diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp
index 7bc9f6a..4cde0ce 100644
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@@ -544,7 +544,7 @@ class apache::mod::passenger {
 }
 }
- file { "/var/lib/passenger":
+ file { [ "/var/lib/passenger", "/var/run/passenger", ]:
 ensure => directory,
 mode => "0755",
 owner => "root",
diff --git a/ntpd/manifests/init.pp b/ntpd/manifests/init.pp
index a5b8096..a48a792 100644
--- a/ntpd/manifests/init.pp
+++ b/ntpd/manifests/init.pp
@@ -3,7 +3,8 @@
 # === Global variables
 #
 # $ntp_server:
-# Array of NTP servers.
+# Array of NTP servers using [] will disable external servers.
+# Defaults to pool.ntp.org.
 #
 # $ntp_client_networks:
 # Array of networks that are allowed to query this server in format
diff --git a/puppet/bootstrap-server.sh b/puppet/bootstrap-server.sh
index 74d287f..755a56d 100755
--- a/puppet/bootstrap-server.sh
+++ b/puppet/bootstrap-server.sh
@@ -39,6 +39,7 @@ mkdir -p /etc/puppet/manifests/node
 if [ ! -s /etc/puppet/manifests/site.pp ]; then
 cat > /etc/puppet/manifests/site.pp << EOF
+import "/srv/puppet/files/common/packages/manifests/*.pp"
 import "node/*.pp"
 \$puppet_server = "${FQDN}"
diff --git a/puppet/manifests/init.pp b/puppet/manifests/init.pp
index bcd3c49..73d46b4 100644
--- a/puppet/manifests/init.pp
+++ b/puppet/manifests/init.pp
@@ -195,11 +195,9 @@ class puppet::server {
 class puppet::server::common inherits puppet::client {
 if $::operatingsystem in ["CentOS","RedHat"] and $::operatingsystemrelease =~ /^[1-5]\..*/ {
- $seltype_readonly = "var_lib_t"
- $seltype_writable = "var_lib_t"
+ $seltype = "var_lib_t"
 } else {
- $seltype_readonly = "puppetmaster_t"
- $seltype_writable = "puppet_var_lib_t"
+ $seltype = "puppet_var_lib_t"
 }
 case $::operatingsystem {
@@ -276,7 +274,7 @@ class puppet::server::common inherits puppet::client {
 mode => "0750",
 owner => $user,
 group => $group,
- seltype => $seltype_readonly,
+ seltype => $seltype,
 require => File["/srv/puppet"],
 }
 }
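Review bot: `/var/run/passenger` is managed as an ordinary `file { ... ensure => directory }` resource, but on distributions where /var/run is a tmpfs it disappears at every boot, so Apache may refuse to start (the `PassengerTempDir /var/run/passenger` added to puppet/templates/passenger-httpd.conf.erb in this same commit points at it) until the next agent run recreates the directory. Consider a tmpfiles.d-style entry or a service-start dependency instead of relying on the agent, and add a comment on the array line such as `# /var/run is volatile on tmpfs systems; PassengerTempDir in passenger-httpd.conf.erb depends on this directory`. The resource's remaining attributes continue outside the hunk.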
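Review bot: The new comment line `Array of NTP servers using [] will disable external servers.` reads as if the array itself is "using []"; the intended meaning needs a sentence break. Suggest `#   Array of NTP servers. Passing an empty array ([]) disables external servers.` followed by the existing `#   Defaults to pool.ntp.org.` line.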
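Review bot: The added `import "/srv/puppet/files/common/packages/manifests/*.pp"` points at a directory that is only created later by puppet::server::common (the `/srv/puppet/files/common/packages/manifests` resources in puppet/manifests/init.pp in this commit), so a freshly bootstrapped master gets a site.pp that references a path which does not exist yet; if I recall correctly, Puppet's `import` raises an error when a glob matches no file, which would make the master's first run fail until the placeholder init.pp is in place. The heredoc is also only written when site.pp is absent (`if [ ! -s ... ]`), so already-bootstrapped masters will never receive this line, which is worth stating in the commit message or handling separately. Since anything in that directory is now parsed by the master and applied to every agent, a comment above the import noting that write access there equals code execution fleet-wide (`# manifests here are applied to all nodes; keep root-owned, 0755`) would help future readers. The `if` block continues outside the hunk.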
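Review bot: Collapsing `$seltype_readonly`/`$seltype_writable` into a single `$seltype` means that on the non-RHEL≤5 branch every managed path — including the file-serving and manifest locations (`/srv/puppet/files`, `/srv/puppet/templates`, the new `.../packages/manifests/init.pp`; hunks at -276, -305, -335 and -371) — now carries `puppet_var_lib_t`, the label the old code reserved for the writable bucket/reports/rrd directories. If the earlier split was meant to keep the master's own content read-only to the puppetmaster domain, that separation is gone; if `puppetmaster_t` never worked as a file label, that is the reason to record. Suggest a comment at the assignment: `# One label for all master paths; the former readonly/writable split is intentionally dropped — TODO confirm policy intent`. The class body continues outside the hunk.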
@@ -294,8 +292,6 @@ class puppet::server::common inherits puppet::client {
 }
 }
- include ruby::rrd
-
 if $puppet_datadir {
 file { $puppet_datadir:
 ensure => directory,
@@ -305,27 +301,23 @@ class puppet::server::common inherits puppet::client {
 "openbsd" => "wheel",
 default => "root",
 },
- seltype => $seltype_readonly,
+ seltype => $seltype,
 require => Package["puppetmaster"],
 }
 selinux::manage_fcontext { "${puppet_datadir}(/.*)?":
- type => $seltype_readonly,
+ type => $seltype,
 before => File[$puppet_datadir],
 }
- selinux::manage_fcontext { [
- "${puppet_datadir}/bucket(/.*)?",
- "${puppet_datadir}/reports(/.*)?",
- "${puppet_datadir}/rrd(/.*)?",
- ]:
- type => $seltype_writable,
- before => File["/srv/puppet/reports"],
- }
 file { "/srv/puppet":
 ensure => link,
 target => $puppet_datadir,
- seltype => $seltype_readonly,
+ seltype => "usr_t",
 require => File[$puppet_datadir],
 }
+ selinux::manage_fcontext { "/srv/puppet(/.*)?":
+ type => "usr_t",
+ before => File["/srv/puppet"],
+ }
 } else {
 file { "/srv/puppet":
 ensure => directory,
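Review bot: The new `selinux::manage_fcontext { "/srv/puppet(/.*)?": type => "usr_t" }` in the `$puppet_datadir` branch matches every path beneath the symlink, not just the link, while the file resources for `/srv/puppet/bucket`, `/srv/puppet/reports` and `/srv/puppet/files` (hunks at -335 and -371) enforce `seltype => $seltype` through that same symlink; any relabel that resolves those paths by name rather than by the `${puppet_datadir}` rule could then disagree with the agent, which is worth verifying on an enforcing host. If only the link itself needs `usr_t`, narrowing the pattern to `"/srv/puppet"` avoids the overlap; otherwise a comment explaining why the whole subtree is covered would help. The `else` branch opened at the end of this hunk continues outside it.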
@@ -335,35 +327,29 @@ class puppet::server::common inherits puppet::client {
 "openbsd" => "wheel",
 default => "root",
 },
- seltype => $seltype_readonly,
+ seltype => $seltype,
 require => Package["puppetmaster"],
 }
- }
- selinux::manage_fcontext { "/srv/puppet(/.*)?":
- type => $seltype_readonly,
- before => File["/srv/puppet"],
- }
- selinux::manage_fcontext { [
- "/srv/puppet/bucket(/.*)?",
- "/srv/puppet/reports(/.*)?",
- "/srv/puppet/rrd(/.*)?",
- ]:
- type => $seltype_writable,
- before => File["/srv/puppet/reports"],
+ selinux::manage_fcontext { "/srv/puppet(/.*)?":
+ type => $seltype,
+ before => File["/srv/puppet"],
+ }
 }
 file { [ "/srv/puppet/bucket",
- "/srv/puppet/reports",
- "/srv/puppet/rrd", ]:
+ "/srv/puppet/reports", ]:
 ensure => directory,
 mode => "0750",
 owner => $user,
 group => $group,
- seltype => $seltype_writable,
+ seltype => $seltype,
 require => File["/srv/puppet"],
 }
 file { [ "/srv/puppet/files",
- "/srv/puppet/templates" ]:
+ "/srv/puppet/files/common",
+ "/srv/puppet/files/common/packages",
+ "/srv/puppet/files/common/packages/manifests",
+ "/srv/puppet/templates", ]:
 ensure => directory,
 mode => "0755",
 owner => "root",
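Review bot: `/srv/puppet/rrd` is dropped from the managed directory array (and `include ruby::rrd` plus the `rrdgraph` report go away elsewhere in this commit), but nothing sets it to `ensure => absent`, so existing masters keep a stale directory that Puppet no longer owns or labels. If leaving old graph data in place is deliberate, say so at the array: `# rrd reporting removed; an existing /srv/puppet/rrd is intentionally left unmanaged`. The `file` resource for `/srv/puppet/files` and its siblings continues outside the hunk.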
@@ -371,26 +357,26 @@ class puppet::server::common inherits puppet::client {
 "openbsd" => "wheel",
 default => "root",
 },
- seltype => $seltype_readonly,
+ seltype => $seltype,
 require => File["/srv/puppet"],
 }
- file { "/srv/puppet/files/common":
- ensure => directory,
- mode => "0755",
+ file { "/srv/puppet/files/common/packages/manifests/init.pp":
+ ensure => present,
+ mode => "0644",
 owner => "root",
 group => $::operatingsystem ? {
 "openbsd" => "wheel",
 default => "root",
 },
- seltype => $seltype_readonly,
- require => File["/srv/puppet/files"],
+ seltype => $seltype,
+ require => File["/srv/puppet/files/common/packages/manifests"],
 }
 file { "/srv/puppet/files/private":
 ensure => directory,
 mode => "0750",
 owner => "root",
 group => $group,
- seltype => $seltype_readonly,
+ seltype => $seltype,
 require => File["/srv/puppet/files"],
 }
diff --git a/puppet/templates/passenger-httpd.conf.erb b/puppet/templates/passenger-httpd.conf.erb
index ab9ea1e..f9903f0 100644
--- a/puppet/templates/passenger-httpd.conf.erb
+++ b/puppet/templates/passenger-httpd.conf.erb
@@ -47,6 +47,7 @@ Listen 8140
 PassengerGroup puppet
 PassengerHighPerformance On
 PassengerMaxRequests 1000
+ PassengerTempDir /var/run/passenger
 DocumentRoot /var/lib/passenger/puppet/public
 Options None
diff --git a/puppet/templates/puppetmaster.conf.erb b/puppet/templates/puppetmaster.conf.erb
index b7b4722..494c3d0 100644
--- a/puppet/templates/puppetmaster.conf.erb
+++ b/puppet/templates/puppetmaster.conf.erb
@@ -5,10 +5,7 @@
 [puppetmasterd]
 <% end -%>
 # Enable reporting on server.
- reports = tagmail,store,rrdgraph
-
- rrdgraph = true
- rrddir = /srv/puppet/rrd
+ reports = tagmail,store
 report = true
 reportdir = /srv/puppet/reports
diff --git a/sudo/manifests/init.pp b/sudo/manifests/init.pp
index 8ff64f5..0118199 100644
--- a/sudo/manifests/init.pp
+++ b/sudo/manifests/init.pp
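Review bot: `ensure => present` with no `content` or `source` creates an empty `init.pp`, and the only visible reason for it is to give the new site.pp `import ".../packages/manifests/*.pp"` (puppet/bootstrap-server.sh in this commit) something to match — that intent is not recoverable from the resource itself. Add a comment above it: `# Placeholder so the glob import in site.pp always matches at least one file; ensure => present leaves hand-written content untouched`. The file is also labelled `$seltype` like the writable data directories although the master presumably only reads it; see the note on the -195 hunk.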
@@ -65,3 +65,19 @@ define sudo::sudoer($where="ALL", $as_whom="ALL", $what="ALL") {
 }
 }
+
+
+# Disable sudo
+#
+# Cannot remove sudo package itself due to depencies
+#
+class sudo::disable {
+
+ exec { "chmod 0000 /usr/bin/sudo":
+ user => "root",
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ onlyif => "test -u /usr/bin/sudo",
+ }
+
+}
+
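Review bot: The `exec` reimplements what a `file` resource states directly and idempotently — `file { "/usr/bin/sudo": mode => "0000" }` — with no shell-out and no `onlyif` probe; `test -u` only checks the setuid bit, so a binary already stripped of setuid but still executable would not be touched, whereas the file resource converges on the whole mode. Whichever form is kept, a package upgrade of sudo restores the original mode until the next agent run, which deserves a comment on the class: `# Re-applied on every run: package upgrades restore sudo's setuid mode`. Also fix the typo in the header comment, `depencies` → `dependencies`.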