diff --git a/container-selinux.tgz b/container-selinux.tgz
index 6075220..3c76eaa 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 26d0b95..9439595 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -277,6 +277,15 @@ index c049e10..150f281 100644
 -system_u:system_r:svirt_t
 +system_u:system_r:svirt_t:s0
 +system_u:system_r:svirt_tcg_t:s0
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index d392dec..4565e9b 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -19,3 +19,4 @@
+ /usr/local/lib64 /usr/lib
+ /usr/local/lib /usr/lib
+ /var/run/lock /var/lock
++/sbin /usr/sbin
 diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
 deleted file mode 100644
 index 5bebd82..0000000
@@ -6455,7 +6464,7 @@ index 3f6e168..340e49f 100644
  ')
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..1ed65a0 100644
+index b31c054..3ad1127 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,15 +15,18 @@
@@ -6498,7 +6507,7 @@ index b31c054..1ed65a0 100644
  /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 -/dev/mei		-c	gen_context(system_u:object_r:mei_device_t,s0)
 +/dev/media.*	-c	gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/mei        -c	gen_context(system_u:object_r:mei_device_t,s0)
++/dev/mei[0-9]*       -c	gen_context(system_u:object_r:mei_device_t,s0)
  /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 +/dev/memory_bandwidth   -c  gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
@@ -6573,7 +6582,12 @@ index b31c054..1ed65a0 100644
  /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
-@@ -172,15 +199,21 @@ ifdef(`distro_suse', `
+@@ -169,18 +196,26 @@ ifdef(`distro_suse', `
+ 
+ /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
+ 
++/dev/ss[0-9]+		-c	gen_context(system_u:object_r:gpfs_device_t,s0)
++
  /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
  
@@ -6595,7 +6609,7 @@ index b31c054..1ed65a0 100644
  
  ifdef(`distro_debian',`
  # this is a static /dev dir "backup mount"
-@@ -198,12 +231,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +233,27 @@ ifdef(`distro_debian',`
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -6626,7 +6640,7 @@ index b31c054..1ed65a0 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..72f99c0 100644
+index 76f285e..47c1b4d 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -8375,32 +8389,11 @@ index 76f285e..72f99c0 100644
  	')
  
  	getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4330,28 +5292,180 @@ interface(`dev_search_usbfs',`
+@@ -4351,7 +5313,159 @@ interface(`dev_list_usbfs',`
  
  ########################################
  ## <summary>
--##	Allow caller to get a list of usb hardware.
-+##	Allow caller to get a list of usb hardware.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_list_usbfs',`
-+	gen_require(`
-+		type usbfs_t;
-+	')
-+
-+	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+	getattr_files_pattern($1, usbfs_t, usbfs_t)
-+
-+	list_dirs_pattern($1, usbfs_t, usbfs_t)
-+')
-+
-+########################################
-+## <summary>
+-##	Set the attributes of usbfs filesystem.
 +##	Set the attributes of usbfs filesystem.
 +## </summary>
 +## <param name="domain">
@@ -8536,31 +8529,23 @@ index 76f285e..72f99c0 100644
 +## <summary>
 +##	Do not audit attempts to set the attributes
 +##	of video4linux device nodes.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`dev_list_usbfs',`
++##	</summary>
++## </param>
++#
 +interface(`dev_dontaudit_setattr_video_dev',`
- 	gen_require(`
--		type usbfs_t;
++	gen_require(`
 +		type v4l_device_t;
- 	')
- 
--	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
--	getattr_files_pattern($1, usbfs_t, usbfs_t)
--
--	list_dirs_pattern($1, usbfs_t, usbfs_t)
++	')
++
 +	dontaudit $1 v4l_device_t:chr_file setattr;
- ')
- 
- ########################################
- ## <summary>
--##	Set the attributes of usbfs filesystem.
++')
++
++########################################
++## <summary>
 +##	Read the video4linux devices.
  ## </summary>
  ## <param name="domain">
@@ -8883,7 +8868,7 @@ index 76f285e..72f99c0 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +6015,1022 @@ interface(`dev_unconfined',`
+@@ -4851,3 +6015,1042 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -9000,6 +8985,24 @@ index 76f285e..72f99c0 100644
 +
 +########################################
 +## <summary>
++##	Allow read/write the hypervkvp device
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_gpfs',`
++	gen_require(`
++		type device_t, gpfs_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, gpfs_device_t)
++')
++
++########################################
++## <summary>
 +##	Allow read/write the hypervvssd device
 +## </summary>
 +## <param name="domain">
@@ -9137,6 +9140,7 @@ index 76f285e..72f99c0 100644
 +    type mptctl_device_t;
 +    type hypervkvp_device_t;
 +    type hypervvssd_device_t;
++    type gpfs_device_t;
 +')
 +
 +	dev_filetrans_printer_named_dev($1)
@@ -9839,6 +9843,7 @@ index 76f285e..72f99c0 100644
 +	filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
 +	filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp")
 +	filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss")
++	filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0")
 +	dev_filetrans_xserver_named_dev($1)
 +')
 +
@@ -9907,7 +9912,7 @@ index 76f285e..72f99c0 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..29965c3 100644
+index 0b1a871..9099db5 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -9954,7 +9959,7 @@ index 0b1a871..29965c3 100644
  type event_device_t;
  dev_node(event_device_t)
  
