diff --git a/policy/modules/admin/accountsd.fc b/policy/modules/admin/accountsd.fc
deleted file mode 100644
index 1adca53..0000000
--- a/policy/modules/admin/accountsd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/libexec/accounts-daemon		--	gen_context(system_u:object_r:accountsd_exec_t,s0)
-
-/var/lib/AccountsService(/.*)?			gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/policy/modules/admin/accountsd.if b/policy/modules/admin/accountsd.if
deleted file mode 100644
index ae9e219..0000000
--- a/policy/modules/admin/accountsd.if
+++ /dev/null
@@ -1,173 +0,0 @@
-## <summary>Accountsservice D-Bus interfaces for querying and manipulating user account information.</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to
-##	run Account Service daemon.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`accountsd_domtrans',`
-	gen_require(`
-		type accountsd_t, accountsd_exec_t;
-	')
-
-	domtrans_pattern($1, accountsd_exec_t, accountsd_t)
-	corecmd_search_bin($1)
-	files_search_usr($1)
-')
-
-########################################
-## <summary>
-##	Search Accounts Service daemon
-##	lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`accountsd_search_lib',`
-	gen_require(`
-		type accountsd_var_lib_t;
-	')
-
-	allow $1 accountsd_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Read Accounts Service daemon
-##	lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`accountsd_read_lib_files',`
-	gen_require(`
-		type accountsd_var_lib_t;
-	')
-
-	read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Manage Account Service daemon
-##	lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`accountsd_manage_lib_files',`
-	gen_require(`
-		type accountsd_var_lib_t;
-	')
-
-	manage_files_pattern($1, accountsd_var_lib_t,  accountsd_var_lib_t)
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Manage Account Service daemon
-##	lib content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`accountsd_manage_var_lib',`
-	gen_require(`
-		type accountsd_var_lib_t;
-	')
-
-	manage_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
-	manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
-	manage_lnk_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	Account Service daemon over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`accountsd_dbus_chat',`
-	gen_require(`
-		type accountsd_t;
-		class dbus send_msg;
-	')
-
-	allow $1 accountsd_t:dbus send_msg;
-	allow accountsd_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and 
-##	write Account Service daemon pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`accountsd_dontaudit_rw_fifo_file',`
-	gen_require(`
-		type accountsd_t;
-	')
-
-	dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms;
-')
-
-########################################
-## <summary>
-##	All of the rules required to administrate 
-##	an Account Service daemon environment.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`accountsd_admin',`
-	gen_require(`
-		type accountsd_t, accountsd_var_lib_t;
-	')
-
-	allow $1 accountsd_t:process { ptrace signal_perms	};
-	read_files_pattern($1, accountsd_t, accountsd_t)
-
-	admin_pattern($1, accountsd_var_lib_t)
-	files_search_var_lib($1)
-')
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index c6a1872..852f36f 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -37,46 +37,26 @@ interface(`gnome_role',`
 
 ########################################
 ## <summary>
-##	Execute gconf programs in
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gnome_exec_gconf',`
-	gen_require(`
-		type gconfd_exec_t;
-	')
-
-	can_exec($1, gconfd_exec_t)
-')
-
-########################################
-## <summary>
-##	Read gconf config files.
+##	gconf connection template.
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
-##	Domain allowed access.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-template(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gconf',`
 	gen_require(`
-		type gconf_etc_t;
+		type gconfd_t, gconf_tmp_t;
 	')
 
-	allow $1 gconf_etc_t:dir list_dir_perms;
-	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-	files_search_etc($1)
+	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+	allow $1 gconfd_t:unix_stream_socket connectto;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Create, read, write, and delete gconf config files.
+##	Run gconfd in gconfd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,70 +64,51 @@ template(`gnome_read_gconf_config',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_domtrans_gconfd',`
 	gen_require(`
-		type gconf_etc_t;
+		type gconfd_t, gconfd_exec_t;
 	')
 
-	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-	files_search_etc($1)
+	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
 ')
 
 ########################################
 ## <summary>
-##	gconf connection template.
+##	Dontaudit search gnome homedir content (.config)
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gnome_stream_connect_gconf',`
-	gen_require(`
-		type gconfd_t, gconf_tmp_t;
-	')
-
-	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-	allow $1 gconfd_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Run gconfd in gconfd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_dontaudit_search_config',`
 	gen_require(`
-		type gconfd_t, gconfd_exec_t;
+		attribute gnome_home_type;
 	')
 
-	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+	dontaudit $1 gnome_home_type:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read gnome homedir content (.config)
+##	manage gnome homedir content (.config)
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
-##	Domain allowed access.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-template(`gnome_read_config',`
+interface(`gnome_manage_config',`
 	gen_require(`
 		attribute gnome_home_type;
 	')
 
-	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
-	read_files_pattern($1, gnome_home_type, gnome_home_type)
-	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+	allow $1 gnome_home_type:dir manage_dir_perms;
+	allow $1 gnome_home_type:file manage_file_perms;
+	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
@@ -258,6 +219,45 @@ interface(`gnome_write_generic_cache_files',`
 
