Index: refpolicy-2.20241211/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20241211/policy/modules/roles/sysadm.te
@@ -36,11 +36,22 @@ ifndef(`enable_mls',`
 # for networkctl and possibly other networking tools
 allow sysadm_t self:netlink_route_socket rw_netlink_socket_perms;
 
+allow sysadm_t self:netlink_generic_socket { create setopt bind write read };
+
+# for ptrace
+allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read };
+
+allow sysadm_t self:capability audit_write;
+allow sysadm_t self:system status;
+
 corecmd_exec_shell(sysadm_t)
 
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
 corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
 
+domain_getsched_all_domains(sysadm_t)
+
+dev_read_cpuid(sysadm_t)
 dev_read_kmsg(sysadm_t)
 dev_rw_ipmi_dev(sysadm_t)
 
@@ -62,6 +73,9 @@ init_admin(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
+# for systemd-analyze
+files_get_etc_unit_status(sysadm_t)
+
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
 		init_run_daemon(sysadm_t, sysadm_r)
@@ -1074,6 +1088,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(sysadm_t)
+')
+
+optional_policy(`
 	tboot_run_txtstat(sysadm_t, sysadm_r)
 ')
 
@@ -1141,6 +1159,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dev_rw_generic_usb_dev(sysadm_t)
 	usbmodules_run(sysadm_t, sysadm_r)
 ')
 
Index: refpolicy-2.20241211/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20241211/policy/modules/services/dbus.if
@@ -88,6 +88,7 @@ template(`dbus_role_template',`
 
 	allow $3 $1_dbusd_t:unix_stream_socket { connectto create_stream_socket_perms };
 	allow $3 $1_dbusd_t:dbus { acquire_svc send_msg };
+	allow $1_dbusd_t $3:dbus send_msg;
 	allow $3 $1_dbusd_t:fd use;
 
 	dontaudit $1_dbusd_t self:process getcap;
@@ -101,7 +102,14 @@ template(`dbus_role_template',`
 	allow $3 session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 	userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
 
+	userdom_delete_user_tmp_named_sockets($1_dbusd_t)
+	userdom_manage_user_tmp_dirs($1_dbusd_t)
+
+	# for app-at\x2dspi\x2ddbus\x2dbus@autostart.service
+	userdom_manage_user_tmp_sockets($1_dbusd_t)
+
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+	can_exec($1_dbusd_t, dbusd_exec_t)
 
 	ps_process_pattern($3, $1_dbusd_t)
 	allow $3 $1_dbusd_t:process { ptrace signal_perms };
@@ -121,18 +129,32 @@ template(`dbus_role_template',`
 	corecmd_bin_domtrans($1_dbusd_t, $3)
 	corecmd_shell_domtrans($1_dbusd_t, $3)
 
+	dev_read_sysfs($1_dbusd_t)
+
 	selinux_use_status_page($1_dbusd_t)
 
 	auth_use_nsswitch($1_dbusd_t)
 
 	dbus_exec($1_dbusd_t)
+	files_read_etc_runtime_files($1_dbusd_t)
 
 	optional_policy(`
 		systemd_read_logind_runtime_files($1_dbusd_t)
 		systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
+		# dbus-broker-launch fails with no media on sd_bus_open_user() without this
+		systemd_user_daemon_domain_noatsecure($1, $1_dbusd_t)
+
 		systemd_user_send_systemd_notify($1, $1_dbusd_t)
 		systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
 	')
+	optional_policy(`
+		init_dbus_chat($1_dbusd_t)
+		dbus_system_bus_client($1_dbusd_t)
+	')
+
+	optional_policy(`
+		xdg_read_data_files($1_dbusd_t)
+	')
 ')
 
 #######################################
Index: refpolicy-2.20241211/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20241211/policy/modules/system/systemd.te
@@ -2026,6 +2026,7 @@ tunable_policy(`systemd_tmpfiles_manage_
 ')
 
 optional_policy(`
+	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')
Index: refpolicy-2.20241211/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/services/cron.te
+++ refpolicy-2.20241211/policy/modules/services/cron.te
@@ -485,6 +485,7 @@ allow system_cronjob_t crond_tmp_t:file
 kernel_getattr_core_if(system_cronjob_t)
 kernel_getattr_message_if(system_cronjob_t)
 
