Index: refpolicy-2.20210203/policy/modules/services/accountsd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/accountsd.te
+++ refpolicy-2.20210203/policy/modules/services/accountsd.te
@@ -21,8 +21,8 @@ files_type(accountsd_var_lib_t)
 # Local policy
 #
 
-allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
-allow accountsd_t self:process signal;
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace sys_nice };
+allow accountsd_t self:process { signal getsched setsched };
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
 allow accountsd_t self:passwd { rootok passwd chfn chsh };
 
Index: refpolicy-2.20210203/policy/modules/services/acpi.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/acpi.te
+++ refpolicy-2.20210203/policy/modules/services/acpi.te
@@ -45,6 +45,8 @@ files_type(acpid_var_lib_t)
 #
 
 allow acpi_t self:capability { dac_override sys_admin };
+# for pidof and pgrep
+allow acpid_t self:cap_userns sys_ptrace;
 
 kernel_read_system_state(acpi_t)
 
@@ -102,9 +104,11 @@ dev_read_mouse(acpid_t)
 dev_read_realtime_clock(acpid_t)
 dev_read_urand(acpid_t)
 dev_rw_acpi_bios(acpid_t)
+dev_rw_input_dev(acpid_t)
 dev_rw_sysfs(acpid_t)
 dev_dontaudit_getattr_all_chr_files(acpid_t)
 dev_dontaudit_getattr_all_blk_files(acpid_t)
+dev_watch_dev_dirs(acpid_t)
 
 files_exec_etc_files(acpid_t)
 files_read_etc_runtime_files(acpid_t)
@@ -136,6 +140,7 @@ domain_dontaudit_list_all_domains_state(
 auth_use_nsswitch(acpid_t)
 
 init_domtrans_script(acpid_t)
+init_read_utmp(acpid_t)
 init_telinit(acpid_t)
 
 libs_exec_ld_so(acpid_t)
@@ -218,6 +223,7 @@ optional_policy(`
 
 optional_policy(`
 	init_list_unit_dirs(acpid_t)
+	systemd_dbus_chat_logind(acpid_t)
 	systemd_start_power_units(acpid_t)
 	systemd_status_power_units(acpid_t)
 ')
Index: refpolicy-2.20210203/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210203/policy/modules/services/apache.fc
@@ -67,6 +67,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/lib/systemd/system/apache[^/]*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
 /usr/lib/systemd/system/httpd.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
 /usr/lib/systemd/system/jetty.*\.service		--	gen_context(system_u:object_r:httpd_unit_t,s0)
+/usr/lib/w3m/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 
 /usr/libexec/httpd-ssl-pass-dialog			--	gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 
@@ -164,6 +165,7 @@ ifdef(`distro_suse',`
 /var/log/glpi(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/hiawatha(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/mlogc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/pagespeed(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/log/httpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/horde2(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_log_t,s0)
@@ -172,7 +174,7 @@ ifdef(`distro_suse',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/log/php[^/]+-fpm\.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php[^/]+-fpm\.log.*				--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210203/policy/modules/services/apache.te
@@ -505,6 +505,7 @@ files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
 files_read_var_lib_files(httpd_t)
+files_map_var_lib_files(httpd_t)
 files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
@@ -703,6 +704,7 @@ optional_policy(`
 
 tunable_policy(`httpd_read_user_content',`
 	userdom_read_user_home_content_files(httpd_t)
+	userdom_map_user_home_content_files(httpd_t)
 ')
 
 tunable_policy(`httpd_setrlimit',`
Index: refpolicy-2.20210203/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20210203/policy/modules/services/aptcacher.te
@@ -64,6 +64,8 @@ manage_files_pattern(aptcacher_t, aptcac
 
 manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
+kernel_read_kernel_sysctls(aptcacher_t)
+kernel_read_system_state(aptcacher_t)
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
 # Calls system()
@@ -75,7 +77,11 @@ corenet_tcp_connect_http_port(aptcacher_
 
 auth_use_nsswitch(aptcacher_t)
 
+dev_read_rand(aptcacher_t)
+dev_read_urand(aptcacher_t)
+
 files_read_etc_files(aptcacher_t)
+files_read_usr_files(aptcacher_t)
 
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
@@ -99,8 +105,12 @@ allow acngtool_t self:unix_stream_socket
 allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
 allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
 
+kernel_read_kernel_sysctls(acngtool_t)
+
 aptcacher_stream_connect(acngtool_t)
 
+dev_read_rand(acngtool_t)
+dev_read_urand(acngtool_t)
 corenet_tcp_connect_aptcacher_port(acngtool_t)
 
 auth_use_nsswitch(acngtool_t)
Index: refpolicy-2.20210203/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/bind.te
+++ refpolicy-2.20210203/policy/modules/services/bind.te
@@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
 
 allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:process { getsched setsched getcap setcap setrlimit signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
@@ -212,9 +212,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
Index: refpolicy-2.20210203/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/bluetooth.te
+++ refpolicy-2.20210203/policy/modules/services/bluetooth.te
@@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_str
 allow bluetooth_t self:unix_stream_socket { accept connectto listen };
 allow bluetooth_t self:tcp_socket { accept listen };
 allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
@@ -87,6 +88,7 @@ files_runtime_filetrans(bluetooth_t, blu
 
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
+kernel_read_crypto_sysctls(bluetooth_t)
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 kernel_read_network_state(bluetooth_t)
@@ -123,6 +125,8 @@ miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
 
