diff --git a/aiccu.te b/aiccu.te
index 6e4206c..a9039ce 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -69,6 +69,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+    pcscd_stream_connect(aiccu_t)
+')
+
+optional_policy(`
 	sysnet_dns_name_resolve(aiccu_t)
 	sysnet_domtrans_ifconfig(aiccu_t)
 ')
diff --git a/antivirus.te b/antivirus.te
index 8ba9c95..83590aa 100644
--- a/antivirus.te
+++ b/antivirus.te
@@ -37,7 +37,7 @@ typealias antivirus_unit_file_t alias { clamd_unit_file_t };
 systemd_unit_file(antivirus_unit_file_t)
 
 type antivirus_conf_t;
-typealias antivirus_conf_t alias { clamd_etc_t };
+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
 files_config_file(antivirus_conf_t)
 
 type antivirus_var_run_t;
@@ -166,6 +166,7 @@ dev_read_urand(antivirus_domain)
 
 domain_dontaudit_read_all_domains_state(antivirus_domain)
 
+files_dontaudit_read_security_files(antivirus_domain)
 files_read_etc_runtime_files(antivirus_domain)
 files_search_spool(antivirus_domain)
 
@@ -190,8 +191,6 @@ userdom_dontaudit_search_user_home_dirs(antivirus_domain)
 
 tunable_policy(`antivirus_can_scan_system',`
 	files_read_non_security_files(antivirus_domain)
-    #files_dontaudit_read_all_non_security_files(antivirus_domain)
-    files_dontaudit_read_security_files(antivirus_domain)
 	files_getattr_all_pipes(antivirus_domain)
 	files_getattr_all_sockets(antivirus_domain)
     dev_getattr_all_blk_files(antivirus_domain)
diff --git a/apache.fc b/apache.fc
index 43bb1c9..b903cc0 100644
--- a/apache.fc
+++ b/apache.fc
@@ -133,6 +133,7 @@ ifdef(`distro_suse', `
 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
diff --git a/apache.if b/apache.if
index 64beed7..9426db5 100644
--- a/apache.if
+++ b/apache.if
@@ -74,6 +74,8 @@ template(`apache_content_template',`
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 
+    allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };
+
 	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
 		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
diff --git a/apache.te b/apache.te
index 21d7195..bce7760 100644
--- a/apache.te
+++ b/apache.te
@@ -474,7 +474,7 @@ role system_r types httpd_passwd_t;
 # Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
@@ -510,6 +510,7 @@ allow httpd_t httpd_log_t:dir setattr;
 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 # cjp: need to refine create interfaces to
@@ -1035,6 +1036,7 @@ optional_policy(`
 
 optional_policy(`
 	passenger_exec(httpd_t)
+	passenger_kill(httpd_t)
 	passenger_manage_pid_content(httpd_t)
 ')
 
@@ -1649,7 +1651,7 @@ allow httpd_t httpd_script_type:unix_stream_socket connectto;
 
 allow httpd_t httpd_script_exec_type:file read_file_perms;
 allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
-allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 
 allow httpd_script_type self:process { setsched signal_perms };
@@ -1660,6 +1662,7 @@ allow httpd_script_type httpd_t:fd use;
 allow httpd_script_type httpd_t:process sigchld;
 
 dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
 
 fs_getattr_xattr_fs(httpd_script_type)
 
diff --git a/apcupsd.te b/apcupsd.te
index a370cb8..5206035 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -82,6 +82,8 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
 
 dev_rw_generic_usb_dev(apcupsd_t)
 
+domain_signull_all_domains(apcupsd_t)
+
 files_manage_etc_runtime_files(apcupsd_t)
 files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
 
diff --git a/automount.te b/automount.te
index f27656d..11dbe9d 100644
--- a/automount.te
+++ b/automount.te
@@ -89,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
 files_getattr_default_dirs(automount_t)
 files_getattr_home_dir(automount_t)
 files_getattr_isid_type_dirs(automount_t)
diff --git a/bind.if b/bind.if
index 6c2dbe4..43b445c 100644
--- a/bind.if
+++ b/bind.if
@@ -408,6 +408,25 @@ interface(`bind_udp_chat_named',`
 
 ########################################
 ## <summary>
+##	Allow the domain to read bind state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_state',`
+	gen_require(`
+		type named_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bind environment.
 ## </summary>
diff --git a/chronyd.te b/chronyd.te
index 7d723c0..d0c8001 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -87,6 +87,7 @@ domain_dontaudit_getsession_all_domains(chronyd_t)
 
 dev_read_rand(chronyd_t)
 dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
 
 dev_rw_realtime_clock(chronyd_t)
 
diff --git a/cloudform.te b/cloudform.te
index 786d623..496ce03 100644
--- a/cloudform.te
+++ b/cloudform.te
@@ -270,8 +270,9 @@ files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
 
 manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 #needed by dbomatic
-files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir })
 
 corecmd_exec_bin(mongod_t)
 corecmd_exec_shell(mongod_t)
diff --git a/conman.te b/conman.te
index 0de2d4d..d6b0314 100644
--- a/conman.te
+++ b/conman.te
@@ -25,7 +25,7 @@ allow conman_t self:process { setrlimit signal_perms };
 
 allow conman_t self:fifo_file rw_fifo_file_perms;
 allow conman_t self:unix_stream_socket create_stream_socket_perms;
-allow conman_t self:tcp_socket { listen create_socket_perms };
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
 
 manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
 manage_files_pattern(conman_t, conman_log_t, conman_log_t)
@@ -40,6 +40,10 @@ auth_read_passwd(conman_t)
 
 logging_send_syslog_msg(conman_t)
 
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
 optional_policy(`
     freeipmi_stream_connect(conman_t)
 ')
diff --git a/cups.fc b/cups.fc
index afe482b..9437dbe 100644
--- a/cups.fc
+++ b/cups.fc
@@ -76,10 +76,14 @@
 /var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
 /var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
 
+/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /usr/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 /usr/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /usr/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
 
 /usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
diff --git a/dhcp.te b/dhcp.te
index cdb4d60..5d61f10 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -103,13 +103,26 @@ auth_use_nsswitch(dhcpd_t)
 
 logging_send_syslog_msg(dhcpd_t)
 
+sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
 userdom_dontaudit_search_user_home_dirs(dhcpd_t)
 
 tunable_policy(`dhcpd_use_ldap',`
-	sysnet_use_ldap(dhcpd_t)
+    allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+    corenet_tcp_sendrecv_generic_if(dhcpd_t)
+    corenet_tcp_sendrecv_generic_node(dhcpd_t)
+    corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+    corenet_tcp_connect_ldap_port(dhcpd_t)
+    corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+	ldap_read_certs(dhcpd_t)
 ')
 
 ifdef(`distro_gentoo',`
diff --git a/docker.te b/docker.te
index c80e06c..73e71c1 100644
--- a/docker.te
+++ b/docker.te
@@ -97,6 +97,7 @@ manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
 files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
 
 manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
@@ -135,12 +136,14 @@ files_read_etc_files(docker_t)
 
 fs_read_cgroup_files(docker_t)
 fs_read_tmpfs_symlinks(docker_t)
+fs_getattr_all_fs(docker_t)
 
 storage_raw_rw_fixed_disk(docker_t)
 
 auth_use_nsswitch(docker_t)
 
 init_read_state(docker_t)
+init_status(docker_t)
 
 logging_send_audit_msgs(docker_t)
 logging_send_syslog_msg(docker_t)
@@ -220,6 +223,12 @@ term_mounton_unallocated_ttys(docker_t)
 
 modutils_domtrans_insmod(docker_t)
 
