Index: refpolicy-2.20221101/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20221101/policy/modules/kernel/corecommands.fc
@@ -307,7 +307,6 @@ ifdef(`distro_debian',`
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
-/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm\.py.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb\.py.* --	gen_context(system_u:object_r:bin_t,s0)
@@ -364,6 +363,7 @@ ifdef(`distro_debian',`
 /usr/share/texlive/texmf-dist/scripts/yplan/yplan -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf-dist/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/unattended-upgrades/.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20221101/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20221101/policy/modules/kernel/devices.if
@@ -4388,6 +4388,24 @@ interface(`dev_remount_sysfs',`
 
 ########################################
 ## <summary>
+##     unmount a sysfs filesystem
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_unmount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
 ##	Do not audit getting the attributes of sysfs filesystem
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20221101/policy/modules/kernel/domain.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/domain.if
+++ refpolicy-2.20221101/policy/modules/kernel/domain.if
@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state
 
 ########################################
 ## <summary>
-##	Get the attributes of all domains of all domains.
+##	Get the attributes of all domains
 ## </summary>
 ## <param name="domain">
 ##	<summary>
Index: refpolicy-2.20221101/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20221101/policy/modules/kernel/files.if
@@ -5676,6 +5676,25 @@ interface(`files_delete_kernel_symbol_ta
 
 ########################################
 ## <summary>
+##	Delete a system.map in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir search_dir_perms;
+	allow $1 system_map_t:file mounton_file_perms;
+')
+
+########################################
+## <summary>
 ##	Search the contents of /var.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20221101/policy/modules/kernel/selinux.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/selinux.if
+++ refpolicy-2.20221101/policy/modules/kernel/selinux.if
@@ -159,6 +159,24 @@ interface(`selinux_unmount_fs',`
 
 ########################################
 ## <summary>
+##	Mount on the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_mounton_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir mounton_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the selinuxfs filesystem
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20221101/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20221101/policy/modules/system/authlogin.te
@@ -114,6 +114,7 @@ dontaudit chkpwd_t self:process getcap;
 allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)
 
+kernel_read_kernel_sysctls(chkpwd_t)
 kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
 kernel_dontaudit_read_kernel_sysctl(chkpwd_t)
 kernel_dontaudit_getattr_proc(chkpwd_t)
@@ -129,6 +130,7 @@ files_read_etc_files(chkpwd_t)
 files_dontaudit_search_var(chkpwd_t)
 
 fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+fs_read_tmpfs_symlinks(chkpwd_t)
 
 selinux_get_enforce_mode(chkpwd_t)
 
Index: refpolicy-2.20221101/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20221101/policy/modules/system/fstools.te
@@ -161,6 +161,8 @@ miscfiles_read_localization(fsadm_t)
 # for /run/mount/utab
 mount_getattr_runtime_files(fsadm_t)
 
+mount_rw_runtime_files(fsadm_t)
+
 seutil_read_config(fsadm_t)
 
 userdom_use_user_terminals(fsadm_t)
Index: refpolicy-2.20221101/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/init.if
+++ refpolicy-2.20221101/policy/modules/system/init.if
@@ -3645,6 +3645,24 @@ interface(`init_linkable_keyring',`
 
 ########################################
 ## <summary>
+##	stat systemd unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	allow $1 systemdunit:file getattr;
+')
+
+########################################
+## <summary>
 ##      Allow unconfined access to send instructions to init
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20221101/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/init.te
+++ refpolicy-2.20221101/policy/modules/system/init.te
@@ -158,6 +158,9 @@ allow init_t self:capability2 { wake_ala
 
 allow init_t self:fifo_file rw_fifo_file_perms;
 
+# for /run/systemd/unit-root/proc/$PID/loginuid
+allow init_t self:file mounton;
+
 # Re-exec itself
 can_exec(init_t, init_exec_t)
 
@@ -310,6 +313,9 @@ ifdef(`init_systemd',`
 	# slices when containers are started and stopped
 	domain_setpriority_all_domains(init_t)
 
+	# init opens device nodes for getty and needs to be inherited everywhere
+	domain_interactive_fd(init_t)
+
 	allow init_t init_runtime_t:{ dir file } watch;
 	manage_files_pattern(init_t, init_runtime_t, init_runtime_t)
 	manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
@@ -1138,6 +1144,7 @@ ifdef(`init_systemd',`
 	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
 	init_rw_stream_sockets(initrc_t)
+	init_stop_system(initrc_t)
 
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
Index: refpolicy-2.20221101/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/logging.te
+++ refpolicy-2.20221101/policy/modules/system/logging.te
@@ -528,7 +528,8 @@ ifdef(`init_systemd',`
 	allow syslogd_t self:capability audit_control;
 	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
 	allow syslogd_t self:capability2 audit_read;
-	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+	allow syslogd_t self:capability { chown setgid setuid sys_ptrace audit_control };
+	allow syslogd_t self:cap_userns sys_ptrace;
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
 
 	# remove /run/log/journal when switching to permanent storage
@@ -547,6 +548,7 @@ ifdef(`init_systemd',`
 
 	domain_getattr_all_domains(syslogd_t)
 	domain_read_all_domains_state(syslogd_t)
+	domain_signull_all_domains(syslogd_t)
 
 	init_create_runtime_dirs(syslogd_t)
 	init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
Index: refpolicy-2.20221101/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20221101/policy/modules/system/lvm.te
@@ -238,6 +238,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	apt_use_fds(lvm_t)
+
 	dpkg_script_rw_pipes(lvm_t)
 ')
 
Index: refpolicy-2.20221101/policy/modules/system/miscfiles.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/miscfiles.fc
+++ refpolicy-2.20221101/policy/modules/system/miscfiles.fc
@@ -14,6 +14,8 @@ ifdef(`distro_gentoo',`
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private(/.*)?		gen_context(system_u:object_r:tls_privkey_t,s0)
+/etc/letsencrypt(/.*)?		gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
 ifdef(`distro_debian',`
Index: refpolicy-2.20221101/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20221101/policy/modules/system/modutils.te
@@ -33,7 +33,7 @@ ifdef(`init_systemd',`
 # insmod local policy
 #
 
-allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
 allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
@@ -109,6 +109,7 @@ init_use_script_ptys(kmod_t)
 logging_send_syslog_msg(kmod_t)
 logging_search_logs(kmod_t)
 
+miscfiles_read_generic_certs(kmod_t)
 miscfiles_read_localization(kmod_t)
 
 seutil_read_file_contexts(kmod_t)
@@ -140,6 +141,8 @@ optional_policy(`
 	dpkg_manage_script_tmp_files(kmod_t)
 	dpkg_map_script_tmp_files(kmod_t)
 	dpkg_read_script_tmp_symlinks(kmod_t)
+	apt_use_fds(kmod_t)
+	apt_use_ptys(kmod_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20221101/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/mount.te
+++ refpolicy-2.20221101/policy/modules/system/mount.te
@@ -229,6 +229,14 @@ optional_policy(`
 	samba_run_smbmount(mount_t, mount_roles)
 ')
 
+optional_policy(`
+	ssh_rw_pipes(mount_t)
+')
+
+optional_policy(`
+	xen_read_image_files(mount_t)
+')
+
 ########################################
 #
 # Unconfined mount local policy
Index: refpolicy-2.20221101/policy/modules/system/raid.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/raid.fc
+++ refpolicy-2.20221101/policy/modules/system/raid.fc
@@ -11,6 +11,8 @@
 /usr/bin/mdmpd	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/bin/raid-check	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 
+/usr/share/mdadm/checkarray --	gen_context(system_u:object_r:mdadm_exec_t,s0)
+
 # Systemd unit files
 /usr/lib/systemd/system/[^/]*mdadm-.*	--	gen_context(system_u:object_r:mdadm_unit_t,s0)
 /usr/lib/systemd/system/[^/]*mdmon.*	--	gen_context(system_u:object_r:mdadm_unit_t,s0)
Index: refpolicy-2.20221101/policy/modules/system/raid.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/raid.te
+++ refpolicy-2.20221101/policy/modules/system/raid.te
@@ -55,6 +55,7 @@ dev_dontaudit_getattr_all_blk_files(mdad
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 
+domain_dontaudit_search_all_domains_state(mdadm_t)
 domain_use_interactive_fds(mdadm_t)
 
