++##
++## Determine whether lsmd_plugin can
++## connect to all TCP ports.
++##
++##
++gen_tunable(lsmd_plugin_connect_any, false)
+
+type lsmd_t;
+type lsmd_exec_t;
@@ -39295,6 +39314,7 @@ index 0000000..5a9d09d
+#
+
+allow lsmd_plugin_t self:udp_socket create_socket_perms;
++allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms;
+
+domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t)
+allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write };
@@ -39306,12 +39326,22 @@ index 0000000..5a9d09d
+manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t)
+files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir })
+
++tunable_policy(`lsmd_plugin_connect_any',`
++ corenet_tcp_connect_all_ports(lsmd_plugin_t)
++ corenet_sendrecv_all_packets(lsmd_plugin_t)
++ corenet_tcp_sendrecv_all_ports(lsmd_plugin_t)
++')
++
+kernel_read_system_state(lsmd_plugin_t)
+
+dev_read_urand(lsmd_plugin_t)
+
+corecmd_exec_bin(lsmd_plugin_t)
+
++corenet_tcp_connect_http_port(lsmd_plugin_t)
++corenet_tcp_connect_http_cache_port(lsmd_plugin_t)
++corenet_tcp_connect_ssh_port(lsmd_plugin_t)
++
+init_stream_connect(lsmd_plugin_t)
+init_dontaudit_rw_stream_socket(lsmd_plugin_t)
+
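Review bot: `corenet_tcp_connect_ssh_port(lsmd_plugin_t)` is granted unconditionally in the same hunk that introduces the `lsmd_plugin_connect_any` tunable for broader connectivity; outbound SSH from a storage-management plugin is a much wider reach than the HTTP/HTTP-cache connects (presumably the array REST APIs), so it should either carry a justification, e.g. `# some array plugins manage targets over ssh — confirm`, or move under the tunable. Stylistically, refpolicy places `tunable_policy` blocks after the plain interface calls and before the `optional_policy` blocks, not between the tmp rules and `kernel_read_system_state`; moving the block down keeps this module consistent with its neighbours. The tunable's `false` default is declared in the preceding hunk at the top of this chunk, and the lsmd_plugin_t rule block continues past this hunk.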
@@ -43699,7 +43729,7 @@ index 6194b80..03c6414 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..055286f 100644
+index 6a306ee..405e285 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -44145,7 +44175,7 @@ index 6a306ee..055286f 100644
')
optional_policy(`
-@@ -300,259 +326,241 @@ optional_policy(`
+@@ -300,259 +326,243 @@ optional_policy(`
########################################
#
@@ -44159,7 +44189,7 @@ index 6a306ee..055286f 100644
+dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
+
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
++allow mozilla_plugin_t self:process { setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
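Review bot: The `setcap` added to the `mozilla_plugin_t self:process` rule has no comment explaining what triggers it; `setcap` lets the domain change its own capability sets via capset(), and since the domain is granted no capabilities here (the rules above only dontaudit `sys_admin ipc_lock sys_nice sys_tty_config` and `block_suspend`), its realistic effect is to let a plugin sandbox helper drop or adjust its bounding/inheritable sets — but that is my inference, not something the hunk shows. Add a comment such as `# setcap: plugin sandbox helper adjusts its own capability sets (capset) — confirm which plugin` so the next reviewer can tell a needed grant from AVC-driven noise. The mozilla_plugin_t block continues beyond this hunk.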
@@ -44244,6 +44274,8 @@ index 6a306ee..055286f 100644
kernel_request_load_module(mozilla_plugin_t)
kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+files_dontaudit_read_root_files(mozilla_plugin_t)
++kernel_dontaudit_list_all_proc(mozilla_plugin_t)
++kernel_dontaudit_list_all_sysctls(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -44536,7 +44568,7 @@ index 6a306ee..055286f 100644
')
optional_policy(`
-@@ -560,7 +568,11 @@ optional_policy(`
+@@ -560,7 +570,11 @@ optional_policy(`
')
optional_policy(`
@@ -44549,7 +44581,7 @@ index 6a306ee..055286f 100644
')
optional_policy(`
-@@ -568,108 +580,131 @@ optional_policy(`
+@@ -568,108 +582,131 @@ optional_policy(`
')
optional_policy(`
@@ -48076,7 +48108,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..c75403e 100644
+index 9f6179e..699587e 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -48249,7 +48281,7 @@ index 9f6179e..c75403e 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -153,29 +160,24 @@ optional_policy(`
+@@ -153,29 +160,25 @@ optional_policy(`
#######################################
#
@@ -48259,6 +48291,7 @@ index 9f6179e..c75403e 100644
-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
++dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
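Review bot: The new `dontaudit mysqld_safe_t self:capability sys_ptrace;` has no comment saying what triggers it; the usual source is the kernel's CAP_SYS_PTRACE check when a process reads /proc/<pid>/ entries belonging to other processes (mysqld_safe is a shell script that shells out to ps and similar), which is harmless to deny, but a dontaudit also hides the AVC if a real need ever appears. Add `# CAP_SYS_PTRACE probe from reading other processes' /proc entries (ps); harmless to deny — confirm` above the rule so the silence is deliberate and reviewable. The mysqld_safe_t block continues beyond this hunk.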
@@ -48287,7 +48320,7 @@ index 9f6179e..c75403e 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +185,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -48323,7 +48356,7 @@ index 9f6179e..c75403e 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -205,7 +215,7 @@ optional_policy(`
+@@ -205,7 +216,7 @@ optional_policy(`
########################################
#
@@ -48332,7 +48365,7 @@ index 9f6179e..c75403e 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +224,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -48350,7 +48383,7 @@ index 9f6179e..c75403e 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -226,31 +237,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -50027,7 +50060,7 @@ index 0e8508c..647712a 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..a732e30 100644
+index 0b48a30..f031bc6 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -50395,7 +50428,7 @@ index 0b48a30..a732e30 100644
+ systemd_write_inhibit_pipes(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_dbus_chat_logind(NetworkManager_t)
-+ systemd_hostnamed_read_config(NetworkManager_t)
++ systemd_hostnamed_manage_config(NetworkManager_t)
+')
+
+optional_policy(`
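Review bot: Replacing `systemd_hostnamed_read_config` with `systemd_hostnamed_manage_config` widens NetworkManager_t from reading the hostnamed configuration to creating, writing, renaming and deleting it, and nothing records why direct write access is needed; NetworkManager normally applies a DHCP-supplied hostname through hostnamed over D-Bus rather than editing the file itself, and `systemd_dbus_chat_logind` in the same block shows the D-Bus route is already in use for systemd services. If the file write is genuinely required, add `# NM rewrites the hostname file directly when hostnamed is not available — confirm` above the call; otherwise the corresponding hostnamed D-Bus chat interface would be the tighter grant. The enclosing optional_policy block opens before this hunk.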
@@ -58853,10 +58886,10 @@ index 0000000..ba24b40
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..d21c5d7
+index 0000000..3bd4aa3
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,196 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -58963,6 +58996,7 @@ index 0000000..d21c5d7
+fs_getattr_all_fs(pcp_pmcd_t)
+fs_getattr_all_dirs(pcp_pmcd_t)
+fs_list_cgroup_dirs(pcp_pmcd_t)
++fs_read_cgroup_files(pcp_pmcd_t)
+
+logging_send_syslog_msg(pcp_pmcd_t)
+
@@ -59031,11 +59065,14 @@ index 0000000..d21c5d7
+#
+
+allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
+
++logging_send_syslog_msg(pcp_pmie_t)
++
+########################################
+#
+# pcp_pmlogger local policy
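Review bot: `allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };` is very likely redundant with the `logging_send_syslog_msg(pcp_pmie_t)` added in the same hunk, since that interface in refpolicy (and the Fedora policy this patch targets) already allows the caller `self:unix_dgram_socket` create and sendto for talking to /dev/log. If pmie uses a datagram socket for something other than syslog, keep the explicit rule and say so in a comment, e.g. `# pmie sends UDP/dgram notifications independently of syslog — confirm`; otherwise drop it so the interface stays the single source of that grant.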
@@ -60819,10 +60856,10 @@ index 0000000..848ddc9
+')
diff --git a/pkcsslotd.te b/pkcsslotd.te
new file mode 100644
-index 0000000..2ce92e0
+index 0000000..a82ca85
--- /dev/null
+++ b/pkcsslotd.te
-@@ -0,0 +1,67 @@
+@@ -0,0 +1,69 @@
+policy_module(pkcsslotd, 1.0.0)
+
+########################################
@@ -60890,6 +60927,8 @@ index 0000000..2ce92e0
+auth_read_passwd(pkcsslotd_t)
+
+logging_send_syslog_msg(pkcsslotd_t)
++
++userdom_read_all_users_state(pkcsslotd_t)
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 0000000..726d992
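Review bot: `userdom_read_all_users_state(pkcsslotd_t)` lets the slot daemon read the /proc state (status, cmdline, maps and so on) of every process in every user domain, which is wide for a daemon that, as far as I can tell, only needs to know whether processes registered in its shared-memory segment are still alive; if liveness is all it needs, a getattr/search-only access or a dontaudit on a harmless probe would be narrower. Whatever is kept should carry a comment stating the need, e.g. `# pkcsslotd checks that processes holding token sessions still exist — confirm`, since nothing in the hunk explains the grant. This is the tail of the pkcsslotd_t block, which starts before the hunk.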
@@ -72601,7 +72640,7 @@ index 2c3d338..cf3e5ad 100644
########################################
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..b475e72 100644
+index 3698b51..5240406 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -72623,7 +72662,7 @@ index 3698b51..b475e72 100644
allow rabbitmq_beam_t self:process { setsched signal signull };
allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,50 +43,88 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+@@ -38,50 +43,84 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -72661,35 +72700,35 @@ index 3698b51..b475e72 100644
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
- corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
- corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
++corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
++corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
++corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
++corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
++corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
-dev_read_sysfs(rabbitmq_beam_t)
-+corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-+
-+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
-+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-+
+domain_read_all_domains_state(rabbitmq_beam_t)
-+
+
+-files_read_etc_files(rabbitmq_beam_t)
+auth_read_passwd(rabbitmq_beam_t)
+auth_use_pam(rabbitmq_beam_t)
-+
-+files_getattr_all_mountpoints(rabbitmq_beam_t)
--files_read_etc_files(rabbitmq_beam_t)
+-miscfiles_read_localization(rabbitmq_beam_t)
++files_getattr_all_mountpoints(rabbitmq_beam_t)
++
+fs_getattr_all_fs(rabbitmq_beam_t)
+fs_getattr_all_dirs(rabbitmq_beam_t)
+fs_getattr_cgroup(rabbitmq_beam_t)
+fs_search_cgroup_dirs(rabbitmq_beam_t)
-
--miscfiles_read_localization(rabbitmq_beam_t)
-+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
+
+dev_read_sysfs(rabbitmq_beam_t)
+dev_read_urand(rabbitmq_beam_t)
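Review bot: The one genuinely new grant in this resort is `corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)` (the other moved lines are the existing amqp/couchdb/jabber rules reordered alphabetically), and nothing says which RabbitMQ component makes an outbound connection to the jabber inter-server port; the existing bind rules on the jabber ports presumably serve plugin listeners, but initiating connections is a different capability. Add a comment naming the plugin or clustering path that needs it, e.g. `# <plugin> connects to peer brokers on the jabber_interserver port — confirm`, or drop it if it came from a one-off AVC. The rabbitmq_beam_t block continues beyond this hunk.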
@@ -72702,8 +72741,6 @@ index 3698b51..b475e72 100644
+
+optional_policy(`
+ couchdb_manage_files(rabbitmq_beam_t)
-+ couchdb_manage_lib_files(rabbitmq_beam_t)
-+ couchdb_read_conf_files(rabbitmq_beam_t)
+')
+
+optional_policy(`
@@ -72719,7 +72756,7 @@ index 3698b51..b475e72 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -89,6 +132,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+@@ -89,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
@@ -72728,7 +72765,7 @@ index 3698b51..b475e72 100644
corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-@@ -99,8 +144,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -74619,10 +74656,10 @@ index 9a8f052..3baa71a 100644
')
diff --git a/redis.fc b/redis.fc
new file mode 100644
-index 0000000..638d6b4
+index 0000000..741b785
--- /dev/null
+++ b/redis.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
@@ -74634,6 +74671,7 @@ index 0000000..638d6b4
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
++/var/run/redis\.sock -- gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
new file mode 100644
index 0000000..2640ab5
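Review bot: The new entry `/var/run/redis\.sock -- gen_context(system_u:object_r:redis_var_run_t,s0)` uses the `--` file-type flag, which matches only regular files, so restorecon/setfiles will never apply redis_var_run_t to the unix socket that path names; a socket needs `-s`. Change it to `/var/run/redis\.sock -s gen_context(system_u:object_r:redis_var_run_t,s0)`. The existing `/var/run/redis(/.*)?` pattern does not cover `redis.sock` (it requires a slash after `redis`), so the separate entry is still needed once the flag is fixed.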
@@ -74908,10 +74946,10 @@ index 0000000..2640ab5
+')
diff --git a/redis.te b/redis.te
new file mode 100644
-index 0000000..e5e9cf7
+index 0000000..51cd1fe
--- /dev/null
+++ b/redis.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,64 @@
+policy_module(redis, 1.0.0)
+
+########################################
@@ -74959,6 +74997,8 @@ index 0000000..e5e9cf7
+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
++files_pid_filetrans(redis_t, redis_var_run_t, { sock_file })
+
+kernel_read_system_state(redis_t)
+
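Review bot: `files_pid_filetrans(redis_t, redis_var_run_t, { sock_file })` labels every socket redis_t creates directly in /var/run as redis_var_run_t; if this policy's `files_pid_filetrans` accepts the optional filename argument (as the refpolicy version with named transitions does) and the socket name is fixed by the unit or default config, the name-based form `files_pid_filetrans(redis_t, redis_var_run_t, sock_file, "redis.sock")` matches the path added to redis.fc and keeps the transition tight. In either case the braces around a single class are unnecessary: `sock_file` alone. The redis_t block continues beyond this hunk.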
@@ -80451,7 +80491,7 @@ index 0628d50..e9dbd7e 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..ce45f0c 100644
+index 5cbe81c..be4fc7f 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -80856,7 +80896,7 @@ index 5cbe81c..ce45f0c 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,41 +385,69 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,70 @@ ifdef(`distro_redhat',`
')
')
@@ -80894,6 +80934,7 @@ index 5cbe81c..ce45f0c 100644
- ')
+ optional_policy(`
+ systemd_dbus_chat_logind(rpm_script_t)
++ systemd_dbus_chat_timedated(rpm_script_t)
+ ')
+')
+
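Review bot: `systemd_dbus_chat_timedated(rpm_script_t)` lets any package scriptlet drive timedated over D-Bus (time, timezone, NTP state), and the hunk does not say which scriptlet needs that; rpm_script_t is already very broad, but each dbus_chat grant should still name its consumer so it can be revisited. Add `# <package> %post applies the configured timezone through timedated — confirm` above the call, and consider whether it belongs next to a package-specific optional_policy rather than the generic systemd block. The optional_policy block it sits in begins before this hunk.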
@@ -80936,7 +80977,7 @@ index 5cbe81c..ce45f0c 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +459,6 @@ optional_policy(`
+@@ -409,6 +460,6 @@ optional_policy(`
')
optional_policy(`
@@ -84233,10 +84274,10 @@ index 0000000..b7db254
+# Empty
diff --git a/sandbox.if b/sandbox.if
new file mode 100644
-index 0000000..8a6ad19
+index 0000000..89bc443
--- /dev/null
+++ b/sandbox.if
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,57 @@
+
+##