+systemd_status_all_unit_files(docker_t)
+systemd_start_systemd_services(docker_t)
+
+userdom_stream_connect(docker_t)
+userdom_search_user_home_content(docker_t)
+
 optional_policy(`
 	dbus_system_bus_client(docker_t)
 	init_dbus_chat(docker_t)
diff --git a/drbd.fc b/drbd.fc
index 671a3fb..c781675 100644
--- a/drbd.fc
+++ b/drbd.fc
@@ -3,7 +3,7 @@
 /sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
-/usr/lib/ocf/resource.\d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/lib/ocf/resource\.d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
 /usr/sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /usr/sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/exim.fc b/exim.fc
index dc0254b..9df498d 100644
--- a/exim.fc
+++ b/exim.fc
@@ -3,6 +3,8 @@
 /usr/sbin/exim[0-9]?	--	gen_context(system_u:object_r:exim_exec_t,s0)
 /usr/sbin/exim_tidydb	--	gen_context(system_u:object_r:exim_exec_t,s0)
 
+/var/lib/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_lib_t,s0)
+
 /var/log/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_log_t,s0)
 
 /var/run/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/exim.if b/exim.if
index ef3b449..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -241,8 +241,46 @@ interface(`exim_manage_spool_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate
-##	an exim environment.
+##	Read exim var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_read_var_lib_files',`
+	gen_require(`
+		type exim_var_lib_t;
+	')
+
+	read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create, read, and write exim var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_var_lib_files',`
+	gen_require(`
+		type exim_var_lib_t;
+	')
+
+	manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an exim environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -257,8 +295,9 @@ interface(`exim_manage_spool_files',`
 #
 interface(`exim_admin',`
 	gen_require(`
-		type exim_t, exim_initrc_exec_t, exim_log_t;
-		type exim_tmp_t, exim_spool_t, exim_var_run_t;
+		type exim_t, exim_spool_t, exim_log_t;
+		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+		type exim_keytab_t;
 	')
 
 	allow $1 exim_t:process signal_perms;
@@ -273,6 +312,9 @@ interface(`exim_admin',`
 	role_transition $2 exim_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_etc($1)
+	admin_pattern($1, exim_keytab_t)
+
 	files_search_spool($1)
 	admin_pattern($1, exim_spool_t)
 
diff --git a/exim.te b/exim.te
index 3e86b12..5495c90 100644
--- a/exim.te
+++ b/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.5.4)
+policy_module(exim, 1.6.1)
 
 ########################################
 #
@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)
 type exim_initrc_exec_t;
 init_script_file(exim_initrc_exec_t)
 
+type exim_var_lib_t;
+files_type(exim_var_lib_t)
+
 type exim_log_t;
 logging_log_file(exim_log_t)
 
@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t)
 type exim_var_run_t;
 files_pid_file(exim_var_run_t)
 
+ifdef(`distro_debian',`
+	init_daemon_run_dir(exim_var_run_t, "exim4")
+')
+
 ########################################
 #
 # Local policy
@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
 allow exim_t self:tcp_socket { accept listen };
 
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+
 append_files_pattern(exim_t, exim_log_t, exim_log_t)
 create_files_pattern(exim_t, exim_log_t, exim_log_t)
 setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
@@ -88,6 +97,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
 
 can_exec(exim_t, exim_exec_t)
 
+kernel_read_crypto_sysctls(exim_t)
 kernel_read_kernel_sysctls(exim_t)
 kernel_read_network_state(exim_t)
 kernel_read_system_state(exim_t)
@@ -122,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t)
 
 dev_read_rand(exim_t)
 dev_read_urand(exim_t)
+dev_read_sysfs(exim_t)
 
 domain_use_interactive_fds(exim_t)
 
@@ -134,6 +145,7 @@ fs_getattr_xattr_fs(exim_t)
 fs_list_inotifyfs(exim_t)
 
 auth_use_nsswitch(exim_t)
+auth_domtrans_chk_passwd(exim_t)
 
 logging_send_syslog_msg(exim_t)
 
@@ -175,6 +187,7 @@ optional_policy(`
 optional_policy(`
 	cron_read_pipes(exim_t)
 	cron_rw_system_job_pipes(exim_t)
+	cron_use_system_job_fds(exim_t)
 ')
 
 optional_policy(`
@@ -186,7 +199,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_keytab_template(exim, exim_t)
+    kerberos_keytab_template(exim, exim_t)
 ')
 
 optional_policy(`
diff --git a/fprintd.te b/fprintd.te
index ed04b9e..72b7712 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -33,6 +33,8 @@ dev_read_sysfs(fprintd_t)
 dev_read_urand(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 
+files_dontaudit_list_tmp(fprintd_t)
+
 fs_getattr_all_fs(fprintd_t)
 
 auth_use_nsswitch(fprintd_t)
diff --git a/freeipmi.te b/freeipmi.te
index 8071a76..0710d79 100644
--- a/freeipmi.te
+++ b/freeipmi.te
@@ -40,6 +40,7 @@ files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
 
 dev_read_rand(freeipmi_domain)
 dev_read_urand(freeipmi_domain)
+dev_rw_ipmi_dev(freeipmi_domain)
 
 sysnet_dns_name_resolve(freeipmi_domain)
 
@@ -50,7 +51,6 @@ sysnet_dns_name_resolve(freeipmi_domain)
 
 files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
 
-dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
 
 allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
 
diff --git a/gear.fc b/gear.fc
index 5eabf35..98c012c 100644
--- a/gear.fc
+++ b/gear.fc
@@ -1,7 +1,7 @@
 /usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)
 
-/usr/lib/systemd/system/gear.service		--	gen_context(system_u:object_r:gear_unit_file_t,s0)
-
-/var/lib/containers/bin/gear	--	gen_context(system_u:object_r:gear_exec_t,s0)
+/usr/lib/systemd/system/gear.service	--	gen_context(system_u:object_r:gear_unit_file_t,s0)
 
+/var/lib/containers(/.*)?			gen_context(system_u:object_r:gear_var_lib_t,s0)
+/var/lib/containers/units(/.*)?			gen_context(system_u:object_r:gear_unit_file_t,s0)
 /var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
diff --git a/gear.te b/gear.te
index 6c32f79..cb68ca9 100644
--- a/gear.te
+++ b/gear.te
@@ -25,11 +25,15 @@ systemd_unit_file(gear_unit_file_t)
 #
 # gear local policy
 #
+allow gear_t self:capability { chown net_admin fowner dac_override };
+allow gear_t self:capability2 block_suspend;
 allow gear_t self:process { getattr signal_perms };
 allow gear_t self:fifo_file rw_fifo_file_perms;
 allow gear_t self:unix_stream_socket create_stream_socket_perms;
 allow gear_t self:tcp_socket create_stream_socket_perms;
 
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+
 manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
 manage_files_pattern(gear_t, gear_log_t, gear_log_t)
 manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
@@ -43,6 +47,7 @@ manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
 
 manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
@@ -56,6 +61,7 @@ kernel_read_all_sysctls(gear_t)
 kernel_rw_net_sysctls(gear_t)
 
 domain_use_interactive_fds(gear_t)
+domain_read_all_domains_state(gear_t)
 
 corecmd_exec_bin(gear_t)
 corecmd_exec_shell(gear_t)
@@ -66,6 +72,11 @@ corenet_tcp_sendrecv_generic_node(gear_t)
 corenet_tcp_sendrecv_generic_port(gear_t)
 corenet_tcp_bind_gear_port(gear_t)
 