 files_read_etc_files(mdadm_t)
@@ -91,6 +92,7 @@ userdom_dontaudit_search_user_home_conte
 
 optional_policy(`
 	cron_system_entry(mdadm_t, mdadm_exec_t)
+	cron_rw_tmp_files(mdadm_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20221101/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20221101/policy/modules/system/systemd.fc
@@ -5,7 +5,6 @@
 
 /run/log/journal(/.*)?				gen_context(system_u:object_r:systemd_journal_t,s0)
 
-/usr/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
 /usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
 /usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 /usr/bin/systemd-hwdb			--	gen_context(system_u:object_r:systemd_hw_exec_t,s0)
Index: refpolicy-2.20221101/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20221101/policy/modules/system/systemd.te
@@ -418,7 +418,7 @@ ifdef(`enable_mls',`
 # coredump local policy
 #
 
-allow systemd_coredump_t self:capability { setgid setuid setpcap sys_ptrace };
+allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
 allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
 allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
@@ -449,6 +449,7 @@ files_mounton_root(systemd_coredump_t)
 fs_getattr_xattr_fs(systemd_coredump_t)
 fs_getattr_nsfs_files(systemd_coredump_t)
 fs_search_cgroup_dirs(systemd_coredump_t)
+fs_search_tmpfs(systemd_coredump_t)
 fs_getattr_cgroup(systemd_coredump_t)
 
 selinux_getattr_fs(systemd_coredump_t)
@@ -471,6 +472,8 @@ allow systemd_generator_t self:fifo_file
 allow systemd_generator_t self:capability { dac_override sys_admin };
 allow systemd_generator_t self:process setfscreate;
 
+allow systemd_generator_t systemd_unit_t:file getattr;
+
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
 
@@ -483,6 +486,7 @@ files_read_etc_files(systemd_generator_t
 files_search_runtime(systemd_generator_t)
 files_list_boot(systemd_generator_t)
 files_read_boot_files(systemd_generator_t)
+files_read_config_files(systemd_generator_t)
 files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
 files_dontaudit_getattr_all_dirs(systemd_generator_t)
@@ -492,6 +496,8 @@ fs_list_efivars(systemd_generator_t)
 fs_getattr_all_fs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
+init_read_all_script_files(systemd_generator_t)
+init_getattr_all_unit_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
 init_manage_runtime_symlinks(systemd_generator_t)
 init_read_runtime_files(systemd_generator_t)
@@ -879,6 +885,7 @@ init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
+init_watch_utmp(systemd_logind_t)
 
 miscfiles_read_localization(systemd_logind_t)
 
@@ -1167,6 +1174,9 @@ allow systemd_nspawn_t self:capability {
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
 allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
+allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
+allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
+allow systemd_nspawn_t self:udp_socket { create ioctl };
 
 allow systemd_nspawn_t systemd_journal_t:dir search;
 
@@ -1203,6 +1213,9 @@ dev_getattr_fs(systemd_nspawn_t)
 dev_manage_sysfs_dirs(systemd_nspawn_t)
 dev_mounton_sysfs_dirs(systemd_nspawn_t)
 dev_mount_sysfs(systemd_nspawn_t)
+dev_remount_sysfs(systemd_nspawn_t)
+dev_unmount_sysfs(systemd_nspawn_t)
+dev_read_sysfs(systemd_nspawn_t)
 dev_read_rand(systemd_nspawn_t)
 dev_read_urand(systemd_nspawn_t)
 