-@@ -88,12 +92,33 @@ type framebuf_device_t;
+@@ -88,12 +92,39 @@ type framebuf_device_t;
  dev_node(framebuf_device_t)
  
  #
@@ -9967,6 +9972,12 @@ index 0b1a871..29965c3 100644
 +dev_node(hypervvssd_device_t)
 +
 +#
++# Type for /dev/ss0
++#
++type gpfs_device_t;
++dev_node(gpfs_device_t)
++
++#
  # Type for /dev/ipmi/0
  #
  type ipmi_device_t;
@@ -9988,7 +9999,7 @@ index 0b1a871..29965c3 100644
  # Type for /dev/kmsg
  #
  type kmsg_device_t;
-@@ -111,6 +136,7 @@ dev_node(ksm_device_t)
+@@ -111,6 +142,7 @@ dev_node(ksm_device_t)
  #
  type kvm_device_t;
  dev_node(kvm_device_t)
@@ -9996,7 +10007,7 @@ index 0b1a871..29965c3 100644
  
  #
  # Type for /dev/lirc
-@@ -118,6 +144,9 @@ dev_node(kvm_device_t)
+@@ -118,6 +150,9 @@ dev_node(kvm_device_t)
  type lirc_device_t;
  dev_node(lirc_device_t)
  
@@ -10006,7 +10017,7 @@ index 0b1a871..29965c3 100644
  type loop_control_device_t;
  dev_node(loop_control_device_t)
  
-@@ -150,12 +179,24 @@ type modem_device_t;
+@@ -150,12 +185,24 @@ type modem_device_t;
  dev_node(modem_device_t)
  
  #
@@ -10031,7 +10042,7 @@ index 0b1a871..29965c3 100644
  # Type for /dev/cpu/mtrr and /proc/mtrr
  #
  type mtrr_device_t;
-@@ -183,6 +224,12 @@ type nvram_device_t;
+@@ -183,6 +230,12 @@ type nvram_device_t;
  dev_node(nvram_device_t)
  
  #
@@ -10044,7 +10055,7 @@ index 0b1a871..29965c3 100644
  # Type for /dev/pmu
  #
  type power_device_t;
-@@ -227,6 +274,10 @@ files_mountpoint(sysfs_t)
+@@ -227,6 +280,10 @@ files_mountpoint(sysfs_t)
  fs_type(sysfs_t)
  genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
  
@@ -10055,7 +10066,7 @@ index 0b1a871..29965c3 100644
  #
  # Type for /dev/tpm
  #
-@@ -266,6 +317,15 @@ dev_node(usbmon_device_t)
+@@ -266,6 +323,15 @@ dev_node(usbmon_device_t)
  type userio_device_t;
  dev_node(userio_device_t)
  
@@ -10071,7 +10082,7 @@ index 0b1a871..29965c3 100644
  type v4l_device_t;
  dev_node(v4l_device_t)
  
