diff -ru refpolicy-2.20180114/policy/modules/contrib/apt.te ./policy/modules/contrib/apt.te
--- refpolicy-2.20180114/policy/modules/contrib/apt.te	2017-08-06 02:59:39.000000000 +1000
+++ ./policy/modules/contrib/apt.te	2018-02-16 16:58:00.556174785 +1100
@@ -1,4 +1,4 @@
-policy_module(apt, 1.11.0)
+policy_module(apt, 1.11.1)
 
 ########################################
 #
@@ -135,6 +135,15 @@
 
 optional_policy(`
 	dbus_system_domain(apt_t, apt_exec_t)
+
+	optional_policy(`
+		# for packagekitd
+		policykit_dbus_chat(apt_t)
+	')
+
+	optional_policy(`
+		unconfined_dbus_send(apt_t)
+	')
 ')
 
 optional_policy(`
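Review bot: The added `unconfined_dbus_send(apt_t)` block has no comment saying which D-Bus peer in the unconfined domain apt needs to message, unlike the `# for packagekitd` note on the policykit block just above it. The same bare call is added for `system_dbusd_t` in dbus.te, `init_t` in init.te and `systemd_machined_t` in systemd.te, the last one inside a block whose visible lines otherwise concern `systemd_nspawn_t`. A one-line rationale at each site, for example `# send replies to clients running in unconfined_t` if that is the reason, would let a later reviewer judge whether the rule is still needed.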
diff -ru refpolicy-2.20180114/policy/modules/contrib/dbus.te ./policy/modules/contrib/dbus.te
--- refpolicy-2.20180114/policy/modules/contrib/dbus.te	2018-01-15 06:08:06.000000000 +1100
+++ ./policy/modules/contrib/dbus.te	2018-02-20 17:09:49.913307964 +1100
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.24.0)
+policy_module(dbus, 1.24.2)
 
 gen_require(`
 	class dbus all_dbus_perms;
@@ -136,6 +136,9 @@
 init_all_labeled_script_domtrans(system_dbusd_t)
 init_start_system(system_dbusd_t) # needed by dbus-broker
 
+# for powerdevil /usr/lib/x86_64-linux-gnu/libexec/kauth/*
+libs_exec_lib_files(system_dbusd_t)
+
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
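Review bot: `libs_exec_lib_files(system_dbusd_t)` covers every file labelled as a generic library, not just the kauth helpers named in the comment. As far as the interface name suggests, the helpers then run inside `system_dbusd_t` rather than in a domain of their own. If the helper directory can be given its own file type with a domain transition, the bus daemon would not need a blanket execute on library files; that labelling is not visible in this hunk, so it may already have been ruled out. At minimum the comment could say so, e.g. `# kauth helpers are labelled lib_t and run in system_dbusd_t; no dedicated type yet`.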
@@ -184,6 +187,10 @@
 ')
 
 optional_policy(`
+	unconfined_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
 	xserver_read_xdm_lib_files(system_dbusd_t)
 	xserver_use_xdm_fds(system_dbusd_t)
 ')
diff -ru refpolicy-2.20180114/policy/modules/contrib/devicekit.te ./policy/modules/contrib/devicekit.te
--- refpolicy-2.20180114/policy/modules/contrib/devicekit.te	2018-01-15 06:08:07.000000000 +1100
+++ ./policy/modules/contrib/devicekit.te	2018-02-20 17:16:27.000000000 +1100
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.8.0)
+policy_module(devicekit, 1.8.2)
 
 ########################################
 #
@@ -151,6 +151,11 @@
 userdom_read_all_users_state(devicekit_disk_t)
 userdom_search_user_home_dirs(devicekit_disk_t)
 
+ifdef(`distro_debian',`
+	# /dev/mem is accessed by libparted to get EFI data
+	dev_read_raw_memory(devicekit_disk_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(devicekit_disk_t)
 
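Review bot: `dev_read_raw_memory(devicekit_disk_t)` gives the disk daemon read access to /dev/mem, which is a much wider grant than the EFI lookup the comment describes, because physical memory contents become readable by a service that takes requests over D-Bus. Whether libparted degrades gracefully when the open is refused is not visible here; if it does, `dev_dontaudit_read_raw_memory(devicekit_disk_t)` would silence the denial without granting the access. If the read is really required, the comment should record that, e.g. `# libparted fails without /dev/mem on EFI systems (bug ref: <placeholder>)`.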
@@ -163,6 +168,11 @@
 	optional_policy(`
 		policykit_dbus_chat(devicekit_disk_t)
 	')
+
+	optional_policy(`
+		# gwenview triggers the need for this
+		xserver_dbus_chat_xdm(devicekit_disk_t)
+	')
 ')
 
 optional_policy(`
@@ -287,6 +297,7 @@
 
 optional_policy(`
 	dbus_system_bus_client(devicekit_power_t)
+	init_dbus_chat(devicekit_power_t)
 
 	allow devicekit_power_t devicekit_t:dbus send_msg;
 
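Review bot: `init_dbus_chat(devicekit_power_t)` is added without the `init_systemd` guard that the same call gets in locallogin.te in this patch, so the rule is also emitted on builds where init is not a D-Bus service. networkmanager.te adds `init_dbus_chat(NetworkManager_t)` the same way. Wrapping both calls in the `init_systemd` ifdef, with a short comment naming the systemd interface being called, would keep the grant to the configuration that needs it.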
diff -ru refpolicy-2.20180114/policy/modules/contrib/dictd.te ./policy/modules/contrib/dictd.te
--- refpolicy-2.20180114/policy/modules/contrib/dictd.te	2017-08-06 02:59:40.000000000 +1000
+++ ./policy/modules/contrib/dictd.te	2018-02-16 16:58:00.556174785 +1100
@@ -1,4 +1,4 @@
-policy_module(dictd, 1.11.0)
+policy_module(dictd, 1.11.1)
 
 ########################################
 #
@@ -57,6 +57,7 @@
 
 domain_use_interactive_fds(dictd_t)
 
+files_map_usr_files(dictd_t)
 files_read_etc_runtime_files(dictd_t)
 files_read_usr_files(dictd_t)
 files_search_var_lib(dictd_t)
diff -ru refpolicy-2.20180114/policy/modules/contrib/dpkg.if ./policy/modules/contrib/dpkg.if
--- refpolicy-2.20180114/policy/modules/contrib/dpkg.if	2017-04-30 01:04:12.000000000 +1000
+++ ./policy/modules/contrib/dpkg.if	2018-02-16 16:58:00.556174785 +1100
@@ -301,3 +301,21 @@
 	allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
 	allow $1 dpkg_script_tmp_t:file manage_file_perms;
 ')
+
+########################################
+## <summary>
+##	map dpkg_script_tmp_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_map_script_tmp_files',`
+	gen_require(`
+		type dpkg_script_tmp_t;
+	')
+
+	allow $1 dpkg_script_tmp_t:file map;
+')
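Review bot: The summary of the new `dpkg_map_script_tmp_files` interface, `map dpkg_script_tmp_t files`, is lower-case and names the type rather than describing the files; `##	Map dpkg script temporary files.` would match the summary style `files_map_etc_files` uses in this patch. Since `map` is only useful together with read or manage access, a `<desc>` naming `dpkg_manage_script_tmp_files()` as the related interface would help callers. `files_map_etc_files` already does this for `files_read_etc_files()`.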
diff -ru refpolicy-2.20180114/policy/modules/contrib/dpkg.te ./policy/modules/contrib/dpkg.te
--- refpolicy-2.20180114/policy/modules/contrib/dpkg.te	2017-12-14 10:34:27.000000000 +1100
+++ ./policy/modules/contrib/dpkg.te	2018-02-16 16:58:00.556174785 +1100
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.12.0)
+policy_module(dpkg, 1.12.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/contrib/logrotate.te ./policy/modules/contrib/logrotate.te
--- refpolicy-2.20180114/policy/modules/contrib/logrotate.te	2018-01-15 06:08:06.000000000 +1100
+++ ./policy/modules/contrib/logrotate.te	2018-02-16 16:58:00.556174785 +1100
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.20.0)
+policy_module(logrotate, 1.20.1)
 
 ########################################
 #
@@ -77,6 +77,7 @@
 domain_getattr_all_entry_files(logrotate_t)
 domain_read_all_domains_state(logrotate_t)
 
+files_map_etc_files(logrotate_t)
 files_read_usr_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)
diff -ru refpolicy-2.20180114/policy/modules/contrib/networkmanager.te ./policy/modules/contrib/networkmanager.te
--- refpolicy-2.20180114/policy/modules/contrib/networkmanager.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/contrib/networkmanager.te	2018-02-23 16:39:52.000000000 +1100
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.22.0)
+policy_module(networkmanager, 1.22.1)
 
 ########################################
 #
@@ -219,6 +219,7 @@
 
 optional_policy(`
 	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+	init_dbus_chat(NetworkManager_t)
 
 	optional_policy(`
 		avahi_dbus_chat(NetworkManager_t)
diff -ru refpolicy-2.20180114/policy/modules/contrib/tor.te ./policy/modules/contrib/tor.te
--- refpolicy-2.20180114/policy/modules/contrib/tor.te	2017-08-06 02:59:41.000000000 +1000
+++ ./policy/modules/contrib/tor.te	2018-02-23 16:39:52.000000000 +1100
@@ -1,4 +1,4 @@
-policy_module(tor, 1.14.0)
+policy_module(tor, 1.14.1)
 
 ########################################
 #
@@ -55,6 +55,7 @@
 
 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+allow tor_t tor_var_lib_t:file map;
 manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
 
diff -ru refpolicy-2.20180114/policy/modules/kernel/files.if ./policy/modules/kernel/files.if
--- refpolicy-2.20180114/policy/modules/kernel/files.if	2017-10-26 08:16:06.000000000 +1100
+++ ./policy/modules/kernel/files.if	2018-02-16 16:57:58.392174734 +1100
@@ -2944,6 +2944,36 @@
 
 ########################################
 ## <summary>
+##	Map generic files in /etc.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to map generic files in /etc.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>files_read_etc_files()</li>
+##	</ul>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_map_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:file map;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write generic files in /etc.
 ## </summary>
 ## <param name="domain">
diff -ru refpolicy-2.20180114/policy/modules/kernel/files.te ./policy/modules/kernel/files.te
--- refpolicy-2.20180114/policy/modules/kernel/files.te	2018-01-15 06:08:05.000000000 +1100
+++ ./policy/modules/kernel/files.te	2018-02-16 16:57:58.396174735 +1100
@@ -1,4 +1,4 @@
-policy_module(files, 1.25.0)
+policy_module(files, 1.25.1)
 
 ########################################
 #
diff -ru refpolicy-2.20180114/policy/modules/system/init.te ./policy/modules/system/init.te
--- refpolicy-2.20180114/policy/modules/system/init.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/system/init.te	2018-02-23 14:04:20.000000000 +1100
@@ -1,4 +1,4 @@
-policy_module(init, 2.4.0)
+policy_module(init, 2.4.1)
 
 gen_require(`
 	class passwd rootok;
@@ -488,6 +488,10 @@
 
 optional_policy(`
 	dbus_system_bus_client(init_t)
+
+	optional_policy(`
+		unconfined_dbus_send(init_t)
+	')
 ')
 
 optional_policy(`
diff -ru refpolicy-2.20180114/policy/modules/system/locallogin.te ./policy/modules/system/locallogin.te
--- refpolicy-2.20180114/policy/modules/system/locallogin.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/system/locallogin.te	2018-02-20 17:17:01.649318103 +1100
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.17.0)
+policy_module(locallogin, 1.17.1)
 
 ########################################
 #
@@ -137,6 +137,7 @@
 ifdef(`init_systemd',`
 	auth_manage_faillog(local_login_t)
 
+	init_dbus_chat(local_login_t)
 	systemd_dbus_chat_logind(local_login_t)
 	systemd_use_logind_fds(local_login_t)
 	systemd_manage_logind_pid_pipes(local_login_t)
diff -ru refpolicy-2.20180114/policy/modules/system/logging.te ./policy/modules/system/logging.te
--- refpolicy-2.20180114/policy/modules/system/logging.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/system/logging.te	2018-02-23 16:39:52.000000000 +1100
@@ -1,4 +1,4 @@
-policy_module(logging, 1.27.0)
+policy_module(logging, 1.27.1)
 
 ########################################
 #
@@ -257,6 +257,7 @@
 
 domain_use_interactive_fds(audisp_t)
 
+files_map_etc_files(audisp_t)
 files_read_etc_files(audisp_t)
 files_read_etc_runtime_files(audisp_t)
 
@@ -418,6 +419,8 @@
 # manage temporary files
 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+allow syslogd_t syslogd_tmp_t:file map;
+
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
@@ -426,6 +429,8 @@
 
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+allow syslogd_t syslogd_var_run_t:file map;
+
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
diff -ru refpolicy-2.20180114/policy/modules/system/lvm.te ./policy/modules/system/lvm.te
--- refpolicy-2.20180114/policy/modules/system/lvm.te	2017-08-07 08:45:21.000000000 +1000
+++ ./policy/modules/system/lvm.te	2018-02-16 16:57:58.404174735 +1100
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.20.0)
+policy_module(lvm, 1.20.1)
 
 ########################################
 #
@@ -211,6 +211,8 @@
 files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
 
 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+allow lvm_t lvm_etc_t:file map;
+
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
 manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
diff -ru refpolicy-2.20180114/policy/modules/system/modutils.te ./policy/modules/system/modutils.te
--- refpolicy-2.20180114/policy/modules/system/modutils.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/system/modutils.te	2018-02-16 16:57:58.408174735 +1100
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.19.0)
+policy_module(modutils, 1.19.1)
 
 ########################################
 #
@@ -132,7 +132,9 @@
 ')
 
 optional_policy(`
+	# for postinst of a new kernel package
 	dpkg_manage_script_tmp_files(kmod_t)
+	dpkg_map_script_tmp_files(kmod_t)
 ')
 
 optional_policy(`
diff -ru refpolicy-2.20180114/policy/modules/system/systemd.if ./policy/modules/system/systemd.if
--- refpolicy-2.20180114/policy/modules/system/systemd.if	2017-12-08 10:50:30.000000000 +1100
+++ ./policy/modules/system/systemd.if	2018-02-23 16:39:52.000000000 +1100
@@ -366,6 +366,7 @@
 
 	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
 	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+	allow $1 systemd_journal_t:file map;
 ')
 
 
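Review bot: The new `allow $1 systemd_journal_t:file map;` widens an existing interface, so every domain that already calls it gains mmap access to journal files, not only the caller that triggered the change. The interface header and its summary are outside this hunk; if the summary still describes only managing the files, it should be updated to mention mapping, e.g. `Manage and map systemd journal files.` A short comment above the rule, such as `# journal files are accessed through mmap`, would record why it belongs in the shared interface.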
diff -ru refpolicy-2.20180114/policy/modules/system/systemd.te ./policy/modules/system/systemd.te
--- refpolicy-2.20180114/policy/modules/system/systemd.te	2018-01-15 06:08:08.000000000 +1100
+++ ./policy/modules/system/systemd.te	2018-02-23 16:39:52.000000000 +1100
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.5.0)
+policy_module(systemd, 1.5.3)
 
 #########################################
 #
@@ -308,6 +308,7 @@
 optional_policy(`
 	dbus_connect_system_bus(systemd_hostnamed_t)
 	dbus_system_bus_client(systemd_hostnamed_t)
+	init_dbus_chat(systemd_hostnamed_t)
 ')
 
 optional_policy(`
@@ -450,6 +451,8 @@
 userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
 userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
 userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
+# user_tmp_t is for the dbus-1 directory
+userdom_list_user_tmp(systemd_logind_t)
 userdom_manage_user_runtime_dirs(systemd_logind_t)
 userdom_manage_user_runtime_root_dirs(systemd_logind_t)
 userdom_mounton_user_runtime_dirs(systemd_logind_t)
@@ -476,10 +479,15 @@
 ')
 
 optional_policy(`
+	devicekit_dbus_chat_disk(systemd_logind_t)
 	devicekit_dbus_chat_power(systemd_logind_t)
 ')
 
 optional_policy(`
+	modemmanager_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
 	networkmanager_dbus_chat(systemd_logind_t)
 ')
 
@@ -749,6 +757,10 @@
 	allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
 
 	dbus_system_bus_client(systemd_nspawn_t)
+
+	optional_policy(`
+		unconfined_dbus_send(systemd_machined_t)
+	')
 ')
 
 optional_policy(`
diff -ru refpolicy-2.20180114/policy/modules/system/unconfined.te ./policy/modules/system/unconfined.te
--- refpolicy-2.20180114/policy/modules/system/unconfined.te	2017-08-07 08:45:21.000000000 +1000
+++ ./policy/modules/system/unconfined.te	2018-02-23 14:04:20.000000000 +1100
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.10.0)
+policy_module(unconfined, 3.10.1)
 
 ########################################
 #
@@ -116,6 +116,10 @@
 ')
 
 optional_policy(`
+	modemmanager_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
 	modutils_run(unconfined_t, unconfined_r)
 ')
 
diff -ru refpolicy-2.20180114/policy/policy_capabilities ./policy/policy_capabilities
--- refpolicy-2.20180114/policy/policy_capabilities	2017-09-18 00:44:40.000000000 +1000
+++ ./policy/policy_capabilities	2018-01-30 01:23:57.243819747 +1100
@@ -89,12 +89,12 @@
 #
 # Added checks:
 # (none)
-#policycap cgroup_seclabel;
+policycap cgroup_seclabel;
 
 # Enable NoNewPrivileges support.  Requires libsepol 2.7+
-# and kernel 4.14 (estimated).
+# and kernel 4.14.
 #
 # Checks enabled;
 # process2: nnp_transition, nosuid_transition
 #
-#policycap nnp_nosuid_transition;
+policycap nnp_nosuid_transition;
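Review bot: Uncommenting `policycap nnp_nosuid_transition;` only switches the check on; a transition under NoNewPrivileges or from a nosuid mount still needs an explicit `process2` `nnp_transition` or `nosuid_transition` allow rule, and none of the visible hunks add one. It is worth confirming those rules exist elsewhere in the policy, otherwise units using NoNewPrivileges will presumably keep running in the caller's domain. Both capabilities are now enabled unconditionally, so the comment could also state the minimum toolchain for `cgroup_seclabel`, as the libsepol 2.7+ note does for the second one. The cgroup_seclabel comment begins outside the hunk and may already say this.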
