This may cause some problems as this tightens up the policy quite a bit. I have tried many daemons out, but only starting and stopping them. Please test this policy out. It is available at ftp://people.redhat.com/dwalsh/Fedora as selinux-policy-*-1.17.36-1.

The biggest change is the removal of nscd and of the ability to connect provided in can_network. So if you have an application or daemon that needs to do a network connect, it will have to call

    can_network(app_t)
    allow app_t self:{ tcp_socket udp_socket } connect;

can_network now calls can_tcp_network and can_udp_network. I have begun to break daemons out to call can_tcp_network or can_udp_network where appropriate. Any help on this would be great.

A tcp-only app that needs to connect can be written as

    can_tcp_network(app_t)
    allow app_t self:tcp_socket connect;
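As an added illustration (not part of Dan's message and not from the Fedora policy sources), here is a minimal macro-style .te fragment for a hypothetical tcp-only daemon domain, showing how such a daemon is adjusted to the tightened can_network. The domain name mydaemon, the assumption that the policy's daemon_domain() macro declares mydaemon_t, and the AVC line quoted in the comments are all constructed for this example:

```m4
# Hypothetical daemon domain for this example (not a real Fedora policy file).
# daemon_domain() is assumed to be the policy's existing macro that declares
# mydaemon_t / mydaemon_exec_t and the usual daemon permissions; it does not
# grant network connect.
daemon_domain(mydaemon)

# Under policy 1.17.36 can_network() no longer grants connect, so a daemon that
# only makes outbound TCP connections takes the narrower tcp-only macro and
# states the connect permission explicitly instead of calling can_network():
can_tcp_network(mydaemon_t)
allow mydaemon_t self:tcp_socket connect;

# If the connect rule is left out, the first outbound connection is refused and
# the audit log shows a denial of this shape (constructed sample, not a real
# log line):
#   avc:  denied  { connect } for  pid=1234 comm="mydaemon"
#         scontext=system_u:system_r:mydaemon_t
#         tcontext=system_u:system_r:mydaemon_t tclass=tcp_socket
# A denial with tclass=udp_socket instead means the daemon also needs
# can_udp_network(mydaemon_t) and a matching
# "allow mydaemon_t self:udp_socket connect;" rule; only then does it need the
# full can_network() form shown above.
```

The point of splitting the macro is least privilege: a daemon that never speaks UDP should not carry udp_socket connect, and a daemon that only listens should call neither connect rule, so a denial on connect is the signal that the domain actually initiates connections.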