diff --git a/policy/modules.conf b/policy/modules.conf
index c46c539c39..2ca1fa51ac 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -3113,3 +3113,10 @@ nvme_stas = module
# coreos_installer
#
coreos_installer = module
+
+# Layer: contrib
+# Module: bootupd
+#
+# bootupd - bootloader update daemon
+#
+bootupd = module
diff --git a/policy/modules/contrib/afterburn.te b/policy/modules/contrib/afterburn.te
index 14abb2968b..9e7734639b 100644
--- a/policy/modules/contrib/afterburn.te
+++ b/policy/modules/contrib/afterburn.te
@@ -12,8 +12,6 @@ init_daemon_domain(afterburn_t, afterburn_exec_t)
type afterburn_unit_file_t;
systemd_unit_file(afterburn_unit_file_t)
-permissive afterburn_t;
-
########################################
#
# afterburn local policy
@@ -21,7 +19,9 @@ permissive afterburn_t;
allow afterburn_t self:capability { setgid setuid sys_admin };
allow afterburn_t self:process { fork setpgid };
allow afterburn_t self:fifo_file rw_fifo_file_perms;
+allow afterburn_t self:unix_dgram_socket create_socket_perms;
+kernel_dgram_send(afterburn_t)
kernel_read_all_proc(afterburn_t)
corenet_tcp_connect_http_port(afterburn_t)
@@ -34,10 +34,22 @@ optional_policy(`
auth_use_nsswitch(afterburn_t)
')
+optional_policy(`
+ logging_write_syslog_pid_socket(afterburn_t)
+')
+
optional_policy(`
miscfiles_read_localization(afterburn_t)
')
+optional_policy(`
+ networkmanager_dbus_chat(afterburn_t)
+')
+
+optional_policy(`
+ ssh_filetrans_home_content(afterburn_t)
+')
+
optional_policy(`
sysnet_dns_name_resolve(afterburn_t)
')
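Review bot: `ssh_filetrans_home_content(afterburn_t)` only supplies the name-based type transition for `.ssh` under a home directory; unless rules outside this hunk already let afterburn_t create directories in user home dirs and write ssh_home_t files, the daemon will still be denied the moment it actually drops a key, and since this same commit removes `permissive afterburn_t` that denial becomes a hard failure instead of an audit line. Similarly `networkmanager_dbus_chat` presumably needs the domain to be a system bus client (`dbus_system_bus_client(afterburn_t)`) to reach NetworkManager at all; I cannot see whether that is granted earlier in the file. A short comment on the ssh block would help the next reader, e.g. `# filetrans only: afterburn also needs manage on home dirs / ssh_home_t to install fetched keys -- confirm with an enforcing run`.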
diff --git a/policy/modules/contrib/bootupd.fc b/policy/modules/contrib/bootupd.fc
new file mode 100644
index 0000000000..00cdf3c091
--- /dev/null
+++ b/policy/modules/contrib/bootupd.fc
@@ -0,0 +1,7 @@
+/usr/bin/bootupctl -- gen_context(system_u:object_r:bootupd_exec_t,s0)
+/usr/libexec/bootupd -- gen_context(system_u:object_r:bootupd_exec_t,s0)
+
+/usr/lib/systemd/system/bootupd\.service -- gen_context(system_u:object_r:bootupd_unit_file_t,s0)
+/usr/lib/systemd/system/bootupd\.socket -- gen_context(system_u:object_r:bootupd_unit_file_t,s0)
+
+/var/run/bootupd\.sock -s gen_context(system_u:object_r:bootupd_var_run_t,s0)
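Review bot: `/usr/bin/bootupctl` and `/usr/libexec/bootupd` share `bootupd_exec_t`, so any domain later given `bootupd_domtrans` enters the daemon domain merely by running the CLI and inherits the daemon's whole permission set (setuid/setgid, vfat search, etc. from bootupd.te). If the CLI only talks to the daemon over `/var/run/bootupd.sock`, a separate exec type for the client (or leaving it as `bin_t` and giving callers a stream-connect interface) keeps the privilege boundary at the socket; I assume that is the intended boundary given the `.socket` unit is labeled here, but it should be stated. A comment on the `-s` entry should also record who creates the socket, e.g. `# created by systemd via bootupd.socket; labeled through file_contexts at creation`, because if the daemon creates it itself bootupd.te needs a filetrans rule that is not in this commit.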
diff --git a/policy/modules/contrib/bootupd.if b/policy/modules/contrib/bootupd.if
new file mode 100644
index 0000000000..d778b157a6
--- /dev/null
+++ b/policy/modules/contrib/bootupd.if
@@ -0,0 +1,39 @@
+## policy for bootupd
+
+########################################
+##
+## Execute bootupd_exec_t in the bootupd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bootupd_domtrans',`
+ gen_require(`
+ type bootupd_t, bootupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bootupd_exec_t, bootupd_t)
+')
+
+######################################
+##
+## Execute bootupd in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bootupd_exec',`
+ gen_require(`
+ type bootupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, bootupd_exec_t)
+')
diff --git a/policy/modules/contrib/bootupd.te b/policy/modules/contrib/bootupd.te
new file mode 100644
index 0000000000..bbe8a99dc3
--- /dev/null
+++ b/policy/modules/contrib/bootupd.te
@@ -0,0 +1,41 @@
+policy_module(bootupd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bootupd_t;
+type bootupd_exec_t;
+init_daemon_domain(bootupd_t, bootupd_exec_t)
+
+type bootupd_unit_file_t;
+systemd_unit_file(bootupd_unit_file_t)
+
+type bootupd_var_run_t;
+files_pid_file(bootupd_var_run_t)
+
+permissive bootupd_t;
+
+########################################
+#
+# bootupd local policy
+#
+allow bootupd_t self:capability { setgid setuid };
+allow bootupd_t self:process { fork setpgid };
+allow bootupd_t self:fifo_file rw_fifo_file_perms;
+allow bootupd_t self:unix_dgram_socket create_socket_perms;
+allow bootupd_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_dgram_send(bootupd_t)
+
+domain_use_interactive_fds(bootupd_t)
+
+files_read_etc_files(bootupd_t)
+
+fs_getattr_all_fs(bootupd_t)
+fs_search_dos(bootupd_t)
+
+optional_policy(`
+ miscfiles_read_localization(bootupd_t)
+')
diff --git a/policy/modules/contrib/coreos_installer.te b/policy/modules/contrib/coreos_installer.te
index d6c3a808e8..ab720fa885 100644
--- a/policy/modules/contrib/coreos_installer.te
+++ b/policy/modules/contrib/coreos_installer.te
@@ -12,8 +12,6 @@ init_daemon_domain(coreos_installer_t, coreos_installer_exec_t)
type coreos_installer_unit_file_t;
systemd_unit_file(coreos_installer_unit_file_t)
-permissive coreos_installer_t;
-
########################################
#
# coreos_installer local policy
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 80419572cc..821121b9ad 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -1079,3 +1079,39 @@ interface(`cron_system_spool_entrypoint',`
')
allow $1 system_cron_spool_t:file entrypoint;
')
+
+########################################
+##
+## Execute crontab in the crontab domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`crontab_domtrans',`
+ gen_require(`
+ type crontab_exec_t, crontab_t;
+ ')
+
+ domtrans_pattern($1, crontab_exec_t, crontab_t)
+')
+
+########################################
+##
+## Execute crontab in the admin crontab domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`crontab_admin_domtrans',`
+ gen_require(`
+ type crontab_exec_t, admin_crontab_t;
+ ')
+
+ domtrans_pattern($1, crontab_exec_t, admin_crontab_t)
+')
diff --git a/policy/modules/contrib/mptcpd.te b/policy/modules/contrib/mptcpd.te
index cabf749a69..e7ed82f331 100644
--- a/policy/modules/contrib/mptcpd.te
+++ b/policy/modules/contrib/mptcpd.te
@@ -13,8 +13,6 @@ init_nnp_daemon_domain(mptcpd_t)
type mptcpd_etc_t;
files_config_file(mptcpd_etc_t)
-permissive mptcpd_t;
-
########################################
#
# mptcpd local policy
diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
index 97f923b252..b0f92f8162 100644
--- a/policy/modules/contrib/numad.te
+++ b/policy/modules/contrib/numad.te
@@ -24,6 +24,7 @@ files_pid_file(numad_var_run_t)
#
allow numad_t self:capability { ipc_owner kill sys_nice sys_ptrace } ;
+allow numad_t self:cap_userns sys_ptrace;
allow numad_t self:fifo_file rw_fifo_file_perms;
allow numad_t self:msgq create_msgq_perms;
allow numad_t self:msg { send receive };
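Review bot: the new `cap_userns sys_ptrace` grant has no comment explaining why a NUMA balancer needs ptrace capability inside user namespaces, and the line above already gives it `capability sys_ptrace`. `cap_userns` is the class the kernel checks when the target task lives in a non-init user namespace (a container, typically), so I assume numad hit this while reading `/proc/<pid>` of containerised tasks, but that should be recorded: `# cap_userns sys_ptrace: reading /proc/<pid> of tasks in child user namespaces (containers) -- confirm against the audit event`. If the access turns out to be a probe numad tolerates failing, a dontaudit would be the smaller change than widening the capability set.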
diff --git a/policy/modules/contrib/rshim.te b/policy/modules/contrib/rshim.te
index 7225deead9..c40af4e66d 100644
--- a/policy/modules/contrib/rshim.te
+++ b/policy/modules/contrib/rshim.te
@@ -12,8 +12,6 @@ init_daemon_domain(rshim_t, rshim_exec_t)
type rshim_unit_file_t;
systemd_unit_file(rshim_unit_file_t)
-permissive rshim_t;
-
########################################
#
# rshim local policy
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 488804c40f..bcf8cbcb3e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -371,6 +371,7 @@ allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
allow svirt_t virtlogd_t:unix_stream_socket connectto;
kernel_request_load_module(svirt_t)
+kernel_read_vm_sysctls(svirt_t)
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
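Review bot: `kernel_read_vm_sysctls(svirt_t)` widens what a guest-facing domain can read from the host without saying which sysctl QEMU needs; as far as I recall svirt_t is the domain the VM process itself runs in, so every grant here is reachable from a compromised guest. A one-line comment naming the actual file would justify it, e.g. `# qemu reads /proc/sys/vm/<name> at startup -- see audit event`, and if the read is only a probe whose failure QEMU tolerates, a dontaudit rule would be the smaller change than allowing the whole vm sysctl tree.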
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index f50225ee23..78b723f4c2 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -32,6 +32,7 @@
/dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mmcblk[0-9]+rpmb -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mtd.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
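Review bot: the RPMB character device is labeled `removable_device_t` at `s0`, which puts the eMMC replay-protected memory block -- the partition normally reserved for authenticated secure storage -- in the same class as removable media that many user and virtualization domains are allowed to read and write. The neighbouring raw-storage control nodes (`megaraid_sas_ioctl_node`, the `mtd.*` char entry) use `fixed_disk_device_t` with `mls_systemhigh`, and unless something specifically needs RPMB reachable as removable media, `gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` is the conservative choice. Whichever type is kept, a comment on the line should name which daemon actually opens RPMB so the next reviewer can judge the exposure.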
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2303b2b7da..9f67c92c1c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -322,6 +322,9 @@ optional_policy(`
optional_policy(`
sudo_role_template(staff, staff_r, staff_t)
+ optional_policy(`
+ crontab_domtrans(staff_sudo_t)
+ ')
')
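Review bot: `crontab_domtrans(staff_sudo_t)` adds the type transition, but the resulting context is only valid if staff_r is authorized for crontab_t; I assume `cron_role(staff_r, staff_t)` earlier in this file (outside the hunk) provides that, otherwise the exec fails with an invalid-context error that never shows up as an AVC denial. That dependency is worth a comment next to the call, e.g. `# staff_r is authorized for crontab_t via cron_role above`, so the nested optional_policy is not moved somewhere the role rule no longer applies.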
optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 04b4bdcf72..f288c7500a 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -602,6 +602,9 @@ optional_policy(`
optional_policy(`
sudo_role_template(sysadm, sysadm_r, sysadm_t)
+ optional_policy(`
+ crontab_admin_domtrans(sysadm_sudo_t)
+ ')
')
optional_policy(`