+udev_search_runtime(bluetooth_t)
+
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@@ -210,5 +214,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_send(bluetooth_t)
+')
+
+optional_policy(`
 	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
 ')
Index: refpolicy-2.20210203/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20210203/policy/modules/services/boinc.te
@@ -118,6 +118,7 @@ corecmd_exec_shell(boinc_t)
 dev_read_rand(boinc_t)
 dev_read_urand(boinc_t)
 dev_read_sysfs(boinc_t)
+dev_rw_dri(boinc_t)
 dev_rw_xserver_misc(boinc_t)
 
 domain_read_all_domains_state(boinc_t)
Index: refpolicy-2.20210203/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20210203/policy/modules/services/clamav.te
@@ -176,7 +176,7 @@ optional_policy(`
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
@@ -228,6 +228,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)
Index: refpolicy-2.20210203/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/colord.te
+++ refpolicy-2.20210203/policy/modules/services/colord.te
@@ -25,7 +25,7 @@ files_type(colord_var_lib_t)
 
 allow colord_t self:capability { dac_override dac_read_search };
 dontaudit colord_t self:capability sys_admin;
-allow colord_t self:process signal;
+allow colord_t self:process { signal getsched setsched };
 allow colord_t self:fifo_file rw_fifo_file_perms;
 allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow colord_t self:tcp_socket { accept listen };
Index: refpolicy-2.20210203/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210203/policy/modules/services/cron.te
@@ -461,6 +461,7 @@ kernel_read_fs_sysctls(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
Index: refpolicy-2.20210203/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/cups.te
+++ refpolicy-2.20210203/policy/modules/services/cups.te
@@ -5,6 +5,13 @@ policy_module(cups, 1.26.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allows legacy ld_so for old printer filters
+## </p>
+## </desc>
+gen_tunable(cups_legacy_ldso, false)
+
 type cupsd_config_t;
 type cupsd_config_exec_t;
 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
@@ -131,6 +138,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
 
@@ -211,11 +219,13 @@ domain_use_interactive_fds(cupsd_t)
 
 files_getattr_boot_dirs(cupsd_t)
 files_list_spool(cupsd_t)
+files_map_etc_files(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
 files_read_usr_files(cupsd_t)
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
+files_read_var_lib_symlinks(cupsd_t)
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
@@ -565,6 +575,10 @@ userdom_manage_user_home_content_dirs(cu
 userdom_manage_user_home_content_files(cups_pdf_t)
 userdom_home_filetrans_user_home_dir(cups_pdf_t)
 
+tunable_policy(`cups_legacy_ldso',`
+	libs_legacy_use_ld_so(cupsd_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(cups_pdf_t)
 	fs_manage_nfs_files(cups_pdf_t)
Index: refpolicy-2.20210203/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210203/policy/modules/services/devicekit.te
@@ -67,7 +67,7 @@ optional_policy(`
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
 allow devicekit_disk_t self:capability2 wake_alarm;
-allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:process { getsched setsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
 
@@ -135,6 +135,8 @@ mls_file_read_all_levels(devicekit_disk_
 mls_file_write_to_clearance(devicekit_disk_t)
 
 mount_rw_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files_reads(devicekit_disk_t)
 
 storage_raw_read_fixed_disk(devicekit_disk_t)
 storage_raw_write_fixed_disk(devicekit_disk_t)
@@ -147,6 +149,7 @@ auth_use_nsswitch(devicekit_disk_t)
 
 logging_send_syslog_msg(devicekit_disk_t)
 
+mount_watch_runtime_dirs(devicekit_disk_t)
 miscfiles_read_localization(devicekit_disk_t)
 
 userdom_read_all_users_state(devicekit_disk_t)
@@ -216,7 +219,7 @@ optional_policy(`
 
 allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
 allow devicekit_power_t self:capability2 wake_alarm;
-allow devicekit_power_t self:process { getsched signal_perms };
+allow devicekit_power_t self:process { getsched setsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:unix_stream_socket create_socket_perms;
Index: refpolicy-2.20210203/policy/modules/services/dirmngr.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dirmngr.te
+++ refpolicy-2.20210203/policy/modules/services/dirmngr.te
@@ -85,6 +85,7 @@ miscfiles_read_generic_certs(dirmngr_t)
 userdom_search_user_home_dirs(dirmngr_t)
 userdom_search_user_runtime(dirmngr_t)
 userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;
 
 optional_policy(`
 	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
@@ -92,3 +93,7 @@ optional_policy(`
 	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
 	gpg_stream_connect_agent(dirmngr_t)
 ')
+
+optional_policy(`
+	corenet_tcp_connect_tor_port(dirmngr_t)
+')
Index: refpolicy-2.20210203/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20210203/policy/modules/services/dovecot.te
@@ -211,6 +211,7 @@ optional_policy(`
 	mta_manage_mail_home_rw_content(dovecot_t)
 	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
 	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "mail")
 ')
 
 optional_policy(`
@@ -258,6 +259,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
 
 kernel_dontaudit_getattr_proc(dovecot_auth_t)
 
+kernel_getattr_proc(dovecot_auth_t)
+
 files_search_runtime(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
Index: refpolicy-2.20210203/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20210203/policy/modules/services/fail2ban.te
@@ -63,7 +63,9 @@ manage_files_pattern(fail2ban_t, fail2ba
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)
+kernel_search_vm_sysctl(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
@@ -133,7 +135,7 @@ optional_policy(`
 #
 
 allow fail2ban_client_t self:capability dac_read_search;
-allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+allow fail2ban_client_t self:unix_stream_socket { create connect write read shutdown };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
Index: refpolicy-2.20210203/policy/modules/services/ftp.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ftp.fc
+++ refpolicy-2.20210203/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_etc_t,s0)
 
 /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
@@ -22,8 +23,10 @@
 /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
-/run/proftpd.*	gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.*			gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_runtime_t,s0)
 
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log	--	gen_context(system_u:object_r:xferlog_t,s0)
 
