diff -ru refpolicy-2.20180114/policy/constraints ./policy/constraints
--- refpolicy-2.20180114/policy/constraints	2017-08-06 00:37:08.000000000 +1000
+++ ./policy/constraints	2018-04-18 18:57:24.324127707 +1000
@@ -130,6 +130,7 @@
 
 exempted_ubac_constraint(socket, ubacsock)
 exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(sctp_socket, ubacsock)
 exempted_ubac_constraint(udp_socket, ubacsock)
 exempted_ubac_constraint(rawip_socket, ubacsock)
 exempted_ubac_constraint(netlink_socket, ubacsock)
diff -ru refpolicy-2.20180114/policy/flask/access_vectors ./policy/flask/access_vectors
--- refpolicy-2.20180114/policy/flask/access_vectors	2017-08-06 02:57:56.000000000 +1000
+++ ./policy/flask/access_vectors	2018-04-18 18:57:24.324127707 +1000
@@ -985,6 +985,8 @@
 inherits socket
 {
 	node_bind
+	name_connect
+	association
 }
 
 class icmp_socket
@@ -1079,3 +1081,12 @@
 
 class smc_socket
 inherits socket
+
+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
diff -ru refpolicy-2.20180114/policy/flask/security_classes ./policy/flask/security_classes
--- refpolicy-2.20180114/policy/flask/security_classes	2017-08-06 02:57:56.000000000 +1000
+++ ./policy/flask/security_classes	2018-04-18 18:57:24.324127707 +1000
@@ -190,4 +190,6 @@
 
 class process2
 
+class bpf
+
 # FLASK
Only in policy/flask: userspace
diff -ru refpolicy-2.20180114/policy/mcs ./policy/mcs
--- refpolicy-2.20180114/policy/mcs	2017-11-05 05:00:56.000000000 +1100
+++ ./policy/mcs	2018-04-18 18:57:24.324127707 +1000
@@ -120,7 +120,7 @@
 mlsconstrain process { signal }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain key { create link read search setattr view write }
diff -ru refpolicy-2.20180114/policy/mls ./policy/mls
--- refpolicy-2.20180114/policy/mls	2017-12-13 12:07:27.000000000 +1100
+++ ./policy/mls	2018-04-18 18:57:24.324127707 +1000
@@ -166,13 +166,13 @@
 #
 
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
 	( h1 dom h2 );
 
 # the socket "read+write" ops
 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
 # require equal levels for unprivileged subjects, or read *and* write overrides)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect }
 	(( l1 eq l2 ) or
 	 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	   ( t1 == mlsnetread )) and
@@ -182,7 +182,7 @@
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -193,14 +193,14 @@
 	 ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -223,13 +223,13 @@
 	 ( t2 == mlstrustedsocket ));
 
 # these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind }
 #
-# { tcp_socket udp_socket rawip_socket } node_bind
+# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 #
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom }
 #
-# tcp_socket name_connect
+# { tcp_socket sctp_socket } name_connect
 #
 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
 #
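Review bot: The updated comment now lists `sctp_socket` under `{ connectto newconn acceptfrom }`, but the access_vectors hunk in this patch gives the class only `node_bind`, `name_connect` and `association` on top of what it inherits from `socket`. Unless the socket common supplies those three permissions (it is not visible here), that line describes permissions the class does not have. The new `association` permission is also not mentioned in the visible part of this file, neither in an `mlsconstrain` nor in this list of unconstrained vectors. I would drop `sctp_socket` from the connectto line and add an explicit entry such as `# sctp_socket association`, or a constraint if one is intended, so that someone auditing MLS coverage can see the omission is deliberate. The comment block continues past the end of the hunk.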
diff -ru refpolicy-2.20180114/policy/modules/contrib/accountsd.if ./policy/modules/contrib/accountsd.if
--- refpolicy-2.20180114/policy/modules/contrib/accountsd.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/accountsd.if	2018-04-18 18:57:26.860124797 +1000
@@ -129,7 +129,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/contrib/accountsd.te ./policy/modules/contrib/accountsd.te
--- refpolicy-2.20180114/policy/modules/contrib/accountsd.te	2018-01-15 06:08:06.000000000 +1100
+++ ./policy/modules/contrib/accountsd.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(accountsd, 1.2.0)
+policy_module(accountsd, 1.2.1)
 
 gen_require(`
 	class passwd all_passwd_perms;
diff -ru refpolicy-2.20180114/policy/modules/contrib/alsa.te ./policy/modules/contrib/alsa.te
--- refpolicy-2.20180114/policy/modules/contrib/alsa.te	2018-01-15 06:08:07.000000000 +1100
+++ ./policy/modules/contrib/alsa.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.18.0)
+policy_module(alsa, 1.18.1)
 
 ########################################
 #
@@ -73,7 +73,7 @@
 manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
 
 allow alsa_t alsa_var_lock_t:file manage_file_perms;
-files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file)
 
 kernel_read_system_state(alsa_t)
 
diff -ru refpolicy-2.20180114/policy/modules/contrib/apache.if ./policy/modules/contrib/apache.if
--- refpolicy-2.20180114/policy/modules/contrib/apache.if	2017-09-20 08:22:38.000000000 +1000
+++ ./policy/modules/contrib/apache.if	2018-04-18 18:57:26.864124792 +1000
@@ -373,6 +373,25 @@
 
 ########################################
 ## <summary>
+##	Read and write httpd unix domain
+##      stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+	gen_require(`
+		type httpd_t;
+	')
+
+	allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and
 ##	write httpd TCP sockets.
 ## </summary>
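Review bot: The summary for `apache_rw_stream_sockets` does not say which sockets are meant, and its second line (`##      stream sockets.`) is indented with spaces where the neighbouring doc lines use a tab. The rule grants `rw_stream_socket_perms` on `httpd_t:unix_stream_socket`, so it covers sockets owned by httpd itself. I would word the summary as `##	Read and write unix domain stream sockets owned by httpd.` and mention in the description that it is meant for descriptors handed to a script domain, if that is the intent. The same space-indented summary line appears in `mta_sendmail_entry_point` in mta.if.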
diff -ru refpolicy-2.20180114/policy/modules/contrib/apache.te ./policy/modules/contrib/apache.te
--- refpolicy-2.20180114/policy/modules/contrib/apache.te	2018-01-15 06:08:07.000000000 +1100
+++ ./policy/modules/contrib/apache.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(apache, 2.14.0)
+policy_module(apache, 2.14.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/bugzilla.if ./policy/modules/contrib/bugzilla.if
--- refpolicy-2.20180114/policy/modules/contrib/bugzilla.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/bugzilla.if	2018-04-18 18:57:26.864124792 +1000
@@ -48,7 +48,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/contrib/bugzilla.te ./policy/modules/contrib/bugzilla.te
--- refpolicy-2.20180114/policy/modules/contrib/bugzilla.te	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/bugzilla.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(bugzilla, 1.1.0)
+policy_module(bugzilla, 1.1.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/ccs.if ./policy/modules/contrib/ccs.if
--- refpolicy-2.20180114/policy/modules/contrib/ccs.if	2015-10-25 23:42:38.000000000 +1100
+++ ./policy/modules/contrib/ccs.if	2018-04-18 18:57:26.864124792 +1000
@@ -99,7 +99,7 @@
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
 		type ccs_var_lib_t, ccs_var_log_t;
-		type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
+		type ccs_var_run_t, ccs_tmp_t;
 	')
 
 	allow $1 ccs_t:process { ptrace signal_perms };
@@ -108,7 +108,7 @@
 	init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t)
 
 	files_search_etc($1)
-	admin_pattern($1, ccs_conf_t)
+	admin_pattern($1, cluster_conf_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, ccs_var_lib_t)
diff -ru refpolicy-2.20180114/policy/modules/contrib/ccs.te ./policy/modules/contrib/ccs.te
--- refpolicy-2.20180114/policy/modules/contrib/ccs.te	2017-08-06 02:59:41.000000000 +1000
+++ ./policy/modules/contrib/ccs.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(ccs, 1.11.0)
+policy_module(ccs, 1.11.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/cfengine.if ./policy/modules/contrib/cfengine.if
--- refpolicy-2.20180114/policy/modules/contrib/cfengine.if	2015-10-25 23:42:38.000000000 +1100
+++ ./policy/modules/contrib/cfengine.if	2018-04-18 18:57:26.864124792 +1000
@@ -65,10 +65,10 @@
 #
 interface(`cfengine_dontaudit_write_log_files',`
 	gen_require(`
-		type cfengine_var_log_t;
+		type cfengine_log_t;
 	')
 
-	dontaudit $1 cfengine_var_log_t:file write_file_perms;
+	dontaudit $1 cfengine_log_t:file write_file_perms;
 ')
 
 ########################################
diff -ru refpolicy-2.20180114/policy/modules/contrib/cfengine.te ./policy/modules/contrib/cfengine.te
--- refpolicy-2.20180114/policy/modules/contrib/cfengine.te	2017-08-06 02:59:39.000000000 +1000
+++ ./policy/modules/contrib/cfengine.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(cfengine, 1.3.0)
+policy_module(cfengine, 1.3.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/cobbler.if ./policy/modules/contrib/cobbler.if
--- refpolicy-2.20180114/policy/modules/contrib/cobbler.if	2017-08-07 05:46:40.000000000 +1000
+++ ./policy/modules/contrib/cobbler.if	2018-04-18 18:57:26.864124792 +1000
@@ -154,8 +154,8 @@
 interface(`cobbler_admin',`
 	gen_require(`
 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+		type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
+		type cobbler_tmp_t;
 	')
 
 	allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -176,5 +176,5 @@
 	admin_pattern($1, cobbler_var_log_t)
 
 	apache_search_sys_content($1)
-	admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
+	admin_pattern($1, cobbler_content_t)
 ')
diff -ru refpolicy-2.20180114/policy/modules/contrib/cobbler.te ./policy/modules/contrib/cobbler.te
--- refpolicy-2.20180114/policy/modules/contrib/cobbler.te	2017-12-14 10:34:22.000000000 +1100
+++ ./policy/modules/contrib/cobbler.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(cobbler, 1.3.0)
+policy_module(cobbler, 1.3.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/cron.if ./policy/modules/contrib/cron.if
--- refpolicy-2.20180114/policy/modules/contrib/cron.if	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/contrib/cron.if	2018-04-18 18:57:26.864124792 +1000
@@ -699,11 +699,11 @@
 #
 interface(`cron_manage_system_spool',`
 	gen_require(`
-		type cron_system_spool_t;
+		type system_cron_spool_t;
 	')
 
 	files_search_spool($1)
-	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+	manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
 ')
 
 ########################################
diff -ru refpolicy-2.20180114/policy/modules/contrib/cron.te ./policy/modules/contrib/cron.te
--- refpolicy-2.20180114/policy/modules/contrib/cron.te	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/contrib/cron.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(cron, 2.13.0)
+policy_module(cron, 2.13.1)
 
 gen_require(`
 	class passwd rootok;
diff -ru refpolicy-2.20180114/policy/modules/contrib/cups.if ./policy/modules/contrib/cups.if
--- refpolicy-2.20180114/policy/modules/contrib/cups.if	2017-08-07 05:37:01.000000000 +1000
+++ ./policy/modules/contrib/cups.if	2018-04-18 18:57:26.864124792 +1000
@@ -352,7 +352,7 @@
 interface(`cups_admin',`
 	gen_require(`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-		type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+		type cupsd_etc_t, cupsd_log_t;
 		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
 		type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
 		type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
@@ -374,7 +374,6 @@
 	admin_pattern($1, cupsd_log_t)
 
 	files_list_spool($1)
-	admin_pattern($1, cupsd_spool_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, { cupsd_tmp_t  cupsd_lpd_tmp_t })
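Review bot: `files_list_spool($1)` is left in `cups_admin` after the `admin_pattern($1, cupsd_spool_t)` that it supported is removed, so the interface still grants listing of the spool directory with no spool type left to administer. The same happens in `dspam_stream_connect` in dspam.if, where `files_search_tmp($1)` stays although `dspam_tmp_t` is dropped from the `stream_connect_pattern` call. Unless a rule outside these hunks still needs them, I would remove both leftover lines so the interfaces grant only what they use. Both interface bodies extend beyond the hunks shown.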
diff -ru refpolicy-2.20180114/policy/modules/contrib/cups.te ./policy/modules/contrib/cups.te
--- refpolicy-2.20180114/policy/modules/contrib/cups.te	2017-08-06 02:59:38.000000000 +1000
+++ ./policy/modules/contrib/cups.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(cups, 1.22.0)
+policy_module(cups, 1.22.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/dbus.if ./policy/modules/contrib/dbus.if
--- refpolicy-2.20180114/policy/modules/contrib/dbus.if	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/contrib/dbus.if	2018-04-18 18:57:26.864124792 +1000
@@ -248,7 +248,7 @@
 		class dbus send_msg;
 	')
 
-	allow $1 dbus_session_bus_type:dbus send_msg;
+	allow $1 session_bus_type:dbus send_msg;
 ')
 
 #######################################
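Review bot: The `gen_require` block of this interface opens above the hunk, so it is not visible whether the renamed `session_bus_type` is declared there. The rule `allow $1 session_bus_type:dbus send_msg;` needs `attribute session_bus_type;` in that block next to `class dbus send_msg;`. Please confirm the require was updated together with the rule and does not still name `dbus_session_bus_type`.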
diff -ru refpolicy-2.20180114/policy/modules/contrib/dbus.te ./policy/modules/contrib/dbus.te
--- refpolicy-2.20180114/policy/modules/contrib/dbus.te	2018-04-18 18:58:03.000000000 +1000
+++ ./policy/modules/contrib/dbus.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.24.2)
+policy_module(dbus, 1.24.3)
 
 gen_require(`
 	class dbus all_dbus_perms;
diff -ru refpolicy-2.20180114/policy/modules/contrib/devicekit.if ./policy/modules/contrib/devicekit.if
--- refpolicy-2.20180114/policy/modules/contrib/devicekit.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/devicekit.if	2018-04-18 18:57:26.864124792 +1000
@@ -248,7 +248,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/contrib/devicekit.te ./policy/modules/contrib/devicekit.te
--- refpolicy-2.20180114/policy/modules/contrib/devicekit.te	2018-04-18 18:58:03.000000000 +1000
+++ ./policy/modules/contrib/devicekit.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.8.2)
+policy_module(devicekit, 1.8.3)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/djbdns.if ./policy/modules/contrib/djbdns.if
--- refpolicy-2.20180114/policy/modules/contrib/djbdns.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/djbdns.if	2018-04-18 18:57:26.864124792 +1000
@@ -71,8 +71,8 @@
 #
 interface(`djbdns_link_tinydns_keys',`
 	gen_require(`
-		type djbdns_tinydn_t;
+		type djbdns_tinydns_t;
 	')
 
-	allow $1 djbdns_tinydn_t:key link;
+	allow $1 djbdns_tinydns_t:key link;
 ')
diff -ru refpolicy-2.20180114/policy/modules/contrib/djbdns.te ./policy/modules/contrib/djbdns.te
--- refpolicy-2.20180114/policy/modules/contrib/djbdns.te	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/djbdns.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(djbdns, 1.6.0)
+policy_module(djbdns, 1.6.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/dspam.if ./policy/modules/contrib/dspam.if
--- refpolicy-2.20180114/policy/modules/contrib/dspam.if	2015-10-25 23:42:38.000000000 +1100
+++ ./policy/modules/contrib/dspam.if	2018-04-18 18:57:26.864124792 +1000
@@ -32,12 +32,12 @@
 #
 interface(`dspam_stream_connect',`
 	gen_require(`
-		type dspam_t, dspam_var_run_t, dspam_tmp_t;
+		type dspam_t, dspam_var_run_t;
 	')
 
 	files_search_pids($1)
 	files_search_tmp($1)
-	stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
+	stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
 ')
 
 ########################################
diff -ru refpolicy-2.20180114/policy/modules/contrib/dspam.te ./policy/modules/contrib/dspam.te
--- refpolicy-2.20180114/policy/modules/contrib/dspam.te	2017-02-05 05:30:21.000000000 +1100
+++ ./policy/modules/contrib/dspam.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(dspam, 1.3.0)
+policy_module(dspam, 1.3.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/evolution.if ./policy/modules/contrib/evolution.if
--- refpolicy-2.20180114/policy/modules/contrib/evolution.if	2016-12-09 10:16:49.000000000 +1100
+++ ./policy/modules/contrib/evolution.if	2018-04-18 18:57:26.864124792 +1000
@@ -224,5 +224,5 @@
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1, evolution_exec_t, evolution_t);
+	domtrans_pattern($1, evolution_exec_t, evolution_t)
 ')
diff -ru refpolicy-2.20180114/policy/modules/contrib/evolution.te ./policy/modules/contrib/evolution.te
--- refpolicy-2.20180114/policy/modules/contrib/evolution.te	2018-01-15 06:08:07.000000000 +1100
+++ ./policy/modules/contrib/evolution.te	2018-04-18 18:57:26.864124792 +1000
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.8.0)
+policy_module(evolution, 2.8.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/firewalld.if ./policy/modules/contrib/firewalld.if
--- refpolicy-2.20180114/policy/modules/contrib/firewalld.if	2016-12-12 06:13:21.000000000 +1100
+++ ./policy/modules/contrib/firewalld.if	2018-04-18 18:57:26.868124787 +1000
@@ -98,7 +98,7 @@
 interface(`firewalld_admin',`
 	gen_require(`
 		type firewalld_t, firewalld_initrc_exec_t;
-		type firewall_etc_rw_t, firewalld_var_run_t;
+		type firewalld_etc_rw_t, firewalld_var_run_t;
 		type firewalld_var_log_t;
 	')
 
@@ -114,5 +114,5 @@
 	admin_pattern($1, firewalld_var_log_t)
 
 	files_search_etc($1)
-	admin_pattern($1, firewall_etc_rw_t)
+	admin_pattern($1, firewalld_etc_rw_t)
 ')
diff -ru refpolicy-2.20180114/policy/modules/contrib/firewalld.te ./policy/modules/contrib/firewalld.te
--- refpolicy-2.20180114/policy/modules/contrib/firewalld.te	2017-12-14 10:34:36.000000000 +1100
+++ ./policy/modules/contrib/firewalld.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(firewalld, 1.6.0)
+policy_module(firewalld, 1.6.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/ftp.te ./policy/modules/contrib/ftp.te
--- refpolicy-2.20180114/policy/modules/contrib/ftp.te	2017-08-06 02:59:40.000000000 +1000
+++ ./policy/modules/contrib/ftp.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.21.0)
+policy_module(ftp, 1.21.1)
 
 ########################################
 #
@@ -394,7 +394,7 @@
 	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
 
 	optional_policy(`
-		tcpd_domtrans(tcpd_t)
+		tcpd_domtrans(ftpd_t)
 	')
 ')
 
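Review bot: `tcpd_domtrans(ftpd_t)` looks like it points the transition the wrong way for an inetd-launched service. Judging by the interface name, it lets `ftpd_t` execute tcpd and enter `tcpd_t`, whereas with TCP wrappers tcpd is the process that starts the daemon. If the intent is to let the wrapper launch ftpd, refpolicy provides `tcpd_wrapped_domain(ftpd_t, ftpd_exec_t)` for that; please confirm which direction is wanted. The enclosing conditional block starts outside the hunk.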
Only in ./policy/modules/contrib: .git
diff -ru refpolicy-2.20180114/policy/modules/contrib/gnome.fc ./policy/modules/contrib/gnome.fc
--- refpolicy-2.20180114/policy/modules/contrib/gnome.fc	2017-11-29 12:16:02.000000000 +1100
+++ ./policy/modules/contrib/gnome.fc	2018-04-18 18:57:26.868124787 +1000
@@ -20,3 +20,4 @@
 /run/user/%{USERID}/keyring(/.*)?		gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
 /run/user/[^/]*/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 /run/user/%{USERID}/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/run/user/%{USERID}/dconf(/.*)?		gen_context(system_u:object_r:gconf_tmp_t,s0)
diff -ru refpolicy-2.20180114/policy/modules/contrib/gnome.te ./policy/modules/contrib/gnome.te
--- refpolicy-2.20180114/policy/modules/contrib/gnome.te	2018-01-15 06:08:07.000000000 +1100
+++ ./policy/modules/contrib/gnome.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(gnome, 2.9.0)
+policy_module(gnome, 2.9.1)
 
 ##############################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/ifplugd.te ./policy/modules/contrib/ifplugd.te
--- refpolicy-2.20180114/policy/modules/contrib/ifplugd.te	2017-08-06 02:59:41.000000000 +1000
+++ ./policy/modules/contrib/ifplugd.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.4.0)
+policy_module(ifplugd, 1.4.1)
 
 ########################################
 #
@@ -53,6 +53,8 @@
 
 auth_use_nsswitch(ifplugd_t)
 
+init_domtrans_script(ifplugd_t)
+
 logging_send_syslog_msg(ifplugd_t)
 
 miscfiles_read_localization(ifplugd_t)
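Review bot: `init_domtrans_script(ifplugd_t)` is added without a comment, and it is a wide grant compared with the neighbouring rules in this hunk. It presumably lets ifplugd run init scripts in the init script domain, which is typically far more privileged than ifplugd itself. A why-comment would help, for example `# ifplugd action scripts bring interfaces up/down via init scripts`, if that is the reason. If only specific helper scripts are needed, a transition keyed to their own exec type would limit what a compromised ifplugd can reach.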
diff -ru refpolicy-2.20180114/policy/modules/contrib/kismet.if ./policy/modules/contrib/kismet.if
--- refpolicy-2.20180114/policy/modules/contrib/kismet.if	2016-12-12 06:13:21.000000000 +1100
+++ ./policy/modules/contrib/kismet.if	2018-04-18 18:57:26.868124787 +1000
@@ -18,12 +18,12 @@
 template(`kismet_role',`
 	gen_require(`
 		type kismet_exec_t, kismet_home_t, kismet_tmp_t;
-		type kistmet_tmpfs_t, kismet_t;
+		type kismet_tmpfs_t, kismet_t;
 	')
 
 	kismet_run($1, $2)
 
-	allow $2 kistmet_t:process { ptrace signal_perms };
+	allow $2 kismet_t:process { ptrace signal_perms };
 	ps_process_pattern($2, kismet_t)
 
 	allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms };
diff -ru refpolicy-2.20180114/policy/modules/contrib/kismet.te ./policy/modules/contrib/kismet.te
--- refpolicy-2.20180114/policy/modules/contrib/kismet.te	2017-02-16 10:46:32.000000000 +1100
+++ ./policy/modules/contrib/kismet.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(kismet, 1.10.0)
+policy_module(kismet, 1.10.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/lsm.if ./policy/modules/contrib/lsm.if
--- refpolicy-2.20180114/policy/modules/contrib/lsm.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/lsm.if	2018-04-18 18:57:26.868124787 +1000
@@ -10,7 +10,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/contrib/lsm.te ./policy/modules/contrib/lsm.te
--- refpolicy-2.20180114/policy/modules/contrib/lsm.te	2017-02-05 05:30:22.000000000 +1100
+++ ./policy/modules/contrib/lsm.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(lsm, 1.1.0)
+policy_module(lsm, 1.1.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/mojomojo.te ./policy/modules/contrib/mojomojo.te
--- refpolicy-2.20180114/policy/modules/contrib/mojomojo.te	2017-02-05 05:30:50.000000000 +1100
+++ ./policy/modules/contrib/mojomojo.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(mojomojo, 1.2.0)
+policy_module(mojomojo, 1.2.1)
 
 ########################################
 #
@@ -12,7 +12,7 @@
 # Local policy
 #
 
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+apache_rw_stream_sockets(httpd_mojomojo_script_t)
 
 corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
 corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
diff -ru refpolicy-2.20180114/policy/modules/contrib/mozilla.te ./policy/modules/contrib/mozilla.te
--- refpolicy-2.20180114/policy/modules/contrib/mozilla.te	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/contrib/mozilla.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.13.0)
+policy_module(mozilla, 2.13.1)
 
 ########################################
 #
@@ -108,6 +108,7 @@
 manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+allow mozilla_t mozilla_plugin_tmpfs_t:file map;
 
 allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
 allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
@@ -347,6 +348,7 @@
 manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
 manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
 manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_t mozilla_home_t:file map;
 
 userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
 userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
@@ -370,6 +372,8 @@
 files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
 userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
 
+allow mozilla_plugin_t mozilla_tmp_t:file rw_file_perms;
+
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
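Review bot: `allow mozilla_plugin_t mozilla_tmp_t:file rw_file_perms;` gives the plugin domain read and write access to the browser's own temp files. That weakens the separation that the dedicated `mozilla_plugin_tmp_t` transitions just above it establish. If the plugin only uses descriptors handed over by the browser, a set without `open`, such as `allow mozilla_plugin_t mozilla_tmp_t:file { getattr read write };`, would cover that without letting it open arbitrary browser temp files. Either way a short comment stating what needs this access would help; the `map` rules added in the neighbouring hunks are unexplained too.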
@@ -479,6 +483,7 @@
 files_list_mnt(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
 files_read_usr_files(mozilla_plugin_t)
+files_map_usr_files(mozilla_plugin_t)
 
 fs_getattr_all_fs(mozilla_plugin_t)
 # fs_read_hugetlbfs_files(mozilla_plugin_t)
diff -ru refpolicy-2.20180114/policy/modules/contrib/mta.fc ./policy/modules/contrib/mta.fc
--- refpolicy-2.20180114/policy/modules/contrib/mta.fc	2017-05-04 22:20:09.000000000 +1000
+++ ./policy/modules/contrib/mta.fc	2018-04-18 18:57:26.868124787 +1000
@@ -2,6 +2,7 @@
 HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.msmtprc	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/DovecotMail(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
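Review bot: `HOME_DIR/\.msmtprc` is labelled `mail_home_t`, the same type as `.forward` and `.mailrc`, yet an msmtp configuration file can hold SMTP account credentials. Every domain allowed to read `mail_home_t` would then be able to read them, so it is worth checking whether that set is acceptable or whether a dedicated type is warranted. The `/etc/msmtprc` entry in the next hunk raises the same question for `etc_mail_t`.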
@@ -10,10 +11,12 @@
 /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/mail(/.*)?	gen_context(system_u:object_r:etc_mail_t,s0)
 /etc/mail/aliases.*	--	gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/msmtprc		--	gen_context(system_u:object_r:etc_mail_t,s0)
 /etc/postfix/aliases.*	--	gen_context(system_u:object_r:etc_aliases_t,s0)
 
 /usr/bin/esmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/msmtp	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/rmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/bin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
diff -ru refpolicy-2.20180114/policy/modules/contrib/mta.if ./policy/modules/contrib/mta.if
--- refpolicy-2.20180114/policy/modules/contrib/mta.if	2017-09-18 11:04:43.000000000 +1000
+++ ./policy/modules/contrib/mta.if	2018-04-18 18:57:26.868124787 +1000
@@ -530,6 +530,25 @@
 
 ########################################
 ## <summary>
+##	Make sendmail usable as an entry
+##      point for the domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be entered.
+##	</summary>
+## </param>
+#
+interface(`mta_sendmail_entry_point',`
+	gen_require(`
+		type sendmail_exec_t;
+	')
+
+	domain_entry_file($1, sendmail_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read mail server configuration content.
 ## </summary>
 ## <param name="domain">
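Review bot: The second summary line of `mta_sendmail_entry_point` is indented with spaces (`##      point for the domain.`) while the other doc lines in the hunk use a tab after `##`; make it `##	point for the domain.` to match. The summary could also say that the interface only marks `sendmail_exec_t` as an entry point through `domain_entry_file` and contains no transition rule, so callers know they still need their own. The interface that follows it continues past the end of the hunk.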
diff -ru refpolicy-2.20180114/policy/modules/contrib/mta.te ./policy/modules/contrib/mta.te
--- refpolicy-2.20180114/policy/modules/contrib/mta.te	2018-01-15 06:08:07.000000000 +1100
+++ ./policy/modules/contrib/mta.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(mta, 2.10.0)
+policy_module(mta, 2.10.2)
 
 ########################################
 #
@@ -109,6 +109,7 @@
 
 logging_send_syslog_msg(user_mail_domain)
 
+miscfiles_read_all_certs(user_mail_domain)
 miscfiles_read_localization(user_mail_domain)
 
 tunable_policy(`use_samba_home_dirs',`
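Review bot: `miscfiles_read_all_certs(user_mail_domain)` gives every user mail domain read access to all types carrying the certificate attribute, which is wider than a mail client validating a server certificate normally needs. Unless a specific non-generic certificate type has to be read, `miscfiles_read_generic_certs(user_mail_domain)` would be the narrower grant. If the wide one is intended, a one-line comment above it naming the certificate type that requires it would record why. What the attribute covers is defined in the miscfiles module and is not visible in this hunk.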
diff -ru refpolicy-2.20180114/policy/modules/contrib/obex.if ./policy/modules/contrib/obex.if
--- refpolicy-2.20180114/policy/modules/contrib/obex.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/obex.if	2018-04-18 18:57:26.868124787 +1000
@@ -24,7 +24,7 @@
 template(`obex_role_template',`
 	gen_require(`
 		attribute_role obex_roles;
-		type obex_t, obex_exec_exec_t;
+		type obex_t, obex_exec_t;
 	')
 
 	########################################
diff -ru refpolicy-2.20180114/policy/modules/contrib/obex.te ./policy/modules/contrib/obex.te
--- refpolicy-2.20180114/policy/modules/contrib/obex.te	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/obex.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(obex, 1.1.0)
+policy_module(obex, 1.1.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/plymouthd.if ./policy/modules/contrib/plymouthd.if
--- refpolicy-2.20180114/policy/modules/contrib/plymouthd.if	2017-05-02 08:34:47.000000000 +1000
+++ ./policy/modules/contrib/plymouthd.if	2018-04-18 18:57:26.868124787 +1000
@@ -242,7 +242,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/contrib/plymouthd.te ./policy/modules/contrib/plymouthd.te
--- refpolicy-2.20180114/policy/modules/contrib/plymouthd.te	2017-08-06 02:59:39.000000000 +1000
+++ ./policy/modules/contrib/plymouthd.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(plymouthd, 1.5.0)
+policy_module(plymouthd, 1.5.1)
 
 ########################################
 #
@@ -92,7 +92,6 @@
 ')
 
 optional_policy(`
-	xserver_manage_xdm_spool_files(plymouthd_t)
 	xserver_read_xdm_state(plymouthd_t)
 ')
 
diff -ru refpolicy-2.20180114/policy/modules/contrib/portage.te ./policy/modules/contrib/portage.te
--- refpolicy-2.20180114/policy/modules/contrib/portage.te	2018-01-15 06:08:06.000000000 +1100
+++ ./policy/modules/contrib/portage.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(portage, 1.16.0)
+policy_module(portage, 1.16.1)
 
 ########################################
 #
@@ -232,8 +232,6 @@
 # seems to work ok without these
 dontaudit portage_t device_t:{ blk_file chr_file } getattr;
 dontaudit portage_t proc_t:dir setattr_dir_perms;
-dontaudit portage_t device_type:chr_file read_chr_file_perms;
-dontaudit portage_t device_type:blk_file read_blk_file_perms;
 ')
 
 ##########################################
diff -ru refpolicy-2.20180114/policy/modules/contrib/qemu.te ./policy/modules/contrib/qemu.te
--- refpolicy-2.20180114/policy/modules/contrib/qemu.te	2017-08-06 02:59:40.000000000 +1000
+++ ./policy/modules/contrib/qemu.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.10.0)
+policy_module(qemu, 1.10.1)
 
 ########################################
 #
@@ -26,7 +26,7 @@
 init_unit_file(qemu_unit_t)
 
 type qemu_var_run_t;
-files_pid_file(qemu_var_run_t);
+files_pid_file(qemu_var_run_t)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/rabbitmq.if ./policy/modules/contrib/rabbitmq.if
--- refpolicy-2.20180114/policy/modules/contrib/rabbitmq.if	2015-10-25 23:42:38.000000000 +1100
+++ ./policy/modules/contrib/rabbitmq.if	2018-04-18 18:57:26.868124787 +1000
@@ -12,11 +12,13 @@
 #
 interface(`rabbitmq_domtrans',`
 	gen_require(`
-		type rabbitmq_t, rabbitmq_exec_t;
+		type rabbitmq_epmd_t, rabbitmq_epmd_exec_t;
+		type rabbitmq_beam_t, rabbitmq_beam_exec_t;
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
+	domtrans_pattern($1, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+	domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
 ')
 
 ########################################
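Review bot: `rabbitmq_domtrans` now sets up two transitions, into `rabbitmq_epmd_t` and `rabbitmq_beam_t`, and every caller receives both, yet nothing next to the rules says so. The interface summary sits above the hunk and is not visible; if it still describes a single rabbitmq domain it should be reworded to name both, e.g. `##	Execute the rabbitmq epmd and beam executables with domain transitions.` A caller that needs only one of the two transitions would be better served by separate interfaces.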
diff -ru refpolicy-2.20180114/policy/modules/contrib/rabbitmq.te ./policy/modules/contrib/rabbitmq.te
--- refpolicy-2.20180114/policy/modules/contrib/rabbitmq.te	2017-02-05 05:30:24.000000000 +1100
+++ ./policy/modules/contrib/rabbitmq.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(rabbitmq, 1.3.0)
+policy_module(rabbitmq, 1.3.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/rpm.if ./policy/modules/contrib/rpm.if
--- refpolicy-2.20180114/policy/modules/contrib/rpm.if	2017-08-07 01:44:36.000000000 +1000
+++ ./policy/modules/contrib/rpm.if	2018-04-18 18:57:26.868124787 +1000
@@ -613,7 +613,7 @@
 interface(`rpm_admin',`
 	gen_require(`
 		type rpm_t, rpm_script_t, rpm_initrc_exec_t;
-		type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+		type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
 		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
 		type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
 	')
@@ -626,7 +626,7 @@
 	admin_pattern($1, rpm_file_t)
 
 	files_list_var($1)
-	admin_pattern($1, rpm_cache_t)
+	admin_pattern($1, rpm_var_cache_t)
 
 	files_list_tmp($1)
 	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
diff -ru refpolicy-2.20180114/policy/modules/contrib/rpm.te ./policy/modules/contrib/rpm.te
--- refpolicy-2.20180114/policy/modules/contrib/rpm.te	2018-01-15 06:08:07.000000000 +1100
+++ ./policy/modules/contrib/rpm.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.21.0)
+policy_module(rpm, 1.21.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/rsync.if ./policy/modules/contrib/rsync.if
--- refpolicy-2.20180114/policy/modules/contrib/rsync.if	2016-12-05 04:48:16.000000000 +1100
+++ ./policy/modules/contrib/rsync.if	2018-04-18 18:57:26.868124787 +1000
@@ -247,7 +247,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/contrib/rsync.te ./policy/modules/contrib/rsync.te
--- refpolicy-2.20180114/policy/modules/contrib/rsync.te	2017-08-06 02:59:39.000000000 +1000
+++ ./policy/modules/contrib/rsync.te	2018-04-18 18:57:26.868124787 +1000
@@ -1,4 +1,4 @@
-policy_module(rsync, 1.16.0)
+policy_module(rsync, 1.16.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/samba.if ./policy/modules/contrib/samba.if
--- refpolicy-2.20180114/policy/modules/contrib/samba.if	2016-12-12 06:13:21.000000000 +1100
+++ ./policy/modules/contrib/samba.if	2018-04-18 18:57:26.872124782 +1000
@@ -684,7 +684,7 @@
 interface(`samba_admin',`
 	gen_require(`
 		type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
-		type smbd_t, smbd_tmp_t, smbd_spool_t;
+		type smbd_t, smbd_tmp_t;
 		type samba_log_t, samba_var_t, samba_secrets_t;
 		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
 		type swat_var_run_t, swat_tmp_t, winbind_log_t;
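Review bot: With `smbd_spool_t` dropped from the `gen_require` here and `admin_pattern($1, smbd_spool_t)` removed in the next hunk, the `files_list_spool($1)` line kept there no longer supports any visible rule in `samba_admin`. Going by its name it still grants the admin domain listing of the spool directory, so unless something outside the visible hunks needs it, remove `files_list_spool($1)` as well. `samba_admin` begins and ends outside both hunks.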
@@ -707,7 +707,6 @@
 	admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
 
 	files_list_spool($1)
-	admin_pattern($1, smbd_spool_t)
 
 	files_list_pids($1)
 	admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
diff -ru refpolicy-2.20180114/policy/modules/contrib/samba.te ./policy/modules/contrib/samba.te
--- refpolicy-2.20180114/policy/modules/contrib/samba.te	2018-01-15 06:08:07.000000000 +1100
+++ ./policy/modules/contrib/samba.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(samba, 1.22.0)
+policy_module(samba, 1.22.2)
 
 #################################
 #
@@ -114,7 +114,7 @@
 
 type samba_var_run_t;
 typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
-files_pid_file(samba_var_run_t)
+init_daemon_pid_file(samba_var_run_t, dir, "samba")
 
 type samba_etc_t;
 files_config_file(samba_etc_t)
diff -ru refpolicy-2.20180114/policy/modules/contrib/samhain.if ./policy/modules/contrib/samhain.if
--- refpolicy-2.20180114/policy/modules/contrib/samhain.if	2015-10-25 23:42:38.000000000 +1100
+++ ./policy/modules/contrib/samhain.if	2018-04-18 18:57:26.872124782 +1000
@@ -203,7 +203,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/contrib/samhain.te ./policy/modules/contrib/samhain.te
--- refpolicy-2.20180114/policy/modules/contrib/samhain.te	2017-08-06 02:59:40.000000000 +1000
+++ ./policy/modules/contrib/samhain.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.5.0)
+policy_module(samhain, 1.5.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/sectoolm.if ./policy/modules/contrib/sectoolm.if
--- refpolicy-2.20180114/policy/modules/contrib/sectoolm.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/sectoolm.if	2018-04-18 18:57:26.872124782 +1000
@@ -4,7 +4,7 @@
 ## <summary>
 ##	Role access for sectoolm.
 ## </summary>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/contrib/sectoolm.te ./policy/modules/contrib/sectoolm.te
--- refpolicy-2.20180114/policy/modules/contrib/sectoolm.te	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/sectoolm.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(sectoolm, 1.1.0)
+policy_module(sectoolm, 1.1.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/sendmail.te ./policy/modules/contrib/sendmail.te
--- refpolicy-2.20180114/policy/modules/contrib/sendmail.te	2018-01-15 06:08:06.000000000 +1100
+++ ./policy/modules/contrib/sendmail.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(sendmail, 1.16.0)
+policy_module(sendmail, 1.16.1)
 
 ########################################
 #
@@ -32,7 +32,8 @@
 role sendmail_roles types sendmail_t;
 
 type unconfined_sendmail_t;
-application_domain(unconfined_sendmail_t, sendmail_exec_t)
+application_type(unconfined_sendmail_t)
+mta_sendmail_entry_point(unconfined_sendmail_t)
 role sendmail_unconfined_roles types unconfined_sendmail_t;
 
 ########################################
diff -ru refpolicy-2.20180114/policy/modules/contrib/setroubleshoot.if ./policy/modules/contrib/setroubleshoot.if
--- refpolicy-2.20180114/policy/modules/contrib/setroubleshoot.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/setroubleshoot.if	2018-04-18 18:57:26.872124782 +1000
@@ -133,6 +133,11 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role" unused="true">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`setroubleshoot_admin',`
diff -ru refpolicy-2.20180114/policy/modules/contrib/setroubleshoot.te ./policy/modules/contrib/setroubleshoot.te
--- refpolicy-2.20180114/policy/modules/contrib/setroubleshoot.te	2017-08-06 02:59:40.000000000 +1000
+++ ./policy/modules/contrib/setroubleshoot.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(setroubleshoot, 1.16.0)
+policy_module(setroubleshoot, 1.16.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/shorewall.if ./policy/modules/contrib/shorewall.if
--- refpolicy-2.20180114/policy/modules/contrib/shorewall.if	2016-03-26 00:51:37.000000000 +1100
+++ ./policy/modules/contrib/shorewall.if	2018-04-18 18:57:26.872124782 +1000
@@ -62,38 +62,28 @@
 ## <summary>
 ##	Read shorewall pid files.
 ## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`shorewall_read_pid_files',`
-	gen_require(`
-		type shorewall_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+	refpolicywarn(`$0($*) has been deprecated')
 ')
 
 #######################################
 ## <summary>
 ##	Read and write shorewall pid files.
 ## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`shorewall_rw_pid_files',`
-	gen_require(`
-		type shorewall_var_run_t;
-	')
-
-	files_search_pids($1)
-	rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+	refpolicywarn(`$0($*) has been deprecated')
 ')
 
 ######################################
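Review bot: `shorewall_read_pid_files` and `shorewall_rw_pid_files` now expand to a `refpolicywarn` only, so a module that still calls them builds with just a warning and loses its access to the shorewall pid files; the summaries do not say this. Mark both in the doc block, e.g. `##	Read shorewall pid files.  (Deprecated)` and `##	Read and write shorewall pid files.  (Deprecated)`, and name the replacement interface if there is one. Whether any callers remain cannot be told from this hunk.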
diff -ru refpolicy-2.20180114/policy/modules/contrib/shorewall.te ./policy/modules/contrib/shorewall.te
--- refpolicy-2.20180114/policy/modules/contrib/shorewall.te	2017-08-06 02:59:38.000000000 +1000
+++ ./policy/modules/contrib/shorewall.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.7.0)
+policy_module(shorewall, 1.7.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/sosreport.if ./policy/modules/contrib/sosreport.if
--- refpolicy-2.20180114/policy/modules/contrib/sosreport.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/sosreport.if	2018-04-18 18:57:26.872124782 +1000
@@ -42,7 +42,7 @@
 	')
 
 	sosreport_domtrans($1)
-	roleattribute $2 sospreport_roles;
+	roleattribute $2 sosreport_roles;
 ')
 
 ########################################
diff -ru refpolicy-2.20180114/policy/modules/contrib/sosreport.te ./policy/modules/contrib/sosreport.te
--- refpolicy-2.20180114/policy/modules/contrib/sosreport.te	2017-08-06 02:59:39.000000000 +1000
+++ ./policy/modules/contrib/sosreport.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(sosreport, 1.5.0)
+policy_module(sosreport, 1.5.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/sssd.if ./policy/modules/contrib/sssd.if
--- refpolicy-2.20180114/policy/modules/contrib/sssd.if	2015-10-25 23:42:38.000000000 +1100
+++ ./policy/modules/contrib/sssd.if	2018-04-18 18:57:26.872124782 +1000
@@ -336,7 +336,7 @@
 	gen_require(`
 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
 		type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
-		type sssd_log_t;
+		type sssd_var_log_t;
 	')
 
 	allow $1 sssd_t:process { ptrace signal_perms };
@@ -354,5 +354,5 @@
 	admin_pattern($1, sssd_var_run_t)
 
 	logging_search_logs($1)
-	admin_pattern($1, sssd_log_t)
+	admin_pattern($1, sssd_var_log_t)
 ')
diff -ru refpolicy-2.20180114/policy/modules/contrib/sssd.te ./policy/modules/contrib/sssd.te
--- refpolicy-2.20180114/policy/modules/contrib/sssd.te	2017-08-06 02:59:39.000000000 +1000
+++ ./policy/modules/contrib/sssd.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(sssd, 1.5.0)
+policy_module(sssd, 1.5.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/tftp.if ./policy/modules/contrib/tftp.if
--- refpolicy-2.20180114/policy/modules/contrib/tftp.if	2015-10-19 10:13:41.000000000 +1100
+++ ./policy/modules/contrib/tftp.if	2018-04-18 18:57:26.872124782 +1000
@@ -105,10 +105,10 @@
 #
 interface(`tftp_etc_filetrans_config',`
 	gen_require(`
-		type tftp_conf_t;
+		type tftpd_conf_t;
 	')
 
-	files_etc_filetrans($1, tftp_conf_t, $2, $3)
+	files_etc_filetrans($1, tftpd_conf_t, $2, $3)
 ')
 
 ########################################
@@ -156,6 +156,11 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role" unused="true">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`tftp_admin',`
diff -ru refpolicy-2.20180114/policy/modules/contrib/tftp.te ./policy/modules/contrib/tftp.te
--- refpolicy-2.20180114/policy/modules/contrib/tftp.te	2017-08-06 02:59:41.000000000 +1000
+++ ./policy/modules/contrib/tftp.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(tftp, 1.14.0)
+policy_module(tftp, 1.14.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/virt.te ./policy/modules/contrib/virt.te
--- refpolicy-2.20180114/policy/modules/contrib/virt.te	2018-01-15 06:08:06.000000000 +1100
+++ ./policy/modules/contrib/virt.te	2018-04-18 18:57:26.872124782 +1000
@@ -1,4 +1,4 @@
-policy_module(virt, 1.13.0)
+policy_module(virt, 1.13.1)
 
 ########################################
 #
@@ -471,6 +471,7 @@
 allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow virtd_t self:rawip_socket create_socket_perms;
 allow virtd_t self:packet_socket create_socket_perms;
+allow virtd_t self:netlink_generic_socket create_socket_perms;
 allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow virtd_t self:netlink_route_socket nlmsg_write;
 
@@ -489,6 +490,7 @@
 
 manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
 manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+files_var_filetrans(virtd_t, virt_cache_t, { file dir })
 
 manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
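Review bot: `files_var_filetrans(virtd_t, virt_cache_t, { file dir })` has no name argument, so any file or directory that virtd_t creates directly in a generic var directory is labelled `virt_cache_t`, not just the cache itself. Restricting the transition to the object class and name actually used, e.g. `files_var_filetrans(virtd_t, virt_cache_t, dir, "<cache-dir-name>")` (placeholder; the directory name is not on the page), keeps unrelated objects from picking up a type that the two `manage_*_pattern` lines above let virtd_t fully manage.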
diff -ru refpolicy-2.20180114/policy/modules/contrib/wm.if ./policy/modules/contrib/wm.if
--- refpolicy-2.20180114/policy/modules/contrib/wm.if	2017-10-11 10:54:42.000000000 +1100
+++ ./policy/modules/contrib/wm.if	2018-04-18 18:57:26.876124779 +1000
@@ -245,7 +245,7 @@
 #
 interface(`wm_write_pipes',`
 	gen_require(`
-		type $1_t;
+		type $1_wm_t;
 	')
 
 	allow $2 $1_wm_t:fifo_file write;
diff -ru refpolicy-2.20180114/policy/modules/contrib/wm.te ./policy/modules/contrib/wm.te
--- refpolicy-2.20180114/policy/modules/contrib/wm.te	2018-01-15 06:08:06.000000000 +1100
+++ ./policy/modules/contrib/wm.te	2018-04-18 18:57:26.876124779 +1000
@@ -1,4 +1,4 @@
-policy_module(wm, 1.8.0)
+policy_module(wm, 1.8.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/kernel/corenetwork.if.in ./policy/modules/kernel/corenetwork.if.in
--- refpolicy-2.20180114/policy/modules/kernel/corenetwork.if.in	2017-09-07 00:59:28.000000000 +1000
+++ ./policy/modules/kernel/corenetwork.if.in	2018-04-18 18:57:24.324127707 +1000
@@ -636,6 +636,24 @@
 
 ########################################
 ## <summary>
+##	Send and receive SCTP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node { sendto recvfrom };
+')
+
+########################################
+## <summary>
 ##	Receive raw IP packets on all interfaces.
 ## </summary>
 ## <param name="domain">
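Review bot: The rule in `corenet_sctp_sendrecv_generic_node`, `allow $1 node_t:node { sendto recvfrom };`, names no protocol, so the access it grants on the node is not limited to SCTP even though the interface name and summary suggest that. The same holds for `corenet_sctp_sendrecv_all_nodes` in a later hunk of this file. A short comment inside both interfaces, e.g. `# node sendto/recvfrom are not protocol-specific`, would keep policy authors from treating these as SCTP-only grants.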
@@ -843,6 +861,24 @@
 
 ########################################
 ## <summary>
+##	Bind SCTP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:sctp_socket node_bind;
+')
+
+########################################
+## <summary>
 ##	Bind TCP sockets to generic nodes.
 ## </summary>
 ## <desc>
@@ -1037,6 +1073,24 @@
 
 ########################################
 ## <summary>
+##	Send and receive SCTP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node { sendto recvfrom };
+')
+
+########################################
+## <summary>
 ##	Receive UDP network traffic on all nodes.
 ## </summary>
 ## <param name="domain">
@@ -1229,6 +1283,25 @@
 
 ########################################
 ## <summary>
+##	Bind SCTP sockets to all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:sctp_socket node_bind;
+')
+
+
+########################################
+## <summary>
 ##	Do not audit send and receive TCP network traffic on generic ports.
 ## </summary>
 ## <param name="domain">
@@ -1436,6 +1509,26 @@
 
 ########################################
 ## <summary>
+##	Bind SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t;
+		attribute defined_port_type;
+	')
+
+	allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;
+	dontaudit $1 defined_port_type:sctp_socket name_bind;
+')
+
+########################################
+## <summary>
 ##	Receive UDP network traffic on all ports.
 ## </summary>
 ## <param name="domain">
@@ -1493,6 +1586,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to bind SCTP
+##	sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t;
+	')
+
+	dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind;
+')
+
+########################################
+## <summary>
 ##	Bind TCP sockets to all ports.
 ## </summary>
 ## <param name="domain">
@@ -1549,6 +1661,24 @@
 
 ########################################
 ## <summary>
+##	Connect SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t;
+	')
+
+	allow $1 { port_t unreserved_port_t }:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Do not audit attepts to bind UDP sockets to any ports.
 ## </summary>
 ## <param name="domain">
@@ -1720,6 +1850,25 @@
 
 ########################################
 ## <summary>
+##	Bind SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
 ##	Bind UDP sockets to generic reserved ports.
 ## </summary>
 ## <param name="domain">
@@ -1757,6 +1906,24 @@
 
 ########################################
 ## <summary>
+##	Do not audit attepts to bind SCTP sockets to any ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:sctp_socket name_bind;
+')
+
+########################################
+## <summary>
 ##	Send and receive TCP network traffic on all reserved ports.
 ## </summary>
 ## <param name="domain">
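Review bot: The summary of `corenet_dontaudit_sctp_bind_all_ports` carries over the typo `attepts`; it should read `##	Do not audit attempts to bind SCTP sockets to any ports.` Other new SCTP summaries in this file need similar wording fixes. `corenet_dontaudit_sctp_connect_all_reserved_ports` is missing `to` before `all reserved ports`, and `corenet_sctp_recvfrom_unlabeled` spells `unlabled`. `corenet_sctp_connect_all_reserved_ports` says `reserved ports` although its rule is on `reserved_port_type`, i.e. all reserved ports.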
@@ -1826,6 +1993,24 @@
 
 ########################################
 ## <summary>
+##	Connect SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Bind TCP sockets to all reserved ports.
 ## </summary>
 ## <param name="domain">
@@ -1900,6 +2085,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to connect SCTP sockets
+##	to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Bind TCP sockets to all ports > 1024.
 ## </summary>
 ## <param name="domain">
@@ -1954,6 +2158,24 @@
 
 ########################################
 ## <summary>
+##	Connect SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Connect TCP sockets to all ports > 1024.
 ## </summary>
 ## <param name="domain">
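Review bot: The summary `Connect SCTP sockets to all ports > 1024.` does not match the port range this diff defines: the `portcon sctp 1024-65535` line added in corenetwork.te.in labels port 1024 itself as `unreserved_port_t`, which `unreserved_port_type` presumably includes. Write `##	Connect SCTP sockets to all ports >= 1024.` here, and make the same change to the summary of `corenet_sctp_bind_all_unreserved_ports` in a later hunk. The wording appears to be copied from the TCP interface visible as context at the end of this hunk.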
@@ -2028,6 +2250,25 @@
 
 ########################################
 ## <summary>
+##	Bind SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
 ##	Read the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
@@ -2085,6 +2326,24 @@
 
 ########################################
 ## <summary>
+##	Connect SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write the TUN/TAP
 ##	virtual network device.
 ## </summary>
@@ -2215,6 +2474,25 @@
 
 ########################################
 ## <summary>
+##	Bind SCTP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
 ##	Receive TCP packets from a NetLabel connection.
 ## </summary>
 ## <param name="domain">
@@ -2254,6 +2532,24 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to bind SCTP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:sctp_socket name_bind;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to receive TCP packets from a NetLabel
 ##	connection.
 ## </summary>
@@ -2334,6 +2630,24 @@
 
 ########################################
 ## <summary>
+##	Bind SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:sctp_socket name_bind;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to receive UDP packets from a NetLabel
 ##	connection.
 ## </summary>
@@ -2434,6 +2748,24 @@
 
 ########################################
 ## <summary>
+##	Connect SCTP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to receive Raw IP packets from an unlabeled
 ##	connection.
 ## </summary>
@@ -2541,6 +2873,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to connect SCTP sockets
+##	all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to receive packets from a NetLabel
 ##	connection.
 ## </summary>
@@ -2670,6 +3021,7 @@
 ## </param>
 #
 interface(`corenet_all_recvfrom_labeled',`
+	corenet_sctp_recvfrom_labeled($1, $2)
 	corenet_tcp_recvfrom_labeled($1, $2)
 	corenet_udp_recvfrom_labeled($1, $2)
 	corenet_raw_recvfrom_labeled($1, $2)
@@ -2942,6 +3294,24 @@
 
 ########################################
 ## <summary>
+##	Receive SCTP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:peer recv;
+')
+
+########################################
+## <summary>
 ##	Receive all server packets.
 ## </summary>
 ## <param name="domain">
@@ -2993,6 +3363,21 @@
 
 ########################################
 ## <summary>
+##	Receive SCTP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_unlabeled',`
+	kernel_recvfrom_unlabeled_peer($1)
+	kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
 ##	Send all packets.
 ## </summary>
 ## <param name="domain">
@@ -3125,6 +3510,34 @@
 ')
 
 ########################################
+## <summary>
+##	Rules for receiving labeled SCTP packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="peer_domain">
+##	<summary>
+##	Peer domain.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_labeled',`
+	allow { $1 $2 } self:association sendto;
+	allow $1 $2:association recvfrom;
+	allow $2 $1:association recvfrom;
+
+	allow $1 $2:peer recv;
+	allow $2 $1:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
+	corenet_sctp_recvfrom_netlabel($1)
+	corenet_sctp_recvfrom_netlabel($2)
+')
+
+########################################
 ## <summary>
 ##	Unconfined access to network objects.
 ## </summary>
diff -ru refpolicy-2.20180114/policy/modules/kernel/corenetwork.te.in ./policy/modules/kernel/corenetwork.te.in
--- refpolicy-2.20180114/policy/modules/kernel/corenetwork.te.in	2017-08-14 06:21:53.000000000 +1000
+++ ./policy/modules/kernel/corenetwork.te.in	2018-04-18 18:57:24.324127707 +1000
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.24.0)
+policy_module(corenetwork, 1.24.1)
 
 ########################################
 #
@@ -307,9 +307,12 @@
 portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 
 ########################################
 #
@@ -355,11 +358,12 @@
 allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
 allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
 # Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
 
 # Infiniband
 corenet_ib_access_all_pkeys(corenet_unconfined_type)
diff -ru refpolicy-2.20180114/policy/modules/kernel/devices.if ./policy/modules/kernel/devices.if
--- refpolicy-2.20180114/policy/modules/kernel/devices.if	2017-10-10 04:57:47.000000000 +1100
+++ ./policy/modules/kernel/devices.if	2018-04-18 18:57:24.324127707 +1000
@@ -3374,18 +3374,14 @@
 ## <summary>
 ##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
 ## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`dev_read_printk',`
-	gen_require(`
-		type device_t, printk_device_t;
-	')
-
-	read_chr_files_pattern($1, device_t, printk_device_t)
+	refpolicywarn(`$0() has been deprecated.')
 ')
 
 ########################################
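Review bot: After this change `dev_read_printk` grants nothing, yet its summary still reads "Read printk devices (e.g., /dev/kmsg /dev/mcelog)", so the generated interface documentation advertises access the interface no longer gives. The summary should mark the deprecation, for instance `##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)  (Deprecated)`, and the warning text could name what callers should use instead (no replacement is visible in this diff). Modules that still call it lose the access at the next build with only a build-time warning, so the remaining callers are worth listing before release. The same applies to `xserver_manage_xdm_spool_files` in the xserver.if hunk.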
diff -ru refpolicy-2.20180114/policy/modules/kernel/devices.te ./policy/modules/kernel/devices.te
--- refpolicy-2.20180114/policy/modules/kernel/devices.te	2018-01-15 06:08:05.000000000 +1100
+++ ./policy/modules/kernel/devices.te	2018-04-18 18:57:24.324127707 +1000
@@ -1,4 +1,4 @@
-policy_module(devices, 1.22.0)
+policy_module(devices, 1.22.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/kernel/files.fc ./policy/modules/kernel/files.fc
--- refpolicy-2.20180114/policy/modules/kernel/files.fc	2017-11-02 09:59:17.000000000 +1100
+++ ./policy/modules/kernel/files.fc	2018-04-18 18:57:24.324127707 +1000
@@ -270,8 +270,3 @@
 /var/tmp/systemd-private-[^/]+/tmp	-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /var/tmp/systemd-private-[^/]+/tmp/.*	<<none>>
 /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
-
-ifdef(`distro_debian',`
-/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-')
diff -ru refpolicy-2.20180114/policy/modules/kernel/files.te ./policy/modules/kernel/files.te
--- refpolicy-2.20180114/policy/modules/kernel/files.te	2018-04-18 18:58:03.000000000 +1000
+++ ./policy/modules/kernel/files.te	2018-04-18 18:57:24.324127707 +1000
@@ -1,4 +1,4 @@
-policy_module(files, 1.25.1)
+policy_module(files, 1.25.2)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/kernel/terminal.fc ./policy/modules/kernel/terminal.fc
--- refpolicy-2.20180114/policy/modules/kernel/terminal.fc	2017-08-06 00:37:08.000000000 +1000
+++ ./policy/modules/kernel/terminal.fc	2018-04-18 18:57:24.328127704 +1000
@@ -24,7 +24,6 @@
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 
 /dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-/dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
 # if /dev/ptmx is a symlink to /dev/pts/ptmx then we need to have /dev/pts/ptmx
 # relabelled before sshd etc are ready to accept connections
 /dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
diff -ru refpolicy-2.20180114/policy/modules/kernel/terminal.te ./policy/modules/kernel/terminal.te
--- refpolicy-2.20180114/policy/modules/kernel/terminal.te	2018-01-15 06:08:05.000000000 +1100
+++ ./policy/modules/kernel/terminal.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.18.0)
+policy_module(terminal, 1.18.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/services/xserver.if ./policy/modules/services/xserver.if
--- refpolicy-2.20180114/policy/modules/services/xserver.if	2017-12-09 08:46:57.000000000 +1100
+++ ./policy/modules/services/xserver.if	2018-04-18 18:57:24.328127704 +1000
@@ -851,19 +851,14 @@
 ##	Create, read, write, and delete
 ##	xdm_spool files.
 ## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`xserver_manage_xdm_spool_files',`
-	gen_require(`
-		type xdm_spool_t;
-	')
-
-	files_search_spool($1)
-	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+	refpolicywarn(`$0() has been deprecated.')
 ')
 
 ########################################
diff -ru refpolicy-2.20180114/policy/modules/services/xserver.te ./policy/modules/services/xserver.te
--- refpolicy-2.20180114/policy/modules/services/xserver.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/services/xserver.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.15.0)
+policy_module(xserver, 3.15.1)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
diff -ru refpolicy-2.20180114/policy/modules/system/authlogin.fc ./policy/modules/system/authlogin.fc
--- refpolicy-2.20180114/policy/modules/system/authlogin.fc	2017-09-17 03:05:53.000000000 +1000
+++ ./policy/modules/system/authlogin.fc	2018-04-18 18:57:24.328127704 +1000
@@ -36,10 +36,8 @@
 /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 
 /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
-/var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
 /var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/lastlog	--	gen_context(system_u:object_r:lastlog_t,s0)
-/var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
 /var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
 
diff -ru refpolicy-2.20180114/policy/modules/system/authlogin.te ./policy/modules/system/authlogin.te
--- refpolicy-2.20180114/policy/modules/system/authlogin.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/system/authlogin.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.12.0)
+policy_module(authlogin, 2.12.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/system/init.fc ./policy/modules/system/init.fc
--- refpolicy-2.20180114/policy/modules/system/init.fc	2017-12-11 06:44:48.000000000 +1100
+++ ./policy/modules/system/init.fc	2018-04-18 18:57:24.328127704 +1000
@@ -34,6 +34,7 @@
 /usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/system(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
+/run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -68,6 +69,8 @@
 ifdef(`distro_debian',`
 /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/motd\.dynamic	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /etc/network/if-pre-up\.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/network/if-up\.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/network/if-down\.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
diff -ru refpolicy-2.20180114/policy/modules/system/init.te ./policy/modules/system/init.te
--- refpolicy-2.20180114/policy/modules/system/init.te	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/system/init.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(init, 2.4.1)
+policy_module(init, 2.4.4)
 
 gen_require(`
 	class passwd rootok;
@@ -228,6 +228,7 @@
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
 	allow init_t self:capability2 audit_read;
+	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
 
 	# for /run/systemd/inaccessible/{chr,blk}
 	allow init_t init_var_run_t:blk_file { create getattr };
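Review bot: The added `allow init_t self:bpf { map_create map_read map_write prog_load prog_run };` gives `init_t` every permission the new `bpf` class defines, and nothing in the hunk records why. Loading and running BPF programs is a sensitive ability for PID 1, so the rule deserves a why-comment naming the feature that needs it, e.g. `# systemd creates BPF maps and loads programs for per-unit IP accounting and filtering` (presumably the reason; confirm against the denials that prompted the rule). If only some of the five permissions showed up in the audit log, the set could be narrowed to those. The enclosing conditional block starts and ends outside the hunk.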
@@ -280,6 +281,7 @@
 	kernel_read_all_sysctls(init_t)
 	kernel_read_software_raid_state(init_t)
 	kernel_unmount_debugfs(init_t)
+	kernel_search_key(init_t)
 	kernel_setsched(init_t)
 	kernel_rw_unix_sysctls(init_t)
 
diff -ru refpolicy-2.20180114/policy/modules/system/ipsec.te ./policy/modules/system/ipsec.te
--- refpolicy-2.20180114/policy/modules/system/ipsec.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/system/ipsec.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.19.0)
+policy_module(ipsec, 1.19.1)
 
 ########################################
 #
@@ -59,7 +59,7 @@
 
 type ipsec_supervisor_t;
 type ipsec_supervisor_exec_t;
-init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t)
 role system_r types ipsec_supervisor_t;
 
 type racoon_t;
@@ -122,7 +122,7 @@
 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
 
 kernel_read_kernel_sysctls(ipsec_t)
-kernel_rw_net_sysctls(ipsec_t);
+kernel_rw_net_sysctls(ipsec_t)
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -245,7 +245,7 @@
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
-domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
+domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t)
 allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
@@ -467,7 +467,7 @@
 allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
 
 allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
-read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
+read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t)
 
 manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
 
@@ -479,23 +479,23 @@
 manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
 files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
 
-domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
+domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t)
 
 kernel_read_network_state(ipsec_supervisor_t)
 kernel_read_system_state(ipsec_supervisor_t)
-kernel_rw_net_sysctls(ipsec_supervisor_t);
+kernel_rw_net_sysctls(ipsec_supervisor_t)
 
-corecmd_exec_bin(ipsec_supervisor_t);
+corecmd_exec_bin(ipsec_supervisor_t)
 corecmd_exec_shell(ipsec_supervisor_t)
 
-dev_read_rand(ipsec_supervisor_t);
-dev_read_urand(ipsec_supervisor_t);
+dev_read_rand(ipsec_supervisor_t)
+dev_read_urand(ipsec_supervisor_t)
 
-files_read_etc_files(ipsec_supervisor_t);
+files_read_etc_files(ipsec_supervisor_t)
 
-logging_send_syslog_msg(ipsec_supervisor_t);
+logging_send_syslog_msg(ipsec_supervisor_t)
 
-miscfiles_read_localization(ipsec_supervisor_t);
+miscfiles_read_localization(ipsec_supervisor_t)
 
 optional_policy(`
 	modutils_domtrans(ipsec_supervisor_t)
diff -ru refpolicy-2.20180114/policy/modules/system/logging.fc ./policy/modules/system/logging.fc
--- refpolicy-2.20180114/policy/modules/system/logging.fc	2017-09-12 08:57:23.000000000 +1000
+++ ./policy/modules/system/logging.fc	2018-04-18 18:57:24.328127704 +1000
@@ -51,6 +51,8 @@
 
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
+/var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
+/var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
 /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
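Review bot: The two added entries label `/var/log/dmesg` and `/var/log/syslog` at `s0`, while the neighbouring `/var/log/boot\.log`, `/var/log/messages[^/]*` and `/var/log/secure[^/]*` entries use `mls_systemhigh`. The lines are carried over unchanged from authlogin.fc, but next to the other system logs the difference stands out. At `s0` they also repeat what the `/var/log/.*` line above already assigns to regular files. If the lower level is intended, a comment such as `# dmesg and syslog stay at s0 on purpose` would record that; otherwise `mls_systemhigh` would match the neighbours.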
diff -ru refpolicy-2.20180114/policy/modules/system/logging.te ./policy/modules/system/logging.te
--- refpolicy-2.20180114/policy/modules/system/logging.te	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/system/logging.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(logging, 1.27.1)
+policy_module(logging, 1.27.3)
 
 ########################################
 #
@@ -31,7 +31,7 @@
 init_script_file(auditd_initrc_exec_t)
 
 type auditd_unit_t;
-init_unit_file(auditd_unit_t);
+init_unit_file(auditd_unit_t)
 
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
@@ -434,6 +434,7 @@
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
+kernel_read_crypto_sysctls(syslogd_t)
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)
diff -ru refpolicy-2.20180114/policy/modules/system/sysnetwork.if ./policy/modules/system/sysnetwork.if
--- refpolicy-2.20180114/policy/modules/system/sysnetwork.if	2018-04-18 18:58:12.000000000 +1000
+++ ./policy/modules/system/sysnetwork.if	2018-04-18 18:57:24.328127704 +1000
@@ -348,6 +348,8 @@
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
 
+	systemd_read_resolved_runtime($1)
+
 	ifdef(`distro_debian',`
 		files_search_pids($1)
 		allow $1 net_conf_t:dir list_dir_perms;
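Review bot: `systemd_read_resolved_runtime($1)` is called unconditionally, so this interface now requires the systemd module to be part of the build. It also gives read access to `systemd_resolved_var_run_t` files to every domain that calls it. Wrapping the call keeps policies without systemd building: ``optional_policy(`systemd_read_resolved_runtime($1)')``. The interface header is outside the hunk; judging by the `net_conf_t` rules it is a general network-configuration reader, so it is worth confirming that all of its callers should see the resolved runtime files.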
diff -ru refpolicy-2.20180114/policy/modules/system/sysnetwork.te ./policy/modules/system/sysnetwork.te
--- refpolicy-2.20180114/policy/modules/system/sysnetwork.te	2018-04-18 18:58:12.000000000 +1000
+++ ./policy/modules/system/sysnetwork.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.22.0)
+policy_module(sysnetwork, 1.22.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/system/systemd.fc ./policy/modules/system/systemd.fc
--- refpolicy-2.20180114/policy/modules/system/systemd.fc	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/system/systemd.fc	2018-04-18 18:57:24.328127704 +1000
@@ -49,7 +49,6 @@
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
-/run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
diff -ru refpolicy-2.20180114/policy/modules/system/systemd.if ./policy/modules/system/systemd.if
--- refpolicy-2.20180114/policy/modules/system/systemd.if	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/system/systemd.if	2018-04-18 18:57:24.328127704 +1000
@@ -715,3 +715,22 @@
 
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
+
+#######################################
+## <summary>
+##  Allow domain to read resolv.conf file generated by systemd_resolved
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_read_resolved_runtime',`
+	gen_require(`
+		type systemd_resolved_var_run_t;
+	')
+
+	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+')
+
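Review bot: The summary of `systemd_read_resolved_runtime` promises less than the rule grants. It says "read resolv.conf file", but `read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)` allows reading every file of that type, which systemd.fc assigns to all of `/run/systemd/resolve(/.*)?`. I would word it as `##	Read systemd-resolved runtime files, such as the generated resolv.conf.` The doc block also departs from the layout used by the other interfaces in this diff: the text is indented with spaces, the inner `<summary>` is not tab-indented, and the parameter text should read `Domain allowed access.` The interface grants no search on the parent directories of `/run/systemd/resolve`, so callers presumably get that elsewhere, and the hunk leaves a stray blank line at the end of the file.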
diff -ru refpolicy-2.20180114/policy/modules/system/systemd.te ./policy/modules/system/systemd.te
--- refpolicy-2.20180114/policy/modules/system/systemd.te	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/system/systemd.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.5.3)
+policy_module(systemd, 1.5.5)
 
 #########################################
 #
@@ -776,10 +776,10 @@
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
-manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
-manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
 
 kernel_read_system_state(systemd_passwd_agent_t)
diff -ru refpolicy-2.20180114/policy/modules/system/udev.te ./policy/modules/system/udev.te
--- refpolicy-2.20180114/policy/modules/system/udev.te	2018-04-18 18:58:12.000000000 +1000
+++ ./policy/modules/system/udev.te	2018-04-18 18:57:24.328127704 +1000
@@ -1,4 +1,4 @@
-policy_module(udev, 1.23.0)
+policy_module(udev, 1.23.1)
 
 ########################################
 #
@@ -96,9 +96,11 @@
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
 kernel_search_debugfs(udev_t)
+kernel_search_key(udev_t)
 
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
+kernel_read_crypto_sysctls(udev_t)
 kernel_read_network_state(udev_t)
 kernel_read_software_raid_state(udev_t)
 kernel_dontaudit_search_unlabeled(udev_t)
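Review bot: The added `kernel_read_crypto_sysctls(udev_t)` sits directly under the `#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182` comment, inside the group that comment introduces, so it reads as if that bug report justified it. Neither it nor `kernel_search_key(udev_t)` carries a reason of its own. I would move the crypto line out of the commented group and give both calls a short why-comment, e.g. `# read the kernel crypto sysctls (presumably fips_enabled)` and `# search the kernel keyring`, once the triggering denials are confirmed. `kernel_search_key(init_t)` in init.te and `kernel_read_crypto_sysctls(syslogd_t)` in logging.te are added without explanation in the same way.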
diff -ru refpolicy-2.20180114/policy/modules/system/userdomain.fc ./policy/modules/system/userdomain.fc
--- refpolicy-2.20180114/policy/modules/system/userdomain.fc	2017-08-06 00:37:08.000000000 +1000
+++ ./policy/modules/system/userdomain.fc	2018-04-18 18:57:24.328127704 +1000
@@ -10,3 +10,5 @@
 # new genhomedircon required for these patterns
 /run/user/%{USERID}	-d	gen_context(system_u:object_r:user_runtime_t,s0)
 /run/user/%{USERID}/.+	<<none>>
+
+/dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
diff -ru refpolicy-2.20180114/policy/modules/system/userdomain.if ./policy/modules/system/userdomain.if
--- refpolicy-2.20180114/policy/modules/system/userdomain.if	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/modules/system/userdomain.if	2018-04-18 18:57:24.332127699 +1000
@@ -157,7 +157,7 @@
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	The user role
 ##	</summary>
@@ -228,7 +228,7 @@
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	The user role
 ##	</summary>
@@ -300,7 +300,7 @@
 ## <summary>
 ##	Manage user temporary files
 ## </summary>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
@@ -363,7 +363,7 @@
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="role">
+## <param name="role" unused="true">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
diff -ru refpolicy-2.20180114/policy/modules/system/userdomain.te ./policy/modules/system/userdomain.te
--- refpolicy-2.20180114/policy/modules/system/userdomain.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/system/userdomain.te	2018-04-18 18:57:24.332127699 +1000
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.15.0)
+policy_module(userdomain, 4.15.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/support/obj_perm_sets.spt ./policy/support/obj_perm_sets.spt
--- refpolicy-2.20180114/policy/support/obj_perm_sets.spt	2018-04-18 18:58:11.000000000 +1000
+++ ./policy/support/obj_perm_sets.spt	2018-04-18 18:57:24.332127699 +1000
@@ -44,12 +44,12 @@
 #
 # Stream socket classes.
 #
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
 
 #
 # Unprivileged socket classes (exclude rawip, netlink, packet).
 #
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
 
 
 ########################################
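Review bot: Adding `sctp_socket` to `stream_socket_class_set` and `unpriv_socket_class_set` extends every existing rule written with these sets to SCTP sockets, including rules in modules this diff does not touch. That is a policy-wide grant made by a two-line macro edit. It should be confirmed by comparing the compiled policy before and after (for example with `sediff`) and checking that each newly covered domain is meant to use SCTP. The comment above the second set could record the decision, e.g. `# Unprivileged socket classes (exclude rawip, netlink, packet; sctp is included).`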
