diff --git a/booleans-minimum.conf b/booleans-minimum.conf
index 5185257..2e00a7a 100644
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@@ -4,19 +4,19 @@ allow_execmem = false
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
-selinuxuser_execmod = false
+allow_execmod = false
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-selinuxuser_execstack = false
+allow_execstack = true
 
 # Allow ftpd to read cifs directories.
 # 
-ftpd_use_cifs = false
+allow_ftpd_use_cifs = false
 
 # Allow ftpd to read nfs directories.
 # 
-ftpd_use_nfs = false
+allow_ftpd_use_nfs = false
 
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
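Review bot: `allow_execstack = true` does more than rename `selinuxuser_execstack`: it also flips the value from false to true, so the minimum policy now permits making the stack executable. The comment directly above says this boolean also requires allow_execmem, and the hunk header context shows `allow_execmem = false`, so the two settings now disagree. If the flip is not intended, keep `allow_execstack = false`; if it is, add a comment line naming the workload that needs an executable stack.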
@@ -24,7 +24,7 @@ allow_ftpd_anon_write = false
 
 # Allow gssd to read temp directory.
 # 
-gssd_read_tmp = true
+allow_gssd_read_tmp = true
 
 # Allow Apache to modify public filesused for public file transfer services.
 # 
@@ -32,7 +32,7 @@ allow_httpd_anon_write = false
 
 # Allow Apache to use mod_auth_pam module
 # 
-httpd_mod_auth_pam = false
+allow_httpd_mod_auth_pam = false
 
 # Allow system to run with kerberos
 # 
@@ -44,7 +44,7 @@ allow_rsync_anon_write = false
 
 # Allow sasl to read shadow
 # 
-saslauthd_read_shadow  = false
+allow_saslauthd_read_shadow = false
 
 # Allow samba to modify public filesused for public file transfer services.
 # 
@@ -56,7 +56,7 @@ allow_ypbind = false
 
 # Allow zebra to write it own configuration files
 # 
-zebra_write_config = false
+allow_zebra_write_config = false
 
 # Enable extra rules in the cron domainto support fcron.
 # 
@@ -148,35 +148,55 @@ user_ping = false
 
 # allow host key based authentication
 # 
-ssh_keysign = false
+allow_ssh_keysign = false
 
 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false
 
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+# 
+read_untrusted_content = false
+
 # Allow spamd to write to users homedirs
 # 
 spamd_enable_home_dirs = false
 
+# Allow regular users direct mouse access
+# 
+user_direct_mouse = false
+
+# Allow users to read system messages.
+# 
+user_dmesg = false
+
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
-user_rw_noexattrfile = true
+user_rw_noexattrfile = false
 
 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false
 
+# Allow w to display everyone
+# 
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+# 
+write_untrusted_content = false
+
 # Allow all domains to talk to ttys
 # 
-daemons_use_tty = false
+allow_daemons_use_tty = false
 
 # Allow login domains to polyinstatiate directories
 # 
-polyinstantiation_enabled = false
+allow_polyinstantiation = false
 
 # Allow all domains to dump core
 # 
-daemons_dump_core = true
+allow_daemons_dump_core = true
 
 # Allow samba to act as the domain controller
 # 
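Review bot: `user_rw_noexattrfile = false` in this hunk conflicts with `user_rw_noexattrfile=true` in the next hunk (under "Allow common users to read/write noexattrfile systems"), so the new file defines the same boolean twice with opposite values. Which definition takes effect presumably depends on the order in which the build tooling reads the file, so the effective setting cannot be read off the file. Keep a single entry with the intended value, for example by dropping the later line. The added comments for `read_untrusted_content` and `write_untrusted_content` also contain run-together words ("contentIf", "hasto", "contentwill") that are worth fixing while the lines are new.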
@@ -188,24 +208,36 @@ samba_run_unconfined = false
 
 # Allows XServer to execute writable memory
 # 
-xserver_execmem = false
+allow_xserver_execmem = false
 
 # disallow guest accounts to execute files that they can create 
 # 
-guest_exec_content = false
-xguest_exec_content = false
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+# 
+browser_confine_xguest=false
 
 # Allow postfix locat to write to mail spool
 # 
-postfix_local_write_mail_spool = false
+allow_postfix_local_write_mail_spool=false
 
 # Allow common users to read/write noexattrfile systems
 # 
-user_rw_noexattrfile = true
+user_rw_noexattrfile=true
 
 # Allow qemu to connect fully to the network
 # 
-qemu_full_network = true
+qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+# 
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+# 
+allow_unconfined_nsplugin_transition=true
 
 # System uses init upstart program
 # 
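Review bot: `allow_nsplugin_execmem=true` and `allow_unconfined_nsplugin_transition=true` are added enabled by default, and by its own comment the first one permits execmem/execstack for plugins, while `allow_execmem = false` and `allow_xserver_execmem = false` elsewhere in this file keep the same class of permission off. Consider `allow_nsplugin_execmem=false` unless the package is known to need it, or extend the comment to say why the minimum policy enables it. As a style point, the added and rewritten lines in this hunk use `name=value` while the rest of the file uses `name = value`.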
@@ -213,20 +245,9 @@ init_upstart = true
 
 # Allow mount to mount any file/dir
 # 
-mount_anyfile = true
+allow_mount_anyfile = true
 
 # Allow all domains to mmap files
 # 
 domain_can_mmap_files = true
 
-# Allow confined applications to use nscd shared memory
-#
-nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = true
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = true
diff --git a/booleans-mls.conf b/booleans-mls.conf
index 3892f99..6b75dd8 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -1,232 +1,6 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-selinuxuser_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-selinuxuser_execstack = false
-
-# Allow ftpd to read cifs directories.
-# 
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
-gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-# 
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-saslauthd_read_shadow  = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-# 
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = true
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow all domains to talk to ttys
-# 
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-# 
-daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create 
-# 
-guest_exec_content = false
-xguest_exec_content = false
-
-# Allow postfix locat to write to mail spool
-# 
-postfix_local_write_mail_spool = false
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile = true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network = true
-
-# System uses init upstart program
-# 
-init_upstart = true
-
-# Allow mount to mount any file/dir
-# 
+kerberos_enabled = true
 mount_anyfile = true
-
-# Allow all domains to mmap files
-# 
-domain_can_mmap_files = true
-
-# Allow confined applications to use nscd shared memory
-#
-nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = false
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = false
+polyinstantiation_enabled = true
+ftpd_is_daemon = true
+selinuxuser_ping = true
+xserver_object_manager = true
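Review bot: The six-line replacement file sets nothing to `false` and carries no comments, so values that were pinned explicitly before (for example `allow_execmem = false` and `selinuxuser_execstack = false`) now presumably fall back to whatever default the policy modules declare. `polyinstantiation_enabled` also changes from false to true here without explanation. A header comment would make the intent reviewable, e.g. `# Only overrides are listed; every other boolean keeps the default from the policy source.`, plus a one-line reason above each override.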
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 5185257..d8cf568 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,232 +1,23 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-selinuxuser_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-selinuxuser_execstack = false
-
-# Allow ftpd to read cifs directories.
-# 
-ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
 gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-# 
-httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-saslauthd_read_shadow  = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-# 
-zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
 httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
 httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = true
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow all domains to talk to ttys
-# 
-daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-polyinstantiation_enabled = false
-
-# Allow all domains to dump core
-# 
-daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create 
-# 
-guest_exec_content = false
-xguest_exec_content = false
-
-# Allow postfix locat to write to mail spool
-# 
-postfix_local_write_mail_spool = false
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile = true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network = true
-
-# System uses init upstart program
-# 
-init_upstart = true
-
-# Allow mount to mount any file/dir
-# 
+kerberos_enabled = true
 mount_anyfile = true
-
-# Allow all domains to mmap files
-# 
-domain_can_mmap_files = true
-
-# Allow confined applications to use nscd shared memory
-#
+nfs_export_all_ro = true
+nfs_export_all_rw = true
 nscd_use_shm = true
-
-# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-#
-unconfined_chrome_sandbox_transition = true
-
-# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
-#
-unconfined_mozilla_plugin_transition = true
+openvpn_enable_homedirs = true
+postfix_local_write_mail_spool= true
+pppd_can_insmod = false
+privoxy_connect_any = true
+selinuxuser_direct_dri_enabled = true
+selinuxuser_rw_noexattrfile = true
+selinuxuser_ping = true
+squid_connect_any = true
+telepathy_tcp_connect_generic_network_ports=true
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+xguest_exec_content = true
+mozilla_plugin_can_network_connect = true
+# Allow all domains to mmap files
+domain_can_mmap_files = true
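Review bot: Several booleans that were explicitly `false` become `true` in the new file without any rationale: `squid_connect_any`, `xguest_exec_content` and `postfix_local_write_mail_spool`; `privoxy_connect_any` and `mozilla_plugin_can_network_connect` are newly enabled as well. Each of these widens what a confined domain may do (the removed comment for squid_connect_any described it as connecting to all ports rather than only HTTP, FTP and Gopher), so each should either stay `false` or get a one-line comment above it stating why the targeted policy needs it. The removed explicit `false` entries such as `allow_execmem` and `selinuxuser_execstack` now depend on the policy's built-in defaults, which this file does not show. Spacing is also inconsistent (`postfix_local_write_mail_spool= true`, `unconfined_chrome_sandbox_transition=true`).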
diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch
deleted file mode 100644
index c11814e..0000000
--- a/distro_suse_to_distro_redhat.patch
+++ /dev/null
@@ -1,209 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/apache.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc
-+++ fedora-policy-20221019/policy/modules/contrib/apache.fc
-@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
- /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
- /usr/sbin/thttpd        -- gen_context(system_u:object_r:httpd_exec_t,s0)
- 
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
-@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- ')
- 
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- ')
- 
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
-@@ -80,7 +80,7 @@ ifdef(`distro_redhat', `
- /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
- 
- # SuSE
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
- /sbin/yast2			--	gen_context(system_u:object_r:rpm_exec_t,s0)
- /var/lib/YaST2(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc
-+++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc
-@@ -462,7 +462,7 @@ ifdef(`distro_redhat', `
- /usr/share/texmf/texconfig/tcfmgr --	gen_context(system_u:object_r:bin_t,s0)
- ')
- 
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ssh/.*			--	gen_context(system_u:object_r:bin_t,s0)
-@@ -491,7 +491,7 @@ ifdef(`distro_suse', `
- /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
- 
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/kernel/devices.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc
-+++ fedora-policy-20221019/policy/modules/kernel/devices.fc
-@@ -148,7 +148,7 @@
- /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
- /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
- /dev/usbmon.+		-c	gen_context(system_u:object_r:usbmon_device_t,s0)
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
- ')
- /dev/vmci       -c  gen_context(system_u:object_r:vmci_device_t,s0)
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -22,7 +22,7 @@ ifdef(`distro_redhat',`
- /[^/]+			--	gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
- 
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
- 
-@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
- /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
- 
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- ')
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
-@@ -189,7 +189,7 @@ ifndef(`distro_debian',`
- /var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
- /var/run/systemd/multi-session-x(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
- 
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/system/authlogin.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc
-+++ fedora-policy-20221019/policy/modules/system/authlogin.fc
-@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~		gen_co
- /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
- /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/system/init.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/init.fc
-+++ fedora-policy-20221019/policy/modules/system/init.fc
-@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', `
- /var/run/svscan\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
- ')
- 
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/run/bootsplashctl	-p	gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/keymap		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
- /var/run/numlock-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/system/init.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/init.te
-+++ fedora-policy-20221019/policy/modules/system/init.te
-@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',`
- 	')
- ')
- 
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- 	optional_policy(`
- 		# set permissions on /tmp/.X11-unix
- 		xserver_setattr_xdm_tmp_dirs(initrc_t)
-Index: fedora-policy-20221019/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20221019/policy/modules/system/libraries.fc
-@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_
- /var/lib/spamassassin/compiled/.*\.so.* --	gen_context(system_u:object_r:lib_t,s0)
- /usr/lib/xfce4/.*\.so.*			-- 	gen_context(system_u:object_r:lib_t,s0)
- 
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/system/locallogin.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/locallogin.te
-+++ fedora-policy-20221019/policy/modules/system/locallogin.te
-@@ -274,7 +274,7 @@ ifdef(`enable_mls',`
- ')
- 
- # suse and debian do not use pam with sulogin...
--ifdef(`distro_suse', `define(`sulogin_no_pam')')
-+ifdef(`distro_redhat', `define(`sulogin_no_pam')')
- ifdef(`distro_debian', `define(`sulogin_no_pam')')
- 
- allow sulogin_t self:capability sys_tty_config;
-Index: fedora-policy-20221019/policy/modules/system/logging.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20221019/policy/modules/system/logging.fc
-@@ -46,7 +46,7 @@
- /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh)
- /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- 
--ifdef(`distro_suse', `
-+ifdef(`distro_redhat', `
- /var/lib/stunnel/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/system/logging.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/logging.te
-+++ fedora-policy-20221019/policy/modules/system/logging.te
-@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',`
- 	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
- ')
- 
--ifdef(`distro_suse',`
-+ifdef(`distro_redhat',`
- 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
- 	files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
- ')
diff --git a/dontaudit_interface_kmod_tmpfs.patch b/dontaudit_interface_kmod_tmpfs.patch
deleted file mode 100644
index 031ead4..0000000
--- a/dontaudit_interface_kmod_tmpfs.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t)
- userdom_nnp_transition_login_userdomain(xdm_t)
- userdom_watch_user_home_dirs(xdm_t)
- 
-+# SUSE uses startproc to start the display manager. While checking for running processes
-+# it goes over all running instances, triggering AVCs
-+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t)
-+
- #userdom_home_manager(xdm_t)
- tunable_policy(`xdm_write_home',`
-     userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
-Index: fedora-policy-20221019/policy/modules/system/modutils.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/modutils.if
-+++ fedora-policy-20221019/policy/modules/system/modutils.if
-@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte
- 	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
- 	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
- ')
-+
-+#######################################
-+## <summary>
-+## Don't audit accesses to tmp file type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`modutils_dontaudit_kmod_tmpfs_getattr',`
-+    gen_require(`
-+        type kmod_tmpfs_t;
-+    ')
-+
-+    dontaudit $1 kmod_tmpfs_t:file { getattr };
-+')
diff --git a/fedora-policy-20221019.tar.bz2 b/fedora-policy-20221019.tar.bz2
deleted file mode 100644
index 6fb0487..0000000
--- a/fedora-policy-20221019.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede
-size 733130
diff --git a/fedora-policy.20200717.tar.bz2 b/fedora-policy.20200717.tar.bz2
new file mode 100644
index 0000000..69fa9bc
--- /dev/null
+++ b/fedora-policy.20200717.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9cce9137b42c72c260c989e8a35153681b4fda9c9bcabda80816393683cd0304
+size 752394
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
index beaff36..767073d 100644
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@@ -14,4 +14,3 @@
 /var/run/netconfig /etc
 /var/adm/netconfig/md5/etc /etc
 /var/adm/netconfig/md5/var /var
-/usr/etc /etc
diff --git a/fix_alsa.patch b/fix_alsa.patch
deleted file mode 100644
index 0e6b04c..0000000
--- a/fix_alsa.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/alsa.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te
-+++ fedora-policy-20221019/policy/modules/contrib/alsa.te
-@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al
- userdom_manage_unpriv_user_shared_mem(alsa_t)
- userdom_search_user_home_dirs(alsa_t)
- 
-+optional_policy(`
-+	gnome_read_home_config(alsa_t)
-+')
-+
- ifdef(`distro_debian',`
- 	term_dontaudit_use_unallocated_ttys(alsa_t)
- 
diff --git a/fix_apache.patch b/fix_apache.patch
index 6b24b83..e097a03 100644
--- a/fix_apache.patch
+++ b/fix_apache.patch
@@ -1,10 +1,10 @@
-Index: fedora-policy-20221019/policy/modules/contrib/apache.if
+Index: fedora-policy/policy/modules/contrib/apache.if
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/apache.if
-+++ fedora-policy-20221019/policy/modules/contrib/apache.if
-@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',`
+--- fedora-policy.orig/policy/modules/contrib/apache.if
++++ fedora-policy/policy/modules/contrib/apache.if
+@@ -1967,3 +1967,25 @@ interface(`apache_ioctl_stream_sockets',
  
- 	allow $1 httpd_t:sem r_sem_perms;
+     allow $1 httpd_t:unix_stream_socket ioctl;
  ')
 +
 +#######################################
diff --git a/fix_auditd.patch b/fix_auditd.patch
deleted file mode 100644
index d4d94e0..0000000
--- a/fix_auditd.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/system/logging.if
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/system/logging.if
-+++ fedora-policy-20211111/policy/modules/system/logging.if
-@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config',
- 
- 	files_search_etc($1)
- 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-+	allow $1 auditd_etc_t:dir mounton;
- ')
- 
- ########################################
diff --git a/fix_authlogin.patch b/fix_authlogin.patch
index 7220120..a91f07d 100644
--- a/fix_authlogin.patch
+++ b/fix_authlogin.patch
@@ -1,10 +1,10 @@
-Index: fedora-policy-20211111/policy/modules/system/authlogin.fc
+Index: fedora-policy/policy/modules/system/authlogin.fc
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc
-+++ fedora-policy-20211111/policy/modules/system/authlogin.fc
-@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', `
- /usr/libexec/chkpwd/tcb_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
- /usr/libexec/chkpwd/tcb_updpwd	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
+--- fedora-policy.orig/policy/modules/system/authlogin.fc
++++ fedora-policy/policy/modules/system/authlogin.fc
+@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
+ /usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ 
  /usr/libexec/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
 +/usr/lib/utempter/utempter 	--	gen_context(system_u:object_r:utempter_exec_t,s0)
  
diff --git a/fix_bitlbee.patch b/fix_bitlbee.patch
deleted file mode 100644
index 2ce1749..0000000
--- a/fix_bitlbee.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
-===================================================================
---- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc
-+++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc
-@@ -9,6 +9,5 @@
- 
- /var/log/bip.*	gen_context(system_u:object_r:bitlbee_log_t,s0)
- 
--/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
--/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-+/var/run/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
- /var/run/bip(/.*)?	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/fix_chronyd.patch b/fix_chronyd.patch
index beabc0d..5521738 100644
--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
+Index: fedora-policy/policy/modules/contrib/chronyd.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te
-@@ -144,6 +144,14 @@ systemd_exec_systemctl(chronyd_t)
+--- fedora-policy.orig/policy/modules/contrib/chronyd.te
++++ fedora-policy/policy/modules/contrib/chronyd.te
+@@ -136,6 +136,14 @@ systemd_exec_systemctl(chronyd_t)
  userdom_dgram_send(chronyd_t)
  
  optional_policy(`
@@ -17,16 +17,15 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
      cron_dgram_send(chronyd_t)
  ')
  
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc
+Index: fedora-policy/policy/modules/contrib/chronyd.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc
-@@ -6,6 +6,8 @@
+--- fedora-policy.orig/policy/modules/contrib/chronyd.fc
++++ fedora-policy/policy/modules/contrib/chronyd.fc
+@@ -6,6 +6,7 @@
  
  /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
  /usr/libexec/chrony-helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 +/usr/lib/chrony/helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
-+/usr/libexec/chrony/helper	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
  
  /usr/bin/chronyc	--	gen_context(system_u:object_r:chronyc_exec_t,s0)
  
diff --git a/fix_cloudform.patch b/fix_cloudform.patch
deleted file mode 100644
index cac7161..0000000
--- a/fix_cloudform.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/cloudform.te
-===================================================================
---- cloudform.te	2022-07-18 14:06:56.735383426 +0200
-+++ cloudform.te.new	2022-07-18 14:07:36.003069544 +0200
-@@ -81,6 +81,8 @@
- 
- init_dbus_chat(cloud_init_t)
- 
-+snapper_dbus_chat(cloud_init_t)
-+
- kernel_read_network_state(cloud_init_t)
- 
- corenet_tcp_connect_http_port(cloud_init_t)
diff --git a/fix_colord.patch b/fix_colord.patch
index 763641f..c11b27b 100644
--- a/fix_colord.patch
+++ b/fix_colord.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
+Index: fedora-policy/policy/modules/contrib/colord.fc
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc
-+++ fedora-policy-20211111/policy/modules/contrib/colord.fc
+--- fedora-policy.orig/policy/modules/contrib/colord.fc
++++ fedora-policy/policy/modules/contrib/colord.fc
 @@ -6,6 +6,8 @@
  
  /usr/libexec/colord	--	gen_context(system_u:object_r:colord_exec_t,s0)
@@ -11,15 +11,3 @@ Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
  
  /usr/lib/systemd/system/colord.*  -- gen_context(system_u:object_r:colord_unit_file_t,s0)
  
-Index: fedora-policy-20211111/policy/modules/contrib/colord.te
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/colord.te
-+++ fedora-policy-20211111/policy/modules/contrib/colord.te
-@@ -17,6 +17,7 @@ type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
- init_daemon_domain(colord_t, colord_exec_t)
-+init_nnp_daemon_domain(colord_t)
- 
- type colord_tmp_t;
- files_tmp_file(colord_tmp_t)
diff --git a/fix_corecommand.patch b/fix_corecommand.patch
index 60362f2..5593a71 100644
--- a/fix_corecommand.patch
+++ b/fix_corecommand.patch
@@ -45,16 +45,7 @@ Index: fedora-policy/policy/modules/kernel/corecommands.fc
  
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',`
- 
- /usr/lib/xfce4(/.*)?	gen_context(system_u:object_r:bin_t,s0)
- 
-+/usr/lib/build/.*	--	gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/Brother(/.*)?              gen_context(system_u:object_r:bin_t,s0)
- /usr/Printer(/.*)?              gen_context(system_u:object_r:bin_t,s0)
- /usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
-@@ -391,6 +413,7 @@ ifdef(`distro_debian',`
+@@ -391,6 +411,7 @@ ifdef(`distro_debian',`
  /usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
  ')
diff --git a/fix_cron.patch b/fix_cron.patch
index 203162a..523bc59 100644
--- a/fix_cron.patch
+++ b/fix_cron.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
+Index: fedora-policy/policy/modules/contrib/cron.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
+--- fedora-policy.orig/policy/modules/contrib/cron.fc
++++ fedora-policy/policy/modules/contrib/cron.fc
 @@ -34,7 +34,7 @@
  
  /var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
@@ -11,32 +11,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
  
  /var/spool/cron/crontabs 	-d	gen_context(system_u:object_r:cron_spool_t,s0)
  /var/spool/cron/crontabs/.*	--	<<none>>
-@@ -55,6 +55,10 @@ ifdef(`distro_redhat', `
- /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]*	--	<<none>>
- /var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-+
-+/var/spool/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/atjobs/.SEQ          --	gen_context(system_u:object_r:user_cron_spool_t,s0)
-+/var/spool/atjobs/[^/]*		--	<<none>>
- ')
- 
- ifdef(`distro_debian',`
-@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',`
+@@ -69,9 +69,3 @@ ifdef(`distro_gentoo',`
  /var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
  /var/spool/cron/lastrun/[^/]*	--	<<none>>
  ')
 -
--ifdef(`distro_redhat', `
+-ifdef(`distro_suse', `
 -/var/spool/cron/lastrun		-d	gen_context(system_u:object_r:crond_tmp_t,s0)
 -/var/spool/cron/lastrun/[^/]*	--	<<none>>
 -/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 -')
-Index: fedora-policy-20221019/policy/modules/contrib/cron.if
+Index: fedora-policy/policy/modules/contrib/cron.if
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/cron.if
-+++ fedora-policy-20221019/policy/modules/contrib/cron.if
-@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo
+--- fedora-policy.orig/policy/modules/contrib/cron.if
++++ fedora-policy/policy/modules/contrib/cron.if
+@@ -1031,7 +1031,7 @@ interface(`cron_generic_log_filetrans_lo
  #
  interface(`cron_system_spool_entrypoint',`
  	gen_require(`
diff --git a/fix_dbus.patch b/fix_dbus.patch
index 64ab643..0387af9 100644
--- a/fix_dbus.patch
+++ b/fix_dbus.patch
@@ -1,11 +1,11 @@
-Index: fedora-policy-20211111/policy/modules/contrib/dbus.te
+Index: fedora-policy/policy/modules/contrib/dbus.te
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/dbus.te
-+++ fedora-policy-20211111/policy/modules/contrib/dbus.te
-@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst
+--- fedora-policy.orig/policy/modules/contrib/dbus.te	2020-02-25 08:22:02.846623845 +0000
++++ fedora-policy/policy/modules/contrib/dbus.te	2020-02-25 08:22:31.991108418 +0000
+@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d
+ manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
  manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file })
+ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 +allow system_dbusd_t system_dbusd_tmp_t:file execute;
  
  manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
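Review bot: The rebased patch still carries `allow system_dbusd_t system_dbusd_tmp_t:file execute;` with no comment saying why it is needed. The context lines just above it (`manage_files_pattern` and `files_tmp_filetrans` on `system_dbusd_tmp_t`) show the same domain can create and write files of that type, so the daemon ends up able to write a temp file and then execute it. I would add a policy comment directly above the rule, for example `# dbus-daemon executes files from its tmp dir: <reason and bug reference, to be filled in>`, so the next rebase can tell whether the rule is still required. If only one helper ever needed this, a dedicated type for that file would be narrower than execute on everything the daemon writes to its tmp dir.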
diff --git a/fix_dnsmasq.patch b/fix_dnsmasq.patch
deleted file mode 100644
index 0471529..0000000
--- a/fix_dnsmasq.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
-===================================================================
---- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te
-+++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
-@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t)
- logging_send_syslog_msg(dnsmasq_t)
- 
- miscfiles_read_public_files(dnsmasq_t)
-+sysnet_manage_config_dirs(dnsmasq_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
- userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
diff --git a/fix_dovecot.patch b/fix_dovecot.patch
deleted file mode 100644
index f88cff1..0000000
--- a/fix_dovecot.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc
-===================================================================
---- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc
-+++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc
-@@ -34,6 +34,10 @@ ifdef(`distro_redhat', `
- /usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
- ')
- 
-+/usr/lib/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-+/usr/lib/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+/usr/lib/dovecot/dovecot-lda --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+
- #
- # /var
- #
diff --git a/fix_firewalld.patch b/fix_firewalld.patch
index 1e455b7..5b5e67e 100644
--- a/fix_firewalld.patch
+++ b/fix_firewalld.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
+Index: fedora-policy/policy/modules/contrib/firewalld.te
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te
-+++ fedora-policy-20211111/policy/modules/contrib/firewalld.te
-@@ -131,6 +131,7 @@ optional_policy(`
+--- fedora-policy.orig/policy/modules/contrib/firewalld.te	2020-02-24 08:16:03.798820784 +0000
++++ fedora-policy/policy/modules/contrib/firewalld.te	2020-02-24 08:18:03.164764310 +0000
+@@ -129,6 +129,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10,10 +10,10 @@ Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
  	iptables_domtrans(firewalld_t)
  	iptables_read_var_run(firewalld_t)
  ')
-Index: fedora-policy-20211111/policy/modules/system/iptables.if
+Index: fedora-policy/policy/modules/system/iptables.if
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/system/iptables.if
-+++ fedora-policy-20211111/policy/modules/system/iptables.if
+--- fedora-policy.orig/policy/modules/system/iptables.if	2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/iptables.if	2020-02-24 08:17:53.076600108 +0000
 @@ -2,6 +2,25 @@
  
  ########################################
diff --git a/fix_gift.patch b/fix_gift.patch
new file mode 100644
index 0000000..191375e
--- /dev/null
+++ b/fix_gift.patch
@@ -0,0 +1,9 @@
+Index: fedora-policy/policy/modules/contrib/gift.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/gift.te	2019-08-05 09:39:48.645670248 +0200
++++ fedora-policy/policy/modules/contrib/gift.te	2019-08-05 10:05:44.787808191 +0200
+@@ -113,4 +113,3 @@ files_read_etc_runtime_files(giftd_t)
+ sysnet_dns_name_resolve(giftd_t)
+ 
+ userdom_use_inherited_user_terminals(giftd_t)
+-userdom_home_manager(gitd_t)
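Review bot: fix_gift.patch has no description, so nothing records why `userdom_home_manager(gitd_t)` is dropped rather than corrected. The surrounding context lines all use `giftd_t`, so `gitd_t` looks like a misspelled type name; that is an inference from the hunk, not something the patch states. A one-line header above `Index:` such as `Drop userdom_home_manager(gitd_t) from gift.te: <why it is removed instead of renamed to giftd_t>` would make the intent explicit for whoever rebases it next. The same missing description applies to fix_hadoop.patch, which removes the `hadoop_role(...)` calls from sysadm.te and unprivuser.te without saying why.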
diff --git a/fix_hadoop.patch b/fix_hadoop.patch
new file mode 100644
index 0000000..b679cd8
--- /dev/null
+++ b/fix_hadoop.patch
@@ -0,0 +1,30 @@
+Index: fedora-policy/policy/modules/roles/sysadm.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/sysadm.te
++++ fedora-policy/policy/modules/roles/sysadm.te
+@@ -293,10 +293,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	hadoop_role(sysadm_r, sysadm_t)
+-')
+-
+-optional_policy(`
+     iotop_run(sysadm_t, sysadm_r)
+ ')
+ 
+Index: fedora-policy/policy/modules/roles/unprivuser.te
+===================================================================
+--- fedora-policy.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy/policy/modules/roles/unprivuser.te
+@@ -200,10 +200,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		hadoop_role(user_r, user_t)
+-	')
+-
+-	optional_policy(`
+ 		irc_role(user_r, user_t)
+ 	')
+ 
diff --git a/fix_hypervkvp.patch b/fix_hypervkvp.patch
deleted file mode 100644
index 3cac649..0000000
--- a/fix_hypervkvp.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
-===================================================================
---- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc
-+++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
-@@ -3,8 +3,10 @@
- /usr/lib/systemd/system/hypervvssd.*      --  gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
- 
- /usr/sbin/hv_kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
-+/usr/lib/hyper-v/bin/.*kvp_daemon		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
- /usr/sbin/hypervkvpd		--	gen_context(system_u:object_r:hypervkvp_exec_t,s0)
- 
- /usr/sbin/hypervvssd        --  gen_context(system_u:object_r:hypervvssd_exec_t,s0)
-+/usr/lib/hyper-v/bin/.*vss_daemon	--	gen_context(system_u:object_r:hypervvssd_exec_t,s0)
- 
- /var/lib/hyperv(/.*)?		gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/fix_init.patch b/fix_init.patch
index 29df1c9..ffbff36 100644
--- a/fix_init.patch
+++ b/fix_init.patch
@@ -1,17 +1,16 @@
-Index: fedora-policy-20221019/policy/modules/system/init.te
+Index: fedora-policy/policy/modules/system/init.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/init.te
-+++ fedora-policy-20221019/policy/modules/system/init.te
-@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t)
+--- fedora-policy.orig/policy/modules/system/init.te
++++ fedora-policy/policy/modules/system/init.te
+@@ -257,6 +257,7 @@ corecmd_exec_bin(init_t)
  corenet_all_recvfrom_netlabel(init_t)
  corenet_tcp_bind_all_ports(init_t)
  corenet_udp_bind_all_ports(init_t)
 +corenet_udp_bind_generic_node(init_t)
-+corenet_tcp_bind_generic_node(init_t)
  
  dev_create_all_files(init_t)
  dev_create_all_chr_files(init_t)
-@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t)
+@@ -378,6 +379,7 @@ logging_manage_audit_config(init_t)
  logging_create_syslog_netlink_audit_socket(init_t)
  logging_write_var_log_dirs(init_t)
  logging_manage_var_log_symlinks(init_t)
@@ -19,7 +18,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
  
  seutil_read_config(init_t)
  seutil_read_login_config(init_t)
-@@ -450,9 +453,19 @@ ifdef(`distro_redhat',`
+@@ -427,10 +429,15 @@ ifdef(`distro_redhat',`
  corecmd_shell_domtrans(init_t, initrc_t)
  
  storage_raw_rw_fixed_disk(init_t)
@@ -27,19 +26,15 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
  
  sysnet_read_dhcpc_state(init_t)
  
-+# bsc#1197610, find a better, generic solution
-+optional_policy(`
-+    mta_getattr_spool(init_t)
-+')
-+
-+optional_policy(`
-+    networkmanager_initrc_read_lnk_files(init_t)
-+')
-+
  optional_policy(`
- 	anaconda_stream_connect(init_t)
- 	anaconda_create_unix_stream_sockets(init_t)
-@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',`
++	networkmanager_initrc_read_lnk_files(init_t)
++')
++
++optional_policy(`
+     bootloader_domtrans(init_t)
+ ')
+ 
+@@ -544,7 +551,7 @@ tunable_policy(`init_create_dirs',`
  allow init_t self:system all_system_perms;
  allow init_t self:system module_load;
  allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -47,12 +42,8 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
 +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
  allow init_t self:process { getcap setcap };
  allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
--allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
-+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow init_t self:netlink_selinux_socket create_socket_perms;
- allow init_t self:unix_dgram_socket lock;
- # Until systemd is fixed
-@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t)
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
+@@ -606,6 +613,7 @@ files_delete_all_spool_sockets(init_t)
  files_create_var_lib_dirs(init_t)
  files_create_var_lib_symlinks(init_t)
  files_read_var_lib_symlinks(init_t)
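Review bot: The added rule `allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };` grants the init domain `execmem` unconditionally, and neither the patch nor the policy line says what needs it. `execmem` permits making anonymous or written-to private mappings executable, which is a notable grant for `init_t`. It deserves a why-comment above the rule, such as `# init_t needs execmem for <component, bug reference>`, with the inner hunk's line counts adjusted to match. The line this rule replaces falls outside the hunk, so I cannot see from here whether `execmem` is the only permission being added.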
@@ -60,16 +51,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
  files_manage_urandom_seed(init_t)
  files_list_locks(init_t)
  files_list_spool(init_t)
-@@ -684,7 +698,7 @@ fs_list_all(init_t)
- fs_list_auto_mountpoints(init_t)
- fs_register_binary_executable_type(init_t)
- fs_relabel_tmpfs_sock_file(init_t)
--fs_rw_tmpfs_files(init_t)	
-+fs_rw_tmpfs_files(init_t)
- fs_relabel_cgroup_dirs(init_t)
- fs_search_cgroup_dirs(init_t)
- # for network namespaces
-@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_
+@@ -698,6 +706,7 @@ systemd_write_inherited_logind_sessions_
  create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
  
  create_dirs_pattern(init_t, var_log_t, var_log_t)
@@ -77,7 +59,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
  
  auth_use_nsswitch(init_t)
  auth_rw_login_records(init_t)
-@@ -1596,6 +1611,8 @@ optional_policy(`
+@@ -1543,6 +1552,8 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(initrc_t)
@@ -86,3 +68,15 @@ Index: fedora-policy-20221019/policy/modules/system/init.te
  ')
  
  optional_policy(`
+Index: fedora-policy/policy/modules/system/init.if
+===================================================================
+--- fedora-policy.orig/policy/modules/system/init.if
++++ fedora-policy/policy/modules/system/init.if
+@@ -3205,6 +3205,7 @@ interface(`init_filetrans_named_content'
+ 	files_etc_filetrans($1, machineid_t, file, "machine-id" )
+ 	files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
+ 	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
++	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late")
+ 	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
+ ')
+ 
diff --git a/fix_iptables.patch b/fix_iptables.patch
index bb149fd..5100015 100644
--- a/fix_iptables.patch
+++ b/fix_iptables.patch
@@ -1,9 +1,9 @@
-Index: fedora-policy-20220428/policy/modules/system/iptables.te
+Index: fedora-policy/policy/modules/system/iptables.te
 ===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/iptables.te
-+++ fedora-policy-20220428/policy/modules/system/iptables.te
-@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t)
- kernel_read_kernel_sysctls(iptables_t)
+--- fedora-policy.orig/policy/modules/system/iptables.te	2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/iptables.te	2020-02-21 12:19:23.060595602 +0000
+@@ -76,6 +76,7 @@ kernel_read_kernel_sysctls(iptables_t)
+ kernel_read_usermodehelper_state(iptables_t)
  kernel_use_fds(iptables_t)
  kernel_rw_net_sysctls(iptables_t)
 +kernel_rw_pipes(iptables_t)
diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch
deleted file mode 100644
index 4769ca5..0000000
--- a/fix_kernel_sysctl.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -242,6 +242,8 @@ ifdef(`distro_redhat',`
- /usr/lib/ostree-boot(/.*)?                gen_context(system_u:object_r:usr_t,s0)
- /usr/lib/modules(/.*)/vmlinuz         -- 	gen_context(system_u:object_r:usr_t,s0)
- /usr/lib/modules(/.*)/initramfs.img   --	gen_context(system_u:object_r:usr_t,s0)
-+/usr/lib/modules(/.*)/sysctl.conf     --	gen_context(system_u:object_r:usr_t,s0)
-+/usr/lib/modules(/.*)/System.map      --	gen_context(system_u:object_r:system_map_t,s0)
- 
- /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
- 
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t)
- logging_send_syslog_msg(systemd_sysctl_t)
- 
- systemd_read_efivarfs(systemd_sysctl_t)
-+# kernel specific sysctl.conf may be in modules dir
-+allow systemd_sysctl_t modules_object_t:dir search;
- 
- #######################################
- #
diff --git a/fix_libraries.patch b/fix_libraries.patch
deleted file mode 100644
index a6a228f..0000000
--- a/fix_libraries.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy-20210419/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20210419/policy/modules/system/libraries.fc
-@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
- 
- /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
- 
-+/usr/lib/libreoffice/program/resource.* --	gen_context(system_u:object_r:lib_t,s0)
-+
- /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
- /usr/lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/fix_locallogin.patch b/fix_locallogin.patch
index cdee73c..6247e22 100644
--- a/fix_locallogin.patch
+++ b/fix_locallogin.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220624/policy/modules/system/locallogin.te
+Index: fedora-policy/policy/modules/system/locallogin.te
 ===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/locallogin.te
-+++ fedora-policy-20220624/policy/modules/system/locallogin.te
+--- fedora-policy.orig/policy/modules/system/locallogin.te	2020-02-19 09:36:25.440182406 +0000
++++ fedora-policy/policy/modules/system/locallogin.te	2020-02-21 08:52:35.961803038 +0000
 @@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t)
  kernel_read_kernel_sysctls(local_login_t)
  kernel_search_key(local_login_t)
@@ -10,11 +10,3 @@ Index: fedora-policy-20220624/policy/modules/system/locallogin.te
  
  corecmd_list_bin(local_login_t)
  corecmd_read_bin_symlinks(local_login_t)
-@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t)
- auth_manage_pam_console_data(local_login_t)
- auth_domtrans_pam_console(local_login_t)
- auth_use_nsswitch(local_login_t)
-+auth_read_shadow(local_login_t)
- 
- init_dontaudit_use_fds(local_login_t)
- init_stream_connect(local_login_t)
diff --git a/fix_logging.patch b/fix_logging.patch
index 8a74cb7..95c45a7 100644
--- a/fix_logging.patch
+++ b/fix_logging.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220624/policy/modules/system/logging.fc
+Index: fedora-policy/policy/modules/system/logging.fc
 ===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20220624/policy/modules/system/logging.fc
+--- fedora-policy.orig/policy/modules/system/logging.fc
++++ fedora-policy/policy/modules/system/logging.fc
 @@ -3,6 +3,8 @@
  /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
  /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -19,11 +19,11 @@ Index: fedora-policy-20220624/policy/modules/system/logging.fc
  /var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
  
  /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: fedora-policy-20220624/policy/modules/system/logging.if
+Index: fedora-policy/policy/modules/system/logging.if
 ===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/logging.if
-+++ fedora-policy-20220624/policy/modules/system/logging.if
-@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',`
+--- fedora-policy.orig/policy/modules/system/logging.if
++++ fedora-policy/policy/modules/system/logging.if
+@@ -1686,3 +1686,22 @@ interface(`logging_dgram_send',`
  
  	allow $1 syslogd_t:unix_dgram_socket sendto;
  ')
diff --git a/fix_logrotate.patch b/fix_logrotate.patch
index 7cb2f23..1b6fe37 100644
--- a/fix_logrotate.patch
+++ b/fix_logrotate.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te
+Index: fedora-policy/policy/modules/contrib/logrotate.te
 ===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te
-+++ fedora-policy-20210628/policy/modules/contrib/logrotate.te
-@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log
+--- fedora-policy.orig/policy/modules/contrib/logrotate.te
++++ fedora-policy/policy/modules/contrib/logrotate.te
+@@ -107,6 +107,7 @@ files_var_lib_filetrans(logrotate_t, log
  
  kernel_read_system_state(logrotate_t)
  kernel_read_kernel_sysctls(logrotate_t)
diff --git a/fix_nagios.patch b/fix_nagios.patch
index 08fdbf0..ddb660c 100644
--- a/fix_nagios.patch
+++ b/fix_nagios.patch
@@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/contrib/nagios.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/nagios.te
 +++ fedora-policy/policy/modules/contrib/nagios.te
-@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
+@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map;
  manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
  manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
  manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
index 91a7087..40b77db 100644
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
+Index: fedora-policy/policy/modules/contrib/networkmanager.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te
-@@ -275,6 +275,9 @@ userdom_read_home_certs(NetworkManager_t
+--- fedora-policy.orig/policy/modules/contrib/networkmanager.te
++++ fedora-policy/policy/modules/contrib/networkmanager.te
+@@ -236,6 +236,9 @@ userdom_read_home_certs(NetworkManager_t
  userdom_read_user_home_content_files(NetworkManager_t)
  userdom_dgram_send(NetworkManager_t)
  
@@ -12,18 +12,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
  tunable_policy(`use_nfs_home_dirs',`
      fs_read_nfs_files(NetworkManager_t)
  ')
-@@ -284,6 +287,10 @@ tunable_policy(`use_samba_home_dirs',`
- ')
- 
- optional_policy(`
-+    nis_systemctl_ypbind(NetworkManager_t)
-+')
-+
-+optional_policy(`
- 	avahi_domtrans(NetworkManager_t)
- 	avahi_kill(NetworkManager_t)
- 	avahi_signal(NetworkManager_t)
-@@ -292,6 +299,14 @@ optional_policy(`
+@@ -253,6 +256,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38,39 +27,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
  	bind_domtrans(NetworkManager_t)
  	bind_manage_cache(NetworkManager_t)
  	bind_kill(NetworkManager_t)
-@@ -419,6 +434,8 @@ optional_policy(`
- 	nscd_kill(NetworkManager_t)
- 	nscd_initrc_domtrans(NetworkManager_t)
- 	nscd_systemctl(NetworkManager_t)
-+	nscd_socket_use(NetworkManager_dispatcher_tlp_t)
-+	nscd_socket_use(NetworkManager_dispatcher_custom_t)
- ')
- 
- optional_policy(`
-@@ -606,6 +623,7 @@ files_manage_etc_files(NetworkManager_di
- 
- init_status(NetworkManager_dispatcher_cloud_t)
- init_status(NetworkManager_dispatcher_ddclient_t)
-+init_status(NetworkManager_dispatcher_custom_t)
- init_append_stream_sockets(networkmanager_dispatcher_plugin)
- init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
- init_stream_connect(networkmanager_dispatcher_plugin)
-@@ -621,6 +639,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	nscd_shm_use(NetworkManager_dispatcher_chronyc_t)
-+')
-+
-+optional_policy(`
- 	cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
+Index: fedora-policy/policy/modules/contrib/networkmanager.if
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
-@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
+--- fedora-policy.orig/policy/modules/contrib/networkmanager.if
++++ fedora-policy/policy/modules/contrib/networkmanager.if
+@@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran
          init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
  ')
  
@@ -95,15 +56,3 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
  ########################################
  ## <summary>
  ##	Execute NetworkManager server in the NetworkManager domain.
-Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc
-+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
-@@ -24,6 +24,7 @@
- /usr/lib/NetworkManager/dispatcher\.d/04-iscsi	--	gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/10-sendmail	--	gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/11-dhclient	--	gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
-+/usr/lib/NetworkManager/dispatcher\.d/20-chrony	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/30-winbind	--	gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
diff --git a/fix_nscd.patch b/fix_nscd.patch
index 56a7c50..1bea723 100644
--- a/fix_nscd.patch
+++ b/fix_nscd.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
+Index: fedora-policy/policy/modules/contrib/nscd.fc
 ===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.fc
+--- fedora-policy.orig/policy/modules/contrib/nscd.fc
++++ fedora-policy/policy/modules/contrib/nscd.fc
 @@ -8,8 +8,10 @@
  /var/log/nscd\.log.*	--	gen_context(system_u:object_r:nscd_log_t,s0)
  
@@ -14,11 +14,11 @@ Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
  
  /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
 +
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.te
+Index: fedora-policy/policy/modules/contrib/nscd.te
 ===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.te
-@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
+--- fedora-policy.orig/policy/modules/contrib/nscd.te
++++ fedora-policy/policy/modules/contrib/nscd.te
+@@ -127,6 +127,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
  userdom_dontaudit_search_user_home_dirs(nscd_t)
  
  optional_policy(`
diff --git a/fix_policykit.patch b/fix_policykit.patch
new file mode 100644
index 0000000..1ce0185
--- /dev/null
+++ b/fix_policykit.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/contrib/policykit.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/policykit.te	2020-02-21 13:28:23.080385220 +0000
++++ fedora-policy/policy/modules/contrib/policykit.te	2020-02-21 13:31:09.023086041 +0000
+@@ -98,6 +98,8 @@ userdom_getattr_all_users(policykit_t)
+ userdom_read_all_users_state(policykit_t)
+ userdom_dontaudit_search_admin_dir(policykit_t)
+ 
++policykit_dbus_chat(policykit_t)
++
+ optional_policy(`
+ 	dbus_system_domain(policykit_t, policykit_exec_t)
+ 
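Review bot: The added rule `policykit_dbus_chat(policykit_t)` has no comment saying why policykit_t must exchange D-Bus messages with its own domain, so a later policy refresh cannot tell whether the rule is still needed or what denial it addressed. I would add a line above it in the patch, `+# policykit_t talks to its own domain over D-Bus (ref: <bug-or-AVC-reference>)`, with the reference filled in. The `---`/`+++` lines of this new patch also carry timestamps, unlike the refreshed headers in fix_nscd.patch and fix_postfix.patch; dropping them would avoid header-only churn on the next refresh. The same applies to the new header lines in fix_selinuxutil.patch.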
diff --git a/fix_postfix.patch b/fix_postfix.patch
index 9b7fb86..3f9b14f 100644
--- a/fix_postfix.patch
+++ b/fix_postfix.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
+Index: fedora-policy/policy/modules/contrib/postfix.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc
-@@ -1,37 +1,21 @@
+--- fedora-policy.orig/policy/modules/contrib/postfix.fc
++++ fedora-policy/policy/modules/contrib/postfix.fc
+@@ -1,37 +1,20 @@
  # postfix
 -/etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 -/etc/postfix.*		      	gen_context(system_u:object_r:postfix_etc_t,s0)
@@ -41,7 +41,6 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
 +/etc/postfix.*		      		gen_context(system_u:object_r:postfix_etc_t,s0)
 +/etc/postfix/chroot-update 	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/.*		--	gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/systemd/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/cleanup 	--	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 +/usr/lib/postfix/bin/local	--	gen_context(system_u:object_r:postfix_local_exec_t,s0)
 +/usr/lib/postfix/bin/master	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -57,7 +56,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
  /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
  /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
  /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
+@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
  /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
  /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  
@@ -67,28 +66,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
  /var/lib/postfix.*		gen_context(system_u:object_r:postfix_data_t,s0)
  
  /var/spool/postfix.*		gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/defer(/.*)? 	  gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
--/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
-+/var/spool/postfix/pid(/.*)?	gen_context(system_u:object_r:postfix_var_run_t,s0)
- /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
- /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
- /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
+Index: fedora-policy/policy/modules/contrib/postfix.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.te
-@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c
- allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
- allow postfix_master_t postfix_etc_t:file rw_file_perms;
- mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
-+# SUSE also runs this on /etc/alias
-+mta_filetrans_aliases(postfix_master_t, etc_t)
- 
- can_exec(postfix_master_t, postfix_exec_t)
- 
-@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t)
+--- fedora-policy.orig/policy/modules/contrib/postfix.te
++++ fedora-policy/policy/modules/contrib/postfix.te
+@@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t)
  
  userdom_use_inherited_user_ptys(postfix_map_t)
  
@@ -103,7 +85,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
  optional_policy(`
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
-@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m
+@@ -687,6 +695,14 @@ corenet_tcp_connect_spamd_port(postfix_m
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
diff --git a/fix_rpm.patch b/fix_rpm.patch
index 67cf3c4..6dc895d 100644
--- a/fix_rpm.patch
+++ b/fix_rpm.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
+Index: fedora-policy/policy/modules/contrib/rpm.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc
-@@ -18,6 +18,10 @@
+--- fedora-policy.orig/policy/modules/contrib/rpm.fc
++++ fedora-policy/policy/modules/contrib/rpm.fc
+@@ -17,6 +17,10 @@
  /usr/bin/repoquery		--	gen_context(system_u:object_r:rpm_exec_t,s0)		
  /usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
@@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
  /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt  --  gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -56,6 +60,8 @@ ifdef(`distro_redhat', `
+@@ -54,6 +58,8 @@ ifdef(`distro_redhat', `
  /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
  /var/cache/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
@@ -22,11 +22,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/rpm.if
+Index: fedora-policy/policy/modules/contrib/rpm.if
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if
-+++ fedora-policy-20221019/policy/modules/contrib/rpm.if
-@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',`
+--- fedora-policy.orig/policy/modules/contrib/rpm.if
++++ fedora-policy/policy/modules/contrib/rpm.if
+@@ -431,8 +431,10 @@ interface(`rpm_named_filetrans',`
  	logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
  	logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
  	logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
@@ -37,11 +37,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.if
  	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
  	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
  	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
-Index: fedora-policy-20221019/policy/modules/kernel/files.fc
+Index: fedora-policy/policy/modules/kernel/files.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20221019/policy/modules/kernel/files.fc
-@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
+--- fedora-policy.orig/policy/modules/kernel/files.fc
++++ fedora-policy/policy/modules/kernel/files.fc
+@@ -67,6 +67,7 @@ ifdef(`distro_suse',`
  /etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
  /etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
  /etc/yum\.repos\.d(/.*)?                        gen_context(system_u:object_r:system_conf_t,s0)
diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch
index 84e87ac..fb0148d 100644
--- a/fix_selinuxutil.patch
+++ b/fix_selinuxutil.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
+Index: fedora-policy/policy/modules/system/selinuxutil.te
 ===================================================================
---- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.te
-+++ fedora-policy-20210628/policy/modules/system/selinuxutil.te
+--- fedora-policy.orig/policy/modules/system/selinuxutil.te	2020-02-19 09:36:25.444182470 +0000
++++ fedora-policy/policy/modules/system/selinuxutil.te	2020-02-24 07:57:26.556813139 +0000
 @@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',`
  ')
  
@@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
  	portage_dontaudit_use_fds(load_policy_t)
  ')
  
-@@ -618,6 +622,10 @@ logging_send_audit_msgs(setfiles_t)
+@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t)
  logging_send_syslog_msg(setfiles_t)
  
  optional_policy(`
@@ -24,16 +24,3 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te
      cloudform_dontaudit_write_cloud_log(setfiles_t)
  ')
  
-Index: fedora-policy-20210628/policy/modules/system/selinuxutil.if
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.if
-+++ fedora-policy-20210628/policy/modules/system/selinuxutil.if
-@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config'
- 
- 	dontaudit $1 selinux_config_t:dir search_dir_perms;
- 	dontaudit $1 selinux_config_t:file read_file_perms;
-+	# /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
-+	dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
diff --git a/fix_snapper.patch b/fix_snapper.patch
index 045bc12..e52343a 100644
--- a/fix_snapper.patch
+++ b/fix_snapper.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
+Index: fedora-policy/policy/modules/contrib/snapper.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.te
+--- fedora-policy.orig/policy/modules/contrib/snapper.te
++++ fedora-policy/policy/modules/contrib/snapper.te
 @@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t)
  type snapperd_data_t;
  files_type(snapperd_data_t)
@@ -23,25 +23,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
  kernel_setsched(snapperd_t)
  
  domain_read_all_domains_state(snapperd_t)
-@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t)
+@@ -73,6 +80,10 @@ storage_raw_read_fixed_disk(snapperd_t)
  auth_use_nsswitch(snapperd_t)
  
  optional_policy(`
 +	packagekit_dbus_chat(snapperd_t)
 +')
 +
-+optional_policy(`
-+        rpm_dbus_chat(snapperd_t)
-+')
-+
 +optional_policy(`
      cron_system_entry(snapperd_t, snapperd_exec_t)
  ')
  
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc
+Index: fedora-policy/policy/modules/contrib/snapper.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc
+--- fedora-policy.orig/policy/modules/contrib/snapper.fc
++++ fedora-policy/policy/modules/contrib/snapper.fc
 @@ -7,9 +7,17 @@
  
  /var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
diff --git a/fix_sysnetwork.patch b/fix_sysnetwork.patch
index b7f0b13..844d87f 100644
--- a/fix_sysnetwork.patch
+++ b/fix_sysnetwork.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc
+Index: fedora-policy/policy/modules/system/sysnetwork.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc
-+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-@@ -103,6 +103,8 @@ ifdef(`distro_debian',`
+--- fedora-policy.orig/policy/modules/system/sysnetwork.fc
++++ fedora-policy/policy/modules/system/sysnetwork.fc
+@@ -102,6 +102,8 @@ ifdef(`distro_debian',`
  /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
  ')
  
diff --git a/fix_systemd.patch b/fix_systemd.patch
index 1576754..5dbba95 100644
--- a/fix_systemd.patch
+++ b/fix_systemd.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
+Index: fedora-policy/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
+--- fedora-policy.orig/policy/modules/system/systemd.te
++++ fedora-policy/policy/modules/system/systemd.te
+@@ -332,6 +332,10 @@ userdom_manage_user_tmp_chr_files(system
  xserver_dbus_chat(systemd_logind_t)
  
  optional_policy(`
@@ -13,8 +13,8 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te
  	apache_read_tmp_files(systemd_logind_t)
  ')
  
-@@ -863,6 +867,10 @@ optional_policy(`
- 	dbus_system_bus_client(systemd_localed_t)
+@@ -823,6 +827,10 @@ optional_policy(`
+         dbus_connect_system_bus(systemd_hostnamed_t)
  ')
  
 +optional_policy(`
@@ -23,22 +23,4 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te
 +
  #######################################
  #
- # Hostnamed policy
-@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
- # systemd_gpt_generator domain
- #
- 
--allow systemd_gpt_generator_t self:capability sys_rawio;
-+allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
- allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
- dev_read_sysfs(systemd_gpt_generator_t)
-@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_
- systemd_create_unit_file_dirs(systemd_gpt_generator_t)
- systemd_create_unit_file_lnk(systemd_gpt_generator_t)
- 
-+kernel_dgram_send(systemd_gpt_generator_t)
-+
- optional_policy(`
- 	udev_read_pid_files(systemd_gpt_generator_t)
- ')
+ # rfkill policy
diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch
deleted file mode 100644
index 530f381..0000000
--- a/fix_systemd_watch.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20221019/policy/modules/system/systemd.te
-@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t)
- storage_getattr_fixed_disk_dev(systemd_sleep_t)
- storage_getattr_removable_dev(systemd_sleep_t)
- 
-+#######################################
-+#
-+# Allow systemd to watch certificate dir for ca-certificates
-+# 
-+watch_dirs_pattern(init_t,cert_t,cert_t)
-+
- optional_policy(`
- 	sysstat_domtrans(systemd_sleep_t)
- ')
diff --git a/fix_thunderbird.patch b/fix_thunderbird.patch
index 159afc4..0e2ee48 100644
--- a/fix_thunderbird.patch
+++ b/fix_thunderbird.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te
+Index: fedora-policy/policy/modules/contrib/thunderbird.te
 ===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te
-+++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-@@ -138,7 +138,6 @@ optional_policy(`
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te
++++ fedora-policy/policy/modules/contrib/thunderbird.te
+@@ -139,7 +139,6 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(thunderbird_t)
  	gnome_domtrans_gconfd(thunderbird_t)
diff --git a/fix_unconfined.patch b/fix_unconfined.patch
index 815055b..468bdf3 100644
--- a/fix_unconfined.patch
+++ b/fix_unconfined.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20221019/policy/modules/system/unconfined.te
+Index: fedora-policy/policy/modules/system/unconfined.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/unconfined.te
-+++ fedora-policy-20221019/policy/modules/system/unconfined.te
+--- fedora-policy.orig/policy/modules/system/unconfined.te
++++ fedora-policy/policy/modules/system/unconfined.te
 @@ -1,5 +1,10 @@
  policy_module(unconfined, 3.5.0)
  
@@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/system/unconfined.te
  ########################################
  #
  # Declarations
-@@ -45,3 +50,6 @@ optional_policy(`
+@@ -39,3 +44,6 @@ optional_policy(`
  optional_policy(`
  	container_runtime_domtrans(unconfined_service_t)
  ')
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
index 017c8f7..36ae7e1 100644
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
+Index: fedora-policy/policy/modules/roles/unconfineduser.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te
-@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
+--- fedora-policy.orig/policy/modules/roles/unconfineduser.te
++++ fedora-policy/policy/modules/roles/unconfineduser.te
+@@ -120,6 +120,11 @@ tunable_policy(`unconfined_dyntrans_all'
      domain_dyntrans(unconfined_t)
  ')
  
@@ -14,7 +14,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
  optional_policy(`
  	gen_require(`
  		type unconfined_t;
-@@ -214,6 +219,10 @@ optional_policy(`
+@@ -210,6 +215,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25,7 +25,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
  	chrome_role_notrans(unconfined_r, unconfined_t)
  
  	tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -248,6 +257,18 @@ optional_policy(`
+@@ -244,6 +253,18 @@ optional_policy(`
  	dbus_stub(unconfined_t)
  
  	optional_policy(`
diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch
index 70fe21e..28f2e24 100644
--- a/fix_unprivuser.patch
+++ b/fix_unprivuser.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te
+Index: fedora-policy/policy/modules/roles/unprivuser.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te
-@@ -300,6 +300,13 @@ ifndef(`distro_redhat',`
+--- fedora-policy.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy/policy/modules/roles/unprivuser.te
+@@ -289,6 +289,13 @@ ifndef(`distro_redhat',`
  ')
  
  optional_policy(`
diff --git a/fix_userdomain.patch b/fix_userdomain.patch
deleted file mode 100644
index 6691ad8..0000000
--- a/fix_userdomain.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20220624/policy/modules/system/userdomain.if
-===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
-+++ fedora-policy-20220624/policy/modules/system/userdomain.if
-@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
- 
- 	# port access is audited even if dac would not have allowed it, so dontaudit it here
- #	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+	corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
- 	# Need the following rule to allow users to run vpnc
- 	corenet_tcp_bind_xserver_port($1_t)
- 	corenet_tcp_bind_generic_node($1_usertype)
diff --git a/fix_usermanage.patch b/fix_usermanage.patch
index a7d1bee..b82e968 100644
--- a/fix_usermanage.patch
+++ b/fix_usermanage.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
+Index: fedora-policy/policy/modules/admin/usermanage.te
 ===================================================================
---- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te
-+++ fedora-policy-20220428/policy/modules/admin/usermanage.te
+--- fedora-policy.orig/policy/modules/admin/usermanage.te
++++ fedora-policy/policy/modules/admin/usermanage.te
 @@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
  allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
  allow groupadd_t self:unix_dgram_socket sendto;
@@ -10,7 +10,7 @@ Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
  
  fs_getattr_xattr_fs(groupadd_t)
  fs_search_auto_mountpoints(groupadd_t)
-@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c
+@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c
  allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
@@ -18,7 +18,7 @@ Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
  
  manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
  manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v
+@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
  
diff --git a/fix_wine.patch b/fix_wine.patch
deleted file mode 100644
index 17698f2..0000000
--- a/fix_wine.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20220428/policy/modules/system/libraries.fc
-@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
- /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
- /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
--/opt/cx.*/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/cx.*/lib/wine/.+\.(so|dll)		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/ibm/java.*/jre/.+\.jar		--	gen_context(system_u:object_r:lib_t,s0)
- /opt/ibm/java.*/jre/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
- /usr/lib/systemd/libsystemd-.+\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
- 
- /usr/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
--/usr/lib/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/*-windows/*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
diff --git a/fix_xserver.patch b/fix_xserver.patch
index a8fd6e8..14f6700 100644
--- a/fix_xserver.patch
+++ b/fix_xserver.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
+Index: fedora-policy/policy/modules/services/xserver.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
+--- fedora-policy.orig/policy/modules/services/xserver.fc
++++ fedora-policy/policy/modules/services/xserver.fc
 @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
@@ -18,15 +18,7 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
  /usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
-@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
- /usr/bin/Xwayland	--	gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/x11vnc		--	gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/nvidia.*	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/greetd		--	gen_context(system_u:object_r:xdm_exec_t,s0)
- 
- /usr/libexec/Xorg\.bin  --  gen_context(system_u:object_r:xserver_exec_t,s0)   
- /usr/libexec/Xorg\.wrap  --  gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
+@@ -135,6 +137,7 @@ HOME_DIR/\.dmrc.*	--	gen_context(system_
  /usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
  /usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
  
@@ -34,30 +26,13 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc
  ifndef(`distro_debian',`
  /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  ')
-@@ -155,6 +159,7 @@ ifndef(`distro_debian',`
- /var/lib/[mxkwg]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
-+/var/lib/greetd(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
- 
- /var/cache/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/cache/[mg]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
-@@ -184,6 +189,8 @@ ifndef(`distro_debian',`
- /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd[^/]*\.sock	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd\.run		--	gen_context(system_u:object_r:xdm_var_run_t,s0)
- 
- /var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
- /var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
+Index: fedora-policy/policy/modules/services/xserver.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi
- 
- kernel_read_vm_sysctls(xdm_t)
+--- fedora-policy.orig/policy/modules/services/xserver.te
++++ fedora-policy/policy/modules/services/xserver.te
+@@ -477,6 +477,10 @@ userdom_delete_user_home_content_files(x
+ userdom_signull_unpriv_users(xdm_t)
+ userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
  
 +files_manage_generic_pids_symlinks(xdm_t)
 +userdom_manage_user_home_content_dirs(xdm_t)
diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf
index 853e975..8774301 100644
--- a/modules-minimum-base.conf
+++ b/modules-minimum-base.conf
@@ -392,6 +392,13 @@ udev = module
 # 
 unconfined = module
 
+# Layer: system
+# Module: kdbus
+#
+# Policy for kdbus.
+#
+kdbus = module
+
 # Layer: admin
 # Module: rpm
 #
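Review bot: `kdbus = module` is added with only `# Policy for kdbus.` as explanation, which does not say which component on the target system needs the module. Judging by the file name, this list is the minimum policy set, and every module enabled here adds types and allow rules to the loaded policy. If the shipped kernel does not provide kdbus (as far as I know it was never merged into mainline Linux), the module is dead policy and I would leave it out. Otherwise the comment should state the reason, e.g. `# Policy for kdbus (needed by <component>)`. The same entry is added in modules-targeted-base.conf.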
@@ -412,3 +419,4 @@ packagekit = module
 # Name service cache daemon
 # 
 nscd = module
+
diff --git a/modules-minimum-contrib.conf b/modules-minimum-contrib.conf
index cde391b..1be2194 100644
--- a/modules-minimum-contrib.conf
+++ b/modules-minimum-contrib.conf
@@ -342,6 +342,13 @@ cmirrord = module
 # 
 cobbler = module
 
+# Layer: contrib
+# Module: cockpit
+#
+# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
+# 
+cockpit = module
+
 # Layer: services
 # Module: collectd
 #
@@ -2360,6 +2367,13 @@ minissdpd = module
 #
 freeipmi = module
 
+# Layer: contrib
+# Module: freeipmi
+# 
+# ipa policy module contain SELinux policies for IPA services
+#
+ipa = module
+
 # Layer: contrib
 # Module: mirrormanager
 # 
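Review bot: The comment block added above `ipa = module` names the wrong module: it reads `# Module: freeipmi`, apparently copied from the entry just before it, so anyone auditing which policy modules are enabled will misread this entry. It should read `# Module: ipa`, and the summary line would be better as `# ipa policy module contains SELinux policies for IPA services`. The same copied header appears in the matching hunk of modules-targeted-contrib.conf.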
diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf
index 5e255b5..202da6f 100644
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@@ -392,6 +392,13 @@ udev = module
 # 
 unconfined = module
 
+# Layer: system
+# Module: kdbus
+#
+# Policy for kdbus.
+#
+kdbus = module
+
 # Layer: contrib
 # Module: packagekit
 #
@@ -412,10 +419,3 @@ rtorrent = module
 # Policy for wicked
 #
 wicked = module
-
-# Layer: system
-# Module: rebootmgr
-#
-# Policy for rebootmgr
-#
-rebootmgr = module
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 54a2b38..9182671 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -342,6 +342,13 @@ cmirrord = module
 # 
 cobbler = module
 
+# Layer: contrib
+# Module: cockpit
+#
+# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
+# 
+cockpit = module
+
 # Layer: services
 # Module: collectd
 #
@@ -2374,6 +2381,13 @@ minissdpd = module
 #
 freeipmi = module
 
+# Layer: contrib
+# Module: freeipmi
+# 
+# ipa policy module contain SELinux policies for IPA services
+#
+ipa = module
+
 # Layer: contrib
 # Module: mirrormanager
 # 
diff --git a/rebootmgr.fc b/rebootmgr.fc
deleted file mode 100644
index 156f78f..0000000
--- a/rebootmgr.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/rebootmgrd		--	gen_context(system_u:object_r:rebootmgr_exec_t,s0)
diff --git a/rebootmgr.if b/rebootmgr.if
deleted file mode 100644
index bb42f80..0000000
--- a/rebootmgr.if
+++ /dev/null
@@ -1,61 +0,0 @@
-
-## <summary>policy for rebootmgr</summary>
-
-########################################
-## <summary>
-##	Execute rebootmgr_exec_t in the rebootmgr domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rebootmgr_domtrans',`
-	gen_require(`
-		type rebootmgr_t, rebootmgr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
-')
-
-######################################
-## <summary>
-##	Execute rebootmgr in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rebootmgr_exec',`
-	gen_require(`
-		type rebootmgr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, rebootmgr_exec_t)
-')
-
-########################################
-## <summary>
-##	Send and receive messages from
-##	rebootmgr over dbus.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rebootmgr_dbus_chat',`
-	gen_require(`
-		type rebootmgr_t;
-		class dbus send_msg;
-	')
-
-	allow $1 rebootmgr_t:dbus send_msg;
-	allow rebootmgr_t $1:dbus send_msg;
-')
diff --git a/rebootmgr.te b/rebootmgr.te
deleted file mode 100644
index 4b4e6ab..0000000
--- a/rebootmgr.te
+++ /dev/null
@@ -1,37 +0,0 @@
-policy_module(rebootmgr, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type rebootmgr_t;
-type rebootmgr_exec_t;
-init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
-
-########################################
-#
-# rebootmgr local policy
-#
-allow rebootmgr_t self:process { fork };
-allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
-allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rebootmgr_t)
-
-files_manage_etc_files(rebootmgr_t)
-
-logging_send_syslog_msg(rebootmgr_t)
-
-miscfiles_read_localization(rebootmgr_t)
-
-systemd_start_power_services(rebootmgr_t)
-
-systemd_dbus_chat_logind(rebootmgr_t)
-
-unconfined_dbus_chat(rebootmgr_t)
-
-optional_policy(`
-	dbus_system_bus_client(rebootmgr_t)
-	dbus_connect_system_bus(rebootmgr_t)
-')
diff --git a/rtorrent.fc b/rtorrent.fc
index 562f8ad..24f879f 100644
--- a/rtorrent.fc
+++ b/rtorrent.fc
@@ -1 +1 @@
-/usr/bin/rtorrent		--	gen_context(system_u:object_r:rtorrent_exec_t,s0)
+/usr/bin/rtorrent	--	gen_context(system_u:object_r:rtorrent_exec_t,s0)
diff --git a/rtorrent.if b/rtorrent.if
index 9ea4193..830e349 100644
--- a/rtorrent.if
+++ b/rtorrent.if
@@ -1,71 +1,6 @@
+## <summary>Policy for rtorrent.</summary>
 
-## <summary>policy for rtorrent</summary>
-
-########################################
-## <summary>
-##	Execute rtorrent_exec_t in the rtorrent domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`rtorrent_domtrans',`
-	gen_require(`
-		type rtorrent_t, rtorrent_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
-')
-
-######################################
-## <summary>
-##	Execute rtorrent in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`rtorrent_exec',`
-	gen_require(`
-		type rtorrent_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, rtorrent_exec_t)
-')
-
-########################################
-## <summary>
-##	Execute rtorrent in the rtorrent domain, and
-##	allow the specified role the rtorrent domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the rtorrent domain.
-##	</summary>
-## </param>
-#
-interface(`rtorrent_run',`
-	gen_require(`
-		type rtorrent_t;
-		attribute_role rtorrent_roles;
-	')
-
-	rtorrent_domtrans($1)
-	roleattribute $2 rtorrent_roles;
-')
-
-########################################
+############################################################
 ## <summary>
 ##	Role access for rtorrent
 ## </summary>
@@ -82,14 +17,95 @@ interface(`rtorrent_run',`
 #
 interface(`rtorrent_role',`
 	gen_require(`
-		type rtorrent_t;
-		attribute_role rtorrent_roles;
+	    attribute_role rtorrent_roles;
+	    type rtorrent_t, rtorrent_exec_t;
 	')
 
 	roleattribute $1 rtorrent_roles;
 
-	rtorrent_domtrans($2)
+	# transition from the userdomain to the derived domain
+	domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
 
+	# allow ps to show rtorrent
 	ps_process_pattern($2, rtorrent_t)
-	allow $2 rtorrent_t:process { signull signal sigkill };
+	allow $2 rtorrent_t:process { signull sigstop signal sigkill };
+
+	ifdef(`hide_broken_symptoms',`
+		#Leaked File Descriptors
+		dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Transition to a user torrent domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rtorrent_domtrans',`
+	gen_require(`
+		type rtorrent_t, rtorrent_exec_t;
+	')
+
+	domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
+')
+
+######################################
+## <summary>
+##	Execute torrent in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rtorrent_exec',`
+	gen_require(`
+		type rtorrent_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rtorrent_exec_t)
+')
+
+######################################
+## <summary>
+##  Make rtorrent an entrypoint for
+##  the specified domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The domain for which cifs_t is an entrypoint.
+##  </summary>
+## </param>
+#
+interface(`rtorrent_entry_type',`
+    gen_require(`
+        type rtorrent_exec_t;
+    ')
+
+    domain_entry_file($1, rtorrent_exec_t)
+')
+
+########################################
+## <summary>
+##	Send generic signals to user rtorrent processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rtorrent_signal',`
+	gen_require(`
+		type rtorrent_t;
+	')
+
+	allow $1 rtorrent_t:process signal;
 ')
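Review bot: The parameter summary of `rtorrent_entry_type` reads "The domain for which cifs_t is an entrypoint.", but the body calls `domain_entry_file($1, rtorrent_exec_t)`. The text looks left over from another module and should be `##  The domain for which rtorrent_exec_t is an entrypoint.`. The re-added `rtorrent_domtrans` also no longer calls `corecmd_search_bin($1)`, although `rtorrent_exec` in the same hunk still does, so it is worth confirming that callers get search access to the bin directory some other way. The `dontaudit` under `hide_broken_symptoms` would benefit from a comment naming which descriptor leaks, because it suppresses denials an analyst may otherwise want to see.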
diff --git a/rtorrent.te b/rtorrent.te
index 996f7a7..dcf4d43 100644
--- a/rtorrent.te
+++ b/rtorrent.te
@@ -1,4 +1,4 @@
-policy_module(rtorrent, 1.0.0)
+policy_module(rtorrent, 1.0.1)
 
 ########################################
 #
@@ -18,84 +18,81 @@ gen_tunable(rtorrent_send_mails, false)
 ## </desc>
 gen_tunable(rtorrent_enable_rutorrent, false)
 
-## <desc>
-## <p>
-## Allow rtorrent to execute helper scripts in home directories
-## </p>
-## </desc>
-gen_tunable(rtorrent_exec_scripts, false)
+attribute rtorrentdomain;
 
 attribute_role rtorrent_roles;
 roleattribute system_r rtorrent_roles;
 
 type rtorrent_t;
 type rtorrent_exec_t;
-application_domain(rtorrent_t, rtorrent_exec_t)
+userdom_user_application_domain(rtorrent_t, rtorrent_exec_t)
 role rtorrent_roles types rtorrent_t;
 
 ########################################
 #
 # rtorrent local policy
 #
-allow rtorrent_t self:process { fork signal_perms };
 
-allow rtorrent_t self:fifo_file manage_fifo_file_perms;
-allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rtorrent_t)
-
-files_read_etc_files(rtorrent_t)
-
-miscfiles_read_localization(rtorrent_t)
-
-sysnet_dns_name_resolve(rtorrent_t)
-
-optional_policy(`
-	gen_require(`
-		type staff_t;
-		role staff_r;
-	')
-
-	rtorrent_run(staff_t, staff_r)
-')
+corenet_tcp_bind_commplex_main_port(rtorrent_t)
 
 type rtorrent_port_t;
 corenet_port(rtorrent_port_t)
 allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
 
 userdom_read_user_home_content_symlinks(rtorrent_t)
-userdom_manage_user_home_content_files(rtorrent_t)
-userdom_manage_user_home_content_dirs(rtorrent_t)
 
-allow rtorrent_t self:tcp_socket { accept listen };
+allow rtorrent_t self:process setpgid;
+allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+allow rtorrent_t self:fifo_file rw_fifo_file_perms;
+allow rtorrent_t self:tcp_socket create_stream_socket_perms;
+allow rtorrent_t self:unix_stream_socket connectto;
 
+allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read };
+allow rtorrent_t self:udp_socket { connect create getattr };
+nscd_shm_use(rtorrent_t)
+
+#corecmd_exec_shell(rtorrent_t)
+corecmd_exec_bin(rtorrent_t)
+# execute helper scripts
+userdom_exec_user_bin_files(rtorrent_t)
+
+corenet_all_recvfrom_netlabel(rtorrent_t)
+corenet_tcp_sendrecv_generic_if(rtorrent_t)
+corenet_udp_sendrecv_generic_if(rtorrent_t)
+corenet_tcp_sendrecv_generic_node(rtorrent_t)
+corenet_udp_sendrecv_generic_node(rtorrent_t)
+corenet_tcp_sendrecv_all_ports(rtorrent_t)
+corenet_udp_sendrecv_all_ports(rtorrent_t)
 corenet_tcp_connect_all_ports(rtorrent_t)
+corenet_sendrecv_all_client_packets(rtorrent_t)
+corenet_udp_bind_all_unreserved_ports(rtorrent_t)
 
+domain_use_interactive_fds(rtorrent_t)
+auth_use_nsswitch(rtorrent_t)
+miscfiles_map_generic_certs(rtorrent_t)
 fs_getattr_xattr_fs(rtorrent_t)
 
 userdom_use_inherited_user_terminals(rtorrent_t)
-# this might be to much
+userdom_manage_user_home_content_files(rtorrent_t)
+userdom_manage_user_home_content_dirs(rtorrent_t)
 userdom_home_manager(rtorrent_t)
 userdom_filetrans_home_content(rtorrent_t)
+userdom_stream_connect(rtorrent_t)
 
 optional_policy(`
-        tunable_policy(`rtorrent_send_mails',`
-                userdom_exec_user_bin_files(rtorrent_t)
-                userdom_exec_user_home_content_files(rtorrent_t)
-                files_manage_generic_tmp_files(rtorrent_t)
-                mta_send_mail(rtorrent_t)
-        ')
+	tunable_policy(`rtorrent_send_mails',`
+		userdom_exec_user_bin_files(rtorrent_t)
+		userdom_exec_user_home_content_files(rtorrent_t)
+		files_manage_generic_tmp_files(rtorrent_t)
+		mta_send_mail(rtorrent_t)
+	')
 ')
 
 optional_policy(`
+    apache_manage_sys_content(rtorrent_t)
+
     tunable_policy(`rtorrent_enable_rutorrent',`
-	apache_manage_sys_content(rtorrent_t)
         apache_exec_sys_content(rtorrent_t)
     ')
 ')
 
-tunable_policy(`rtorrent_exec_scripts',`
-    # execute helper scripts
-    corecmd_exec_bin(rtorrent_t)
-    userdom_exec_user_bin_files(rtorrent_t)
-')
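Review bot: Execution rights that were gated by booleans become unconditional on the new side. `corecmd_exec_bin(rtorrent_t)` and `userdom_exec_user_bin_files(rtorrent_t)` now sit at top level and the `rtorrent_exec_scripts` tunable (default false) is gone, while `apache_manage_sys_content(rtorrent_t)` is moved out of the `rtorrent_enable_rutorrent` block. For a domain that also gets `corenet_tcp_connect_all_ports` and manages user home content, keeping these behind their booleans preserves a least-privilege default; the excerpt below restores that. Separately, `attribute rtorrentdomain;` is declared but not used anywhere in this hunk, and the `netlink_audit_socket` rule with `nlmsg_relay` has no comment explaining why the domain needs it.

```m4
## <desc>
## <p>
## Allow rtorrent to execute helper scripts in home directories
## </p>
## </desc>
gen_tunable(rtorrent_exec_scripts, false)

# ... unchanged: type declarations, socket, network and userdom rules ...

tunable_policy(`rtorrent_exec_scripts',`
	# execute helper scripts
	corecmd_exec_bin(rtorrent_t)
	userdom_exec_user_bin_files(rtorrent_t)
')

# ... unchanged: rtorrent_send_mails block ...

optional_policy(`
	tunable_policy(`rtorrent_enable_rutorrent',`
		apache_manage_sys_content(rtorrent_t)
		apache_exec_sys_content(rtorrent_t)
	')
')
```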
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 66c1d72..8ba73f0 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,438 +1,3 @@
--------------------------------------------------------------------
-Wed Oct 19 11:45:57 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20221019. Refreshed:
-  * distro_suse_to_distro_redhat.patch
-  * fix_apache.patch
-  * fix_chronyd.patch
-  * fix_cron.patch
-  * fix_init.patch
-  * fix_kernel_sysctl.patch
-  * fix_networkmanager.patch
-  * fix_rpm.patch
-  * fix_sysnetwork.patch
-  * fix_systemd.patch
-  * fix_systemd_watch.patch
-  * fix_unconfined.patch
-  * fix_unconfineduser.patch
-  * fix_unprivuser.patch
-  * fix_xserver.patch
-- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
-- Remove the ipa module, freeip ships their own module
-- Added fix_alsa.patch to allow reading of config files in home directories
-- Extended fix_networkmanager.patch and fix_postfix.patch to account
-  for SUSE systems
-- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
-  queries the running processes
-- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
-
--------------------------------------------------------------------
-Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Updated quilt couldn't unpack tarball. This will cause ongoing issues
-  so drop the sed statement in the %prep section and add 
-  distro_suse_to_distro_redhat.patch to add the necessary changes
-  via a patch
-
--------------------------------------------------------------------
-Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Update fix_networkmanager.patch to ensure NetworkManager chrony
-  dispatcher is properly labled and update fix_chronyd.patch to ensure
-  chrony helper script has proper label to be used by NetworkManager.
-  Also allow NetworkManager_dispatcher_custom_t to query systemd status
-  (bsc#1203824)
-
--------------------------------------------------------------------
-Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
-
-- Update fix_xserver.patch to add greetd support (bsc#1198559)
-
--------------------------------------------------------------------
-Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Revamped rtorrent module
-
--------------------------------------------------------------------
-Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
-
-- Move SUSE directory from manual page section to html docu
-
--------------------------------------------------------------------
-Wed Jul 27 14:00:55 UTC 2022 - Hu <cathy.hu@suse.com>
-
-- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t 
-  and NetworkManager_dispatcher_custom_t to access nscd socket 
-  (bsc#1201741)
-
--------------------------------------------------------------------
-Thu Jul 26 10:50:21 UTC 2022 - Zdenek Kubala <zkubala@suse.com>
-
-- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper 
-  (bnc#1201015)
-
--------------------------------------------------------------------
-Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20220714. Refreshed:
-  * fix_init.patch
-  * fix_systemd_watch.patch
-
--------------------------------------------------------------------
-Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
-  systemd_gpt_generator_t (bsc#1200911)
-
--------------------------------------------------------------------
-Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- postfix: Label PID files and some helpers correctly (bsc#1197242)
-
--------------------------------------------------------------------
-Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
-
--------------------------------------------------------------------
-Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20220624. Refreshed:
-  * fix_init.patch
-  * fix_kernel_sysctl.patch
-  * fix_logging.patch
-  * fix_networkmanager.patch
-  * fix_unprivuser.patch
-  Dropped fix_hadoop.patch, not necessary anymore
-* Updated fix_locallogin.patch to allow accesses for nss-systemd 
-  (bsc#1199630)
-
--------------------------------------------------------------------
-Fri May 20 13:46:47 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20220520 to pass stricter 3.4 toolchain checks
-
--------------------------------------------------------------------
-Fri May 20 09:14:58 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20220428. Refreshed:
-  * fix_apache.patch
-  * fix_hadoop.patch
-  * fix_init.patch
-  * fix_iptables.patch
-  * fix_kernel_sysctl.patch
-  * fix_networkmanager.patch
-  * fix_systemd.patch
-  * fix_systemd_watch.patch
-  * fix_unprivuser.patch
-  * fix_usermanage.patch
-  * fix_wine.patch
-
--------------------------------------------------------------------
-Thu May 19 12:25:31 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-- Add fix_dnsmasq.patch to fix problems with virtualization on Microos
-  (bsc#1199518)
-
--------------------------------------------------------------------
-Tue May  3 13:18:38 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Modified fix_init.patch to allow init to setup contrained environment
-  for accountsservice. This needs a better, more general solution
-  (bsc#1197610)
-
--------------------------------------------------------------------
-Mon May  2 11:27:49 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
-  This happens in certain boot conditions (bsc#1182500)
-- Changed fix_unconfineduser.patch to not transition into ldconfig_t
-  from unconfined_t (bsc#1197169)
--------------------------------------------------------------------
-Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf <kkaempf@suse.com>
-
-- use %license tag for COPYING file
-
--------------------------------------------------------------------
-Thu Feb 10 09:04:08 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683)
-
--------------------------------------------------------------------
-Wed Feb  9 16:04:09 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>
-
-- Fix bitlbee runtime directory (bsc#1193230)
-  * add fix_bitlbee.patch
-
--------------------------------------------------------------------
-Mon Jan 24 07:33:34 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20220124. Refreshed:
-  * fix_hadoop.patch
-  * fix_init.patch
-  * fix_kernel_sysctl.patch
-  * fix_systemd.patch
-  * fix_systemd_watch.patch
-- Added fix_hypervkvp.patch to fix issues with hyperv labeling 
-  (bsc#1193987)
-
--------------------------------------------------------------------
-Fri Jan 14 15:07:00 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
-
-- Allow colord to use systemd hardenings (bsc#1194631)
-
--------------------------------------------------------------------
-Thu Nov 11 14:21:47 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20211111. Refreshed:
-  * fix_dbus.patch
-  * fix_systemd.patch
-  * fix_authlogin.patch
-  * fix_auditd.patch
-  * fix_kernel_sysctl.patch
-  * fix_networkmanager.patch
-  * fix_chronyd.patch
-  * fix_unconfineduser.patch
-  * fix_unconfined.patch
-  * fix_firewalld.patch
-  * fix_init.patch
-  * fix_xserver.patch
-  * fix_logging.patch
-  * fix_hadoop.patch
-
--------------------------------------------------------------------
-Mon Oct 25 11:35:24 UTC 2021 - Marcus Meissner <meissner@suse.com>
-
-- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976)
-
--------------------------------------------------------------------
-Tue Sep 28 12:44:22 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
-
-- Fix auditd service start with systemd hardening directives (boo#1190918)
-  * add fix_auditd.patch
-
--------------------------------------------------------------------
-Thu Sep  2 08:45:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Modified fix_systemd.patch to allow systemd gpt generator access to
-  udev files (bsc#1189280)
-
--------------------------------------------------------------------
-Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
-
-- fix rebootmgr does not trigger the reboot properly (boo#1189878)
-  * fix managing /etc/rebootmgr.conf
-  * allow rebootmgr_t to cope with systemd and dbus messaging
-
--------------------------------------------------------------------
-Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Properly label cockpit files
-- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
-
--------------------------------------------------------------------
-Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
-
-- Added policy module for rebootmgr (jsc#SMO-28) 
-
--------------------------------------------------------------------
-Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
-
-- Allow systemd-sysctl to read kernel specific sysctl.conf
-  (fix_kernel_sysctl.patch, boo#1184804)
-
--------------------------------------------------------------------
-Tue Aug 10 08:31:16 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
-
-- Fix quoting in postInstall macro
-
--------------------------------------------------------------------
-Fri Jul 16 07:11:57 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20210716
-- Remove interfaces for container module before building the package
-  (bsc#1188184)
-- Updated
-  * fix_init.patch
-  * fix_systemd_watch.patch
-  to adapt to upstream changes
-
--------------------------------------------------------------------
-Thu Jul 15 15:45:57 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
-
-- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing
-  here
-
--------------------------------------------------------------------
-Tue Jul  6 13:55:19 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
-
-- Add tabrmd SELinux modules from upstream (bsc#1187925)
-  https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
-- Automatic spec-cleaner to fix ordering and misaligned spaces
-
--------------------------------------------------------------------
-Mon Jun 28 08:11:25 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20210419
-- Dropped fix_gift.patch, module was removed
-- Updated wicked.te to removed dropped interface
-- Refreshed:
-  * fix_cockpit.patch
-  * fix_hadoop.patch
-  * fix_init.patch
-  * fix_logging.patch
-  * fix_logrotate.patch
-  * fix_networkmanager.patch
-  * fix_nscd.patch
-  * fix_rpm.patch
-  * fix_selinuxutil.patch
-  * fix_systemd.patch
-  * fix_systemd_watch.patch
-  * fix_thunderbird.patch
-  * fix_unconfined.patch
-  * fix_unconfineduser.patch
-  * fix_unprivuser.patch
-  * fix_xserver.patch
-
--------------------------------------------------------------------
-Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
-
-- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
-  that trigger on changes in those.
-  Added fix_systemd_watch.patch
-- own /usr/share/selinux/packages/$SELINUXTYPE/ and
-  /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
-  files there
-
--------------------------------------------------------------------
-Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
-
-- allow cockpit socket to bind nodes (fix_cockpit.patch)
-- use %autosetup to get rid of endless patch lines
-
--------------------------------------------------------------------
-Tue Apr 27 06:30:08 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Updated fix_networkmanager.patch to allow NetworkManager to watch
-  its configuration directories
-- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207)
-
--------------------------------------------------------------------
-Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Added Recommends for selinux-autorelabel (bsc#1181837)
-- Prevent libreoffice fonts from changing types on every relabel 
-  (bsc#1185265). Added fix_libraries.patch
-
--------------------------------------------------------------------
-Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Transition unconfined users to ldconfig type (bsc#1183121).
-  Extended fix_unconfineduser.patch
-
--------------------------------------------------------------------
-Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20210419
-- Refreshed:
-  * fix_dbus.patch
-  * fix_hadoop.patch
-  * fix_init.patch
-  * fix_unprivuser.patch
-
--------------------------------------------------------------------
-Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
-
-- Adjust fix_init.patch to allow systemd to do sd-listen on 
-  tcp socket [bsc#1183177]
-
--------------------------------------------------------------------
-Tue Mar  9 13:39:11 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20210309
-- Refreshed
-  * fix_systemd.patch
-  * fix_selinuxutil.patch
-  * fix_iptables.patch
-  * fix_init.patch
-  * fix_logging.patch
-  * fix_nscd.patch
-  * fix_hadoop.patch
-  * fix_unconfineduser.patch
-  * fix_chronyd.patch
-  * fix_networkmanager.patch
-  * fix_cron.patch
-  * fix_usermanage.patch
-  * fix_unprivuser.patch
-  * fix_rpm.patch
-- Ensure that /usr/etc is labeled according to /etc rules
-
--------------------------------------------------------------------
-Tue Feb 23 13:53:40 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
-
-- Update to version 20210223
-- Change name of tar file to a more common schema to allow
-  parallel installation of several source versions
-- Adjust fix_init.patch
-
--------------------------------------------------------------------
-Mon Jan 11 09:29:18 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
-
-- Update to version 20210111
-  - Drop fix_policykit.patch (integrated upstream)
-  - Adjust fix_iptables.patch
-  - update container policy
-
--------------------------------------------------------------------
-Tue Nov 10 08:52:35 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
-
-- Updated fix_corecommand.patch to set correct types for the OBS
-  build tools
-
--------------------------------------------------------------------
-Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
-
-- wicked.fc: add libexec directories
-- Update to version 20201029
-  - update container policy
-
--------------------------------------------------------------------
-Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
-
-- Update to version 20201016
-- Use python3 to build (fc_sort.c was replaced by fc_sort.py which
-  uses python3)
-- Drop SELINUX=disabled, "selinux=0" kernel commandline option has
-  to be used instead. New default is "permissive" [bsc#1176923].
-
--------------------------------------------------------------------
-Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
-
-- Update to version 20200910. Refreshed
-  * fix_authlogin.patch
-  * fix_nagios.patch
-  * fix_systemd.patch
-  * fix_usermanage.patch
-- Delete suse_specific.patch, moved content into fix_selinuxutil.patch
-- Cleanup of booleans-* presets
-  * Enabled
-    user_rw_noexattrfile
-    unconfined_chrome_sandbox_transition
-    unconfined_mozilla_plugin_transition
-    for the minimal policy
-  * Disabled
-    xserver_object_manager
-    for the MLS policy
-  * Disabled
-    openvpn_enable_homedirs
-    privoxy_connect_any
-    selinuxuser_direct_dri_enabled
-    selinuxuser_ping (aka user_ping)
-    squid_connect_any
-    telepathy_tcp_connect_generic_network_ports
-    for the targeted policy
-  Change your local config if you need them
-- Build HTML version of manpages for the -devel package
-
 -------------------------------------------------------------------
 Thu Sep  3 07:47:52 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5da319d..4bc4815 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package selinux-policy
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,12 +12,12 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
-
+# TODO: This turns on distro-specific policies.
 # There are almost no SUSE specific modifications available in the policy, so we utilize the
-# ones used by redhat and include also the SUSE specific ones (distro_suse_to_distro_redhat.patch)
+# ones used by redhat and include also the SUSE specific ones (see sed statement below)
 %define distro redhat
 %define ubac n
 %define polyinstatiate n
@@ -33,9 +33,9 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20221019
+Version:        20200717
 Release:        0
-Source:         fedora-policy-%{version}.tar.bz2
+Source:         fedora-policy.%{version}.tar.bz2
 Source1:        selinux-policy-rpmlintrc
 
 Source10:       modules-targeted-base.conf
@@ -65,6 +65,7 @@ Source52:       users-minimum
 
 Source60:       selinux-policy.conf
 
+Source90:       selinux-policy-rpmlintrc
 Source91:       Makefile.devel
 Source92:       customizable_types
 #Source93:       config.tgz
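Review bot: `Source90: selinux-policy-rpmlintrc` names the same file that is already listed as `Source1` (visible as context in the preceding hunk), so the rpmlint configuration is declared twice. One of the two entries should be dropped. If both numbers have to stay, a comment saying why would keep a later cleanup from removing the wrong one.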
@@ -81,23 +82,22 @@ Source125:      rtorrent.fc
 Source126:      wicked.te
 Source127:      wicked.if
 Source128:      wicked.fc
-Source129:      rebootmgr.te
-Source130:      rebootmgr.if
-Source131:      rebootmgr.fc
 
-Patch000:       distro_suse_to_distro_redhat.patch
 Patch001:       fix_djbdns.patch
 Patch002:       fix_dbus.patch
+Patch003:       fix_gift.patch
 Patch004:       fix_java.patch
+Patch005:       fix_hadoop.patch
 Patch006:       fix_thunderbird.patch
-Patch007:       fix_postfix.patch
-Patch008:       fix_nscd.patch
-Patch009:       fix_sysnetwork.patch
-Patch010:       fix_logging.patch
+Patch007: 	fix_postfix.patch
+Patch008: 	fix_nscd.patch
+Patch009: 	fix_sysnetwork.patch
+Patch010: 	fix_logging.patch
 Patch011:       fix_xserver.patch
 Patch012:       fix_miscfiles.patch
 Patch013:       fix_init.patch
 Patch014:       fix_locallogin.patch
+Patch015:       fix_policykit.patch
 Patch016:       fix_iptables.patch
 Patch017:       fix_irqbalance.patch
 Patch018:       fix_ntp.patch
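Review bot: `Patch007` to `Patch010` are aligned with a space followed by a tab, while the neighbouring entries use spaces only; `Patch100` in the next hunk has the same mix. Matching the other lines, e.g. `Patch007:       fix_postfix.patch`, keeps the list uniform and avoids whitespace-only churn the next time the spec is normalised.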
@@ -123,33 +123,17 @@ Patch039:       fix_cron.patch
 Patch040:       fix_usermanage.patch
 Patch041:       fix_smartmon.patch
 Patch042:       fix_geoclue.patch
+Patch043:       suse_specific.patch
 Patch044:       fix_authlogin.patch
 Patch045:       fix_screen.patch
 Patch046:       fix_unprivuser.patch
 Patch047:       fix_rpm.patch
 Patch048:       fix_apache.patch
 Patch049:       fix_nis.patch
-Patch050:       fix_libraries.patch
-Patch051:       fix_dovecot.patch
-# https://github.com/cockpit-project/cockpit/pull/15758
-#Patch052:       fix_cockpit.patch
-Patch053:       fix_systemd_watch.patch
-# kernel specific sysctl.conf (boo#1184804)
-Patch054:       fix_kernel_sysctl.patch
-Patch055:       fix_auditd.patch
-Patch056:       fix_wine.patch
-Patch057:       fix_hypervkvp.patch
-Patch058:       fix_bitlbee.patch
-Patch059:       systemd_domain_dyntrans_type.patch
-Patch060:       fix_dnsmasq.patch
-Patch061:       fix_userdomain.patch
-Patch062:       fix_cloudform.patch
-Patch063:       fix_alsa.patch
-Patch064:       dontaudit_interface_kmod_tmpfs.patch
 
-Patch100:       sedoctool.patch
+Patch100: 	sedoctool.patch
 
-URL:            https://github.com/fedora-selinux/selinux-policy.git
+Url:            https://github.com/fedora-selinux/selinux-policy.git
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 BuildRequires:  checkpolicy
@@ -157,9 +141,8 @@ BuildRequires:  gawk
 BuildRequires:  libxml2-tools
 BuildRequires:  m4
 BuildRequires:  policycoreutils
-BuildRequires:  policycoreutils-devel
-BuildRequires:  python3
 BuildRequires:  python3-policycoreutils
+BuildRequires:  policycoreutils-devel
 # we need selinuxenabled
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre):  pam-config
@@ -170,9 +153,7 @@ Recommends:     audit
 Recommends:     selinux-tools
 # for audit2allow
 Recommends:     python3-policycoreutils
-Recommends:     container-selinux
 Recommends:     policycoreutils-python-utils
-Recommends:     selinux-autorelabel
 
 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
 
@@ -198,7 +179,6 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
-%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
@@ -226,8 +206,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
 %dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
 %dir %{_sharedstatedir}/selinux/%1/active/modules/100 \
-%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \
-%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
@@ -268,7 +246,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
 %dir %{_datadir}/selinux/%1 \
-%dir %{_datadir}/selinux/packages/%1 \
 %{_datadir}/selinux/%1/base.lst \
 %{_datadir}/selinux/%1/modules-base.lst \
 %{_datadir}/selinux/%1/modules-contrib.lst \
@@ -280,7 +257,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %{_sharedstatedir}/selinux/%1/active/seusers \
 %{_sharedstatedir}/selinux/%1/active/file_contexts \
 %{_sharedstatedir}/selinux/%1/active/policy.kern \
-%{_sharedstatedir}/selinux/%1/active/modules_checksum \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
@@ -320,9 +296,9 @@ fi;
 
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
-if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
-  rm %{_sysconfdir}/selinux/%2/.rebuild; \
-  /usr/sbin/semodule -B -n -s %2; \
+if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \
+  rm %{_sysconfdir}/selinux/%%2/.rebuild; \
+  /usr/sbin/semodule -B -n -s %%2; \
 fi; \
 if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
   touch /etc/selinux/.autorelabel \
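Review bot: The three `%%2` references added to `postInstall` will most likely reach the scriptlet as the literal text `%2`, because `%%` is rpm's escape for a percent sign and the macro's second argument is then no longer substituted. The test `[ -e %{_sysconfdir}/selinux/%2/.rebuild ]` would never match, so `semodule -B -n -s` is skipped for the policy type being installed and the loaded policy can lag behind the installed modules without any error. Keep the single-percent form, `if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \`, or add a comment explaining why a second expansion pass is expected. The macro body continues past the end of this hunk.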
@@ -370,18 +346,18 @@ creating other policies.
 
 %files
 %defattr(-,root,root,-)
-%license COPYING
+%doc COPYING
 %dir %{_datadir}/selinux
 %dir %{_datadir}/selinux/packages
 %dir %{_sysconfdir}/selinux
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
+#%ghost %{_sysconfdir}/sysconfig/selinux-policy
 %{_tmpfilesdir}/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
 
 %package sandbox
-Summary:        SELinux policy sandbox
-Group:          System/Management
-Requires(pre):  selinux-policy-targeted = %{version}-%{release}
+Summary: SELinux policy sandbox
+Requires(pre): selinux-policy-targeted = %{version}-%{release}
 
 %description sandbox
 SELinux sandbox policy used for the policycoreutils-sandbox package
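Review bot: `%doc COPYING` in `%files` ships the licence text as ordinary documentation, so it is dropped on installs that exclude documentation. `%license COPYING` keeps it installed in that case and should stay unless the target rpm is too old to know the directive. The added `#%ghost %{_sysconfdir}/sysconfig/selinux-policy` is dead text and would be better removed, or given a comment saying when it comes back.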
@@ -408,13 +384,66 @@ fi;
 exit 0
 
 %prep
-%autosetup -n fedora-policy-%{version} -p1
+%setup -n fedora-policy
+%patch001 -p1
+%patch002 -p1
+%patch003 -p1
+%patch004 -p1
+%patch005 -p1
+%patch006 -p1
+%patch007 -p1
+%patch008 -p1
+%patch009 -p1
+%patch010 -p1
+%patch011 -p1
+%patch012 -p1
+%patch013 -p1
+%patch014 -p1
+%patch015 -p1
+%patch016 -p1
+%patch017 -p1
+%patch018 -p1
+%patch019 -p1
+%patch020 -p1
+%patch021 -p1
+%patch022 -p1
+%patch024 -p1
+%patch025 -p1
+%patch026 -p1
+%patch027 -p1
+%patch028 -p1
+%patch029 -p1
+%patch030 -p1
+#% patch031 -p1
+%patch032 -p1
+%patch033 -p1
+%patch034 -p1
+%patch035 -p1
+%patch036 -p1
+%patch037 -p1
+%patch038 -p1
+%patch039 -p1
+%patch040 -p1
+%patch041 -p1
+%patch042 -p1
+%patch043 -p1
+%patch044 -p1
+%patch045 -p1
+%patch046 -p1
+%patch047 -p1
+%patch048 -p1
+%patch049 -p1
+
+%patch100 -p1
+find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;
 
 %build
 
 %install
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 touch %{buildroot}%{_sysconfdir}/selinux/config
+#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
+#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy
 mkdir -p %{buildroot}%{_tmpfilesdir}
 cp %{SOURCE60} %{buildroot}%{_tmpfilesdir}
 
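Review bot: The added `find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;` rewrites every file in the unpacked tree after the patches are applied, with no comment on why. It presumably changes which `distro_*` conditional blocks of the policy are compiled in, so a reviewer cannot tell from the spec which rules the built policy contains. Restrict it to the policy sources and put a comment above it stating the intent, for example `# SUSE-guarded rules must build under the distro value passed in common_params`. The hand-written list also has no `%patch023` and leaves `#% patch031 -p1` disabled without a reason. If matching `PatchNNN:` tags exist above this hunk, those fixes are silently not applied, which `%autosetup` would have prevented.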
@@ -428,14 +457,15 @@ sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfig
 mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
 
-mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
+mkdir -p %{buildroot}%{_datadir}/selinux/packages
+
 
 mkdir selinux_config
 for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
  cp $i selinux_config
 done
 
-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
  cp $i policy/modules/contrib
 done
 
@@ -482,13 +512,11 @@ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/seli
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
-%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
-mkdir %{buildroot}%{_datadir}/selinux/devel/html
-mv %{buildroot}%{_datadir}/man/man8/SUSE %{buildroot}%{_datadir}/selinux/devel/html
-mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
-mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
-rm %{buildroot}%{_mandir}/man8/container_selinux.8*
-rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if
+#XXX what's missing for html?
+#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
+#mkdir %{buildroot}%{_datadir}/selinux/devel/html
+#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
+#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
 
 %post
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
@@ -497,15 +525,14 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then
     if [ -f  %{_sysconfdir}/sysconfig/selinux-policy ]; then
 	mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
     else
+	# XXX right default for SELINUXTYPE?
 	echo "
 # This file controls the state of SELinux on the system.
-# SELinux can be completly disabled with the \"selinux=0\" kernel
-# commandline option.
-#
 # SELINUX= can take one of these three values:
 #     enforcing - SELinux security policy is enforced.
 #     permissive - SELinux prints warnings instead of enforcing.
-SELINUX=permissive
+#     disabled - No SELinux policy is loaded.
+SELINUX=disabled
 # SELINUXTYPE= can take one of these three values:
 #     targeted - Targeted processes are protected,
 #     minimum - Modification of targeted policy. Only selected processes are protected.
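Review bot: The config written on first install now defaults to `SELINUX=disabled`, so installing the policy package leaves the system with no policy loaded, no denial logging and no file labelling, and a later switch to enforcing needs a full relabel. `SELINUX=permissive` keeps labels and AVC records without blocking anything, which makes it the safer non-enforcing default; if disabled is intended, the generated file should say why. The added `# XXX right default for SELINUXTYPE?` sits above a change to `SELINUX=`, and the removed lines about `selinux=0` were the only pointer to the kernel option. The same permissive-to-disabled switch is made in the `postUninstall` macro hunk and the `%postun` hunk further down. The `echo` block starts and ends outside this hunk.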
@@ -532,7 +559,9 @@ if [ $1 -eq 0 ]; then \
   if [ "$SELINUXTYPE" = "$2" ]; then \
     %{_sbindir}/setenforce 0 2> /dev/null \
     if [ -s %{_sysconfdir}/selinux/config ]; then \
-      sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \
+      sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \
+    else \
+      echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config \
     fi \
   fi \
   pam-config -d --selinux \
@@ -542,12 +571,15 @@ exit 0
 %postun
 if [ $1 = 0 ]; then
      %{_sbindir}/setenforce 0 2> /dev/null
-     if [ -s %{_sysconfdir}/selinux/config ]; then
-          sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
+     if [ ! -s %{_sysconfdir}/selinux/config ]; then
+          echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+     else
+          sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
      fi
 fi
 exit 0
 
+
 %package devel
 Summary:        SELinux policy devel
 Group:          System/Management
@@ -562,10 +594,7 @@ SELinux policy development and man page package
 %files devel
 %defattr(-,root,root,-)
 %doc %{_datadir}/man/ru/man8/*
-%doc %{_datadir}/man/man8/*
 %dir %{_datadir}/selinux/devel
-%dir %{_datadir}/selinux/devel/html/
-%doc %{_datadir}/selinux/devel/html/*
 %dir %{_datadir}/selinux/devel/include
 %{_datadir}/selinux/devel/include/*
 %{_datadir}/selinux/devel/Makefile
@@ -625,6 +654,7 @@ Requires(pre):  /usr/bin/awk
 Requires(pre):  selinux-policy = %{version}-%{release}
 Requires:       selinux-policy = %{version}-%{release}
 
+
 %description minimum
 SELinux Reference policy minimum base module.
 
diff --git a/suse_specific.patch b/suse_specific.patch
new file mode 100644
index 0000000..00b9c83
--- /dev/null
+++ b/suse_specific.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/system/selinuxutil.if
+===================================================================
+--- fedora-policy.orig/policy/modules/system/selinuxutil.if
++++ fedora-policy/policy/modules/system/selinuxutil.if
+@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
+ 
+ 	dontaudit $1 selinux_config_t:dir search_dir_perms;
+ 	dontaudit $1 selinux_config_t:file read_file_perms;
++	# /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy
++	dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
diff --git a/systemd_domain_dyntrans_type.patch b/systemd_domain_dyntrans_type.patch
deleted file mode 100644
index 8376c95..0000000
--- a/systemd_domain_dyntrans_type.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/system/init.te
-===================================================================
---- fedora-policy-20220124.orig/policy/modules/system/init.te
-+++ fedora-policy-20220124/policy/modules/system/init.te
-@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac
- allow init_t self:packet_socket create_socket_perms;
- allow init_t self:key manage_key_perms;
- allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
-+domain_dyntrans_type(init_t)
-+allow init_t self:process { dyntransition setcurrent };
- 
- # is ~sys_module really needed? observed:
- # sys_boot
diff --git a/update.sh b/update.sh
index 92f709c..3db7a02 100644
--- a/update.sh
+++ b/update.sh
@@ -4,19 +4,21 @@ date=$(date '+%Y%m%d')
 
 echo Update to $date
 
-rm -rf fedora-policy container-selinux
+rm -rf fedora-policy container-selinux selinux-policy-contrib
 
 git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git
+git clone --depth 1 https://github.com/fedora-selinux/selinux-policy-contrib.git
 git clone --depth 1 https://github.com/containers/container-selinux.git
 
-mv selinux-policy fedora-policy-$date
-rm -rf fedora-policy-$date/.git*
-mv container-selinux/container.* fedora-policy-$date/policy/modules/services/
+mv selinux-policy fedora-policy
+rm -rf fedora-policy/.git*
+mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/
+mv container-selinux/* fedora-policy/policy/modules/contrib/
 
-rm -f fedora-policy?$date.tar*
-tar cf fedora-policy-$date.tar fedora-policy-$date
-bzip2 fedora-policy-$date.tar
-rm -rf fedora-policy-$date container-selinux
+rm -f fedora-policy.$date.tar*
+tar cf fedora-policy.$date.tar fedora-policy
+bzip2 fedora-policy.$date.tar
+rm -rf fedora-policy container-selinux selinux-policy-contrib
 
 sed -i -e "s/^Version:.*/Version:        $date/" selinux-policy.spec
 
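Review bot: The added `git clone --depth 1 https://github.com/fedora-selinux/selinux-policy-contrib.git` takes whatever the default branch holds at run time, like the two clones around it, and nothing records which commits end up in `fedora-policy.$date.tar.bz2`. The packaged policy source therefore cannot be audited or reproduced later. Record the revisions before the clones are deleted, e.g. `git -C selinux-policy-contrib rev-parse HEAD >> fedora-policy.$date.revisions` (the file name is only an example), and do the same for the other two repositories. The two `mv ... fedora-policy/policy/modules/contrib/` lines share a destination, so equally named top-level files from `container-selinux` would silently overwrite those from `selinux-policy-contrib`. No failure check is visible in the hunk (the top of the script is outside it); `set -e` or `|| exit 1` on the clones would keep a partial tree from being packaged.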
diff --git a/users-minimum b/users-minimum
index 8ccacae..e49103c 100644
--- a/users-minimum
+++ b/users-minimum
@@ -36,4 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
index 167ba7c..4de9d57 100644
--- a/users-mls
+++ b/users-mls
@@ -36,5 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/users-targeted b/users-targeted
index e943336..e49103c 100644
--- a/users-targeted
+++ b/users-targeted
@@ -36,6 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/wicked.fc b/wicked.fc
index 95a44f8..1f98ad1 100644
--- a/wicked.fc
+++ b/wicked.fc
@@ -19,7 +19,6 @@
 /usr/sbin/rcwicked.*		--	gen_context(system_u:object_r:wicked_initrc_exec_t,s0)
 
 /usr/lib/wicked/bin(/.*)?		gen_context(system_u:object_r:wicked_exec_t,s0)
-/usr/libexec/wicked/bin(/.*)?		gen_context(system_u:object_r:wicked_exec_t,s0)
 
 #/usr/lib64/libwicked-0.6.63.so
 
diff --git a/wicked.te b/wicked.te
index a5f49ed..3e9849b 100644
--- a/wicked.te
+++ b/wicked.te
@@ -326,6 +326,10 @@ optional_policy(`
     fcoe_dgram_send_fcoemon(wicked_t)
 ')
 
+optional_policy(`
+	hal_write_log(wicked_t)
+')
+
 optional_policy(`
 	howl_signal(wicked_t)
 ')
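Review bot: The new `hal_write_log(wicked_t)` block widens what `wicked_t` may write, and nothing in the hunk says which denial or use case it answers. Put a comment above the call, for example `# wicked writes to the HAL log when <case>; see <bug reference>`, so the rule can be dropped once it is no longer needed. If no denial was observed, leaving the block out keeps the domain tighter.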
@@ -494,10 +498,6 @@ optional_policy(`
 	virt_dbus_chat(wicked_t)
 ')
 
-optional_policy(`
-	networkmanager_dbus_chat(wicked_t)
-')
-
 #tunable_policy(`use_ecryptfs_home_dirs',`
 #fs_manage_ecryptfs_files(wicked_t)
 #')