Index: refpolicy-2.20210203/policy/modules/admin/acct.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/acct.te
+++ refpolicy-2.20210203/policy/modules/admin/acct.te
@@ -57,6 +57,7 @@ init_use_fds(acct_t)
 init_use_script_ptys(acct_t)
 init_exec_script_files(acct_t)
 
+logging_search_logs(acct_t)
 logging_send_syslog_msg(acct_t)
 
 miscfiles_read_localization(acct_t)
Index: refpolicy-2.20210203/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210203/policy/modules/admin/bootloader.te
@@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t)
 allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
+allow bootloader_t self:netlink_selinux_socket connected_socket_perms;
 
 allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
@@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
 kernel_getattr_core_if(bootloader_t)
+kernel_read_crypto_sysctls(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
@@ -106,6 +108,7 @@ domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
 files_getattr_default_dirs(bootloader_t)
+files_getattr_lost_found_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
@@ -152,8 +155,12 @@ miscfiles_read_localization(bootloader_t
 
 mount_rw_runtime_files(bootloader_t)
 
+selinux_get_enforce_mode(bootloader_t)
 selinux_getattr_fs(bootloader_t)
+selinux_search_fs(bootloader_t)
+selinux_use_status_page(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
+seutil_read_config(bootloader_t)
 seutil_read_file_contexts(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
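Review bot: `seutil_read_config(bootloader_t)` on L50 appears to make `seutil_dontaudit_search_config(bootloader_t)` on L53 dead — reading files under the SELinux config directory already needs (and, by the interface's usual definition, grants) search on that directory, so the dontaudit no longer suppresses anything. Either drop L53, or, if bootloader_t only probes the config and works without it, keep the dontaudit and drop the allow. Four SELinux-related grants (L45, L47, L48, L50) arrive in one hunk with no rationale; a one-line comment above L45 naming the bootloader helper that queries enforce mode and the status page would save the next reviewer a trip through the audit log.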
Index: refpolicy-2.20210203/policy/modules/admin/brctl.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/brctl.te
+++ refpolicy-2.20210203/policy/modules/admin/brctl.te
@@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
 # Local policy
 #
 
-allow brctl_t self:capability net_admin;
+allow brctl_t self:capability { net_admin sys_module };
 allow brctl_t self:fifo_file rw_fifo_file_perms;
 allow brctl_t self:unix_stream_socket create_stream_socket_perms;
 allow brctl_t self:unix_dgram_socket create_socket_perms;
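Review bot: `sys_module` on L63 gives brctl_t the capability to load kernel modules outright, which is far wider than the bridge-module autoload it presumably triggers. This patch already shows the two narrower idioms: `kernel_request_load_module(sysadm_t)` (L186) for the request_module path, and `dontaudit dhcpc_t self:capability { dac_read_search sys_module };` (L455) for a tool that merely probes for the capability. Prefer keeping `allow brctl_t self:capability net_admin;` and adding `kernel_request_load_module(brctl_t)` plus `dontaudit brctl_t self:capability sys_module;`, unless brctl is known to call init_module itself.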
Index: refpolicy-2.20210203/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210203/policy/modules/admin/logrotate.te
@@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t)
 init_stream_connect(logrotate_t)
 init_manage_all_units(logrotate_t)
 
+libs_exec_lib_files(logrotate_t)
+
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
Index: refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/cdrecord.fc
+++ refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
@@ -1,3 +1,4 @@
 /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/cdrskin	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 /usr/bin/growisofs	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 /usr/bin/wodim	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
Index: refpolicy-2.20210203/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210203/policy/modules/apps/games.te
@@ -92,7 +92,9 @@ optional_policy(`
 allow games_t self:fifo_file rw_fifo_file_perms;
 allow games_t self:sem create_sem_perms;
 allow games_t self:tcp_socket { accept listen };
+allow games_t self:process getsched;
 
+manage_dirs_pattern(games_t, games_data_t, games_data_t)
 manage_files_pattern(games_t, games_data_t, games_data_t)
 manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
 
@@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t)
 
 manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
 manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+allow games_t games_tmp_t:file map;
+
 files_tmp_filetrans(games_t, games_tmp_t, { file dir })
 
 manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
@@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t)
 corenet_sendrecv_generic_client_packets(games_t)
 corenet_tcp_connect_generic_port(games_t)
 
+corenet_udp_bind_generic_node(games_t)
+
 dev_read_sound(games_t)
 dev_read_input(games_t)
 dev_read_mouse(games_t)
@@ -136,13 +142,16 @@ dev_rw_dri(games_t)
 dev_write_sound(games_t)
 
 files_list_var(games_t)
+files_search_mnt(games_t)
 files_search_var_lib(games_t)
 files_dontaudit_search_var(games_t)
+files_map_usr_files(games_t)
 files_read_etc_files(games_t)
 files_read_usr_files(games_t)
 files_read_var_files(games_t)
 
 fs_dontaudit_getattr_xattr_fs(games_t)
+fs_search_nfs(games_t)
 
 init_dontaudit_rw_utmp(games_t)
 
@@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t)
 userdom_manage_user_tmp_files(games_t)
 userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
+userdom_use_user_ptys(games_t)
 userdom_dontaudit_read_user_home_content_files(games_t)
 
 tunable_policy(`allow_execmem',`
@@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',`
 
 optional_policy(`
 	alsa_read_config(games_t)
+	alsa_read_home_files(games_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
+++ refpolicy-2.20210203/policy/modules/apps/gpg.te
@@ -137,6 +137,7 @@ logging_send_syslog_msg(gpg_t)
 miscfiles_read_localization(gpg_t)
 
 userdom_use_user_terminals(gpg_t)
+userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
 
 userdom_manage_user_tmp_dirs(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
Index: refpolicy-2.20210203/policy/modules/kernel/devices.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/devices.fc
+++ refpolicy-2.20210203/policy/modules/kernel/devices.fc
@@ -137,6 +137,7 @@ ifdef(`distro_suse', `
 /dev/vhci			-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-scsi		-c	gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vhost-vsock	-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
@@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock
 allow sysadm_t self:capability audit_write;
 allow sysadm_t self:system status;
 
+kernel_request_load_module(sysadm_t)
+
 corecmd_exec_shell(sysadm_t)
 
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
@@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
 init_admin(sysadm_t)
+init_rw_stream_sockets(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
@@ -29,6 +29,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ssh_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
 	vlock_run(user_t, user_r)
 ')
 
@@ -162,10 +166,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		ssh_role_template(user, user_r, user_t)
-	')
-
-	optional_policy(`
 		su_role_template(user, user_r, user_t)
 	')
 
Index: refpolicy-2.20210203/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20210203/policy/modules/system/authlogin.te
@@ -389,6 +389,8 @@ domain_use_interactive_fds(utempter_t)
 
 logging_search_logs(utempter_t)
 
+term_use_ptmx(utempter_t)
+
 userdom_use_user_terminals(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_user_tmp_files(utempter_t)
@@ -406,6 +408,7 @@ optional_policy(`
 optional_policy(`
 	xserver_use_xdm_fds(utempter_t)
 	xserver_rw_xdm_pipes(utempter_t)
+	xserver_write_inherited_xsession_log(utempter_t)
 ')
 
 #######################################
Index: refpolicy-2.20210203/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.if
+++ refpolicy-2.20210203/policy/modules/system/init.if
@@ -3516,6 +3516,24 @@ interface(`init_reload_all_units',`
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
 
+#######################################
+## <summary>
+##	getattr all systemd unit files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_units',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	allow $1 systemdunit:file getattr;
+')
+
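Review bot: The new `init_getattr_all_units` interface is not called anywhere in this patch, so as submitted it is dead policy; if the caller lives in another patch, say so in the patch header, otherwise drop it until needed. Its summary `getattr all systemd unit files.` also breaks the neighbouring style (L274: capitalised, no trailing period) — write `Get the attributes of all systemd unit files`. The separator on L254 is one `#` shorter than the one on L272.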
 ########################################
 ## <summary>
 ##	Manage systemd unit dirs and the files in them
Index: refpolicy-2.20210203/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.te
+++ refpolicy-2.20210203/policy/modules/system/init.te
@@ -248,7 +248,6 @@ ifdef(`init_systemd',`
 	allow init_t self:udp_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
-	allow init_t self:capability2 audit_read;
 	allow init_t self:key { search setattr write };
 	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
 
@@ -267,7 +266,7 @@ ifdef(`init_systemd',`
 
 	# setexec and setkeycreate for systemd --user
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
-	allow init_t self:capability2 { audit_read block_suspend };
+	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
@@ -438,6 +437,7 @@ ifdef(`init_systemd',`
 	miscfiles_watch_localization(init_t)
 
 	mount_watch_runtime_dirs(init_t)
+	mount_watch_runtime_files_reads(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
Index: refpolicy-2.20210203/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210203/policy/modules/system/logging.te
@@ -507,6 +507,7 @@ seutil_read_config(syslogd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
+userdom_search_user_runtime_root(syslogd_t)
 
 ifdef(`init_systemd',`
 	# for systemd-journal
@@ -551,6 +552,8 @@ ifdef(`init_systemd',`
 	systemd_search_user_runtime(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)
+	userdom_list_user_tmp(syslogd_t)
+	userdom_read_user_tmp_symlinks(syslogd_t)
 
 	# journald traverses /run/user/UID (which is mode 0700) to read symlinks in /run/user/UID/systemd/units/
 	allow syslogd_t self:capability dac_read_search;
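Review bot: `userdom_list_user_tmp(syslogd_t)` and `userdom_read_user_tmp_symlinks(syslogd_t)` (L320–L321) land in the init_systemd block whose only explanatory comment (L323) is about /run/user traversal, so a reader cannot tell why journald now needs to list user tmp and follow symlinks there. Add a one-line comment above L320 naming the path involved — presumably a symlink under a user's tmp that journald follows, but that is a guess and should be confirmed by the author.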
Index: refpolicy-2.20210203/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20210203/policy/modules/system/lvm.te
@@ -108,10 +108,13 @@ files_read_etc_files(clvmd_t)
 files_list_usr(clvmd_t)
 
 fs_getattr_all_fs(clvmd_t)
+fs_getattr_pstore_dirs(lvm_t)
 fs_search_auto_mountpoints(clvmd_t)
+fs_search_cgroup_dirs(lvm_t)
 fs_dontaudit_list_tmpfs(clvmd_t)
 fs_dontaudit_read_removable_files(clvmd_t)
 fs_rw_anon_inodefs_files(clvmd_t)
+fs_search_bpf(lvm_t)
 
 storage_dontaudit_getattr_removable_dev(clvmd_t)
 storage_manage_fixed_disk(clvmd_t)
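Review bot: The three added lines (L333, L335, L339) target `lvm_t` while every surrounding rule in this hunk (L330–L342) is for `clvmd_t`, so either the domain argument is wrong or the lines were dropped into the wrong section — lvm_t's own local policy starts further down (L344 shows `allow lvm_t self:capability ...`). If lvm_t is intended, move them beside that section's existing `fs_*` calls; if clvmd_t is intended, change the argument. `fs_search_bpf` and `fs_search_cgroup_dirs` are unusual for a volume manager, so a short comment on what triggers them would help whichever section they end up in.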
@@ -170,7 +173,6 @@ optional_policy(`
 allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
-# LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file manage_fifo_file_perms;
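Review bot: Deleting `# LVM will complain a lot if it cannot set its priority.` leaves `allow lvm_t self:process setsched;` on L348 in place but without the rationale that justified it; the rule is unchanged, so the comment should stay. If the intent was to fold setsched into the process set on L346, do that and keep the comment above the merged line.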
@@ -301,6 +303,8 @@ selinux_compute_user_contexts(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
 storage_dontaudit_read_removable_device(lvm_t)
+storage_getattr_removable_dev(lvm_t)
+
 # LVM creates block devices in /dev/mapper or /dev/<vg>
 # depending on its version
 # LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
Index: refpolicy-2.20210203/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20210203/policy/modules/system/modutils.te
@@ -34,6 +34,7 @@ ifdef(`init_systemd',`
 #
 
 allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
+allow kmod_t self:lockdown confidentiality;
 allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
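Review bot: `allow kmod_t self:lockdown confidentiality;` (L368) — and the identical grant for udev_t at L469 — hands out the broader of the two lockdown permissions, the one covering reads of kernel memory and similar confidentiality-sensitive operations, whereas module loading under lockdown falls on the integrity side as I understand the class. Neither hunk says what kmod or udev does that reaches the confidentiality hook; if it is only a probe the tools tolerate, `dontaudit kmod_t self:lockdown confidentiality;` (and likewise for udev_t) is the safer form. Whichever is kept, add a comment naming the triggering operation, as L370 does for sys_admin.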
Index: refpolicy-2.20210203/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/mount.te
+++ refpolicy-2.20210203/policy/modules/system/mount.te
@@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t)
 files_dontaudit_write_all_mountpoints(mount_t)
 files_dontaudit_setattr_all_mountpoints(mount_t)
 
+fs_getattr_binfmt_misc_fs(mount_t)
 fs_getattr_xattr_fs(mount_t)
 fs_getattr_tmpfs(mount_t)
 fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
 fs_getattr_nfs(mount_t)
 fs_mount_all_fs(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
Index: refpolicy-2.20210203/policy/modules/system/raid.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/raid.te
+++ refpolicy-2.20210203/policy/modules/system/raid.te
@@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t)
 files_read_etc_files(mdadm_t)
 files_read_etc_runtime_files(mdadm_t)
 files_dontaudit_getattr_all_files(mdadm_t)
+files_search_tmp(mdadm_t)
 
 fs_getattr_all_fs(mdadm_t)
 fs_list_auto_mountpoints(mdadm_t)
Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
@@ -346,6 +346,8 @@ allow restorecond_t self:fifo_file rw_fi
 allow restorecond_t restorecond_run_t:file manage_file_perms;
 files_runtime_filetrans(restorecond_t, restorecond_run_t, file)
 
+allow restorecond_t selinux_config_t:file watch;
+
 kernel_getattr_debugfs(restorecond_t)
 kernel_read_system_state(restorecond_t)
 kernel_rw_pipes(restorecond_t)
@@ -368,11 +370,14 @@ fs_list_inotifyfs(restorecond_t)
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_getattr_pstorefs(restorecond_t)
 
+logging_watch_generic_logs_dir(restorecond_t)
+
 selinux_validate_context(restorecond_t)
 selinux_compute_access_vector(restorecond_t)
 selinux_compute_create_context(restorecond_t)
 selinux_compute_relabel_context(restorecond_t)
 selinux_compute_user_contexts(restorecond_t)
+seutil_read_file_contexts(restorecond_t)
 
 files_relabel_non_auth_files(restorecond_t )
 files_dontaudit_read_all_symlinks(restorecond_t)
@@ -417,6 +422,8 @@ allow run_init_t self:netlink_audit_sock
 # the failed access to the current directory
 dontaudit run_init_t self:capability { dac_override dac_read_search };
 
+kernel_getattr_proc(run_init_t)
+
 corecmd_exec_bin(run_init_t)
 corecmd_exec_shell(run_init_t)
 
@@ -586,6 +593,7 @@ allow setfiles_t { policy_src_t policy_c
 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
 allow setfiles_t file_context_t:file map;
 
+kernel_read_kernel_sysctls(setfiles_t)
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 kernel_relabelfrom_unlabeled_files(setfiles_t)
Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
@@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
Index: refpolicy-2.20210203/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/udev.te
+++ refpolicy-2.20210203/policy/modules/system/udev.te
@@ -43,6 +43,7 @@ ifdef(`enable_mcs',`
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:capability2 { wake_alarm block_suspend };
+allow udev_t self:lockdown confidentiality;
 allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
@@ -74,6 +75,7 @@ manage_files_pattern(udev_t, udev_rules_
 manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 
 manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+allow udev_t udev_runtime_t:dir watch;
 manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
@@ -120,6 +122,7 @@ domain_dontaudit_ptrace_all_domains(udev
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
+files_read_var_lib_symlinks(udev_t)
 files_mmap_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
@@ -129,6 +132,7 @@ fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
+fs_search_tmpfs(udev_t)
 fs_search_tracefs(udev_t)
 
 mcs_ptrace_all(udev_t)
@@ -153,6 +157,10 @@ auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
+# for /run/console-setup
+fs_manage_tmpfs_dirs(udev_t)
+fs_manage_tmpfs_files(udev_t)
+
 init_read_utmp(udev_t)
 init_domtrans_script(udev_t)
 # systemd-udevd searches /run/systemd
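Review bot: `fs_manage_tmpfs_dirs(udev_t)` / `fs_manage_tmpfs_files(udev_t)` (L502–L503) are now unconditional — the hunk at L508–L515 removes them from the non-systemd branch where they previously lived — and they cover every tmpfs_t object, not just /run/console-setup. If that directory really ends up labelled tmpfs_t, a dedicated runtime type with `files_runtime_filetrans(udev_t, <type>, dir, "console-setup")` (the pattern used for restorecond_run_t at L409) keeps the grant scoped to it. If the wide grant must stay, the comment on L501 should also say why the systemd case needs it now.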
@@ -260,9 +268,6 @@ ifdef(`init_systemd',`
 	optional_policy(`
 		init_dbus_chat(udev_t)
 	')
-',`
-	fs_manage_tmpfs_dirs(udev_t)
-	fs_manage_tmpfs_files(udev_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210203/policy/modules/system/unconfined.te
@@ -39,6 +39,7 @@ logging_send_syslog_msg(unconfined_t)
 logging_run_auditctl(unconfined_t, unconfined_r)
 
 mount_run_unconfined(unconfined_t, unconfined_r)
+mount_watch_runtime_files_reads(unconfined_t)
 
 seutil_run_setfiles(unconfined_t, unconfined_r)
 seutil_run_semanage(unconfined_t, unconfined_r)
Index: refpolicy-2.20210203/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20210203/policy/modules/admin/apt.fc
@@ -3,6 +3,7 @@
 /usr/bin/apt		--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/apt-show-versions --	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
@@ -14,6 +15,7 @@ ifndef(`distro_redhat',`
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/libexec/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/var/cache/apt-show-versions(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
 /var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
 /var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
 ')
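Review bot: `/var/cache/apt-show-versions(/.*)?` (L546) is added inside the `ifndef(`distro_redhat',` block (L542–L549) while the matching binary entry `/usr/bin/apt-show-versions` (L538) is in the unconditional part of the file, so on a Red Hat build the program would be labelled apt_exec_t but its cache would keep whatever /var/cache defaults to; put both entries in the same block. L538 also uses a space and a tab before `--` where the neighbouring lines use tabs only.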
Index: refpolicy-2.20210203/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20210203/policy/modules/kernel/kernel.te
@@ -232,6 +232,7 @@ allow kernel_t self:unix_stream_socket c
 allow kernel_t self:fifo_file rw_fifo_file_perms;
 allow kernel_t self:sock_file read_sock_file_perms;
 allow kernel_t self:fd use;
+allow kernel_t self:perf_event cpu;
 
 allow kernel_t debugfs_t:dir search_dir_perms;
 
Index: refpolicy-2.20210203/policy/modules/apps/chromium.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.if
+++ refpolicy-2.20210203/policy/modules/apps/chromium.if
@@ -41,6 +41,7 @@ interface(`chromium_role',`
 	allow $2 chromium_sandbox_t:process signal_perms;
 	allow $2 chromium_naclhelper_t:process signal_perms;
 	allow chromium_t $2:process { signull signal };
+	allow chromium_t $2:unix_stream_socket { read write };
 
 	allow $2 chromium_t:unix_stream_socket connectto;
 
Index: refpolicy-2.20210203/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20210203/policy/modules/apps/chromium.te
@@ -114,6 +114,7 @@ allow chromium_t chromium_sandbox_t:unix
 allow chromium_t chromium_sandbox_t:file read_file_perms;
 
 allow chromium_t chromium_naclhelper_t:process { share };
+allow chromium_t chromium_naclhelper_t:process2 nnp_transition;
 
 # tmp has a wide class access (used for plugins)
 manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
@@ -183,6 +184,7 @@ files_read_usr_files(chromium_t)
 files_map_usr_files(chromium_t)
 files_read_etc_files(chromium_t)
 files_watch_etc_dirs(chromium_t)
+files_watch_root_dirs(chromium_t)
 # During find for /etc/whatever-release we get lots of output otherwise
 files_dontaudit_getattr_all_dirs(chromium_t)
 
@@ -255,6 +257,10 @@ tunable_policy(`chromium_read_system_inf
 ')
 
 optional_policy(`
+	alsa_read_config(chromium_t)
+')
+
+optional_policy(`
 	cups_read_config(chromium_t)
 	cups_stream_connect(chromium_t)
 ')
@@ -290,6 +296,7 @@ optional_policy(`
 
 optional_policy(`
 	networkmanager_dbus_chat(chromium_t)
+	networkmanager_watch_runtime_dirs(chromium_t)
 ')
 
 optional_policy(`
@@ -383,6 +390,9 @@ allow chromium_sandbox_t chromium_naclhe
 allow chromium_naclhelper_t chromium_t:unix_stream_socket { getattr read write };
 allow chromium_naclhelper_t chromium_sandbox_t:unix_stream_socket { getattr read write };
 
+allow chromium_naclhelper_t self:cap_userns { sys_admin sys_chroot };
+allow chromium_naclhelper_t self:process { setcap signal };
+
 dev_read_sysfs(chromium_naclhelper_t)
 dev_read_urand(chromium_naclhelper_t)
 
Index: refpolicy-2.20210203/policy/modules/services/networkmanager.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.if
+++ refpolicy-2.20210203/policy/modules/services/networkmanager.if
@@ -305,6 +305,24 @@ interface(`networkmanager_read_runtime_f
 	read_files_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t)
 ')
 
+########################################
+## <summary>
+##	watch networkmanager runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_watch_runtime_dirs',`
+	gen_require(`
+		type NetworkManager_runtime_t;
+	')
+
+	allow $1 NetworkManager_runtime_t:dir watch;
+')
+
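Review bot: The summary on L633 says `watch networkmanager runtime files.` but the rule on L646 is `allow $1 NetworkManager_runtime_t:dir watch;` and the interface is named `_watch_runtime_dirs`; change the summary to `Watch networkmanager runtime directories`. The neighbouring summaries start with a capital letter and carry no trailing period, so match that too.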
 ####################################
 ## <summary>
 ##  Connect to networkmanager over
Index: refpolicy-2.20210203/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20210203/policy/modules/admin/usermanage.te
@@ -438,6 +438,9 @@ files_read_etc_runtime_files(sysadm_pass
 # for nscd lookups
 files_dontaudit_search_runtime(sysadm_passwd_t)
 
+files_etc_filetrans_etc(sysadm_passwd_t, file, "passwd.edit")
+files_etc_filetrans_etc(sysadm_passwd_t, file, "group.edit")
+
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(sysadm_passwd_t)
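Review bot: The two `files_etc_filetrans_etc(sysadm_passwd_t, file, "passwd.edit")` / `"group.edit"` calls (L660–L661) carry no comment, unlike the adjacent rules (L657, L663–L664). State which default transition they override and which tool creates `passwd.edit` / `group.edit`; a named transition into /etc is also a file-creation grant for the password-editing domain, so the next reader should not have to guess why it is there.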
Index: refpolicy-2.20210203/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20210203/policy/modules/kernel/files.if
@@ -3413,6 +3413,35 @@ interface(`files_etc_filetrans',`
 
 ########################################
 ## <summary>
+##	Create objects in /etc with type etc_t with specified
+##	name to overide default transition
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object classes to be created.
+##	</summary>
+## </param>
+## <param name="name">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_etc_filetrans_etc',`
+	gen_require(`
+		type etc_t;
+	')
+
+	filetrans_pattern($1, etc_t, etc_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Create a boot flag.
 ## </summary>
 ## <desc>
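Review bot: Typo on L675: `overide` → `override`. The summary should also make clear that, by filetrans_pattern's usual definition, this interface grants `$1` creation of etc_t objects of class `$2` in etc_t directories and not merely a type_transition — callers (the usermanage change in this patch) are taking a creation grant in /etc, and the doc should say so.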
Index: refpolicy-2.20210203/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20210203/policy/modules/system/unconfined.if
@@ -44,6 +44,8 @@ interface(`unconfined_domain_noaudit',`
 	# Transition to myself, to make get_ordered_context_list happy.
 	allow $1 self:process transition;
 
+	allow $1 self:lockdown { integrity confidentiality };
+
 	# Write access is for setting attributes under /proc/self/attr.
 	allow $1 self:file rw_file_perms;
 
Index: refpolicy-2.20210203/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20210203/policy/modules/admin/netutils.te
@@ -39,6 +39,7 @@ allow netutils_t self:process { getcap s
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
 # For tcpdump.
+allow netutils_t self:netlink_generic_socket create_socket_perms;
 allow netutils_t self:netlink_netfilter_socket create_socket_perms;
 allow netutils_t self:packet_socket { create_socket_perms map };
 allow netutils_t self:udp_socket create_socket_perms;
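Review bot: The new `allow netutils_t self:netlink_generic_socket create_socket_perms;` (L727) is inserted directly under `# For tcpdump.`, separating that comment from the netfilter-socket line it annotated. If the generic-netlink socket is also for tcpdump, say so — `# For tcpdump (netfilter and generic netlink).` — otherwise place the new line above the comment so the existing one keeps its subject.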
Index: refpolicy-2.20210203/policy/modules/apps/wm.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/wm.if
+++ refpolicy-2.20210203/policy/modules/apps/wm.if
@@ -101,6 +101,10 @@ template(`wm_role_template',`
 	optional_policy(`
 		pulseaudio_run($1_wm_t, $2)
 	')
+
+	optional_policy(`
+		xdg_watch_config_files($1_wm_t)
+	')
 ')
 
 ########################################
Index: refpolicy-2.20210203/policy/modules/apps/wm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/wm.te
+++ refpolicy-2.20210203/policy/modules/apps/wm.te
@@ -39,6 +39,7 @@ files_tmp_filetrans(wm_domain, wm_tmp_t,
 manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
 manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
 mmap_read_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+allow wm_domain wm_tmpfs_t:file execmod;
 manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
 fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
 
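Review bot: `allow wm_domain wm_tmpfs_t:file execmod;` (L754) applies to every window-manager domain and lets a privately mapped wm_tmpfs_t file that has been written be made executable — the write-then-execute relaxation that this policy otherwise keeps behind tunables (compare `tunable_policy(`allow_execmem',` at L145 in games.te). Since wm_domain fully manages wm_tmpfs_t two lines up, this is W^X for the domain's own tmpfs files. Put the rule inside a tunable_policy block with a comment naming the window manager that needs it; note also that execmod only takes effect alongside an execute/map grant on the file, which this hunk does not show, so the author should confirm what actually needs it.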
Index: refpolicy-2.20210203/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20210203/policy/modules/system/xdg.if
@@ -389,6 +389,24 @@ interface(`xdg_watch_config_dirs',`
 
 ########################################
 ## <summary>
+##	Watch the xdg config home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_watch_config_files',`
+	gen_require(`
+		type xdg_config_t;
+	')
+
+	allow $1 xdg_config_t:file watch;
+')
+
+########################################
+## <summary>
 ##	Watch all the xdg config home directories
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210203/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210203/policy/modules/services/cron.te
@@ -507,6 +507,7 @@ files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
 files_dontaudit_search_runtime(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
+files_manage_var_lib_dirs(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 files_read_var_lib_symlinks(system_cronjob_t)
 
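Review bot: `files_manage_var_lib_dirs(system_cronjob_t)` (L795) lets every system cron job create, rename and remove generic var_lib_t directories under /var/lib, while the neighbouring grants are read-only (L792, L797) and the one manage grant on L794 is scoped to spool. If a single job needs its own state directory, give it a type and a `files_var_lib_filetrans` from that job's domain instead of widening all of system_cronjob_t; at minimum add a comment naming the job that needs it.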
Index: refpolicy-2.20210203/policy/modules/apps/pulseaudio.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/pulseaudio.if
+++ refpolicy-2.20210203/policy/modules/apps/pulseaudio.if
@@ -205,6 +205,24 @@ interface(`pulseaudio_stream_connect',`
 	stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_runtime_t }, { pulseaudio_tmp_t pulseaudio_runtime_t }, pulseaudio_t)
 ')
 
+#####################################
+## <summary>
+##	Manage pulseaudio_tmp_t dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_manage_tmp_dirs',`
+	gen_require(`
+		type pulseaudio_tmp_t;
+	')
+
+	allow $1 pulseaudio_tmp_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -1760,5 +1760,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	pulseaudio_manage_tmp_dirs(systemd_user_runtime_dir_t)
+')
+
+optional_policy(`
 	userdom_delete_all_user_runtime_named_sockets(systemd_user_runtime_dir_t)
 ')
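Review bot: `pulseaudio_manage_tmp_dirs(systemd_user_runtime_dir_t)` (L836) grants the full manage set (create, rename, etc.) on pulseaudio_tmp_t dirs, while the sibling rule on L840 is deletion-only (`userdom_delete_all_user_runtime_named_sockets`), which is what a runtime-dir cleanup needs. If removing leftover pulseaudio directories is the goal, a `pulseaudio_delete_tmp_dirs` interface built on `delete_dir_perms` — the new interface in pulseaudio.if (L817–L823) would then read `allow $1 pulseaudio_tmp_t:dir delete_dir_perms;` — is the least-privilege form. The separator on L807 is also shorter than the 40-`#` rule used at L825.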
