From 6140a0daa8b8c8eed08c6264738360d3bfab68c2 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 16 Aug 2016 13:47:01 +0200 Subject: [PATCH] * Tue Aug 16 2016 Lukas Vrabec 3.13.1-209 - Fix lsm SELinux module - Dontaudit firewalld to create dirs in /root/ BZ(1340611) - Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t - Allow fprintd and cluster domains to communicate via dbus BZ(1355774) - Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299) - Add sys_admin capability to sbd domain - Allow vdagent to communicate with systemd-logind via dbus - Allow lsmd_plugin_t domain to create fixed_disk device. - Allow opendnssec domain to create and manage own tmp dirs/files - Allow opendnssec domain to read system state - Allow systemd_logind stop system init_t - Add interface init_stop() - Add interface userdom_dontaudit_create_admin_dir() - Label /var/run/storaged as lvm_var_run_t. - Allow unconfineduser to run ipa_helper_t. --- docker-selinux.tgz | Bin 4314 -> 4314 bytes policy-rawhide-base.patch | 63 +++++++++++++++++++++----- policy-rawhide-contrib.patch | 85 +++++++++++++++++++++++------------ selinux-policy.spec | 19 +++++++- 4 files changed, 127 insertions(+), 40 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 3ecf0a874adbb9e1509609d4e6d639038983daf8..36c37c61d1bb6dcb9d32b3456329a9a37036fd19 100644 GIT binary patch delta 4221 zcmV-@5Q6X8A=)8-ABzY8T>P?E00Zq@>yO(u63?Nslocsn)3T{!5=2#%rE$d4vIyd`U{P9- zIv~XcJ}x#ZW@%gfqW< z_4{(MAw^h|e>Z6j1k1&O?JG6rkiAmh2uv+xAD4@l=gZ|HE^89!Nk~al$J=m~7H8jF zpDz~*IIJQDo#I^!LH}guON2VItYeVR(~>n#dsNPU)1(_m1*hyw^*~wv!aGu;%+ghm zz$jx@)+wPgq_`N8Vid=Oaq@qUA@RBKvCNmRR~Hu? zSu{I;%&Z1_R3X!CRFfwoW|WFc2wAC0O%X}0ZdW9K zEjE+7bvzTweoc#Molk@}YBjX}n;ZD|2L63}L`Ul9fBf_mb^`8wRB19}AE=wcV^si$ zPIXl|O8?GrLoQ0{yTkJ_gJSRH2xbMjd&)>2vur#e^U=D|6e;5pZr4JfCDIvE&|*PS zB(F(UqSp*kNkLh7OCT@BELUz_3h)XIEX6LtwGlXW^k)p?1CxaVb$<`>who1=??UMO zID*AX#AIz0CU!+7V9Z>Tg3S>xUj1$c#LO9{i@M!FvGXL9Lqy3>6uq%0yP9>Bh7BE+ z&&mx~dl#VGpj?34GAH&z%WX>TfqXum%?jIJ1PS}OPTeES%E!GIH z<17WKOAHXq23#sGAb%$cmz+Y#?&D71YCXLDt3bf$-vF56P1#8eDGkt_b-KAA#ocl6 zwk2iscu?HSJqlV)Xqnwz;Cv4R6pMg6y95H$SAzivqa;rYq3f84buOlO5){aVUdqD) zy0R!_Fd?m0iT+mWJxwLw}msqis%Rm5%XyM!=MZfeD}spZ~s@DC^+H6B41$YHT^)`ss) zz^YKVZeUb_oF9)U_ye3m$FTqNghrvBC$NucT^9K)Pv8+2ijQ!9)Z)%1sihkTaIDQA zc2UROP5-9YR)2;(WEo!spTLE!VTu7wH${{QuP*rfaY7IRu-xK0T2=qU88|Pyk!kZP z^&qnhsx4*|;25_MGO{X{LNjm1dF7PtICq54So4usQw5Ir6!)S=m5d6jGE3t$b-#DMAE zJM1jXu_lL>l{|*URg<44{D)VT80^Q$ub>!}jirp|``5U=8s5lPcR9piG7fIU-B9xM zYzds^*gmvS$S3Nsab=n5O8U%=W1Lm$*K=(|qsXAQm|VhNyR`OCamid7Bahg}Nd5Qw8%O>3&6`vG z_m{YYqaWsF0TFi_!V&p}nzOrK{|($olOG#socqLm)K-r&GOz6#b+ zMhVQsGS4pi!cY2=h~#Av3R9>M?V|4UrDzXnv-%@UlQ7;!#fD&O&Lb$zs43AJ4v{TQ zSAR+J;H@+186m$sY7A?>iBUzp?7Ijb`}f9Y=?^{3;ThgWH|u`ZX|+Ud99IY~J~v0K z?mBZ&*;)J)H|2TBS%=W#ZW9=yNBNr%wVz{fWl02IrcNHtI?X*E-j#ibaAr2!YM57s zJm81Pz#IDvYuaIfpB57mIArf$F-N+?WPj}Ymu`NW&VuRWqg1v)-#qJ6S^VuOqc}8V z`!lP>V$g?QeO1$?iStaGG*PhfQ5Fc33HKv;>?j>OO0x9_@OYwCnx$+Xd9PX0CwcH7*U0#YERu`El@8`zbZ-tpu(*0C zYm@X?M|s+Hya`tPiKh*%NRfcO^+#}~L3fsO_BIrKn$)#quFArhy!}ehsQ{y=VSXU% zOl;ablo@v9ey0g>06=gO77q>I;D7HP&rTb^*bsX8-)Up_Fk5?%XW)wY6AqjohX$YZ 
z;q=tOZ|q;whwf*cpnXnu_bI%O*O<5JF!+3KKhP%62c^lP&JzqS0~BdI*L9hEy8COY42M`J$k55&^(Z_Nl$;(3PM$aV8}{!Rb01`%Hvf?k$ld7x41ZO&bO6LE zd-zP;$}F4tt7C@teq8Frw66!y57T$_tA`klX&EF)PNj2HoJJ6xBff6Pryd+BSbhAl#)xCrhEq}B(rKLKZawZ&-O6U+N6~$rrNym9AdhpSjvmAPPQRT_DJyHV zuXVHwd7|bX{D>r_wXM)IgWK=1D(ZpNuX44s3 zTNs6F#nE%RF-bZUV2Ut!1CoyalhW8&Ql6Yk{}b7Xb?%Gm0)L#2fJnnqX|)ovj+%@K zKkL4uHzt|Tn-0jHqUI&iQwv3vvMB>e!3|Nm?jtyguIei9I*RAwo*3%NzHO1dbc3!z zAbc@F_wAEBpsI4xcQx$jqru;(h45mVt-w_+@60ogtCyoBiK1fHHhQ@ z!yMELtg^$eQWOpc%0c0E&zgd}q+siLJw)deu}9K-uyrZc5bHN!-+_5u&&dx&ya7AF%=V{1a$t3V&No zd~Ji{*Fuu6mc52{yVDiZF+ z==O@`_x63I=fKk)GH;cG_OvQ_HU*m882_k1$bY(hFVVDtC)BzFU=JzWwA>+nzAJn_ zzIys(x8qc`bTte0FZF`8fv8TSyxxQ+5FWC(O28o1ktN>f$CWLa5LpXpPs2&6GVhZJ zEd_P?RGX?@TlkJ|1C07%$*Q3$TYz81tB$7QC<;M%+cxUAh=mbl?^yAVt7wjM@Ld57 zi+_hMX=f8~5#>?5O^eRvE9xg*eXP@(>|pH@_uyZ8MbhZ~r{h8Us0;3?7h;o)I=Kb2 zu`Tf&$Gl5x=7}Rjo9*-Sn_k6tHHQ@T+*Nt+gjS6`?Gz*`uQy1f6u3jhSJWhZ5vvPzCICBF=}g=uXJ&f9*wj}W=BRBFMk9TJQNXz8j=VLB2r#xY7EBqVa)-^#dTCt zh~tz+hq$dUZSfa;wPg*OUToQH)S{`^>RmY)SGvNa?Iua0n7?=DChg>uT)6XUk0DCK zR}P$&FWghaz|8WmtwW9AbH6-ysGP0$B1_Mc*QYhoR~_dtQtOh(Rto;wVjKQ>1Ajcn z3k*Hq*@-PfBFB*d1V&~aSsocopOGyUQN)0uau)5MyG_x65jNh%@NF!dq1|0ZSbC-u z97`T`jqnXy4)qqRHXE}QTgr{UB{EdnB?=>F*FKqSGYg<}TWBT}wBKYq3o%r@Vbbk-+Zg~j?UV@)pUi{_!uZw9wx`0-o zz@BDEeHK#d*7Er)q}v99D|QTjB&i8^Ybw!(!Med>M^=akJNH9pDK>pQwif9(`~z9j zb!G$$9S8uUM*x$5FY9yO(u63ozmne$VW9?10cNUP?7H57Whoj-laI{Go-;(+wT|axg z>k6*-@899)^@ne-%ul%9eEat8+h^BrKEUU@cOS0aKD)Yqe)BDS1XqtZCVe%OMRgE7 z%kJuEMPe`ASo@#!TE2J@d`Fu+kLvvozivrTR-|}M%chP=5LH!{#t}=)B8ba^MQK6m zfD{|}y!h@?u`K~)+STa|ek}fePvVA=AmM5lq(#8C`d3os(BlPXx-__g@2aSd@}P)v z^8Ir`_56o_9`;YXA&9c9+>s<;Wx(pFpeatr1$xO*;rlWz7^&A$OwN86LkXc1&iwM# z@5{x86k$#N-J~@TEEfy5uhf`B_DX#tFtw0(H1krCuIO*8WrMQR3lw0N8WSr&2^992BsHCWcV6Zq|PaD zt<#K9)up87qCcjlJ}L2X_4zWwb!o3=I#9&_B2i+>moMbkm23?|;&bC;nJ-_jE-pB- zXm*%?Sq=24LZ;iOCQnApd^8gUEodi*IZG)+1$IhVqS(JjS7(GTD{ddaJAGAqYx+0- z6ywfGD-x&clq7QV#9fbcEf?=F5vz{O2kyC#WzG)J2A7R`fS4VE{%2G~8}h_#RL%$W 
zI95txKg>=k?!o8b@hn|`v7XF^Z7dnurbk$RF`vnMJaPXBwhydKx%vZSOwpB(lZ)>-{+;87T$I#zhv#Dk#oo&i%nEY%l#x7U*?2X0A!W=7<-sem4VR<_yzC-EN@Rc@oMYqU0xv-q@2}%{ofMhK|Z- z<%X-h3s7!QF2HS>6MLcMHYN8!J|E9!h3&6`=c3^PIG&%+M4)gd?84x!**M@9YlPQv zmV(qJ1_)*YE)^G$e-njEP9bFXai?#!9^U>{AYk-w08H_w?4*X22I$T@-CU63?l^ec zk}`TcDDLGR1+6Bu%)8d^88gSdU+R z{;@s$q)&ETs(A9+AT63y_?WsX;x_kPLKrAFwPM=Ta&I~K4T?vNN6-awSgf42;X4zs zDip387*!zW$0G{<0H@F~?EgHWQK;t$>|`HEYx9R) z)NyyyzbUqre<2T9#uvdSaA9khVnEYP5oN-w3qF6G5QG3Mx44d0)&Fn?&dY9O+Pq3V z$Si|uix~wt#w~=5tjeX(%$spuIb}P}9pN+9d?eOXfg?V}y{J(oqr$4p(s<9+QpLA2 zpoM6&U@GN*ZnTfYzb}uPpa`ReZRJsZH%q}=o>Dmje;?`O`VmguKIFzU52++EV7m7X zI}3BH$)RN>k704uC`M&tDdYM6HEyqlH}ch84sn=_gBx)-lsr9K z0;f5)4=oh(i8^dtS!R0EmT{=E2DXJIc6XO;T(TpQ6SGUzQPm+;pvt^HG6GMC24Bla;;|NY^OqyGE){i*)@ zOI*Uy5A!mCSo%z8!>i!>;_BjRmW^7z2!0}Qe+G{~`pDpzEV&U#2#w{5MJ3NF2&VqQ zdkJ=10xnLi)ASLyPbyEqqj?DRfBo_2pek#o&oe4%Y6LVI4%QUWN{?P|a9|-{1?woI z1ZHBHXP159Cw)mo^0EkpDO8AdQTO>$w1>1={Sl@~7;mFuL$EdH5tL@slxPiy$d;z7 zeBsG?r>U4)PQd*ie8haTqe3~!^GbwBI0S|T@&D+CvxnSza;Yz>f@O>^}ImQSTuYm&kKf0SW* z)kWDR>ox?!HCA`CbRK{aW#LTTekJHsfYH-1Kah1M zHfc%v*IBd_K1yXp`qgX|kyE1cS=}MHU5=Z*e`{d>mT2id31e`Ex5cRBz=f0ZpA0I|v* zJ`=Yx%Vz%Sn4!HNmpU=+>jCt`^d0@`A%PlcGn!59|p;5!J@6?_WJ1SOvWa|DP93qA_miBLkYxf4lke^~UmM7Nu|Y^r{@vRU|1bf0HwacdFCLkr${Ou! z9qmG%sJRC}B1!43NyL*F_*@p0?ot+SjYe6yV$TqKm89I6Ao3jmdhPtwETcj`DpleWw zGNUe0csSCE;laur7X0%;cS4i=xiNnHy?ha5_pzwq#N(pTY-$q4Ar^DgX+m&o-J}VA zRG1%y&jx?)f2qu<;9U}H`XJuLWncRqSlU8F*DZ~gU4)5Y`{JL1X`NH-&PY} z+u-=Mkff_+uc6)Ubj5T`7v6Kl>5r|Y;6B?-UylEwoNWVonXS4$8;=Xo9n;YO+nWTs zy<+*jeP8K0@N|dFTjiiVtxBFvfhIS`KPnKie{SDPG;QDsweA4eLkc%7cZi?w3ZIX! 
zo<7;_I8`lO%|iW4y$E02Si8hM_?KRhG#|1w zUUIdsPlQyA+8X97UEHKcBQ28IkM&Q#4?NjdwA88w+P>cb5^Co+$;# zl1E)5e8ZMQy~V1{#%#rwa^r7_43&0?!pPaRPbS;U0w^7qy0DC-h^`=OtCHNig?dk8 z=m2Tt?GkUp@R`!VsQzQ7gQ2}AN>2|*9yp8|1sy+_8b3$T3w_%?60-9Jn$DX5))YpL zRn<}TVJ0MFHSI{sRMCCy()j<2OUV3U{g^K{48Q+z_4du%_xAfA?>?N9tq&J}H}Vf7 z);ID2mDQdU-w?TMXnna#i%SWxSiF8c4Mo0=j3^e!>!Q3XvnD66g^iq!X};&Ifx%0X zz&`wk!ngR+osyrjp9`7Jm_B}^2);XhC%!!o-QPpITV8^Jm*8iY7k@eb>tY&^E}#`C zu%{VPpM})AwS4{x>9&F3iX8)gNovB~no6``ux_x}krg7s&i&9?icMdStws6`|3KDs zof*MG2Liz85y0f%%R1gnFNNOHS%^Kq$vWy2({;KSPS@!=U8n1G TovzdMzj6H+@A+_>0C)fZN<2FQ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 47a5feab..0404fcaf 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -27111,10 +27111,10 @@ index 0000000..15b42ae + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..270e9a8 +index 0000000..a298e23 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,350 @@ +@@ -0,0 +1,354 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -27422,6 +27422,10 @@ index 0000000..270e9a8 +') + +optional_policy(` ++ ipa_run_helper(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) + oddjob_run(unconfined_t, unconfined_r) +') @@ -35568,7 +35572,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..9926eaf 100644 +index 79a45f6..d092e6e 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ 
@@ -36611,7 +36615,7 @@ index 79a45f6..9926eaf 100644 ') ######################################## -@@ -1806,37 +2294,690 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2294,708 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -37039,6 +37043,24 @@ index 79a45f6..9926eaf 100644 + +######################################## +## ++## Stop system from init ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_stop',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system stop; ++') ++ ++######################################## ++## +## Start system from init +## +## @@ -41815,7 +41837,7 @@ index 59b04c1..6810e0b 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 6b91740..7c98978 100644 +index 6b91740..7724116 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -23,6 +23,8 @@ ifdef(`distro_gentoo',` @@ -41936,7 +41958,7 @@ index 6b91740..7c98978 100644 # # /var -@@ -98,5 +174,9 @@ ifdef(`distro_gentoo',` +@@ -98,5 +174,11 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -41946,6 +41968,8 @@ index 6b91740..7c98978 100644 /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) ++ ++/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index 58bc27f..9e86fce 100644 --- a/policy/modules/system/lvm.if @@ -48905,10 +48929,10 @@ index 0000000..16cd1ac +') 
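Review bot: The new `/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)` entry at the end of the lvm.fc hunk folds storaged's runtime directory into the LVM runtime type instead of giving it a type of its own. Every domain that can manage lvm_var_run_t (the lvm tools, clvmd) can then create and rewrite storaged's runtime state, and whatever domain storaged runs in needs write access to the shared type; that is presumably acceptable if storaged only drives the LVM tools, but it is a wider grant than a dedicated storaged runtime type would be, and the changelog gives no bug reference for it. A one-line comment above the entry naming the denial that motivated sharing the type, e.g. `# storaged writes lock/state files here while driving lvm tools`, would let the next reviewer judge whether a separate type is warranted.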
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..ceca7a3 +index 0000000..e77911b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,964 @@ +@@ -0,0 +1,965 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49137,6 +49161,7 @@ index 0000000..ceca7a3 + +init_status(systemd_logind_t) +init_start(systemd_logind_t) ++init_stop(systemd_logind_t) +init_signal(systemd_logind_t) +init_reboot(systemd_logind_t) +init_halt(systemd_logind_t) @@ -51288,7 +51313,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..420907f 100644 +index 9dc60c6..beadc1e 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -54590,7 +54615,7 @@ index 9dc60c6..420907f 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4628,1781 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4628,1799 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -54782,6 +54807,24 @@ index 9dc60c6..420907f 100644 + +######################################## +## ++## dontaudit create dirs /root ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_create_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir create_dir_perms; ++') ++ ++######################################## ++## +## RW unpriviledged user SysV sempaphores. +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 40b3d801..12515dbd 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -16971,7 +16971,7 @@ index bd18063..47c8fd0 100644 optional_policy(` policykit_domtrans_auth(consolekit_t) 
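Review bot: `init_stop(systemd_logind_t)` in the systemd.te hunk hands logind the `system stop` permission on init_t with no comment or bug reference; the changelog only restates the rule. The domain already holds init_reboot and init_halt on the neighbouring lines, so the added exposure is modest, but `stop` is a distinct operation on the init system and the AVC that prompted it is not recorded anywhere in the patch. Suggest a comment on the new line recording the actual operation observed, in the style `# logind issues system stop when <operation from the AVC> — BZ(...)`, so the grant can be re-evaluated later instead of being carried forward blindly.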
diff --git a/corosync.fc b/corosync.fc -index da39f0f..6a96733 100644 +index da39f0f..b26d3e0 100644 --- a/corosync.fc +++ b/corosync.fc @@ -1,5 +1,7 @@ @@ -16982,6 +16982,12 @@ index da39f0f..6a96733 100644 /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) /usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) +@@ -10,3 +12,5 @@ + /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) + /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) + /var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) ++/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) ++/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/corosync.if b/corosync.if index 694a037..d859681 100644 --- a/corosync.if @@ -20797,7 +20803,7 @@ index 3023be7..4f0fe46 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..8aececf 100644 +index c91813c..71b61c4 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21199,7 +21205,11 @@ index c91813c..8aececf 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -370,20 +434,19 @@ allow cupsd_config_t cupsd_var_run_t:file read_file_perms; +@@ -367,23 +431,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) + files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) + + allow cupsd_config_t cupsd_var_run_t:file read_file_perms; ++allow cupsd_config_t cupsd_var_run_t:sock_file read_file_perms; manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) 
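Review bot: `allow cupsd_config_t cupsd_var_run_t:sock_file read_file_perms;` in the cups.te hunk grants open/read/lock/ioctl on a socket file, which looks like a copy of the file-class line above it rather than the access a socket file actually takes. A UNIX socket is reached through connect (write on the sock_file plus connectto on the owning domain), and a status check needs only getattr; if the AVC behind BZ(1361299) was getattr-only, `getattr_sock_files_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t)` is the narrower rule, and if cupsd_config_t actually talks to cupsd it should be `stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)`. The 3.13.1-208 changelog entry at the end of this patch already gave the same domain manage rights on these sock_files for the same bug, so it is worth checking which of the two rules is still needed before both are shipped.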
@@ -21223,7 +21233,7 @@ index c91813c..8aececf 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +455,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +456,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -21244,7 +21254,7 @@ index c91813c..8aececf 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +472,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +473,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -21256,7 +21266,7 @@ index c91813c..8aececf 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +499,12 @@ optional_policy(` +@@ -449,9 +500,12 @@ optional_policy(` ') optional_policy(` @@ -21270,7 +21280,7 @@ index c91813c..8aececf 100644 ') optional_policy(` -@@ -467,6 +520,10 @@ optional_policy(` +@@ -467,6 +521,10 @@ optional_policy(` ') optional_policy(` @@ -21281,7 +21291,7 @@ index c91813c..8aececf 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +544,6 @@ optional_policy(` +@@ -487,10 +545,6 @@ optional_policy(` # Lpd local policy # @@ -21292,7 +21302,7 @@ index c91813c..8aececf 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +561,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +562,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) 
@@ -21310,7 +21320,7 @@ index c91813c..8aececf 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +590,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +591,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -21320,7 +21330,7 @@ index c91813c..8aececf 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +600,6 @@ optional_policy(` +@@ -550,7 +601,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -21328,7 +21338,7 @@ index c91813c..8aececf 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +615,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +616,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21480,7 +21490,7 @@ index c91813c..8aececf 100644 ######################################## # -@@ -735,7 +659,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +660,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -21488,7 +21498,7 @@ index c91813c..8aececf 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +668,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +669,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21502,7 +21512,7 @@ index c91813c..8aececf 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +680,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +681,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) 
@@ -21511,7 +21521,7 @@ index c91813c..8aececf 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +692,4 @@ optional_policy(` +@@ -773,3 +693,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -28863,7 +28873,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..9670e41 100644 +index 98072a3..e42654a 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28907,7 +28917,7 @@ index 98072a3..9670e41 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,23 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,25 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28935,10 +28945,12 @@ index 98072a3..9670e41 100644 +sysnet_manage_config(firewalld_t) +sysnet_relabelfrom_net_conf(firewalld_t) +sysnet_relabelto_net_conf(firewalld_t) ++ ++userdom_dontaudit_create_admin_dir(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +112,10 @@ optional_policy(` +@@ -95,6 +114,10 @@ optional_policy(` ') optional_policy(` @@ -29267,7 +29279,7 @@ index 5010f04..3b73741 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index 92a6479..59a65a4 100644 +index 92a6479..f064c94 100644 --- a/fprintd.te +++ b/fprintd.te @@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t) @@ -29303,7 +29315,7 @@ index 92a6479..59a65a4 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +58,17 @@ optional_policy(` +@@ -54,8 +58,21 @@ optional_policy(` ') ') @@ -29316,6 +29328,10 @@ index 92a6479..59a65a4 100644 +') + +optional_policy(` ++ rhcs_dbus_chat_cluster(fprintd_t) ++') ++ ++optional_policy(` + udev_read_db(fprintd_t) +') + @@ -46858,7 +46874,7 @@ index d314333..27ede09 100644 + ') ') 
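Review bot: `userdom_dontaudit_create_admin_dir(firewalld_t)` in the firewalld.te hunk silences the denial from BZ(1340611) without recording why a network daemon tries to create directories under /root at all; the dontaudit hides the AVC, but firewalld will still fail that mkdir at runtime. The likely cause (not visible here) is a library honouring HOME=/root because the service runs as root, in which case the real fix belongs in the unit file or the daemon, and the dontaudit should say so, e.g. `# firewalld tries to mkdir under $HOME=/root; harmless, silenced rather than allowed — BZ(1340611)`. Without that comment the next person to see firewalld misbehave in /root will find no audit trail and no explanation.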
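Review bot: The new `rhcs_dbus_chat_cluster(fprintd_t)` block in the fprintd.te hunk couples the fingerprint daemon to the cluster domains, an unusual pairing that BZ(1355774) alone does not explain to a reader of the policy. dbus chat interfaces in this policy are generally two-way (both sides receive `dbus send_msg` to the other), so cluster resource agents presumably gain the ability to message fprintd as well as the reverse; if the need is only that a cluster agent probes fprintd over the system bus, say so in a comment above the call, e.g. `# cluster resource agents query fprintd over the system bus — BZ(1355774)`. The interface body itself is outside this patch, so confirm its direction before relying on this description.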
diff --git a/lsm.te b/lsm.te -index 4ec0eea..693d9ae 100644 +index 4ec0eea..1400ca8 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -46900,7 +46916,7 @@ index 4ec0eea..693d9ae 100644 allow lsmd_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) -@@ -26,4 +44,71 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,72 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -46969,6 +46985,7 @@ index 4ec0eea..693d9ae 100644 +sysnet_read_config(lsmd_plugin_t) + +storage_raw_rw_fixed_disk(lsmd_plugin_t) ++storage_create_fixed_disk_dev(lsmd_plugin_t) +storage_read_scsi_generic(lsmd_plugin_t) +storage_write_scsi_generic(lsmd_plugin_t) +storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t) @@ -64243,10 +64260,10 @@ index 0000000..eac3932 +') diff --git a/opendnssec.te b/opendnssec.te new file mode 100644 -index 0000000..83507cf +index 0000000..e246d45 --- /dev/null +++ b/opendnssec.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,68 @@ +policy_module(opendnssec, 1.0.0) + +######################################## @@ -64267,6 +64284,9 @@ index 0000000..83507cf +type opendnssec_var_run_t; +files_pid_file(opendnssec_var_run_t) + ++type opendnssec_tmp_t; ++files_tmp_file(opendnssec_tmp_t) ++ +type opendnssec_unit_file_t; +systemd_unit_file(opendnssec_unit_file_t) + 
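Review bot: `storage_create_fixed_disk_dev(lsmd_plugin_t)` lets the plugin domain create fixed_disk_device_t nodes, which together with the existing `storage_raw_rw_fixed_disk` and `storage_dev_filetrans_named_fixed_disk` lines beside it lets plugins mint a block device node under /dev and then write it raw. That is arguably the privilege a storage-array plugin needs, but it also means a compromised plugin can reach any local disk, so the rule deserves a comment naming which plugin and operation creates device nodes itself instead of leaving that to udev, e.g. `# <plugin> creates its own block device nodes after mapping a volume`. Creating a device node also requires the mknod capability; the capability line for lsmd_plugin_t is outside this hunk, so confirm it is present (or that the AVC did not also ask for it) rather than adding it reflexively.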
@@ -64292,6 +64312,12 @@ index 0000000..83507cf +manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t) +files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file }) + ++manage_dirs_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t) ++manage_files_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t) ++files_tmp_filetrans(opendnssec_t, opendnssec_tmp_t, { file dir }) ++ ++kernel_read_system_state(opendnssec_t) ++ +auth_use_nsswitch(opendnssec_t) + +corecmd_exec_bin(opendnssec_t) @@ -97645,7 +97671,7 @@ index 0000000..7a058a8 +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 0000000..f6e5b0f +index 0000000..95a5182 --- /dev/null +++ b/sbd.te @@ -0,0 +1,52 @@ @@ -97670,7 +97696,7 @@ index 0000000..f6e5b0f +# +# sbd local policy +# -+allow sbd_t self:capability { dac_override ipc_lock sys_nice }; ++allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin}; +allow sbd_t self:process { fork setsched signal_perms }; +allow sbd_t self:fifo_file rw_fifo_file_perms; +allow sbd_t self:unix_stream_socket create_stream_socket_perms; @@ -110953,7 +110979,7 @@ index 31c752e..ef52235 100644 init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 87da8a2..4ca0271 100644 +index 87da8a2..4be1fcb 100644 --- a/vdagent.te +++ b/vdagent.te @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) @@ -110964,7 +110990,7 @@ index 87da8a2..4ca0271 100644 allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket { accept listen }; -@@ -39,23 +40,28 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) +@@ -39,23 +40,29 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) logging_log_filetrans(vdagent_t, vdagent_log_t, file) 
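Review bot: `sys_admin` is added to sbd_t's capability set in the sbd.te hunk with no comment, and it is the broadest capability available (mount, most block-device ioctls, namespace and hostname changes, and much more), so the rule should record the exact operation sbd needs; the changelog only repeats the grant. If the AVC was for something that maps to a narrower capability (for example `sys_rawio` for raw device access, or `ipc_lock`, which sbd already holds, presumably for mlockall), the narrower one should be preferred; otherwise add `# sys_admin: <syscall/ioctl from the AVC>` above the line. Also restore the missing space before the closing brace so the line matches the file's style: `allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin };`.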
@@ -110985,6 +111011,7 @@ index 87da8a2..4ca0271 100644 -logging_send_syslog_msg(vdagent_t) +systemd_read_logind_sessions_files(vdagent_t) +systemd_login_read_pid_files(vdagent_t) ++systemd_dbus_chat_logind(vdagent_t) -miscfiles_read_localization(vdagent_t) +logging_send_syslog_msg(vdagent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a7a4b7ab..95fbdfcd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 208%{?dist} +Release: 209%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,23 @@ exit 0 %endif %changelog +* Tue Aug 16 2016 Lukas Vrabec 3.13.1-209 +- Fix lsm SELinux module +- Dontaudit firewalld to create dirs in /root/ BZ(1340611) +- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t +- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774) +- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299) +- Add sys_admin capability to sbd domain +- Allow vdagent to comunnicate with systemd-logind via dbus +- Allow lsmd_plugin_t domain to create fixed_disk device. +- Allow opendnssec domain to create and manage own tmp dirs/files +- Allow opendnssec domain to read system state +- Allow systemd_logind stop system init_t +- Add interface init_stop() +- Add interface userdom_dontaudit_create_admin_dir() +- Label /var/run/storaged as lvm_var_run_t. +- Allow unconfineduser to run ipa_helper_t. + * Fri Aug 12 2016 Lukas Vrabec 3.13.1-208 - Allow cups_config_t domain also mange sock_files. BZ(1361299) - Add wake_alarm capability to fprintd domain BZ(1362430)