+kernel_read_fs_sysctls(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
Index: refpolicy-2.20241211/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/services/ntp.te
+++ refpolicy-2.20241211/policy/modules/services/ntp.te
@@ -132,6 +132,7 @@ term_use_ptmx(ntpd_t)
 auth_use_nsswitch(ntpd_t)
 
 init_exec_script_files(ntpd_t)
+init_get_generic_units_status(ntpd_t)
 
 logging_send_syslog_msg(ntpd_t)
 
Index: refpolicy-2.20241211/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20241211/policy/modules/system/unconfined.if
@@ -41,6 +41,7 @@ interface(`unconfined_domain_noaudit',`
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Manage most namespace capabilities
+	allow $1 self:user_namespace create;
 	allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
 	allow $1 self:cap2_userns { audit_read block_suspend bpf mac_admin mac_override perfmon syslog wake_alarm };
 
@@ -53,6 +54,12 @@ interface(`unconfined_domain_noaudit',`
 	# io_uring
 	allow $1 self:anon_inode { create map read write };
 
+	# used by Chrome for some reason
+	allow $1 self:dir manage_dir_perms;
+
+	# for io_uring
+	allow $1 self:anon_inode { create map read write };
+
 	# Userland object managers
 	allow $1 self:nscd { admin getgrp gethost getpwd getserv getstat shmemgrp shmemhost shmempwd shmemserv };
 	allow $1 self:dbus { acquire_svc send_msg };
@@ -67,6 +74,7 @@ interface(`unconfined_domain_noaudit',`
 	domain_dontaudit_ptrace_all_domains($1)
 	files_unconfined($1)
 	fs_unconfined($1)
+	fs_watch_memory_pressure($1)
 	selinux_unconfined($1)
 	files_get_etc_unit_status($1)
 	files_start_etc_service($1)
Index: refpolicy-2.20241211/policy/modules/apps/mozilla.te
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/apps/mozilla.te
+++ refpolicy-2.20241211/policy/modules/apps/mozilla.te
@@ -116,11 +116,13 @@ allow mozilla_t mozilla_plugin_rw_t:lnk_
 stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
 
 manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+allow mozilla_t mozilla_xdg_cache_t:file map;
 manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
 xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
 
 can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
 
+kernel_read_device_sysctls(mozilla_t)
 kernel_read_kernel_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
 kernel_read_system_state(mozilla_t)
@@ -133,6 +135,7 @@ corecmd_exec_bin(mozilla_t)
 corenet_all_recvfrom_netlabel(mozilla_t)
 corenet_tcp_sendrecv_generic_if(mozilla_t)
 corenet_tcp_sendrecv_generic_node(mozilla_t)
+corenet_udp_bind_generic_node(mozilla_t)
 
 corenet_sendrecv_http_client_packets(mozilla_t)
 corenet_tcp_connect_http_port(mozilla_t)
@@ -268,6 +271,7 @@ optional_policy(`
 optional_policy(`
 	dbus_all_session_bus_client(mozilla_t)
 	dbus_connect_all_session_bus(mozilla_t)
+	dbus_write_session_runtime_socket(mozilla_t)
 	dbus_system_bus_client(mozilla_t)
 
 	optional_policy(`
Index: refpolicy-2.20241211/policy/global_tunables
===================================================================
--- refpolicy-2.20241211.orig/policy/global_tunables
+++ refpolicy-2.20241211/policy/global_tunables
@@ -129,3 +129,11 @@ gen_tunable(user_tcp_server,false)
 ## </p>
 ## </desc>
 gen_tunable(user_udp_server,false)
+
+## <desc>
+## <p>
+## Allow users to execmod tmpfs files, KDE plasmashell needs this
+## the same domain and outside users)
+## </p>
+## </desc>
+gen_tunable(user_execmod_tmpfs,false)
Index: refpolicy-2.20241211/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20241211/policy/modules/system/unconfined.te
@@ -76,6 +76,10 @@ ifdef(`init_systemd',`
 	')
 ')
 
