diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 9223f7d..d0aaa1c 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3826,6 +3826,24 @@ interface(`dev_rw_sysfs',`
########################################
##
+## Allow caller to modify hardware state information.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_manage_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+##
## Read from pseudo random number generator devices (e.g., /dev/urandom).
##
##
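Review bot: The summary on the new `dev_manage_sysfs_dirs` interface reuses the wording of the existing `dev_rw_sysfs` ("modify hardware state information"), so a policy author reading the docs cannot tell that this one grants create, delete and rename on sysfs directories rather than read/write on files. Suggest `## Create, read, write, and delete sysfs directories (broad: covers the whole sysfs_t tree).` as the summary. Because `manage_dirs_pattern($1, sysfs_t, sysfs_t)` is not scoped to any sub-tree, the doc should also steer callers toward a path-specific type where one exists and reserve this interface for domains that genuinely need to create directories under /sys.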
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index a3ddd43..20d9333 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
role dbadm_r;
-userdom_unpriv_user_template(dbadm)
+userdom_base_user_template(dbadm)
########################################
#
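Review bot: Replacing `userdom_unpriv_user_template(dbadm)` with `userdom_base_user_template(dbadm)` removes every rule the unprivileged-user template adds on top of the base template, so this is a privilege reduction rather than a cosmetic change, and nothing in the hunk records the intent. A one-line comment above the call would make that explicit, e.g. `# restricted admin role: base user template only, no general unprivileged-user access`. The `dbadm_read_user_files` tunable visible in the hunk header suggests the role touches user files, so presumably its remaining rules should be re-checked against what the base template still provides.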
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index a57fe37..1bdfe84 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -148,24 +148,6 @@ interface(`cobbler_manage_lib_files',`
########################################
##
-## dontaudit read and write Cobbler log files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`cobbler_dontaudit_rw_log',`
- gen_require(`
- type cobbler_var_log_t;
- ')
-
- dontaudit $1 cobbler_var_log_t:file rw_inherited_files_perms;
-')
-
-########################################
-##
## Do not audit attempts to read and write
## Cobbler log files (leaked fd).
##
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index a7de603..1e554a9 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -228,6 +228,7 @@ dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_files(devicekit_power_t)
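Review bot: `dev_read_rand(devicekit_power_t)` grants read on the blocking random-device type, whereas a daemon that just needs entropy usually only needs `dev_read_urandom`; the hunk does not show which device devicekit_power was denied on. If the denial was on /dev/urandom the narrower interface is the right fix, and if it really opens /dev/random a short comment, e.g. `# opens /dev/random for <reason>`, would stop the next reviewer from asking the same question.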
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 8696a6e..6ff8f25 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -101,8 +101,6 @@ ifdef(`hide_broken_symptoms', `
dev_getattr_agp_dev($2)
tunable_policy(`user_direct_dri',`
dev_rw_dri($2)
- ',`
- dev_dontaudit_rw_dri($2)
')
# GNOME checks for usb and other devices:
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd266c0..a100eb6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -220,7 +220,7 @@ storage_raw_rw_fixed_disk(init_t)
modutils_domtrans_insmod(init_t)
tunable_policy(`init_systemd',`
- allow init_t self:unix_dgram_socket create_socket_perms;
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
allow init_t self:process { setsockcreate setfscreate };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -239,6 +239,7 @@ tunable_policy(`init_systemd',`
dev_read_generic_chr_files(init_t)
dev_relabelfrom_generic_chr_files(init_t)
dev_relabel_autofs_dev(init_t)
+ dev_manage_sysfs_dirs(init_t)
files_mounton_all_mountpoints(init_t)
files_manage_all_pids_dirs(init_t)
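Review bot: `dev_manage_sysfs_dirs(init_t)` lets init create, delete and rename directories anywhere in the sysfs_t tree, and the hunk gives no hint which path under /sys systemd needs that for. A comment naming the path, e.g. `# systemd creates <path under /sys> — TODO confirm`, would let a later maintainer swap this for a type-specific interface once one exists. The enclosing `tunable_policy(`init_systemd',` block starts and ends outside the hunk.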
@@ -249,16 +250,17 @@ tunable_policy(`init_systemd',`
fs_list_auto_mountpoints(init_t)
fs_read_cgroup_files(init_t)
fs_write_cgroup_files(init_t)
+ fs_search_cgroup_dirs(daemon)
selinux_compute_create_context(init_t)
selinux_validate_context(init_t)
selinux_unmount_fs(init_t)
+ storage_getattr_removable_dev(init_t)
+
init_read_script_state(init_t)
seutil_read_file_contexts(init_t)
-
- storage_getattr_removable_dev(init_t)
')
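Review bot: The added `fs_search_cgroup_dirs(daemon)` grants search on cgroup directories to every domain carrying the `daemon` attribute, not to init_t like every other rule in this `tunable_policy(`init_systemd',` block, so at first glance it reads like a typo for `init_t`. If the attribute is intended — plausible, since systemd places each service it starts in a cgroup — a comment should say so, e.g. `# systemd puts every daemon in a cgroup; all daemons must search cgroup dirs`. If it is not intended, the line should be `fs_search_cgroup_dirs(init_t)`. The block's opening `tunable_policy(` is outside the hunk; its closing `')` is the last line of this hunk.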
optional_policy(`
@@ -287,6 +289,11 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
+')
+
+optional_policy(`
sssd_stream_connect(init_t)
')
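Review bot: `plymouthd_exec_plymouth(init_t)` runs the plymouth client inside the init_t domain with no transition, so whatever the client does at boot happens with init's full privileges. If the plymouthd module provides a domain-transition interface for the client, that would be the least-privilege choice; if it does not, a comment such as `# plymouth client runs in init_t; no separate client domain exists` would make the decision explicit. The new optional_policy block is complete within the hunk.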