files(httpd_t)
+files_map_var_lib_files(httpd_t)
 files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
@@ -698,6 +699,7 @@ optional_policy(`
 
 tunable_policy(`httpd_read_user_content',`
 	userdom_read_user_home_content_files(httpd_t)
+	userdom_map_user_home_content_files(httpd_t)
 ')
 
 tunable_policy(`httpd_setrlimit',`
@@ -1225,7 +1227,7 @@ allow httpd_sys_script_t self:unix_dgram
 
 
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { getattr read write ioctl };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
Index: refpolicy-2.20221101/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20221101/policy/modules/services/aptcacher.te
@@ -36,7 +36,7 @@ files_runtime_file(aptcacher_runtime_t)
 # Local policy
 #
 
-allow aptcacher_t self:process signal;
+allow aptcacher_t self:process { signal getsched };
 
 allow aptcacher_t self:fifo_file rw_inherited_fifo_file_perms;
 allow aptcacher_t self:tcp_socket create_stream_socket_perms;
@@ -64,6 +64,8 @@ manage_files_pattern(aptcacher_t, aptcac
 
 manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
+kernel_read_kernel_sysctls(aptcacher_t)
+kernel_read_system_state(aptcacher_t)
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
 # Calls system()
@@ -75,7 +77,11 @@ corenet_tcp_connect_http_port(aptcacher_
 
 auth_use_nsswitch(aptcacher_t)
 
+dev_read_rand(aptcacher_t)
+dev_read_urand(aptcacher_t)
+
 files_read_etc_files(aptcacher_t)
+files_read_usr_files(aptcacher_t)
 
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
@@ -93,14 +99,19 @@ sysnet_mmap_config_files(aptcacher_t)
 # acngtool local policy
 #
 
+allow acngtool_t self:capability dac_override;
 allow acngtool_t self:tcp_socket create_stream_socket_perms;
 allow acngtool_t self:unix_stream_socket create_socket_perms;
 
 allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
 allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
 
+kernel_read_kernel_sysctls(acngtool_t)
+
 aptcacher_stream_connect(acngtool_t)
 
+dev_read_rand(acngtool_t)
+dev_read_urand(acngtool_t)
 corenet_tcp_connect_aptcacher_port(acngtool_t)
 
 auth_use_nsswitch(acngtool_t)
Index: refpolicy-2.20221101/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/bind.te
+++ refpolicy-2.20221101/policy/modules/services/bind.te
@@ -213,9 +213,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
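Review bot: With `dac_read_search` now added at L187, the existing `dac_override` for ndc_t may be redundant: the kernel tries CAP_DAC_READ_SEARCH first for read/search access and falls back to CAP_DAC_OVERRIDE only for write or when the first check fails, so if ndc only reads its key and config files the override grant is no longer exercised. I would check a denial log after the change and, if nothing hits `dac_override`, drop it from L187; otherwise a comment naming the file it writes to would justify keeping both. The `getsched setsched` addition at L190 is fine.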
@@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_
 
 kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_vm_overcommit_sysctl(ndc_t)
+
+dev_read_sysfs(ndc_t)
 
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
Index: refpolicy-2.20221101/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/bluetooth.te
+++ refpolicy-2.20221101/policy/modules/services/bluetooth.te
@@ -89,6 +89,7 @@ files_runtime_filetrans(bluetooth_t, blu
 
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
+kernel_read_crypto_sysctls(bluetooth_t)
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 kernel_read_network_state(bluetooth_t)
@@ -125,6 +126,8 @@ miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
 
+udev_search_runtime(bluetooth_t)
+
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@@ -217,5 +220,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_send(bluetooth_t)
+')
+
+optional_policy(`
 	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
 ')
Index: refpolicy-2.20221101/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20221101/policy/modules/services/boinc.te
@@ -12,6 +12,13 @@ policy_module(boinc)
 ## </desc>
 gen_tunable(boinc_execmem, true)
 
+## <desc>
+##	<p>
+##	Determine whether boinc can access X/GPU
+##	</p>
+## </desc>
+gen_tunable(boinc_gpu, true)
+
 type boinc_t;
 type boinc_exec_t;
 init_daemon_domain(boinc_t, boinc_exec_t)
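Review bot: The `boinc_gpu` description at L245 says "access X/GPU" but the tunable also gates the X server socket connections (local and TCP) in the later hunks of this file, and a reader of the tunable list cannot tell that from the text. I would expand it to e.g. `##	Allow boinc to use the GPU (DRI devices) and connect to the X server, as needed by GPU computing projects.`. Defaulting to `true` preserves the previously unconditional `dev_rw_xserver_misc` grant, which is worth a one-line comment since most refpolicy tunables that widen device access default to false.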
@@ -98,6 +105,7 @@ corenet_sendrecv_boinc_client_packets(bo
 corenet_sendrecv_boinc_server_packets(boinc_t)
 corenet_tcp_bind_boinc_port(boinc_t)
 corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_connect_generic_port(boinc_t)
 
 corenet_sendrecv_boinc_client_server_packets(boinc_t)
 corenet_tcp_bind_boinc_client_port(boinc_t)
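Review bot: `corenet_tcp_connect_generic_port(boinc_t)` at L257 lets the daemon connect to every generic port unconditionally, which is a large widening compared with the boinc-specific port interfaces around it and has no comment. Project servers do run on arbitrary ports, but refpolicy usually puts "connect anywhere" grants behind a tunable so the default stays narrow; a `gen_tunable` such as `boinc_connect_generic_ports` (constructed name) with the call inside `tunable_policy` would keep that convention. At minimum add `# project servers listen on arbitrary ports` above the line so the intent is recorded.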
@@ -117,7 +125,10 @@ corecmd_exec_shell(boinc_t)
 dev_read_rand(boinc_t)
 dev_read_urand(boinc_t)
 dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
+tunable_policy(`boinc_gpu',`
+	dev_rw_dri(boinc_t)
+	dev_rw_xserver_misc(boinc_t)
+')
 
 domain_read_all_domains_state(boinc_t)
 
@@ -154,10 +165,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	corenet_tcp_connect_xserver_port(boinc_t)
+	tunable_policy(`boinc_gpu',`
+		corenet_tcp_connect_xserver_port(boinc_t)
 
-	xserver_list_xdm_tmp(boinc_t)
-	xserver_non_drawing_client(boinc_t)
+		xserver_list_xdm_tmp(boinc_t)
+		xserver_non_drawing_client(boinc_t)
+		xserver_stream_connect_xdm(boinc_t)
+	')
 ')
 
 ########################################
@@ -220,3 +234,7 @@ optional_policy(`
 optional_policy(`
 	java_exec(boinc_project_t)
 ')
+
+optional_policy(`
+	unconfined_stream_connect(boinc_t)
+')
Index: refpolicy-2.20221101/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20221101/policy/modules/services/clamav.te
@@ -75,7 +75,7 @@ logging_log_file(freshclam_var_log_t)
 
 allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
-allow clamd_t self:process signal;
+allow clamd_t self:process { signal getsched };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
 allow clamd_t self:tcp_socket { listen accept };
@@ -174,7 +174,7 @@ optional_policy(`
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
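Review bot: The new `chown` capability for freshclam_t at L316 has no comment, unlike the capability list it extends. Presumably freshclam changes ownership of the downloaded database files to its DatabaseOwner user when started as root, but that is an inference; a comment like `# chowns downloaded databases to DatabaseOwner` would pin it and make it clear why clamd_t does not need the same.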
@@ -225,6 +225,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)
Index: refpolicy-2.20221101/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/colord.te
+++ refpolicy-2.20221101/policy/modules/services/colord.te
@@ -25,7 +25,7 @@ files_type(colord_var_lib_t)
 
 allow colord_t self:capability { dac_override dac_read_search };
 dontaudit colord_t self:capability sys_admin;
-allow colord_t self:process signal;
+allow colord_t self:process { signal getsched setsched };
 allow colord_t self:fifo_file rw_fifo_file_perms;
 allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow colord_t self:tcp_socket { accept listen };
Index: refpolicy-2.20221101/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/cups.te
+++ refpolicy-2.20221101/policy/modules/services/cups.te
@@ -5,6 +5,13 @@ policy_module(cups)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allows legacy ld_so for old printer filters
+## </p>
+## </desc>
+gen_tunable(cups_legacy_ldso, false)
+
 type cupsd_config_t;
 type cupsd_config_exec_t;
 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
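Review bot: The `<p>` lines of the new `cups_legacy_ldso` description at L350–L352 are not tab-indented under `##`, unlike the refpolicy convention used by the boinc tunable earlier on this page (L244–L246), so the generated documentation will render this one inconsistently. The description could also say what is being enabled, since "legacy ld_so" is opaque to a policy user: e.g. `##	Allow cupsd to execute old printer filters through the legacy dynamic loader.`. Defaulting to false is the right choice here.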
@@ -127,6 +134,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
 
@@ -207,11 +215,13 @@ domain_use_interactive_fds(cupsd_t)
 
 files_getattr_boot_dirs(cupsd_t)
 files_list_spool(cupsd_t)
+files_map_etc_files(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
 files_read_usr_files(cupsd_t)
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
+files_read_var_lib_symlinks(cupsd_t)
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
@@ -561,6 +571,10 @@ userdom_manage_user_home_content_dirs(cu
 userdom_manage_user_home_content_files(cups_pdf_t)
 userdom_home_filetrans_user_home_dir(cups_pdf_t)
 
+tunable_policy(`cups_legacy_ldso',`
+	libs_legacy_use_ld_so(cupsd_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(cups_pdf_t)
 	fs_manage_nfs_files(cups_pdf_t)
Index: refpolicy-2.20221101/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20221101/policy/modules/services/devicekit.te
@@ -119,6 +119,7 @@ files_getattr_all_files(devicekit_disk_t
 files_getattr_all_pipes(devicekit_disk_t)
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
+files_mounton_mnt(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
 files_read_usr_files(devicekit_disk_t)
 files_watch_etc_dirs(devicekit_disk_t)
@@ -134,6 +135,8 @@ mls_file_read_all_levels(devicekit_disk_
 mls_file_write_to_clearance(devicekit_disk_t)
 
 mount_rw_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files_reads(devicekit_disk_t)
 
 storage_raw_read_fixed_disk(devicekit_disk_t)
 storage_raw_write_fixed_disk(devicekit_disk_t)
@@ -146,6 +149,7 @@ auth_use_nsswitch(devicekit_disk_t)
 
 logging_send_syslog_msg(devicekit_disk_t)
 
+mount_watch_runtime_dirs(devicekit_disk_t)
 miscfiles_read_localization(devicekit_disk_t)
 
 userdom_read_all_users_state(devicekit_disk_t)
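Review bot: `mount_watch_runtime_dirs(devicekit_disk_t)` at L417 is inserted between the logging and miscfiles calls, while the other mount_* interfaces for this domain are grouped together in the previous hunk (L407–L409) where `mount_watch_runtime_files` and `mount_watch_runtime_files_reads` were just added. Moving the line up to that group keeps the module-ordered layout the file follows elsewhere and makes the three watch grants read as one change.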
@@ -215,7 +219,7 @@ optional_policy(`
 
 allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
 allow devicekit_power_t self:capability2 wake_alarm;
-allow devicekit_power_t self:process { getsched signal_perms };
+allow devicekit_power_t self:process { getsched setsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:unix_stream_socket create_socket_perms;
Index: refpolicy-2.20221101/policy/modules/services/dirmngr.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/dirmngr.te
+++ refpolicy-2.20221101/policy/modules/services/dirmngr.te
@@ -83,6 +83,7 @@ miscfiles_read_generic_certs(dirmngr_t)
 userdom_search_user_home_dirs(dirmngr_t)
 userdom_search_user_runtime(dirmngr_t)
 userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;
 
 optional_policy(`
 	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
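Review bot: The raw `allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;` at L438 is placed among the userdom_* calls rather than with the domain's other dirmngr_tmp_t rules, which presumably sit earlier in the file outside this hunk. The refpolicy idiom is `manage_dirs_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)` next to the existing tmp rules; if that pattern is already present there, this line is redundant and should be dropped instead.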
@@ -90,3 +91,7 @@ optional_policy(`
 	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
 	gpg_stream_connect_agent(dirmngr_t)
 ')
+
+optional_policy(`
+	corenet_tcp_connect_tor_port(dirmngr_t)
+')
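Review bot: `corenet_tcp_connect_tor_port(dirmngr_t)` at L448 is wrapped in `optional_policy`, but corenet is a kernel-layer module that is always present, so the wrapper only suggests an optionality that does not exist. Reaching keyservers through Tor is a deployment choice, so this belongs behind a tunable with a `<desc>` block, e.g. `dirmngr_use_tor` (constructed name), with `tunable_policy` around the call and a comment such as `# keyserver access via the local Tor SOCKS port`.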
Index: refpolicy-2.20221101/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20221101/policy/modules/services/dovecot.te
@@ -215,6 +215,7 @@ optional_policy(`
 	mta_manage_mail_home_rw_content(dovecot_t)
 	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
 	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "mail")
 ')
 
 optional_policy(`
@@ -268,6 +269,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
 
 kernel_dontaudit_getattr_proc(dovecot_auth_t)
 
+kernel_getattr_proc(dovecot_auth_t)
+
 files_search_runtime(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
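Review bot: Adding `kernel_getattr_proc(dovecot_auth_t)` at L466 makes the `kernel_dontaudit_getattr_proc(dovecot_auth_t)` two lines above at L464 dead, since a dontaudit only affects denials and the access is now allowed. Remove the dontaudit line in the same change so the file does not carry a contradictory pair; the context line at L464 is inside this hunk.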
Index: refpolicy-2.20221101/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20221101/policy/modules/services/fail2ban.te
@@ -91,6 +91,8 @@ fs_getattr_all_fs(fail2ban_t)
 
 auth_use_nsswitch(fail2ban_t)
 
+libs_dontaudit_write_lib_dirs(fail2ban_t)
+
 logging_read_all_logs(fail2ban_t)
 logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
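Review bot: `libs_dontaudit_write_lib_dirs(fail2ban_t)` at L479 (and the same call for fail2ban_client_t at L497) suppresses write attempts to library directories without saying what is being silenced. Presumably the Python interpreter trying to create bytecode caches under /usr/lib, but that is an inference; a comment like `# python tries to write __pycache__ under /usr/lib` on both lines would keep the dontaudit from hiding an unrelated write attempt unnoticed later.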
@@ -135,7 +137,7 @@ optional_policy(`
 #
 
 allow fail2ban_client_t self:capability dac_read_search;
-allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+allow fail2ban_client_t self:unix_stream_socket { create connect write read shutdown };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
@@ -151,6 +153,8 @@ files_read_etc_files(fail2ban_client_t)
 files_read_usr_files(fail2ban_client_t)
 files_search_runtime(fail2ban_client_t)
 
+libs_dontaudit_write_lib_dirs(fail2ban_client_t)
+
 logging_getattr_all_logs(fail2ban_client_t)
 logging_search_all_logs(fail2ban_client_t)
 
Index: refpolicy-2.20221101/policy/modules/services/ftp.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/ftp.fc
+++ refpolicy-2.20221101/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_etc_t,s0)
 
 /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
@@ -22,8 +23,10 @@
 /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
-/run/proftpd.*	gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.*			gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_runtime_t,s0)
 
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log	--	gen_context(system_u:object_r:xferlog_t,s0)
 
@@ -31,6 +34,7 @@
 
 /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/ftp.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/ftp.te
+++ refpolicy-2.20221101/policy/modules/services/ftp.te
@@ -175,6 +175,7 @@ allow ftpd_t self:tcp_socket { accept li
 allow ftpd_t self:shm create_shm_perms;
 allow ftpd_t self:key manage_key_perms;
 
+allow ftpd_t ftpd_etc_t:dir list_dir_perms;
 allow ftpd_t ftpd_etc_t:file read_file_perms;
 
 allow ftpd_t ftpd_keytab_t:file read_file_perms;
@@ -191,6 +192,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t,
 
 manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+allow ftpd_t ftpd_runtime_t:file map;
 manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
 
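Review bot: The raw `allow ftpd_t ftpd_runtime_t:file map;` at L548 duplicates what the existing pattern on the line above already expresses, and refpolicy provides a combined form that this same page uses for mysql (L786). Replacing L547–L548 with `mmap_manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)` keeps the file at one rule per object type and avoids a stray allow in the middle of the pattern block.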
@@ -400,6 +402,13 @@ optional_policy(`
 	seutil_sigchld_newrole(ftpd_t)
 ')
 
+optional_policy(`
+	systemd_connect_machined(ftpd_t)
+	systemd_dbus_chat_logind(ftpd_t)
+	systemd_read_logind_state(ftpd_t)
+	systemd_write_inherited_logind_sessions_pipes(ftpd_t)
+')
+
 ########################################
 #
 # Ctl local policy
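Review bot: The new systemd block at L556–L561 grants logind chat, machined connect, logind state reads and inherited-pipe writes to ftpd_t with no comment on what feature needs them; presumably PAM session setup via pam_systemd for FTP logins, but that is not visible in the hunk. A comment at the top of the block, e.g. `# pam_systemd session registration for ftp logins`, would document why an FTP daemon talks to logind and machined and let a reviewer judge whether `systemd_connect_machined` is really needed.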
Index: refpolicy-2.20221101/policy/modules/services/kerneloops.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/kerneloops.te
+++ refpolicy-2.20221101/policy/modules/services/kerneloops.te
@@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops
 
 auth_use_nsswitch(kerneloops_t)
 
+logging_mmap_generic_logs(kerneloops_t)
 logging_send_syslog_msg(kerneloops_t)
 logging_read_generic_logs(kerneloops_t)
 
Index: refpolicy-2.20221101/policy/modules/services/modemmanager.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/modemmanager.te
+++ refpolicy-2.20221101/policy/modules/services/modemmanager.te
@@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modem
 #
 
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
 allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
Index: refpolicy-2.20221101/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/mon.te
+++ refpolicy-2.20221101/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
 
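Review bot: The rewrite at L599–L601 drops the comment `# for mailxmpp.alert to set ulimit` while keeping the `setrlimit` permission it explained, so the file loses its only record of why mon_t may change its own resource limits. Keep the comment above L601 and, if the new `getsched` and `signal` permissions have a different origin, say so on the same line rather than folding them in silently.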
@@ -104,6 +103,11 @@ optional_policy(`
 	mta_send_mail(mon_t)
 ')
 
+optional_policy(`
+	# for config of xmpp sending program
+	xdg_read_config_files(mon_t)
+')
+
 ########################################
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
 	mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+	snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -161,9 +169,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for reading /proc/1/maps etc
-allow mon_local_test_t self:capability { sys_ptrace sys_admin };
+allow mon_local_test_t self:capability { dac_override dac_read_search setgid setuid sys_rawio sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
-allow mon_local_test_t self:process getsched;
+allow mon_local_test_t self:process { getsched sigkill sigstop signal };
+allow mon_local_test_t self:cap_userns sys_ptrace;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
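Review bot: L633 widens mon_local_test_t from two capabilities to seven (adding dac_override, dac_read_search, setgid, setuid, sys_rawio) while the only comment at L631 still explains sys_ptrace alone, and L636–L637 add sigkill/sigstop plus user-namespace ptrace with no comment either. This domain runs local monitoring tests, so a reader needs to know which test needs raw I/O and uid switching; presumably a disk-health check given `storage_raw_read_fixed_disk` and `fsdaemon_read_lib` in the later hunk, but that is inferred. Please add one comment per group, e.g. `# sys_rawio and raw disk read for the SMART/disk-health test` and `# setuid/setgid for tests that drop to an unprivileged user`, so the grants can be trimmed when tests change.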
@@ -184,8 +193,10 @@ dev_getattr_sysfs(mon_local_test_t)
 dev_read_urand(mon_local_test_t)
 dev_read_sysfs(mon_local_test_t)
 
+domain_getattr_all_domains(mon_local_test_t)
 domain_read_all_domains_state(mon_local_test_t)
 
+files_dontaudit_tmpfs_file_getattr(mon_local_test_t)
 files_read_usr_files(mon_local_test_t)
 files_search_mnt(mon_local_test_t)
 files_search_spool(mon_local_test_t)
@@ -194,9 +205,18 @@ files_list_boot(mon_local_test_t)
 fs_search_auto_mountpoints(mon_local_test_t)
 fs_getattr_nfs(mon_local_test_t)
 fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_cgroup_dirs(mon_local_test_t)
 fs_list_hugetlbfs(mon_local_test_t)
 fs_list_tmpfs(mon_local_test_t)
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
 fs_search_nfs(mon_local_test_t)
+fstools_domtrans(mon_local_test_t)
+
+# for selinux.monitor
+selinux_get_enforce_mode(mon_local_test_t)
+selinux_getattr_fs(mon_local_test_t)
+seutil_search_default_contexts(mon_local_test_t)
 
 storage_getattr_fixed_disk_dev(mon_local_test_t)
 storage_getattr_removable_dev(mon_local_test_t)
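Review bot: `fstools_domtrans(mon_local_test_t)` at L662 is called outside an `optional_policy` block, and the same applies to `fsdaemon_read_lib(mon_local_test_t)` at L675 in the next hunk; unless fstools and fsdaemon are base modules in this build, the policy will fail to link when either module is not loaded. The `snmp_read_snmp_var_lib_files` call in this same file (L621–L623) shows the expected form: wrap each in its own `optional_policy(` ... `')` block, placed with the other optional blocks rather than in the middle of the fs_* list. The selinux.monitor comment at L664 is a good model for the rationale the fstools line is missing.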
@@ -208,12 +228,14 @@ application_exec_all(mon_local_test_t)
 
 auth_use_nsswitch(mon_local_test_t)
 
+fsdaemon_read_lib(mon_local_test_t)
 init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
 miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
+storage_raw_read_fixed_disk(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
 
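Review bot: `storage_raw_read_fixed_disk(mon_local_test_t)` at L682 is inserted between the miscfiles and sysnet calls, while the domain's other storage_* grants sit in the previous hunk at L669–L670. Moving it there, with a comment tying it to the `sys_rawio` capability added at L633 (e.g. `# raw disk reads for the disk-health test`), keeps the module grouping intact and makes the two halves of a single privilege visible together.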
Index: refpolicy-2.20221101/policy/modules/services/mta.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/mta.if
+++ refpolicy-2.20221101/policy/modules/services/mta.if
@@ -136,6 +136,70 @@ template(`mta_role',`
 
 ########################################
 ## <summary>
+##	User Role access for mta.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`mta_user_role',`
+	gen_require(`
+		attribute_role user_mail_roles;
+		type user_mail_t, sendmail_exec_t, mail_home_t;
+		type user_mail_tmp_t, mail_home_rw_t;
+	')
+	mta_base_role($1, $2)
+
+	roleattribute $1 user_mail_roles;
+
+	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+	allow $2 user_mail_t:process { ptrace signal_perms };
+	ps_process_pattern($2, user_mail_t)
+')
+
+########################################
+## <summary>
+##	Admin Role access for mta.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`mta_admin_role',`
+	gen_require(`
+		attribute_role admin_mail_roles;
+		type admin_mail_t, sendmail_exec_t, mail_home_t;
+		type user_mail_tmp_t, mail_home_rw_t;
+	')
+	mta_base_role($1, $2)
+
+	roleattribute $1 admin_mail_roles;
+
+	domtrans_pattern($2, sendmail_exec_t, admin_mail_t)
+	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+	allow $2 admin_mail_t:process { ptrace signal_perms };
+	ps_process_pattern($2, admin_mail_t)
+')
+
+########################################
+## <summary>
 ##	Make the specified domain usable for a mail server.
 ## </summary>
 ## <param name="type">
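Review bot: Both new interfaces declare types in `gen_require` that their bodies never use: `mail_home_t`, `user_mail_tmp_t` and `mail_home_rw_t` at L710–L711 and L742–L743 are required but only `user_mail_t`/`admin_mail_t` and `sendmail_exec_t` appear in the rules, so the unused requires should be dropped to avoid pulling needless dependencies into callers. The two bodies are also identical apart from the role attribute and mail domain, which is the usual cue for a shared private template taking those two as parameters. I cannot see `mta_base_role` from here, so I assume it exists above this hunk.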
@@ -268,6 +332,7 @@ interface(`mta_manage_mail_home_rw_conte
 	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 	allow $1 mail_home_rw_t:file map;
 	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	allow $1 mail_home_rw_t:{ dir file } watch;
 ')
 
 ########################################
Index: refpolicy-2.20221101/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20221101/policy/modules/services/mysql.te
@@ -67,11 +67,12 @@ files_runtime_file(mysqlmanagerd_runtime
 
 allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:anon_inode { create map read write };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
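Review bot: The new `allow mysqld_t self:anon_inode { create map read write };` at L783 and the `getcap` permission at L778 have no comment, and anon_inode is recent enough that a reader may not know which server feature needs it. Presumably memfd or io_uring use inside the server, but that is an inference from the permission set; a comment such as `# anonymous inodes for memfd/io_uring-style buffers` above L783 would record it.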
@@ -191,6 +192,7 @@ dev_read_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
+files_dontaudit_write_root_dirs(mysqld_safe_t)
 files_read_etc_files(mysqld_safe_t)
 files_read_usr_files(mysqld_safe_t)
 files_search_runtime(mysqld_safe_t)
Index: refpolicy-2.20221101/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20221101/policy/modules/services/networkmanager.te
@@ -148,6 +148,7 @@ files_read_usr_src_files(NetworkManager_
 files_watch_etc_dirs(NetworkManager_t)
 
 fs_getattr_all_fs(NetworkManager_t)
+fs_read_nsfs_files(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
 
@@ -164,6 +165,8 @@ init_get_system_status(NetworkManager_t)
 
 auth_use_nsswitch(NetworkManager_t)
 
+libs_watch_shared_libs_dir(NetworkManager_t)
+
 logging_send_audit_msgs(NetworkManager_t)
 logging_send_syslog_msg(NetworkManager_t)
 
@@ -187,6 +190,7 @@ sysnet_delete_dhcpc_state(NetworkManager
 sysnet_search_dhcp_state(NetworkManager_t)
 sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_watch_config_dir(NetworkManager_t)
 
 # certificates in user home directories (cert_home_t in ~/\.pki)
 userdom_read_user_certs(NetworkManager_t)
Index: refpolicy-2.20221101/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20221101/policy/modules/services/openvpn.te
@@ -128,6 +128,7 @@ files_read_etc_runtime_files(openvpn_t)
 
 fs_getattr_all_fs(openvpn_t)
 fs_search_auto_mountpoints(openvpn_t)
+fs_search_tmpfs(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
Index: refpolicy-2.20221101/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20221101/policy/modules/services/policykit.te
@@ -77,6 +77,7 @@ allow policykit_t self:unix_stream_socke
 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
 
 manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+allow policykit_t policykit_var_lib_t:dir watch;
 
 manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
 manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
@@ -136,6 +137,7 @@ optional_policy(`
 	# for /run/systemd/machines
 	systemd_read_machines(policykit_t)
 	systemd_watch_machines_dirs(policykit_t)
+	systemd_connect_machined(policykit_t)
 
 	# for /run/systemd/seats/seat*
 	systemd_read_logind_sessions_files(policykit_t)
Index: refpolicy-2.20221101/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20221101/policy/modules/services/postfix.te
@@ -516,9 +516,12 @@ manage_files_pattern(postfix_map_t, post
 files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
 
 kernel_read_kernel_sysctls(postfix_map_t)
+kernel_read_network_state(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
 kernel_dontaudit_read_system_state(postfix_map_t)
 
+dev_read_urand(postfix_map_t)
+
 corenet_all_recvfrom_netlabel(postfix_map_t)
 corenet_tcp_sendrecv_generic_if(postfix_map_t)
 corenet_tcp_sendrecv_generic_node(postfix_map_t)
@@ -538,10 +541,14 @@ files_dontaudit_search_var(postfix_map_t
 
 auth_use_nsswitch(postfix_map_t)
 
+domain_use_interactive_fds(postfix_map_t)
+
 logging_send_syslog_msg(postfix_map_t)
 
 miscfiles_read_localization(postfix_map_t)
 
+userdom_use_user_ptys(postfix_map_t)
+
 optional_policy(`
 	certbot_read_lib(postfix_map_t)
 ')
@@ -745,6 +752,7 @@ allow postfix_showq_t postfix_spool_mail
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 allow postfix_showq_t postfix_spool_t:file read_file_perms;
+allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
 
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
@@ -753,6 +761,10 @@ optional_policy(`
 	systemd_use_nss(postfix_showq_t)
 ')
 
+optional_policy(`
+	unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)
+')
+
 ########################################
 #
 # Smtp delivery local policy
Index: refpolicy-2.20221101/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20221101/policy/modules/services/rpc.te
@@ -121,6 +121,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domai
 
 fs_rw_rpc_named_pipes(rpc_domain)
 fs_search_auto_mountpoints(rpc_domain)
+fs_watch_rpc_pipefs_dir(rpc_domain)
 
 files_read_etc_runtime_files(rpc_domain)
 files_read_usr_files(rpc_domain)
@@ -306,7 +307,8 @@ optional_policy(`
 # NFSD local policy
 #
 
-allow nfsd_t self:capability { dac_override dac_read_search setpcap sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search setpcap sys_admin sys_resource lease };
+allow nfsd_t self:process setcap;
 
 allow nfsd_t exports_t:file read_file_perms;
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -336,6 +338,8 @@ fs_mount_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
 fs_getattr_all_dirs(nfsd_t)
 fs_list_nfsd_fs(nfsd_t)
+fs_list_rpc(nfsd_t)
+
 fs_watch_nfsd_dirs(nfsd_t)
 fs_watch_nfsd_files(nfsd_t)
 fs_rw_nfsd_fs(nfsd_t)
Index: refpolicy-2.20221101/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/samba.te
+++ refpolicy-2.20221101/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
+	files_watch_home(smbd_t)
 	userdom_manage_user_home_content_dirs(smbd_t)
 	userdom_manage_user_home_content_files(smbd_t)
 	userdom_manage_user_home_content_symlinks(smbd_t)
 	userdom_manage_user_home_content_sockets(smbd_t)
 	userdom_manage_user_home_content_pipes(smbd_t)
+	userdom_watch_user_home_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t)
 	files_list_non_auth_dirs(smbd_t)
 	files_read_non_auth_files(smbd_t)
+	files_watch_all_file_type_dir(smbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
 	fs_read_noxattr_fs_files(smbd_t)
 	files_manage_non_auth_files(smbd_t)
+	files_watch_all_file_type_dir(smbd_t)
 ')
 
 optional_policy(`
@@ -617,13 +621,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_file_perms;
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
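Review bot: `allow smbcontrol_t samba_var_t:sock_file manage_file_perms;` at L985 applies the file permission set to a sock_file; the set defined for that class is `manage_sock_file_perms` (the postfwd rule added to milter.te in this same series uses it), and keeping the class-matched set is the convention the rest of the policy follows. The hunk also widens smbcontrol's access to `samba_runtime_t` from read to `manage_files_pattern` plus `map` (L980–L981) and adds `sendto` to the smbd/nmbd datagram sockets (L979); a short comment naming the smbcontrol operation that needs to create and unlink runtime files would make that escalation auditable later. The smbcontrol section continues beyond the hunk.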
@@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t)
 term_use_console(smbcontrol_t)
 
 init_use_fds(smbcontrol_t)
+init_rw_inherited_stream_socket(smbcontrol_t)
 
 miscfiles_read_localization(smbcontrol_t)
 
Index: refpolicy-2.20221101/policy/modules/services/sendmail.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/sendmail.te
+++ refpolicy-2.20221101/policy/modules/services/sendmail.te
@@ -173,6 +173,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	userdom_use_user_ttys(sendmail_t)
 	postfix_domtrans_postdrop(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_domtrans_postqueue(sendmail_t)
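Review bot: `userdom_use_user_ttys(sendmail_t)` at L1005 sits inside an `optional_policy` block whose other three calls are all postfix interfaces, so the tty access is granted only when the postfix module is loaded, which is unlikely to be the intent. userdomain is a base module, so the call belongs outside any optional block, next to the file's other `userdom_` calls (the enclosing section starts and ends outside this hunk). If sendmail only needs the user tty when it execs the postfix front-ends, a comment saying so would justify the placement instead.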
Index: refpolicy-2.20221101/policy/modules/services/smartmon.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/smartmon.if
+++ refpolicy-2.20221101/policy/modules/services/smartmon.if
@@ -56,3 +56,24 @@ interface(`smartmon_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, fsdaemon_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Read fsdaemon /var/lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fsdaemon_read_lib',`
+	gen_require(`
+		type fsdaemon_var_lib_t;
+	')
+
+	allow $1 fsdaemon_var_lib_t:dir search;
+	allow $1 fsdaemon_var_lib_t:file read_file_perms;
+')
+
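Review bot: The new interface at L1029 is named `fsdaemon_read_lib`, dropping the module prefix every interface in smartmon.if carries (compare `smartmon_admin` at L1013) and that callers and the generated documentation key on; `smartmon_read_lib_files` would match both the module and the verb-object convention. The `<rolecap/>` tag at L1027 marks interfaces that are offered to user roles; for a plain read interface it is probably unwanted — confirm. The two `allow` lines at L1034–L1035 are close to `read_files_pattern($1, fsdaemon_var_lib_t, fsdaemon_var_lib_t)`, the form used elsewhere, and unlike `smartmon_admin` (which calls `files_list_var_lib($1)` at L1014) the interface grants no search on /var/lib itself, so a caller still cannot reach the directory unless it has that elsewhere.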
Index: refpolicy-2.20221101/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20221101/policy/modules/services/ssh.te
@@ -17,7 +17,7 @@ gen_tunable(allow_ssh_keysign, false)
 ## Allow ssh logins as sysadm_r:sysadm_t
 ## </p>
 ## </desc>
-gen_tunable(ssh_sysadm_login, false)
+gen_tunable(ssh_sysadm_login, true)
 
 ## <desc>
 ## <p>
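Review bot: Changing the default of `ssh_sysadm_login` from false to true at L1047 widens the shipped posture for every consumer of this policy: sshd may now place logins directly into sysadm_r:sysadm_t without the site opting in. Upstream keeps the boolean off so that an administrator enables it deliberately with `setsebool -P ssh_sysadm_login on`; if this build needs it on, setting it in the distribution's boolean configuration keeps the policy source aligned with upstream defaults. If the flip is intentional, the commit description should call it out and the `<desc>` text above L1046 should state that it is enabled by default.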
@@ -195,6 +195,11 @@ tunable_policy(`user_tcp_server',`
 ')
 
 optional_policy(`
+	cron_read_pipes(ssh_t)
+	cron_rw_tmp_files(ssh_t)
+')
+
+optional_policy(`
 	tunable_policy(`ssh_use_gpg_agent',`
 		gpg_stream_connect_agent(ssh_t)
 	')
@@ -272,6 +277,8 @@ ifdef(`distro_debian',`
 ifdef(`init_systemd',`
 	auth_use_pam_systemd(sshd_t)
 	init_dbus_chat(sshd_t)
+	# dynamic users
+	init_stream_connect(sshd_t)
 	init_rw_stream_sockets(sshd_t)
 	systemd_dgram_nspawn(sshd_t)
 	systemd_write_inherited_logind_sessions_pipes(sshd_t)
@@ -297,6 +304,11 @@ tunable_policy(`allow_polyinstantiation'
 ')
 
 optional_policy(`
+	# for /var/lib/unattended-upgrades
+	apt_read_db(sshd_t)
+')
+
+optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
Index: refpolicy-2.20221101/policy/modules/services/virt.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/virt.fc
+++ refpolicy-2.20221101/policy/modules/services/virt.fc
@@ -9,6 +9,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
+/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/virt.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/virt.te
+++ refpolicy-2.20221101/policy/modules/services/virt.te
@@ -1107,6 +1107,9 @@ allow virt_bridgehelper_t self:tcp_socke
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
+allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
+allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
+
 manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
 
 kernel_read_network_state(virt_bridgehelper_t)
Index: refpolicy-2.20221101/policy/modules/services/xserver.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/xserver.fc
+++ refpolicy-2.20221101/policy/modules/services/xserver.fc
@@ -72,6 +72,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20221101/policy/modules/services/xserver.te
@@ -277,6 +277,7 @@ term_use_ptmx(xauth_t)
 auth_use_nsswitch(xauth_t)
 
 userdom_use_user_terminals(xauth_t)
+userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)
 userdom_read_user_tmp_files(xauth_t)
 
 xserver_rw_xdm_tmp_files(xauth_t)
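Review bot: `userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)` at L1132 labels every file xauth_t creates in user tmp as `xauth_home_t`, a home-content type, which blurs the tmp/home distinction that the neighbouring `userdom_read_user_tmp_files` relies on for reads. If the interface accepts the optional filename argument that refpolicy's filetrans interfaces usually take, restricting the transition to the specific name xauth writes would leave any other tmp file it creates as the ordinary user tmp type — the interface body is not visible here, so confirm. Either way a why-comment such as `# xauth writes its authority file into the user's tmp dir when <scenario> — TODO confirm` would record the case this serves.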
Index: refpolicy-2.20221101/policy/modules/system/mount.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/mount.if
+++ refpolicy-2.20221101/policy/modules/system/mount.if
@@ -260,6 +260,24 @@ interface(`mount_watch_reads_runtime_fil
 
 ########################################
 ## <summary>
+##	Watch mount runtime files reads.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files_reads',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file watch_reads;
+')
+
+########################################
+## <summary>
 ##     Getattr on mount_runtime_t files
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20221101/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20221101/policy/modules/kernel/files.if
@@ -436,6 +436,24 @@ interface(`files_tmpfs_file',`
 
 ########################################
 ## <summary>
+##	dontaudit getattr on tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not have stat on tmpfs files audited
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_tmpfs_file_getattr',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	dontaudit $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of all directories.
 ## </summary>
 ## <param name="domain">
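Review bot: `files_dontaudit_tmpfs_file_getattr` at L1181 reverses the verb-object order used by the other files.if interfaces (the established `files_dontaudit_*` names take the form `files_dontaudit_<verb>_<object>`); `files_dontaudit_getattr_tmpfs_files` would be the consistent name, and renaming before callers exist is cheaper than carrying a deprecated alias later. The `tmpfsfile` attribute is, as far as I recall, the one `files_tmpfs_file` assigns to every tmpfs-backed private type, so the dontaudit silences getattr denials across all of them — acceptable for a dontaudit, but the summary at L1173 could say "all tmpfs file types" so the breadth is visible to callers.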
@@ -1428,6 +1446,25 @@ interface(`files_unmount_all_file_type_f
 
 ########################################
 ## <summary>
+##	watch all directories of file_type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_all_file_type_dir',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir watch;
+')
+
+########################################
+########################################
+## <summary>
 ##	Read all non-authentication related
 ##	directories.
 ## </summary>
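Review bot: L1214 and L1215 are two consecutive `########################################` separators: the new interface's trailing separator runs straight into the one that already heads the following block, so one of them should go to keep the file's one-separator-per-interface layout. The grant itself, `watch` on every directory carrying `file_type`, gives the caller inotify-style change notification across the whole labelled filesystem; callers added in this series (restorecond unconditionally, smbd under the export tunables) are reviewed more easily if the summary at L1198 reads "Watch all directories of any file_type (change notification on every labelled directory)".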
@@ -6199,6 +6236,24 @@ interface(`files_read_var_lib_files',`
 ')
 
 ########################################
+## <summary>
+##	map generic files in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_map_var_lib_files',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	allow $1 var_lib_t:file map;
+')
+
+########################################
 ## <summary>
 ##	Read generic symbolic links in /var/lib
 ## </summary>
Index: refpolicy-2.20221101/policy/modules/system/libraries.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/libraries.if
+++ refpolicy-2.20221101/policy/modules/system/libraries.if
@@ -531,3 +531,21 @@ interface(`libs_relabel_shared_libs',`
 
 	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
 ')
+
+########################################
+## <summary>
+##	watch lib dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_watch_shared_libs_dir',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir watch;
+')
Index: refpolicy-2.20221101/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20221101/policy/modules/system/sysnetwork.if
@@ -550,6 +550,24 @@ interface(`sysnet_manage_config',`
 
 #######################################
 ## <summary>
+##     Watch a network config dir
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sysnet_watch_config_dir',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	allow $1 net_conf_t:dir watch;
+')
+
+#######################################
+## <summary>
 ##	Read dhcp client runtime files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20221101/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20221101/policy/modules/kernel/filesystem.if
@@ -604,6 +604,25 @@ interface(`fs_manage_autofs_symlinks',`
 
 ########################################
 ## <summary>
+##	Get the attributes of binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:filesystem getattr;
+
+')
+
+########################################
+## <summary>
 ##	Get the attributes of directories on
 ##	binfmt_misc filesystems.
 ## </summary>
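Review bot: The blank line at L1322 between the `allow` and the closing `')` is not used by the other interfaces added in this file (compare `fs_watch_rpc_pipefs_dir` at L1349–L1350); drop it so `fs_getattr_binfmt_misc_fs` matches the surrounding layout. The summary and rule are otherwise consistent with the neighbouring binfmt_misc interface.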
@@ -4702,6 +4721,24 @@ interface(`fs_getattr_rpc_pipefs',`
 	allow $1 rpc_pipefs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Watch a rpc pipefs dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_watch_rpc_pipefs_dir',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read and write RPC pipe filesystem named pipes.
@@ -6126,3 +6163,21 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Search bpf dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_bpf',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	allow $1 bpf_t:dir search;
+')
Index: refpolicy-2.20221101/policy/modules/services/acpi.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/acpi.fc
+++ refpolicy-2.20221101/policy/modules/services/acpi.fc
@@ -8,6 +8,7 @@
 /usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
 
 /usr/sbin/acpid	--	gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/acpi_fakekeyd	--	gen_context(system_u:object_r:acpid_exec_t,s0)
 /usr/sbin/apmd	--	gen_context(system_u:object_r:acpid_exec_t,s0)
 /usr/sbin/powersaved	--	gen_context(system_u:object_r:acpid_exec_t,s0)
 
Index: refpolicy-2.20221101/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20221101/policy/modules/system/selinuxutil.te
@@ -380,6 +380,7 @@ selinux_compute_user_contexts(restorecon
 
 files_relabel_non_auth_files(restorecond_t )
 files_dontaudit_read_all_symlinks(restorecond_t)
+files_watch_all_file_type_dir(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 
 logging_send_syslog_msg(restorecond_t)
Index: refpolicy-2.20221101/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20221101/policy/modules/system/userdomain.if
@@ -4520,6 +4520,24 @@ interface(`userdom_search_user_home_cont
 
 ########################################
 ## <summary>
+##	watch users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_watch_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir watch;
+')
+
+########################################
+## <summary>
 ##	Send signull to unprivileged user domains.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20221101/policy/modules/services/milter.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/milter.te
+++ refpolicy-2.20221101/policy/modules/services/milter.te
@@ -9,9 +9,19 @@ attribute milter_domains;
 attribute milter_data_type;
 
 milter_template(greylist)
+milter_template(postfwd)
 milter_template(regex)
 milter_template(spamass)
 
+type postfwd_milter_runtime_t;
+files_runtime_file(postfwd_milter_runtime_t)
+
+type postfwd_milter_tmp_t;
+files_tmp_file(postfwd_milter_tmp_t)
+allow postfwd_milter_t postfwd_milter_tmp_t:sock_file manage_sock_file_perms;
+allow postfwd_milter_t postfwd_milter_tmp_t:file manage_file_perms;
+files_tmp_filetrans(postfwd_milter_t, postfwd_milter_tmp_t, { file sock_file })
+
 type spamass_milter_initrc_exec_t;
 init_script_file(spamass_milter_initrc_exec_t)
 
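Review bot: L1447–L1449 place `allow` and `files_tmp_filetrans` rules for `postfwd_milter_t` in the declarations section, whereas the visible spamass declaration at L1451–L1452 and the later `# postfwd local policy` section this same patch adds keep access rules separate from type declarations. Move those three lines into the postfwd local policy section so the declarations block holds only `type`/`files_*_file` lines. The `postfwd_milter_t` type itself presumably comes from `milter_template(postfwd)` at L1438 — confirm the template declares it before the `allow` lines reference it.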
@@ -75,6 +85,35 @@ optional_policy(`
 ')
 
 ########################################
+#
+# postfwd local policy
+#
+
+allow postfwd_milter_t self:process { signal signull };
+allow postfwd_milter_t self:capability { chown dac_override dac_read_search kill setgid setuid };
+allow postfwd_milter_t self:unix_stream_socket connectto;
+
+files_runtime_filetrans(postfwd_milter_t, postfwd_milter_runtime_t, file, "postfwd.pid")
+allow postfwd_milter_t postfwd_milter_runtime_t:file manage_file_perms;
+
+kernel_read_kernel_sysctls(postfwd_milter_t)
+
+corecmd_exec_bin(postfwd_milter_t)
+corecmd_exec_shell(postfwd_milter_t)
+corecmd_mmap_bin_files(postfwd_milter_t)
+corenet_tcp_bind_all_unreserved_ports(postfwd_milter_t)
+corenet_tcp_connect_all_unreserved_ports(postfwd_milter_t)
+dev_read_urand(postfwd_milter_t)
+
+files_read_usr_files(postfwd_milter_t)
+files_read_usr_symlinks(postfwd_milter_t)
+files_search_tmp(postfwd_milter_t)
+
+optional_policy(`
+	postfix_read_config(postfwd_milter_t)
+')
+
+########################################
 #
 # regex local policy
 #
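Review bot: L1474–L1475 let `postfwd_milter_t` bind to and connect out to every unreserved TCP port, and L1463 gives it `dac_override` and `dac_read_search` with no comment on which operation needs them; together with `corecmd_exec_shell` at L1472 that is a wide footprint for a milter. If postfwd listens on a fixed default port, a `network_port(postfwd, ...)` entry in corenetwork.te.in plus the bind interface that macro generates would pin the listener to that port, leaving the all-unreserved grant only where the destination genuinely varies. Per-capability why-comments (e.g. `# dac_override: reads <file> owned by <user> — TODO confirm`) are the refpolicy convention and would let a later audit re-check each one.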
Index: refpolicy-2.20221101/policy/modules/services/milter.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/milter.fc
+++ refpolicy-2.20221101/policy/modules/services/milter.fc
@@ -8,6 +8,7 @@
 /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/sqlgrey		--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex		--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/postfwd.*		--	gen_context(system_u:object_r:postfwd_milter_exec_t,s0)
 /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
 /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
@@ -16,6 +17,7 @@
 
 /run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/postfwd\.pid		--	gen_context(system_u:object_r:postfwd_milter_runtime_t,s0)
 /run/spamass(/.*)?			gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /run/sqlgrey\.pid		--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/redis.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/redis.fc
+++ refpolicy-2.20221101/policy/modules/services/redis.fc
@@ -3,6 +3,7 @@
 /etc/redis.*\.conf	--	gen_context(system_u:object_r:redis_conf_t,s0)
 
 /usr/bin/redis-server	--	gen_context(system_u:object_r:redis_exec_t,s0)
+/usr/bin/redis-check-rdb --	gen_context(system_u:object_r:redis_exec_t,s0)
 
 /usr/sbin/redis-server	--	gen_context(system_u:object_r:redis_exec_t,s0)
 
Index: refpolicy-2.20221101/policy/modules/services/postgresql.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/postgresql.te
+++ refpolicy-2.20221101/policy/modules/services/postgresql.te
@@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runt
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_tmpfs_t;
+files_tmpfs_file(postgresql_tmpfs_t)
+
 type postgresql_unit_t;
 init_unit_file(postgresql_unit_t)
 
@@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, p
 manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+allow postgresql_t postgresql_tmpfs_t:file map;
+manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
@@ -342,6 +348,7 @@ init_read_utmp(postgresql_t)
 logging_send_syslog_msg(postgresql_t)
 logging_send_audit_msgs(postgresql_t)
 
+miscfiles_read_generic_tls_privkey(postgresql_t)
 miscfiles_read_localization(postgresql_t)
 
 seutil_libselinux_linked(postgresql_t)
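Review bot: `miscfiles_read_generic_tls_privkey(postgresql_t)` at L1552 grants read access to every key labelled with the generic TLS private-key type, not just the server's own; that is the usual refpolicy approach for TLS-terminating daemons, but it deserves a comment tying it to the setting it serves, e.g. `# ssl_key_file (server TLS key)`. If the distribution keeps the key under the PostgreSQL data or config directory instead, a postgresql-owned type would be tighter — confirm which layout is in use.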
Index: refpolicy-2.20221101/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20221101/policy/modules/system/systemd.te
@@ -1344,6 +1344,7 @@ kernel_read_network_state(systemd_nspawn
 kernel_read_kernel_sysctls(systemd_nspawn_t)
 kernel_read_sysctl(systemd_nspawn_t)
 kernel_read_system_state(systemd_nspawn_t)
+kernel_read_vm_sysctls(systemd_nspawn_t)
 kernel_remount_proc(systemd_nspawn_t)
 kernel_request_load_module(systemd_nspawn_t)
 kernel_search_network_sysctl(systemd_nspawn_t)
Index: refpolicy-2.20221101/policy/modules/services/mta.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/mta.te
+++ refpolicy-2.20221101/policy/modules/services/mta.te
@@ -15,6 +15,7 @@ attribute mailserver_sender;
 attribute user_mail_domain;
 
 attribute_role user_mail_roles;
+attribute_role admin_mail_roles;
 
 type etc_aliases_t;
 files_type(etc_aliases_t)
@@ -44,6 +45,10 @@ mta_base_mail_template(user)
 userdom_user_application_type(user_mail_t)
 role user_mail_roles types user_mail_t;
 
+mta_base_mail_template(admin)
+userdom_user_application_type(admin_mail_t)
+role admin_mail_roles types admin_mail_t;
+
 userdom_user_tmp_file(user_mail_tmp_t)
 
 ########################################
@@ -429,3 +434,30 @@ optional_policy(`
 	postfix_read_config(user_mail_t)
 	postfix_list_spool(user_mail_t)
 ')
+
+########################################
+#
+# Admin local policy
+#
+
+manage_files_pattern(admin_mail_t, mail_home_t, mail_home_t)
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".esmtp_queue")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".forward")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".mailrc")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, "dead.letter")
+
+dev_read_sysfs(admin_mail_t)
+
+userdom_use_user_terminals(admin_mail_t)
+
+files_etc_filetrans(admin_mail_t, etc_aliases_t, file)
+allow admin_mail_t etc_aliases_t:file manage_file_perms;
+
+optional_policy(`
+	allow admin_mail_t self:capability dac_override;
+
+	userdom_rw_user_tmp_files(admin_mail_t)
+
+	postfix_read_config(admin_mail_t)
+	postfix_list_spool(admin_mail_t)
+')
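Review bot: The `optional_policy` block at L1614–L1621 mixes two postfix interfaces with `allow admin_mail_t self:capability dac_override;` and `userdom_rw_user_tmp_files(admin_mail_t)`, so the capability and the tmp-file access are granted only when the postfix module is loaded; if they are postfix-specific a comment should say so, otherwise they belong in the unconditional part of the section above. `dac_override` is the broadest grant in the new domain and carries no why-comment. `files_etc_filetrans` plus `manage_file_perms` on `etc_aliases_t` (L1611–L1612) lets the admin mail domain rewrite the aliases file, which is presumably the point of the admin variant — a heading comment stating that intent (`# admin mail domain: may edit /etc/aliases`) would help the next reader.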
Index: refpolicy-2.20221101/policy/modules/services/spamassassin.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/spamassassin.fc
+++ refpolicy-2.20221101/policy/modules/services/spamassassin.fc
@@ -39,6 +39,7 @@ HOME_DIR/\.spamd(/.*)?			gen_context(sys
 /var/log/spamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/rspamd(/.*)?		gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/rspamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/rspamd(/.*)?			gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/mimedefang.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
 
 /var/vmail/\.spamassassin(/.*)?		gen_context(system_u:object_r:spamassassin_home_t,s0)
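Review bot: The line added at L1630, `/var/log/rspamd(/.*)?`, repeats the spec already present at L1628 with the same regex and the same context, so it adds no labelling and, in my experience, draws a duplicate-specification warning from setfiles/semodule. Drop L1630; if a different path was intended (a differently named log directory, say), the regex needs to change rather than be repeated.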
Index: refpolicy-2.20221101/policy/modules/services/courier.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/courier.fc
+++ refpolicy-2.20221101/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@
 /usr/lib/courier/courier/courierpop.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/rootcerts(/.*)?	gen_context(system_u:object_r:courier_etc_t,s0)
 /usr/lib/courier/sqwebmail/cleancache\.pl	--	gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
 /usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/courier.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/courier.te
+++ refpolicy-2.20221101/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
+kernel_getattr_proc(courier_authdaemon_t)
+
 corecmd_exec_shell(courier_authdaemon_t)
 
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t
 miscfiles_read_localization(courier_authdaemon_t)
 
 selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket connectto;
+allow courier_pop_t self:process setrlimit;
+
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
 
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
 stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
 corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(courier_pop_t)
+
+files_search_var_lib(courier_pop_t)
 
+miscfiles_read_generic_certs(courier_pop_t)
 miscfiles_read_localization(courier_pop_t)
 
 mta_manage_mail_home_rw_content(courier_pop_t)
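Review bot: The capability set at L1675 grows from `{ setgid setuid }` to add `chown dac_read_search fowner`, L1676 dontaudits `fsetid`, and L1678 adds `setrlimit`, none with a comment on the operation that needs them; `dac_read_search` in particular lets the domain traverse directories regardless of DAC mode bits, so a one-line why per capability (e.g. `# chown/fowner: maildir delivery as the user — TODO confirm`) is worth adding. The upgrade from `rw_inherited_file_perms` to `manage_file_perms` on `courier_var_lib_t` at L1686–L1687, plus `can_exec` on both courier binaries at L1691–L1692, also deserves a comment naming the feature that needs creation and unlink there. The POP3/IMAP section continues past the end of the hunk.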
Index: refpolicy-2.20221101/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/spamassassin.te
+++ refpolicy-2.20221101/policy/modules/services/spamassassin.te
@@ -401,6 +401,10 @@ tunable_policy(`rspamd_spamd',`
 	allow spamd_t self:process setrlimit;
 	allow spamc_t self:process setrlimit;
 
+	allow spamd_t self:process execmem;
+
+	kernel_read_network_state(spamd_t)
+
 	list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 	mmap_read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 	allow spamd_t spamd_etc_t:dir watch;
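Review bot: `allow spamd_t self:process execmem;` at L1715 permits anonymous writable-and-executable mappings for the whole spamd_t domain, giving up the W^X guarantee the rest of the policy provides, and nothing records which rspamd component needs it. Add a why-comment such as `# rspamd: <component> JIT-compiles into anonymous memory — TODO confirm`, and if that component is optional, gate the rule on its own tunable so a deployment that does not use it can keep execmem denied. The grant sits inside the `rspamd_spamd` tunable block, whose start and end are outside this hunk.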
@@ -409,7 +413,7 @@ tunable_policy(`rspamd_spamd',`
 	allow spamd_t spamd_var_lib_t:dir watch;
 	filetrans_pattern(spamd_t, spamd_var_lib_t, spamd_runtime_t, sock_file)
 
-	search_dirs_pattern(spamd_t, spamd_log_t, spamd_log_t)
+	allow spamd_t spamd_log_t:dir rw_dir_perms;
 
 	fs_search_tmpfs(spamd_t)
 	manage_dirs_pattern(spamd_t, spamd_tmpfs_t, spamd_tmpfs_t)
Index: refpolicy-2.20221101/policy/modules/services/exim.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/exim.te
+++ refpolicy-2.20221101/policy/modules/services/exim.te
@@ -72,7 +72,7 @@ ifdef(`distro_debian',`
 # Local policy
 #
 
-allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
+allow exim_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_resource };
 allow exim_t self:process { setrlimit setpgid };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
@@ -192,6 +192,7 @@ optional_policy(`
 
 optional_policy(`
 	cron_read_pipes(exim_t)
+	cron_rw_inherited_tmp_files(exim_t)
 	cron_rw_system_job_pipes(exim_t)
 	cron_use_system_job_fds(exim_t)
 ')
Index: refpolicy-2.20221101/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy-2.20221101/policy/modules/kernel/corenetwork.te.in
@@ -263,7 +263,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
 network_port(socks) # no defined portcon
 network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-network_port(spamd, tcp,783,s0)
+network_port(spamd, tcp,783,s0, tcp,11333,s0)
 network_port(speech, tcp,8036,s0)
 network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
 network_port(ssdp, tcp,1900,s0, udp,1900,s0)
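Review bot: The second port on the `spamd` line is undocumented while neighbouring entries annotate non-obvious ports inline; a trailing comment in the style of `# snmp and htcp` two lines below, e.g. `network_port(spamd, tcp,783,s0, tcp,11333,s0) # 11333: rspamd`, would tell a reader why a second port joined the spamd set. The link to rspamd is inferred from the `rspamd_spamd` tunable changed elsewhere in this patch, so confirm before committing the comment.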
Index: refpolicy-2.20221101/policy/modules/services/smartmon.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/smartmon.te
+++ refpolicy-2.20221101/policy/modules/services/smartmon.te
@@ -39,7 +39,7 @@ ifdef(`enable_mls',`
 #
 
 allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
-dontaudit fsdaemon_t self:capability sys_tty_config;
+dontaudit fsdaemon_t self:capability { net_admin sys_tty_config };
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20221101/policy/modules/services/inetd.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/inetd.te
+++ refpolicy-2.20221101/policy/modules/services/inetd.te
@@ -33,7 +33,7 @@ files_tmp_file(inetd_child_tmp_t)
 # Local policy
 #
 
-allow inetd_t self:capability { setgid setuid sys_resource };
+allow inetd_t self:capability { kill setgid setuid sys_resource };
 dontaudit inetd_t self:capability sys_tty_config;
 allow inetd_t self:process { setsched setexec setrlimit };
 allow inetd_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20221101/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20221101/policy/modules/kernel/corecommands.fc
@@ -43,6 +43,8 @@ ifdef(`distro_redhat',`
 /etc/cron\.monthly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /etc/dhcp/dhclient\.d(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/etc/dhcp/dhclient-enter-hooks.d(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+/etc/dhcp/dhclient-exit-hooks.d(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
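Review bot: The two new dhclient hook entries leave the `.` in `hooks.d` unescaped, unlike `dhclient\.d` on the line above, so the regex also matches a directory named e.g. `dhclient-enter-hooksXd`; escape it as `/etc/dhcp/dhclient-enter-hooks\.d(/.*)?` and `/etc/dhcp/dhclient-exit-hooks\.d(/.*)?`. They also attach the `--` qualifier to a `(/.*)?` pattern, which means the hook directories themselves are not covered by these entries and keep the generic /etc label; the existing `dhclient\.d` line has no qualifier, so dropping `--` keeps the three consistent unless the directories are deliberately meant to stay unlabelled by this module.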
@@ -101,6 +103,9 @@ ifdef(`distro_redhat',`
 
 /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
+/etc/wide-dhcpv6/dhcp6c-ifupdown --	gen_context(system_u:object_r:bin_t,s0)
+/etc/wide-dhcpv6/dhcp6c-script	--	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20221101/policy/modules/kernel/storage.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/storage.fc
+++ refpolicy-2.20221101/policy/modules/kernel/storage.fc
@@ -29,6 +29,7 @@
 /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
Index: refpolicy-2.20221101/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20221101/policy/modules/system/fstools.te
@@ -29,6 +29,7 @@ files_type(swapfile_t)
 
 # ipc_lock is for losetup
 allow fsadm_t self:capability { dac_override dac_read_search ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit fsadm_t self:capability net_admin;
 allow fsadm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execstack setkeycreate setsockcreate getrlimit };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_fifo_file_perms;
@@ -118,6 +119,7 @@ files_manage_lost_found(fsadm_t)
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
 
+fs_getattr_cgroup(fsadm_t)
 fs_rw_all_image_files(fsadm_t)
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
@@ -130,6 +132,8 @@ fs_list_auto_mountpoints(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
+# for fstrim
+files_manage_boot_dirs(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
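Review bot: `files_manage_boot_dirs(fsadm_t)` is wider than the stated purpose `# for fstrim`: manage on boot_t directories includes add_name, remove_name, rmdir and rename, whereas trimming a mounted /boot only needs to open the mount point and issue the FITRIM ioctl on the directory. If no narrower boot interface grants open/search/ioctl on the directory, say so in the comment (`# for fstrim: needs dir ioctl on /boot; no narrower boot_t interface available`) so the next reader does not try to tighten it; otherwise prefer the narrower call.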
@@ -140,6 +144,8 @@ mls_file_write_all_levels(fsadm_t)
 
 selinux_getattr_fs(fsadm_t)
 
+storage_dev_filetrans_fixed_disk_control(fsadm_t, "megaraid_sas_ioctl_node")
+storage_manage_fixed_disk(fsadm_t)
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
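Review bot: The two new storage rules carry no comment, and `storage_manage_fixed_disk(fsadm_t)` is the broad one: it allows fsadm_t to create and delete fixed-disk device nodes in general, not just the `megaraid_sas_ioctl_node` that the filetrans line is about. If node creation for that one device is the only need, state it with `# for MegaRAID management tools creating /dev/megaraid_sas_ioctl_node -- confirm which tool` above the pair, and check that the interface's scope (block as well as character nodes, presumably) is not wider than what the tool actually creates. The `/dev/megaraid.*` entry added to storage.fc in this patch is what keeps the created node labelled after a relabel, so the two belong together in the commit message as well.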
@@ -152,6 +158,8 @@ term_use_console(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
+# for systemd-fsckd to access /proc/1/environ
+init_read_state(fsadm_t)
 init_rw_script_stream_sockets(fsadm_t)
 
 logging_send_syslog_msg(fsadm_t)
@@ -193,6 +201,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fsdaemon_read_lib(fsadm_t)
+')
+
+optional_policy(`
 	livecd_rw_tmp_files(fsadm_t)
 ')
 
@@ -202,6 +214,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mon_dontaudit_use_fds(fsadm_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(fsadm_t)
 ')
 
Index: refpolicy-2.20221101/policy/modules/apps/java.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/apps/java.te
+++ refpolicy-2.20221101/policy/modules/apps/java.te
@@ -128,11 +128,17 @@ tunable_policy(`allow_java_execstack',`
 auth_use_nsswitch(java_t)
 
 corecmd_search_bin(java_t)
+corecmd_exec_bin(java_t)
 
 dev_read_sysfs(java_t)
 
+fs_read_cgroup_files(java_t)
+fs_search_cgroup_dirs(java_t)
+
 locallogin_use_fds(java_t)
 
+libs_exec_lib_files(java_t)
+
 userdom_read_user_tmp_files(java_t)
 userdom_use_user_terminals(java_t)
 
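Review bot: `corecmd_exec_bin(java_t)` and `libs_exec_lib_files(java_t)` let java_t execute every bin_t program and every lib_t file in its own domain without a transition, a large widening for a domain that already has an execstack tunable just above this hunk, and neither line says what needed it. If a specific helper is being spawned, a comment naming it (`# for <helper> -- confirm`) or a narrower exec interface would be better, and `libs_exec_lib_files` in particular deserves a note on which library is run as a program. The two cgroup reads are unremarkable.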
Index: refpolicy-2.20221101/policy/modules/kernel/storage.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/storage.if
+++ refpolicy-2.20221101/policy/modules/kernel/storage.if
@@ -312,6 +312,30 @@ interface(`storage_dev_filetrans_fixed_d
 
 ########################################
 ## <summary>
+##	Create char devices in /dev with the fixed disk type
+##	via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Optional filename of the char device to be created
+##	</summary>
+## </param>
+#
+interface(`storage_dev_filetrans_fixed_disk_control',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_filetrans($1, fixed_disk_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Create block devices in on a tmpfs filesystem with the
 ##	fixed disk type via an automatic type transition.
 ## </summary>
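Review bot: The interface name `storage_dev_filetrans_fixed_disk_control` suggests a distinct control-node type, but the body transitions to `fixed_disk_device_t` itself, the same type as the disk block devices, so a char node created through it is indistinguishable policy-wise from a raw disk and every domain with `storage_raw_*_fixed_disk` can reach it. Either name it for what it does (e.g. `storage_dev_filetrans_fixed_disk_chr`) or, if a separate control type is intended, introduce that type; in both cases the summary should say the type is shared with block devices. The `$2` filename parameter follows the optional-filename convention of the neighbouring `storage_dev_filetrans_fixed_disk`.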
Index: refpolicy-2.20221101/policy/modules/services/ppp.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/ppp.fc
+++ refpolicy-2.20221101/policy/modules/services/ppp.fc
@@ -8,6 +8,7 @@ HOME_DIR/\.ppprc	--	gen_context(system_u
 /etc/ppp/.*secrets	--	gen_context(system_u:object_r:pppd_secret_t,s0)
 /etc/ppp/resolv\.conf	--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/ppp/ip-pre-up	--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
 
 /usr/bin/ipppd		--	gen_context(system_u:object_r:pppd_exec_t,s0)
 /usr/bin/ppp-watch	--	gen_context(system_u:object_r:pppd_exec_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/ppp.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/ppp.te
+++ refpolicy-2.20221101/policy/modules/services/ppp.te
@@ -86,6 +86,7 @@ allow pppd_t self:socket create_socket_p
 allow pppd_t self:netlink_route_socket nlmsg_write;
 allow pppd_t self:tcp_socket { accept listen };
 allow pppd_t self:packet_socket create_socket_perms;
+allow pppd_t self:pppox_socket { connect create ioctl };
 
 allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 
@@ -108,6 +109,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t,
 
 manage_dirs_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
 manage_files_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
+allow pppd_t pppd_runtime_t:file map;
 files_runtime_filetrans(pppd_t, pppd_runtime_t, { dir file })
 
 can_exec(pppd_t, pppd_exec_t)
Index: refpolicy-2.20221101/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20221101/policy/modules/admin/netutils.te
@@ -136,6 +136,7 @@ logging_send_syslog_msg(ping_t)
 miscfiles_read_localization(ping_t)
 
 userdom_use_inherited_user_terminals(ping_t)
+term_use_unallocated_ttys(ping_t)
 
 optional_policy(`
 	munin_append_log(ping_t)
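Review bot: `term_use_unallocated_ttys(ping_t)` is appended to the `userdom_` group; refpolicy keeps calls grouped by module prefix in alphabetical order, so it belongs in its own `term_` paragraph above `userdom_use_inherited_user_terminals(ping_t)`, separated by a blank line. A one-line comment on why ping runs on an unallocated tty would also help.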
Index: refpolicy-2.20221101/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/ntp.te
+++ refpolicy-2.20221101/policy/modules/services/ntp.te
@@ -157,6 +157,8 @@ ifdef(`init_systemd',`
 	allow ntpd_t self:capability { fowner setpcap };
 	init_read_state(ntpd_t)
 	init_reload(ntpd_t)
+	init_start_generic_units(ntpd_t)
+	init_stop_generic_units(ntpd_t)
 
 	# for /var/lib/systemd/clock
 	init_list_var_lib_dirs(ntpd_t)
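Review bot: `init_start_generic_units(ntpd_t)` and `init_stop_generic_units(ntpd_t)` let the time daemon start and stop any generic systemd unit, much broader than the `init_reload` it already had, and no comment explains the trigger. If ntpd only needs to control one unit, a comment naming it (`# ntpd starts/stops <unit> -- confirm`) and, where the policy has a dedicated type for that unit, the narrower per-unit interface would keep this to least privilege. The enclosing `ifdef(`init_systemd'` block starts before this hunk.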
Index: refpolicy-2.20221101/policy/modules/admin/bootloader.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/admin/bootloader.fc
+++ refpolicy-2.20221101/policy/modules/admin/bootloader.fc
@@ -21,6 +21,7 @@
 /usr/sbin/grub2?-mkconfig	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/lilo.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkinitramfs		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/mkrlconf		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/mvrefind		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/refind-install	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/certbot.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/certbot.te
+++ refpolicy-2.20221101/policy/modules/services/certbot.te
@@ -38,7 +38,8 @@ files_type(certbot_lib_t)
 #
 
 allow certbot_t self:fifo_file rw_inherited_fifo_file_perms;
-allow certbot_t self:capability { chown dac_override sys_resource };
+allow certbot_t self:capability { chown dac_override fsetid sys_resource };
+dontaudit certbot_t self:capability net_admin;
 allow certbot_t self:udp_socket all_udp_socket_perms;
 allow certbot_t self:tcp_socket all_tcp_socket_perms;
 allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
Index: refpolicy-2.20221101/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20221101/policy/modules/system/lvm.te
@@ -163,6 +163,7 @@ files_read_etc_files(lvm_t)
 files_watch_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
 
+fs_getattr_cgroup(lvm_t)
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
 fs_list_tmpfs(lvm_t)
Index: refpolicy-2.20221101/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/logging.te
+++ refpolicy-2.20221101/policy/modules/system/logging.te
@@ -96,6 +96,8 @@ ifdef(`enable_mls',`
 
 optional_policy(`
 	systemd_tmpfilesd_managed(var_log_t)
+	systemd_relabelfrom_journal_files(syslogd_t)
+	systemd_relabelto_journal_files(syslogd_t)
 ')
 
 ########################################
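Review bot: The two journal relabel grants for syslogd_t do not say why a syslog daemon relabels journald files, and they sit inside an `optional_policy` whose existing content is about tmpfilesd management of var_log_t. A comment such as `# <daemon> relabels files under the journal directory -- confirm` would document the intent; if both directions are always needed together, one combined relabel interface would read better than the from/to pair.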
@@ -164,7 +166,7 @@ allow auditd_t self:tcp_socket create_st
 
 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
-dontaudit auditd_t auditd_etc_t:file map;
+allow auditd_t auditd_etc_t:file map;
 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t auditd_log_t:dir setattr;
Index: refpolicy-2.20221101/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20221101/policy/modules/system/systemd.if
@@ -1494,6 +1494,24 @@ interface(`systemd_connect_machined',`
 
 ########################################
 ## <summary>
+##     dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can access the socket
+##	</summary>
+## </param>
+#
+interface(`systemd_dontaudit_connect_machined',`
+	gen_require(`
+		type systemd_machined_t;
+	')
+
+	dontaudit $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
 ##   Send and receive messages from
 ##   systemd machined over dbus.
 ## </summary>
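Review bot: The summary of `systemd_dontaudit_connect_machined` is indented with spaces (`##     dontaudit ...`) while the other summaries in this file use a tab, and it reads as a fragment; refpolicy phrases these as `##	Do not audit attempts to connect to the systemd-machined unix stream socket.` The current text names a specific path under /run/systemd/userdb, but the rule is keyed on the `systemd_machined_t` socket type, so the path is better placed in a `<desc>` block or dropped so it cannot go stale.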
@@ -1790,6 +1808,26 @@ interface(`systemd_relabelto_journal_dir
 ')
 
 ########################################
+## <summary>
+##	Relabel from systemd-journald file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_relabelfrom_journal_files',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	files_search_var($1)
+	list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
+	allow $1 systemd_journal_t:file relabelfrom_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Relabel to systemd-journald file type.
 ## </summary>
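Review bot: `list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)` omits the spaces after commas used by the rest of the file (compare the `dev_filetrans($1, fixed_disk_device_t, chr_file, $2)` call elsewhere in this patch); write `list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)`. The interface otherwise mirrors its existing relabelto counterpart below.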
Index: refpolicy-2.20221101/policy/modules/services/chronyd.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/chronyd.te
+++ refpolicy-2.20221101/policy/modules/services/chronyd.te
@@ -54,7 +54,7 @@ logging_log_file(chronyd_var_log_t)
 # chronyd local policy
 #
 
-allow chronyd_t self:capability { chown dac_override ipc_lock setgid setuid sys_resource sys_time };
+allow chronyd_t self:capability { chown dac_override dac_read_search ipc_lock setgid setuid sys_resource sys_time };
 allow chronyd_t self:process { getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
@@ -125,6 +125,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_unix_dgram_send(chronyd_t)
+')
+
+optional_policy(`
 	mta_send_mail(chronyd_t)
 ')
 
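Review bot: The new `unconfined_unix_dgram_send(chronyd_t)` block is inserted before the `mta_send_mail` block, but refpolicy orders `optional_policy` blocks alphabetically by module, so it belongs after `mta`. It also has no comment on what chronyd sends to unconfined_t over a datagram socket; a one-liner (`# for <receiver> -- confirm`) would let a reader judge whether a more specific target type exists.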
Index: refpolicy-2.20221101/policy/modules/services/dkim.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/dkim.fc
+++ refpolicy-2.20221101/policy/modules/services/dkim.fc
@@ -1,4 +1,5 @@
 /etc/opendkim/keys(/.*)?				gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/dkimkeys(/.*)?					gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
 /etc/rc\.d/init\.d/((opendkim)|(dkim-milter))	--	gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
 
Index: refpolicy-2.20221101/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20221101/policy/modules/system/unconfined.if
@@ -632,3 +632,21 @@ interface(`unconfined_dbus_connect',`
 
 	allow $1 unconfined_t:dbus acquire_svc;
 ')
+
+########################################
+## <summary>
+##	Send unix_dgram_socket to unconfined_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_unix_dgram_send',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:unix_dgram_socket sendto;
+')
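Review bot: The summary `Send unix_dgram_socket to unconfined_t` names the object class rather than the action; the rule grants `sendto` on unconfined_t datagram sockets, so `##	Send messages to unconfined_t unix datagram sockets.` describes it accurately and matches the neighbouring summaries.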
Index: refpolicy-2.20221101/policy/modules/services/firewalld.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/firewalld.te
+++ refpolicy-2.20221101/policy/modules/services/firewalld.te
@@ -38,11 +38,13 @@ allow firewalld_t self:fifo_file rw_fifo
 allow firewalld_t self:unix_stream_socket { accept listen };
 allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
+allow firewalld_t self:netlink_netfilter_socket { create getopt read setopt write };
 
 allow firewalld_t firewalld_etc_rw_t:dir watch;
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
+allow firewalld_t firewalld_etc_rw_t:dir watch;
 
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
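Review bot: Both added lines are redundant with rules already in view: `allow firewalld_t self:netlink_netfilter_socket { create getopt read setopt write };` is a subset of the `create_socket_perms` granted on the same class two lines earlier, and `allow firewalld_t firewalld_etc_rw_t:dir watch;` repeats the identical rule four lines above it. Drop both additions; if they were added to record an observed denial, the existing rules already cover it and the duplicates only add noise.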
@@ -86,6 +88,7 @@ logging_send_syslog_msg(firewalld_t)
 
 libs_watch_lib_dirs(firewalld_t)
 
+miscfiles_read_generic_certs(firewalld_t)
 miscfiles_read_localization(firewalld_t)
 
 seutil_exec_setfiles(firewalld_t)
Index: refpolicy-2.20221101/policy/modules/admin/apt.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/admin/apt.te
+++ refpolicy-2.20221101/policy/modules/admin/apt.te
@@ -106,6 +106,8 @@ files_read_etc_runtime_files(apt_t)
 
 fs_getattr_all_fs(apt_t)
 
+init_get_system_status(apt_t)
+
 term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)
@@ -156,6 +158,7 @@ optional_policy(`
 
 optional_policy(`
 	networkmanager_dbus_chat(apt_t)
+	networkmanager_status(apt_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20221101/policy/modules/services/networkmanager.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/networkmanager.fc
+++ refpolicy-2.20221101/policy/modules/services/networkmanager.fc
@@ -15,7 +15,7 @@
 /etc/wicd/wireless-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 /etc/wicd/wired-settings\.conf	--	gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
 
-/usr/lib/NetworkManager/nm-dispatcher.*	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/NetworkManager/nm-dispatcher.*	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/lib/networkmanager/nm-dispatcher.*	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 /usr/libexec/nm-dispatcher.*	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 /usr/libexec/iwd			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
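Review bot: Only `/usr/lib/NetworkManager/nm-dispatcher.*` is relabelled to `NetworkManager_exec_t`; the lowercase `/usr/lib/networkmanager/` and `/usr/libexec/` entries for the same dispatcher stay `NetworkManager_initrc_exec_t`, so the binary's domain now depends on the install path. Unless that is deliberate, change all three together or add a comment explaining why the paths differ; running the dispatcher in the NetworkManager domain rather than through initrc presumably also changes which domain runs the dispatcher scripts, which is worth a line of justification.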
Index: refpolicy-2.20221101/policy/modules/services/memlockd.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/memlockd.te
+++ refpolicy-2.20221101/policy/modules/services/memlockd.te
@@ -37,7 +37,9 @@ logging_send_syslog_msg(memlockd_t)
 miscfiles_read_localization(memlockd_t)
 
 sysnet_mmap_read_config(memlockd_t)
+sysnet_read_config(memlockd_t)
 
 ifndef(`distro_debian', `
 	allow memlockd_t self:capability dac_read_search;
 ')
+
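Review bot: The final `+` line is an empty line at end of file, leaving a trailing blank line in memlockd.te; drop it. `sysnet_read_config(memlockd_t)` next to the existing `sysnet_mmap_read_config` is fine.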
Index: refpolicy-2.20221101/policy/modules/services/postfix.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/postfix.if
+++ refpolicy-2.20221101/policy/modules/services/postfix.if
@@ -50,6 +50,9 @@ template(`postfix_domain_template',`
 	can_exec(postfix_$1_t, postfix_$1_exec_t)
 
 	auth_use_nsswitch(postfix_$1_t)
+	ifdef(`init_systemd',`
+		systemd_dontaudit_connect_machined(postfix_$1_t)
+	')
 ')
 
 #######################################
Index: refpolicy-2.20221101/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20221101/policy/modules/admin/dpkg.te
@@ -351,6 +351,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ntp_filetrans_drift(dpkg_script_t)
+')
+
+optional_policy(`
 	systemd_read_logind_state(dpkg_script_t)
 	systemd_dbus_chat_logind(dpkg_script_t)
 	systemd_run_sysusers(dpkg_script_t, dpkg_roles)
Index: refpolicy-2.20221101/policy/modules/services/ntp.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/ntp.if
+++ refpolicy-2.20221101/policy/modules/services/ntp.if
@@ -178,6 +178,25 @@ interface(`ntp_read_drift_files',`
 
 ########################################
 ## <summary>
+##	specified domain creates /var/lib/ntpsec/ with the correct type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_filetrans_drift',`
+	gen_require(`
+		type ntp_drift_t;
+	')
+
+	files_search_var_lib($1)
+	files_var_lib_filetrans($1, ntp_drift_t, dir)
+')
+
+########################################
+## <summary>
 ##	Read and write ntpd shared memory.
 ## </summary>
 ## <param name="domain">
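Review bot: `files_var_lib_filetrans($1, ntp_drift_t, dir)` is called without the optional filename argument, so every directory the caller creates directly under /var/lib is labelled ntp_drift_t, not just ntpsec; with `dpkg_script_t` as the caller elsewhere in this patch that would mislabel other packages' state directories. Pass the name, `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`, which also matches the `/var/lib/ntpsec(/.*)?` file context added in ntp.fc. The summary should be a sentence in the file's style, `##	Create /var/lib/ntpsec with the ntp drift type via an automatic type transition.`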
Index: refpolicy-2.20221101/policy/modules/services/ntp.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/ntp.fc
+++ refpolicy-2.20221101/policy/modules/services/ntp.fc
@@ -30,6 +30,7 @@
 
 /var/db/ntp-kod				--	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntpsec(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock			--	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/timesync(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20221101/policy/modules/services/jabber.te
@@ -39,6 +39,7 @@ allow jabberd_domain self:tcp_socket { a
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
 allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
+allow jabberd_domain jabberd_var_lib_t:sock_file create;
 
 kernel_read_system_state(jabberd_domain)
 
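Review bot: `allow jabberd_domain jabberd_var_lib_t:sock_file create;` grants create only; a socket created at startup usually has to be unlinked on restart and may be stat'ed, so `manage_sock_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)` is the idiomatic grant unless the denial seen was genuinely just create. If only create was observed, a comment saying so would stop the next reader from widening it.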
Index: refpolicy-2.20221101/policy/modules/services/dkim.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20221101/policy/modules/services/dkim.te
@@ -24,7 +24,7 @@ init_daemon_runtime_file(dkim_milter_dat
 #
 
 allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
-allow dkim_milter_t self:process { signal signull };
+allow dkim_milter_t self:process { signal signull getsched };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
Index: refpolicy-2.20221101/policy/modules/services/matrixd.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/matrixd.te
+++ refpolicy-2.20221101/policy/modules/services/matrixd.te
@@ -83,6 +83,7 @@ corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
 
+dev_read_sysfs(matrixd_t)
 dev_read_urand(matrixd_t)
 
 files_read_etc_files(matrixd_t)
Index: refpolicy-2.20221101/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20221101/policy/modules/admin/bootloader.te
@@ -80,6 +80,7 @@ storage_rw_fuse(bootloader_t)
 
 dev_getattr_all_chr_files(bootloader_t)
 dev_getattr_all_blk_files(bootloader_t)
+dev_dontaudit_read_raw_memory(bootloader_t)
 dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
Index: refpolicy-2.20221101/policy/modules/services/vnstatd.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/vnstatd.te
+++ refpolicy-2.20221101/policy/modules/services/vnstatd.te
@@ -48,6 +48,7 @@ kernel_read_system_state(vnstatd_t)
 
 # read /sys/class/net/eth0
 dev_read_sysfs(vnstatd_t)
+dev_read_urand(vnstatd_t)
 
 files_read_etc_files(vnstatd_t)
 files_search_var_lib(vnstatd_t)
