diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e1fe78fe..c10ad38b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -22530,7 +22530,7 @@ index 6bf0ecc..d740738 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..31450f4 100644
+index 2696452..63fd06a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -22876,7 +22876,7 @@ index 2696452..31450f4 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +408,107 @@ optional_policy(`
+@@ -299,64 +408,108 @@ optional_policy(`
# XDM Local policy
#
@@ -22899,6 +22899,7 @@ index 2696452..31450f4 100644
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
+allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow xdm_t self:netlink_selinux_socket create_socket_perms;
allow xdm_t self:socket create_socket_perms;
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
@@ -22994,7 +22995,7 @@ index 2696452..31450f4 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +517,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +518,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -23024,7 +23025,7 @@ index 2696452..31450f4 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +547,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +548,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -23077,7 +23078,7 @@ index 2696452..31450f4 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +599,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +600,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23106,7 +23107,7 @@ index 2696452..31450f4 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +629,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +630,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23155,7 +23156,7 @@ index 2696452..31450f4 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +676,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +677,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23306,7 +23307,7 @@ index 2696452..31450f4 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +827,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +828,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -23333,11 +23334,12 @@ index 2696452..31450f4 100644
')
optional_policy(`
-@@ -514,12 +854,55 @@ optional_policy(`
+@@ -514,12 +855,56 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(xdm_t)
++ dbus_connect_system_bus(xdm_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
@@ -23389,7 +23391,7 @@ index 2696452..31450f4 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +920,78 @@ optional_policy(`
+@@ -537,28 +922,78 @@ optional_policy(`
')
optional_policy(`
@@ -23477,7 +23479,7 @@ index 2696452..31450f4 100644
')
optional_policy(`
-@@ -570,6 +1003,14 @@ optional_policy(`
+@@ -570,6 +1005,14 @@ optional_policy(`
')
optional_policy(`
@@ -23492,7 +23494,7 @@ index 2696452..31450f4 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +1035,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1037,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23505,7 +23507,7 @@ index 2696452..31450f4 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1052,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1054,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23521,7 +23523,7 @@ index 2696452..31450f4 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1068,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1070,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -23532,7 +23534,7 @@ index 2696452..31450f4 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1083,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1085,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23554,7 +23556,7 @@ index 2696452..31450f4 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1103,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1105,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -23568,7 +23570,7 @@ index 2696452..31450f4 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1129,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1131,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23600,7 +23602,7 @@ index 2696452..31450f4 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1161,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1163,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23618,7 +23620,7 @@ index 2696452..31450f4 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1184,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1186,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -23642,7 +23644,7 @@ index 2696452..31450f4 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1203,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1205,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -23651,7 +23653,7 @@ index 2696452..31450f4 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1247,44 @@ optional_policy(`
+@@ -775,16 +1249,44 @@ optional_policy(`
')
optional_policy(`
@@ -23697,7 +23699,7 @@ index 2696452..31450f4 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1293,10 @@ optional_policy(`
+@@ -793,6 +1295,10 @@ optional_policy(`
')
optional_policy(`
@@ -23708,7 +23710,7 @@ index 2696452..31450f4 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1312,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1314,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -23722,7 +23724,7 @@ index 2696452..31450f4 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1323,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1325,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -23731,7 +23733,7 @@ index 2696452..31450f4 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1336,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1338,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23766,7 +23768,7 @@ index 2696452..31450f4 100644
')
optional_policy(`
-@@ -902,7 +1401,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1403,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23775,7 +23777,7 @@ index 2696452..31450f4 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1455,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1457,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -23807,7 +23809,7 @@ index 2696452..31450f4 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1501,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1503,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -31566,7 +31568,7 @@ index 9fe8e01..83acb32 100644
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..18451e8 100644
