diff --git a/policy-F16.patch b/policy-F16.patch index d69b112..207bd6d 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -2572,15 +2572,16 @@ index 95bce88..1a53b7b 100644 optional_policy(` hostname_exec(shorewall_t) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if -index d0604cf..15311b4 100644 +index d0604cf..95c53c5 100644 --- a/policy/modules/admin/shutdown.if +++ b/policy/modules/admin/shutdown.if -@@ -18,9 +18,12 @@ interface(`shutdown_domtrans',` +@@ -18,9 +18,13 @@ interface(`shutdown_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, shutdown_exec_t, shutdown_t) + optional_policy(` + systemd_exec_systemctl($1) ++ init_stream_connect($1) + ') + ifdef(`hide_broken_symptoms', ` @@ -2590,7 +2591,7 @@ index d0604cf..15311b4 100644 ') ') -@@ -51,6 +54,73 @@ interface(`shutdown_run',` +@@ -51,6 +55,73 @@ interface(`shutdown_run',` ######################################## ## @@ -6950,7 +6951,7 @@ index fbb5c5a..83fc139 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..d4c78ac 100644 +index 2e9318b..68929b9 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -7097,7 +7098,7 @@ index 2e9318b..d4c78ac 100644 tunable_policy(`allow_execmem',` allow mozilla_plugin_t self:process { execmem execstack }; -@@ -425,6 +445,11 @@ optional_policy(` +@@ -425,7 +445,13 @@ optional_policy(` ') optional_policy(` @@ -7107,9 +7108,11 @@ index 2e9318b..d4c78ac 100644 + +optional_policy(` gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ') -@@ -438,7 +463,14 @@ optional_policy(` + optional_policy(` +@@ -438,7 +464,14 @@ optional_policy(` ') optional_policy(` 
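Review bot: In the shutdown.if hunk, the added `init_stream_connect($1)` gives every domain that calls `shutdown_domtrans` a direct stream connection to init, not only `shutdown_t`, and nothing in the block says why. If the grant is there because the caller runs systemctl in its own domain through the `systemd_exec_systemctl($1)` line above it, record that in a comment such as `# systemctl runs in the caller's domain and talks to init over its socket`. That is my reading of the two lines, not something the hunk states. The interface body continues outside the hunk, so a narrower existing grant may not be visible here.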
@@ -7125,7 +7128,7 @@ index 2e9318b..d4c78ac 100644 ') optional_policy(` -@@ -446,10 +478,27 @@ optional_policy(` +@@ -446,10 +479,27 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -10691,7 +10694,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..51756fc 100644 +index 3fae11a..f8f940f 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -97,8 +97,6 @@ ifdef(`distro_redhat',` @@ -10850,18 +10853,19 @@ index 3fae11a..51756fc 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -293,8 +298,9 @@ ifdef(`distro_gentoo',` +@@ -293,8 +298,10 @@ ifdef(`distro_gentoo',` /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0) ++/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) +/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -307,9 +313,8 @@ ifdef(`distro_redhat', ` +@@ -307,9 +314,8 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -10872,7 +10876,7 @@ index 3fae11a..51756fc 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +324,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +325,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -10884,7 +10888,7 @@ index 3fae11a..51756fc 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,7 +370,7 @@ ifdef(`distro_redhat', ` +@@ -363,7 +371,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -10893,7 +10897,7 @@ index 3fae11a..51756fc 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +382,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +383,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -10904,7 +10908,7 @@ index 3fae11a..51756fc 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +393,4 @@ ifdef(`distro_suse', ` +@@ -385,3 +394,4 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -19658,10 +19662,10 @@ index 0000000..8b2cdf3 + 
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..f88b087 +index 0000000..a55926b --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,533 @@ +@@ -0,0 +1,531 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19754,6 +19758,8 @@ index 0000000..f88b087 +storage_filetrans_all_named_dev(unconfined_t) +term_filetrans_all_named_dev(unconfined_t) + ++authlogin_filetrans_named_content(unconfined_t) ++ +sysnet_etc_filetrans_config(unconfined_t, "resolv.conf") +sysnet_etc_filetrans_config(unconfined_t, "denyhosts") +sysnet_etc_filetrans_config(unconfined_t, "hosts") @@ -19925,10 +19931,6 @@ index 0000000..f88b087 +') + +optional_policy(` -+ cron_unconfined_role(unconfined_r, unconfined_t) -+') -+ -+optional_policy(` + chrome_role_notrans(unconfined_r, unconfined_usertype) + + tunable_policy(`unconfined_chrome_sandbox_transition',` @@ -25891,8 +25893,25 @@ index dad226c..7617c53 100644 logging_send_syslog_msg(cgred_t) miscfiles_read_localization(cgred_t) +diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc +index fd8cd0b..46678a2 100644 +--- a/policy/modules/services/chronyd.fc ++++ b/policy/modules/services/chronyd.fc +@@ -2,8 +2,12 @@ + + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) + ++/lib/systemd/system/chonyd\.service -- gen_context(system_u:object_r:chronyd_unit_t,s0) ++ + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) + + /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) + /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) + /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) ++/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) ++/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0) 
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if -index 9a0da94..2ede737 100644 +index 9a0da94..f599a70 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` @@ -25920,7 +25939,7 @@ index 9a0da94..2ede737 100644 #################################### ## ## Execute chronyd -@@ -56,6 +74,64 @@ interface(`chronyd_read_log',` +@@ -56,6 +74,103 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') @@ -25982,10 +26001,49 @@ index 9a0da94..2ede737 100644 + append_files_pattern($1, chronyd_keys_t, chronyd_keys_t) +') + ++######################################## ++## ++## Execute chronyd server in the chronyd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`chronyd_systemctl',` ++ gen_require(` ++ type chronyd_unit_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 chronyd_unit_t:file read_file_perms; ++ allow $1 chronyd_unit_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Connect to chronyd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`chronyd_stream_connect',` ++ gen_require(` ++ type chronyd_t, chronyd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ++') ++ #################################### ## ## All of the rules required to administrate -@@ -75,9 +151,9 @@ interface(`chronyd_read_log',` +@@ -75,9 +190,9 @@ interface(`chronyd_read_log',` # interface(`chronyd_admin',` gen_require(` @@ -25998,7 +26056,7 @@ index 9a0da94..2ede737 100644 ') allow $1 chronyd_t:process { ptrace signal_perms }; -@@ -88,18 +164,17 @@ interface(`chronyd_admin',` +@@ -88,18 +203,19 @@ interface(`chronyd_admin',` role_transition $2 chronyd_initrc_exec_t system_r; allow $2 system_r; 
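Review bot: Two of the new file-context patterns in chronyd.fc look mistyped. `/lib/systemd/system/chonyd\.service` is missing the `r`, so a unit file named chronyd.service would not match it and would not get `chronyd_unit_t`, the type that the `chronyd_systemctl` interface added in this commit keys its allow rules on. It should read `/lib/systemd/system/chronyd\.service`. `/var/run/chronyd(/.*)` has no trailing `?`, unlike the `/var/lib/chrony(/.*)?` and `/var/log/chrony(/.*)?` entries beside it, so the directory itself is not covered by the entry; `/var/run/chronyd(/.*)?` is presumably what was meant.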
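Review bot: The header comment on the new `chronyd_systemctl` interface does not describe what it grants. The summary reads "Execute chronyd server in the chronyd domain" and the parameter "Domain allowed to transition", but the body calls `systemd_exec_systemctl($1)` and allows `read_file_perms` on `chronyd_unit_t:file` plus `all_service_perms` on `chronyd_unit_t:service`. A summary such as `Execute systemctl and control the chronyd service unit.` with the parameter described as `Domain allowed access.` would match the body. Going by its name, `all_service_perms` is the full service permission set, so callers such as `gnomeclock_t` later in this commit may need less than they receive; the hunk does not show which operations they use.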
@@ -26021,22 +26079,27 @@ index 9a0da94..2ede737 100644 - files_search_tmp($1) - admin_pattern($1, chronyd_tmp_t) + admin_pattern($1, chronyd_tmpfs_t) ++ ++ chronyd_sysemctl($1) ') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te -index fa82327..db20d26 100644 +index fa82327..4b32348 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te -@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t) +@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t) type chronyd_keys_t; files_type(chronyd_keys_t) +type chronyd_tmpfs_t; +files_tmpfs_file(chronyd_tmpfs_t) + ++type chronyd_unit_t; ++systemd_unit_file(chronyd_unit_t) ++ type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -34,9 +37,14 @@ allow chronyd_t self:process { getcap setcap setrlimit }; +@@ -34,9 +40,14 @@ allow chronyd_t self:process { getcap setcap setrlimit }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:udp_socket create_socket_perms; allow chronyd_t self:unix_dgram_socket create_socket_perms; @@ -26051,9 +26114,13 @@ index fa82327..db20d26 100644 manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -@@ -50,6 +58,11 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) +@@ -48,8 +59,14 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir }) + + manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) - files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) +-files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) ++manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) ++files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) +kernel_read_system_state(chronyd_t) + 
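Review bot: `chronyd_admin` now ends with `chronyd_sysemctl($1)`, but the interface this commit adds is spelled `chronyd_systemctl`, and no interface with the misspelled name is visible in the patch. As written the admin domain would not receive the systemctl and unit-file permissions, and depending on how the build treats an unknown macro name the module may fail to compile. The line should be `chronyd_systemctl($1)`. The body of `chronyd_admin` begins outside this hunk.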
@@ -26063,7 +26130,7 @@ index fa82327..db20d26 100644 corenet_udp_bind_ntp_port(chronyd_t) # bind to udp/323 corenet_udp_bind_chronyd_port(chronyd_t) -@@ -63,6 +76,8 @@ logging_send_syslog_msg(chronyd_t) +@@ -63,6 +80,8 @@ logging_send_syslog_msg(chronyd_t) miscfiles_read_localization(chronyd_t) @@ -29108,7 +29175,7 @@ index 305ddf4..173cd16 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..a3a6265 100644 +index 0f28095..e6225d3 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -29183,7 +29250,15 @@ index 0f28095..a3a6265 100644 ') ') -@@ -315,6 +315,14 @@ optional_policy(` +@@ -311,10 +311,22 @@ optional_policy(` + ') + + optional_policy(` ++ kerberos_manage_host_rcache(cupsd_t) ++') ++ ++optional_policy(` + logrotate_domtrans(cupsd_t) ') optional_policy(` @@ -29198,7 +29273,7 @@ index 0f28095..a3a6265 100644 mta_send_mail(cupsd_t) ') -@@ -371,8 +379,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +383,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -29209,7 +29284,7 @@ index 0f28095..a3a6265 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -393,6 +402,10 @@ dev_read_sysfs(cupsd_config_t) +@@ -393,6 +406,10 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -29220,7 +29295,7 @@ index 0f28095..a3a6265 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +438,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +442,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) 
@@ -29234,7 +29309,7 @@ index 0f28095..a3a6265 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +466,10 @@ optional_policy(` +@@ -453,6 +470,10 @@ optional_policy(` ') optional_policy(` @@ -29245,7 +29320,7 @@ index 0f28095..a3a6265 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +484,10 @@ optional_policy(` +@@ -467,6 +488,10 @@ optional_policy(` ') optional_policy(` @@ -29256,7 +29331,7 @@ index 0f28095..a3a6265 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,13 +608,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +612,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -29276,7 +29351,7 @@ index 0f28095..a3a6265 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +631,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +635,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') @@ -29287,7 +29362,7 @@ index 0f28095..a3a6265 100644 ######################################## # # HPLIP local policy -@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +672,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -29296,7 +29371,7 @@ index 0f28095..a3a6265 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +718,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) 
@@ -29304,7 +29379,7 @@ index 0f28095..a3a6265 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -30278,7 +30353,7 @@ index 418a5a0..c25fbdc 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..0d4a2ea 100644 +index f706b99..13d3a35 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -30318,10 +30393,28 @@ index f706b99..0d4a2ea 100644 ## Send to devicekit over a unix domain ## datagram socket. ## -@@ -81,6 +99,27 @@ interface(`devicekit_dbus_chat_disk',` +@@ -81,6 +99,45 @@ interface(`devicekit_dbus_chat_disk',` ######################################## ## ++## Use file descriptors for devicekit_disk. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_use_fds_disk',` ++ gen_require(` ++ type devicekit_disk_t; ++ ') ++ ++ allow $1 devicekit_disk_t:fd use; ++') ++ ++######################################## ++## +## Dontaudit Send and receive messages from +## devicekit disk over dbus. +## @@ -30346,7 +30439,7 @@ index f706b99..0d4a2ea 100644 ## Send signal devicekit power ## ## -@@ -118,6 +157,62 @@ interface(`devicekit_dbus_chat_power',` +@@ -118,6 +175,62 @@ interface(`devicekit_dbus_chat_power',` allow devicekit_power_t $1:dbus send_msg; ') @@ -30409,7 +30502,7 @@ index f706b99..0d4a2ea 100644 ######################################## ## ## Read devicekit PID files. -@@ -139,22 +234,52 @@ interface(`devicekit_read_pid_files',` +@@ -139,22 +252,52 @@ interface(`devicekit_read_pid_files',` ######################################## ## 
@@ -30469,7 +30562,7 @@ index f706b99..0d4a2ea 100644 ## ## ## -@@ -165,21 +290,21 @@ interface(`devicekit_admin',` +@@ -165,21 +308,21 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -34638,7 +34731,7 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..a710ddc 100644 +index 4fde46b..983ab3e 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te @@ -9,24 +9,32 @@ type gnomeclock_t; @@ -34677,10 +34770,14 @@ index 4fde46b..a710ddc 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,12 +43,48 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +43,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` ++ chronyd_systemctl(gnomeclock_t) ++') ++ ++optional_policy(` + clock_domtrans(gnomeclock_t) +') + @@ -34700,7 +34797,7 @@ index 4fde46b..a710ddc 100644 + ntp_domtrans_ntpdate(gnomeclock_t) + ntp_initrc_domtrans(gnomeclock_t) + init_dontaudit_getattr_all_script_files(gnomeclock_t) -+ ntp_sysctl(gnomeclock_t) ++ ntp_systemctl(gnomeclock_t) +') + +optional_policy(` @@ -34788,10 +34885,21 @@ index a627b34..c4cfc6d 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te -index 03742d8..c65263e 100644 +index 03742d8..6ba7c74 100644 --- a/policy/modules/services/gpsd.te 
+++ b/policy/modules/services/gpsd.te -@@ -43,9 +43,11 @@ corenet_all_recvfrom_netlabel(gpsd_t) +@@ -24,8 +24,8 @@ files_pid_file(gpsd_var_run_t) + # gpsd local policy + # + +-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config }; +-allow gpsd_t self:process setsched; ++allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; ++allow gpsd_t self:process { setsched signal_perms }; + allow gpsd_t self:shm create_shm_perms; + allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; + allow gpsd_t self:tcp_socket create_stream_socket_perms; +@@ -43,9 +43,13 @@ corenet_all_recvfrom_netlabel(gpsd_t) corenet_tcp_sendrecv_generic_if(gpsd_t) corenet_tcp_sendrecv_generic_node(gpsd_t) corenet_tcp_sendrecv_all_ports(gpsd_t) @@ -34801,14 +34909,17 @@ index 03742d8..c65263e 100644 +dev_read_sysfs(gpsd_t) + ++domain_dontaudit_read_all_domains_state(gpsd_t) ++ term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) -@@ -56,6 +58,10 @@ logging_send_syslog_msg(gpsd_t) +@@ -56,6 +60,11 @@ logging_send_syslog_msg(gpsd_t) miscfiles_read_localization(gpsd_t) optional_policy(` + chronyd_rw_shm(gpsd_t) ++ chronyd_stream_connect(gpsd_t) +') + +optional_policy(` @@ -41104,7 +41215,7 @@ index 15448d5..b6b42c1 100644 +/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_t,s0) +/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if -index abe3f7f..3d2be3e 100644 +index abe3f7f..fe15a7d 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` @@ -41170,7 +41281,7 @@ index abe3f7f..3d2be3e 100644 +## +## +# -+interface(`nis_sysctl_ypbind',` ++interface(`nis_systemctl_ypbind',` + gen_require(` + type ypbind_unit_t; + ') 
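Review bot: The `gpsd_t` self rules in gpsd.te gain the `sys_time` capability, which lets the daemon set the system clock, and `signal_perms` alongside `setsched`, with no comment explaining either. The same commit also gives gpsd `chronyd_rw_shm` and `chronyd_stream_connect`, which suggests time is meant to be handed to chronyd rather than set directly, though that is an inference from the interface names. A one-line comment above the capability rule naming the gpsd feature that needs `sys_time` would let a later reviewer decide whether the grant can be dropped. The same applies to the `domain_dontaudit_read_all_domains_state(gpsd_t)` line in the next hunk, which silences denials rather than explaining them.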
@@ -41190,7 +41301,7 @@ index abe3f7f..3d2be3e 100644 +## +## +# -+interface(`nis_sysctl',` ++interface(`nis_systemctl',` + gen_require(` + type nis_unit_t; + ') @@ -41222,7 +41333,7 @@ index abe3f7f..3d2be3e 100644 files_list_pids($1) admin_pattern($1, ypbind_var_run_t) -+ nis_sysctl_ypbind($1) ++ nis_systemctl_ypbind($1) admin_pattern($1, yppasswdd_var_run_t) @@ -41230,7 +41341,7 @@ index abe3f7f..3d2be3e 100644 admin_pattern($1, ypserv_tmp_t) admin_pattern($1, ypserv_var_run_t) -+ nis_sysctl($1) ++ nis_systemctl($1) ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index 4876cae..5f29ad9 100644 @@ -41545,7 +41656,7 @@ index e79dccc..50202ef 100644 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..766d99c 100644 +index e80f8c0..aaa2e79 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -98,6 +98,45 @@ interface(`ntp_initrc_domtrans',` @@ -41581,7 +41692,7 @@ index e80f8c0..766d99c 100644 +## +## +# -+interface(`ntp_sysctl',` ++interface(`ntp_systemctl',` + gen_require(` + type ntpd_unit_t; + ') @@ -41639,7 +41750,7 @@ index e80f8c0..766d99c 100644 files_list_pids($1) admin_pattern($1, ntpd_var_run_t) + -+ ntp_sysctl($1) ++ ntp_systemctl($1) ') diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index c61adc8..09bb140 100644 @@ -58731,7 +58842,7 @@ index 28ad538..5b765ce 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..0fe2836 100644 +index 73554ec..197fa07 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
@@ -59132,6 +59243,40 @@ index 73554ec..0fe2836 100644 ') ######################################## +@@ -1659,3 +1796,33 @@ interface(`auth_unconfined',` + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; + ') ++ ++######################################## ++## ++## Transition to authlogin named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authlogin_filetrans_named_content',` ++ gen_require(` ++ type shadow_t; ++ type faillog_t; ++ type wtmp_t; ++ ') ++ ++ files_etc_filetrans($1, shadow_t, file, "shadow") ++ files_etc_filetrans($1, shadow_t, file, "shadow-") ++ files_etc_filetrans($1, shadow_t, file, ".pwd.lock") ++ files_etc_filetrans($1, shadow_t, file, "gshadow") ++ files_var_filetrans($1, shadow_t, file, "shadow") ++ files_var_filetrans($1, shadow_t, file, "shadow-") ++ logging_log_named_filetrans($1, faillog_t, file, "tallylog") ++ logging_log_named_filetrans($1, faillog_t, file, "faillog") ++ logging_log_named_filetrans($1, faillog_t, file, "btmp") ++ files_pid_filetrans($1, faillog_t, file, "faillog") ++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") ++') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index b7a5f00..a53db2b 100644 --- a/policy/modules/system/authlogin.te @@ -59671,7 +59816,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..26c973e 100644 +index 94fd8dd..3e8f08e 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,42 @@ interface(`init_script_domain',` 
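Review bot: The new interface in authlogin.if is named `authlogin_filetrans_named_content`, while the other interfaces visible in that file use the `auth_` prefix (`auth_use_pam`, `auth_unconfined`). `auth_filetrans_named_content` would match, with the call added to unconfineduser.te renamed to suit. The summary, "Transition to authlogin named content", also does not say what gets labelled. The body assigns `shadow_t` to files named `shadow`, `shadow-`, `.pwd.lock` and `gshadow` through `files_etc_filetrans` (and `shadow`/`shadow-` through `files_var_filetrans`), `faillog_t` to `tallylog`, `faillog` and `btmp`, and `wtmp_t` to `wtmp`. A summary such as `Create shadow, faillog and wtmp files with their private types by name.` would show which sensitive types a caller ends up able to create.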
@@ -59767,17 +59912,17 @@ index 94fd8dd..26c973e 100644 typeattribute $2 direct_init_entry; - userdom_dontaudit_use_user_terminals($1) -+# userdom_dontaudit_use_user_terminals($1) - ') - +- ') +- - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') -- ') -- ++# userdom_dontaudit_use_user_terminals($1) + ') + - optional_policy(` - nscd_socket_use($1) + tunable_policy(`init_upstart || init_systemd',` @@ -59917,7 +60062,7 @@ index 94fd8dd..26c973e 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +589,48 @@ interface(`init_sigchld',` +@@ -519,10 +589,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -59951,6 +60096,24 @@ index 94fd8dd..26c973e 100644 + +###################################### +## ++## Dontaudit getattr to init with a unix socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_getattr_stream_socket',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dontaudit $1 init_t:unix_stream_socket getattr; ++') ++ ++###################################### ++## +## Dontaudit read and write to init with a unix socket. +## +## @@ -59968,7 +60131,7 @@ index 94fd8dd..26c973e 100644 ') ######################################## -@@ -688,19 +796,25 @@ interface(`init_telinit',` +@@ -688,19 +814,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -59995,7 +60158,7 @@ index 94fd8dd..26c973e 100644 ') ') -@@ -730,7 +844,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +862,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -60004,7 +60167,7 @@ index 94fd8dd..26c973e 100644 ## ## # -@@ -773,18 +887,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +905,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` 
@@ -60028,7 +60191,7 @@ index 94fd8dd..26c973e 100644 ') ') -@@ -800,19 +915,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +933,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -60051,11 +60214,11 @@ index 94fd8dd..26c973e 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -60068,13 +60231,17 @@ index 94fd8dd..26c973e 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -868,9 +1005,14 @@ interface(`init_script_file_domtrans',` ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -60089,7 +60256,7 @@ index 94fd8dd..26c973e 100644 files_search_etc($1) ') -@@ -1079,6 +1221,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1239,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -60114,7 +60281,7 @@ index 94fd8dd..26c973e 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1290,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1308,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -60128,7 +60295,7 @@ index 94fd8dd..26c973e 100644 ') ######################################## -@@ -1375,6 +1530,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1548,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from 
@@ -60156,7 +60323,7 @@ index 94fd8dd..26c973e 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1637,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1655,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -60182,7 +60349,7 @@ index 94fd8dd..26c973e 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1714,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1732,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -60207,7 +60374,7 @@ index 94fd8dd..26c973e 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1586,6 +1799,24 @@ interface(`init_read_utmp',` +@@ -1586,6 +1817,24 @@ interface(`init_read_utmp',` ######################################## ## @@ -60232,7 +60399,7 @@ index 94fd8dd..26c973e 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1674,7 +1905,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1923,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -60241,7 +60408,7 @@ index 94fd8dd..26c973e 100644 ') ######################################## -@@ -1715,6 +1946,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1964,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -60370,7 +60537,7 @@ index 94fd8dd..26c973e 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2102,156 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2120,156 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -62667,10 +62834,74 @@ index 02f4c97..cd16709 100644 + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 831b909..57064ad 100644 +index 831b909..efe1038 100644 
--- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if -@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',` +@@ -491,6 +491,63 @@ interface(`logging_log_filetrans',` + filetrans_pattern($1, var_log_t, $2, $3) + ') + ++####################################### ++## ++## Create an object in the log directory, with a private type. ++## ++## ++##

++## Allow the specified domain to create an object ++## in the general system log directories (e.g., /var/log) ++## with a private type. Typically this is used for creating ++## private log files in /var/log with the private type instead ++## of the general system log type. To accomplish this goal, ++## either the program must be SELinux-aware, or use this interface. ++##

++##

++## Related interfaces: ++##

++##
    ++##
  • logging_log_file()
  • ++##
++##

++## Example usage with a domain that can create ++## and append to a private log file stored in the ++## general directories (e.g., /var/log): ++##

++##

++## type mylogfile_t; ++## logging_log_file(mylogfile_t) ++## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; ++## logging_log_filetrans(mydomain_t, mylogfile_t, file) ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++# ++interface(`logging_log_named_filetrans',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ files_search_var($1) ++ filetrans_pattern($1, var_log_t, $2, $3, $4) ++') ++ + ######################################## + ## + ## Send system log messages. +@@ -545,6 +602,44 @@ interface(`logging_send_syslog_msg',` ######################################## ## @@ -62715,7 +62946,7 @@ index 831b909..57064ad 100644 ## Read the auditd configuration files. ## ## -@@ -734,7 +772,25 @@ interface(`logging_append_all_logs',` +@@ -734,7 +829,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -62742,7 +62973,7 @@ index 831b909..57064ad 100644 ') ######################################## -@@ -817,7 +873,7 @@ interface(`logging_manage_all_logs',` +@@ -817,7 +930,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -62751,7 +62982,7 @@ index 831b909..57064ad 100644 ') ######################################## -@@ -843,6 +899,44 @@ interface(`logging_read_generic_logs',` +@@ -843,6 +956,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -62796,7 +63027,7 @@ index 831b909..57064ad 100644 ## Write generic log files. ## ## -@@ -990,6 +1084,7 @@ interface(`logging_admin_syslog',` +@@ -990,6 +1141,7 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -62804,7 +63035,7 @@ index 831b909..57064ad 100644 allow $1 syslogd_t:process { ptrace signal_perms }; allow $1 klogd_t:process { ptrace signal_perms }; ps_process_pattern($1, syslogd_t) -@@ -1015,6 +1110,8 @@ interface(`logging_admin_syslog',` +@@ -1015,6 +1167,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
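Review bot: `logging_log_named_filetrans` passes four arguments to `filetrans_pattern($1, var_log_t, $2, $3, $4)`, but its header documents only three parameters (the domain, the type of the object, and the object class). The file name in `$4` is undocumented. The description and example appear to be carried over from `logging_log_filetrans`, and the example still calls `logging_log_filetrans(mydomain_t, mylogfile_t, file)`. Add a fourth parameter entry along the lines of `The name of the object being created.` and change the example to the named form with a file name argument.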
@@ -63474,7 +63705,7 @@ index 9c0faab..dd6530e 100644 ## loading modules. ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index a0eef20..223af54 100644 +index a0eef20..8b724a5 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,11 +18,12 @@ type insmod_t; @@ -63584,7 +63815,7 @@ index a0eef20..223af54 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -161,11 +175,17 @@ files_write_kernel_modules(insmod_t) +@@ -161,11 +175,18 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -63599,10 +63830,11 @@ index a0eef20..223af54 100644 init_use_script_ptys(insmod_t) +init_spec_domtrans_script(insmod_t) +init_rw_script_tmp_files(insmod_t) ++init_dontaudit_getattr_stream_socket(insmod_t) logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t) +@@ -174,8 +195,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -63612,25 +63844,26 @@ index a0eef20..223af54 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -187,28 +206,23 @@ optional_policy(` +@@ -187,28 +207,27 @@ optional_policy(` ') optional_policy(` - firstboot_dontaudit_rw_pipes(insmod_t) - firstboot_dontaudit_rw_stream_sockets(insmod_t) -+ firstboot_dontaudit_leaks(insmod_t) ++ devicekit_use_fds_disk(insmod_t) ') optional_policy(` - hal_write_log(insmod_t) -+ firewallgui_dontaudit_rw_pipes(insmod_t) ++ firstboot_dontaudit_leaks(insmod_t) ') optional_policy(` - hotplug_search_config(insmod_t) --') -- --optional_policy(` ++ firewallgui_dontaudit_rw_pipes(insmod_t) + ') + + optional_policy(` - mount_domtrans(insmod_t) + hal_write_log(insmod_t) ') 
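Review bot: The added `init_dontaudit_getattr_stream_socket(insmod_t)` line in the insmod_t rules silences a denial without recording why the denial occurs. A dontaudit rule keeps the AVC record out of the audit log, so someone later investigating module-loading activity will not see insmod_t touching init's stream socket unless dontaudit rules are switched off (`semodule -DB`). I would add a one-line comment above the call, for example `# getattr on init_t's unix_stream_socket seen from insmod; presumably an inherited descriptor`, with the cause confirmed before it is stated as fact. The insmod_t rule block starts and ends outside this hunk.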
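Review bot: The new `devicekit_use_fds_disk(insmod_t)` block adds an allow rule for what the changelog calls fds leaked from devicekit, while the firstboot and firewallgui blocks right after it handle leaks with dontaudit interfaces (`firstboot_dontaudit_leaks`, `firewallgui_dontaudit_rw_pipes`). insmod_t is the domain that loads kernel modules, so each extra allow on it should carry a stated reason. If insmod never needs the descriptor, a dontaudit form would match the neighbouring blocks, and the leak itself is better fixed in devicekit by marking the descriptor close-on-exec. The interface body is not visible here, so this assumes it grants only `fd use` on the devicekit disk domain. If the allow is intended, a comment such as `# devicekit-disk leaks fds into insmod; fd use only` above the call would record that.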
@@ -63646,7 +63879,7 @@ index a0eef20..223af54 100644 ') optional_policy(` -@@ -231,11 +245,15 @@ optional_policy(` +@@ -231,11 +250,15 @@ optional_policy(` ') optional_policy(` @@ -63663,7 +63896,7 @@ index a0eef20..223af54 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -296,7 +314,7 @@ logging_send_syslog_msg(update_modules_t) +@@ -296,7 +319,7 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) @@ -65727,7 +65960,7 @@ index ff80d0a..752e031 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..7564ed4 100644 +index 34d0ec5..ac52258 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -65878,7 +66111,7 @@ index 34d0ec5..7564ed4 100644 +optional_policy(` + nis_initrc_domtrans_ypbind(dhcpc_t) nis_read_ypbind_pid(dhcpc_t) -+ nis_sysctl_ypbind(dhcpc_t) ++ nis_systemctl_ypbind(dhcpc_t) ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 4ea9766..cca2336 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Wed Aug 24 2011 Miroslav Grepl 3.10.0-21
+- Allow insmod_t to use fds leaked from devicekit
+- dontaudit getattr between insmod_t and init_t unix_stream_sockets
+- Change sysctl unit file interfaces to use systemctl
+- Add support for chronyd unit file
+- Allow mozilla_plugin to read gnome_usr_config
+- Add policy for new gpsd
+- Allow cups to create kerberos rhost cache files
+- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
+
 * Tue Aug 23 2011 Dan Walsh 3.10.0-20
 - Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten