diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index a202ae8..055871f 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1778,6 +1778,76 @@ index 93804ac..1451903 100644
 - except ValueError, e:
 + except ValueError as e:
  self.error(e.args[0])
+diff --git a/policycoreutils-2.4/hll/pp/pp.c b/policycoreutils-2.4/hll/pp/pp.c
+index b863346..d994891 100644
+--- a/policycoreutils-2.4/hll/pp/pp.c
++++ b/policycoreutils-2.4/hll/pp/pp.c
+@@ -1995,12 +1995,23 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
+ // one of these roles in base, the declaration will not appeaer in
+ // the resulting policy, likely resulting in a compilation error in
+ // CIL.
++ //
++ // To make things more complicated, the auditadm_r and secadm_r
++ // roles could actually be in either the base module or a non-base
++ // module, or both. So we can't rely on this same behavior. So for
++ // these roles, don't declare them here, even if they are in a base
++ // or non-base module. Instead we will just declare them in the
++ // base module elsewhere.
+ int is_base_role = (!strcmp(key, "user_r") ||
+ !strcmp(key, "staff_r") ||
+ !strcmp(key, "sysadm_r") ||
+ !strcmp(key, "system_r") ||
+ !strcmp(key, "unconfined_r"));
+- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
++ int is_builtin_role = (!strcmp(key, "auditadm_r") ||
++ !strcmp(key, "secadm_r"));
++ if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
++ (!is_base_role && !is_builtin_role)) {
++
+ cil_println(indent, "(role %s)", key);
+ }
+ }
+@@ -2051,7 +2062,9 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
+
+
+ for (i = 0; i < num_types; i++) {
+- cil_println(indent, "(roletype %s %s)", key, types[i]);
++ if (is_id_in_scope(pdb, decl_stack, types[i], SYM_TYPES)) {
++ cil_println(indent, "(roletype %s %s)", key, types[i]);
++ }
+ }
+
+ break;
+@@ -3594,6 +3607,17 @@ static int generate_default_object(void)
+ return 0;
+ }
+
++static int generate_builtin_roles(void)
++{
++ // due to inconsistentencies between policies and CIL not allowing
++ // duplicate roles, some roles are always created, regardless of if they
++ // are declared in modules or not
++ cil_println(0, "(role auditadm_r)");
++ cil_println(0, "(role secadm_r)");
++
++ return 0;
++}
++
+ static int generate_gen_require_attribute(void)
+ {
+ cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
+@@ -3679,6 +3703,11 @@ static int module_package_to_cil(struct sepol_module_package *mod_pkg)
+ goto exit;
+ }
+
++ rc = generate_builtin_roles();
++ if (rc != 0) {
++ goto exit;
++ }
++
+ // default attribute to be used to mimic gen_require in CIL
+ rc = generate_gen_require_attribute();
+ if (rc != 0) {
 diff --git a/policycoreutils-2.4/newrole/newrole.c b/policycoreutils-2.4/newrole/newrole.c
 index 94794e9..55e8d39 100644
 --- a/policycoreutils-2.4/newrole/newrole.c
@@ -662731,7 +662801,7 @@ index 2a7cfa3..95fba09 100644
  char path[PATH_MAX + 1];
 diff --git a/policycoreutils-2.4/setfiles/setfiles.c b/policycoreutils-2.4/setfiles/setfiles.c
-index 86d3f28..a9c182c 100644
+index 86d3f28..e39b500 100644
 --- a/policycoreutils-2.4/setfiles/setfiles.c
 +++ b/policycoreutils-2.4/setfiles/setfiles.c
 @@ -153,6 +153,9 @@ int main(int argc, char **argv)
@@ -662744,7 +662814,23 @@ index 86d3f28..a9c182c 100644
  memset(&r_opts, 0, sizeof(r_opts));
-@@ -225,8 +228,13 @@ int main(int argc, char **argv)
+@@ -196,6 +199,7 @@ int main(int argc, char **argv)
+ r_opts.add_assoc = 1;
+ r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV;
+ ctx_validate = 1;
++ opts = sopts;
+ } else {
+ /*
+ * restorecon:
+@@ -215,6 +219,7 @@ int main(int argc, char **argv)
+ r_opts.add_assoc = 0;
+ r_opts.fts_flags = FTS_PHYSICAL;
+ ctx_validate = 0;
++ opts = ropts;
+
+ /* restorecon only: silent exit if no SELinux.
+ Allows unconditional execution by scripts. */
+@@ -225,8 +230,13 @@ int main(int argc, char **argv)
  /* This must happen before getopt. */
  r_opts.nfile = exclude_non_seclabel_mounts();
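Review bot: `generate_builtin_roles()` is called from `module_package_to_cil` with no check of the package's policy type, while the comment added to `role_to_cil` says auditadm_r and secadm_r will be declared "in the base module elsewhere". If `module_package_to_cil` also runs for non-base packages, every converted module then emits `(role auditadm_r)` and `(role secadm_r)`, which is exactly the duplicate declaration the new function's own comment says CIL does not allow; either gate the call on the base policy type (the `pdb->policy_type == SEPOL_POLICY_BASE` test already used in `role_to_cil`, if a policydb is reachable at that call site) or reword the `role_to_cil` comment to say the two roles are declared by every module. The new comment also misspells `inconsistentencies` (`inconsistencies`). Both `role_to_cil` and `module_package_to_cil` start and end outside this hunk.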
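Review bot: The `opts = sopts;` / `opts = ropts;` assignments added here are what the `case 'r'` change in the following hunk (`set_rootpath(optarg)`, which replaces the removed `optind + 1 >= argc` check) depends on: in restorecon mode `-r` leaves early via `recurse = 1;`, so the `optarg` path is reached only in setfiles mode and is safe only if `sopts` spells the option as `r:`. `sopts` and `ropts` are declared outside this hunk, so that cannot be confirmed from the diff; if it is not guaranteed, a guard such as `if (optarg == NULL) { fprintf(stderr, "usage: %s -r rootpath\n", argv[0]); exit(-1); }` before the `set_rootpath` call keeps a bare `-r` from passing NULL through. `main` starts before and ends after this hunk.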
@@ -662759,16 +662845,27 @@ index 86d3f28..a9c182c 100644
  switch (opt) {
  case 'c': {
-@@ -326,7 +334,7 @@ int main(int argc, char **argv)
+@@ -315,18 +325,13 @@ int main(int argc, char **argv)
+ recurse = 1;
+ break;
+ }
+- if (optind + 1 >= argc) {
+- fprintf(stderr, "usage: %s -r rootpath\n",
+- argv[0]);
+- exit(-1);
+- }
+ if (NULL != r_opts.rootpath) {
+ fprintf(stderr,
+ "%s: only one -r can be specified\n", argv[0]);
  exit(-1);
  }
 - set_rootpath(argv[optind++]);
-+ set_rootpath(argv[optind]);
++ set_rootpath(optarg);
  break;
  case 's':
  use_input_file = 1;
-@@ -337,7 +345,7 @@ int main(int argc, char **argv)
+@@ -337,7 +342,7 @@ int main(int argc, char **argv)
  if (r_opts.progress) {
  fprintf(stderr, "Progress and Verbose mutually exclusive\n");