diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index ac6c789..13f62a6 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,7 +1,13 @@
-/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 
-/usr/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
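Review bot: The new `/usr/sbin` entries cover only `iptables`, `iptables-multi` and `iptables-restore`, while the `/sbin` entries use `ip6?tables`, so `/usr/sbin/ip6tables*` loses the `iptables_exec_t` label that the removed `/usr/sbin/ip6tables.*` line gave it. A binary at that path would fall back to the default label and would presumably no longer enter `iptables_t` when run. If the IPv6 tools can be installed under `/usr/sbin`, mirror the `/sbin` patterns: `/usr/sbin/ip6?tables`, `/usr/sbin/ip6?tables-multi`, `/usr/sbin/ip6?tables-restore`. Both directories also stop matching `iptables-save`; if that is deliberate, a short comment in the file saying so would help the next reader.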
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 9012783..6aca04d 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -69,3 +69,99 @@ interface(`iptables_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, iptables_exec_t)
 ')
+
+#####################################
+## <summary>
+##	Execute iptables in the iptables domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`iptables_initrc_domtrans',`
+	gen_require(`
+		type iptables_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
+')
+
+#####################################
+## <summary>
+##	Set the attributes of iptables config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_setattr_config',`
+	gen_require(`
+		type iptables_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 iptables_conf_t:file setattr;
+')
+
+#####################################
+## <summary>
+##	Read iptables config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_read_config',`
+	gen_require(`
+		type iptables_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 iptables_conf_t:dir list_dir_perms;
+	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
+')
+
+#####################################
+## <summary>
+##	Create files in /etc with the type used for
+##	the iptables config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`iptables_etc_filetrans_config',`
+	gen_require(`
+		type iptables_conf_t;
+	')
+
+	files_etc_filetrans($1, iptables_conf_t, file)
+')
+
+###################################
+## <summary>
+##	Manage iptables config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_manage_config',`
+	gen_require(`
+		type iptables_conf_t;
+		type etc_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
+')
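Review bot: The `gen_require` block in `iptables_manage_config` lists `type etc_t;`, but nothing in the interface body uses it. Access to /etc already goes through `files_search_etc($1)`, so the line can be dropped rather than naming a type owned by another module. Separately, the summary on `iptables_initrc_domtrans` reads `Execute iptables in the iptables domain.`, while the body calls `init_labeled_script_domtrans($1, iptables_initrc_exec_t)`. Wording such as `Execute the iptables init script in the init script domain.` would stop a policy writer from confusing it with a transition into `iptables_t`.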
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 7ad2544..7626034 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
 
-policy_module(iptables, 1.10.0)
+policy_module(iptables, 1.10.1)
 
 ########################################
 #
@@ -11,6 +11,12 @@ type iptables_exec_t;
 init_system_domain(iptables_t, iptables_exec_t)
 role system_r types iptables_t;
 
+type iptables_initrc_exec_t;
+init_script_file(iptables_initrc_exec_t)
+
+type iptables_conf_t;
+files_config_file(iptables_conf_t)
+
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
@@ -27,6 +33,9 @@ dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
 
+manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
+files_etc_filetrans(iptables_t, iptables_conf_t, file)
+
 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
 files_pid_filetrans(iptables_t, iptables_var_run_t, file)
 
@@ -36,6 +45,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
+kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
 kernel_read_kernel_sysctls(iptables_t)
@@ -100,6 +110,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	psad_rw_tmp_files(iptables_t)
+')
+
+optional_policy(`
 	rhgb_dontaudit_use_ptys(iptables_t)
 ')
 
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 688afeb..532181a 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -1,6 +1,7 @@
 
 /etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 /etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
+/etc/modprobe\.d(/.*)?		gen_context(system_u:object_r:modules_conf_t,s0)
 
 ifdef(`distro_gentoo',`
 # gentoo init scripts still manage this file
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index ce4ac17..e1057e3 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -1,5 +1,23 @@
 ## <summary>Policy for kernel module utilities</summary>
 
+######################################
+## <summary>
+##	Getattr the dependencies of kernel modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_getattr_module_deps',`
+	gen_require(`
+		type modules_dep_t;
+	')
+
+	getattr_files_pattern($1, modules_object_t, modules_dep_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the dependencies of kernel modules.
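Review bot: `modutils_getattr_module_deps` passes `modules_object_t` as the directory type to `getattr_files_pattern`, but its `gen_require` declares only `modules_dep_t`. The type does not appear to be declared by this module, and the patch reaches the kernel modules directory elsewhere through `files_kernel_modules_filetrans`, so the interface should go through the owning module instead of naming the type. Replacing the pattern call with `files_search_kernel_modules($1)` followed by `allow $1 modules_dep_t:file getattr;` keeps the grant the same without the undeclared reference.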
@@ -41,8 +59,8 @@ interface(`modutils_read_module_config',`
 	files_search_etc($1)
 	files_search_boot($1)
 
-	allow $1 modules_conf_t:file read_file_perms;
-	allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
+	read_files_pattern($1, modules_conf_t, modules_conf_t)
+	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 
 ########################################
@@ -61,7 +79,7 @@ interface(`modutils_rename_module_config',`
 		type modules_conf_t;
 	')
 
-	allow $1 modules_conf_t:file rename_file_perms;
+	rename_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 
 ########################################
@@ -80,7 +98,26 @@ interface(`modutils_delete_module_config',`
 		type modules_conf_t;
 	')
 
-	allow $1 modules_conf_t:file unlink;
+	delete_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+##	Manage files with the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_manage_module_config',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	manage_files_pattern($1, modules_conf_t, modules_conf_t)
 ')
 
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 87b8b7e..20f4fa8 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils, 1.9.0)
+policy_module(modutils, 1.9.1)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -45,7 +45,7 @@ files_tmp_file(update_modules_tmp_t)
 can_exec(depmod_t, depmod_exec_t)
 
 # Read conf.modules.
-allow depmod_t modules_conf_t:file read_file_perms;
+read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
 
 allow depmod_t modules_dep_t:file manage_file_perms;
 files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
@@ -82,8 +82,22 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(depmod_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(depmod_t)
+')
+
 optional_policy(`
 	rpm_rw_pipes(depmod_t)
+	rpm_manage_script_tmp_files(depmod_t)
+')
+
+optional_policy(`
+	# Read System.map from home directories.
+	unconfined_domain(depmod_t)
 ')
 
 ########################################
@@ -91,19 +105,23 @@ optional_policy(`
 # insmod local policy
 #
 
-allow insmod_t self:capability { dac_override net_raw sys_tty_config };
+allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 
-allow insmod_t self:udp_socket create_socket_perms; 
-allow insmod_t self:rawip_socket create_socket_perms; 
+allow insmod_t self:udp_socket create_socket_perms;
+allow insmod_t self:rawip_socket create_socket_perms;
 
 # Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms;
+list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
+read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
+list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
+read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
 
 can_exec(insmod_t, insmod_exec_t)
 
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
+kernel_read_network_state(insmod_t)
 kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
 kernel_mount_kvmfs(insmod_t)
@@ -112,6 +130,7 @@ kernel_read_debugfs(insmod_t)
 kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
+kernel_setsched(insmod_t)
 
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
@@ -124,9 +143,6 @@ dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)
 dev_write_sound(insmod_t)
 dev_rw_apm_bios(insmod_t)
-# cjp: why is this needed?  insmod cannot mounton any dir
-# and it also transitions to mount
-dev_mount_usbfs(insmod_t)
 
 domain_signal_all_domains(insmod_t)
 domain_use_interactive_fds(insmod_t)
@@ -159,17 +175,26 @@ seutil_read_file_contexts(insmod_t)
 
 userdom_use_user_terminals(insmod_t)
 
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(insmod_t)
-	')
-')
+userdom_dontaudit_search_user_home_dirs(insmod_t)
 
 if( ! secure_mode_insmod ) {
 	kernel_domtrans_to(insmod_t, insmod_exec_t)
 }
 
 optional_policy(`
+	alsa_domtrans(insmod_t)
+')
+
+optional_policy(`
+	firstboot_dontaudit_rw_pipes(insmod_t)
+	firstboot_dontaudit_rw_stream_sockets(insmod_t)
+')
+
+optional_policy(`
+	hal_write_log(insmod_t)
+')
+
+optional_policy(`
 	hotplug_search_config(insmod_t)
 ')
 
@@ -205,7 +230,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_dontaudit_rw_pipes(insmod_t)
+	unconfined_domain(insmod_t)
 ')
 
 optional_policy(`
@@ -228,7 +253,7 @@ can_exec(update_modules_t, insmod_exec_t)
 can_exec(update_modules_t, update_modules_exec_t)
 
 # manage module loading configuration
-allow update_modules_t modules_conf_t:file manage_file_perms;
+manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
 files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
 files_etc_filetrans(update_modules_t, modules_conf_t, file)