+tunable_policy(`user_execmod_tmpfs', `
+	userdom_execmod_user_tmpfs_files(unconfined_t)
+')
+
 optional_policy(`
 	apache_run_helper(unconfined_t, unconfined_r)
 	apache_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
Index: refpolicy-2.20241211/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20241211/policy/modules/system/systemd.if
@@ -68,6 +68,9 @@ template(`systemd_role_template',`
 	corecmd_shell_domtrans($1_systemd_t, $3)
 	corecmd_bin_domtrans($1_systemd_t, $3)
 
+	allow $3 $1_systemd_t:dbus send_msg;
+	allow $1_systemd_t $3:dbus send_msg;
+
 	# systemctl --user rules
 	allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
 	allow $1_systemd_t systemd_user_activated_sock_file_type:dir manage_dir_perms;
@@ -93,7 +96,10 @@ template(`systemd_role_template',`
 	allow $1_systemd_t $3:file read_file_perms;
 	allow $1_systemd_t $3:lnk_file read_lnk_file_perms;
 
+	dev_getattr_sound_dev($1_systemd_t)
 	dev_read_urand($1_systemd_t)
+	storage_getattr_removable_dev($1_systemd_t)
+	term_dontaudit_getattr_unallocated_ttys($1_systemd_t)
 
 	files_search_home($1_systemd_t)
 	files_watch_etc_dirs($1_systemd_t)
@@ -103,6 +109,8 @@ template(`systemd_role_template',`
 	fs_watch_cgroup_files($1_systemd_t)
 
 	kernel_dontaudit_getattr_proc($1_systemd_t)
+	kernel_read_psi($1_systemd_t)
+
 	# if systemd exists in the initrd, the journal socket stays labeled kernel_t
 	# without this access, user services cannot log to the journal
 	kernel_stream_connect($1_systemd_t)
@@ -223,8 +231,22 @@ template(`systemd_role_template',`
 	systemd_watch_passwd_runtime_dirs($3)
 
 	optional_policy(`
+		gpg_stream_connect_agent($1_systemd_t)
+	')
+
+	optional_policy(`
+		modemmanager_dbus_chat($1_systemd_t)
+	')
+
+	optional_policy(`
+		pulseaudio_domtrans($1_systemd_t)
+		pulseaudio_manage_tmp_dirs($1_systemd_t)
+	')
+
+	optional_policy(`
 		xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
 		xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
+		xdg_read_cache_files($1_systemd_t)
 		xdg_read_config_files($1_systemd_t)
 		xdg_read_data_files($1_systemd_t)
 	')
@@ -262,6 +284,30 @@ template(`systemd_user_daemon_domain',`
 ')
 
 ######################################
+## <summary>
+##   Allow the specified domain to not have the atsecure setting when started
+##   as a daemon by the specified systemd user instance
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain that is entered with noatsecure
+##	</summary>
+## </param>
+#
+template(`systemd_user_daemon_domain_noatsecure',`
+	gen_require(`
+		type $1_systemd_t;
+	')
+
+	allow $1_systemd_t $2:process noatsecure;
+')
+
+######################################
 ## <summary>
 ##   Associate the specified file type to be a type whose sock files
 ##   can be managed by systemd user instances for socket activation.
Index: refpolicy-2.20241211/policy/modules/apps/gnome.if
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/apps/gnome.if
+++ refpolicy-2.20241211/policy/modules/apps/gnome.if
@@ -101,6 +101,8 @@ template(`gnome_role_template',`
 	optional_policy(`
 		dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
 		dbus_system_bus_client($1_gkeyringd_t)
+		dbus_write_session_runtime_socket($1_gkeyringd_t)
+		dbus_getattr_session_runtime_socket($1_gkeyringd_t)
 
 		optional_policy(`
 			evolution_dbus_chat($1_gkeyringd_t)
Index: refpolicy-2.20241211/policy/modules/apps/wm.if
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/apps/wm.if
+++ refpolicy-2.20241211/policy/modules/apps/wm.if
@@ -53,15 +53,19 @@ template(`wm_role_template',`
 	# Policy
 	#
 
