diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index dc9e64c9..1d74ecc4 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8744,7 +8744,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..806e1cc 100644 +index cf04cb5..e0615d1 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8785,7 +8785,7 @@ index cf04cb5..806e1cc 100644 # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -8827,13 +8827,14 @@ index cf04cb5..806e1cc 100644 +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + ++ +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) +') ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -8852,7 +8853,7 @@ index cf04cb5..806e1cc 100644 ') optional_policy(` -@@ -133,6 +190,9 @@ optional_policy(` +@@ -133,6 +191,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -8862,7 +8863,7 @@ index cf04cb5..806e1cc 100644 ') ######################################## -@@ -147,12 +207,18 @@ optional_policy(` +@@ -147,12 +208,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; 
@@ -8882,7 +8883,7 @@ index cf04cb5..806e1cc 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +232,346 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +233,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9086,6 +9087,7 @@ index cf04cb5..806e1cc 100644 + systemd_filetrans_named_content(named_filetrans_domain) + systemd_filetrans_named_hostname(named_filetrans_domain) + systemd_filetrans_home_content(named_filetrans_domain) ++ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain) +') + +optional_policy(` @@ -27067,7 +27069,7 @@ index 3efd5b6..0bd3a26 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..73376ca 100644 +index 09b791d..ff0708e 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) 
@@ -27338,17 +27340,37 @@ index 09b791d..73376ca 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +453,42 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) --tunable_policy(`authlogin_nsswitch_use_ldap',` -- files_list_var_lib(nsswitch_domain) +systemd_hostnamed_read_config(nsswitch_domain) ++ ++ + tunable_policy(`authlogin_nsswitch_use_ldap',` +- files_list_var_lib(nsswitch_domain) ++ allow nsswitch_domain self:tcp_socket create_socket_perms; ++') ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ corenet_tcp_sendrecv_generic_if(nsswitch_domain) ++ corenet_tcp_sendrecv_generic_node(nsswitch_domain) ++ corenet_tcp_sendrecv_ldap_port(nsswitch_domain) ++ corenet_tcp_connect_ldap_port(nsswitch_domain) ++ corenet_sendrecv_ldap_client_packets(nsswitch_domain) ++') ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ # Support for LDAPS ++ dev_read_rand(nsswitch_domain) ++ # LDAP Configuration using encrypted requires ++ dev_read_urand(nsswitch_domain) ++ sysnet_read_config(nsswitch_domain) ++') +tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) - sysnet_use_ldap(nsswitch_domain) +- sysnet_use_ldap(nsswitch_domain) ') optional_policy(` @@ -27359,10 +27381,11 @@ index 09b791d..73376ca 100644 + +optional_policy(` + tunable_policy(`authlogin_nsswitch_use_ldap',` ++ ldap_read_certs(nsswitch_domain) ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +480,7 @@ optional_policy(` +@@ -438,6 +501,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -27370,7 +27393,7 @@ index 09b791d..73376ca 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +499,145 @@ optional_policy(` +@@ -456,10 +520,145 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -31296,7 +31319,7 @@ index 0d4c8d3..e6ffda3 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') 
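Review bot: The authlogin.te hunk leaves four consecutive `tunable_policy(`authlogin_nsswitch_use_ldap',` blocks (the tcp_socket allow, the corenet calls, the dev_read_rand/urand plus sysnet_read_config group, and the existing miscfiles_read_generic_certs block) that all guard the same tunable and contain no optional_policy, so they could be one block; only the `ldap_read_certs` call needs its own `optional_policy(` wrapper. Unless the split works around a build constraint not visible here, merging them keeps the conditional policy easier to audit, and the same triple split is introduced in the dhcp.te hunk for `dhcpd_use_ldap`. The two added blank lines after `systemd_hostnamed_read_config(nsswitch_domain)` also leave a double blank line in the file.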
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..d6d434a 100644 +index 312cd04..3c62b4c 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -31493,7 +31516,7 @@ index 312cd04..d6d434a 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +325,22 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -31517,11 +31540,12 @@ index 312cd04..d6d434a 100644 +optional_policy(` + bind_read_dnssec_keys(ipsec_mgmt_t) + bind_read_config(ipsec_mgmt_t) ++ bind_read_state(ipsec_mgmt_t) +') optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +364,10 @@ optional_policy(` +@@ -322,6 +365,10 @@ optional_policy(` ') optional_policy(` @@ -31532,7 +31556,7 @@ index 312cd04..d6d434a 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +381,7 @@ optional_policy(` +@@ -335,7 +382,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -31541,7 +31565,7 @@ index 312cd04..d6d434a 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +416,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -31561,7 +31585,7 @@ index 312cd04..d6d434a 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +446,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) 
@@ -31574,7 +31598,7 @@ index 312cd04..d6d434a 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +483,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -37506,7 +37530,7 @@ index 40edc18..a072ac2 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..1c0de21 100644 +index 2cea692..e094fc0 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -37843,17 +37867,22 @@ index 2cea692..1c0de21 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -763,6 +968,9 @@ interface(`sysnet_use_ldap',` +@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',` + + # Support for LDAPS + dev_read_rand($1) ++ # LDAP Configuration using encrypted requires dev_read_urand($1) sysnet_read_config($1) + -+ # LDAP Configuration using encrypted requires -+ dev_read_urand($1) ++ optional_policy(` ++ ldap_read_certs($1) ++ ') ') ######################################## -@@ -784,7 +992,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -37861,7 +37890,7 @@ index 2cea692..1c0de21 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1003,115 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1005,115 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -37978,7 +38007,7 @@ index 2cea692..1c0de21 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') 
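Review bot: `sysnet_use_ldap` now carries an `optional_policy(` block around `ldap_read_certs($1)`, and an interface that contains an optional block can no longer be invoked from inside a `tunable_policy` block, because a conditional cannot contain an optional; the interface header itself is outside this hunk. The commit inlines the former tunable_policy callers in authlogin.te and dhcp.te, but any other caller still doing sysnet_use_ldap inside a tunable_policy would presumably fail to build, which a grep over the contrib tree would confirm. The constraint should be stated on the interface so the next caller does not reintroduce it, e.g. `# Contains optional_policy(); must not be called from inside tunable_policy().` placed above the interface definition.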
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..b0a854f 100644 +index a392fc4..f1782ee 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -38208,7 +38237,7 @@ index a392fc4..b0a854f 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +312,23 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +312,24 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -38225,6 +38254,7 @@ index a392fc4..b0a854f 100644 +can_exec(ifconfig_t, ifconfig_exec_t) + +manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) ++manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) +allow ifconfig_t ifconfig_var_run_t:file mounton; @@ -38232,7 +38262,7 @@ index a392fc4..b0a854f 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +338,31 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +339,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -38249,7 +38279,8 @@ index a392fc4..b0a854f 100644 +dev_unmount_sysfs_fs(ifconfig_t) domain_use_interactive_fds(ifconfig_t) - ++domain_read_all_domains_state(ifconfig_t) ++ +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + +files_dontaudit_rw_inherited_pipes(ifconfig_t) 
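Review bot: `domain_read_all_domains_state(ifconfig_t)` in the sysnetwork.te hunk gives the ifconfig domain read access to the /proc state of every domain on the system, which is a broad grant for a network configuration tool, and neither the hunk nor the changelog says which program needs it. If the denial came from one specific domain, a narrower per-domain read interface would be preferable; if the broad form is genuinely required, a comment naming the tool and what it reads, e.g. `# [TOOL-NAME] reads other domains' /proc state — TODO name the caller`, would let a later reviewer re-check it. The rest of the ifconfig_t policy continues outside this hunk.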
@@ -38257,14 +38288,14 @@ index a392fc4..b0a854f 100644 +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) +files_dontaudit_rw_var_files(ifconfig_t) -+ + files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) +files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,24 +375,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +377,50 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -38292,8 +38323,13 @@ index a392fc4..b0a854f 100644 +userdom_use_inherited_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) ++optional_policy(` ++ hostname_exec(ifconfig_t) ++') ++ ifdef(`distro_ubuntu',` -@@ -325,7 +399,22 @@ ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(ifconfig_t) ') ') @@ -38316,7 +38352,7 @@ index a392fc4..b0a854f 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +425,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +431,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -38329,7 +38365,7 @@ index a392fc4..b0a854f 100644 ') optional_policy(` -@@ -350,7 +443,15 @@ optional_policy(` +@@ -350,7 +449,15 @@ optional_policy(` ') optional_policy(` @@ -38346,7 +38382,7 @@ index a392fc4..b0a854f 100644 ') optional_policy(` -@@ -371,3 +472,13 @@ optional_policy(` +@@ -371,3 +478,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -38417,10 +38453,10 @@ index 0000000..916c8ed +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..8bca1d7 +index 0000000..24b2af3 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1440 @@ +@@ -0,0 +1,1458 @@ +## SELinux policy for systemd components + +###################################### 
@@ -38792,6 +38828,24 @@ index 0000000..8bca1d7 + +###################################### +## ++## Dontaudit attempts to write inherited logind sessions pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',` ++ gen_require(` ++ type systemd_logind_sessions_t; ++ ') ++ ++ dontaudit $1 systemd_logind_sessions_t:fifo_file write; ++') ++ ++###################################### ++## +## Write systemd inhibit pipes. +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 926732cd..f21df752 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -19874,7 +19874,7 @@ index dda905b..ccd0ba9 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..2b84a85 100644 +index 62d22cb..89671dd 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -19999,7 +19999,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -103,91 +129,82 @@ template(`dbus_role_template',` +@@ -103,91 +129,84 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -20021,6 +20021,8 @@ index 62d22cb..2b84a85 100644 - files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) ++ ++ dev_read_urand($1) + # For connecting to the bus files_search_pids($1) @@ -20123,7 +20125,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',` +@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',` ## ## # @@ -20148,7 +20150,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -211,57 +231,39 @@ interface(`dbus_session_bus_client',` +@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',` ## ## # 
@@ -20220,7 +20222,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -269,15 +271,19 @@ interface(`dbus_spec_session_bus_client',` +@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',` ## ## # @@ -20246,7 +20248,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -285,44 +291,52 @@ interface(`dbus_send_session_bus',` +@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',` ## ## # @@ -20313,7 +20315,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -330,18 +344,18 @@ interface(`dbus_send_spec_session_bus',` +@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',` ## ## # @@ -20337,7 +20339,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -349,20 +363,18 @@ interface(`dbus_read_config',` +@@ -349,20 +365,18 @@ interface(`dbus_read_config',` ## ## # @@ -20363,7 +20365,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -370,26 +382,20 @@ interface(`dbus_read_lib_files',` +@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',` ## ## # @@ -20396,7 +20398,7 @@ index 62d22cb..2b84a85 100644 ## ## ## Type to be used as a domain. -@@ -397,81 +403,67 @@ interface(`dbus_manage_lib_files',` +@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -20506,7 +20508,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -479,18 +471,18 @@ interface(`dbus_spec_session_domain',` +@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',` ## ## # @@ -20530,7 +20532,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -498,98 +490,80 @@ interface(`dbus_connect_system_bus',` +@@ -498,98 +492,80 @@ interface(`dbus_connect_system_bus',` ## ## # @@ -20657,7 +20659,7 @@ index 62d22cb..2b84a85 100644 ## ## ## -@@ -597,28 +571,49 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +573,49 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -22165,7 +22167,7 @@ index c697edb..31d45bf 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 98a24b9..36e32aa 100644 +index 98a24b9..5b576ff 100644 --- a/dhcp.te +++ b/dhcp.te 
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -22194,23 +22196,39 @@ index 98a24b9..36e32aa 100644 files_read_etc_runtime_files(dhcpd_t) files_search_var_lib(dhcpd_t) -@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t) +@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t) logging_send_syslog_msg(dhcpd_t) -miscfiles_read_localization(dhcpd_t) - ++sysnet_read_config(dhcpd_t) sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',` - sysnet_use_ldap(dhcpd_t) - ') + userdom_dontaudit_search_user_home_dirs(dhcpd_t) -+ifdef(`distro_gentoo',` -+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; + tunable_policy(`dhcpd_use_ldap',` +- sysnet_use_ldap(dhcpd_t) ++ allow dhcpd_t self:tcp_socket create_socket_perms; +') + ++tunable_policy(`dhcpd_use_ldap',` ++ corenet_tcp_sendrecv_generic_if(dhcpd_t) ++ corenet_tcp_sendrecv_generic_node(dhcpd_t) ++ corenet_tcp_sendrecv_ldap_port(dhcpd_t) ++ corenet_tcp_connect_ldap_port(dhcpd_t) ++ corenet_sendrecv_ldap_client_packets(dhcpd_t) ++') ++ ++tunable_policy(`dhcpd_use_ldap',` ++ ldap_read_certs(dhcpd_t) ++') ++ ++ifdef(`distro_gentoo',` ++ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; + ') + optional_policy(` + # used for dynamic DNS bind_read_dnssec_keys(dhcpd_t) @@ -24089,10 +24107,10 @@ index 0000000..1048292 +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..acaabd3 +index 0000000..4b54a05 --- /dev/null +++ b/docker.te -@@ -0,0 +1,267 @@ +@@ -0,0 +1,268 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24319,6 +24337,7 @@ index 0000000..acaabd3 +modutils_domtrans_insmod(docker_t) + +systemd_status_all_unit_files(docker_t) ++systemd_start_systemd_services(docker_t) + +userdom_stream_connect(docker_t) +userdom_search_user_home_content(docker_t) @@ -28246,10 +28265,10 @@ index 0000000..04e159f +') 
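Review bot: The new `tunable_policy(`dhcpd_use_ldap',` block that calls `ldap_read_certs(dhcpd_t)` in the dhcp.te hunk is not wrapped in `optional_policy(`, unlike the equivalent `ldap_read_certs` additions in authlogin.te and sysnetwork.if in this same commit. `ldap_read_certs` presumably carries a gen_require on ldap module types, so a policy build without the ldap module would fail on dhcp rather than degrade gracefully. Wrap that tunable_policy block in an outer `optional_policy(` … `)` exactly as the authlogin.te hunk does; the moved `ifdef(`distro_gentoo'` block is unaffected.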
diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..e6a1c7c +index 0000000..7f1639a --- /dev/null +++ b/gear.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,105 @@ +policy_module(gear, 1.0.0) + +######################################## @@ -28277,7 +28296,7 @@ index 0000000..e6a1c7c +# +# gear local policy +# -+allow gear_t self:capability chown; ++allow gear_t self:capability { chown net_admin fowner dac_override }; +allow gear_t self:capability2 block_suspend; +allow gear_t self:process { getattr signal_perms }; +allow gear_t self:fifo_file rw_fifo_file_perms; @@ -28351,6 +28370,10 @@ index 0000000..e6a1c7c +optional_policy(` + docker_stream_connect(gear_t) +') ++ ++optional_policy(` ++ openshift_manage_lib_files(gear_t) ++') diff --git a/geoclue.fc b/geoclue.fc new file mode 100644 index 0000000..a97f14f @@ -28946,11 +28969,20 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index 5cd0909..a304d35 100644 +index 5cd0909..1464b4d 100644 --- a/glance.te +++ b/glance.te -@@ -7,8 +7,7 @@ policy_module(glance, 1.1.0) +@@ -5,10 +5,16 @@ policy_module(glance, 1.1.0) + # Declarations + # ++## ++##
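Review bot: The gear.te hunk widens `allow gear_t self:capability chown;` to `{ chown net_admin fowner dac_override }`, and two of those are among the broadest capabilities available: dac_override bypasses every DAC permission check and net_admin covers all network configuration. dac_override is usually a symptom of gear touching files owned by a different uid, which is better fixed by ownership or labeling, and the changelog's "Additional access required for gear management of openshift directories" explains `openshift_manage_lib_files` but not why network administration is needed. A comment on the allow line naming the operation behind each capability would let a later reviewer drop them once they are no longer needed.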

++## Allow glance domain to manage fuse files ++##

++##
++gen_tunable(glance_use_fusefs, false) ++ attribute glance_domain; -type glance_registry_t, glance_domain; @@ -28959,7 +28991,7 @@ index 5cd0909..a304d35 100644 init_daemon_domain(glance_registry_t, glance_registry_exec_t) type glance_registry_initrc_exec_t; -@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t) +@@ -17,8 +23,10 @@ init_script_file(glance_registry_initrc_exec_t) type glance_registry_tmp_t; files_tmp_file(glance_registry_tmp_t) @@ -28972,7 +29004,7 @@ index 5cd0909..a304d35 100644 init_daemon_domain(glance_api_t, glance_api_exec_t) type glance_api_initrc_exec_t; -@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t) +@@ -41,6 +49,7 @@ files_pid_file(glance_var_run_t) # Common local policy # @@ -28980,7 +29012,7 @@ index 5cd0909..a304d35 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,29 +65,38 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -29011,6 +29043,15 @@ index 5cd0909..a304d35 100644 - sysnet_dns_name_resolve(glance_domain) ++tunable_policy(`glance_use_fusefs',` ++ fs_manage_fusefs_dirs(glance_domain) ++ fs_manage_fusefs_files(glance_domain) ++ fs_read_fusefs_symlinks(glance_domain) ++ fs_getattr_fusefs(glance_domain) ++') ++ ++ ++ +optional_policy(` + mysql_read_db_lnk_files(glance_domain) +') 
@@ -29018,7 +29059,7 @@ index 5cd0909..a304d35 100644 ######################################## # # Registry local policy -@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +106,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -29033,7 +29074,7 @@ index 5cd0909..a304d35 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +132,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -43398,10 +43439,10 @@ index 0000000..8d0e473 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/mock.if b/mock.if new file mode 100644 -index 0000000..6568bfe +index 0000000..f5b98e6 --- /dev/null +++ b/mock.if -@@ -0,0 +1,310 @@ +@@ -0,0 +1,311 @@ +## policy for mock + +######################################## @@ -43457,6 +43498,7 @@ index 0000000..6568bfe + ') + + files_search_var_lib($1) ++ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) + read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + @@ -43714,10 +43756,10 @@ index 0000000..6568bfe +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..fc64201 +index 0000000..1bf717f --- /dev/null +++ b/mock.te -@@ -0,0 +1,276 @@ +@@ -0,0 +1,277 @@ +policy_module(mock,1.0.0) + +## 
@@ -43912,7 +43954,7 @@ index 0000000..fc64201 +# +# mock_build local policy +# -+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace }; +dontaudit mock_build_t self:capability audit_write; +allow mock_build_t self:process { fork setsched setpgid signal_perms }; +allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; @@ -43989,6 +44031,7 @@ index 0000000..fc64201 + +libs_exec_ldconfig(mock_build_t) + ++term_use_all_inherited_terms(mock_build_t) +userdom_use_inherited_user_ptys(mock_build_t) + +tunable_policy(`mock_enable_homedirs',` @@ -79241,7 +79284,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..c820b6f 100644 +index d32e1a2..54838ad 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) @@ -79262,7 +79305,7 @@ index d32e1a2..c820b6f 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -50,25 +49,49 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +49,50 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -79271,6 +79314,7 @@ index d32e1a2..c820b6f 100644 +kernel_read_sysctl(rhsmcertd_t) + +corenet_tcp_connect_http_port(rhsmcertd_t) ++corenet_tcp_connect_http_cache_port(rhsmcertd_t) +corenet_tcp_connect_squid_port(rhsmcertd_t) corecmd_exec_bin(rhsmcertd_t) @@ -88224,7 +88268,7 @@ index 12700b4..fde3c8d 100644 + unconfined_domain(unconfined_sendmail_t) ') 
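Review bot: The mock.te hunk adds sys_ptrace to the mock_build_t capability set, and combined with process:ptrace permissions that allows a build to inspect other processes rather than just its own chroot. sys_ptrace denials are commonly raised by a tool reading /proc/<pid> entries of processes owned by other users rather than by an actual ptrace, and in that case the established pattern is `dontaudit mock_build_t self:capability sys_ptrace;` instead of an allow. The changelog only says "Allow sys_ptrace for mock-build", so if the allow is genuinely needed a comment naming the build step that requires it would help future review.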
diff --git a/sensord.fc b/sensord.fc -index 8185d5a..97926d2 100644 +index 8185d5a..9be989a 100644 --- a/sensord.fc +++ b/sensord.fc @@ -1,5 +1,9 @@ @@ -88234,7 +88278,7 @@ index 8185d5a..97926d2 100644 /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) -+/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0) ++/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0) + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/sensord.if b/sensord.if @@ -89414,7 +89458,7 @@ index e2544e1..d3fbd78 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index 7292dc0..41c780f 100644 +index 7292dc0..ce903d6 100644 --- a/slocate.te +++ b/slocate.te @@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t) @@ -89425,6 +89469,15 @@ index 7292dc0..41c780f 100644 ifdef(`enable_mls',` files_dontaudit_getattr_all_dirs(locate_t) +@@ -71,3 +70,8 @@ ifdef(`enable_mls',` + optional_policy(` + cron_system_entry(locate_t, locate_exec_t) + ') ++ ++optional_policy(` ++ mock_getattr_lib(locate_t) ++') ++ diff --git a/slpd.if b/slpd.if index ca32e89..98278dd 100644 --- a/slpd.if @@ -91463,7 +91516,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..c76586c 100644 +index cc58e35..4f35a1b 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) 
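Review bot: The new sensord.fc entry `/var/log/sensor.*` drops both the daemon-name suffix and the `--` file-class qualifier of the line it replaces, and the unescaped `.` plus `.*` matches every path under /var/log that starts with `sensor`, including files or directories belonging to other packages. If the intent is to cover sensord's rrd file and rotated logs, anchoring on the daemon name, `/var/log/sensord.* gen_context(system_u:object_r:sensord_log_t,s0)`, keeps the labeling specific to sensord. The hunk and changelog give no context for why the pattern was widened beyond the rrd file.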
@@ -91937,17 +91990,17 @@ index cc58e35..c76586c 100644 allow spamd_t self:unix_dgram_socket sendto; -allow spamd_t self:unix_stream_socket { accept connectto listen }; -allow spamd_t self:tcp_socket { accept listen }; -- ++allow spamd_t self:unix_stream_socket connectto; ++allow spamd_t self:tcp_socket create_stream_socket_perms; ++allow spamd_t self:udp_socket create_socket_perms; + -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") -+allow spamd_t self:unix_stream_socket connectto; -+allow spamd_t self:tcp_socket create_stream_socket_perms; -+allow spamd_t self:udp_socket create_socket_perms; - +- -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) @@ -92130,7 +92183,7 @@ index cc58e35..c76586c 100644 ') optional_policy(` -@@ -455,7 +533,12 @@ optional_policy(` +@@ -455,7 +533,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -92141,10 +92194,15 @@ index cc58e35..c76586c 100644 + tunable_policy(`spamd_enable_home_dirs',` + razor_manage_user_home_files(spamd_t) + ') ++') ++ ++optional_policy(` ++ spamassassin_filetrans_home_content(spamd_t) ++ spamassassin_filetrans_admin_home_content(spamd_t) ') optional_policy(` -@@ -463,9 +546,9 @@ optional_policy(` +@@ -463,9 +551,9 @@ optional_policy(` ') optional_policy(` @@ -92155,7 +92213,7 @@ index cc58e35..c76586c 100644 ') optional_policy(` -@@ -474,32 +557,32 @@ optional_policy(` +@@ -474,32 +562,32 @@ optional_policy(` ######################################## # 
@@ -92198,7 +92256,7 @@ index cc58e35..c76586c 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +591,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +596,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -95958,7 +96016,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index d010963..5ecc3bf 100644 +index d010963..3822bc7 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) @@ -95970,8 +96028,11 @@ index d010963..5ecc3bf 100644 allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -@@ -58,13 +58,13 @@ kernel_read_system_state(tgtd_t) +@@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) + + kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) ++kernel_read_network_state(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) -corenet_all_recvfrom_unlabeled(tgtd_t) @@ -95985,7 +96046,7 @@ index d010963..5ecc3bf 100644 corenet_tcp_sendrecv_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_client_packets(tgtd_t) -@@ -72,16 +72,16 @@ corenet_tcp_connect_isns_port(tgtd_t) +@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t) dev_read_sysfs(tgtd_t) @@ -101047,7 +101108,7 @@ index facdee8..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..fe84861 100644 +index f03dcf5..25f4104 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,212 @@ @@ -101909,7 +101970,7 @@ index f03dcf5..fe84861 100644 tunable_policy(`virt_use_samba',` - fs_manage_cifs_files(virtd_t) -+ fs_manage_nfs_files(virtd_t) ++ fs_manage_cifs_dirs(virtd_t) fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') 
@@ -102020,16 +102081,7 @@ index f03dcf5..fe84861 100644 +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; +allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; - --allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; --allow virsh_t self:process { getcap getsched setsched setcap signal }; --allow virsh_t self:fifo_file rw_fifo_file_perms; --allow virsh_t self:unix_stream_socket { accept connectto listen }; --allow virsh_t self:tcp_socket { accept listen }; -- --manage_files_pattern(virsh_t, virt_image_type, virt_image_type) --manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) --manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++ +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; 
@@ -102047,17 +102099,30 @@ index f03dcf5..fe84861 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) -+ -+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) -+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) -+files_var_filetrans(virt_domain, virt_cache_t, { file dir }) +-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +-allow virsh_t self:process { getcap getsched setsched setcap signal }; +-allow virsh_t self:fifo_file rw_fifo_file_perms; +-allow virsh_t self:unix_stream_socket { accept connectto listen }; +-allow virsh_t self:tcp_socket { accept listen }; +- +-manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +- -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) ++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) ++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) ++files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) 
@@ -102089,18 +102154,15 @@ index f03dcf5..fe84861 100644 + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +dontaudit virt_domain virt_tmpfs_type:file { read write }; --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +-allow virsh_t svirt_lxc_domain:process transition; +append_files_pattern(virt_domain, virt_log_t, virt_log_t) --allow virsh_t svirt_lxc_domain:process transition; -+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - -can_exec(virsh_t, virsh_exec_t) ++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) ++ +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -102132,7 +102194,7 @@ index f03dcf5..fe84861 100644 +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) - ++ +fs_getattr_xattr_fs(virt_domain) +fs_getattr_tmpfs(virt_domain) +fs_rw_anon_inodefs_files(virt_domain) @@ -102221,7 +102283,7 @@ index f03dcf5..fe84861 100644 + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') -+ + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index dafc7a58..150d0410 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 47%{?dist} +Release: 48%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -588,6 +588,20 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 25 2014 Miroslav Grepl 3.13.1-48
+- Fix virt_use_samba boolean
+- Looks like all domains that use dbus libraries are now reading /dev/urand
+- Add glance_use_fusefs() boolean
+- Allow tgtd to read /proc/net/psched
+- Additional access required for gear management of openshift directories
+- Allow sys_ptrace for mock-build
+- Fix mock_read_lib_files() interface
+- Allow mock-build to write all inherited ttys and ptys
+- Allow spamd to create razor home dirs with correct labeling
+- Clean up sysnet_use_ldap()
+- systemd calling needs to be optional
+- Allow init_t to setattr/relabelfrom dhcp state files
+
 * Wed Apr 23 2014 Miroslav Grepl 3.13.1-47
 - mongod should not be a part of cloudforms.pp
 - Fix labeling in snapper.fc