+dev_mounton_sysfs(gear_t)
+dev_mount_sysfs_fs(gear_t)
+dev_unmount_sysfs_fs(gear_t)
+
+files_mounton_rootfs(gear_t)
 files_read_etc_files(gear_t)
 
 fs_read_cgroup_files(gear_t)
@@ -75,6 +86,9 @@ auth_use_nsswitch(gear_t)
 
 init_read_state(gear_t)
 init_dbus_chat(gear_t)
+init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
 
 logging_send_audit_msgs(gear_t)
 logging_send_syslog_msg(gear_t)
@@ -87,8 +101,25 @@ seutil_read_default_contexts(gear_t)
 
 sysnet_dns_name_resolve(gear_t)
 
+sysnet_exec_ifconfig(gear_t)
+sysnet_manage_ifconfig_run(gear_t)
+
 systemd_manage_all_unit_files(gear_t)
 
 optional_policy(`
+	hostname_exec(gear_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(gear_t)
+')
+
+optional_policy(`
 	docker_stream_connect(gear_t)
 ')
+
+optional_policy(`
+	openshift_manage_lib_dirs(gear_t)
+	openshift_manage_lib_files(gear_t)
+	openshift_relabelfrom_lib(gear_t)
+')
diff --git a/glance.te b/glance.te
index 16dcb5b..2d17fe6 100644
--- a/glance.te
+++ b/glance.te
@@ -5,6 +5,13 @@ policy_module(glance, 1.0.2)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow glance domain to manage fuse files
+## </p>
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
 attribute glance_domain;
 
 glance_basic_types_template(glance_registry)
@@ -77,6 +84,19 @@ libs_exec_ldconfig(glance_domain)
 
 sysnet_dns_name_resolve(glance_domain)
 
+tunable_policy(`glance_use_fusefs',`
+	fs_manage_fusefs_dirs(glance_domain)
+	fs_manage_fusefs_files(glance_domain)
+	fs_read_fusefs_symlinks(glance_domain)
+	fs_getattr_fusefs(glance_domain)
+')
+
+
+
+optional_policy(`
+    mysql_read_db_lnk_files(glance_domain)
+')
+
 ########################################
 #
 # Registry local policy
@@ -122,6 +142,8 @@ corenet_tcp_connect_mysqld_port(glance_api_t)
 corenet_tcp_connect_http_port(glance_api_t)
 
 corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+corenet_tcp_connect_commplex_main_port(glance_api_t)
+corenet_tcp_connect_http_cache_port(glance_api_t)
 
 corenet_sendrecv_hplip_server_packets(glance_api_t)
 corenet_tcp_bind_hplip_port(glance_api_t)
diff --git a/gnome.te b/gnome.te
index 5314f96..ea1115c 100644
--- a/gnome.te
+++ b/gnome.te
@@ -226,7 +226,6 @@ allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
 filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
 filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
 
 manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
 manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
diff --git a/iscsi.if b/iscsi.if
index 2ea1241..a7e1562 100644
--- a/iscsi.if
+++ b/iscsi.if
@@ -117,6 +117,28 @@ interface(`iscsi_filetrans_named_content',`
     files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
 ')
 
+########################################
+## <summary>
+##     Execute iscsi server in the iscsi domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`iscsi_systemctl',`
+       gen_require(`
+               type iscsid_t;
+               type iscsi_unit_file_t;
+       ')
+
+       systemd_exec_systemctl($1)
+       allow $1 iscsi_unit_file_t:file read_file_perms;
+       allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+       ps_process_pattern($1, iscsid_t)
+')
 
 ########################################
 ## <summary>
diff --git a/iscsi.te b/iscsi.te
index 56d45ec..b25cfd0 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -90,6 +90,9 @@ corenet_sendrecv_winshadow_client_packets(iscsid_t)
 corenet_tcp_connect_winshadow_port(iscsid_t)
 corenet_tcp_sendrecv_winshadow_port(iscsid_t)
 
+corecmd_exec_bin(iscsid_t)
+corecmd_exec_shell(iscsid_t)
+
 dev_read_urand(iscsid_t)
 dev_rw_sysfs(iscsid_t)
 dev_rw_userio_dev(iscsid_t)
@@ -108,5 +111,9 @@ logging_send_syslog_msg(iscsid_t)
 modutils_read_module_config(iscsid_t)
 
 optional_policy(`
+    iscsi_systemctl(iscsid_t)
+')
+
+optional_policy(`
 	tgtd_manage_semaphores(iscsid_t)
 ')
diff --git a/keepalived.te b/keepalived.te
index 535f79b..dc5c775 100644
--- a/keepalived.te
+++ b/keepalived.te
@@ -33,6 +33,9 @@ files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
 kernel_read_system_state(keepalived_t)
 kernel_read_network_state(keepalived_t)
 
+corecmd_exec_bin(keepalived_t)
+corecmd_exec_shell(keepalived_t)
+
 auth_use_nsswitch(keepalived_t)
 
 corenet_tcp_connect_connlcli_port(keepalived_t)
diff --git a/keystone.te b/keystone.te
index a82637c..c21beab 100644
--- a/keystone.te
+++ b/keystone.te
@@ -78,6 +78,7 @@ libs_exec_ldconfig(keystone_t)
 optional_policy(`
 	mysql_stream_connect(keystone_t)
 	mysql_tcp_connect(keystone_t)
+    mysql_read_db_lnk_files(keystone_t)
 ')
 
 optional_policy(`
diff --git a/logrotate.te b/logrotate.te
index f8c5464..17ea89c 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -38,7 +38,7 @@ files_type(logrotate_var_lib_t)
 
 # Change ownership on log files.
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
-dontaudit logrotate_t self:capability sys_resource;
+dontaudit logrotate_t self:capability { sys_resource net_admin };
 
 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 
diff --git a/logwatch.te b/logwatch.te
index 7569cd9..aea48db 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -187,6 +187,8 @@ dev_read_sysfs(logwatch_mail_t)
 logging_read_all_logs(logwatch_mail_t)
 
 mta_read_home(logwatch_mail_t)
+mta_filetrans_home_content(logwatch_mail_t)
+mta_filetrans_admin_home_content(logwatch_mail_t)
 
 optional_policy(`
 	cron_use_system_job_fds(logwatch_mail_t)
diff --git a/mock.if b/mock.if
index 6568bfe..f5b98e6 100644
--- a/mock.if
+++ b/mock.if
@@ -53,6 +53,7 @@ interface(`mock_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
+    list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
 	read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 ')
 
diff --git a/mock.te b/mock.te
index fc64201..1bf717f 100644
--- a/mock.te
+++ b/mock.te
@@ -192,7 +192,7 @@ optional_policy(`
 #
 # mock_build local policy
 #
-allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
 dontaudit mock_build_t self:capability audit_write;
 allow mock_build_t self:process { fork setsched setpgid signal_perms };
 allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@@ -269,6 +269,7 @@ init_dontaudit_stream_connect(mock_build_t)
 
 libs_exec_ldconfig(mock_build_t)
 