+index fc28bc3..416ac0f 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -31606,7 +31608,7 @@ index fc28bc3..18451e8 100644
+##
+##
+#
-+interface(`corecmd_dontaudit_access_check_cert',`
++interface(`miscfiles_dontaudit_access_check_cert',`
+ gen_require(`
+ type cert_t;
+ ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 7791c887..13a4016e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4534,7 +4534,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..a68bd53 100644
+index 1a82e29..2becd8b 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5222,7 +5222,7 @@ index 1a82e29..a68bd53 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5339,9 +5339,10 @@ index 1a82e29..a68bd53 100644
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
-
--seutil_dontaudit_search_config(httpd_t)
-
+-seutil_dontaudit_search_config(httpd_t)
++miscfiles_dontaudit_access_check_cert(httpd_t)
+
userdom_use_unpriv_users_fds(httpd_t)
-ifdef(`TODO',`
@@ -5452,7 +5453,7 @@ index 1a82e29..a68bd53 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5512,7 +5513,7 @@ index 1a82e29..a68bd53 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +771,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +772,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5597,7 +5598,7 @@ index 1a82e29..a68bd53 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +812,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +813,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5678,7 +5679,7 @@ index 1a82e29..a68bd53 100644
')
optional_policy(`
-@@ -743,14 +864,6 @@ optional_policy(`
+@@ -743,14 +865,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5693,7 +5694,7 @@ index 1a82e29..a68bd53 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +878,23 @@ optional_policy(`
+@@ -765,6 +879,23 @@ optional_policy(`
')
optional_policy(`
@@ -5717,7 +5718,7 @@ index 1a82e29..a68bd53 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +911,42 @@ optional_policy(`
+@@ -781,34 +912,42 @@ optional_policy(`
')
optional_policy(`
@@ -5771,7 +5772,7 @@ index 1a82e29..a68bd53 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +954,18 @@ optional_policy(`
+@@ -816,8 +955,18 @@ optional_policy(`
')
optional_policy(`
@@ -5790,7 +5791,7 @@ index 1a82e29..a68bd53 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +974,7 @@ optional_policy(`
+@@ -826,6 +975,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5798,7 +5799,7 @@ index 1a82e29..a68bd53 100644
')
optional_policy(`
-@@ -836,20 +985,39 @@ optional_policy(`
+@@ -836,20 +986,39 @@ optional_policy(`
')
optional_policy(`
@@ -5844,7 +5845,7 @@ index 1a82e29..a68bd53 100644
')
optional_policy(`
-@@ -857,19 +1025,35 @@ optional_policy(`
+@@ -857,19 +1026,35 @@ optional_policy(`
')
optional_policy(`
@@ -5880,7 +5881,7 @@ index 1a82e29..a68bd53 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1061,170 @@ optional_policy(`
+@@ -877,65 +1062,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6073,7 +6074,7 @@ index 1a82e29..a68bd53 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1233,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1234,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6228,7 +6229,7 @@ index 1a82e29..a68bd53 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1317,104 @@ optional_policy(`
+@@ -1077,172 +1318,104 @@ optional_policy(`
')
')
@@ -6464,7 +6465,7 @@ index 1a82e29..a68bd53 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1422,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1423,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6561,7 +6562,7 @@ index 1a82e29..a68bd53 100644
########################################
#
-@@ -1315,8 +1497,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1498,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6578,7 +6579,7 @@ index 1a82e29..a68bd53 100644
')
########################################
-@@ -1324,49 +1513,36 @@ optional_policy(`
+@@ -1324,49 +1514,36 @@ optional_policy(`
# User content local policy
#
@@ -6642,7 +6643,7 @@ index 1a82e29..a68bd53 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1552,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1553,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -8267,7 +8268,7 @@ index 866a1e2..6c2dbe4 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 076ffee..e3dbd11 100644
+index 076ffee..9977c4d 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8308,7 +8309,15 @@ index 076ffee..e3dbd11 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -170,6 +173,11 @@ tunable_policy(`named_write_master_zones',`
+@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+ dev_read_sysfs(named_t)
+ dev_read_rand(named_t)
+ dev_read_urand(named_t)
++dev_dontaudit_write_urand(named_t)
+
+ domain_use_interactive_fds(named_t)
+
+@@ -170,6 +174,11 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -8320,7 +8329,7 @@ index 076ffee..e3dbd11 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -183,6 +191,7 @@ optional_policy(`
+@@ -183,6 +192,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(named, named_t)
@@ -8328,7 +8337,7 @@ index 076ffee..e3dbd11 100644
')
optional_policy(`
-@@ -209,7 +218,8 @@ optional_policy(`
+@@ -209,7 +219,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -8338,7 +8347,7 @@ index 076ffee..e3dbd11 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -223,10 +233,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +234,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -8350,7 +8359,7 @@ index 076ffee..e3dbd11 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +260,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -23353,7 +23362,7 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..fd440f8 100644
+index f0388cb..7d63acb 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen };
@@ -23385,7 +23394,7 @@ index f0388cb..fd440f8 100644
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,15 +86,17 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +86,19 @@ fs_search_auto_mountpoints(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
@@ -23397,6 +23406,8 @@ index f0388cb..fd440f8 100644
-miscfiles_read_localization(fetchmail_t)
miscfiles_read_generic_certs(fetchmail_t)
++sysnet_dns_name_resolve(fetchmail_t)
++
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_search_user_home_dirs(fetchmail_t)
+
@@ -25028,10 +25039,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..cbe51a9
+index 0000000..3156ad4
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,166 @@
+policy_module(glusterfs, 1.0.1)
+
+##