@@ -31,6 +34,7 @@
 
 /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/ftp.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ftp.te
+++ refpolicy-2.20210203/policy/modules/services/ftp.te
@@ -180,6 +180,7 @@ allow ftpd_t self:tcp_socket { accept li
 allow ftpd_t self:shm create_shm_perms;
 allow ftpd_t self:key manage_key_perms;
 
+allow ftpd_t ftpd_etc_t:dir list_dir_perms;
 allow ftpd_t ftpd_etc_t:file read_file_perms;
 
 allow ftpd_t ftpd_keytab_t:file read_file_perms;
@@ -196,6 +197,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t,
 
 manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+allow ftpd_t ftpd_runtime_t:file map;
 manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
 
@@ -405,6 +407,13 @@ optional_policy(`
 	seutil_sigchld_newrole(ftpd_t)
 ')
 
+optional_policy(`
+	systemd_connect_machined(ftpd_t)
+	systemd_dbus_chat_logind(ftpd_t)
+	systemd_read_logind_state(ftpd_t)
+	systemd_write_inherited_logind_sessions_pipes(ftpd_t)
+')
+
 ########################################
 #
 # Ctl local policy
Index: refpolicy-2.20210203/policy/modules/services/kerneloops.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/kerneloops.te
+++ refpolicy-2.20210203/policy/modules/services/kerneloops.te
@@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops
 
 auth_use_nsswitch(kerneloops_t)
 
+logging_mmap_generic_logs(kerneloops_t)
 logging_send_syslog_msg(kerneloops_t)
 logging_read_generic_logs(kerneloops_t)
 
Index: refpolicy-2.20210203/policy/modules/services/modemmanager.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/modemmanager.te
+++ refpolicy-2.20210203/policy/modules/services/modemmanager.te
@@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modem
 #
 
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
 allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
Index: refpolicy-2.20210203/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210203/policy/modules/services/mon.te
@@ -154,6 +154,10 @@ optional_policy(`
 	mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+	snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -164,9 +168,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for reading /proc/1/maps etc
-allow mon_local_test_t self:capability { sys_ptrace sys_admin };
+allow mon_local_test_t self:capability { sys_rawio sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
 allow mon_local_test_t self:process getsched;
+allow mon_local_test_t self:cap_userns sys_ptrace;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -189,6 +194,7 @@ dev_read_sysfs(mon_local_test_t)
 
 domain_read_all_domains_state(mon_local_test_t)
 
+files_dontaudit_tmpfs_file_getattr(mon_local_test_t)
 files_read_usr_files(mon_local_test_t)
 files_search_mnt(mon_local_test_t)
 files_search_spool(mon_local_test_t)
@@ -197,9 +203,13 @@ files_list_boot(mon_local_test_t)
 fs_search_auto_mountpoints(mon_local_test_t)
 fs_getattr_nfs(mon_local_test_t)
 fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_cgroup_dirs(mon_local_test_t)
 fs_list_hugetlbfs(mon_local_test_t)
 fs_list_tmpfs(mon_local_test_t)
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
 fs_search_nfs(mon_local_test_t)
+fstools_domtrans(mon_local_test_t)
 
 storage_getattr_fixed_disk_dev(mon_local_test_t)
 storage_getattr_removable_dev(mon_local_test_t)
@@ -211,12 +221,14 @@ application_exec_all(mon_local_test_t)
 
 auth_use_nsswitch(mon_local_test_t)
 
+fsdaemon_read_lib(mon_local_test_t)
 init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
 miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
+storage_raw_read_fixed_disk(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
 
Index: refpolicy-2.20210203/policy/modules/services/mta.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mta.if
+++ refpolicy-2.20210203/policy/modules/services/mta.if
@@ -74,26 +74,20 @@ template(`mta_base_mail_template',`
 ##	</summary>
 ## </param>
 #
-interface(`mta_role',`
+interface(`mta_base_role',`
 	gen_require(`
 		attribute mta_user_agent;
-		attribute_role user_mail_roles;
-		type user_mail_t, sendmail_exec_t, mail_home_t;
+		type user_mail_t, mail_home_t;
 		type user_mail_tmp_t, mail_home_rw_t;
 	')
 
-	roleattribute $1 user_mail_roles;
-
 	# this is something i need to fix
 	# i dont know if and why it is needed
 	# will role attribute work?
 	role $1 types mta_user_agent;
 
-	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
-	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
-
-	allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
-	ps_process_pattern($2, { user_mail_t mta_user_agent })
+	allow $2 mta_user_agent:process { ptrace signal_perms };
+	ps_process_pattern($2, mta_user_agent)
 
 	allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
 	userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
@@ -121,6 +115,70 @@ interface(`mta_role',`
 
 ########################################
 ## <summary>
+##	User Role access for mta.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`mta_user_role',`
+	gen_require(`
+		attribute_role user_mail_roles;
+		type user_mail_t, sendmail_exec_t, mail_home_t;
+		type user_mail_tmp_t, mail_home_rw_t;
+	')
+	mta_base_role($1, $2)
+
+	roleattribute $1 user_mail_roles;
+
+	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+	allow $2 user_mail_t:process { ptrace signal_perms };
+	ps_process_pattern($2, user_mail_t)
+')
+
+########################################
+## <summary>
+##	Admin Role access for mta.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`mta_admin_role',`
+	gen_require(`
+		attribute_role admin_mail_roles;
+		type admin_mail_t, sendmail_exec_t, mail_home_t;
+		type user_mail_tmp_t, mail_home_rw_t;
+	')
+	mta_base_role($1, $2)
+
+	roleattribute $1 admin_mail_roles;
+
+	domtrans_pattern($2, sendmail_exec_t, admin_mail_t)
+	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+	allow $2 admin_mail_t:process { ptrace signal_perms };
+	ps_process_pattern($2, admin_mail_t)
+')
+
+########################################
+## <summary>
 ##	Make the specified domain usable for a mail server.
 ## </summary>
 ## <param name="type">
@@ -253,6 +311,7 @@ interface(`mta_manage_mail_home_rw_conte
 	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 	allow $1 mail_home_rw_t:file map;
 	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	allow $1 mail_home_rw_t:{ dir file } watch;
 ')
 
