Index: refpolicy-2.20180220/policy/modules/contrib/backup.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/backup.te
+++ refpolicy-2.20180220/policy/modules/contrib/backup.te
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
 
 logging_send_syslog_msg(backup_t)
 
+miscfiles_read_localization(backup_t)
+
 sysnet_read_config(backup_t)
 
 userdom_use_user_terminals(backup_t)
Index: refpolicy-2.20180220/policy/modules/contrib/boinc.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/boinc.te
+++ refpolicy-2.20180220/policy/modules/contrib/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
 # Local policy
 #
 
-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
 allow boinc_t self:unix_stream_socket { accept listen };
 allow boinc_t self:tcp_socket { accept listen };
 allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
 
 can_exec(boinc_t, boinc_var_lib_t)
 libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)
 
 domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 
 kernel_read_system_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
 
 corenet_all_recvfrom_unlabeled(boinc_t)
 corenet_all_recvfrom_netlabel(boinc_t)
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
 logging_send_syslog_msg(boinc_t)
 
 miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
 miscfiles_read_localization(boinc_t)
 
 tunable_policy(`boinc_execmem',`
@@ -169,7 +173,7 @@ optional_policy(`
 #
 
 allow boinc_project_t self:capability { setgid setuid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };
 
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
@@ -210,5 +214,13 @@ term_getattr_generic_ptys(boinc_t)
 userdom_getattr_user_ttys(boinc_t)
 
 optional_policy(`
+	# for lsb_release -a
+	apt_read_cache(boinc_project_t)
+	apt_read_db(boinc_project_t)
+	dpkg_exec(boinc_project_t)
+	dpkg_read_db(boinc_project_t)
+')
+
+optional_policy(`
 	java_exec(boinc_project_t)
 ')
Index: refpolicy-2.20180220/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy-2.20180220/policy/modules/contrib/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
 files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
 files_search_tmp(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 
Index: refpolicy-2.20180220/policy/modules/contrib/gdomap.fc
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/gdomap.fc
+++ refpolicy-2.20180220/policy/modules/contrib/gdomap.fc
@@ -5,3 +5,4 @@
 /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
 
 /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)
Index: refpolicy-2.20180220/policy/modules/contrib/gdomap.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/gdomap.te
+++ refpolicy-2.20180220/policy/modules/contrib/gdomap.te
@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
 allow gdomap_t self:tcp_socket { listen accept };
 
 allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
 files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
 
 corenet_sendrecv_gdomap_server_packets(gdomap_t)
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
 auth_use_nsswitch(gdomap_t)
 
 logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)
Index: refpolicy-2.20180220/policy/modules/contrib/jabber.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/jabber.te
+++ refpolicy-2.20180220/policy/modules/contrib/jabber.te
@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
 allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
 
 kernel_read_system_state(jabberd_domain)
 
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
 corenet_tcp_sendrecv_generic_if(jabberd_domain)
 corenet_tcp_sendrecv_generic_node(jabberd_domain)
 corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)
 
 dev_read_urand(jabberd_domain)
 dev_read_sysfs(jabberd_domain)
Index: refpolicy-2.20180220/policy/modules/contrib/mon.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/mon.te
+++ refpolicy-2.20180220/policy/modules/contrib/mon.te
@@ -161,6 +161,7 @@ optional_policy(`
 
 allow mon_local_test_t self:capability sys_admin;
 allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
 
 kernel_dontaudit_getattr_core_if(mon_local_test_t)
 kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
 kernel_read_software_raid_state(mon_local_test_t)
 kernel_read_system_state(mon_local_test_t)
 
Index: refpolicy-2.20180220/policy/modules/contrib/syncthing.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/syncthing.te
+++ refpolicy-2.20180220/policy/modules/contrib/syncthing.te
@@ -66,7 +66,3 @@ userdom_use_user_terminals(syncthing_t)
 # newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
 userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
 
-optional_policy(`
-	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
-	networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20180220/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180220/policy/modules/kernel/corecommands.fc
@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/ConsoleKit/run-session.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/courier(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cups(/.*)? 			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
 /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20180220/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180220/policy/modules/services/ssh.te
@@ -247,6 +247,9 @@ optional_policy(`
 # sshd_t is the domain for the sshd program.
 #
 