+term_use_all_inherited_terms(mock_build_t)
 userdom_use_inherited_user_ptys(mock_build_t)
 
 tunable_policy(`mock_enable_homedirs',`
diff --git a/motion.te b/motion.te
index b694afc..c7f4eb5 100644
--- a/motion.te
+++ b/motion.te
@@ -26,7 +26,7 @@ files_type(motion_data_t)
 # motion local policy
 #
 allow motion_t self:udp_socket { create connect getattr };
-allow motion_t self:tcp_socket { bind create setopt listen };
+allow motion_t self:tcp_socket create_stream_socket_perms;
 allow motion_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
@@ -43,6 +43,7 @@ files_var_filetrans(motion_t, motion_data_t, { dir file })
 
 corenet_tcp_bind_http_cache_port(motion_t)
 corenet_tcp_bind_transproxy_port(motion_t)
+corenet_tcp_bind_us_cli_port(motion_t)
 corenet_tcp_connect_http_port(motion_t)
 corenet_tcp_bind_generic_node(motion_t)
 
diff --git a/mozilla.te b/mozilla.te
index e76899c..a4f86f5 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -442,6 +442,7 @@ dev_dontaudit_read_mtrr(mozilla_plugin_t)
 xserver_dri_domain(mozilla_plugin_t)
 
 dev_dontaudit_getattr_all(mozilla_plugin_t)
+dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
 
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -458,6 +459,10 @@ fs_read_noxattr_fs_files(mozilla_plugin_t)
 fs_read_hugetlbfs_files(mozilla_plugin_t)
 fs_exec_hugetlbfs_files(mozilla_plugin_t)
 
+storage_raw_read_removable_device(mozilla_plugin_t)
+fs_read_removable_files(mozilla_plugin_t)
+fs_read_removable_symlinks(mozilla_plugin_t)
+
 application_exec(mozilla_plugin_t)
 application_dontaudit_signull(mozilla_plugin_t)
 
diff --git a/mta.fc b/mta.fc
index cb2791a..1e1a679 100644
--- a/mta.fc
+++ b/mta.fc
@@ -1,7 +1,7 @@
-HOME_DIR/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.esmtp_queue(/.*)?    gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/.maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
 
@@ -17,10 +17,10 @@ ifdef(`distro_redhat',`
 /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
 ')
 
-/root/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
 /root/\.forward		--	gen_context(system_u:object_r:mail_home_t,s0)
 /root/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 /root/\.mailrc		--	gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.esmtp_queue(/.*)?     gen_context(system_u:object_r:mail_home_rw_t,s0)
 /root/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /usr/bin/esmtp		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -42,3 +42,4 @@ ifdef(`distro_redhat',`
 /var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
index e968c28..8f217ea 100644
--- a/mta.if
+++ b/mta.if
@@ -1174,6 +1174,7 @@ interface(`mta_filetrans_admin_home_content',`
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
 ')
 
 ########################################
@@ -1198,6 +1199,7 @@ interface(`mta_filetrans_home_content',`
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
 ')
 
 ########################################
diff --git a/mysql.if b/mysql.if
index 404ed6d..a77dc09 100644
--- a/mysql.if
+++ b/mysql.if
@@ -233,6 +233,24 @@ interface(`mysql_append_db_files',`
 	files_search_var_lib($1)
 	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
 ')
+#######################################
+## <summary>
+##	Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_read_db_lnk_files',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+    read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
 
 #######################################
 ## <summary>
diff --git a/mysql.te b/mysql.te
index 699587e..6e73360 100644
--- a/mysql.te
+++ b/mysql.te
@@ -132,6 +132,7 @@ auth_use_nsswitch(mysqld_t)
 logging_send_syslog_msg(mysqld_t)
 
 sysnet_read_config(mysqld_t)
+sysnet_exec_ifconfig(mysqld_t)
 
 ifdef(`distro_redhat',`
 	filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
diff --git a/nova.te b/nova.te
index d5b54e5..2d9ab86 100644
--- a/nova.te
+++ b/nova.te
@@ -46,6 +46,7 @@ files_pid_file(nova_var_run_t)
 # nova general domain local policy
 #
 
+allow nova_domain self:process signal_perms;
 allow nova_domain self:fifo_file rw_fifo_file_perms;
 allow nova_domain self:tcp_socket create_stream_socket_perms;
 allow nova_domain self:unix_stream_socket create_stream_socket_perms;
@@ -76,6 +77,11 @@ fs_getattr_xattr_fs(nova_domain)
 libs_exec_ldconfig(nova_domain)
 
 optional_policy(`
+    mysql_stream_connect(nova_domain)
+    mysql_read_db_lnk_files(nova_domain)
+')
+
+optional_policy(`
 	sysnet_read_config(nova_domain)
 	sysnet_exec_ifconfig(nova_domain)
 ')
@@ -142,10 +148,6 @@ auth_use_nsswitch(nova_cert_t)
 miscfiles_read_certs(nova_cert_t)
 
 optional_policy(`
-	mysql_stream_connect(nova_cert_t)
-')
-
-optional_policy(`
 	postgresql_stream_connect(nova_cert_t)
 ')
 
@@ -176,10 +178,6 @@ allow nova_console_t self:udp_socket create_socket_perms;
 
 auth_use_nsswitch(nova_console_t)
 
-optional_policy(`
-    mysql_stream_connect(nova_console_t)
-')
-
 #######################################
 #
 # nova direct local policy
@@ -270,6 +268,8 @@ optional_policy(`
 allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
 allow nova_scheduler_t self:udp_socket create_socket_perms;
 
+auth_read_passwd(nova_scheduler_t)
+
 #optional_policy(`
 #	unconfined_domain(nova_scheduler_t)
 #')
diff --git a/openshift.fc b/openshift.fc
index 1d4e039..95b6381 100644
--- a/openshift.fc
+++ b/openshift.fc
@@ -5,7 +5,7 @@
 
 /var/lib/stickshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/stickshift/.*/data(/.*)?	       gen_context(system_u:object_r:openshift_rw_file_t,s0)
-/var/lib/containers(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/containers/home(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/openshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/openshift/.*/data(/.*)?          gen_context(system_u:object_r:openshift_rw_file_t,s0)
 
diff --git a/openshift.if b/openshift.if
index 9451b83..a472b52 100644
--- a/openshift.if
+++ b/openshift.if
@@ -362,6 +362,26 @@ interface(`openshift_manage_content',`
 	manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
 ')
 
+########################################
+## <summary>
+##	Relabel openshift library files 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_relabelfrom_lib',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+	relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
 #######################################
 ## <summary>
 ##	Create private objects in the
@@ -416,7 +436,6 @@ interface(`openshift_read_pid_files',`
 	allow $1 openshift_var_run_t:file read_file_perms;
 ')
 
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
diff --git a/openshift.te b/openshift.te
index ebd0c68..93fd0ea 100644
--- a/openshift.te
+++ b/openshift.te
@@ -321,6 +321,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gear_search_lib(openshift_domain)
+')
+
+optional_policy(`
 	gpg_entry_type(openshift_domain)
 ')
 
diff --git a/openvpn.te b/openvpn.te
index 265896b..fcda1bc 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -26,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false)
 ##  connect to the TCP network.
 ##  </p>
 ## </desc>
-gen_tunable(openvpn_can_network_connect, false)
+gen_tunable(openvpn_can_network_connect, true)
 
 attribute_role openvpn_roles;
 
diff --git a/openwsman.te b/openwsman.te
index 49dc5ef..3bcd32c 100644
--- a/openwsman.te
+++ b/openwsman.te
@@ -9,6 +9,12 @@ type openwsman_t;
 type openwsman_exec_t;
 init_daemon_domain(openwsman_t, openwsman_exec_t)
 