 ########################################
Index: refpolicy-2.20210203/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20210203/policy/modules/services/mysql.te
@@ -67,7 +67,7 @@ files_runtime_file(mysqlmanagerd_runtime
 
 allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket { connectto accept listen };
Index: refpolicy-2.20210203/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20210203/policy/modules/services/networkmanager.te
@@ -148,6 +148,7 @@ files_read_usr_files(NetworkManager_t)
 files_read_usr_src_files(NetworkManager_t)
 
 fs_getattr_all_fs(NetworkManager_t)
+fs_read_nsfs_files(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
 
@@ -163,6 +164,8 @@ init_domtrans_script(NetworkManager_t)
 
 auth_use_nsswitch(NetworkManager_t)
 
+libs_watch_shared_libs_dir(NetworkManager_t)
+
 logging_send_audit_msgs(NetworkManager_t)
 logging_send_syslog_msg(NetworkManager_t)
 
@@ -184,6 +187,7 @@ sysnet_delete_dhcpc_state(NetworkManager
 sysnet_search_dhcp_state(NetworkManager_t)
 sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_watch_config_dir(NetworkManager_t)
 
 # certificates in user home directories (cert_home_t in ~/\.pki)
 userdom_read_user_certs(NetworkManager_t)
Index: refpolicy-2.20210203/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20210203/policy/modules/services/openvpn.te
@@ -128,6 +128,7 @@ files_read_etc_runtime_files(openvpn_t)
 
 fs_getattr_all_fs(openvpn_t)
 fs_search_auto_mountpoints(openvpn_t)
+fs_search_tmpfs(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
Index: refpolicy-2.20210203/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20210203/policy/modules/services/policykit.te
@@ -75,6 +75,7 @@ allow policykit_t self:unix_stream_socke
 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
 
 manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+allow policykit_t policykit_var_lib_t:dir watch;
 
 manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
 manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
Index: refpolicy-2.20210203/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20210203/policy/modules/services/postfix.te
@@ -516,6 +516,7 @@ manage_files_pattern(postfix_map_t, post
 files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
 
 kernel_read_kernel_sysctls(postfix_map_t)
+kernel_read_network_state(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
 kernel_dontaudit_read_system_state(postfix_map_t)
 
@@ -538,10 +539,14 @@ files_dontaudit_search_var(postfix_map_t
 
 auth_use_nsswitch(postfix_map_t)
 
+domain_use_interactive_fds(postfix_map_t)
+
 logging_send_syslog_msg(postfix_map_t)
 
 miscfiles_read_localization(postfix_map_t)
 
+userdom_use_user_ptys(postfix_map_t)
+
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
@@ -747,12 +752,17 @@ allow postfix_showq_t postfix_spool_mail
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 allow postfix_showq_t postfix_spool_t:file read_file_perms;
+allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
 
 mcs_file_read_all(postfix_showq_t)
 
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
+optional_policy(`
+	unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)
+')
+
 ########################################
 #
 # Smtp delivery local policy
Index: refpolicy-2.20210203/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210203/policy/modules/services/rpc.te
@@ -121,6 +121,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domai
 
 fs_rw_rpc_named_pipes(rpc_domain)
 fs_search_auto_mountpoints(rpc_domain)
+fs_watch_rpc_pipefs_dir(rpc_domain)
 
 files_read_etc_runtime_files(rpc_domain)
 files_read_usr_files(rpc_domain)
Index: refpolicy-2.20210203/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/samba.te
+++ refpolicy-2.20210203/policy/modules/services/samba.te
@@ -426,11 +426,13 @@ tunable_policy(`samba_domain_controller'
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
+	files_watch_home(smbd_t)
 	userdom_manage_user_home_content_dirs(smbd_t)
 	userdom_manage_user_home_content_files(smbd_t)
 	userdom_manage_user_home_content_symlinks(smbd_t)
 	userdom_manage_user_home_content_sockets(smbd_t)
 	userdom_manage_user_home_content_pipes(smbd_t)
+	userdom_watch_user_home_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_portmapper',`
@@ -462,11 +464,13 @@ tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t)
 	files_list_non_auth_dirs(smbd_t)
 	files_read_non_auth_files(smbd_t)
+	files_watch_all_file_type_dir(smbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
 	fs_read_noxattr_fs_files(smbd_t)
 	files_manage_non_auth_files(smbd_t)
+	files_watch_all_file_type_dir(smbd_t)
 ')
 
 optional_policy(`
@@ -616,13 +620,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_file_perms;
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
@@ -638,6 +646,7 @@ files_search_var_lib(smbcontrol_t)
 term_use_console(smbcontrol_t)
 
 init_use_fds(smbcontrol_t)
+init_rw_inherited_stream_socket(smbcontrol_t)
 
 miscfiles_read_localization(smbcontrol_t)
 
