diff --git a/fix_accountsd.patch b/fix_accountsd.patch new file mode 100644 index 0000000..6558c5c --- /dev/null +++ b/fix_accountsd.patch @@ -0,0 +1,12 @@ +Index: fedora-policy/policy/modules/contrib/accountsd.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/accountsd.fc ++++ fedora-policy/policy/modules/contrib/accountsd.fc +@@ -1,6 +1,7 @@ + /usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0) + + /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) ++/usr/lib/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) + + /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) + diff --git a/fix_automount.patch b/fix_automount.patch new file mode 100644 index 0000000..a702fc7 --- /dev/null +++ b/fix_automount.patch @@ -0,0 +1,15 @@ +Index: fedora-policy/policy/modules/contrib/automount.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/automount.te ++++ fedora-policy/policy/modules/contrib/automount.te +@@ -154,6 +154,10 @@ optional_policy(` + ') + + optional_policy(` ++ networkmanager_read_pid_files(automount_t) ++') ++ ++optional_policy(` + fstools_domtrans(automount_t) + ') + diff --git a/fix_colord.patch b/fix_colord.patch new file mode 100644 index 0000000..c11b27b --- /dev/null +++ b/fix_colord.patch 
@@ -0,0 +1,13 @@ +Index: fedora-policy/policy/modules/contrib/colord.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/colord.fc ++++ fedora-policy/policy/modules/contrib/colord.fc +@@ -6,6 +6,8 @@ + + /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) + /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) ++/usr/lib/colord -- gen_context(system_u:object_r:colord_exec_t,s0) ++/usr/lib/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) + + /usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) + diff --git a/fix_corecommand.patch b/fix_corecommand.patch index 6ee1497..5593a71 100644 --- a/fix_corecommand.patch +++ b/fix_corecommand.patch 
@@ -1,8 +1,20 @@ Index: fedora-policy/policy/modules/kernel/corecommands.fc =================================================================== ---- fedora-policy.orig/policy/modules/kernel/corecommands.fc 2020-02-24 08:46:26.205153437 +0000 -+++ fedora-policy/policy/modules/kernel/corecommands.fc 2020-02-24 13:44:00.711915017 +0000 -@@ -251,6 +251,21 @@ ifdef(`distro_gentoo',` +--- fedora-policy.orig/policy/modules/kernel/corecommands.fc ++++ fedora-policy/policy/modules/kernel/corecommands.fc +@@ -86,7 +86,10 @@ ifdef(`distro_redhat',` + + /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) + +-/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) ++ ++/etc/netconfig.d/.* -- gen_context(system_u:object_r:bin_t,s0) ++ ++/etc/mcelog/.*-error.*-trigger -- gen_context(system_u:object_r:bin_t,s0) + /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) + /etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0) + +@@ -251,6 +254,21 @@ ifdef(`distro_gentoo',` /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0) 
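Review bot: The new `/etc/netconfig.d/.* -- gen_context(system_u:object_r:bin_t,s0)` entry lands inside the `distro_redhat` ifdef block named in the hunk header, so on this package it is only active because the spec rewrites `distro_suse` to `distro_redhat` at build time, which a reader of corecommands.fc cannot see. Because it marks files under /etc as bin_t, executable by every domain that has corecmd_exec_bin, a one-line justification belongs next to it, e.g. `# SUSE netconfig hook scripts: must be bin_t so the network configuration domain can execute them`. The added blank before the entry follows an existing blank after `/etc/mail/make`, leaving two consecutive empty lines; drop one.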
@@ -24,7 +36,16 @@ Index: fedora-policy/policy/modules/kernel/corecommands.fc /usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -391,6 +406,7 @@ ifdef(`distro_debian',` +@@ -313,6 +331,8 @@ ifdef(`distro_gentoo',` + + /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) ++# also covers /usr/lib64/libexec due to equivalency rule '/usr/lib64 /usr/lib' ++/usr/lib/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -391,6 +411,7 @@ ifdef(`distro_debian',` /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) ') diff --git a/fix_cron.patch b/fix_cron.patch new file mode 100644 index 0000000..523bc59 --- /dev/null +++ b/fix_cron.patch 
@@ -0,0 +1,36 @@ +Index: fedora-policy/policy/modules/contrib/cron.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/cron.fc ++++ fedora-policy/policy/modules/contrib/cron.fc +@@ -34,7 +34,7 @@ + + /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) + #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +-/var/spool/cron/USER -- gen_context(system_u:object_r:user_cron_spool_t,s0) ++/var/spool/cron/tabs/USER -- gen_context(system_u:object_r:user_cron_spool_t,s0) + + /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) + /var/spool/cron/crontabs/.* -- <> +@@ -69,9 +69,3 @@ ifdef(`distro_gentoo',` + /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) + /var/spool/cron/lastrun/[^/]* -- <> + ') +- +-ifdef(`distro_suse', ` +-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +-/var/spool/cron/lastrun/[^/]* -- <> +-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) +-') +Index: fedora-policy/policy/modules/contrib/cron.if +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/cron.if ++++ fedora-policy/policy/modules/contrib/cron.if +@@ -1031,7 +1031,7 @@ interface(`cron_generic_log_filetrans_lo + # + interface(`cron_system_spool_entrypoint',` + gen_require(` +- attribute system_cron_spool_t; ++ type system_cron_spool_t; + ') + allow $1 system_cron_spool_t:file entrypoint; + ') diff --git a/fix_geoclue.patch b/fix_geoclue.patch new file mode 100644 index 0000000..0d05684 --- /dev/null +++ b/fix_geoclue.patch 
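Review bot: Deleting the `distro_suse` block removes the only explicit `-d` spec for `/var/spool/cron/tabs`, while the new `/var/spool/cron/tabs/USER` entry presumes that directory is a crontab spool; nothing left in this hunk labels the directory itself, so it presumably falls back to some rule outside this view — confirm with `matchpathcon /var/spool/cron/tabs`. If nothing covers it, keep `/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)` outside any distro ifdef, since the spec's suse-to-redhat rewrite would otherwise duplicate it. The `attribute` to `type` correction for `system_cron_spool_t` in cron.if looks right; a gen_require that declares a type as an attribute would presumably not resolve at module link time.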
@@ -0,0 +1,10 @@ +Index: fedora-policy/policy/modules/contrib/geoclue.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/geoclue.fc ++++ fedora-policy/policy/modules/contrib/geoclue.fc +@@ -1,4 +1,4 @@ +- ++/usr/lib/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0) + /usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0) + + /var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0) diff --git a/fix_init.patch b/fix_init.patch index 841dff0..b115e91 100644 --- a/fix_init.patch +++ b/fix_init.patch @@ -10,7 +10,15 @@ Index: fedora-policy/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -419,10 +420,15 @@ ifdef(`distro_redhat',` +@@ -370,6 +371,7 @@ logging_manage_audit_config(init_t) + logging_create_syslog_netlink_audit_socket(init_t) + logging_write_var_log_dirs(init_t) + logging_manage_var_log_symlinks(init_t) ++logging_dgram_accept(init_t) + + seutil_read_config(init_t) + seutil_read_login_config(init_t) +@@ -419,10 +421,15 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) @@ -26,7 +34,7 @@ Index: fedora-policy/policy/modules/system/init.te bootloader_domtrans(init_t) ') -@@ -536,7 +542,7 @@ tunable_policy(`init_create_dirs',` +@@ -536,7 +543,7 @@ tunable_policy(`init_create_dirs',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; 
@@ -35,7 +43,7 @@ Index: fedora-policy/policy/modules/system/init.te allow init_t self:process { getcap setcap }; allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom }; allow init_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -598,6 +604,7 @@ files_delete_all_spool_sockets(init_t) +@@ -598,6 +605,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -43,7 +51,7 @@ Index: fedora-policy/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -689,6 +696,7 @@ systemd_userdbd_runtime_manage_symlinks( +@@ -689,6 +697,7 @@ systemd_userdbd_runtime_manage_symlinks( create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -51,7 +59,7 @@ Index: fedora-policy/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1525,6 +1533,8 @@ optional_policy(` +@@ -1525,6 +1534,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) @@ -60,3 +68,15 @@ Index: fedora-policy/policy/modules/system/init.te ') optional_policy(` +Index: fedora-policy/policy/modules/system/init.if +=================================================================== +--- fedora-policy.orig/policy/modules/system/init.if ++++ fedora-policy/policy/modules/system/init.if +@@ -3205,6 +3205,7 @@ interface(`init_filetrans_named_content' + files_etc_filetrans($1, machineid_t, file, "machine-id" ) + files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) + init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") ++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late") + init_pid_filetrans($1, systemd_unit_file_t, dir, "system") + ') + diff --git a/fix_irqbalance.patch b/fix_irqbalance.patch index 97b2679..34017eb 100644 --- a/fix_irqbalance.patch +++ b/fix_irqbalance.patch 
@@ -1,13 +1,18 @@ Index: fedora-policy/policy/modules/contrib/irqbalance.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/irqbalance.te 2020-02-19 09:36:31.792283559 +0000 -+++ fedora-policy/policy/modules/contrib/irqbalance.te 2020-02-21 12:18:36.155848163 +0000 -@@ -28,6 +28,8 @@ allow irqbalance_t self:udp_socket creat - manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) - files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) +--- fedora-policy.orig/policy/modules/contrib/irqbalance.te ++++ fedora-policy/policy/modules/contrib/irqbalance.te +@@ -25,8 +25,12 @@ dontaudit irqbalance_t self:capability s + allow irqbalance_t self:process { getcap getsched setcap signal_perms }; + allow irqbalance_t self:udp_socket create_socket_perms; -+init_nnp_daemon_domain(irqbalance_t) ++manage_dirs_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) + manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) +-files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) ++manage_sock_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) ++files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, { dir file sock_file }) + ++init_nnp_daemon_domain(irqbalance_t) + kernel_read_network_state(irqbalance_t) kernel_read_system_state(irqbalance_t) - kernel_read_kernel_sysctls(irqbalance_t) diff --git a/fix_logging.patch b/fix_logging.patch index d8a64a2..95c45a7 100644 --- a/fix_logging.patch +++ b/fix_logging.patch 
@@ -1,7 +1,7 @@ Index: fedora-policy/policy/modules/system/logging.fc =================================================================== ---- fedora-policy.orig/policy/modules/system/logging.fc 2020-02-24 08:53:21.924002716 +0000 -+++ fedora-policy/policy/modules/system/logging.fc 2020-02-24 13:33:16.353371311 +0000 +--- fedora-policy.orig/policy/modules/system/logging.fc ++++ fedora-policy/policy/modules/system/logging.fc @@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) @@ -19,3 +19,30 @@ Index: fedora-policy/policy/modules/system/logging.fc /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) +Index: fedora-policy/policy/modules/system/logging.if +=================================================================== +--- fedora-policy.orig/policy/modules/system/logging.if ++++ fedora-policy/policy/modules/system/logging.if +@@ -1686,3 +1686,22 @@ interface(`logging_dgram_send',` + + allow $1 syslogd_t:unix_dgram_socket sendto; + ') ++ ++######################################## ++## ++## Accept a message to syslogd over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_dgram_accept',` ++ gen_require(` ++ type syslogd_t; ++ ') ++ ++ allow $1 syslogd_t:unix_dgram_socket accept; ++') diff --git a/fix_mcelog.patch b/fix_mcelog.patch new file mode 100644 index 0000000..66c37cf --- /dev/null +++ b/fix_mcelog.patch 
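Review bot: The new `logging_dgram_accept` interface grants `accept` on `syslogd_t:unix_dgram_socket`, but accept(2) cannot succeed on a SOCK_DGRAM socket, so the AVC that motivated it (init_t is the only caller visible, in fix_init.patch) is almost certainly a spurious probe rather than a permission the caller needs to make progress. The conservative form is a dontaudit rule, `dontaudit $1 syslogd_t:unix_dgram_socket accept;` in an interface named `logging_dontaudit_dgram_accept`, unless the denial is shown to break something. The description `Accept a message to syslogd over a unix domain datagram socket` is also misleading because the permission has nothing to do with receiving messages; `Allow accept() on syslogd's unix datagram socket (cannot complete on a datagram socket)` states what is actually granted.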
@@ -0,0 +1,13 @@ +Index: fedora-policy/policy/modules/contrib/mcelog.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/mcelog.te ++++ fedora-policy/policy/modules/contrib/mcelog.te +@@ -58,7 +58,7 @@ files_pid_file(mcelog_var_run_t) + # Local policy + # + +-allow mcelog_t self:capability sys_admin; ++allow mcelog_t self:capability { sys_admin setgid }; + allow mcelog_t self:unix_stream_socket connected_socket_perms; + + allow mcelog_t mcelog_etc_t:dir list_dir_perms; diff --git a/fix_nagios.patch b/fix_nagios.patch new file mode 100644 index 0000000..b5cf110 --- /dev/null +++ b/fix_nagios.patch @@ -0,0 +1,24 @@ +Index: fedora-policy/policy/modules/contrib/nagios.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/nagios.fc ++++ fedora-policy/policy/modules/contrib/nagios.fc +@@ -24,6 +24,7 @@ + /var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + + /var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++/var/lib/nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) + + /var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) + +Index: fedora-policy/policy/modules/contrib/nagios.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/nagios.te ++++ fedora-policy/policy/modules/contrib/nagios.te +@@ -155,6 +155,7 @@ allow nagios_t nagios_spool_t:file map; + manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) + manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) + manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) ++manage_sock_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) + files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file }) + + kernel_read_system_state(nagios_t) 
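Review bot: `allow mcelog_t self:capability { sys_admin setgid };` adds a capability to mcelog_t without any comment saying which mcelog code path needs setgid; capability grants are the rules a later maintainer is least able to re-derive from the code, so the reason should sit next to the rule, e.g. `# setgid: seen when mcelog runs its trigger scripts -- TODO confirm against the AVC`. If the denial in fact came from a trigger script rather than mcelog itself, running the triggers in their own domain would be the narrower fix than widening mcelog_t.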
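Review bot: `manage_sock_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)` is added but the `files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })` line right below it is unchanged, so a socket created directly in /var/lib would not be typed nagios_var_lib_t; a socket created inside the newly labeled /var/lib/nagios directory inherits the type and is fine. If the socket lives directly under /var/lib, extend the class set to `{ dir file fifo_file sock_file }`; otherwise a comment naming the socket path would make the rule reviewable.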
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index e78c78c..54cf282 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch @@ -12,13 +12,17 @@ Index: fedora-policy/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -250,6 +253,10 @@ optional_policy(` +@@ -250,6 +253,14 @@ optional_policy(` ') optional_policy(` + packagekit_dbus_chat(NetworkManager_t) +') + ++optional_policy(` ++ networkmanager_dbus_chat(NetworkManager_t) ++') ++ +optional_policy(` bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) diff --git a/fix_openvpn.patch b/fix_openvpn.patch new file mode 100644 index 0000000..3acf3e5 --- /dev/null +++ b/fix_openvpn.patch @@ -0,0 +1,41 @@ +Index: fedora-policy/policy/modules/contrib/openvpn.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/openvpn.te ++++ fedora-policy/policy/modules/contrib/openvpn.te +@@ -28,6 +28,14 @@ gen_tunable(openvpn_enable_homedirs, fal + ## + gen_tunable(openvpn_can_network_connect, true) + ++## ++##
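Review bot: `networkmanager_dbus_chat(NetworkManager_t)` is called from inside networkmanager.te itself and wrapped in `optional_policy`, yet the interface only requires types this same module declares, so the optional block can never be disabled and merely hides a self rule behind an interface call. Write it directly as `allow NetworkManager_t self:dbus send_msg;` in the domain's local policy, or drop it if the base domain already carries that self dbus rule (not visible in this hunk).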

++## Determine whether openvpn can ++## change sysctl values (e.g. rp_filter) ++##

++##
++gen_tunable(openvpn_allow_changing_sysctls, false) ++ + attribute_role openvpn_roles; + + type openvpn_t; +@@ -176,6 +184,10 @@ userdom_attach_admin_tun_iface(openvpn_t + userdom_read_inherited_user_tmp_files(openvpn_t) + userdom_read_inherited_user_home_content_files(openvpn_t) + ++tunable_policy(`openvpn_allow_changing_sysctls',` ++ kernel_rw_net_sysctls(openvpn_t) ++') ++ + tunable_policy(`openvpn_enable_homedirs',` + userdom_search_user_home_dirs(openvpn_t) + ') +@@ -195,6 +207,10 @@ tunable_policy(`openvpn_can_network_conn + ') + + optional_policy(` ++ firewalld_dbus_chat(openvpn_t) ++') ++ ++optional_policy(` + brctl_domtrans(openvpn_t) + ') + diff --git a/fix_postfix.patch b/fix_postfix.patch index abd7860..ef8f91c 100644 --- a/fix_postfix.patch +++ b/fix_postfix.patch @@ -1,11 +1,12 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/postfix.fc 2020-02-25 10:34:35.875376865 +0000 -+++ fedora-policy/policy/modules/contrib/postfix.fc 2020-02-25 10:34:37.719407494 +0000 -@@ -2,36 +2,19 @@ - /etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) - /etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) - /etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0) +--- fedora-policy.orig/policy/modules/contrib/postfix.fc ++++ fedora-policy/policy/modules/contrib/postfix.fc +@@ -1,37 +1,20 @@ + # postfix +-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) +-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) +-/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0) -ifdef(`distro_redhat', ` -/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) 
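Review bot: The tunable text says openvpn may `change sysctl values (e.g. rp_filter)`, but `kernel_rw_net_sysctls(openvpn_t)` grants read and write to every sysctl under /proc/sys/net, so the boolean is considerably wider than the description implies. Reword it to `Determine whether openvpn can read and write all network sysctls under /proc/sys/net (e.g. rp_filter).` so an administrator enabling `openvpn_allow_changing_sysctls` knows what is being granted. The `firewalld_dbus_chat(openvpn_t)` block is unconditional; if it exists only to serve the same routing/zone scenario it could sit under the same tunable, otherwise a comment on what triggers it would help.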
@@ -22,7 +23,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc -/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -', ` - /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +-/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) @@ -36,7 +37,11 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc -/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -') -+/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) ++/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) ++/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) ++/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0) ++/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) ++/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) +/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) +/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +/usr/lib/postfix/bin/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) 
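Review bot: Collapsing the `distro_redhat` conditional also drops the catch-all `/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)`, and the replacement `/usr/lib/postfix/bin/.*` covers only bin/, so any executable the package installs directly in /usr/lib/postfix/ (helper scripts, if SUSE ships them there) would keep the generic library label and lose its postfix_exec_t transition. Check the package file list for entries matching `/usr/lib/postfix/[^/]+` and, if any are executables, keep a `/usr/lib/postfix/[^/]+ -- gen_context(system_u:object_r:postfix_exec_t,s0)` entry alongside the bin/ rules; the more specific bin/ entries still win where both match.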
@@ -63,13 +68,14 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) Index: fedora-policy/policy/modules/contrib/postfix.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/postfix.te 2020-02-19 09:36:31.820284005 +0000 -+++ fedora-policy/policy/modules/contrib/postfix.te 2020-02-25 10:35:55.544700764 +0000 -@@ -447,6 +447,12 @@ logging_send_syslog_msg(postfix_map_t) +--- fedora-policy.orig/policy/modules/contrib/postfix.te ++++ fedora-policy/policy/modules/contrib/postfix.te +@@ -447,6 +447,13 @@ logging_send_syslog_msg(postfix_map_t) userdom_use_inherited_user_ptys(postfix_map_t) +corecmd_exec_bin(postfix_map_t) ++init_ioctl_stream_sockets(postfix_map_t) + +optional_policy(` + mta_read_aliases(postfix_map_t) diff --git a/fix_smartmon.patch b/fix_smartmon.patch new file mode 100644 index 0000000..3d965d9 --- /dev/null +++ b/fix_smartmon.patch @@ -0,0 +1,9 @@ +Index: fedora-policy/policy/modules/contrib/smartmon.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/smartmon.fc ++++ fedora-policy/policy/modules/contrib/smartmon.fc +@@ -5,3 +5,4 @@ + /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) + + /var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0) ++/var/lib/smartmontools/smartd_opts -- gen_context(system_u:object_r:etc_t,s0) diff --git a/fix_sslh.patch b/fix_sslh.patch new file mode 100644 index 0000000..5a6e49a --- /dev/null +++ b/fix_sslh.patch 
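Review bot: `init_ioctl_stream_sockets(postfix_map_t)` grants ioctl on every init_t unix stream socket; for a process started by systemd the usual source of this AVC is a TCGETS/isatty probe on the inherited journald stdout, which is harmless when denied. Unless postmap observably misbehaves without it, the narrower response is a dontaudit for that access rather than an allow; if the allow is genuinely required, record the ioctl from the AVC beside the rule, e.g. `# postmap ioctl()s its inherited stdout stream socket (journald) -- TODO cite AVC`. The `corecmd_exec_bin(postfix_map_t)` line above it is pre-existing context here, not part of this change.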
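Review bot: `/var/lib/smartmontools/smartd_opts -- gen_context(system_u:object_r:etc_t,s0)` labels a file beneath a directory typed fsdaemon_var_lib_t, and a file-context spec only applies at relabel time; if this file is regenerated at service start, as its location under /var/lib suggests, each new copy is created with the directory's type and the etc_t label never sticks. Either add a named file transition from the generating domain into etc_t for `"smartd_opts"`, or leave the file fsdaemon_var_lib_t and let fsdaemon_t read it through the existing var_lib rules; if the file is in fact static, a comment saying so would make the unusual label reviewable.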
@@ -0,0 +1,33 @@ +Index: fedora-policy/policy/modules/contrib/sslh.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/sslh.te ++++ fedora-policy/policy/modules/contrib/sslh.te +@@ -28,6 +28,7 @@ gen_tunable(sslh_can_bind_any_port, fals + type sslh_t; + type sslh_exec_t; + init_daemon_domain(sslh_t, sslh_exec_t) ++init_nnp_daemon_domain(sslh_t) + + type sslh_config_t; + files_config_file(sslh_config_t) +@@ -90,6 +91,7 @@ tunable_policy(`sslh_can_connect_any_por + # allow sslh to connect to any port + corenet_tcp_sendrecv_all_ports(sslh_t) + corenet_tcp_connect_all_ports(sslh_t) ++ corenet_tcp_connect_all_ports(sslh_t) + ') + + tunable_policy(`sslh_can_bind_any_port',` +Index: fedora-policy/policy/modules/contrib/sslh.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/sslh.fc ++++ fedora-policy/policy/modules/contrib/sslh.fc +@@ -4,6 +4,8 @@ + /etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0) + /etc/sslh(/.*)? gen_context(system_u:object_r:sslh_config_t,s0) + /etc/sslh\.cfg -- gen_context(system_u:object_r:sslh_config_t,s0) ++/etc/conf\.d/sslh -- gen_context(system_u:object_r:sslh_config_t,s0) ++/etc/default/sslh -- gen_context(system_u:object_r:sslh_config_t,s0) + /etc/sysconfig/sslh -- gen_context(system_u:object_r:sslh_config_t,s0) + /usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0) + /var/run/sslh.* gen_context(system_u:object_r:sslh_var_run_t,s0) diff --git a/fix_systemd.patch b/fix_systemd.patch index b7dc35f..c05508e 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
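Review bot: The added `corenet_tcp_connect_all_ports(sslh_t)` inside the `sslh_can_connect_any_port` tunable duplicates the identical line immediately above it, so that part of the hunk is a no-op; either a different interface was intended or the line should be dropped. `init_nnp_daemon_domain(sslh_t)` directly after `init_daemon_domain` is fine and matches what fix_irqbalance.patch does in the same series. The new `/etc/conf\.d/sslh` and `/etc/default/sslh` entries are consistent with the existing sysconfig rule.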
@@ -1,7 +1,7 @@ Index: fedora-policy/policy/modules/system/systemd.te =================================================================== ---- fedora-policy.orig/policy/modules/system/systemd.te 2020-02-19 09:36:25.444182470 +0000 -+++ fedora-policy/policy/modules/system/systemd.te 2020-02-24 10:56:11.762848157 +0000 +--- fedora-policy.orig/policy/modules/system/systemd.te ++++ fedora-policy/policy/modules/system/systemd.te @@ -328,6 +328,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) @@ -12,4 +12,3 @@ Index: fedora-policy/policy/modules/system/systemd.te +optional_policy(` apache_read_tmp_files(systemd_logind_t) ') - diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 511dfcd..60ea74b 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
@@ -1,8 +1,31 @@ Index: fedora-policy/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy.orig/policy/modules/roles/unconfineduser.te 2020-02-19 09:36:25.436182342 +0000 -+++ fedora-policy/policy/modules/roles/unconfineduser.te 2020-02-25 08:24:07.992702226 +0000 -@@ -244,6 +244,10 @@ optional_policy(` +--- fedora-policy.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy/policy/modules/roles/unconfineduser.te +@@ -120,6 +120,11 @@ tunable_policy(`unconfined_dyntrans_all' + domain_dyntrans(unconfined_t) + ') + ++# FIXME this is probably caused by some wierd PAM interaction ++corecmd_entrypoint_all_executables(unconfined_t) ++# FIXME sddm JITs some code, requiring execmod on user_tmp_t. Check how to disable this behaviour in sddm/qtdeclarative ++files_execmod_tmp(unconfined_t) ++ + optional_policy(` + gen_require(` + type unconfined_t; +@@ -210,6 +215,10 @@ optional_policy(` + ') + + optional_policy(` ++ cron_system_spool_entrypoint(unconfined_t) ++') ++ ++optional_policy(` + chrome_role_notrans(unconfined_r, unconfined_t) + + tunable_policy(`unconfined_chrome_sandbox_transition',` +@@ -244,6 +253,10 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` diff --git a/fix_usermanage.patch b/fix_usermanage.patch new file mode 100644 index 0000000..b82e968 --- /dev/null +++ b/fix_usermanage.patch 
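Review bot: `corecmd_entrypoint_all_executables(unconfined_t)` lets every exec_type file act as an entrypoint into unconfined_t, far broader than the `xdm_entrypoint(unconfined_t)` rule (xdm_exec_t only) that the deleted xdm_entrypoint_pam.patch used for the same login problem, and the accompanying `FIXME this is probably caused by some wierd PAM interaction` admits the cause is not understood; until it is, restore the narrow xdm_exec_t entrypoint or at least record the AVC in the comment. `files_execmod_tmp(unconfined_t)` hard-codes a W^X exception for the default user domain that the changelog line `Default systems should now work without selinuxuser_execmod` shows was previously behind a boolean, so administrators lose the ability to turn it off; keep it gated, `tunable_policy(\`selinuxuser_execmod',\` files_execmod_tmp(unconfined_t) ')`, or scope it to the display-manager domain once the sddm JIT path is confirmed. `cron_system_spool_entrypoint(unconfined_t)` is plausible but also deserves a comment naming which spool file is executed.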
@@ -0,0 +1,29 @@ +Index: fedora-policy/policy/modules/admin/usermanage.te +=================================================================== +--- fedora-policy.orig/policy/modules/admin/usermanage.te ++++ fedora-policy/policy/modules/admin/usermanage.te +@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket + allow groupadd_t self:unix_stream_socket create_stream_socket_perms; + allow groupadd_t self:unix_dgram_socket sendto; + allow groupadd_t self:unix_stream_socket connectto; ++allow groupadd_t self:netlink_selinux_socket create_socket_perms; + + fs_getattr_xattr_fs(groupadd_t) + fs_search_auto_mountpoints(groupadd_t) +@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c + allow useradd_t self:unix_stream_socket create_stream_socket_perms; + allow useradd_t self:unix_dgram_socket sendto; + allow useradd_t self:unix_stream_socket connectto; ++allow useradd_t self:netlink_selinux_socket create_socket_perms; + + manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) + manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) +@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v + # for getting the number of groups + kernel_read_kernel_sysctls(useradd_t) + ++selinux_compute_access_vector(useradd_t) ++ + corecmd_exec_shell(useradd_t) + # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. + corecmd_exec_bin(useradd_t) diff --git a/selinux-policy.changes b/selinux-policy.changes index 6342c60..adb9157 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Mon Mar 9 09:01:22 UTC 2020 - Johannes Segitz + +- New patches: + * fix_accountsd.patch + * fix_automount.patch + * fix_colord.patch + * fix_mcelog.patch + * fix_sslh.patch + * fix_nagios.patch + * fix_openvpn.patch + * fix_cron.patch + * fix_usermanage.patch + * fix_smartmon.patch + * fix_geoclue.patch + * suse_specific.patch + Default systems should now work without selinuxuser_execmod +- Removed xdm_entrypoint_pam.patch, necessary change is in + fix_unconfineduser.patch +- Enable SUSE specific settings again + ------------------------------------------------------------------- Wed Feb 19 09:21:24 UTC 2020 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 98d15bf..49b2418 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -38,10 +38,6 @@ %define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else print "0" end } -# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions -# It depends on the kernel, but apparently more so on the libsemanage version. -%define POLICYVER 30 - # macros calling module_store have to be defined using global, not define, and # "lazy" evaluation %global module_store() %{_localstatedir}/lib/selinux/%%{1} 
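Review bot: Removing `%define POLICYVER 30` is only safe if nothing later in the spec (outside this hunk) still expands `%{POLICYVER}`; rpm leaves an undefined macro as literal text, so a stale reference would surface as a bogus path at install time rather than as a build failure — grep the spec before merging. If the version is now taken from libsemanage as the removed comment described, keep a one-line comment at the same spot saying so, e.g. `# policy version is determined by libsemanage at build time`.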
@@ -140,11 +136,22 @@ Patch027: fix_unconfined.patch Patch028: fix_unconfineduser.patch Patch029: fix_chronyd.patch Patch030: fix_networkmanager.patch -Patch031: xdm_entrypoint_pam.patch +Patch032: fix_accountsd.patch +Patch033: fix_automount.patch +Patch034: fix_colord.patch +Patch035: fix_mcelog.patch +Patch036: fix_sslh.patch +Patch037: fix_nagios.patch +Patch038: fix_openvpn.patch +Patch039: fix_cron.patch +Patch040: fix_usermanage.patch +Patch041: fix_smartmon.patch +Patch042: fix_geoclue.patch +Patch043: suse_specific.patch Patch100: sedoctool.patch -Url: http://oss.tresys.com/repos/refpolicy/ +Url: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: %fillup_prereq @@ -378,9 +385,22 @@ systems and used as the basis for creating other policies. %patch028 -p1 %patch029 -p1 %patch030 -p1 -%patch031 -p1 +#% patch031 -p1 +%patch032 -p1 +%patch033 -p1 +%patch034 -p1 +%patch035 -p1 +%patch036 -p1 +%patch037 -p1 +%patch038 -p1 +%patch039 -p1 +%patch040 -p1 +%patch041 -p1 +%patch042 -p1 +%patch043 -p1 %patch100 -p1 +find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; %build diff --git a/suse_specific.patch b/suse_specific.patch new file mode 100644 index 0000000..00b9c83 --- /dev/null +++ b/suse_specific.patch @@ -0,0 +1,13 @@ +Index: fedora-policy/policy/modules/system/selinuxutil.if +=================================================================== +--- fedora-policy.orig/policy/modules/system/selinuxutil.if ++++ fedora-policy/policy/modules/system/selinuxutil.if +@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config' + + dontaudit $1 selinux_config_t:dir search_dir_perms; + dontaudit $1 selinux_config_t:file read_file_perms; ++ # /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy ++ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms; + ') + + ######################################## 
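Review bot: The new `find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;` rewrites every file in the unpacked tree, patches and scripts included, so that every `distro_suse` conditional is merged into the Red Hat one; that is presumably why fix_cron.patch in this same commit has to delete the SUSE block to avoid duplicate file-context specs. Narrow it to the policy sources and say why it exists: `# build SUSE as distro_redhat: the Fedora policy has no distro_suse branches for most modules` followed by `find policy -type f \( -name '*.te' -o -name '*.fc' -o -name '*.if' \) -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;`; setting `DISTRO` in build.conf would be cleaner if the build honours arbitrary values. The commented-out `#% patch031 -p1` is dead now that Patch031 is gone from the preamble; delete it rather than leave a half-disabled macro line.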
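Review bot: The added `dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;` only quiets domains that are not meant to read the config, but if `/etc/selinux/config` is a symlink as the comment says, domains that are allowed to read it through `seutil_read_config` also need lnk_file read on selinux_config_t, and that interface is not touched in this patch; check whether it already uses `read_lnk_files_pattern` and add it if not. The comment should also name which package creates the link so the rule can be retired if the layout changes.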
diff --git a/xdm_entrypoint_pam.patch b/xdm_entrypoint_pam.patch deleted file mode 100644 index b56d11c..0000000 --- a/xdm_entrypoint_pam.patch +++ /dev/null @@ -1,43 +0,0 @@ -Index: fedora-policy/policy/modules/roles/unconfineduser.te -=================================================================== ---- fedora-policy.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy/policy/modules/roles/unconfineduser.te -@@ -126,6 +126,10 @@ optional_policy(` - ') - - optional_policy(` -+ xdm_entrypoint(unconfined_t) -+ ') -+ -+ optional_policy(` - abrt_dbus_chat(unconfined_t) - abrt_run_helper(unconfined_t, unconfined_r) - ') -Index: fedora-policy/policy/modules/services/xserver.if -=================================================================== ---- fedora-policy.orig/policy/modules/services/xserver.if -+++ fedora-policy/policy/modules/services/xserver.if -@@ -507,6 +507,23 @@ interface(`xserver_domtrans_xdm',` - domtrans_pattern($1, xdm_exec_t, xdm_t) - ') - -+######################################## -+## -+## Allow any xdm_exec_t to be an entrypoint of this domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`xdm_entrypoint',` -+ gen_require(` -+ type xdm_exec_t; -+ ') -+ allow $1 xdm_exec_t:file entrypoint; -+') - - ######################################## - ##