diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a5e9213..07a6271 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -23229,10 +23229,10 @@ index fe0c682..3ad1b1f 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..46e1c3e 100644 +index cc877c7..1cd66c2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2) +@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) # ## @@ -23293,6 +23293,7 @@ index cc877c7..46e1c3e 100644 init_daemon_domain(sshd_t, sshd_exec_t) +mls_trusted_object(sshd_t) +mls_process_write_all_levels(sshd_t) ++mls_dbus_send_all_levels(sshd_t) + +type sshd_initrc_exec_t; +init_script_file(sshd_initrc_exec_t) @@ -23315,7 +23316,7 @@ index cc877c7..46e1c3e 100644 type ssh_t; type ssh_exec_t; -@@ -67,15 +92,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) +@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; @@ -23336,7 +23337,7 @@ index cc877c7..46e1c3e 100644 ############################## # -@@ -86,6 +113,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; 
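Review bot: The added `mls_dbus_send_all_levels(sshd_t)` in the ssh.te part (outer hunk at 23293) has no rationale, and it is a third MLS exemption on a network-facing daemon, next to `mls_trusted_object(sshd_t)` and `mls_process_write_all_levels(sshd_t)`. The same call is added for `systemd_logind_t` in the systemd.te hunk at 41911, so this is presumably about D-Bus traffic between sshd sessions and logind, but nothing on the page says so. I would put a comment above both lines, for example `# MLS: D-Bus messages sent to peers at other levels (logind session setup); see <bug reference>`, so the exemption can be re-examined later. Only the send direction is exempted; whether replies need a matching receive exemption is not visible from this diff.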
@@ -23344,7 +23345,7 @@ index cc877c7..46e1c3e 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -93,50 +121,55 @@ allow ssh_t self:sem create_sem_perms; +@@ -93,50 +122,55 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -23411,7 +23412,7 @@ index cc877c7..46e1c3e 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -157,40 +190,46 @@ files_read_var_files(ssh_t) +@@ -157,40 +191,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -23477,7 +23478,7 @@ index cc877c7..46e1c3e 100644 ') optional_policy(` -@@ -198,6 +237,7 @@ optional_policy(` +@@ -198,6 +238,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -23485,7 +23486,7 @@ index cc877c7..46e1c3e 100644 ############################## # # ssh_keysign_t local policy -@@ -209,6 +249,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -209,6 +250,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -23493,7 +23494,7 @@ index cc877c7..46e1c3e 100644 files_read_etc_files(ssh_keysign_t) -@@ -226,39 +267,58 @@ optional_policy(` +@@ -226,39 +268,58 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -23564,7 +23565,7 @@ index cc877c7..46e1c3e 100644 ') optional_policy(` -@@ -266,6 +326,15 @@ optional_policy(` +@@ -266,6 +327,15 @@ optional_policy(` ') optional_policy(` 
@@ -23580,7 +23581,7 @@ index cc877c7..46e1c3e 100644 inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') -@@ -275,10 +344,26 @@ optional_policy(` +@@ -275,10 +345,26 @@ optional_policy(` ') optional_policy(` @@ -23607,7 +23608,7 @@ index cc877c7..46e1c3e 100644 rpm_use_script_fds(sshd_t) ') -@@ -289,13 +374,93 @@ optional_policy(` +@@ -289,13 +375,93 @@ optional_policy(` ') optional_policy(` @@ -23701,7 +23702,7 @@ index cc877c7..46e1c3e 100644 ######################################## # # ssh_keygen local policy -@@ -304,19 +469,33 @@ optional_policy(` +@@ -304,19 +470,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -23736,7 +23737,7 @@ index cc877c7..46e1c3e 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -332,7 +511,9 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -332,7 +512,9 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) @@ -23746,7 +23747,7 @@ index cc877c7..46e1c3e 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -341,3 +522,148 @@ optional_policy(` +@@ -341,3 +523,148 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -25798,7 +25799,7 @@ index 6bf0ecc..b036584 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..07ff17c 100644 +index 8b40377..4f6e00b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -26439,7 +26440,7 @@ index 8b40377..07ff17c 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +687,155 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +687,159 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -26487,6 +26488,10 @@ index 8b40377..07ff17c 100644 +userdom_filetrans_generic_home_content(xdm_t) + +optional_policy(` ++ colord_read_lib_files(xdm_t) ++') ++ ++optional_policy(` + gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates") +') + @@ -26601,7 +26606,7 @@ index 8b40377..07ff17c 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +848,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +852,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -26633,7 +26638,7 @@ index 8b40377..07ff17c 100644 ') optional_policy(` -@@ -517,9 +882,34 @@ optional_policy(` +@@ -517,9 +886,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -26641,17 +26646,17 @@ index 8b40377..07ff17c 100644 + optional_policy(` + accountsd_dbus_chat(xdm_t) + ') -+ -+ optional_policy(` + + optional_policy(` +- accountsd_dbus_chat(xdm_t) + bluetooth_dbus_chat(xdm_t) + ') + + optional_policy(` + cpufreqselector_dbus_chat(xdm_t) + ') - - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ ++ optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') @@ -26669,7 +26674,7 @@ index 8b40377..07ff17c 100644 ') ') -@@ -530,6 +920,20 @@ optional_policy(` +@@ -530,6 +924,20 @@ optional_policy(` ') optional_policy(` @@ -26690,7 +26695,7 @@ index 8b40377..07ff17c 100644 hostname_exec(xdm_t) ') -@@ -547,28 +951,78 @@ optional_policy(` +@@ -547,28 +955,78 @@ optional_policy(` ') optional_policy(` @@ -26778,7 +26783,7 @@ index 8b40377..07ff17c 100644 ') optional_policy(` -@@ -580,6 +1034,14 @@ optional_policy(` +@@ -580,6 +1038,14 @@ optional_policy(` ') optional_policy(` 
@@ -26793,7 +26798,7 @@ index 8b40377..07ff17c 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1060,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -26802,7 +26807,7 @@ index 8b40377..07ff17c 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1070,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -26815,7 +26820,7 @@ index 8b40377..07ff17c 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1087,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -26831,7 +26836,7 @@ index 8b40377..07ff17c 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1103,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -26842,7 +26847,7 @@ index 8b40377..07ff17c 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1118,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -26879,7 +26884,7 @@ index 8b40377..07ff17c 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1164,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -26911,7 +26916,7 @@ index 8b40377..07ff17c 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1197,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -26926,7 +26931,7 @@ index 8b40377..07ff17c 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1214,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1218,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -26950,7 +26955,7 @@ index 8b40377..07ff17c 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1237,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -26959,7 +26964,7 @@ index 8b40377..07ff17c 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1277,50 @@ optional_policy(` +@@ -785,17 +1281,50 @@ optional_policy(` ') optional_policy(` @@ -27012,7 +27017,7 @@ index 8b40377..07ff17c 100644 ') optional_policy(` -@@ -803,6 +1328,10 @@ optional_policy(` +@@ -803,6 +1332,10 @@ optional_policy(` ') optional_policy(` @@ -27023,7 +27028,7 @@ index 8b40377..07ff17c 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1347,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1351,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -27048,7 +27053,7 @@ index 8b40377..07ff17c 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1370,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1374,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -27083,7 +27088,7 @@ index 8b40377..07ff17c 100644 ') optional_policy(` -@@ -912,7 +1435,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1439,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -27092,7 +27097,7 @@ index 8b40377..07ff17c 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1489,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1493,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -27124,7 +27129,7 @@ index 8b40377..07ff17c 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1535,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1539,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -29610,7 +29615,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..6c7a9d9 100644 +index 79a45f6..ca8a198 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -30858,7 +30863,7 @@ index 79a45f6..6c7a9d9 100644 + type init_t; + ') + -+ allow $1 init_t:tcp_socket { read write }; ++ allow $1 init_t:tcp_socket { read write getattr }; +') + +######################################## @@ -41809,10 +41814,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..3ebbad0 +index 0000000..b4916c2 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,706 @@ +@@ -0,0 +1,707 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -41911,6 +41916,7 @@ index 0000000..3ebbad0 + +mls_file_read_all_levels(systemd_logind_t) +mls_file_write_all_levels(systemd_logind_t) ++mls_dbus_send_all_levels(systemd_logind_t) + +files_delete_tmpfs_files(systemd_logind_t) + 
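Review bot: Adding `getattr` in `allow $1 init_t:tcp_socket { read write getattr };` (init.if hunk at 30858) widens what every caller of this interface receives, but the interface's header comment sits outside the hunk and is not touched by this commit. If the summary still describes read and write only, it should name the extra permission, e.g. `## Read, write and get attributes of init TCP sockets.`. The interface body starts and ends outside the hunk, so its name is not visible here; the caller changed in userdomain.if suggests it is `init_rw_tcp_sockets`.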
@@ -43921,7 +43927,7 @@ index db75976..1ee08ec 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..d88f402 100644 +index 9dc60c6..6498859 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -43937,7 +43943,7 @@ index 9dc60c6..d88f402 100644 corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -44,79 +46,132 @@ template(`userdom_base_user_template',` +@@ -44,79 +46,133 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -44116,13 +44122,14 @@ index 9dc60c6..d88f402 100644 + + optional_policy(` + ssh_rw_stream_sockets($1_usertype) ++ ssh_rw_dgram_sockets($1_usertype) + ssh_delete_tmp($1_t) + ssh_signal($1_t) + ') ') ####################################### -@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',` +@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -44131,7 +44138,7 @@ index 9dc60c6..d88f402 100644 ############################## # # Domain access to home dir -@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',` +@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -44159,7 +44166,7 @@ index 9dc60c6..d88f402 100644 ') ####################################### -@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',` +@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; 
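Review bot: `ssh_rw_dgram_sockets($1_usertype)` (userdomain.if hunk at 44116) is granted to the whole `$1_usertype` attribute, while the two calls after it, `ssh_delete_tmp($1_t)` and `ssh_signal($1_t)`, are scoped to `$1_t`. It mirrors the `ssh_rw_stream_sockets($1_usertype)` line above, so the scope may be deliberate, but the hunk gives no reason why every type carrying the attribute needs read/write on the ssh module's datagram sockets. A one-line comment such as `# inherited from sshd at login; needed by all $1_usertype domains because <reason>` would record the intent, or the call could be narrowed to `$1_t` if only the login domain inherits the descriptor. The enclosing `optional_policy` block and template extend beyond the hunk.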
@@ -44171,7 +44178,7 @@ index 9dc60c6..d88f402 100644 ############################## # # Domain access to home dir -@@ -229,43 +268,46 @@ interface(`userdom_manage_home_role',` +@@ -229,43 +269,46 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -44235,7 +44242,7 @@ index 9dc60c6..d88f402 100644 ') ') -@@ -273,6 +315,82 @@ interface(`userdom_manage_home_role',` +@@ -273,6 +316,82 @@ interface(`userdom_manage_home_role',` ## ## Manage user temporary files ## @@ -44318,7 +44325,7 @@ index 9dc60c6..d88f402 100644 ## ## ## Role allowed access. -@@ -287,17 +405,65 @@ interface(`userdom_manage_home_role',` +@@ -287,17 +406,65 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -44389,7 +44396,7 @@ index 9dc60c6..d88f402 100644 ') ####################################### -@@ -317,11 +483,31 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,11 +484,31 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -44421,7 +44428,7 @@ index 9dc60c6..d88f402 100644 ## Role access for the user tmpfs type ## that the user has full access. ## -@@ -347,60 +533,45 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,60 +534,45 @@ interface(`userdom_exec_user_tmp_files',` ## # interface(`userdom_manage_tmpfs_role',` @@ -44502,7 +44509,7 @@ index 9dc60c6..d88f402 100644 ') ####################################### -@@ -431,6 +602,7 @@ template(`userdom_xwindows_client_template',` +@@ -431,6 +603,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) 
@@ -44510,7 +44517,7 @@ index 9dc60c6..d88f402 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -463,8 +635,8 @@ template(`userdom_change_password_template',` +@@ -463,8 +636,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -44521,7 +44528,7 @@ index 9dc60c6..d88f402 100644 ') ') -@@ -491,51 +663,68 @@ template(`userdom_common_user_template',` +@@ -491,51 +664,68 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -44604,8 +44611,8 @@ index 9dc60c6..d88f402 100644 + - fs_rw_cgroup_files($1_t) -+ ifdef(`enabled_mls',` -+ init_rw_tcp_sockets($1_usertype) ++ ifdef(`enable_mls',` ++ init_rw_tcp_sockets($1_t) + ') + + logging_send_syslog_msg($1_t) @@ -44614,7 +44621,7 @@ index 9dc60c6..d88f402 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +735,132 @@ template(`userdom_common_user_template',` +@@ -546,93 +736,132 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -44785,7 +44792,7 @@ index 9dc60c6..d88f402 100644 ') optional_policy(` -@@ -642,23 +870,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +871,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -44814,7 +44821,7 @@ index 9dc60c6..d88f402 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +897,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +898,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -44823,7 +44830,7 @@ index 9dc60c6..d88f402 100644 ') optional_policy(` -@@ -680,9 +906,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +907,9 @@ template(`userdom_common_user_template',` ') optional_policy(` 
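Review bot: With the macro name corrected to `enable_mls`, the `init_rw_tcp_sockets($1_t)` call in `userdom_common_user_template` (hunk at 44604) becomes live policy in MLS builds, apparently for the first time if `enabled_mls` was never defined by the build, and nothing explains why user domains need it. Because the template is shared by login users, the rule deserves a comment, e.g. `# MLS: user shell inherits the TCP socket of an sshd started from an init socket`, if that is indeed the reason. If the access is only an inherited descriptor that the user domain never uses, a dontaudit rule would be tighter than an allow; that cannot be decided from the hunk. The template body continues outside the hunk.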
@@ -44836,7 +44843,7 @@ index 9dc60c6..d88f402 100644 ') ') -@@ -693,32 +919,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +920,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -44883,7 +44890,7 @@ index 9dc60c6..d88f402 100644 ') ') -@@ -743,17 +972,32 @@ template(`userdom_common_user_template',` +@@ -743,17 +973,32 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -44920,7 +44927,7 @@ index 9dc60c6..d88f402 100644 userdom_change_password_template($1) -@@ -761,83 +1005,107 @@ template(`userdom_login_user_template', ` +@@ -761,83 +1006,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -45064,7 +45071,7 @@ index 9dc60c6..d88f402 100644 ') ####################################### -@@ -868,6 +1136,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1137,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -45077,7 +45084,7 @@ index 9dc60c6..d88f402 100644 ############################## # # Local policy -@@ -907,53 +1181,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1182,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -45233,7 +45240,7 @@ index 9dc60c6..d88f402 100644 ') ####################################### -@@ -987,27 +1345,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1346,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -45271,7 +45278,7 @@ index 9dc60c6..d88f402 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1382,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1383,63 @@ template(`userdom_unpriv_user_template', ` ') ') 
@@ -45345,7 +45352,7 @@ index 9dc60c6..d88f402 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1447,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1448,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -45356,7 +45363,7 @@ index 9dc60c6..d88f402 100644 ') ') -@@ -1079,7 +1485,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1486,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -45367,7 +45374,7 @@ index 9dc60c6..d88f402 100644 ') ############################## -@@ -1095,6 +1503,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1504,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -45375,7 +45382,7 @@ index 9dc60c6..d88f402 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1514,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1515,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -45392,7 +45399,7 @@ index 9dc60c6..d88f402 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1531,7 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1532,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -45400,7 +45407,7 @@ index 9dc60c6..d88f402 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1549,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1550,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) 
@@ -45416,7 +45423,7 @@ index 9dc60c6..d88f402 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1568,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1569,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -45461,7 +45468,7 @@ index 9dc60c6..d88f402 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1611,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1612,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -45470,7 +45477,7 @@ index 9dc60c6..d88f402 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1620,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1621,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -45493,7 +45500,7 @@ index 9dc60c6..d88f402 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1670,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1671,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -45502,7 +45509,7 @@ index 9dc60c6..d88f402 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1680,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1681,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -45511,7 +45518,7 @@ index 9dc60c6..d88f402 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1694,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1695,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -45523,7 +45530,7 @@ index 9dc60c6..d88f402 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1708,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1709,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -45566,7 +45573,7 @@ index 9dc60c6..d88f402 100644 ') optional_policy(` -@@ -1357,14 +1793,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1794,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -45585,7 +45592,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -1397,12 +1836,51 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1837,51 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -45638,7 +45645,7 @@ index 9dc60c6..d88f402 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +1987,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1988,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -45670,7 +45677,7 @@ index 9dc60c6..d88f402 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2053,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2054,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -45685,7 +45692,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -1570,9 +2076,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2077,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -45697,7 +45704,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -1613,6 +2121,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2122,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -45722,7 +45729,7 @@ index 9dc60c6..d88f402 100644 ## Relabel to user home directories. ## ## -@@ -1629,6 +2155,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2156,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -45765,7 +45772,7 @@ index 9dc60c6..d88f402 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1704,10 +2266,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2267,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -45780,7 +45787,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -1741,10 +2305,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2306,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45795,7 +45802,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -1769,7 +2335,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2336,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -45804,7 +45811,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -1777,19 +2343,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2344,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -45828,7 +45835,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -1797,55 +2361,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2362,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -45899,7 +45906,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -1853,18 +2417,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2418,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -45927,7 +45934,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -1872,41 +2437,178 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,41 +2438,178 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -46121,7 +46128,7 @@ index 9dc60c6..d88f402 100644 ## ## # -@@ -1938,7 +2640,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2641,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -46130,7 +46137,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -1946,10 +2648,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2649,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -46143,7 +46150,7 @@ index 9dc60c6..d88f402 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2659,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2660,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -46152,7 +46159,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -1966,12 +2667,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2668,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -46221,7 +46228,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -2007,8 +2762,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2763,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -46231,7 +46238,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -2024,20 +2778,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2779,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -46256,7 +46263,7 @@ index 9dc60c6..d88f402 100644 ######################################## ## -@@ -2120,7 +2868,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2869,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -46265,7 +46272,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -2128,19 +2876,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2877,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -46289,7 +46296,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -2148,12 +2894,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2895,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -46305,7 +46312,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -2388,18 +3134,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3135,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -46363,7 +46370,7 @@ index 9dc60c6..d88f402 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3196,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3197,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -46372,7 +46379,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -2455,6 +3237,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3238,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -46398,7 +46405,7 @@ index 9dc60c6..d88f402 100644 ######################################## ## -@@ -2538,7 +3339,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3340,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -46407,7 +46414,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -2546,19 +3347,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3348,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -46430,7 +46437,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -2566,19 +3367,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3368,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -46453,7 +46460,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -2586,12 +3387,53 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,12 +3388,53 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # @@ -46509,7 +46516,7 @@ index 9dc60c6..d88f402 100644 files_search_tmp($1) ') -@@ -2661,6 +3503,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3504,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -46531,7 +46538,7 @@ index 9dc60c6..d88f402 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3529,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3530,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` 
@@ -46553,7 +46560,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -2692,19 +3544,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3545,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -46576,7 +46583,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -2713,13 +3559,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3560,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -46637,7 +46644,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -2814,6 +3703,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3704,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -46662,7 +46669,7 @@ index 9dc60c6..d88f402 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3739,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3740,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -46705,7 +46712,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -2856,14 +3775,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3776,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -46743,7 +46750,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -2882,8 +3820,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3821,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -46773,7 +46780,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -2955,69 +3912,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3913,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
@@ -46874,7 +46881,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -3025,12 +3981,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3982,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -46889,7 +46896,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -3094,7 +4050,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4051,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -46898,7 +46905,7 @@ index 9dc60c6..d88f402 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4066,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4067,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -46932,7 +46939,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -3214,7 +4154,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4155,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -46959,7 +46966,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -3269,12 +4227,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4228,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46975,7 +46982,7 @@ index 9dc60c6..d88f402 100644 ## ## ## -@@ -3282,49 +4241,125 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,49 +4242,125 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -47115,7 +47122,7 @@ index 9dc60c6..d88f402 100644 ') ######################################## -@@ -3382,6 +4417,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4418,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -47158,7 +47165,7 @@ index 9dc60c6..d88f402 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4473,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4474,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -47219,7 +47226,7 @@ index 9dc60c6..d88f402 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4560,1687 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4561,1687 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 65eb716..4961b09 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -6,19 +6,21 @@ index 0000000..bea5755 @@ -0,0 +1 @@ +TAGS diff --git a/abrt.fc b/abrt.fc -index 1a93dc5..f2b26f5 100644 +index 1a93dc5..7a7d67e 100644 --- a/abrt.fc 
+++ b/abrt.fc -@@ -1,31 +1,46 @@ +@@ -1,31 +1,48 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) ++HOME_DIR/\.config/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) -/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) -/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) ++/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) ++/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) ++ +/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0) + +/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) @@ -7809,7 +7811,7 @@ index 1a7a97e..2c7252a 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..5ce1846 100644 +index 7fd431b..e9c4c5a 100644 --- a/apm.te +++ b/apm.te @@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) 
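Review bot: The added file context `HOME_DIR/\.config/abrt(/.*)?` in abrt.fc puts a user-writable directory under `abrt_etc_t`, the same type this hunk uses for `/etc/abrt`, so any rule written for system-wide ABRT configuration would apply equally to files a user controls. The allow rules for `abrt_etc_t` are not in this hunk, so which domains can read or manage that type should be checked before merging; a separate home-content type would keep the two trust levels apart. The %changelog entry in selinux-policy.spec also names `~/.abrt/` while the pattern labels `~/.config/abrt`; I would reword it to `- Label ~/.config/abrt/ as abrt_etc_t. BZ(1199658)`.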
@@ -7838,11 +7840,13 @@ index 7fd431b..5ce1846 100644 domain_use_interactive_fds(apm_t) -@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t) +@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t) + # Server local policy # - allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; +-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; ++allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource }; +dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; @@ -40233,10 +40237,10 @@ index 0000000..b9347fa +') diff --git a/kmscon.te b/kmscon.te new file mode 100644 -index 0000000..be3d5d6 +index 0000000..32a9e13 --- /dev/null +++ b/kmscon.te -@@ -0,0 +1,86 @@ +@@ -0,0 +1,88 @@ +# KMSCon SELinux policy module +# Contributed by Lubomir Rintel + @@ -40280,6 +40284,8 @@ index 0000000..be3d5d6 +list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t) +read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t) + ++kernel_read_system_state(kmscon_t) ++ +auth_read_passwd(kmscon_t) + +dev_rw_dri(kmscon_t) @@ -66883,7 +66889,7 @@ index 30e751f..61feb3a 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..18872dc 100644 +index 3078ce9..c57d1cf 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -66923,7 +66929,7 @@ index 3078ce9..18872dc 100644 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t) +@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t) fs_getattr_all_fs(plymouthd_t) 
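Review bot: The apm.te hunk widens `allow apmd_t self:capability` with `sys_resource`, and nothing on the page says why: the 3.13.1-121 %changelog lists only the kmscon, abrt and xdm_t changes. `sys_resource` lets a process exceed resource limits and quotas, so the denial that motivated it should be recorded, for example with a changelog line such as `- Allow apmd_t sys_resource capability. BZ(<bug id>)` (placeholder id). The same applies to `term_use_usb_ttys(plymouthd_t)` added in the plymouthd.te hunk further down, which is also absent from the changelog. If either came from a single AVC seen during testing, a narrower rule or a `dontaudit` may be enough.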
@@ -66933,15 +66939,16 @@ index 3078ce9..18872dc 100644 term_getattr_pty_fs(plymouthd_t) term_use_all_terms(plymouthd_t) term_use_ptmx(plymouthd_t) - --miscfiles_read_localization(plymouthd_t) ++term_use_usb_ttys(plymouthd_t) ++ +init_signal(plymouthd_t) + +logging_link_generic_logs(plymouthd_t) +logging_delete_generic_logs(plymouthd_t) + +auth_use_nsswitch(plymouthd_t) -+ + +-miscfiles_read_localization(plymouthd_t) miscfiles_read_fonts(plymouthd_t) miscfiles_manage_fonts_cache(plymouthd_t) @@ -66955,7 +66962,7 @@ index 3078ce9..18872dc 100644 ') optional_policy(` -@@ -90,35 +96,37 @@ optional_policy(` +@@ -90,35 +97,37 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index d2edc54..de73929 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 120%{?dist} +Release: 121%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 30 2015 Lukas Vrabec 3.13.1-121 +- Allow kmscon to read system state. BZ (1206871) +- Label ~/.abrt/ as abrt_etc_t. BZ(1199658) +- Allow xdm_t to read colord_var_lib_t files. BZ(1201985) + * Mon Mar 23 2015 Lukas Vrabec 3.13.1-120 - Allow mysqld_t to use pam. BZ(1196104) - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)