Index: refpolicy-2.20210203/policy/modules/services/sendmail.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/sendmail.te
+++ refpolicy-2.20210203/policy/modules/services/sendmail.te
@@ -173,6 +173,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	userdom_use_user_ttys(sendmail_t)
 	postfix_domtrans_postdrop(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_domtrans_postqueue(sendmail_t)
Index: refpolicy-2.20210203/policy/modules/services/smartmon.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/smartmon.if
+++ refpolicy-2.20210203/policy/modules/services/smartmon.if
@@ -56,3 +56,24 @@ interface(`smartmon_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, fsdaemon_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Read fsdaemon /var/lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fsdaemon_read_lib',`
+	gen_require(`
+		type fsdaemon_var_lib_t;
+	')
+
+	allow $1 fsdaemon_var_lib_t:dir search;
+	allow $1 fsdaemon_var_lib_t:file read_file_perms;
+')
+
Index: refpolicy-2.20210203/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210203/policy/modules/services/ssh.te
@@ -199,6 +199,11 @@ tunable_policy(`user_tcp_server',`
 ')
 
 optional_policy(`
+	cron_read_pipes(ssh_t)
+	cron_rw_tmp_files(ssh_t)
+')
+
+optional_policy(`
 	tunable_policy(`ssh_use_gpg_agent',`
 		gpg_stream_connect_agent(ssh_t)
 	')
@@ -269,6 +274,8 @@ ifdef(`distro_debian',`
 ifdef(`init_systemd',`
 	auth_use_pam_systemd(sshd_t)
 	init_dbus_chat(sshd_t)
+	# dynamic users
+	init_stream_connect(sshd_t)
 	init_rw_stream_sockets(sshd_t)
 	systemd_dgram_nspawn(sshd_t)
 	systemd_write_inherited_logind_sessions_pipes(sshd_t)
Index: refpolicy-2.20210203/policy/modules/services/virt.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/virt.fc
+++ refpolicy-2.20210203/policy/modules/services/virt.fc
@@ -9,6 +9,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
+/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/virt.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/virt.te
+++ refpolicy-2.20210203/policy/modules/services/virt.te
@@ -1272,6 +1272,9 @@ allow virt_bridgehelper_t self:tcp_socke
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
+allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
+allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
+
 manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
 
 kernel_read_network_state(virt_bridgehelper_t)
Index: refpolicy-2.20210203/policy/modules/services/xserver.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/xserver.fc
+++ refpolicy-2.20210203/policy/modules/services/xserver.fc
@@ -69,6 +69,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20210203/policy/modules/services/xserver.te
@@ -282,6 +282,7 @@ term_use_ptmx(xauth_t)
 auth_use_nsswitch(xauth_t)
 
 userdom_use_user_terminals(xauth_t)
+userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)
 userdom_read_user_tmp_files(xauth_t)
 
 xserver_rw_xdm_tmp_files(xauth_t)
Index: refpolicy-2.20210203/policy/modules/system/mount.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/mount.if
+++ refpolicy-2.20210203/policy/modules/system/mount.if
@@ -260,6 +260,24 @@ interface(`mount_watch_reads_runtime_fil
 
 ########################################
 ## <summary>
+##	Watch mount runtime files reads.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files_reads',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file watch_reads;
+')
+
+########################################
+## <summary>
 ##     Getattr on mount_runtime_t files
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210203/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20210203/policy/modules/kernel/files.if
@@ -480,6 +480,24 @@ interface(`files_tmpfs_file',`
 
 ########################################
 ## <summary>
+##	dontaudit getattr on tmpfs files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not have stat on tmpfs files audited
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_tmpfs_file_getattr',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	dontaudit $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of all directories.
 ## </summary>
 ## <param name="domain">
@@ -1418,6 +1436,25 @@ interface(`files_unmount_all_file_type_f
 
 ########################################
 ## <summary>
+##	watch all directories of file_type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_all_file_type_dir',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:dir watch;
+')
+
+########################################
+########################################
+## <summary>
 ##	Read all non-authentication related
 ##	directories.
 ## </summary>
@@ -3881,6 +3918,24 @@ interface(`files_home_filetrans',`
 
 ########################################
 ## <summary>
+##	watch /home.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir watch;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of lost+found directories.
 ## </summary>
 ## <param name="domain">
@@ -5989,6 +6044,24 @@ interface(`files_read_var_lib_files',`
 ')
 
 ########################################
+## <summary>
+##	map generic files in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_map_var_lib_files',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	allow $1 var_lib_t:file map;
+')
+
+########################################
 ## <summary>
 ##	Read generic symbolic links in /var/lib
 ## </summary>
Index: refpolicy-2.20210203/policy/modules/system/libraries.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/libraries.if
+++ refpolicy-2.20210203/policy/modules/system/libraries.if
@@ -469,3 +469,21 @@ interface(`libs_relabel_shared_libs',`
 
 	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
 ')
+
+########################################
+## <summary>
+##	watch lib dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_watch_shared_libs_dir',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir watch;
+')
Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20210203/policy/modules/system/sysnetwork.if
@@ -549,6 +549,24 @@ interface(`sysnet_manage_config',`
 
 #######################################
 ## <summary>
+##	Watch a network config dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_watch_config_dir',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	allow $1 net_conf_t:dir watch;
+')
+
+#######################################
+## <summary>
 ##	Read the dhcp client pid file.  (Deprecated)
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
@@ -583,6 +583,25 @@ interface(`fs_manage_autofs_symlinks',`
 
 ########################################
 ## <summary>
+##	Get the attributes of binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:filesystem getattr;
+
+')
+
+########################################
+## <summary>
 ##	Get the attributes of directories on
 ##	binfmt_misc filesystems.
 ## </summary>
@@ -4386,6 +4405,24 @@ interface(`fs_getattr_rpc_pipefs',`
 	allow $1 rpc_pipefs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Watch a rpc pipefs dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_watch_rpc_pipefs_dir',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read and write RPC pipe filesystem named pipes.
@@ -5822,3 +5859,21 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Search bpf dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_bpf',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	allow $1 bpf_t:dir search;
+')
Index: refpolicy-2.20210203/policy/modules/services/acpi.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/acpi.fc
+++ refpolicy-2.20210203/policy/modules/services/acpi.fc
@@ -8,6 +8,7 @@
 /usr/lib/systemd/system/apmd.*\.service -- gen_context(system_u:object_r:acpid_unit_t,s0)
 