@@ -1215,6 +1228,7 @@ files_mounton_tmp(systemd_nspawn_t)
 files_read_kernel_symbol_table(systemd_nspawn_t)
 files_setattr_runtime_dirs(systemd_nspawn_t)
 
+fs_getattr_cgroup(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
@@ -1238,6 +1252,7 @@ init_write_runtime_socket(systemd_nspawn
 init_spec_domtrans_script(systemd_nspawn_t)
 
 miscfiles_manage_localization(systemd_nspawn_t)
+udev_read_runtime_files(systemd_nspawn_t)
 
 # for writing inside chroot
 sysnet_manage_config(systemd_nspawn_t)
@@ -1254,8 +1269,14 @@ tunable_policy(`systemd_nspawn_labeled_n
 	# manage etc symlinks for /etc/localtime
 	files_manage_etc_symlinks(systemd_nspawn_t)
 	files_mounton_runtime_dirs(systemd_nspawn_t)
+	files_mounton_kernel_symbol_table(systemd_nspawn_t)
 	files_search_home(systemd_nspawn_t)
 
+	files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
+	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
+	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
+	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
+
 	fs_getattr_cgroup(systemd_nspawn_t)
 	fs_manage_cgroup_dirs(systemd_nspawn_t)
 	fs_manage_tmpfs_dirs(systemd_nspawn_t)
@@ -1273,6 +1294,7 @@ tunable_policy(`systemd_nspawn_labeled_n
 	selinux_getattr_fs(systemd_nspawn_t)
 	selinux_remount_fs(systemd_nspawn_t)
 	selinux_search_fs(systemd_nspawn_t)
+	selinux_mounton_fs(systemd_nspawn_t)
 
 	init_domtrans(systemd_nspawn_t)
 
@@ -1300,7 +1322,7 @@ optional_policy(`
 # systemd_passwd_agent_t local policy
 #
 
-allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override sys_resource };
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
@@ -1311,14 +1333,19 @@ manage_sock_files_pattern(systemd_passwd
 manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
 
+can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
 kernel_read_system_state(systemd_passwd_agent_t)
 kernel_stream_connect(systemd_passwd_agent_t)
 
 dev_create_generic_dirs(systemd_passwd_agent_t)
 dev_read_generic_files(systemd_passwd_agent_t)
+dev_read_sysfs(systemd_passwd_agent_t)
+dev_write_sysfs_dirs(systemd_passwd_agent_t)
 dev_write_generic_sock_files(systemd_passwd_agent_t)
 dev_write_kmsg(systemd_passwd_agent_t)
 
+corecmd_search_bin(systemd_passwd_agent_t)
 files_read_etc_files(systemd_passwd_agent_t)
 
 fs_getattr_xattr_fs(systemd_passwd_agent_t)
@@ -1327,6 +1354,7 @@ selinux_get_enforce_mode(systemd_passwd_
 selinux_getattr_fs(systemd_passwd_agent_t)
 
 term_read_console(systemd_passwd_agent_t)
+term_use_unallocated_ttys(systemd_passwd_agent_t)
 
 auth_use_nsswitch(systemd_passwd_agent_t)
 
@@ -1385,7 +1413,7 @@ logging_send_syslog_msg(systemd_pstore_t
 # Rfkill local policy
 #
 
-allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
+allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
@@ -1596,6 +1624,8 @@ allow systemd_tmpfiles_t systemd_tmpfile
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
+allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink;
+
 kernel_getattr_proc(systemd_tmpfiles_t)
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 kernel_read_network_state(systemd_tmpfiles_t)
@@ -1912,6 +1942,8 @@ userdom_delete_all_user_runtime_chr_file
 userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t)
 userdom_manage_user_tmp_files(systemd_user_runtime_dir_t)
 
+userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
 userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
 userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
 userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
Index: refpolicy-2.20221101/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/udev.te
+++ refpolicy-2.20221101/policy/modules/system/udev.te
@@ -401,6 +401,10 @@ dev_read_urand(udevadm_t)
 
 domain_use_interactive_fds(udevadm_t)
 