+	allow $1_wm_t self:process getcap;
+
 	allow $3 $1_wm_t:fd use;
 
-	allow $1_wm_t $3:unix_stream_socket connectto;
-	allow $3 $1_wm_t:unix_stream_socket connectto;
+	allow $1_wm_t $3:unix_stream_socket { connectto read write getopt getattr accept };
+	allow $3 $1_wm_t:unix_stream_socket { connectto read write getopt };
 
-	allow $3 $1_wm_t:process { ptrace signal_perms };
+	# ptrace here would allow messing with keyboard
+	allow $3 $1_wm_t:process { signal_perms };
 	ps_process_pattern($3, $1_wm_t)
 
-	allow $1_wm_t $3:process { sigkill signull };
+	allow $1_wm_t $3:process { sigkill signull signal };
+	ps_process_pattern($1_wm_t, $3)
 
 	domtrans_pattern($3, wm_exec_t, $1_wm_t)
 
@@ -74,10 +78,14 @@ template(`wm_role_template',`
 	mls_xwin_write_all_levels($1_wm_t)
 	mls_fd_use_all_levels($1_wm_t)
 
+	auth_domtrans_chk_passwd($1_wm_t)
 	auth_use_nsswitch($1_wm_t)
 
 	miscfiles_manage_fonts_cache($1_wm_t)
 
+	userdom_rw_user_tmpfs_files($1_wm_t)
+	userdom_map_user_tmpfs_files($1_wm_t)
+
 	xserver_role($1, $1_wm_t, $3, $4)
 	xserver_manage_core_devices($1_wm_t)
 
@@ -98,6 +106,10 @@ template(`wm_role_template',`
 	')
 
 	optional_policy(`
+		modemmanager_dbus_chat($1_wm_t)
+	')
+
+	optional_policy(`
 		networkmanager_watch_etc_dirs($1_wm_t)
 	')
 
@@ -111,7 +123,9 @@ template(`wm_role_template',`
 	')
 
 	optional_policy(`
+		systemd_read_logind_state($1_wm_t)
 		systemd_user_app_status($1, $1_wm_t)
+		systemd_write_inherited_logind_inhibit_pipes($1_wm_t)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20241211/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20241211/policy/modules/kernel/corecommands.fc
@@ -341,6 +341,7 @@ ifdef(`distro_debian',`
 /usr/share/hal/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ifupdown2/__main__\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/libalpm/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/libpam-kwallet-common/pam_kwallet_init -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/Modules/init(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/org\.gnome\.Weather/org\.gnome\.Weather\.Application	--	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20241211/policy/modules/apps/xscreensaver.if
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/apps/xscreensaver.if
+++ refpolicy-2.20241211/policy/modules/apps/xscreensaver.if
@@ -100,3 +100,22 @@ interface(`xscreensaver_run',`
 	xscreensaver_domtrans($1)
 	roleattribute $2 xscreensaver_roles;
 ')
+
+########################################
+## <summary>
+##	Transition to xscreensaver_helper_t when running xscreensaver_helper_exec_t
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xscreensaver_run_helper', `
+	gen_require(`
+		type xscreensaver_helper_exec_t, xscreensaver_helper_t;
+	')
+
+	domtrans_pattern($1, xscreensaver_helper_exec_t, xscreensaver_helper_t)
+	allow xscreensaver_helper_t $1:fd use;
+')
Index: refpolicy-2.20241211/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20241211/policy/modules/apps/pulseaudio.te
@@ -51,6 +51,9 @@ files_type(pulseaudio_var_lib_t)
 type pulseaudio_xdg_config_t;
 xdg_config_content(pulseaudio_xdg_config_t)
 