-@@ -274,6 +334,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +340,7 @@ dev_node(v4l_device_t)
  #
  type vhost_device_t;
  dev_node(vhost_device_t)
@@ -10079,7 +10090,7 @@ index 0b1a871..29965c3 100644
  
  # Type for vmware devices.
  type vmware_device_t;
-@@ -319,5 +380,8 @@ files_associate_tmp(device_node)
+@@ -319,5 +386,8 @@ files_associate_tmp(device_node)
  #
  
  allow devices_unconfined_type self:capability sys_rawio;
@@ -10442,10 +10453,10 @@ index 6a1e4d1..4b87be8 100644
 +	allow $1 domain:process rlimitinh;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..ae8a257 100644
+index cf04cb5..3c25609 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
-@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
+@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0)
  #
  # Declarations
  #
@@ -10482,13 +10493,21 @@ index cf04cb5..ae8a257 100644
  ## </desc>
  gen_tunable(mmap_low_allowed, false)
  
++## <desc>
++## <p>
++##	Allow all domains write to kmsg_device,
++##  while kernel is executed with systemd.log_target=kmsg parameter.
++## </p>
++## </desc>
++gen_tunable(domain_can_write_kmsg, false)
++
  # Mark process types as domains
  attribute domain;
 +attribute named_filetrans_domain;
  
  # Transitions only allowed from domains to other domains
  neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,55 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +118,59 @@ neverallow ~{ domain unlabeled_t } *:process *;
  allow domain self:dir list_dir_perms;
  allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
  allow domain self:file rw_file_perms;
@@ -10539,13 +10558,17 @@ index cf04cb5..ae8a257 100644
 +    userdom_search_admin_dir(domain)
 +')
 +
++tunable_policy(`domain_can_write_kmsg',`
++    dev_write_kmsg(domain)
++')
++
 +tunable_policy(`domain_kernel_load_modules',`
 +	kernel_request_load_module(domain)
 +')
  
  ifdef(`hide_broken_symptoms',`
  	# This check is in the general socket
-@@ -121,8 +177,19 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +189,19 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
@@ -10565,7 +10588,7 @@ index cf04cb5..ae8a257 100644
  ')
  
  optional_policy(`
-@@ -133,6 +200,9 @@ optional_policy(`
+@@ -133,6 +212,9 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -10575,7 +10598,7 @@ index cf04cb5..ae8a257 100644
  ')
  
  ########################################
-@@ -145,14 +215,21 @@ optional_policy(`
+@@ -145,14 +227,21 @@ optional_policy(`
  # be used on an attribute.
  
  # Use/sendto/connectto sockets created by any domain.
@@ -10598,7 +10621,7 @@ index cf04cb5..ae8a257 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -160,11 +237,386 @@ allow unconfined_domain_type domain:msg { send receive };
+@@ -160,11 +249,386 @@ allow unconfined_domain_type domain:msg { send receive };
  
  # For /proc/pid
  allow unconfined_domain_type domain:dir list_dir_perms;
@@ -10987,7 +11010,7 @@ index cf04cb5..ae8a257 100644
 +	unconfined_server_stream_connect(domain)
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..03f9342 100644
+index b876c48..3690ce4 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -11127,7 +11150,7 @@ index b876c48..03f9342 100644
 +ifdef(`distro_redhat',`
 +/rhev			-d	gen_context(system_u:object_r:mnt_t,s0)
 +/rhev(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-+/rhev/[^/]*/.*			<<none>>
++/rhev/[^/]*/.*			gen_context(system_u:object_r:mnt_t,s0)
 +')
 +
  #
@@ -20548,7 +20571,7 @@ index e100d88..ff9e7ba 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..88c7112 100644
+index 8dbab4c..a2f0d06 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -20611,7 +20634,15 @@ index 8dbab4c..88c7112 100644
  type proc_xen_t, proc_type;
  files_mountpoint(proc_xen_t)
  genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
-@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
+@@ -118,6 +147,7 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
+ 
+ # /proc/net/rpc directory and files
+ type sysctl_rpc_t, sysctl_type;
++fs_associate_proc(sysctl_rpc_t)
+ genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
+ 
+ # /proc/sys/crypto directory and files
+@@ -133,14 +163,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
  type sysctl_kernel_t, sysctl_type;
  genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
  
