diff --git a/container-selinux.tgz b/container-selinux.tgz index 1eb1b31b..c35637b8 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 98ad5a38..7022531d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3190,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..9823c5a68 100644 +index 1d732f1e7..ae2fa67f8 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3376,7 +3376,7 @@ index 1d732f1e7..9823c5a68 100644 # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; -+allow passwd_t self:capability { chown dac_read_search dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; ++allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; @@ -35722,7 +35722,7 @@ index e4376aa98..2c98c5647 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea19..abcc39a8c 100644 +index f6743ea19..8c64a7e19 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) 
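Review bot: The new passwd_t capability line in hunk @@ -3376 re-grants dac_override one release after 3.13.1-288 removed it as unnecessary, and neither the rule nor the changelog records which operation was denied; the same applies to getty_t (@@ -35747), local_login_t (@@ -41208) and systemd_tmpfiles_t (@@ -50582). dac_override lets the domain bypass file read/write/execute permission checks entirely, so without a recorded reason the next cleanup pass will strip it again; a one-line comment above each rule, e.g. `# dac_override: needed for <operation — TODO record the AVC that motivated it>`, would preserve the justification. The replaced line also listed dac_read_search twice and the new line silently fixes that duplicate, which is worth a mention in the changelog. These `-+`/`++` lines are the new side of a nested patch, so the surrounding usermanage.te context is outside this hunk.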
@@ -35747,7 +35747,7 @@ index f6743ea19..abcc39a8c 100644 # Use capabilities. -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; -+allow getty_t self:capability { dac_read_search chown setgid sys_resource sys_tty_config fowner fsetid }; ++allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; @@ -41173,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa9908..a0d1b1ff7 100644 +index 446fa9908..31ffd73ab 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -41208,7 +41208,7 @@ index 446fa9908..a0d1b1ff7 100644 -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; -+allow local_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; ++allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; @@ -50091,10 +50091,10 @@ index 000000000..634d9596a +') 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..3660fe1c4 +index 000000000..e83a61cca --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1025 @@ +@@ -0,0 +1,1027 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50582,7 +50582,7 @@ index 000000000..3660fe1c4 +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { chown dac_read_search fsetid fowner mknod sys_admin }; ++allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; @@ -51029,6 +51029,8 @@ index 000000000..3660fe1c4 +dev_read_sysfs(systemd_resolved_t) + +sysnet_manage_config(systemd_resolved_t) ++sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf") ++sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp") + +userdom_dbus_send_all_users(systemd_resolved_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index a5dfd76c..55371764 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -111760,10 +111760,10 @@ index 000000000..368e18842 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..761cc35b0 +index 000000000..1ef713150 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,80 @@ +@@ -0,0 +1,84 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -111844,6 +111844,10 @@ index 000000000..761cc35b0 +optional_policy(` + mount_domtrans(tlp_t) +') ++ ++optional_policy(` ++ sssd_stream_connect(tlp_t) ++') diff --git a/tmpreaper.te b/tmpreaper.te index 585a77f95..9858c8b8d 100644 --- a/tmpreaper.te diff --git a/selinux-policy.spec b/selinux-policy.spec index bad78440..bbbab847 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
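Review bot: The two sysnet_filetrans_config_fromdir() calls added in hunk @@ -51029 are not mentioned in the 3.13.1-289 changelog, which lists only the dac_override and tlp changes, so the resolv.conf labelling change for systemd_resolved_t is invisible to anyone reading the release notes. The first argument pair also lacks the space after the comma that other filetrans calls in this patch use (compare the userdom_admin_home_dir_filetrans call in @@ -41173): `sysnet_filetrans_config_fromdir(systemd_resolved_t, systemd_resolved_var_run_t, file, "resolv.conf")` and likewise for "resolv.conf.tmp". If the interface gives files that systemd-resolved creates under its runtime directory the network-config type (presumably net_conf_t — confirm against the interface definition), a short comment stating that, and why the .tmp name is included, would help the next reader. The systemd_resolved_t rule block continues outside the hunk.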
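Review bot: The new `sssd_stream_connect(tlp_t)` block in hunk @@ -111844 carries no comment explaining why a power-management daemon needs a socket to sssd, and the changelog entry only restates the rule. Presumably this is user/group resolution routed through nss_sss when tlp runs — confirm against the denial that motivated it — and a comment above the optional_policy block such as `# sssd_stream_connect: user/group lookups via nss_sss (confirm from AVC)` would record that. tlp.te's other optional_policy blocks are outside this hunk.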
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 288%{?dist} +Release: 289%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,11 @@ exit 0 %endif %changelog +* Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289 +- Allow tlp_t domain stream connect to sssd_t domain +- Add missing dac_override capability +- Add systemd_tmpfiles_t dac_override capability + * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288 - Remove all unnecessary dac_override capability in SELinux modules