Index: refpolicy-2.20201205/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/system/init.if
+++ refpolicy-2.20201205/policy/modules/system/init.if
@@ -178,7 +178,11 @@ interface(`init_domain',`
 
 	role system_r types $1;
 
-	domtrans_pattern(init_t, $2, $1)
+	ifdef(`init_systemd', `
+		domtrans_pattern(init_t, $2, $1)
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow $1 init_t:unix_dgram_socket sendto;
+	')
 
 	allow init_t $1:process rlimitinh;
 
Index: refpolicy-2.20201205/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy-2.20201205.orig/policy/support/obj_perm_sets.spt
+++ refpolicy-2.20201205/policy/support/obj_perm_sets.spt
@@ -150,11 +150,6 @@ define(`getattr_file_perms',`{ getattr }
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ getattr open read lock ioctl }')
-# deprecated 20171213
-define(`mmap_file_perms',`
-	{ getattr open map read execute ioctl }
-	refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
-')
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
Index: refpolicy-2.20201205/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20201205/policy/modules/system/fstools.te
@@ -151,6 +151,11 @@ init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
 init_rw_script_stream_sockets(fsadm_t)
 
+ifdef(`hide_broken_symptoms',`
+	# for /run/pm-utils/locks/pm-powersave.lock
+	init_read_utmp(fsadm_t)
+')
+
 logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
Index: refpolicy-2.20201205/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20201205/policy/modules/system/sysnetwork.te
@@ -367,6 +367,11 @@ files_dontaudit_read_root_files(ifconfig
 init_use_fds(ifconfig_t)
 init_use_script_ptys(ifconfig_t)
 
+ifdef(`hide_broken_symptoms',`
+	# for /run/pm-utils/locks/pm-powersave.lock
+	init_read_utmp(ifconfig_t)
+')
+
 logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)
Index: refpolicy-2.20201205/policy/constraints
===================================================================
--- refpolicy-2.20201205.orig/policy/constraints
+++ refpolicy-2.20201205/policy/constraints
@@ -28,6 +28,7 @@
 define(`basic_ubac_conditions',`
 	ifdef(`enable_ubac',`
 		u1 == u2
+		or r1 == sysadm_r
 		or u1 == system_u
 		or u2 == system_u
 		or t1 != ubac_constrained_type
Index: refpolicy-2.20201205/config/appconfig-mcs/default_contexts
===================================================================
--- refpolicy-2.20201205.orig/config/appconfig-mcs/default_contexts
+++ refpolicy-2.20201205/config/appconfig-mcs/default_contexts
@@ -2,7 +2,7 @@ system_r:crond_t:s0		user_r:user_t:s0 st
 system_r:init_t:s0		user_r:user_systemd_t:s0 staff_r:staff_systemd_t:s0 sysadm_r:sysadm_systemd_t:s0 unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 
Index: refpolicy-2.20201205/Makefile
===================================================================
--- refpolicy-2.20201205.orig/Makefile
+++ refpolicy-2.20201205/Makefile
@@ -239,6 +239,7 @@ M4PARAM += -D mls_num_sens=$(MLS_SENS) -
 # differently on different distros
 ifeq ($(DISTRO),debian)
 	CTAGS := ctags-exuberant
+	M4PARAM += -D use_alsa
 endif
 
 ifeq ($(DISTRO),gentoo)