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
 type openwsman_log_t;
 logging_log_file(openwsman_log_t)
 
@@ -22,10 +28,21 @@ systemd_unit_file(openwsman_unit_file_t)
 #
 # openwsman local policy
 #
+
+allow openwsman_t self:capability setuid;
+
 allow openwsman_t self:process { fork };
 allow openwsman_t self:fifo_file rw_fifo_file_perms;
 allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
-allow openwsman_t self:tcp_socket { create_socket_perms listen };
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
 
 manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
 logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
@@ -34,10 +51,24 @@ manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
 files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
 
 auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
 
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
 corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
 
 dev_read_urand(openwsman_t)
 
 logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+    sblim_stream_connect_sfcbd(openwsman_t)
+    sblim_rw_semaphores_sfcbd(openwsman_t)
+    sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+    unconfined_domain(openwsman_t)
+')
 
diff --git a/passenger.if b/passenger.if
index 0ec51d4..2d8335f 100644
--- a/passenger.if
+++ b/passenger.if
@@ -159,3 +159,22 @@ interface(`passenger_manage_tmp_files',`
 	manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
 	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Send kill signals to passenger.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`passenger_kill',`
+	gen_require(`
+		type passenger_t;
+	')
+
+	allow $1 passenger_t:process sigkill;
+')
+
diff --git a/pegasus.te b/pegasus.te
index 6c3afa0..37539ec 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -203,6 +203,8 @@ optional_policy(`
 # pegasus openlmi service local policy
 #
 
+fs_getattr_all_fs(pegasus_openlmi_admin_t)
+
 init_manage_transient_unit(pegasus_openlmi_admin_t)
 init_disable_services(pegasus_openlmi_admin_t)
 init_enable_services(pegasus_openlmi_admin_t)
@@ -217,6 +219,9 @@ systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
 
 allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
 
+logging_read_syslog_pid(pegasus_openlmi_admin_t)
+logging_read_generic_logs(pegasus_openlmi_admin_t)
+
 optional_policy(`
     dbus_system_bus_client(pegasus_openlmi_admin_t)
     
diff --git a/puppet.fc b/puppet.fc
index 8c0b242..cad91e2 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -1,11 +1,19 @@
-/etc/puppet(/.*)?			gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
 
-/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppet	    --	gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
 
-/usr/sbin/puppetca		--	gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd		--	gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd		--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+#helper scripts
+/usr/bin/start-puppet-agent       --  gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/start-puppet-master      --  gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/usr/bin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/usr/sbin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/sbin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
 /var/lib/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_lib_t,s0)
 /var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
diff --git a/puppet.te b/puppet.te
index a375475..0903e67 100644
--- a/puppet.te
+++ b/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.3.0)
+policy_module(puppet, 1.4.0)
 
 ########################################
 #
@@ -11,7 +11,7 @@ policy_module(puppet, 1.3.0)
 ## types.
 ## </p>
 ## </desc>
-gen_tunable(puppet_manage_all_files, false)
+gen_tunable(puppetagent_manage_all_files, false)
 
 ## <desc>
 ## <p>
@@ -20,15 +20,18 @@ gen_tunable(puppet_manage_all_files, false)
 ## </desc>
 gen_tunable(puppetmaster_use_db, false)
 
-type puppet_t;
-type puppet_exec_t;
-init_daemon_domain(puppet_t, puppet_exec_t)
+type puppetagent_t;
+type puppetagent_exec_t;
+typealias puppetagent_exec_t alias puppet_exec_t;
+typealias puppetagent_t alias puppet_t;
+init_daemon_domain(puppetagent_t, puppetagent_exec_t)
 
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
 
-type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t)
+type puppetagent_initrc_exec_t;
+typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
+init_script_file(puppetagent_initrc_exec_t)
 
 type puppet_log_t;
 logging_log_file(puppet_log_t)
@@ -62,205 +65,142 @@ files_tmp_file(puppetmaster_tmp_t)
 # Puppet personal policy
 #
 
-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
-allow puppet_t self:process { signal signull getsched setsched };
-allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket create_stream_socket_perms;
-allow puppet_t self:udp_socket create_socket_perms;
+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+allow puppetagent_t self:process { signal signull getsched setsched };
+allow puppetagent_t self:fifo_file rw_fifo_file_perms;
+allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetagent_t self:tcp_socket create_stream_socket_perms;
+allow puppetagent_t self:udp_socket create_socket_perms;
 
-read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
 
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-files_search_var_lib(puppet_t)
+manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppetagent_t)
 
-manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
 
-create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
+create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
 
-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
 
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_system_state(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-kernel_read_kernel_sysctls(puppet_t)
+kernel_dontaudit_search_sysctl(puppetagent_t)
+kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
+kernel_read_system_state(puppetagent_t)
+kernel_read_crypto_sysctls(puppetagent_t)
+kernel_read_kernel_sysctls(puppetagent_t)
 
-corecmd_read_all_executables(puppet_t)
-corecmd_dontaudit_access_all_executables(puppet_t)
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
+corecmd_read_all_executables(puppetagent_t)
+corecmd_dontaudit_access_all_executables(puppetagent_t)
+corecmd_exec_bin(puppetagent_t)
+corecmd_exec_shell(puppetagent_t)
 
-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_tcp_sendrecv_generic_if(puppet_t)
-corenet_tcp_sendrecv_generic_node(puppet_t)
-corenet_tcp_bind_generic_node(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_sendrecv_puppet_client_packets(puppet_t)
+corenet_all_recvfrom_netlabel(puppetagent_t)
+corenet_tcp_sendrecv_generic_if(puppetagent_t)
+corenet_tcp_sendrecv_generic_node(puppetagent_t)
+corenet_tcp_bind_generic_node(puppetagent_t)
+corenet_tcp_connect_puppet_port(puppetagent_t)
+corenet_sendrecv_puppet_client_packets(puppetagent_t)
 
-dev_read_rand(puppet_t)
-dev_read_sysfs(puppet_t)
-dev_read_urand(puppet_t)
+dev_read_rand(puppetagent_t)
+dev_read_sysfs(puppetagent_t)
+dev_read_urand(puppetagent_t)
 
-domain_read_all_domains_state(puppet_t)
-domain_interactive_fd(puppet_t)
+domain_read_all_domains_state(puppetagent_t)
+domain_interactive_fd(puppetagent_t)
+domain_named_filetrans(puppetagent_t)
 
-files_manage_config_files(puppet_t)
-files_manage_config_dirs(puppet_t)
-files_manage_etc_dirs(puppet_t)
-files_manage_etc_files(puppet_t)
-files_read_usr_symlinks(puppet_t)
-files_relabel_config_dirs(puppet_t)
-files_relabel_config_files(puppet_t)
+files_manage_config_files(puppetagent_t)
+files_manage_config_dirs(puppetagent_t)
+files_manage_etc_dirs(puppetagent_t)
+files_manage_etc_files(puppetagent_t)
+files_read_usr_symlinks(puppetagent_t)
+files_relabel_config_dirs(puppetagent_t)
+files_relabel_config_files(puppetagent_t)
 
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
+selinux_set_all_booleans(puppetagent_t)
+selinux_set_generic_booleans(puppetagent_t)
+selinux_validate_context(puppetagent_t)
 