 ########################################
 ## <summary>
+##	read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`gnome_read_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+	read_files_pattern($1, gnome_home_type, gnome_home_type)
+	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+')
+
+########################################
+## <summary>
+##	Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
 ##	Create objects in a Gnome gconf home directory
 ##	with an automatic type transition to
 ##	a specified private type.
@@ -525,62 +525,3 @@ interface(`gnome_dbus_chat_gconfdefault',`
 	allow $1 gconfdefaultsm_t:dbus send_msg;
 	allow gconfdefaultsm_t $1:dbus send_msg;
 ')
-
-########################################
-## <summary>
-##	Dontaudit search gnome homedir content (.config)
-## </summary>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-#
-interface(`gnome_dontaudit_search_config',`
-	gen_require(`
-		attribute gnome_home_type;
-	')
-
-	dontaudit $1 gnome_home_type:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Set attributes of Gnome config dirs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gnome_setattr_config_dirs',`
-	gen_require(`
-		type gnome_home_t;
-	')
-
-	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-	files_search_home($1)
-')
-
-########################################
-## <summary>
-##	manage gnome homedir content (.config)
-## </summary>
-## <param name="user_domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gnome_manage_config',`
-	gen_require(`
-		attribute gnome_home_type;
-	')
-
-	allow $1 gnome_home_type:dir manage_dir_perms;
-	allow $1 gnome_home_type:file manage_file_perms;
-	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
-	userdom_search_user_home_dirs($1)
-')
-
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 48b59f9..59867f6 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -50,8 +50,8 @@ manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
-files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
-userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file})
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
 
 corenet_sendrecv_http_client_packets(telepathy_msn_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4b49efa..ef14126 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5310,25 +5310,6 @@ interface(`files_getattr_generic_locks',`
 
 ########################################
 ## <summary>
-##	Delete generic lock files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_generic_locks',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	delete_files_pattern($1, var_lock_t, var_lock_t)
-')
-
-########################################
-## <summary>
 ##	Create, read, write, and delete generic
 ##	lock files.
 ## </summary>
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 812078c..f9930a3 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1233,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 #
 interface(`term_getattr_all_ttys',`
 	gen_require(`
+		type tty_device_t;
 		attribute ttynode;
 	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 ttynode:chr_file getattr;
+	allow $1 tty_device_t:chr_file getattr;
 ')
 
 ########################################
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 1875064..2ddeb70 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -5,56 +5,28 @@ policy_module(dbadm, 1.0.0)
 # Declarations
 #
 
-## <desc>
-## <p>
-## Allow dbadm to manage files in users home directories
-## </p>
-## </desc>
-gen_tunable(dbadm_manage_user_files, false)
-
-## <desc>
-## <p>
-## Allow dbadm to read files in users home directories
-## </p>
-## </desc>
-gen_tunable(dbadm_read_user_files, false)
-
 role dbadm_r;
 
-userdom_base_user_template(dbadm)
+userdom_unpriv_user_template(dbadm)
 
 ########################################
 #
 # database admin local policy
 #
 
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
-
-files_dontaudit_search_all_dirs(dbadm_t)
-files_delete_generic_locks(dbadm_t)
-files_list_var(dbadm_t)
-
-selinux_get_enforce_mode(dbadm_t)
-
-logging_send_syslog_msg(dbadm_t)
-
-userdom_dontaudit_search_user_home_dirs(dbadm_t)
-
-tunable_policy(`dbadm_manage_user_files',`
-	userdom_manage_user_home_content_files(dbadm_t)
-	userdom_read_user_tmp_files(dbadm_t)
-	userdom_write_user_tmp_files(dbadm_t)
+optional_policy(`
+	mysql_admin(dbadm_t, dbadm_r)
 ')
 
-tunable_policy(`dbadm_read_user_files',`
-	userdom_read_user_home_content_files(dbadm_t)
-	userdom_read_user_tmp_files(dbadm_t)
+optional_policy(`
+	postgresql_admin(dbadm_t, dbadm_r)
 ')
 
+# For starting up daemon processes
 optional_policy(`
-	mysql_admin(dbadm_t, dbadm_r)
+	su_role_template(dbadm, dbadm_r, dbadm_t)
 ')
 
 optional_policy(`
-	postgresql_admin(dbadm_t, dbadm_r)
+	sudo_role_template(dbadm, dbadm_r, dbadm_t)
 ')
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 1632f10..2724c11 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
 type accountsd_t;
 type accountsd_exec_t;
 dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
 
 type accountsd_var_lib_t;
 files_type(accountsd_var_lib_t)
@@ -55,3 +57,8 @@ optional_policy(`
 optional_policy(`
 	policykit_dbus_chat(accountsd_t)
 ')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(accountsd_t)
+	xserver_manage_xdm_etc_files(accountsd_t)
+')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 691b539..939877a 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -678,6 +678,7 @@ list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow cronjob_t user_cron_spool_t:file create_lnk_perms;
 
 tunable_policy(`fcron_crond', `
 	allow crond_t user_cron_spool_t:file manage_file_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bd9e35e..26a93da 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -446,7 +446,9 @@ files_mounton_default(initrc_t)
 files_manage_mnt_dirs(initrc_t)
 files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs