diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 0dc040b..5144752 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -174,11 +174,11 @@ bind = module rpcbind = module # Layer: contrib -# Module: rng +# Module: rngd # # Daemon used to feed random data from hardware device to kernel random device # -rng = module +rngd = module # Layer: services # Module: bitlbee diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 9978ecb..e75a369 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -114011,7 +114011,7 @@ index 8796ca3..0cabe1f 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..5060977 100644 +index e1e814d..cbcb4aa 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -115512,7 +115512,7 @@ index e1e814d..5060977 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6467,3 +7403,439 @@ interface(`files_unconfined',` +@@ -6467,3 +7403,459 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -115952,6 +115952,26 @@ index e1e814d..5060977 100644 + read_files_pattern($1, base_ro_file_type, base_ro_file_type) + read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) +') ++ ++######################################## ++## ++## Allow the specified domain to modify the systemd configuration of ++## any file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_config_all_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ allow $1 file_type:service all_service_perms; ++') ++ diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 52ef84e..45cb0bc 100644 --- a/policy/modules/kernel/files.te 
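Review bot: `files_config_all_files` hands `$1` every permission in `all_service_perms` on the service class for every type carrying the `file_type` attribute, which is a blanket grant over all systemd units rather than the narrow "config" permission the name suggests, and this diff later applies it to system_dbusd_t in dbus.te. The interface summary, "modify the systemd configuration of any file", does not describe that rule; if the intent is a stop-gap, say so in the header, e.g. `## Allow the specified domain every systemd service permission on any file type (temporary workaround; prefer a per-module interface).` The rule is about the systemd service class, so the kernel-layer files module may not be its best home; a note on why it lives here would help the next maintainer. The `files.te` hunk that follows on this line is cut off at the end of SOURCE.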
@@ -124912,7 +124932,7 @@ index 130ced9..af3532c 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..8e37e5c 100644 +index d40f750..fa7e3cb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -125441,7 +125461,7 @@ index d40f750..8e37e5c 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +591,25 @@ files_list_mnt(xdm_t) +@@ -430,9 +591,26 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -125455,6 +125475,7 @@ index d40f750..8e37e5c 100644 fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) ++fs_search_all(xdm_t) +fs_rw_anon_inodefs_files(xdm_t) +fs_mount_tmpfs(xdm_t) +fs_list_inotifyfs(xdm_t) @@ -125467,7 +125488,7 @@ index d40f750..8e37e5c 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +618,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +619,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -125512,7 +125533,7 @@ index d40f750..8e37e5c 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +661,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -125562,7 +125583,7 @@ index d40f750..8e37e5c 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +711,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +712,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` 
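Review bot: `fs_search_all(xdm_t)` in the `@@ -430,9 +591,26 @@` hunk of xserver.te lets the display manager search directories on every filesystem type the policy declares, not just the one whose denial presumably motivated it; the changelog entry ("Allow xdm to search all file systems") gives no specific case. If a single filesystem was involved, the matching `fs_search_*` interface keeps xdm's reach narrow; otherwise a comment next to the rule naming the trigger, `# xdm walks mount points across all fs types: [BUG-ID]`, records why the broad form was chosen. The xdm_t rule section continues outside this hunk.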
@@ -125584,7 +125605,7 @@ index d40f750..8e37e5c 100644 ') optional_policy(` -@@ -514,12 +733,65 @@ optional_policy(` +@@ -514,12 +734,65 @@ optional_policy(` ') optional_policy(` @@ -125650,7 +125671,7 @@ index d40f750..8e37e5c 100644 hostname_exec(xdm_t) ') -@@ -537,28 +809,74 @@ optional_policy(` +@@ -537,28 +810,74 @@ optional_policy(` ') optional_policy(` @@ -125734,7 +125755,7 @@ index d40f750..8e37e5c 100644 ') optional_policy(` -@@ -570,6 +888,14 @@ optional_policy(` +@@ -570,6 +889,14 @@ optional_policy(` ') optional_policy(` @@ -125749,7 +125770,7 @@ index d40f750..8e37e5c 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +920,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +921,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -125762,7 +125783,7 @@ index d40f750..8e37e5c 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +937,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +938,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -125778,7 +125799,7 @@ index d40f750..8e37e5c 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +964,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +965,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -125800,7 +125821,7 @@ index d40f750..8e37e5c 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +984,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +985,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -125814,7 +125835,7 @@ index d40f750..8e37e5c 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1010,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1011,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -125846,7 +125867,7 @@ index d40f750..8e37e5c 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1042,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1043,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -125860,7 +125881,7 @@ index d40f750..8e37e5c 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1061,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1062,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -125884,7 +125905,7 @@ index d40f750..8e37e5c 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1126,40 @@ optional_policy(` +@@ -775,16 +1127,40 @@ optional_policy(` ') optional_policy(` @@ -125926,7 +125947,7 @@ index d40f750..8e37e5c 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1168,10 @@ optional_policy(` +@@ -793,6 +1169,10 @@ optional_policy(` ') optional_policy(` 
@@ -125937,7 +125958,7 @@ index d40f750..8e37e5c 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1187,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1188,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -125951,7 +125972,7 @@ index d40f750..8e37e5c 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1198,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1199,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -125960,7 +125981,7 @@ index d40f750..8e37e5c 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1211,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1212,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -125995,7 +126016,7 @@ index d40f750..8e37e5c 100644 ') optional_policy(` -@@ -859,6 +1233,10 @@ optional_policy(` +@@ -859,6 +1234,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -126006,7 +126027,7 @@ index d40f750..8e37e5c 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1280,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1281,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -126015,7 +126036,7 @@ index d40f750..8e37e5c 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1334,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1335,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -126047,7 +126068,7 @@ index d40f750..8e37e5c 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1380,44 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1381,44 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -137338,10 +137359,10 @@ index 0000000..0d6acca + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..05da975 +index 0000000..f474076 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,444 @@ +@@ -0,0 +1,442 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -137768,8 +137789,6 @@ index 0000000..05da975 +logging_send_syslog_msg(systemd_logger_t) +logging_stream_connect_syslog(systemd_logger_t) + -+ -+ +######################################## +# +# systemd_sysctl domains local policy diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index ad94e53..19bd039 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -8949,7 +8949,7 @@ index bbac14a..99c5cca 100644 + ') diff --git a/clamav.te b/clamav.te -index a10350e..cf360c2 100644 +index a10350e..789ac95 100644 --- a/clamav.te +++ b/clamav.te @@ -1,9 +1,23 @@ 
@@ -9133,12 +9133,13 @@ index a10350e..cf360c2 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -196,27 +246,30 @@ dev_read_urand(freshclam_t) +@@ -196,27 +246,31 @@ dev_read_urand(freshclam_t) domain_use_interactive_fds(freshclam_t) -files_read_etc_files(freshclam_t) files_read_etc_runtime_files(freshclam_t) ++files_read_usr_files(freshclam_t) auth_use_nsswitch(freshclam_t) @@ -9171,7 +9172,7 @@ index a10350e..cf360c2 100644 ######################################## # # clamscam local policy -@@ -242,15 +295,38 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +296,38 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -9211,7 +9212,7 @@ index a10350e..cf360c2 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -259,15 +335,19 @@ files_search_var_lib(clamscan_t) +@@ -259,15 +336,19 @@ files_search_var_lib(clamscan_t) init_read_utmp(clamscan_t) init_dontaudit_write_utmp(clamscan_t) @@ -15382,7 +15383,7 @@ index fb4bf82..126d543 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 625cb32..530fbfa 100644 +index 625cb32..90ad9da 100644 --- a/dbus.te +++ b/dbus.te @@ -10,6 +10,7 @@ gen_require(` 
@@ -15498,14 +15499,17 @@ index 625cb32..530fbfa 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -150,12 +182,159 @@ optional_policy(` +@@ -150,12 +182,162 @@ optional_policy(` ') optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) ++# These are caused by broken systemd patch + systemd_start_power_services(system_dbusd_t) ++ systemd_config_all_services(system_dbusd_t) ++ files_config_all_files(system_dbusd_t) +') + +optional_policy(` @@ -24670,10 +24674,10 @@ index 4fde46b..3cece7c 100644 policykit_domtrans_auth(gnomeclock_t) policykit_read_lib(gnomeclock_t) diff --git a/gpg.fc b/gpg.fc -index 5207fc2..a7848a2 100644 +index 5207fc2..c02fa56 100644 --- a/gpg.fc +++ b/gpg.fc -@@ -1,6 +1,10 @@ +@@ -1,10 +1,13 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0) @@ -24684,6 +24688,10 @@ index 5207fc2..a7848a2 100644 /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) +-/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) + /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) + + /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) diff --git a/gpg.if b/gpg.if index 6d50300..2f0feca 100644 --- a/gpg.if @@ -44321,7 +44329,7 @@ index 9759ed8..17c097d 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 86700ed..ac3821e 100644 +index 86700ed..5772ef0 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -1,4 +1,4 @@ 
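Review bot: The comment `# These are caused by broken systemd patch` sits at column 0 inside the indented `optional_policy` block in dbus.te and is placed above `systemd_start_power_services`, so it is unclear whether it covers that line or only the two new ones, and it cites no bug or tracker for the "broken patch" that is supposed to make these rules go away. Together `systemd_config_all_services(system_dbusd_t)` and `files_config_all_files(system_dbusd_t)` let the system bus daemon exercise every service permission on every unit, which is the kind of grant that tends to outlive its workaround. Indent the comment to match the block and tie it to the fix it waits on, e.g. `	# TODO: drop once systemd [BUG-ID] is fixed; these give dbus all service perms on every unit`. The optional_policy block continues outside this hunk.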
@@ -44353,7 +44361,15 @@ index 86700ed..ac3821e 100644 type plymouthd_var_run_t; files_pid_file(plymouthd_var_run_t) -@@ -42,6 +46,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) +@@ -28,6 +32,7 @@ files_pid_file(plymouthd_var_run_t) + # + + allow plymouthd_t self:capability { sys_admin sys_tty_config }; ++allow plymouthd_t self:capability2 block_suspend; + dontaudit plymouthd_t self:capability dac_override; + allow plymouthd_t self:process { signal getsched }; + allow plymouthd_t self:fifo_file rw_fifo_file_perms; +@@ -42,6 +47,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) @@ -44364,7 +44380,7 @@ index 86700ed..ac3821e 100644 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -57,13 +65,42 @@ dev_write_framebuffer(plymouthd_t) +@@ -57,13 +66,42 @@ dev_write_framebuffer(plymouthd_t) domain_use_interactive_fds(plymouthd_t) @@ -44408,7 +44424,7 @@ index 86700ed..ac3821e 100644 ######################################## # # Plymouth private policy -@@ -74,6 +111,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +112,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -44416,7 +44432,7 @@ index 86700ed..ac3821e 100644 domain_use_interactive_fds(plymouth_t) -@@ -81,7 +119,6 @@ files_read_etc_files(plymouth_t) +@@ -81,7 +120,6 @@ files_read_etc_files(plymouth_t) term_use_ptmx(plymouth_t) 
@@ -54163,6 +54179,129 @@ index 16304ec..3293b25 100644 ') optional_policy(` +diff --git a/rngd.fc b/rngd.fc +new file mode 100644 +index 0000000..f6be09d +--- /dev/null ++++ b/rngd.fc +@@ -0,0 +1,6 @@ ++ ++/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0) ++ ++/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) +diff --git a/rngd.if b/rngd.if +new file mode 100644 +index 0000000..8b505d5 +--- /dev/null ++++ b/rngd.if +@@ -0,0 +1,62 @@ ++## Check and feed random data from hardware device to kernel random device. ++ ++######################################## ++## ++## Execute rngd in the rngd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rng_systemctl_rngd',` ++ gen_require(` ++ type rngd_t, rngd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 rngd_unit_file_t:file read_file_perms; ++ allow $1 rngd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rngd_t) ++') ++ ++######################################## ++## ++## All of the rules required to ++## administrate an rng environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`rng_admin',` ++ gen_require(` ++ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t; ++ ') ++ ++ allow $1 rngd_t:process signal_perms; ++ ps_process_pattern($1, rngd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rngd_t:process ptrace; ++ ') ++ ++ init_labeled_script_domtrans($1, rngd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 rngd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ rng_systemctl($1) ++ admin_pattern($1, rngd_unit_file_t) ++ allow $1 rngd_unit_file_t:service all_service_perms; ++') +diff --git a/rngd.te b/rngd.te +new file mode 100644 +index 0000000..bbd9fbc +--- /dev/null ++++ b/rngd.te +@@ -0,0 +1,37 @@ ++policy_module(rngd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rngd_t; ++type rngd_exec_t; ++init_daemon_domain(rngd_t, rngd_exec_t) ++ ++type rngd_initrc_exec_t; ++init_script_file(rngd_initrc_exec_t) ++ ++type rngd_unit_file_t; ++systemd_unit_file(rngd_unit_file_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++allow rngd_t self:capability sys_admin; ++allow rngd_t self:process { signal }; ++allow rngd_t self:fifo_file rw_fifo_file_perms; ++allow rngd_t self:unix_stream_socket create_stream_socket_perms; ++ ++dev_read_rand(rngd_t) ++dev_read_urand(rngd_t) ++dev_rw_tpm(rngd_t) ++dev_write_rand(rngd_t) ++ ++files_read_etc_files(rngd_t) ++ ++logging_send_syslog_msg(rngd_t) ++ ++miscfiles_read_localization(rngd_t) diff --git a/roundup.if b/roundup.if index 30c4b75..e07c2ff 100644 --- a/roundup.if @@ -66120,7 +66259,7 @@ index 93975d6..bd248ce 100644 init_labeled_script_domtrans($1, varnishd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/varnishd.te b/varnishd.te -index f9310f3..c321cd2 100644 +index f9310f3..b4dafb7 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; 
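Review bot: `rng_admin` in rngd.if calls `rng_systemctl($1)`, but the interface declared earlier in the same file is `rng_systemctl_rngd`, so any module that invokes rng_admin will fail on an undefined interface; change the call to `rng_systemctl_rngd($1)` (or rename the interface, and consider the `rngd_` prefix now that the module itself is named rngd in modules-targeted-contrib.conf). The summary on rng_systemctl_rngd, "Execute rngd in the rngd domain", does not match its body, which grants systemctl execution and `manage_service_perms` on rngd_unit_file_t; `## Execute systemctl to manage the rngd service.` describes it. In rngd.te, `allow rngd_t self:capability sys_admin;` is the broadest rule in the new module and deserves a why-comment, e.g. `# adding entropy via the random device ioctls requires CAP_SYS_ADMIN`, if that is indeed the reason.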
@@ -66141,6 +66280,15 @@ index f9310f3..c321cd2 100644 ######################################## # +@@ -52,7 +52,7 @@ files_type(varnishlog_log_t) + + allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; + dontaudit varnishd_t self:capability sys_tty_config; +-allow varnishd_t self:process signal; ++allow varnishd_t self:process { execmem signal }; + allow varnishd_t self:fifo_file rw_fifo_file_perms; + allow varnishd_t self:tcp_socket create_stream_socket_perms; + allow varnishd_t self:udp_socket create_socket_perms; @@ -87,14 +87,14 @@ corenet_tcp_connect_http_port(varnishd_t) dev_read_urand(varnishd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 63a7336..9dd59e5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 36%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,6 +521,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Oct 11 2012 Miroslav Grepl 3.11.1-37 +- Allow xdm to search all file systems +- Add interface to allow the config of all files +- Add rngd policy +- Remove kgpg as a gpg_exec_t type +- Allow plymouthd to block suspend +- Allow systemd_dbus to config any file +- Allow system_dbus_t to configure all services +- Allow freshclam_t to read usr_files +- varnishd requires execmem to load modules + * Thu Oct 11 2012 Miroslav Grepl 3.11.1-36 - Allow semanage to verify types - Allow sudo domain to execute user home files
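Review bot: `allow varnishd_t self:process { execmem signal };` lets a network-facing daemon map memory that is both writable and executable, giving up the W^X guarantee the rest of its policy relies on, and nothing in varnishd.te records why; only the spec changelog says it is needed to load modules. Put the reason beside the rule so it is not silently kept once no longer needed, e.g. `# execmem: varnishd loads modules at runtime (see changelog 3.11.1-37)`. The selinux-policy.spec hunk on this line is a version bump and changelog entry and needs no change.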