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_ttys(puppet_t)
+term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
+term_dontaudit_getattr_all_ttys(puppetagent_t)
 
-auth_use_nsswitch(puppet_t)
+auth_use_nsswitch(puppetagent_t)
 
-init_all_labeled_script_domtrans(puppet_t)
-init_domtrans_script(puppet_t)
-init_read_utmp(puppet_t)
-init_signull_script(puppet_t)
+init_all_labeled_script_domtrans(puppetagent_t)
+init_domtrans_script(puppetagent_t)
+init_read_utmp(puppetagent_t)
+init_signull_script(puppetagent_t)
 
-logging_send_syslog_msg(puppet_t)
+logging_send_syslog_msg(puppetagent_t)
 
-miscfiles_read_hwdata(puppet_t)
+miscfiles_read_hwdata(puppetagent_t)
 
-seutil_domtrans_setfiles(puppet_t)
-seutil_domtrans_semanage(puppet_t)
-seutil_read_file_contexts(puppet_t)
+seutil_domtrans_setfiles(puppetagent_t)
+seutil_domtrans_semanage(puppetagent_t)
+seutil_read_file_contexts(puppetagent_t)
 
-sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_run_ifconfig(puppetagent_t, system_r)
 
-usermanage_access_check_groupadd(puppet_t)
-usermanage_access_check_passwd(puppet_t)
-usermanage_access_check_useradd(puppet_t)
+usermanage_access_check_groupadd(puppetagent_t)
+usermanage_access_check_passwd(puppetagent_t)
+usermanage_access_check_useradd(puppetagent_t)
 
-tunable_policy(`puppet_manage_all_files',`
-	files_manage_non_security_files(puppet_t)
+tunable_policy(`puppetagent_manage_all_files',`
+	files_manage_non_security_files(puppetagent_t)
 ')
 
 optional_policy(`
-	cfengine_read_lib_files(puppet_t)
+    mysql_stream_connect(puppetagent_t)
 ')
 
 optional_policy(`
-	consoletype_exec(puppet_t)
+    postgresql_stream_connect(puppetagent_t)
 ')
 
 optional_policy(`
-	hostname_exec(puppet_t)
+	cfengine_read_lib_files(puppetagent_t)
 ')
 
 optional_policy(`
-	mount_domtrans(puppet_t)
+	consoletype_exec(puppetagent_t)
 ')
 
 optional_policy(`
-	mta_send_mail(puppet_t)
+	hostname_exec(puppetagent_t)
 ')
 
 optional_policy(`
-	portage_domtrans(puppet_t)
-	portage_domtrans_fetch(puppet_t)
-	portage_domtrans_gcc_config(puppet_t)
+	mount_domtrans(puppetagent_t)
 ')
 
 optional_policy(`
-	files_rw_var_files(puppet_t)
-
-	rpm_domtrans(puppet_t)
-	rpm_manage_db(puppet_t)
-	rpm_manage_log(puppet_t)
-')
-
-optional_policy(`
-	unconfined_domain(puppet_t)
-')
-
-optional_policy(`
-	auth_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	alsa_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	bootloader_filetrans_config(puppet_t)
-')
-
-optional_policy(`
-	devicekit_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	dnsmasq_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	kerberos_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	libs_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	miscfiles_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	mta_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	modules_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	networkmanager_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	nx_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	postfix_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	openshift_initrc_domtrans(puppet_t)
+	mta_send_mail(puppetagent_t)
 ')
 
 optional_policy(`
-	quota_filetrans_named_content(puppet_t)
+	portage_domtrans(puppetagent_t)
+	portage_domtrans_fetch(puppetagent_t)
+	portage_domtrans_gcc_config(puppetagent_t)
 ')
 
 optional_policy(`
-	sysnet_filetrans_named_content(puppet_t)
-')
+	files_rw_var_files(puppetagent_t)
 
-optional_policy(`
-	virt_filetrans_home_content(puppet_t)
+	rpm_domtrans(puppetagent_t)
+	rpm_manage_db(puppetagent_t)
+	rpm_manage_log(puppetagent_t)
 ')
 
 optional_policy(`
-	ssh_filetrans_admin_home_content(puppet_t)
+    unconfined_domain_noaudit(puppetagent_t)
 ')
 
 ########################################
diff --git a/quantum.te b/quantum.te
index 52bad99..156e9af 100644
--- a/quantum.te
+++ b/quantum.te
@@ -29,13 +29,17 @@ systemd_unit_file(neutron_unit_file_t)
 # Local policy
 #
 
-allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
-allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
 allow neutron_t self:fifo_file rw_fifo_file_perms;
 allow neutron_t self:key manage_key_perms;
 allow neutron_t self:tcp_socket { accept listen };
 allow neutron_t self:unix_stream_socket { accept listen };
 allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
+allow neutron_t self:packet_socket create_socket_perms;
 
 manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
 append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
@@ -44,18 +48,21 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 logging_log_filetrans(neutron_t, neutron_log_t, dir)
 
 manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
 
 manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
 
 can_exec(neutron_t, neutron_tmp_t)
 
-kernel_read_kernel_sysctls(neutron_t)
 kernel_read_system_state(neutron_t)
 kernel_read_network_state(neutron_t)
 kernel_request_load_module(neutron_t)
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
 
 corecmd_exec_shell(neutron_t)
 corecmd_exec_bin(neutron_t)
@@ -71,7 +78,9 @@ corenet_tcp_bind_neutron_port(neutron_t)
 corenet_tcp_connect_keystone_port(neutron_t)
 corenet_tcp_connect_amqp_port(neutron_t)
 corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
 
+domain_read_all_domains_state(neutron_t)
 domain_named_filetrans(neutron_t)
 
 dev_read_sysfs(neutron_t)
@@ -82,6 +91,8 @@ dev_unmount_sysfs_fs(neutron_t)
 
 files_mounton_non_security(neutron_t)
 
+fs_getattr_all_fs(neutron_t)
+
 auth_use_nsswitch(neutron_t)
 
 libs_exec_ldconfig(neutron_t)
@@ -89,6 +100,9 @@ libs_exec_ldconfig(neutron_t)
 logging_send_audit_msgs(neutron_t)
 logging_send_syslog_msg(neutron_t)
 
+netutils_exec(neutron_t)
+
+# need to stay in neutron
 sysnet_exec_ifconfig(neutron_t)
 sysnet_manage_ifconfig_run(neutron_t)
 sysnet_filetrans_named_content_ifconfig(neutron_t)
@@ -109,16 +123,19 @@ optional_policy(`
 ')
 
 optional_policy(`
+    modutils_domtrans_insmod(neutron_t)
+')
+
+optional_policy(`
 	mysql_stream_connect(neutron_t)
+    mysql_read_db_lnk_files(neutron_t)
 	mysql_read_config(neutron_t)
-
 	mysql_tcp_connect(neutron_t)
 ')
 
 optional_policy(`
 	postgresql_stream_connect(neutron_t)
 	postgresql_unpriv_client(neutron_t)
-
 	postgresql_tcp_connect(neutron_t)
 ')
 
@@ -129,4 +146,8 @@ optional_policy(`
 
 optional_policy(`
 	sudo_exec(neutron_t)
+')
+
+optional_policy(`
+    udev_domtrans(neutron_t)
 ')  
diff --git a/rabbitmq.te b/rabbitmq.te
index 7d5630f..9fb98a1 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -87,6 +87,7 @@ corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
 corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
 corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
 corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+corenet_tcp_connect_http_port(rabbitmq_beam_t)
 
 domain_read_all_domains_state(rabbitmq_beam_t)
 