+type pulseaudio_xdg_cache_t;
+xdg_cache_content(pulseaudio_xdg_cache_t)
+
 ########################################
 #
 # Local policy
@@ -75,6 +78,7 @@ userdom_user_home_dir_filetrans(pulseaud
 
 manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+allow pulseaudio_t pulseaudio_tmp_t:file map;
 manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
 files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, { dir sock_file })
 userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
@@ -102,6 +106,11 @@ manage_dirs_pattern(pulseaudio_t, pulsea
 manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
 allow pulseaudio_t pulseaudio_xdg_config_t:file map;
 
+manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_cache_t, pulseaudio_xdg_cache_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_xdg_cache_t, pulseaudio_xdg_cache_t)
+allow pulseaudio_t pulseaudio_xdg_cache_t:file map;
+xdg_cache_filetrans(pulseaudio_t, pulseaudio_xdg_cache_t, dir)
+
 xdg_config_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse")
 
 allow pulseaudio_t pulseaudio_client:process signull;
@@ -118,11 +127,16 @@ corecmd_exec_bin(pulseaudio_t)
 
 dev_watch_dev_dirs(pulseaudio_t)
 dev_read_sound(pulseaudio_t)
+dev_read_video_dev(pulseaudio_t)
 dev_write_sound(pulseaudio_t)
 dev_read_sysfs(pulseaudio_t)
 dev_read_urand(pulseaudio_t)
+dev_rw_dri(pulseaudio_t)
+dev_read_video_dev(pulseaudio_t)
+dev_write_video_dev(pulseaudio_t)
 
 files_read_usr_files(pulseaudio_t)
+files_map_usr_files(pulseaudio_t)
 
 fs_getattr_tmpfs(pulseaudio_t)
 fs_getattr_all_fs(pulseaudio_t)
@@ -135,6 +149,9 @@ term_use_all_ptys(pulseaudio_t)
 
 auth_use_nsswitch(pulseaudio_t)
 
+# for /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner
+libs_exec_lib_files(pulseaudio_t)
+
 logging_send_syslog_msg(pulseaudio_t)
 
 miscfiles_read_localization(pulseaudio_t)
@@ -201,6 +218,7 @@ optional_policy(`
 	dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
 	dbus_all_session_bus_client(pulseaudio_t)
 	dbus_connect_all_session_bus(pulseaudio_t)
+	dbus_getattr_session_runtime_socket(pulseaudio_t)
 
 	optional_policy(`
 		policykit_dbus_chat(pulseaudio_t)
Index: refpolicy-2.20241211/policy/modules/apps/pulseaudio.fc
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/apps/pulseaudio.fc
+++ refpolicy-2.20241211/policy/modules/apps/pulseaudio.fc
@@ -2,6 +2,7 @@ HOME_DIR/\.esd_auth	--	gen_context(syste
 HOME_DIR/\.pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse-cookie	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.config/pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)
+HOME_DIR/\.cache/gstreamer-[0-9\.]+(/.*)?        gen_context(system_u:object_r:pulseaudio_xdg_cache_t, s0)
 
 /usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 
Index: refpolicy-2.20241211/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20241211/policy/modules/system/userdomain.if
@@ -152,6 +152,11 @@ template(`userdom_base_user_template',`
 	')
 
 	optional_policy(`
+		# allow all users to register fingerprints
+		fprintd_dbus_chat($1_t)
+	')
+
+	optional_policy(`
 		kerneloops_dbus_chat($1_t)
 	')
 ')
@@ -990,6 +995,8 @@ template(`userdom_login_user_template',
 
 	allow $1_t self:context contains;
 
+	allow $1_t self:anon_inode { create read write map };
+
 	kernel_dontaudit_read_system_state($1_t)
 
 	dev_read_sysfs($1_t)
Index: refpolicy-2.20241211/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20241211.orig/policy/modules/system/init.te
+++ refpolicy-2.20241211/policy/modules/system/init.te
@@ -196,6 +196,7 @@ allow init_t initrc_runtime_t:file { rw_
 allow init_t init_tmpfs_t:file manage_file_perms;
 fs_tmpfs_filetrans(init_t, init_tmpfs_t, file)
 
+kernel_read_psi(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
