Index: refpolicy-2.20210120/policy/modules/admin/brctl.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/brctl.te
+++ refpolicy-2.20210120/policy/modules/admin/brctl.te
@@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
 # Local policy
 #
 
-allow brctl_t self:capability net_admin;
+allow brctl_t self:capability { net_admin sys_module };
 allow brctl_t self:fifo_file rw_fifo_file_perms;
 allow brctl_t self:unix_stream_socket create_stream_socket_perms;
 allow brctl_t self:unix_dgram_socket create_socket_perms;
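Review bot: `sys_module` is added to brctl_t's capability set on the `+allow brctl_t self:capability` line with no comment saying what triggers it, and CAP_SYS_MODULE is the capability that permits loading arbitrary kernel modules. If the denial comes from the kernel checking CAP_SYS_MODULE before auto-loading the bridge module when a bridge is created (the usual cause for brctl), the refpolicy way to express that is `kernel_request_load_module(brctl_t)`, and the capability itself may only need a dontaudit; please confirm which applies from the AVC message. Either way a one-line comment such as `# CAP_SYS_MODULE is checked by the kernel before auto-loading the bridge module` above the rule would record the reason.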
Index: refpolicy-2.20210120/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/bind.te
+++ refpolicy-2.20210120/policy/modules/services/bind.te
@@ -212,9 +212,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20210120/policy/modules/services/fail2ban.te
@@ -63,7 +63,9 @@ manage_files_pattern(fail2ban_t, fail2ba
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)
+kernel_search_vm_sysctl(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
@@ -129,7 +131,7 @@ optional_policy(`
 #
 
 allow fail2ban_client_t self:capability dac_read_search;
-allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+allow fail2ban_client_t self:unix_stream_socket { create connect write read shutdown };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
Index: refpolicy-2.20210120/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210120/policy/modules/system/systemd.te
@@ -129,6 +129,7 @@ type systemd_logind_t;
 type systemd_logind_exec_t;
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
+init_stream_connect(systemd_logind_t)
 
 type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
 files_runtime_file(systemd_logind_inhibit_runtime_t)
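Review bot: `init_stream_connect(systemd_logind_t)` is added twice in this file: here after `init_named_socket_activation(...)` in the type-declaration block, and again in the hunk at `@@ -632,6 +694,7 @@` next to `init_watch_utmp(systemd_logind_t)`. One of them should go; the second location, inside the logind local policy section beside the other init_* calls, is where refpolicy keeps such rules, so drop the line added here.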
@@ -292,6 +293,8 @@ allow systemd_backlight_t systemd_backli
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
 
+kernel_read_kernel_sysctls(systemd_backlight_t)
+
 systemd_log_parse_environment(systemd_backlight_t)
 
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
@@ -355,13 +358,15 @@ ifdef(`enable_mls',`
 #
 
 allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
-allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
+allow systemd_coredump_t self:unix_stream_socket connectto;
+allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
 
 manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
 
 kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
+kernel_read_crypto_sysctls(systemd_coredump_t)
 kernel_read_kernel_sysctls(systemd_coredump_t)
 kernel_read_system_state(systemd_coredump_t)
 kernel_rw_pipes(systemd_coredump_t)
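Review bot: `net_admin` is added to systemd_coredump_t's capability set in the rewritten `+allow systemd_coredump_t self:capability` line without a comment, and a crash handler has no obvious need for CAP_NET_ADMIN. If this comes from systemd trying to raise a socket buffer with SO_SNDBUFFORCE (it falls back to SO_SNDBUF when the capability check fails), refpolicy usually handles that with `dontaudit systemd_coredump_t self:capability net_admin;` rather than an allow; please confirm from the denial. The `self:unix_stream_socket connectto` line above it could likewise use a comment naming the socket it connects to.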
@@ -372,11 +377,16 @@ corecmd_read_all_executables(systemd_cor
 
 dev_write_kmsg(systemd_coredump_t)
 
+domain_read_all_domains_state(systemd_coredump_t)
+
 files_getattr_all_mountpoints(systemd_coredump_t)
 files_read_etc_files(systemd_coredump_t)
 files_search_var_lib(systemd_coredump_t)
 
+fs_getattr_cgroup(systemd_coredump_t)
+fs_getattr_tmpfs(systemd_coredump_t)
 fs_getattr_xattr_fs(systemd_coredump_t)
+fs_search_cgroup_dirs(systemd_coredump_t)
 fs_search_tmpfs(systemd_coredump_t)
 
 selinux_getattr_fs(systemd_coredump_t)
@@ -390,6 +400,32 @@ logging_send_syslog_msg(systemd_coredump
 
 seutil_search_default_contexts(systemd_coredump_t)
 
+allow systemd_generator_t self:fifo_file rw_file_perms;
+allow systemd_generator_t self:process setfscreate;
+
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:tcp_socket create;
+allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
+
+corecmd_exec_bin(systemd_generator_t)
+corecmd_exec_shell(systemd_generator_t)
+files_exec_etc_files(systemd_generator_t)
+fs_getattr_cgroup(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
+fs_rw_tmpfs_files(systemd_generator_t)
+miscfiles_read_localization(systemd_generator_t)
+
+optional_policy(`
+	# for /lib/systemd/system-generators/openvpn-generator
+	openvpn_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+	# it runs postconf
+	# maybe /lib/systemd/system-generators/postfix-instance-generator
+	postfix_read_config(systemd_generator_t)
+')
+
 #######################################
 #
 # Systemd generator local policy
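Review bot: The systemd_generator_t rules added from `+allow systemd_generator_t self:fifo_file rw_file_perms;` through the two `optional_policy` blocks sit above the `# Systemd generator local policy` header, so they land at the end of the coredump section rather than in the generator section that starts right after. Move them below the header, next to the existing generator rules. Also `self:fifo_file rw_file_perms` should be `rw_fifo_file_perms`, the permission set the rest of this patch uses for fifo_file (e.g. for brctl_t and bootloader_t), and `files_exec_etc_files` and the `netlink_route_socket` rule would benefit from a comment naming the generator that needs them, as the openvpn and postfix blocks already do.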
@@ -401,12 +437,17 @@ allow systemd_generator_t self:process s
 
 allow systemd_generator_t systemd_unit_t:file getattr;
 
+allow systemd_generator_t self:udp_socket create;
+
 corecmd_getattr_bin_files(systemd_generator_t)
 
 dev_read_sysfs(systemd_generator_t)
+dev_read_urand(systemd_generator_t)
 dev_write_kmsg(systemd_generator_t)
 dev_write_sysfs_dirs(systemd_generator_t)
 
+application_exec(systemd_generator_t)
+domain_read_all_entry_files(systemd_generator_t)
 files_read_etc_files(systemd_generator_t)
 files_search_runtime(systemd_generator_t)
 files_list_boot(systemd_generator_t)
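Review bot: `application_exec(systemd_generator_t)` grants execution of every application_exec_type executable in the generator domain, which is far broader than the corecmd_exec_bin/corecmd_exec_shell lines added earlier and has no comment explaining it. If particular generators run specific helpers, the per-module exec interface for that helper (as `fstools_exec` is already used for this domain a few hunks later) keeps the domain narrower; if the broad grant is really needed, add a comment such as `# generators run arbitrary helpers under /lib/systemd/system-generators` so the scope is visibly deliberate. `self:udp_socket create` and `dev_read_urand` in the same hunk are unexplained as well.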
@@ -414,9 +455,11 @@ files_read_boot_files(systemd_generator_
 files_read_config_files(systemd_generator_t)
 files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
+files_getattr_usr_files(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)
 fs_getattr_xattr_fs(systemd_generator_t)
+fs_search_nfs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_read_all_script_files(systemd_generator_t)
@@ -436,6 +479,11 @@ init_read_script_files(systemd_generator
 kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
 kernel_read_kernel_sysctls(systemd_generator_t)
+kernel_read_network_state(systemd_generator_t)
+kernel_search_network_sysctl(systemd_generator_t)
+
+selinux_getattr_fs(systemd_generator_t)
+seutil_search_default_contexts(systemd_generator_t)
 
 storage_raw_read_fixed_disk(systemd_generator_t)
 
@@ -443,6 +491,8 @@ systemd_log_parse_environment(systemd_ge
 
 term_use_unallocated_ttys(systemd_generator_t)
 
+udev_search_runtime(systemd_generator_t)
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')
@@ -486,6 +536,10 @@ optional_policy(`
 	networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
+optional_policy(`
+	unconfined_dbus_send(systemd_hostnamed_t)
+')
+
 #########################################
 #
 # hw local policy
@@ -554,6 +608,7 @@ logging_send_syslog_msg(systemd_log_pars
 #
 
 allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:lockdown integrity;
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
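Review bot: `allow systemd_logind_t self:lockdown integrity;` is added with no comment. The lockdown class gates operations that can affect kernel integrity, so the trigger should be recorded; hibernation handled by logind is a plausible cause but that is inferred, not visible here. A line such as `# lockdown integrity: TODO record the operation that triggers it (hibernation?)` above the rule lets the next reviewer verify rather than guess.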
@@ -562,6 +617,9 @@ allow systemd_logind_t self:fifo_file rw
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -577,6 +635,8 @@ allow systemd_logind_t systemd_sessions_
 
 kernel_read_kernel_sysctls(systemd_logind_t)
 
+auth_read_shadow(systemd_logind_t)
+
 dev_getattr_dri_dev(systemd_logind_t)
 dev_getattr_generic_usb_dev(systemd_logind_t)
 dev_getattr_kvm_dev(systemd_logind_t)
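Review bot: `auth_read_shadow(systemd_logind_t)` gives logind read access to /etc/shadow, i.e. to password hashes, which session management does not require. If the denial comes from a generic user-record lookup that succeeds without shadow data, `auth_dontaudit_read_shadow(systemd_logind_t)` is the conventional refpolicy response and keeps the hashes out of reach of this daemon; if shadow access is genuinely required, add a comment stating what logind does with it.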
@@ -596,11 +656,13 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
+files_search_boot(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
 fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
 fs_list_tmpfs(systemd_logind_t)
 fs_mount_tmpfs(systemd_logind_t)
 fs_read_cgroup_files(systemd_logind_t)
@@ -632,6 +694,7 @@ init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
+init_stream_connect(systemd_logind_t)
 init_watch_utmp(systemd_logind_t)
 
 # for /run/systemd/transient/*
@@ -735,6 +798,9 @@ allow systemd_machined_t self:unix_dgram
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
 
+allow systemd_machined_t systemd_userdb_runtime_t:dir manage_dir_perms;
+allow systemd_machined_t systemd_userdb_runtime_t:sock_file create;
+
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
@@ -847,6 +913,10 @@ sysnet_read_config(systemd_networkd_t)
 systemd_log_parse_environment(systemd_networkd_t)
 
 optional_policy(`
+	bluetooth_dbus_chat(systemd_hostnamed_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(systemd_networkd_t)
 	dbus_connect_system_bus(systemd_networkd_t)
 	dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
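Review bot: The new `optional_policy` block calling `bluetooth_dbus_chat(systemd_hostnamed_t)` is inserted into the networkd local policy section; every surrounding rule, including the hunk header `sysnet_read_config(systemd_networkd_t)`, is for systemd_networkd_t. Move it to the hostnamed section, next to the `unconfined_dbus_send(systemd_hostnamed_t)` block added earlier in this patch, and consider a comment on why hostnamed exchanges D-Bus messages with bluetoothd, which is not self-evident.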
@@ -887,7 +957,7 @@ miscfiles_read_localization(systemd_noti
 # Nspawn local policy
 #
 
-allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:process { signal getsched setsched getcap setcap setfscreate setrlimit sigkill };
 allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
@@ -913,14 +983,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
 # for /run/systemd/nspawn/incoming in chroot
 allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
 
+kernel_getattr_core_if(systemd_nspawn_t)
+kernel_getattr_proc(systemd_nspawn_t)
+kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
+
 kernel_mount_proc(systemd_nspawn_t)
 kernel_mounton_sysctl_dirs(systemd_nspawn_t)
 kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
 kernel_mounton_message_if(systemd_nspawn_t)
 kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_files(systemd_nspawn_t)
+kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
+
+kernel_read_irq_sysctls(systemd_nspawn_t)
+kernel_read_network_state(systemd_nspawn_t)
 kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_sysctl(systemd_nspawn_t)
 kernel_read_system_state(systemd_nspawn_t)
 kernel_remount_proc(systemd_nspawn_t)
+kernel_request_load_module(systemd_nspawn_t)
+kernel_search_network_sysctl(systemd_nspawn_t)
 
 corecmd_exec_shell(systemd_nspawn_t)
 corecmd_search_bin(systemd_nspawn_t)
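Review bot: `kernel_read_network_state(systemd_nspawn_t)` is inserted ahead of `kernel_read_kernel_sysctls`, breaking the alphabetical order the surrounding kernel_* block keeps; swap the two lines. `kernel_mounton_unlabeled_dirs` and `kernel_request_load_module` in the same hunk are the ones that merit a comment: mounting on unlabeled directories and triggering module autoload are things a container manager may reasonably need, but the patch should say which nspawn operation produces them, as the existing `# for /run/systemd/nspawn/incoming in chroot` comment above already does for its mounton rule.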
@@ -937,6 +1019,7 @@ dev_read_sysfs(systemd_nspawn_t)
 dev_read_rand(systemd_nspawn_t)
 dev_read_urand(systemd_nspawn_t)
 
+files_getattr_default_dirs(systemd_nspawn_t)
 files_getattr_tmp_dirs(systemd_nspawn_t)
 files_manage_etc_files(systemd_nspawn_t)
 files_manage_mnt_dirs(systemd_nspawn_t)
@@ -948,11 +1031,14 @@ files_setattr_runtime_dirs(systemd_nspaw
 
 fs_getattr_cgroup(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
+fs_getattr_xattr_fs(systemd_nspawn_t)
+fs_manage_tmpfs_blk_files(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
+fs_read_cgroup_files(systemd_nspawn_t)
+fs_read_nsfs_files(systemd_nspawn_t)
 fs_remount_tmpfs(systemd_nspawn_t)
 fs_remount_xattr_fs(systemd_nspawn_t)
-fs_read_cgroup_files(systemd_nspawn_t)
 
 term_getattr_generic_ptys(systemd_nspawn_t)
 term_getattr_pty_fs(systemd_nspawn_t)
@@ -960,6 +1046,7 @@ term_mount_devpts(systemd_nspawn_t)
 term_search_ptys(systemd_nspawn_t)
 term_setattr_generic_ptys(systemd_nspawn_t)
 term_use_ptmx(systemd_nspawn_t)
+term_use_generic_ptys(systemd_nspawn_t)
 
 init_domtrans_script(systemd_nspawn_t)
 init_getrlimit(systemd_nspawn_t)
@@ -970,8 +1057,12 @@ init_write_runtime_socket(systemd_nspawn
 init_spec_domtrans_script(systemd_nspawn_t)
 
 miscfiles_manage_localization(systemd_nspawn_t)
+mount_exec(systemd_nspawn_t)
+
 udev_read_runtime_files(systemd_nspawn_t)
 
+sysnet_exec_ifconfig(systemd_nspawn_t)
+
 # for writing inside chroot
 sysnet_manage_config(systemd_nspawn_t)
 
@@ -994,6 +1085,7 @@ tunable_policy(`systemd_nspawn_labeled_n
 	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
 	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
 	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
+	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
 
 	fs_getattr_cgroup(systemd_nspawn_t)
 	fs_manage_cgroup_dirs(systemd_nspawn_t)
@@ -1018,6 +1110,7 @@ tunable_policy(`systemd_nspawn_labeled_n
 
 	logging_search_logs(systemd_nspawn_t)
 
+	seutil_exec_setfiles(systemd_nspawn_t)
 	seutil_search_default_contexts(systemd_nspawn_t)
 ')
 
@@ -1054,6 +1147,7 @@ init_runtime_filetrans(systemd_passwd_ag
 can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
 kernel_read_system_state(systemd_passwd_agent_t)
+kernel_search_fs_sysctls(systemd_passwd_agent_t)
 kernel_stream_connect(systemd_passwd_agent_t)
 
 dev_create_generic_dirs(systemd_passwd_agent_t)
@@ -1080,6 +1174,7 @@ init_create_runtime_dirs(systemd_passwd_
 init_read_runtime_pipes(systemd_passwd_agent_t)
 init_read_state(systemd_passwd_agent_t)
 init_read_utmp(systemd_passwd_agent_t)
+init_use_script_ptys(systemd_passwd_agent_t)
 init_stream_connect(systemd_passwd_agent_t)
 
 logging_send_syslog_msg(systemd_passwd_agent_t)
@@ -1394,6 +1489,10 @@ tunable_policy(`systemd_tmpfiles_manage_
 ')
 
 optional_policy(`
+	colord_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
 	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
@@ -1509,11 +1608,15 @@ seutil_libselinux_linked(systemd_user_se
 # systemd-user-runtime-dir local policy
 #
 
-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
+allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };
 allow systemd_user_runtime_dir_t self:process setfscreate;
 
 domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
 
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
+allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
+
 files_read_etc_files(systemd_user_runtime_dir_t)
 
 fs_mount_tmpfs(systemd_user_runtime_dir_t)
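Review bot: The rewritten `+allow systemd_user_runtime_dir_t self:capability` line lists `dac_override` twice and places `mknod` after `sys_admin`, so the set is neither deduplicated nor sorted as the other capability lines in this file are. Write it as `allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search fowner mknod sys_admin };`. Since `mknod` is the only permission actually being added, a comment on which special file this domain creates would also help.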
@@ -1533,7 +1636,10 @@ seutil_read_file_contexts(systemd_user_r
 seutil_libselinux_linked(systemd_user_runtime_dir_t)
 
 userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
 userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
+userdom_list_user_tmp(systemd_user_runtime_dir_t)
 userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
 userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
 userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
Index: refpolicy-2.20210120/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/init.if
+++ refpolicy-2.20210120/policy/modules/system/init.if
@@ -3516,6 +3516,24 @@ interface(`init_reload_all_units',`
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
 
+#######################################
+## <summary>
+##	getattr all systemd unit files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_units',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	allow $1 systemdunit:file getattr;
+')
+
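Review bot: The comment banner above `init_getattr_all_units` is one `#` shorter than the `########################################` banners of the neighbouring interfaces, and the summary `getattr all systemd unit files.` is lowercase where the others start with a capital; suggest `##	Get the attributes of all systemd unit files.`. Nothing in this patch calls the new interface (the generator domain still uses a direct `allow systemd_generator_t systemd_unit_t:file getattr;` in systemd.te), so either that caller should be switched to it or the interface belongs to another part of the series.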
 ########################################
 ## <summary>
 ##	Manage systemd unit dirs and the files in them
Index: refpolicy-2.20210120/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20210120/policy/modules/system/authlogin.te
@@ -391,6 +391,8 @@ domain_use_interactive_fds(utempter_t)
 
 logging_search_logs(utempter_t)
 
+term_use_ptmx(utempter_t)
+
 userdom_use_user_terminals(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_user_tmp_files(utempter_t)
@@ -408,6 +410,7 @@ optional_policy(`
 optional_policy(`
 	xserver_use_xdm_fds(utempter_t)
 	xserver_rw_xdm_pipes(utempter_t)
+	xserver_write_inherited_xsession_log(utempter_t)
 ')
 
 #######################################
Index: refpolicy-2.20210120/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210120/policy/modules/services/cron.te
@@ -472,6 +472,7 @@ kernel_read_fs_sysctls(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
@@ -651,6 +652,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_domtrans_queue(system_cronjob_t)
+')
+
+optional_policy(`
 	ntp_read_config(system_cronjob_t)
 ')
 
Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
@@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t)
 allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
+allow bootloader_t self:netlink_selinux_socket create;
 
 allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
@@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
 kernel_getattr_core_if(bootloader_t)
+kernel_read_crypto_sysctls(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
@@ -154,6 +156,7 @@ mount_rw_runtime_files(bootloader_t)
 
 selinux_getattr_fs(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
+seutil_read_config(bootloader_t)
 seutil_read_file_contexts(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
Index: refpolicy-2.20210120/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20210120/policy/modules/services/xserver.te
@@ -277,6 +277,7 @@ term_use_ptmx(xauth_t)
 auth_use_nsswitch(xauth_t)
 
 userdom_use_user_terminals(xauth_t)
+userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)
 userdom_read_user_tmp_files(xauth_t)
 
 xserver_rw_xdm_tmp_files(xauth_t)
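Review bot: `userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)` labels every file xauth_t creates in a user tmp directory as xauth_home_t, a home-content type, with no comment saying which file this is for. If the interface accepts the optional filename argument, a name-based transition would limit this to the specific file; at minimum add a comment naming the file (presumably a per-session authority file written under /tmp) so the choice of xauth_home_t rather than a tmp type is explained.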
Index: refpolicy-2.20210120/policy/modules/kernel/devices.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/devices.fc
+++ refpolicy-2.20210120/policy/modules/kernel/devices.fc
@@ -137,6 +137,7 @@ ifdef(`distro_suse', `
 /dev/vhci			-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-scsi		-c	gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vhost-vsock	-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/dirmngr.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/dirmngr.te
+++ refpolicy-2.20210120/policy/modules/services/dirmngr.te
@@ -85,6 +85,7 @@ miscfiles_read_generic_certs(dirmngr_t)
 userdom_search_user_home_dirs(dirmngr_t)
 userdom_search_user_runtime(dirmngr_t)
 userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;
 
 optional_policy(`
 	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
@@ -92,3 +93,7 @@ optional_policy(`
 	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
 	gpg_stream_connect_agent(dirmngr_t)
 ')
+
+optional_policy(`
+	corenet_tcp_connect_tor_port(dirmngr_t)
+')
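Review bot: `corenet_tcp_connect_tor_port(dirmngr_t)` is wrapped in `optional_policy`, but corenet interfaces come from the kernel layer, which is always present, so the wrapper is unnecessary and the call can be unconditional. Letting dirmngr connect to the Tor port is also a deliberate privacy-relevant choice (presumably for dirmngr's Tor mode) that deserves a comment or a tunable rather than a silent always-on allow. In the first hunk, `allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;` sits among the userdom_* calls; it belongs with the other dirmngr_tmp_t rules.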
Index: refpolicy-2.20210120/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210120/policy/modules/apps/games.te
@@ -92,7 +92,9 @@ optional_policy(`
 allow games_t self:fifo_file rw_fifo_file_perms;
 allow games_t self:sem create_sem_perms;
 allow games_t self:tcp_socket { accept listen };
+allow games_t self:process getsched;
 
+manage_dirs_pattern(games_t, games_data_t, games_data_t)
 manage_files_pattern(games_t, games_data_t, games_data_t)
 manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
 
@@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t)
 
 manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
 manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+allow games_t games_tmp_t:file map;
+
 files_tmp_filetrans(games_t, games_tmp_t, { file dir })
 
 manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
@@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t)
 corenet_sendrecv_generic_client_packets(games_t)
 corenet_tcp_connect_generic_port(games_t)
 
+corenet_udp_bind_generic_node(games_t)
+
 dev_read_sound(games_t)
 dev_read_input(games_t)
 dev_read_mouse(games_t)
@@ -136,13 +142,16 @@ dev_rw_dri(games_t)
 dev_write_sound(games_t)
 
 files_list_var(games_t)
+files_search_mnt(games_t)
 files_search_var_lib(games_t)
 files_dontaudit_search_var(games_t)
+files_map_usr_files(games_t)
 files_read_etc_files(games_t)
 files_read_usr_files(games_t)
 files_read_var_files(games_t)
 
 fs_dontaudit_getattr_xattr_fs(games_t)
+fs_search_nfs(games_t)
 
 init_dontaudit_rw_utmp(games_t)
 
@@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t)
 userdom_manage_user_tmp_files(games_t)
 userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
+userdom_use_user_ptys(games_t)
 userdom_dontaudit_read_user_home_content_files(games_t)
 
 tunable_policy(`allow_execmem',`
@@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',`
 
 optional_policy(`
 	alsa_read_config(games_t)
+	alsa_read_home_files(games_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210120/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20210120/policy/modules/kernel/filesystem.if
@@ -583,6 +583,25 @@ interface(`fs_manage_autofs_symlinks',`
 
 ########################################
 ## <summary>
+##	Get the attributes of binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:filesystem getattr;
+
+')
+
+########################################
+## <summary>
 ##	Get the attributes of directories on
 ##	binfmt_misc filesystems.
 ## </summary>
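Review bot: `fs_getattr_binfmt_misc_fs` has a stray blank line between its `allow` rule and the closing `')`, which none of the other interfaces in this file (e.g. `fs_getattr_rpc_pipefs` and the new `fs_watch_rpc_pipefs_dir`) have; drop it. The interface is consumed by `mount_t` later in this patch, so otherwise it reads fine.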
@@ -4386,6 +4405,24 @@ interface(`fs_getattr_rpc_pipefs',`
 	allow $1 rpc_pipefs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Watch a rpc pipefs dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_watch_rpc_pipefs_dir',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read and write RPC pipe filesystem named pipes.
@@ -5773,3 +5810,21 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Search bpf dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_bpf',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	allow $1 bpf_t:dir search;
+')
Index: refpolicy-2.20210120/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210120/policy/modules/services/mon.te
@@ -164,9 +164,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for reading /proc/1/maps etc
-allow mon_local_test_t self:capability { sys_ptrace sys_admin };
+allow mon_local_test_t self:capability { sys_rawio sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
 allow mon_local_test_t self:process getsched;
+allow mon_local_test_t self:cap_userns sys_ptrace;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
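Review bot: `sys_rawio` is added to mon_local_test_t's capability set and `cap_userns sys_ptrace` as a new class, but the only comment in the block (`# sys_ptrace is for reading /proc/1/maps etc`) explains neither. CAP_SYS_RAWIO permits raw device I/O and, together with the `storage_raw_read_fixed_disk` added later in this file, points to disk-health probing; if that is confirmed, say so with a line such as `# sys_rawio and raw disk read are for SMART queries`. The `cap_userns sys_ptrace` line also deserves a note on which user-namespaced processes the tests inspect.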
@@ -197,8 +198,11 @@ files_list_boot(mon_local_test_t)
 fs_search_auto_mountpoints(mon_local_test_t)
 fs_getattr_nfs(mon_local_test_t)
 fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_cgroup_dirs(mon_local_test_t)
 fs_list_hugetlbfs(mon_local_test_t)
 fs_list_tmpfs(mon_local_test_t)
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
 fs_search_nfs(mon_local_test_t)
 
 storage_getattr_fixed_disk_dev(mon_local_test_t)
@@ -211,12 +215,14 @@ application_exec_all(mon_local_test_t)
 
 auth_use_nsswitch(mon_local_test_t)
 
+fsdaemon_read_lib(mon_local_test_t)
 init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
 miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
+storage_raw_read_fixed_disk(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
 
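Review bot: `storage_raw_read_fixed_disk(mon_local_test_t)` is inserted between the miscfiles_* and sysnet_* calls, while this file already groups storage rules together (`storage_getattr_fixed_disk_dev(mon_local_test_t)` in the previous hunk); move it next to that line. Raw read of fixed disks bypasses per-file labels for everything on the disk, so the rule also merits a comment stating the monitoring test that needs it; `fsdaemon_read_lib(mon_local_test_t)` in the same hunk suggests smartmontools, but that is inferred.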
Index: refpolicy-2.20210120/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20210120/policy/modules/services/postfix.te
@@ -745,12 +745,17 @@ allow postfix_showq_t postfix_spool_mail
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 allow postfix_showq_t postfix_spool_t:file read_file_perms;
+allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
 
 mcs_file_read_all(postfix_showq_t)
 
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
+optional_policy(`
+	unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)
+')
+
 ########################################
 #
 # Smtp delivery local policy
Index: refpolicy-2.20210120/policy/modules/services/sendmail.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/sendmail.te
+++ refpolicy-2.20210120/policy/modules/services/sendmail.te
@@ -173,6 +173,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	userdom_use_user_ttys(sendmail_t)
 	postfix_domtrans_postdrop(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_domtrans_postqueue(sendmail_t)
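Review bot: `userdom_use_user_ttys(sendmail_t)` is added inside the `optional_policy` block that holds the postfix_domtrans_* calls, but userdom is a base module unrelated to postfix, so the rule should not be conditioned on the postfix module being loaded. Move it out to the unconditional part of the sendmail_t policy, next to any other userdom_* calls.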
Index: refpolicy-2.20210120/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20210120/policy/modules/system/lvm.te
@@ -102,10 +102,13 @@ files_read_etc_files(clvmd_t)
 files_list_usr(clvmd_t)
 
 fs_getattr_all_fs(clvmd_t)
+fs_getattr_pstore_dirs(lvm_t)
 fs_search_auto_mountpoints(clvmd_t)
+fs_search_cgroup_dirs(lvm_t)
 fs_dontaudit_list_tmpfs(clvmd_t)
 fs_dontaudit_read_removable_files(clvmd_t)
 fs_rw_anon_inodefs_files(clvmd_t)
+fs_search_bpf(lvm_t)
 
 storage_dontaudit_getattr_removable_dev(clvmd_t)
 storage_manage_fixed_disk(clvmd_t)
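Review bot: The three lvm_t rules added here, `fs_getattr_pstore_dirs(lvm_t)`, `fs_search_cgroup_dirs(lvm_t)` and `fs_search_bpf(lvm_t)`, are interleaved with clvmd_t rules; every context line in this hunk is for clvmd_t, and the lvm_t local policy lives further down (the next hunk starts at `allow lvm_t self:capability`). Move them into the lvm_t fs_* group so the two domain sections stay separate. `fs_search_bpf` is the interface introduced in filesystem.if by this same patch, so the two files must land together.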
@@ -164,7 +167,6 @@ optional_policy(`
 allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
-# LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file manage_fifo_file_perms;
Index: refpolicy-2.20210120/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/mount.te
+++ refpolicy-2.20210120/policy/modules/system/mount.te
@@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t)
 files_dontaudit_write_all_mountpoints(mount_t)
 files_dontaudit_setattr_all_mountpoints(mount_t)
 
+fs_getattr_binfmt_misc_fs(mount_t)
 fs_getattr_xattr_fs(mount_t)
 fs_getattr_tmpfs(mount_t)
 fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
 fs_getattr_nfs(mount_t)
 fs_mount_all_fs(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
Index: refpolicy-2.20210120/policy/modules/system/raid.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/raid.te
+++ refpolicy-2.20210120/policy/modules/system/raid.te
@@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t)
 files_read_etc_files(mdadm_t)
 files_read_etc_runtime_files(mdadm_t)
 files_dontaudit_getattr_all_files(mdadm_t)
+files_search_tmp(mdadm_t)
 
 fs_getattr_all_fs(mdadm_t)
 fs_list_auto_mountpoints(mdadm_t)
Index: refpolicy-2.20210120/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/udev.te
+++ refpolicy-2.20210120/policy/modules/system/udev.te
@@ -43,6 +43,7 @@ ifdef(`enable_mcs',`
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:capability2 { wake_alarm block_suspend };
+allow udev_t self:lockdown confidentiality;
 allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
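Review bot: `allow udev_t self:lockdown confidentiality;` at L854 is added without a comment saying which operation trips the lockdown check; this permission is only consulted when the kernel runs in lockdown confidentiality mode, and it covers the class of accesses that can expose kernel memory, so the rule deserves a named trigger. If the access is an incidental probe that udev tolerates failing (the denial being merely noisy), `dontaudit udev_t self:lockdown confidentiality;` keeps the lockdown restriction in force while silencing the log. If udev genuinely needs it, say so: `# lockdown: <udev operation> — TODO name the access that needs this`.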
@@ -120,6 +121,7 @@ domain_dontaudit_ptrace_all_domains(udev
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
+files_read_var_lib_symlinks(udev_t)
 files_mmap_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
@@ -129,6 +131,7 @@ fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
+fs_search_tmpfs(udev_t)
 fs_search_tracefs(udev_t)
 
 mcs_ptrace_all(udev_t)
@@ -153,6 +156,10 @@ auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
+# for /run/console-setup
+fs_manage_tmpfs_dirs(udev_t)
+fs_manage_tmpfs_files(udev_t)
+
 init_read_utmp(udev_t)
 init_domtrans_script(udev_t)
 # systemd-udevd searches /run/systemd
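Review bot: The `# for /run/console-setup` comment at L878 justifies a single path, but `fs_manage_tmpfs_dirs` and `fs_manage_tmpfs_files` at L879-L880 grant full manage access on every tmpfs_t directory and file; the next hunk removes the same two calls from the non-systemd branch, so on systemd systems this is a net widening rather than a move. A dedicated type for /run/console-setup with a filetrans rule from udev_t would keep the access to the one directory that needs it. At minimum record the intent inline: `# TODO: narrow to a dedicated type for /run/console-setup instead of all tmpfs_t`.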
@@ -260,9 +267,6 @@ ifdef(`init_systemd',`
 	optional_policy(`
 		init_dbus_chat(udev_t)
 	')
-',`
-	fs_manage_tmpfs_dirs(udev_t)
-	fs_manage_tmpfs_files(udev_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210120/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210120/policy/modules/services/devicekit.te
@@ -67,7 +67,7 @@ optional_policy(`
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
 allow devicekit_disk_t self:capability2 wake_alarm;
-allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:process { getsched setsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
 
@@ -132,6 +132,8 @@ fs_unmount_all_fs(devicekit_disk_t)
 fs_search_all(devicekit_disk_t)
 
 mount_rw_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files_reads(devicekit_disk_t)
 
 mls_file_read_all_levels(devicekit_disk_t)
 mls_file_write_to_clearance(devicekit_disk_t)
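Review bot: `mount_watch_runtime_files_reads(devicekit_disk_t)` at L913 grants `watch_reads`, i.e. notifications when any domain reads mount_runtime_t files, which is distinct from the modification notifications that `watch` at L912 already covers and is a small information channel about other domains' activity. Confirm the AVC actually reported `watch_reads` and not only `watch`; if both are needed, a one-line comment such as `# inotify on /run/mount (utab? — TODO confirm mask)` would let a later reader drop the wider one.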
@@ -147,6 +149,7 @@ auth_use_nsswitch(devicekit_disk_t)
 
 logging_send_syslog_msg(devicekit_disk_t)
 
+mount_watch_runtime_dirs(devicekit_disk_t)
 miscfiles_read_localization(devicekit_disk_t)
 
 userdom_read_all_users_state(devicekit_disk_t)
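Review bot: `mount_watch_runtime_dirs(devicekit_disk_t)` at L921 is inserted between the `logging_` and `miscfiles_` calls, but refpolicy groups calls by module prefix and this domain's other `mount_` rules sit together at L911-L913 in the previous hunk. Move the line up next to `mount_rw_runtime_files(devicekit_disk_t)` so the three mount_ calls read as one group.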
@@ -214,7 +217,7 @@ optional_policy(`
 
 allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
 allow devicekit_power_t self:capability2 wake_alarm;
-allow devicekit_power_t self:process { getsched signal_perms };
+allow devicekit_power_t self:process { getsched setsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:unix_stream_socket create_socket_perms;
Index: refpolicy-2.20210120/policy/modules/system/mount.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/mount.if
+++ refpolicy-2.20210120/policy/modules/system/mount.if
@@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
 
 ########################################
 ## <summary>
+##	Watch mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file watch;
+')
+
+########################################
+## <summary>
+##	Watch mount runtime files reads.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files_reads',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file watch_reads;
+')
+
+########################################
+## <summary>
 ##     Getattr on mount_runtime_t files
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.te
@@ -64,6 +64,7 @@ manage_files_pattern(aptcacher_t, aptcac
 
 manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
+kernel_read_system_state(aptcacher_t)
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
 # Calls system()
Index: refpolicy-2.20210120/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cups.te
+++ refpolicy-2.20210120/policy/modules/services/cups.te
@@ -131,6 +131,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
 
@@ -211,11 +212,13 @@ domain_use_interactive_fds(cupsd_t)
 
 files_getattr_boot_dirs(cupsd_t)
 files_list_spool(cupsd_t)
+files_map_etc_files(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
 files_read_usr_files(cupsd_t)
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
+files_read_var_lib_symlinks(cupsd_t)
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210120/policy/modules/system/sysnetwork.te
@@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
Index: refpolicy-2.20210120/policy/modules/services/virt.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/virt.fc
+++ refpolicy-2.20210120/policy/modules/services/virt.fc
@@ -9,6 +9,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
+/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
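Review bot: `/etc/qemu/[^/]*	--` at L1041 labels only regular files directly under /etc/qemu; any subdirectory and its contents (qemu keeps some configuration in subdirectories — TODO confirm the layout on the target distro) keep the etc_t default and are unreadable to domains that are given virt_etc_t. Unless that split is intended, a single entry `/etc/qemu(/.*)?	gen_context(system_u:object_r:virt_etc_t,s0)` covers the tree and can replace both lines.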
Index: refpolicy-2.20210120/policy/modules/services/virt.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/virt.te
+++ refpolicy-2.20210120/policy/modules/services/virt.te
@@ -1284,6 +1284,9 @@ allow virt_bridgehelper_t self:tcp_socke
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
+allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
+allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
+
 manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
 
 kernel_read_network_state(virt_bridgehelper_t)
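Review bot: The two virt_etc_t rules at L1054-L1055 carry no comment, yet this is presumably the bridge helper reading its access-control list (/etc/qemu/bridge.conf, the file that decides which bridges an unprivileged caller may attach a tap to — confirm against the .fc hunk that labels /etc/qemu). Read-only is the right shape; a comment such as `# read the bridge ACL (/etc/qemu/bridge.conf) — must stay read-only` records why this must never grow into a manage rule.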
Index: refpolicy-2.20210120/policy/modules/services/accountsd.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/accountsd.te
+++ refpolicy-2.20210120/policy/modules/services/accountsd.te
@@ -21,8 +21,8 @@ files_type(accountsd_var_lib_t)
 # Local policy
 #
 
-allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
-allow accountsd_t self:process signal;
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace sys_nice };
+allow accountsd_t self:process { signal getsched setsched };
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
 allow accountsd_t self:passwd { rootok passwd chfn chsh };
 
Index: refpolicy-2.20210120/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/init.te
+++ refpolicy-2.20210120/policy/modules/system/init.te
@@ -245,7 +245,6 @@ ifdef(`init_systemd',`
 	allow init_t self:udp_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
-	allow init_t self:capability2 audit_read;
 	allow init_t self:key { search setattr write };
 	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
 
@@ -263,7 +262,7 @@ ifdef(`init_systemd',`
 
 	# setexec and setkeycreate for systemd --user
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
-	allow init_t self:capability2 { audit_read block_suspend };
+	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
Index: refpolicy-2.20210120/policy/modules/admin/acct.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/acct.te
+++ refpolicy-2.20210120/policy/modules/admin/acct.te
@@ -57,6 +57,7 @@ init_use_fds(acct_t)
 init_use_script_ptys(acct_t)
 init_exec_script_files(acct_t)
 
+logging_search_logs(acct_t)
 logging_send_syslog_msg(acct_t)
 
 miscfiles_read_localization(acct_t)
Index: refpolicy-2.20210120/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20210120/policy/modules/services/boinc.te
@@ -118,6 +118,7 @@ corecmd_exec_shell(boinc_t)
 dev_read_rand(boinc_t)
 dev_read_urand(boinc_t)
 dev_read_sysfs(boinc_t)
+dev_rw_dri(boinc_t)
 dev_rw_xserver_misc(boinc_t)
 
 domain_read_all_domains_state(boinc_t)
Index: refpolicy-2.20210120/policy/modules/services/kerneloops.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/kerneloops.te
+++ refpolicy-2.20210120/policy/modules/services/kerneloops.te
@@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops
 
 auth_use_nsswitch(kerneloops_t)
 
+logging_mmap_generic_logs(kerneloops_t)
 logging_send_syslog_msg(kerneloops_t)
 logging_read_generic_logs(kerneloops_t)
 
Index: refpolicy-2.20210120/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20210120/policy/modules/services/openvpn.te
@@ -128,6 +128,7 @@ files_read_etc_runtime_files(openvpn_t)
 
 fs_getattr_all_fs(openvpn_t)
 fs_search_auto_mountpoints(openvpn_t)
+fs_search_tmpfs(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
Index: refpolicy-2.20210120/policy/modules/services/smartmon.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/smartmon.if
+++ refpolicy-2.20210120/policy/modules/services/smartmon.if
@@ -56,3 +56,24 @@ interface(`smartmon_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, fsdaemon_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Read fsdaemon /var/lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fsdaemon_read_lib',`
+	gen_require(`
+		type fsdaemon_var_lib_t;
+	')
+
+	allow $1 fsdaemon_var_lib_t:dir search;
+	allow $1 fsdaemon_var_lib_t:file read_file_perms;
+')
+
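Review bot: The new interface is named `fsdaemon_read_lib` at L1164 while every other public interface of this module carries the module prefix, e.g. `smartmon_admin` at L1148; callers looking for smartmon interfaces will not find it, and the refpolicy naming form for this access is `smartmon_read_var_lib_files`. Two smaller points: `allow $1 fsdaemon_var_lib_t:dir search;` at L1169 should use `search_dir_perms` (and the caller also needs `files_search_var_lib($1)` to reach the directory, as `smartmon_admin` does with `files_list_var_lib` at L1149), and `<rolecap/>` at L1162 marks a plain read interface as a role capability, which looks copied from the admin block rather than intended. The file also gains a trailing blank line at L1172.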
Index: refpolicy-2.20210120/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210120/policy/modules/system/logging.te
@@ -549,6 +549,8 @@ ifdef(`init_systemd',`
 	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)
+	userdom_list_user_tmp(syslogd_t)
+	userdom_read_user_tmp_symlinks(syslogd_t)
 ')
 
 ifdef(`distro_gentoo',`
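Review bot: `userdom_list_user_tmp(syslogd_t)` and `userdom_read_user_tmp_symlinks(syslogd_t)` at L1181-L1182 let the system logger enumerate every user's tmp directory and follow symlinks in it, and nothing in the hunk says what in the systemd path needs that — the adjacent `udev_read_runtime_files` has an obvious reason, these do not. If it is a logger feature that walks /tmp (or a symlink a user session places there), name it: `# for <feature> — lists user tmp dirs and follows their symlinks, read-only`; if the denial came from a one-off probe, a dontaudit is the smaller change.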
Index: refpolicy-2.20210120/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20210120/policy/modules/system/selinuxutil.te
@@ -377,6 +377,7 @@ selinux_compute_access_vector(restorecon
 selinux_compute_create_context(restorecond_t)
 selinux_compute_relabel_context(restorecond_t)
 selinux_compute_user_contexts(restorecond_t)
+seutil_read_file_contexts(restorecond_t)
 
 files_relabel_non_auth_files(restorecond_t )
 files_dontaudit_read_all_symlinks(restorecond_t)
@@ -420,6 +421,8 @@ allow run_init_t self:netlink_audit_sock
 # the failed access to the current directory
 dontaudit run_init_t self:capability { dac_override dac_read_search };
 
+kernel_getattr_proc(run_init_t)
+
 corecmd_exec_bin(run_init_t)
 corecmd_exec_shell(run_init_t)
 
@@ -588,6 +591,7 @@ allow setfiles_t { policy_src_t policy_c
 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
 allow setfiles_t file_context_t:file map;
 
+kernel_read_kernel_sysctls(setfiles_t)
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 kernel_relabelfrom_unlabeled_files(setfiles_t)
Index: refpolicy-2.20210120/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/colord.te
+++ refpolicy-2.20210120/policy/modules/services/colord.te
@@ -25,7 +25,7 @@ files_type(colord_var_lib_t)
 
 allow colord_t self:capability { dac_override dac_read_search };
 dontaudit colord_t self:capability sys_admin;
-allow colord_t self:process signal;
+allow colord_t self:process { signal getsched setsched };
 allow colord_t self:fifo_file rw_fifo_file_perms;
 allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow colord_t self:tcp_socket { accept listen };
Index: refpolicy-2.20210120/policy/modules/services/ftp.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/ftp.te
+++ refpolicy-2.20210120/policy/modules/services/ftp.te
@@ -180,6 +180,7 @@ allow ftpd_t self:tcp_socket { accept li
 allow ftpd_t self:shm create_shm_perms;
 allow ftpd_t self:key manage_key_perms;
 
+allow ftpd_t ftpd_etc_t:dir list_dir_perms;
 allow ftpd_t ftpd_etc_t:file read_file_perms;
 
 allow ftpd_t ftpd_keytab_t:file read_file_perms;
@@ -196,6 +197,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t,
 
 manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+allow ftpd_t ftpd_runtime_t:file map;
 manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
 
@@ -405,6 +407,10 @@ optional_policy(`
 	seutil_sigchld_newrole(ftpd_t)
 ')
 
+optional_policy(`
+	systemd_connect_machined(ftpd_t)
+')
+
 ########################################
 #
 # Ctl local policy
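Review bot: `systemd_connect_machined(ftpd_t)` at L1253 lets a network-facing daemon open a stream connection to any unix socket owned by systemd_machined_t, and the optional_policy block gives no reason; the likely cause is an nss-systemd userdb lookup (machined answers user queries on /run/systemd/userdb — TODO confirm from the AVC), which is legitimate but not obvious. Add `# nss-systemd user lookups via machined's userdb socket` above the call so the exposure is recorded, and check that the socket-file write needed to reach it is granted elsewhere, since the interface itself only adds `connectto`.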
Index: refpolicy-2.20210120/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20210120/policy/modules/services/clamav.te
@@ -176,7 +176,7 @@ optional_policy(`
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
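Review bot: `chown` is added to freshclam_t's capabilities at L1268 with no comment; a signature downloader does not obviously need to change file ownership, and chown combined with its existing write access to its database directory lets it hand files to other uids. If this is freshclam re-owning the database directory before it drops privileges (plausible, but confirm from the AVC), say so inline: `# chown: re-owns the db dir before dropping privileges`; otherwise a dontaudit is the safer response.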
@@ -228,6 +228,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)
Index: refpolicy-2.20210120/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20210120/policy/modules/system/modutils.te
@@ -34,6 +34,7 @@ ifdef(`init_systemd',`
 #
 
 allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
+allow kmod_t self:lockdown confidentiality;
 allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
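Review bot: `allow kmod_t self:lockdown confidentiality;` at L1288 has no comment naming the operation that hit the lockdown check; module loading itself is governed by the integrity side of lockdown and by `sys_module`, so the confidentiality check here comes from something else kmod does (a sysfs or debugfs read? — TODO identify from the AVC). The line below it shows the module's existing approach for incidental probes (`dontaudit kmod_t self:capability sys_admin;` for radeon/amdgpu); if this is the same kind of probe, `dontaudit kmod_t self:lockdown confidentiality;` keeps the lockdown restriction effective, otherwise add the trigger as a comment.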
Index: refpolicy-2.20210120/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210120/policy/modules/services/rpc.te
@@ -114,6 +114,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domai
 
 fs_rw_rpc_named_pipes(rpc_domain)
 fs_search_auto_mountpoints(rpc_domain)
+fs_watch_rpc_pipefs_dir(rpc_domain)
 
 files_read_etc_runtime_files(rpc_domain)
 files_read_usr_files(rpc_domain)
Index: refpolicy-2.20210120/policy/modules/services/ftp.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/ftp.fc
+++ refpolicy-2.20210120/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_etc_t,s0)
 
 /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
@@ -22,8 +23,10 @@
 /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
-/run/proftpd.*	gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.*			gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_runtime_t,s0)
 
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log	--	gen_context(system_u:object_r:xferlog_t,s0)
 
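Review bot: `/usr/sbin/pure-ftpd` at L1318 is appended after `vsftpd`, breaking the alphabetical order the surrounding entries keep (muddleftpd, proftpd, vsftpd); place it between `proftpd` and `vsftpd`. The labelling itself is consistent: `/etc/pure-ftpd(/.*)?` as ftpd_etc_t matches the new `list_dir_perms` rule in ftp.te, and the runtime tree follows the proftpd entry.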
@@ -31,6 +34,7 @@
 
 /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20210120/policy/modules/services/policykit.te
@@ -75,6 +75,7 @@ allow policykit_t self:unix_stream_socke
 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
 
 manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+allow policykit_t policykit_var_lib_t:dir watch;
 
 manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
 manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
@@ -143,12 +144,15 @@ optional_policy(`
 optional_policy(`
 	# for /run/systemd/machines
 	systemd_read_machines(policykit_t)
+	systemd_watch_machines_dir(policykit_t)
 
 	# for /run/systemd/seats/seat*
 	systemd_read_logind_sessions_files(policykit_t)
+	systemd_watch_logind_sessions_dir(policykit_t)
 
 	# for /run/systemd/users/*
 	systemd_read_logind_runtime_files(policykit_t)
+	systemd_watch_logind_runtime_dir(policykit_t)
 ')
 
 ########################################
Index: refpolicy-2.20210120/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210120/policy/modules/system/systemd.if
@@ -24,7 +24,7 @@ template(`systemd_role_template',`
 	gen_require(`
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
-		type systemd_run_exec_t, systemd_analyze_exec_t;
+		type systemd_run_exec_t, systemd_analyze_exec_t, systemd_machined_t;
 	')
 
 	#################################
@@ -56,9 +56,20 @@ template(`systemd_role_template',`
 	allow $1_systemd_t $3:process { setsched rlimitinh };
 	corecmd_shell_domtrans($1_systemd_t, $3)
 	corecmd_bin_domtrans($1_systemd_t, $3)
+	corecmd_shell_entry_type($1_systemd_t)
+	allow $1_systemd_t self:process signal;
+
+	files_search_home($1_systemd_t)
 
 	# Allow using file descriptors for user environment generators
 	allow $3 $1_systemd_t:fd use;
+	allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
+
+	# for "machinectl shell"
+	allow $1_systemd_t systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:dbus send_msg;
+	allow systemd_machined_t $3:dbus send_msg;
 
 	# systemctl --user
 	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
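Review bot: The `# for "machinectl shell"` rules at L1389-L1392 are instantiated for every role built from `systemd_role_template`, so each user domain `$3` — not only administrative ones — gets bidirectional dbus `send_msg` with systemd_machined_t and may use its file descriptors; `machinectl shell` is a privileged operation, so the grant for unprivileged roles looks wider than the use case. Consider keeping these four lines only in the admin role's instantiation or behind a tunable, or at least comment that the dbus path is still gated by polkit, if that is the assumption (confirm). Separately, `corecmd_shell_entry_type($1_systemd_t)` at L1379 makes shell executables valid entry points for the user's systemd domain, which is unusual for a manager domain; a comment saying which invocation runs a shell as `$1_systemd_t` would help.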
@@ -66,6 +77,10 @@ template(`systemd_role_template',`
 	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
 	dbus_system_bus_client($1_systemd_t)
+
+	selinux_use_status_page($1_systemd_t)
+	seutil_read_file_contexts($1_systemd_t)
+	seutil_search_default_contexts($1_systemd_t)
 ')
 
 ######################################
@@ -275,6 +290,24 @@ interface(`systemd_write_logind_runtime_
 
 ######################################
 ## <summary>
+##     Watch systemd-logind runtime dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_watch_logind_runtime_dir',`
+	gen_require(`
+		type systemd_logind_runtime_t;
+	')
+
+	allow $1 systemd_logind_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
 ##   Use inherited systemd
 ##   logind file descriptors.
 ## </summary>
@@ -335,6 +368,24 @@ interface(`systemd_write_inherited_login
 
 ######################################
 ## <summary>
+##      Watch logind sessions dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_watch_logind_sessions_dir',`
+	gen_require(`
+		type systemd_sessions_runtime_t;
+	')
+
+	allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
 ##      Write inherited logind inhibit pipes.
 ## </summary>
 ## <param name="domain">
@@ -489,6 +540,42 @@ interface(`systemd_read_machines',`
 
 ########################################
 ## <summary>
+##	Allow watching /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can watch the machines files
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_machines_dir',`
+	gen_require(`
+		type systemd_machined_runtime_t;
+	')
+
+	allow $1 systemd_machined_runtime_t:dir watch;
+')
+
+########################################
+## <summary>
+##	Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can access the socket
+##	</summary>
+## </param>
+#
+interface(`systemd_connect_machined',`
+	gen_require(`
+		type systemd_machined_t;
+	')
+
+	allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
 ##   Send and receive messages from
 ##   systemd hostnamed over dbus.
 ## </summary>
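Review bot: `systemd_connect_machined` at L1487-L1493 grants `connectto` on every unix_stream_socket of systemd_machined_t, while its summary names one socket, /run/systemd/userdb/io.systemd.Machine; a type-level rule cannot distinguish that socket from machined's other listeners, so the doc should say `Allow connecting to unix stream sockets of systemd-machined (e.g. /run/systemd/userdb/io.systemd.Machine)`. Callers also need write access to the socket file to complete the connect; the usual refpolicy shape is `stream_connect_pattern($1, <sock_file type>, <sock_file type>, systemd_machined_t)`, which bundles both, if the socket file's type is available in this module (not visible here). The `systemd_watch_machines_dir` interface above is fine.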
@@ -609,6 +696,24 @@ interface(`systemd_manage_passwd_runtime
 ')
 
 ########################################
+## <summary>
+##      watch systemd_passwd_runtime_t dirs
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_watch_passwd_runtime_dirs',`
+	gen_require(`
+		type systemd_passwd_runtime_t;
+	')
+
+	allow $1 systemd_passwd_runtime_t:dir watch;
+')
+
+########################################
 ## <summary>
 ##      manage systemd unit dirs and the files in them  (Deprecated)
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20210120/policy/modules/system/locallogin.te
@@ -142,6 +142,7 @@ ifdef(`init_systemd',`
 	auth_manage_faillog(local_login_t)
 
 	init_dbus_chat(local_login_t)
+	systemd_connect_machined(local_login_t)
 	systemd_dbus_chat_logind(local_login_t)
 	systemd_use_logind_fds(local_login_t)
 	systemd_manage_logind_runtime_pipes(local_login_t)
Index: refpolicy-2.20210120/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20210120/policy/modules/services/dovecot.te
@@ -255,6 +255,8 @@ manage_sock_files_pattern(dovecot_auth_t
 
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
+kernel_getattr_proc(dovecot_auth_t)
+
 files_search_runtime(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
@@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock
 allow sysadm_t self:capability audit_write;
 allow sysadm_t self:system status;
 
+kernel_request_load_module(sysadm_t)
+
 corecmd_exec_shell(sysadm_t)
 
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
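Review bot: `kernel_request_load_module(sysadm_t)` at L1558 lets actions from the admin shell trigger kernel module autoloading, which enlarges the kernel attack surface reachable from userspace without going through the modutils domain, and the hunk gives no hint which tool produced the denial. Record it, e.g. `# module autoload triggered by <tool/syscall> — TODO name it`, and confirm it cannot be satisfied by the existing modutils transition instead.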
@@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
 init_admin(sysadm_t)
+init_rw_stream_sockets(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
@@ -95,6 +98,8 @@ ifdef(`init_systemd',`
 	# Allow sysadm to resolve the username of dynamic users by calling
 	# LookupDynamicUserByUID on org.freedesktop.systemd1.
 	init_dbus_chat(sysadm_t)
+
+	systemd_watch_passwd_runtime_dirs(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`
Index: refpolicy-2.20210120/policy/modules/services/mta.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mta.if
+++ refpolicy-2.20210120/policy/modules/services/mta.if
@@ -253,6 +253,7 @@ interface(`mta_manage_mail_home_rw_conte
 	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 	allow $1 mail_home_rw_t:file map;
 	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	allow $1 mail_home_rw_t:dir watch;
 ')
 
 ########################################
Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
@@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t)
 init_stream_connect(logrotate_t)
 init_manage_all_units(logrotate_t)
 
+libs_exec_lib_files(logrotate_t)
+
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
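Review bot: `libs_exec_lib_files(logrotate_t)` at L1600 allows logrotate to execute any file labelled lib_t, which is much wider than the one helper under /usr/lib that a postrotate script presumably invokes (TODO: name it). If the helper is a specific script, labelling it bin_t or a dedicated exec type keeps logrotate — which runs with broad log-management privilege — from being able to run arbitrary library-directory contents; at minimum add `# for /usr/lib/<helper> called from a postrotate script` above the line.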
Index: refpolicy-2.20210120/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20210120/policy/modules/kernel/files.if
@@ -5932,6 +5932,24 @@ interface(`files_read_var_lib_files',`
 
 ########################################
 ## <summary>
+##	map generic files in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_map_var_lib_files',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	allow $1 var_lib_t:file map;
+')
+
+########################################
+## <summary>
 ##	Read generic symbolic links in /var/lib
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210120/policy/modules/services/apache.te
@@ -508,6 +508,7 @@ files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
 files_read_var_lib_files(httpd_t)
+files_map_var_lib_files(httpd_t)
 files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
Index: refpolicy-2.20210120/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20210120/policy/modules/services/mailman.te
@@ -259,6 +259,7 @@ optional_policy(`
 
 optional_policy(`
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+	cron_use_fds(mailman_queue_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210120/policy/modules/services/mailman.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20210120/policy/modules/services/mailman.fc
@@ -25,6 +25,12 @@
 /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
+/usr/lib/mailman3/bin/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman3/bin/master	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman3/bin/runner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
 /usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/bin/mailman-wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
 /usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/mailman3-web/manage.py --	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
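Review bot: The `.` in `/usr/share/mailman3-web/manage.py` at L1674 is unescaped, so the regex also matches names such as `manageXpy`; write `/usr/share/mailman3-web/manage\.py	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)` with the dot escaped and tabs between the fields like its neighbours instead of the single space before `--`. `/usr/bin/mailman-wrapper` at L1671 is also inserted after `/usr/mailman/...` rather than in path order with the other entries; moving it keeps the file sorted.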
Index: refpolicy-2.20210120/policy/modules/services/acpi.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/acpi.te
+++ refpolicy-2.20210120/policy/modules/services/acpi.te
@@ -105,6 +105,7 @@ dev_rw_acpi_bios(acpid_t)
 dev_rw_sysfs(acpid_t)
 dev_dontaudit_getattr_all_chr_files(acpid_t)
 dev_dontaudit_getattr_all_blk_files(acpid_t)
+dev_watch_dev_dirs(acpid_t)
 
 files_exec_etc_files(acpid_t)
 files_read_etc_runtime_files(acpid_t)
Index: refpolicy-2.20210120/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20210120/policy/modules/services/mysql.te
@@ -67,7 +67,7 @@ files_runtime_file(mysqlmanagerd_runtime
 
 allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket { connectto accept listen };
Index: refpolicy-2.20210120/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/bluetooth.te
+++ refpolicy-2.20210120/policy/modules/services/bluetooth.te
@@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_str
 allow bluetooth_t self:unix_stream_socket { accept connectto listen };
 allow bluetooth_t self:tcp_socket { accept listen };
 allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
@@ -87,6 +88,7 @@ files_runtime_filetrans(bluetooth_t, blu
 
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
+kernel_read_crypto_sysctls(bluetooth_t)
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 kernel_read_network_state(bluetooth_t)
@@ -123,6 +125,8 @@ miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
 
+udev_search_runtime(bluetooth_t)
+
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
Index: refpolicy-2.20210120/policy/modules/services/modemmanager.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/modemmanager.te
+++ refpolicy-2.20210120/policy/modules/services/modemmanager.te
@@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modem
 #
 
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
 allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
Index: refpolicy-2.20210120/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20210120/policy/modules/services/networkmanager.te
@@ -148,6 +148,7 @@ files_read_usr_files(NetworkManager_t)
 files_read_usr_src_files(NetworkManager_t)
 
 fs_getattr_all_fs(NetworkManager_t)
+fs_read_nsfs_files(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
 
@@ -163,6 +164,8 @@ init_domtrans_script(NetworkManager_t)
 
 auth_use_nsswitch(NetworkManager_t)
 
+libs_watch_shared_libs_dir(NetworkManager_t)
+
 logging_send_audit_msgs(NetworkManager_t)
 logging_send_syslog_msg(NetworkManager_t)
 
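Review bot: The reason NetworkManager needs `watch` on shared-library directories is not apparent from the line `libs_watch_shared_libs_dir(NetworkManager_t)`, since lib_t covers every library directory on the system rather than one path. A one-line why-comment above it, e.g. `# watches its plugin directory under the system lib tree (confirm which path triggers the denial)`, would let a later reviewer judge whether a narrower type is available; I am inferring the plugin-directory motive, so the wording should be checked against the denial that prompted the change.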
@@ -184,6 +187,7 @@ sysnet_delete_dhcpc_state(NetworkManager
 sysnet_search_dhcp_state(NetworkManager_t)
 sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_watch_config_dir(NetworkManager_t)
 
 # certificates in user home directories (cert_home_t in ~/\.pki)
 userdom_read_user_certs(NetworkManager_t)
@@ -353,6 +357,9 @@ optional_policy(`
 optional_policy(`
 	systemd_read_logind_runtime_files(NetworkManager_t)
 	systemd_read_logind_sessions_files(NetworkManager_t)
+	systemd_watch_logind_runtime_dir(NetworkManager_t)
+	systemd_watch_logind_sessions_dir(NetworkManager_t)
+	systemd_watch_machines_dir(NetworkManager_t)
 	systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
 ')
 
Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20210120/policy/modules/system/sysnetwork.if
@@ -545,6 +545,24 @@ interface(`sysnet_manage_config',`
 
 #######################################
 ## <summary>
+##	Watch a network config dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_watch_config_dir',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	allow $1 net_conf_t:dir watch;
+')
+
+#######################################
+## <summary>
 ##	Read the dhcp client pid file.  (Deprecated)
 ## </summary>
 ## <param name="domain">
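Review bot: The summary `Watch a network config dir` on the new interface is terser than the file's existing summaries (the neighboring one reads `Read the dhcp client pid file.  (Deprecated)`), and the same applies to `watch lib dirs` in the libraries.if hunk of this patch, which is additionally lowercase. `##	Watch the network configuration directory (net_conf_t).` here and `##	Watch shared library directories (lib_t).` there would match the established phrasing and name the type the caller is being granted access to. The interface bodies themselves follow the usual refpolicy shape of a gen_require block plus a single allow rule, so no change is needed below the doc block.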
Index: refpolicy-2.20210120/policy/modules/system/libraries.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/libraries.if
+++ refpolicy-2.20210120/policy/modules/system/libraries.if
@@ -469,3 +469,21 @@ interface(`libs_relabel_shared_libs',`
 
 	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
 ')
+
+########################################
+## <summary>
+##	watch lib dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_watch_shared_libs_dir',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir watch;
+')
