diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te

index ec838bd..5d940f8 100644

--- a/policy/modules/admin/prelink.te

+++ b/policy/modules/admin/prelink.te

@@ -126,7 +126,7 @@ optional_policy(`

 ')

 optional_policy(`

-	nsplugin_manage_rw_files(prelink_t)

+	mozilla_plugin_manage_rw_files(prelink_t)

 ')

 optional_policy(`

diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc

index 35b51ab..800b5c8 100644

--- a/policy/modules/apps/mozilla.fc

+++ b/policy/modules/apps/mozilla.fc

@@ -4,6 +4,11 @@ HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

 HOME_DIR/\.thunderbird(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

 HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

 HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

+HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)

+HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

+HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)

+HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

+HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

 #

 # /bin

@@ -15,6 +20,9 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

 /usr/bin/epiphany		--	gen_context(system_u:object_r:mozilla_exec_t,s0)

 /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)

 /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)

+/usr/bin/nspluginscan		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)

+/usr/bin/nspluginviewer		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)

+/usr/lib/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)

 #

 # /lib

@@ -27,4 +35,9 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)

 /usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)

 /usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)

 /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)

+

 /usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)

+

+/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)

+

+/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)

diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if

index b9b8ac2..aa15d05 100644

--- a/policy/modules/apps/mozilla.if

+++ b/policy/modules/apps/mozilla.if

@@ -208,10 +208,12 @@ interface(`mozilla_domtrans',`

 interface(`mozilla_domtrans_plugin',`

 	gen_require(`

 		type mozilla_plugin_t, mozilla_plugin_exec_t;

+		type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;

 		class dbus send_msg;

 	')

 	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)

+	domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)

 	allow mozilla_plugin_t $1:process signull;

 	allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };

 	allow $1 mozilla_plugin_t:fd use;

@@ -247,6 +249,7 @@ interface(`mozilla_run_plugin',`

 	mozilla_domtrans_plugin($1)

 	role $2 types mozilla_plugin_t;

+	role $2 types mozilla_plugin_config_t;

 ')

 #######################################

@@ -266,6 +269,7 @@ interface(`mozilla_role_plugin',`

     ')

     role $1 types mozilla_plugin_t;

+    role $1 types mozilla_plugin_config_t;

 ')

 ########################################

@@ -360,3 +364,23 @@ interface(`mozilla_plugin_dontaudit_leaks',`

 	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };

 ')

+

+########################################

+## <summary>

+##	Create, read, write, and delete

+##	mozilla_plugin rw files.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`mozilla_plugin_manage_rw_files',`

+	gen_require(`

+		type mozilla_plugin_rw_t;

+	')

+

+	allow $1 mozilla_plugin_rw_t:file manage_file_perms;

+	allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;

+')

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te

index 75d0b62..344f2e4 100644

--- a/policy/modules/apps/mozilla.te

+++ b/policy/modules/apps/mozilla.te

@@ -23,7 +23,7 @@ type mozilla_conf_t;

 files_config_file(mozilla_conf_t)

 type mozilla_home_t;

-typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };

+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t nsplugin_home_t };

 typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };

 files_poly_member(mozilla_home_t)

 userdom_user_home_content(mozilla_home_t)

@@ -43,6 +43,13 @@ userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)

 files_tmpfs_file(mozilla_plugin_tmpfs_t)

 ubac_constrained(mozilla_plugin_tmpfs_t)

+type mozilla_plugin_rw_t alias nsplugin_rw_t;

+files_type(mozilla_plugin_rw_t)

+

+type mozilla_plugin_config_t;

+type mozilla_plugin_config_exec_t;

+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)

+

 type mozilla_tmp_t;

 files_tmp_file(mozilla_tmp_t)

 ubac_constrained(mozilla_tmp_t)

@@ -280,11 +287,6 @@ optional_policy(`

 ')

 optional_policy(`

-	nsplugin_manage_rw(mozilla_t)

-	nsplugin_manage_home_files(mozilla_t)

-')

-

-optional_policy(`

 	pulseaudio_exec(mozilla_t)

 	pulseaudio_stream_connect(mozilla_t)

 	pulseaudio_manage_home_files(mozilla_t)

@@ -330,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug

 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)

 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })

+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;

+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)

+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)

+

 can_exec(mozilla_plugin_t, mozilla_exec_t)

 kernel_read_kernel_sysctls(mozilla_plugin_t)

@@ -452,17 +458,6 @@ optional_policy(`

 ')

 optional_policy(`

-	nsplugin_domtrans(mozilla_plugin_t)

-	nsplugin_rw_exec(mozilla_plugin_t)

-	nsplugin_manage_home_dirs(mozilla_plugin_t)

-	nsplugin_manage_home_files(mozilla_plugin_t)

-	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)

-	nsplugin_user_home_filetrans(mozilla_plugin_t, file)

-	nsplugin_read_rw_files(mozilla_plugin_t);

-	nsplugin_signal(mozilla_plugin_t)

-')

-

-optional_policy(`

 	pulseaudio_exec(mozilla_plugin_t)

 	pulseaudio_stream_connect(mozilla_plugin_t)

 	pulseaudio_setattr_home_dir(mozilla_plugin_t)

@@ -491,3 +486,61 @@ optional_policy(`

 	xserver_append_xdm_home_files(mozilla_plugin_t);

 ')

+########################################

+#

+# mozilla_plugin_config local policy

+#

+

+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };

+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem };

+

+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;

+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;

+

+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)

+

+dev_search_sysfs(mozilla_plugin_config_t)

+dev_read_urand(mozilla_plugin_config_t)

+dev_dontaudit_read_rand(mozilla_plugin_config_t)