+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
Index: refpolicy-2.20180220/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180220/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
 
 #######################################
 ## <summary>
+##	relabel the last logins log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
 ##	Read and write to the last logins log.
 ## </summary>
 ## <param name="domain">
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
 ')
 
 ########################################
+## <summary>
+##     Manage the last logins log.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
+	logging_rw_generic_log_dirs($1)
+')
+
+########################################
 ## <summary>
 ##	Execute pam programs in the pam domain.
 ## </summary>
Index: refpolicy-2.20180220/policy/modules/system/iptables.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/system/iptables.te
+++ refpolicy-2.20180220/policy/modules/system/iptables.te
@@ -53,6 +53,7 @@ allow iptables_t iptables_tmp_t:dir mana
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
+kernel_getattr_proc(iptables_t)
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
Index: refpolicy-2.20180220/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180220/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
 
 allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
+userdom_manage_all_users_keys(local_login_t)
 userdom_spec_domtrans_all_users(local_login_t)
 userdom_signal_all_users(local_login_t)
 userdom_search_user_home_content(local_login_t)
Index: refpolicy-2.20180220/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20180220/policy/modules/system/selinuxutil.te
@@ -599,6 +599,7 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
 fs_getattr_nfs(setfiles_t)
 fs_getattr_pstore_dirs(setfiles_t)
 fs_getattr_pstorefs(setfiles_t)
Index: refpolicy-2.20180220/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180220/policy/modules/system/sysnetwork.if
@@ -751,6 +751,10 @@ interface(`sysnet_dns_name_resolve',`
 	optional_policy(`
 		nscd_use($1)
 	')
+	optional_policy(`
+	# for /etc/resolv.conf symlink
+		networkmanager_read_pid_files($1)
+	')
 
 	# This seems needed when the mymachines NSS module is used
 	optional_policy(`
Index: refpolicy-2.20180220/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180220/policy/modules/system/sysnetwork.te
@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
 allow dhcpc_t dhcp_state_t:file read_file_perms;
 manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
 
 logging_send_syslog_msg(ifconfig_t)
 
+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
 miscfiles_read_localization(ifconfig_t)
 
 seutil_use_runinit_fds(ifconfig_t)
Index: refpolicy-2.20180220/policy/modules/contrib/consolekit.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/consolekit.te
+++ refpolicy-2.20180220/policy/modules/contrib/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
 # Local policy
 #
 
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
 allow consolekit_t self:process { getsched signal setfscreate };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20180220/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180220/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
 #
 
 allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
 allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow groupadd_t self:fd use;
 allow groupadd_t self:fifo_file rw_fifo_file_perms;
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 
 optional_policy(`
+	dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
 	dpkg_use_fds(groupadd_t)
 	dpkg_rw_pipes(groupadd_t)
 ')
@@ -269,6 +273,10 @@ optional_policy(`
 	rpm_rw_pipes(groupadd_t)
 ')
 
+optional_policy(`
+	unconfined_use_fds(groupadd_t)
+')
+
 ########################################
 #
 # Passwd local policy
@@ -446,7 +454,7 @@ optional_policy(`
 #
 
 allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
 allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow useradd_t self:fd use;
 allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -538,6 +546,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
 	dpkg_use_fds(useradd_t)
 	dpkg_rw_pipes(useradd_t)
 ')
@@ -560,3 +572,7 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(useradd_t)
+')
Index: refpolicy-2.20180220/policy/modules/contrib/apt.if
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/apt.if
+++ refpolicy-2.20180220/policy/modules/contrib/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir list_dir_perms;
-	allow $1 apt_var_cache_t:file read_file_perms;
+	allow $1 apt_var_cache_t:file mmap_read_file_perms;
 ')
 
 ########################################
Index: refpolicy-2.20180220/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20180220.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20180220/policy/modules/contrib/dpkg.te
@@ -317,6 +317,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat(dpkg_script_t)
+')
+
+optional_policy(`
 	modutils_run(dpkg_script_t, dpkg_roles)
 ')
 
