diff --git a/.container-selinux.metadata b/.container-selinux.metadata index 498ccb6..ea41633 100644 --- a/.container-selinux.metadata +++ b/.container-selinux.metadata @@ -1 +1 @@ -39c035a0f8566c23e98963575f58180b6b96e52f SOURCES/container-selinux-79a6d70.tar.gz +5534a7174675f7eeaaae1728f6d6f9d399706ee0 SOURCES/container-selinux-7a17443.tar.gz diff --git a/.gitignore b/.gitignore index 532aee0..000c092 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/container-selinux-79a6d70.tar.gz +SOURCES/container-selinux-7a17443.tar.gz diff --git a/SPECS/container-selinux.spec b/SPECS/container-selinux.spec index 4c8f2b7..23bc98f 100644 --- a/SPECS/container-selinux.spec +++ b/SPECS/container-selinux.spec @@ -2,12 +2,7 @@ # container-selinux %global git0 https://github.com/projectatomic/%{name} -%if 0%{?fedora} -%global commit0 33cb78bba67527b4977f88e7e2a8c02f2c621850 -%else -# use upstream's RHEL-1.12 branch for RHEL 7 / CentOS 7 -%global commit0 79a6d708f29a1b8d631cbf717b99bb3b5226eda3 -%endif +%global commit0 7a17443e9f13a6cb6c5ae565b49468070f9246dc %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # container-selinux stuff (prefix with ds_ for version/release etc.) 
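Review bot: The new `%global commit0 7a17443e9f13a6cb6c5ae565b49468070f9246dc` line in the SPECS/container-selinux.spec hunk gives no indication of which upstream branch or tag the commit comes from. The removed comment `# use upstream's RHEL-1.12 branch for RHEL 7 / CentOS 7` was the only record of that. Anyone auditing what policy source this package ships needs that provenance, so I would add a comment above the line such as `# upstream commit built for 2.10, taken from branch <upstream-branch>` with the real branch filled in. The Fedora conditional is dropped here while `%if 0%{?fedora}` remains further down around policycoreutils-python-utils, so it is worth confirming that the mix is intended.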
@@ -25,16 +20,12 @@ %global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/docker* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/docker.service %{_unitdir}/docker-containerd.service %{_unitdir}/docker-latest.service %{_unitdir}/docker-latest-containerd.service %{_sysconfdir}/docker %{_libexecdir}/docker* &> /dev/null || : # Version of SELinux we were using -%if 0%{?fedora} >= 22 -%global selinux_policyver 3.13.1-220 -%else %global selinux_policyver 3.13.1-39 -%endif Name: container-selinux Epoch: 2 -Version: 2.9 -Release: 4%{?dist} +Version: 2.10 +Release: 2%{?dist} License: GPLv2 URL: %{git0} Summary: SELinux policies for container runtimes @@ -48,7 +39,8 @@ BuildRequires: selinux-policy-devel >= %{selinux_policyver} Requires: selinux-policy >= %{selinux_policyver} Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): selinux-policy-targeted >= %{selinux_policyver} -Requires(post): policycoreutils +Requires(post): policycoreutils >= 2.5-11 + %if 0%{?fedora} Requires(post): policycoreutils-python-utils %else @@ -117,6 +109,16 @@ fi %{_datadir}/selinux/* %changelog +* Mon Mar 20 2017 Dan Walsh - 2:2.10-2 +- Make sure we have a late enough version of policycoreutils + +* Mon Mar 6 2017 Dan Walsh - 2:2.10-1 +- Update to the latest container-selinux patch from upstream +- Label files under /usr/libexec/lxc as container_runtime_exec_t +- Give container_t access to XFRM sockets +- Allow spc_t to dbus chat with init system +- Allow containers to read cgroup configuration mounted into a container + * Tue Feb 21 2017 Lokesh Mandvekar - 2:2.9-4 - Resolves: #1425574 - built commit 79a6d70
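Review bot: With the `%if 0%{?fedora} >= 22` branch removed, `%global selinux_policyver 3.13.1-39` becomes the only floor for selinux-policy-devel at build time and for selinux-policy at install time, while this release moves to a newer upstream policy (2.10). If the new rules depend on types or interfaces introduced after 3.13.1-39, the module may fail to load on a host sitting at the floor, and the container domains would then run without the updated policy. I would verify a build and install against the oldest supported selinux-policy, or raise the floor. The comment `# Version of SELinux we were using` could also say what the value is for, e.g. `# Minimum selinux-policy version this module is built and tested against`.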
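Review bot: The floor added in `Requires(post): policycoreutils >= 2.5-11` has no comment saying what 2.5-11 provides, so a later rebase cannot tell whether the bound can be relaxed or must be raised. A one-line comment above it would fix that, e.g. `# policycoreutils >= 2.5-11 is needed by the post-install scriptlet: <reason>`. The constraint is placed on `Requires(post)` only; if other scriptlets (not visible in this hunk) also call semodule or the restorecon-based `relabel_files` macro, they may need the same versioned requirement. The Fedora branch just below still pulls `policycoreutils-python-utils` unversioned.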