@@ -127,7 +128,7 @@ allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
 allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
 allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
 
-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms;
 
 manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 
diff --git a/rhcs.te b/rhcs.te
index 4fd3b77..503838b 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -593,6 +593,7 @@ logging_send_syslog_msg(groupd_t)
 allow haproxy_t self:capability { dac_override kill };
 
 allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
+allow haproxy_t self:capability2 block_suspend;
 allow haproxy_t self:process { fork setrlimit signal_perms };
 allow haproxy_t self:fifo_file rw_fifo_file_perms;
 allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d193f7a..87038e7 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -53,6 +53,7 @@ kernel_read_system_state(rhsmcertd_t)
 kernel_read_sysctl(rhsmcertd_t)
 
 corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
 corenet_tcp_connect_squid_port(rhsmcertd_t)
 
 corecmd_exec_bin(rhsmcertd_t)
diff --git a/rsync.te b/rsync.te
index d7db2d9..7a6ca6c 100644
--- a/rsync.te
+++ b/rsync.te
@@ -170,4 +170,6 @@ auth_can_read_shadow_passwords(rsync_t)
 
 optional_policy(`
 	swift_manage_data_files(rsync_t)
+    swift_manage_lock(rsync_t)
+    swift_filetrans_named_lock(rsync_t)
 ')
diff --git a/sandbox.if b/sandbox.if
index 89bc443..a2cb772 100644
--- a/sandbox.if
+++ b/sandbox.if
@@ -22,14 +22,42 @@ interface(`sandbox_transition',`
 		attribute sandbox_domain;
 	')
 
-	allow $1 sandbox_domain:process transition;
-	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
-	role $2 types sandbox_domain;
-	allow sandbox_domain $1:process { sigchld signull };
-	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
-	dontaudit sandbox_domain $1:process signal;
-	dontaudit sandbox_domain $1:key { link read search view };
-	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+    sandbox_dyntransition($1) #885288
+    allow $1 sandbox_domain:process transition;
+    dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+
+    role $2 types sandbox_domain;
+
+    allow sandbox_domain $1:process { sigchld signull };
+    allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+    dontaudit sandbox_domain $1:process signal;
+    dontaudit sandbox_domain $1:key { link read search view };
+    dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
+##	</summary>
+## </param>
+#
+interface(`sandbox_dyntransition',`
+	gen_require(`
+		attribute sandbox_domain;
+	')
+
+	allow $1 sandbox_domain:process dyntransition;
 ')
 
 ########################################
diff --git a/sandboxX.if b/sandboxX.if
index 3258f45..03bdcef 100644
--- a/sandboxX.if
+++ b/sandboxX.if
@@ -26,6 +26,7 @@ interface(`sandbox_x_transition',`
 	')
 
 	allow $1 sandbox_x_domain:process { signal_perms transition };
+	allow $1 sandbox_x_domain:process dyntransition;
 	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
 	allow sandbox_x_domain $1:process { sigchld signull };
 	allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
diff --git a/sblim.if b/sblim.if
index d4aa009..562666e 100644
--- a/sblim.if
+++ b/sblim.if
@@ -86,6 +86,84 @@ interface(`sblim_filetrans_named_content',`
 
 ########################################
 ## <summary>
+##	Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcbd',`
+	gen_require(`
+		type sblim_sfcb_t, sblim_var_lib_t;
+        type sblim_tmp_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
+')
+
+#######################################
+## <summary>
+##  Getattr on sblim executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`sblim_getattr_exec_sfcbd',`
+    gen_require(`
+        type sblim_sfcbd_exec_t;
+    ')
+
+	allow $1 sblim_sfcbd_exec_t:file getattr;
+')
+
+
+########################################
+## <summary>
+##	Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcb',`
+	gen_require(`
+		type sblim_sfcb_t, sblim_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+')
+
+#######################################
+## <summary>
+##	Allow read and write access to sblim semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_rw_semaphores_sfcbd',`
+	gen_require(`
+		type sblim_sfcbd_t;
+	')
+
+	allow $1 sblim_sfcbd_t:sem rw_sem_perms;
+')
+
+
+########################################
+## <summary>
 ##	All of the rules required to administrate
 ##	an gatherd environment
 ## </summary>
diff --git a/sblim.te b/sblim.te
index 20f5040..21c15bb 100644
--- a/sblim.te
+++ b/sblim.te
@@ -157,9 +157,19 @@ auth_use_nsswitch(sblim_sfcbd_t)
 
 corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
 corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
+
+corecmd_exec_shell(sblim_sfcbd_t)
+corecmd_exec_bin(sblim_sfcbd_t)
 
 dev_read_rand(sblim_sfcbd_t)
 dev_read_urand(sblim_sfcbd_t)
 
 domain_read_all_domains_state(sblim_sfcbd_t)
 domain_use_interactive_fds(sblim_sfcbd_t)
+
+optional_policy(`
+    rpm_exec(sblim_sfcbd_t)
+    rpm_dontaudit_manage_db(sblim_sfcbd_t)
+')
diff --git a/sensord.fc b/sensord.fc
index 97926d2..9be989a 100644
--- a/sensord.fc
+++ b/sensord.fc
@@ -4,6 +4,6 @@
 
 /usr/sbin/sensord	--	gen_context(system_u:object_r:sensord_exec_t,s0)
 
-/var/log/sensord\.rrd	--	gen_context(system_u:object_r:sensord_log_t,s0)
+/var/log/sensor.*		gen_context(system_u:object_r:sensord_log_t,s0)
 
 /var/run/sensord\.pid	--	gen_context(system_u:object_r:sensord_var_run_t,s0)
diff --git a/slocate.te b/slocate.te
index 8417705..669d253 100644
--- a/slocate.te
+++ b/slocate.te
@@ -61,3 +61,8 @@ ifdef(`enable_mls',`
 optional_policy(`
 	cron_system_entry(locate_t, locate_exec_t)
 ')
+
+optional_policy(`
+	mock_getattr_lib(locate_t)
+')
+
diff --git a/snapper.fc b/snapper.fc
index 660fcd2..d1d72f2 100644
--- a/snapper.fc
+++ b/snapper.fc
@@ -6,3 +6,5 @@ HOME_DIR/\.snapshots    -d  gen_context(system_u:object_r:snapperd_home_t,s0)
 /etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
 