+fs_getattr_cgroup(udevadm_t)
+fs_getattr_tmpfs(udevadm_t)
+fs_search_cgroup_dirs(udevadm_t)
+
 files_read_etc_files(udevadm_t)
 files_read_usr_files(udevadm_t)
 
Index: refpolicy-2.20221101/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20221101/policy/modules/system/unconfined.te
@@ -90,6 +90,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	certbot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	cron_unconfined_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')
 
Index: refpolicy-2.20221101/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy-2.20221101.orig/policy/support/obj_perm_sets.spt
+++ refpolicy-2.20221101/policy/support/obj_perm_sets.spt
@@ -142,6 +142,7 @@ define(`manage_dir_perms',`{ create open
 define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
 define(`relabelto_dir_perms',`{ getattr relabelto }')
 define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+define(`mounton_dir_perms',`{ getattr mounton }')
 
 #
 # Regular file (file)
@@ -170,6 +171,7 @@ define(`manage_file_perms',`{ create ope
 define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_file_perms',`{ getattr relabelto }')
 define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+define(`mounton_file_perms',`{ getattr mounton }')
 
 #
 # Symbolic link (lnk_file)
Index: refpolicy-2.20221101/policy/modules/system/lvm.if
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/lvm.if
+++ refpolicy-2.20221101/policy/modules/system/lvm.if
@@ -61,6 +61,7 @@ interface(`lvm_run',`
 
 	lvm_domtrans($1)
 	role $2 types lvm_t;
+	allow $1 lvm_t:sem rw_sem_perms;
 ')
 
 ########################################
Index: refpolicy-2.20221101/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy-2.20221101/policy/modules/kernel/corenetwork.if.in
@@ -1440,10 +1440,10 @@ interface(`corenet_udp_bind_generic_port
 #
 interface(`corenet_tcp_connect_generic_port',`
 	gen_require(`
-		type port_t;
+		type port_t, unreserved_port_t;
 	')
 
-	allow $1 port_t:tcp_socket name_connect;
+	allow $1 { port_t unreserved_port_t }:tcp_socket name_connect;
 ')
 
 ########################################
Index: refpolicy-2.20221101/policy/modules/kernel/storage.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/kernel/storage.fc
+++ refpolicy-2.20221101/policy/modules/kernel/storage.fc
@@ -32,6 +32,7 @@
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mpt[23]?ctl	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mtd.*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
Index: refpolicy-2.20221101/policy/modules/system/iptables.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/iptables.te
+++ refpolicy-2.20221101/policy/modules/system/iptables.te
@@ -151,3 +151,7 @@ optional_policy(`
 	# this is for iptables_t to inherit a file handle from xen vif-bridge
 	udev_manage_runtime_files(iptables_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(iptables_t)
+')
Index: refpolicy-2.20221101/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20221101/policy/modules/services/rpc.te
@@ -306,7 +306,7 @@ optional_policy(`
 # NFSD local policy
 #
 
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search setpcap sys_admin sys_resource };
 
 allow nfsd_t exports_t:file read_file_perms;
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
Index: refpolicy-2.20221101/policy/modules/system/fstools.fc
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/system/fstools.fc
+++ refpolicy-2.20221101/policy/modules/system/fstools.fc
@@ -73,6 +73,7 @@
 /usr/sbin/fatsort		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fstrim		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/gdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
Index: refpolicy-2.20221101/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20221101/policy/modules/admin/usermanage.te
@@ -202,6 +202,10 @@ allow groupadd_t self:unix_stream_socket
 allow groupadd_t self:unix_dgram_socket sendto;
 allow groupadd_t self:unix_stream_socket connectto;
 
+kernel_getattr_proc(groupadd_t)
+kernel_read_kernel_sysctls(groupadd_t)
+kernel_search_fs_sysctls(groupadd_t)
+
 fs_getattr_xattr_fs(groupadd_t)
 fs_search_auto_mountpoints(groupadd_t)
 