 /usr/sbin/acpid	--	gen_context(system_u:object_r:acpid_exec_t,s0)
+/usr/sbin/acpi_fakekeyd	--	gen_context(system_u:object_r:acpid_exec_t,s0)
 /usr/sbin/apmd	--	gen_context(system_u:object_r:acpid_exec_t,s0)
 /usr/sbin/powersaved	--	gen_context(system_u:object_r:acpid_exec_t,s0)
 
Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
@@ -376,6 +376,7 @@ selinux_compute_user_contexts(restorecon
 
 files_relabel_non_auth_files(restorecond_t )
 files_dontaudit_read_all_symlinks(restorecond_t)
+files_watch_all_file_type_dir(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 
 logging_send_syslog_msg(restorecond_t)
Index: refpolicy-2.20210203/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210203/policy/modules/system/userdomain.if
@@ -4348,6 +4348,24 @@ interface(`userdom_search_user_home_cont
 
 ########################################
 ## <summary>
+##	watch users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_watch_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir watch;
+')
+
+########################################
+## <summary>
 ##	Send signull to unprivileged user domains.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210203/policy/modules/services/milter.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/milter.te
+++ refpolicy-2.20210203/policy/modules/services/milter.te
@@ -9,9 +9,19 @@ attribute milter_domains;
 attribute milter_data_type;
 
 milter_template(greylist)
+milter_template(postfwd)
 milter_template(regex)
 milter_template(spamass)
 
+type postfwd_milter_runtime_t;
+files_runtime_file(postfwd_milter_runtime_t)
+
+type postfwd_milter_tmp_t;
+files_tmp_file(postfwd_milter_tmp_t)
+allow postfwd_milter_t postfwd_milter_tmp_t:sock_file manage_sock_file_perms;
+allow postfwd_milter_t postfwd_milter_tmp_t:file manage_file_perms;
+files_tmp_filetrans(postfwd_milter_t, postfwd_milter_tmp_t, { file sock_file })
+
 type spamass_milter_initrc_exec_t;
 init_script_file(spamass_milter_initrc_exec_t)
 
@@ -75,6 +85,35 @@ optional_policy(`
 ')
 
 ########################################
+#
+# postfwd local policy
+#
+
+allow postfwd_milter_t self:process { signal signull };
+allow postfwd_milter_t self:capability { chown dac_override dac_read_search setgid setuid };
+allow postfwd_milter_t self:unix_stream_socket connectto;
+
+files_runtime_filetrans(postfwd_milter_t, postfwd_milter_runtime_t, file, "postfwd.pid")
+allow postfwd_milter_t postfwd_milter_runtime_t:file manage_file_perms;
+
+kernel_read_kernel_sysctls(postfwd_milter_t)
+
+corecmd_exec_bin(postfwd_milter_t)
+corecmd_exec_shell(postfwd_milter_t)
+corecmd_mmap_bin_files(postfwd_milter_t)
+corenet_tcp_bind_all_unreserved_ports(postfwd_milter_t)
+corenet_tcp_connect_all_unreserved_ports(postfwd_milter_t)
+dev_read_urand(postfwd_milter_t)
+
+files_read_usr_files(postfwd_milter_t)
+files_read_usr_symlinks(postfwd_milter_t)
+files_search_tmp(postfwd_milter_t)
+
+optional_policy(`
+	postfix_read_config(postfwd_milter_t)
+')
+
+########################################
 #
 # regex local policy
 #
Index: refpolicy-2.20210203/policy/modules/services/milter.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/milter.fc
+++ refpolicy-2.20210203/policy/modules/services/milter.fc
@@ -8,6 +8,7 @@
 /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/sqlgrey		--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex		--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/postfwd.*		--	gen_context(system_u:object_r:postfwd_milter_exec_t,s0)
 /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
 /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
@@ -16,6 +17,7 @@
 
 /run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/postfwd\.pid		--	gen_context(system_u:object_r:postfwd_milter_runtime_t,s0)
 /run/spamass(/.*)?			gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /run/sqlgrey\.pid		--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/redis.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/redis.fc
+++ refpolicy-2.20210203/policy/modules/services/redis.fc
@@ -3,6 +3,7 @@
 /etc/redis.*\.conf	--	gen_context(system_u:object_r:redis_conf_t,s0)
 
 /usr/bin/redis-server	--	gen_context(system_u:object_r:redis_exec_t,s0)
+/usr/bin/redis-check-rdb --	gen_context(system_u:object_r:redis_exec_t,s0)
 
 /usr/sbin/redis-server	--	gen_context(system_u:object_r:redis_exec_t,s0)
 
Index: refpolicy-2.20210203/policy/modules/services/redis.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/redis.te
+++ refpolicy-2.20210203/policy/modules/services/redis.te
@@ -50,7 +50,9 @@ manage_dirs_pattern(redis_t, redis_runti
 manage_files_pattern(redis_t, redis_runtime_t, redis_runtime_t)
 manage_lnk_files_pattern(redis_t, redis_runtime_t, redis_runtime_t)
 
+kernel_read_net_sysctls(redis_t)
 kernel_read_system_state(redis_t)
+kernel_read_vm_overcommit_sysctl(redis_t)
 
 corenet_all_recvfrom_netlabel(redis_t)
 corenet_tcp_sendrecv_generic_if(redis_t)
@@ -66,6 +68,7 @@ dev_read_urand(redis_t)
 
 logging_send_syslog_msg(redis_t)
 