+dev_dontaudit_rw_dri(mozilla_plugin_config_t)

+

+fs_search_auto_mountpoints(mozilla_plugin_config_t)

+fs_list_inotifyfs(mozilla_plugin_config_t)

+

+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)

+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)

+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)

+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)

+

+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)

+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)

+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)

+

+corecmd_exec_bin(mozilla_plugin_config_t)

+corecmd_exec_shell(mozilla_plugin_config_t)

+

+kernel_read_system_state(mozilla_plugin_config_t)

+kernel_request_load_module(mozilla_plugin_config_t)

+

+domain_use_interactive_fds(mozilla_plugin_config_t)

+

+files_read_etc_files(mozilla_plugin_config_t)

+files_read_usr_files(mozilla_plugin_config_t)

+files_dontaudit_search_home(mozilla_plugin_config_t)

+files_list_tmp(mozilla_plugin_config_t)

+

+auth_use_nsswitch(mozilla_plugin_config_t)

+

+miscfiles_read_localization(mozilla_plugin_config_t)

+miscfiles_read_fonts(mozilla_plugin_config_t)

+

+userdom_search_user_home_content(mozilla_plugin_config_t)

+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)

+userdom_read_user_home_content_files(mozilla_plugin_config_t)

+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)

+

+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)

+

+optional_policy(`

+	xserver_use_user_fonts(mozilla_plugin_config_t)

+')

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if

index 39b1056..cc3f02e 100644

--- a/policy/modules/kernel/devices.if

+++ b/policy/modules/kernel/devices.if

@@ -4176,6 +4176,30 @@ interface(`dev_dontaudit_write_sysfs_dirs',`

 ########################################

 ## <summary>

+##	Read cpu online hardware state information.

+## </summary>

+## <desc>

+##	

+##	Allow the specified domain to read /sys/devices/system/cpu/online file.

+##	

+## </desc>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`dev_read_cpu_online',`

+	gen_require(`

+		type cpu_online_t;

+	')

+

+	dev_search_sysfs($1)

+	read_files_pattern($1, cpu_online_t, cpu_online_t)

+')

+

+########################################

+## <summary>

 ##	Read hardware state information.

 ## </summary>

 ## <desc>

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te

index 1c2562c..112bebb 100644

--- a/policy/modules/kernel/devices.te

+++ b/policy/modules/kernel/devices.te

@@ -225,6 +225,10 @@ files_mountpoint(sysfs_t)

 fs_type(sysfs_t)

 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

+type cpu_online_t;

+allow cpu_online_t sysfs_t:filesystem associate;

+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)

+

 #

 # Type for /dev/tpm

 #

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te

index f9a1bcc..a478431 100644

--- a/policy/modules/kernel/domain.te

+++ b/policy/modules/kernel/domain.te

@@ -115,6 +115,7 @@ kernel_dontaudit_search_debugfs(domain)

 allow domain self:process { fork getsched sigchld };

 # Use trusted objects in /dev

+dev_read_cpu_online(domain)

 dev_rw_null(domain)

 dev_rw_zero(domain)

 term_use_controlling_term(domain)

diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te

index 11ad8fb..35524d6 100644

--- a/policy/modules/roles/unconfineduser.te

+++ b/policy/modules/roles/unconfineduser.te

@@ -8,13 +8,6 @@ attribute unconfined_login_domain;

 ## <desc>

 ## 

-##  allow unconfined users to transition to the nsplugin domains when running nspluginviewer

-## 

-## </desc>

-gen_tunable(allow_unconfined_nsplugin_transition, false)

-

-## <desc>

-## 

 ## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox

 ## 

 ## </desc>

@@ -128,14 +121,6 @@ optional_policy(`

 		attribute unconfined_usertype;

 	')

-	nsplugin_role_notrans(unconfined_r, unconfined_usertype)

-	optional_policy(`

-		tunable_policy(`allow_unconfined_nsplugin_transition',`

-		      nsplugin_domtrans(unconfined_usertype)

-		      nsplugin_domtrans_config(unconfined_usertype)

-		')

-	')

-

 	optional_policy(`

 		abrt_dbus_chat(unconfined_usertype)

 		abrt_run_helper(unconfined_usertype, unconfined_r)

diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te

index 6f176f9..0258e24 100644

--- a/policy/modules/roles/xguest.te

+++ b/policy/modules/roles/xguest.te

@@ -117,10 +117,6 @@ optional_policy(`

 ')

 optional_policy(`

-	nsplugin_role(xguest_r, xguest_t)

-')

-

-optional_policy(`

 	pcscd_read_pub_files(xguest_usertype)

 	pcscd_stream_connect(xguest_usertype)

 ')

diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te

index d5a9038..a1cbdb4 100644

--- a/policy/modules/services/abrt.te

+++ b/policy/modules/services/abrt.te

@@ -208,11 +208,6 @@ optional_policy(`

 ')

 optional_policy(`

-	nsplugin_read_rw_files(abrt_t)

-	nsplugin_read_home(abrt_t)

-')

-

-optional_policy(`

 	policykit_dbus_chat(abrt_t)

 	policykit_domtrans_auth(abrt_t)

 	policykit_read_lib(abrt_t)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if

index 0b3811d..0281618 100644

--- a/policy/modules/system/userdomain.if

+++ b/policy/modules/system/userdomain.if

@@ -787,10 +787,6 @@ template(`userdom_common_user_template',`

 	')

 	optional_policy(`

-		nsplugin_role($1_r, $1_usertype)

-	')

-

-	optional_policy(`

 		tunable_policy(`allow_user_mysql_connect',`

 			mysql_stream_connect($1_t)

 		')