diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 5869eb50b..ebd73aca9 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -910,6 +910,24 @@ interface(`kernel_getattr_proc',`
allow $1 proc_t:filesystem getattr;
')
+########################################
+##
+## Do not audit attempts to get the attributes of the proc filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_getattr_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:filesystem getattr;
+')
+
########################################
##
## Mount on proc directories.
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index a2d1cc5e4..16fa4e527 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -207,6 +207,7 @@ optional_policy(`
optional_policy(`
mta_manage_spool(dovecot_t)
+ mta_watch_spool(dovecot_t)
mta_manage_mail_home_rw_content(dovecot_t)
mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
@@ -255,6 +256,8 @@ manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t)
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+kernel_dontaudit_getattr_proc(dovecot_auth_t)
+
files_search_runtime(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index b0ce28b55..b9723aa98 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -955,6 +955,24 @@ interface(`mta_manage_spool',`
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
+########################################
+##
+## Watch mail spool content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_watch_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ allow $1 mail_spool_t:{ dir file } watch;
+')
+
#######################################
##
## Create specified objects in the
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 4baf0cfe2..3518d44fe 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -262,6 +262,8 @@ corenet_sendrecv_xserver_server_packets(sshd_t)
ifdef(`distro_debian',`
allow sshd_t self:process { getcap setcap };
auth_use_pam_motd_dynamic(sshd_t)
+',`
+ dontaudit sshd_t self:process { getcap setcap };
')
ifdef(`init_systemd',`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 753e31ace..9b6a32870 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -104,6 +104,9 @@ allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
kernel_read_crypto_sysctls(chkpwd_t)
+kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
+kernel_dontaudit_read_kernel_sysctl(chkpwd_t)
+kernel_dontaudit_getattr_proc(chkpwd_t)
domain_dontaudit_use_interactive_fds(chkpwd_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 29771968d..86aa42f1f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -496,6 +496,7 @@ files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
+kernel_dontaudit_getattr_proc(semanage_t)
corecmd_exec_bin(semanage_t)
corecmd_exec_shell(semanage_t)