 /var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
+
+/mnt/(.*/)?.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
diff --git a/spamassassin.te b/spamassassin.te
index 32f670e..e8531d9 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -275,12 +275,17 @@ manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 userdom_append_user_home_content_files(spamc_t)
+spamassassin_filetrans_home_content(spamc_t)
+spamassassin_filetrans_admin_home_content(spamc_t)
 # for /root/.pyzor
 allow spamc_t self:capability dac_override;
 
 list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 
+read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+
 # Allow connecting to a local spamd
 allow spamc_t spamd_t:unix_stream_socket connectto;
 allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
diff --git a/sssd.te b/sssd.te
index fb39837..eb8bb88 100644
--- a/sssd.te
+++ b/sssd.te
@@ -68,6 +68,7 @@ kernel_request_load_module(sssd_t)
 corenet_udp_bind_generic_port(sssd_t)
 corenet_dontaudit_udp_bind_all_ports(sssd_t)
 corenet_tcp_connect_kerberos_password_port(sssd_t)
+corenet_tcp_connect_smbd_port(sssd_t)
 
 corecmd_exec_bin(sssd_t)
 
diff --git a/stapserver.te b/stapserver.te
index e472397..6aeecac 100644
--- a/stapserver.te
+++ b/stapserver.te
@@ -72,6 +72,7 @@ files_list_tmp(stapserver_t)
 files_search_kernel_modules(stapserver_t)
 
 fs_search_cgroup_dirs(stapserver_t)
+fs_getattr_all_fs(stapserver_t)
 
 auth_use_nsswitch(stapserver_t)
 
diff --git a/swift.fc b/swift.fc
index 744f0ce..b07d112 100644
--- a/swift.fc
+++ b/swift.fc
@@ -15,8 +15,11 @@
 /usr/bin/swift-object-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
 /usr/bin/swift-object-updater		--	gen_context(system_u:object_r:swift_exec_t,s0)
 
+/usr/bin/swift-proxy-server         --  gen_context(system_u:object_r:swift_exec_t,s0)
+
 /usr/lib/systemd/system/openstack-swift.*      --  gen_context(system_u:object_r:swift_unit_file_t,s0)
 
+/var/lock/swift.*                   gen_context(system_u:object_r:swift_lock_t,s0)
 /var/cache/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_cache_t,s0)
 /var/run/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_run_t,s0)
 
diff --git a/swift.if b/swift.if
index df82c36..6a1f575 100644
--- a/swift.if
+++ b/swift.if
@@ -59,6 +59,43 @@ interface(`swift_manage_data_files',`
 	manage_dirs_pattern($1, swift_data_t, swift_data_t)
 ')
 
+#####################################
+## <summary>
+##	Read and write swift lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`swift_manage_lock',`
+	gen_require(`
+		type swift_lock_t;
+	')
+
+	files_search_locks($1)
+    manage_files_pattern($1, swift_lock_t, swift_lock_t)
+')
+
+#######################################
+## <summary>
+##  Transition content labels to swift named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`swift_filetrans_named_lock',`
+    gen_require(`
+        type swift_lock_t;
+    ')
+
+    files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
+')
+
 ########################################
 ## <summary>
 ##	Execute swift server in the swift domain.
diff --git a/swift.te b/swift.te
index 7bef550..7fce837 100644
--- a/swift.te
+++ b/swift.te
@@ -9,8 +9,14 @@ type swift_t;
 type swift_exec_t;
 init_daemon_domain(swift_t, swift_exec_t)
 
+type swift_lock_t;
+files_lock_file(swift_lock_t)
+
 type swift_tmp_t;
-files_tmpfs_file(swift_tmp_t)
+files_tmp_file(swift_tmp_t)
+
+type swift_tmpfs_t;
+files_tmpfs_file(swift_tmpfs_t)
 
 type swift_var_cache_t;
 files_type(swift_var_cache_t)
@@ -36,10 +42,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms;
 allow swift_t self:unix_stream_socket create_stream_socket_perms;
 allow swift_t self:unix_dgram_socket create_socket_perms;
 
+manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t)
+manage_files_pattern(swift_t, swift_lock_t, swift_lock_t)
+files_lock_filetrans(swift_t, swift_lock_t, { dir file })
+
 manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
 
+manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file })
+
 manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
@@ -59,7 +73,12 @@ kernel_dgram_send(swift_t)
 kernel_read_system_state(swift_t)
 kernel_read_network_state(swift_t)
 
+# bug in swift
+corenet_tcp_bind_xserver_port(swift_t)
+corenet_tcp_bind_http_cache_port(swift_t)
+
 corecmd_exec_shell(swift_t)
+corecmd_exec_bin(swift_t)
 
 dev_read_urand(swift_t)
 
@@ -67,6 +86,8 @@ domain_use_interactive_fds(swift_t)
 
 files_dontaudit_search_home(swift_t)
 
+fs_getattr_all_fs(swift_t)
+
 auth_use_nsswitch(swift_t)
 
 libs_exec_ldconfig(swift_t)
@@ -77,4 +98,5 @@ userdom_dontaudit_search_user_home_dirs(swift_t)
 
 optional_policy(`
     rpm_exec(swift_t)
+    rpm_dontaudit_manage_db(swift_t)
 ')
diff --git a/tgtd.te b/tgtd.te
index 60f4ce9..704a0e2 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -56,6 +56,7 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
 
 kernel_read_system_state(tgtd_t)
 kernel_read_fs_sysctls(tgtd_t)
+kernel_read_network_state(tgtd_t)
 
 corenet_all_recvfrom_netlabel(tgtd_t)
 corenet_tcp_sendrecv_generic_if(tgtd_t)
diff --git a/ulogd.te b/ulogd.te
index bd23e7f..022c367 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -44,7 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
-
+kernel_request_load_module(ulogd_t)
 
 sysnet_dns_name_resolve(ulogd_t)
 
diff --git a/virt.te b/virt.te
index 57af4d0..1df2084 100644
--- a/virt.te
+++ b/virt.te
@@ -522,7 +522,7 @@ tunable_policy(`virt_use_nfs',`
 ')
 
 tunable_policy(`virt_use_samba',`
-	fs_manage_nfs_files(virtd_t)
+	fs_manage_cifs_dirs(virtd_t)
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
@@ -1168,6 +1168,7 @@ allow svirt_sandbox_domain self:msgq create_msgq_perms;
 allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
 allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
 allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
 
 tunable_policy(`deny_ptrace',`',`
 	allow svirt_sandbox_domain self:process ptrace;
@@ -1256,11 +1257,16 @@ optional_policy(`
 	docker_manage_lib_files(svirt_lxc_net_t)
 	docker_manage_lib_dirs(svirt_lxc_net_t)
 	docker_read_share_files(svirt_sandbox_domain)
+	docker_exec_lib(svirt_sandbox_domain)
 	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
 	docker_use_ptys(svirt_sandbox_domain)
 ')
 
 optional_policy(`
+	gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
 	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 ')
 
@@ -1283,8 +1289,8 @@ tunable_policy(`virt_use_nfs',`
 ')
 
 tunable_policy(`virt_use_samba',`
-	fs_manage_nfs_files(svirt_sandbox_domain)
 	fs_manage_cifs_files(svirt_sandbox_domain)
+	fs_manage_cifs_dirs(svirt_sandbox_domain)
 	fs_read_cifs_symlinks(svirt_sandbox_domain)
 ')
 
@@ -1671,5 +1677,3 @@ optional_policy(`
 optional_policy(`
 	systemd_dbus_chat_logind(sandbox_net_domain)
 ')
-
-
diff --git a/zabbix.te b/zabbix.te
index 614e66c..551c4e9 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -125,9 +125,9 @@ zabbix_agent_tcp_connect(zabbix_t)
 logging_send_syslog_msg(zabbix_t)
 
 tunable_policy(`zabbix_can_network',`
-	corenet_sendrecv_all_client_packets(zabbix_t)
-	corenet_tcp_connect_all_ports(zabbix_t)
-	corenet_tcp_sendrecv_all_ports(zabbix_t)
+	corenet_sendrecv_all_client_packets(zabbix_domain)
+	corenet_tcp_connect_all_ports(zabbix_domain)
+	corenet_tcp_sendrecv_all_ports(zabbix_domain)
 ')
 
 optional_policy(`