+miscfiles_read_generic_certs(redis_t)
 miscfiles_read_localization(redis_t)
 
 sysnet_dns_name_resolve(redis_t)
Index: refpolicy-2.20210203/policy/modules/services/postgresql.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/postgresql.te
+++ refpolicy-2.20210203/policy/modules/services/postgresql.te
@@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runt
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_tmpfs_t;
+files_tmpfs_file(postgresql_tmpfs_t)
+
 type postgresql_unit_t;
 init_unit_file(postgresql_unit_t)
 
@@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, p
 manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+allow postgresql_t postgresql_tmpfs_t:file map;
+manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
@@ -342,6 +348,7 @@ init_read_utmp(postgresql_t)
 logging_send_syslog_msg(postgresql_t)
 logging_send_audit_msgs(postgresql_t)
 
+miscfiles_read_generic_tls_privkey(postgresql_t)
 miscfiles_read_localization(postgresql_t)
 
 seutil_libselinux_linked(postgresql_t)
Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -699,6 +699,7 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
+files_dontaudit_tmpfs_file_getattr(systemd_logind_t)
 files_search_boot(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 
Index: refpolicy-2.20210203/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20210203/policy/modules/roles/staff.te
@@ -154,7 +154,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		mta_role(staff_r, staff_t)
+		mta_user_role(staff_r, staff_t)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
@@ -706,7 +706,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mta_role(sysadm_r, sysadm_t)
+	mta_admin_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
@@ -126,7 +126,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		mta_role(user_r, user_t)
+		mta_user_role(user_r, user_t)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20210203/policy/modules/services/mta.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mta.te
+++ refpolicy-2.20210203/policy/modules/services/mta.te
@@ -15,6 +15,7 @@ attribute mailserver_sender;
 attribute user_mail_domain;
 
 attribute_role user_mail_roles;
+attribute_role admin_mail_roles;
 
 type etc_aliases_t;
 files_type(etc_aliases_t)
@@ -44,6 +45,10 @@ mta_base_mail_template(user)
 userdom_user_application_type(user_mail_t)
 role user_mail_roles types user_mail_t;
 
+mta_base_mail_template(admin)
+userdom_user_application_type(admin_mail_t)
+role admin_mail_roles types admin_mail_t;
+
 userdom_user_tmp_file(user_mail_tmp_t)
 
 ########################################
@@ -424,3 +429,30 @@ optional_policy(`
 	postfix_read_config(user_mail_t)
 	postfix_list_spool(user_mail_t)
 ')
+
+########################################
+#
+# Admin local policy
+#
+
+manage_files_pattern(admin_mail_t, mail_home_t, mail_home_t)
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".esmtp_queue")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".forward")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".mailrc")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, "dead.letter")
+
+dev_read_sysfs(admin_mail_t)
+
+userdom_use_user_terminals(admin_mail_t)
+
+files_etc_filetrans(admin_mail_t, etc_aliases_t, file)
+allow admin_mail_t etc_aliases_t:file manage_file_perms;
+
+optional_policy(`
+	allow admin_mail_t self:capability dac_override;
+
+	userdom_rw_user_tmp_files(admin_mail_t)
+
+	postfix_read_config(admin_mail_t)
+	postfix_list_spool(admin_mail_t)
+')
Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210203/policy/modules/system/unconfined.te
@@ -141,7 +141,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mta_role(unconfined_r, unconfined_t)
+	mta_admin_role(unconfined_r, unconfined_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/services/spamassassin.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/spamassassin.fc
+++ refpolicy-2.20210203/policy/modules/services/spamassassin.fc
@@ -16,7 +16,7 @@ HOME_DIR/\.spamd(/.*)?			gen_context(sys
 /usr/bin/spamd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/spampd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/sa-update		--	gen_context(system_u:object_r:spamd_update_exec_t,s0)
-/usr/bin/rspamd			-l	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/rspamd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/rspamd-[^/]+	--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/rspamc			-l	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/rspamc-[^/]+	--	gen_context(system_u:object_r:spamc_exec_t,s0)
@@ -41,6 +41,7 @@ HOME_DIR/\.spamd(/.*)?			gen_context(sys
 
 /var/log/spamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/rspamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/rspamd(/.*)?			gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/mimedefang.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
 
 /var/vmail/\.spamassassin(/.*)?		gen_context(system_u:object_r:spamassassin_home_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/courier.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/courier.fc
+++ refpolicy-2.20210203/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@
 /usr/lib/courier/courier/courierpop.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/rootcerts(/.*)?	gen_context(system_u:object_r:courier_etc_t,s0)
 /usr/lib/courier/sqwebmail/cleancache\.pl	--	gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
 /usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/courier.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/courier.te
+++ refpolicy-2.20210203/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
+kernel_getattr_proc(courier_authdaemon_t)
+
 corecmd_exec_shell(courier_authdaemon_t)
 
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t
 miscfiles_read_localization(courier_authdaemon_t)
 
 selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket connectto;
+allow courier_pop_t self:process setrlimit;
+
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
 
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
 stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
 corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(courier_pop_t)
+
+files_search_var_lib(courier_pop_t)
 
+miscfiles_read_generic_certs(courier_pop_t)
 miscfiles_read_localization(courier_pop_t)
 
 mta_manage_mail_home_rw_content(courier_pop_t)
Index: refpolicy-2.20210203/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/spamassassin.te
+++ refpolicy-2.20210203/policy/modules/services/spamassassin.te
@@ -399,6 +399,10 @@ tunable_policy(`rspamd_spamd',`
 	allow spamd_t self:process setrlimit;
 	allow spamc_t self:process setrlimit;
 
+	allow spamd_t self:process execmem;
+
+	kernel_read_network_state(spamd_t)
+
 	list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 	mmap_read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 	allow spamd_t spamd_etc_t:dir watch;
@@ -407,7 +411,7 @@ tunable_policy(`rspamd_spamd',`
 	allow spamd_t spamd_var_lib_t:dir watch;
 	filetrans_pattern(spamd_t, spamd_var_lib_t, spamd_runtime_t, sock_file)
 
-	search_dirs_pattern(spamd_t, spamd_log_t, spamd_log_t)
+	allow spamd_t spamd_log_t:dir rw_dir_perms;
 
 	fs_search_tmpfs(spamd_t)
 	manage_dirs_pattern(spamd_t, spamd_tmpfs_t, spamd_tmpfs_t)
Index: refpolicy-2.20210203/policy/modules/services/exim.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/exim.te
+++ refpolicy-2.20210203/policy/modules/services/exim.te
@@ -73,7 +73,7 @@ ifdef(`distro_debian',`
 # Local policy
 #
 
-allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
+allow exim_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_resource };
 allow exim_t self:process { setrlimit setpgid };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
@@ -190,6 +190,7 @@ optional_policy(`
 
 optional_policy(`
 	cron_read_pipes(exim_t)
+	cron_rw_inherited_tmp_files(exim_t)
 	cron_rw_system_job_pipes(exim_t)
 	cron_use_system_job_fds(exim_t)
 ')
Index: refpolicy-2.20210203/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy-2.20210203/policy/modules/kernel/corenetwork.te.in
@@ -255,7 +255,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
 network_port(socks) # no defined portcon
 network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-network_port(spamd, tcp,783,s0)
+network_port(spamd, tcp,783,s0, tcp,11333,s0)
 network_port(speech, tcp,8036,s0)
 network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
 network_port(ssdp, tcp,1900,s0, udp,1900,s0)
Index: refpolicy-2.20210203/policy/modules/services/smartmon.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/smartmon.te
+++ refpolicy-2.20210203/policy/modules/services/smartmon.te
@@ -39,7 +39,7 @@ ifdef(`enable_mls',`
 #
 
 allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
-dontaudit fsdaemon_t self:capability sys_tty_config;
+dontaudit fsdaemon_t self:capability { net_admin sys_tty_config };
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20210203/policy/modules/services/inetd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/inetd.te
+++ refpolicy-2.20210203/policy/modules/services/inetd.te
@@ -37,7 +37,7 @@ ifdef(`enable_mcs',`
 # Local policy
 #
 
-allow inetd_t self:capability { setgid setuid sys_resource };
+allow inetd_t self:capability { kill setgid setuid sys_resource };
 dontaudit inetd_t self:capability sys_tty_config;
 allow inetd_t self:process { setsched setexec setrlimit };
 allow inetd_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20210203/policy/modules/kernel/corecommands.fc
@@ -43,6 +43,8 @@ ifdef(`distro_redhat',`
 /etc/cron\.monthly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /etc/dhcp/dhclient\.d(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/etc/dhcp/dhclient-enter-hooks.d(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+/etc/dhcp/dhclient-exit-hooks.d(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
@@ -101,6 +103,9 @@ ifdef(`distro_redhat',`
 
 /etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
+/etc/wide-dhcpv6/dhcp6c-ifupdown --	gen_context(system_u:object_r:bin_t,s0)
+/etc/wide-dhcpv6/dhcp6c-script	--	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20210203/policy/modules/kernel/storage.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.fc
+++ refpolicy-2.20210203/policy/modules/kernel/storage.fc
@@ -29,6 +29,7 @@
 /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
Index: refpolicy-2.20210203/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20210203/policy/modules/system/fstools.te
@@ -137,6 +137,8 @@ mls_file_write_all_levels(fsadm_t)
 
 selinux_getattr_fs(fsadm_t)
 
+storage_dev_filetrans_fixed_disk_control(fsadm_t, "megaraid_sas_ioctl_node")
+storage_manage_fixed_disk(fsadm_t)
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
@@ -192,6 +194,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fsdaemon_read_lib(fsadm_t)
+')
+
+optional_policy(`
 	livecd_rw_tmp_files(fsadm_t)
 ')
 
@@ -201,6 +207,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mon_dontaudit_use_fds(fsadm_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(fsadm_t)
 ')
 
Index: refpolicy-2.20210203/policy/modules/apps/java.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/java.te
+++ refpolicy-2.20210203/policy/modules/apps/java.te
@@ -128,11 +128,17 @@ tunable_policy(`allow_java_execstack',`
 auth_use_nsswitch(java_t)
 
 corecmd_search_bin(java_t)
+corecmd_exec_bin(java_t)
 
 dev_read_sysfs(java_t)
 
+fs_read_cgroup_files(java_t)
+fs_search_cgroup_dirs(java_t)
+
 locallogin_use_fds(java_t)
 
+libs_exec_lib_files(java_t)
+
 userdom_read_user_tmp_files(java_t)
 userdom_use_user_terminals(java_t)
 
Index: refpolicy-2.20210203/policy/modules/kernel/storage.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/storage.if
+++ refpolicy-2.20210203/policy/modules/kernel/storage.if
@@ -309,6 +309,30 @@ interface(`storage_dev_filetrans_fixed_d
 
 ########################################
 ## <summary>
+##	Create char devices in /dev with the fixed disk type
+##	via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Optional filename of the char device to be created
+##	</summary>
+## </param>
+#
+interface(`storage_dev_filetrans_fixed_disk_control',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	dev_filetrans($1, fixed_disk_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Create block devices in on a tmpfs filesystem with the
 ##	fixed disk type via an automatic type transition.
 ## </summary>