@@ -20626,7 +20657,7 @@ index 8dbab4c..88c7112 100644
  # /proc/sys/net directory and files
  type sysctl_net_t, sysctl_type;
  genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +175,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
  type sysctl_vm_t, sysctl_type;
  genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
  
@@ -20637,7 +20668,7 @@ index 8dbab4c..88c7112 100644
  # /proc/sys/dev directory and files
  type sysctl_dev_t, sysctl_type;
  genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -165,6 +191,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
  type unlabeled_t;
  fs_associate(unlabeled_t)
  sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -20652,7 +20683,7 @@ index 8dbab4c..88c7112 100644
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -189,6 +222,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+@@ -189,6 +223,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
  # kernel local policy
  #
  
@@ -20660,7 +20691,7 @@ index 8dbab4c..88c7112 100644
  allow kernel_t self:capability ~sys_module;
  allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow kernel_t self:shm create_shm_perms;
-@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +268,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
  corenet_in_generic_if(unlabeled_t)
  corenet_in_generic_node(unlabeled_t)
  
@@ -20668,7 +20699,7 @@ index 8dbab4c..88c7112 100644
  corenet_all_recvfrom_netlabel(kernel_t)
  # Kernel-generated traffic e.g., ICMP replies:
  corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +278,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
  corenet_tcp_sendrecv_all_nodes(kernel_t)
  corenet_raw_send_generic_node(kernel_t)
  corenet_send_all_packets(kernel_t)
@@ -20694,7 +20725,7 @@ index 8dbab4c..88c7112 100644
  
  # Mount root file system. Used when loading a policy
  # from initrd, then mounting the root filesystem
-@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +301,8 @@ fs_unmount_all_fs(kernel_t)
  
  selinux_load_policy(kernel_t)
  
@@ -20704,7 +20735,7 @@ index 8dbab4c..88c7112 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -277,13 +315,23 @@ files_list_root(kernel_t)
+@@ -277,13 +316,23 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -20728,7 +20759,7 @@ index 8dbab4c..88c7112 100644
  
  ifdef(`distro_redhat',`
  	# Bugzilla 222337
-@@ -291,11 +339,29 @@ ifdef(`distro_redhat',`
+@@ -291,11 +340,29 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -20758,7 +20789,7 @@ index 8dbab4c..88c7112 100644
  ')
  
  optional_policy(`
-@@ -305,6 +371,19 @@ optional_policy(`
+@@ -305,6 +372,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -20778,7 +20809,7 @@ index 8dbab4c..88c7112 100644
  ')
  
  optional_policy(`
-@@ -312,6 +391,11 @@ optional_policy(`
+@@ -312,6 +392,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20790,7 +20821,7 @@ index 8dbab4c..88c7112 100644
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +416,6 @@ optional_policy(`
+@@ -332,9 +417,6 @@ optional_policy(`
  
  	sysnet_read_config(kernel_t)
  
@@ -20800,7 +20831,7 @@ index 8dbab4c..88c7112 100644
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +424,7 @@ optional_policy(`
+@@ -343,9 +425,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -20811,7 +20842,7 @@ index 8dbab4c..88c7112 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +433,7 @@ optional_policy(`
+@@ -354,7 +434,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -20820,7 +20851,7 @@ index 8dbab4c..88c7112 100644
  	')
  ')
  
-@@ -364,9 +443,22 @@ optional_policy(`
+@@ -364,9 +444,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20843,7 +20874,7 @@ index 8dbab4c..88c7112 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -388,6 +480,8 @@ optional_policy(`
+@@ -388,6 +481,8 @@ optional_policy(`
  if( ! secure_mode_insmod ) {
  	allow can_load_kernmodule self:capability sys_module;
  
@@ -20852,7 +20883,7 @@ index 8dbab4c..88c7112 100644
  	# load_module() calls stop_machine() which
  	# calls sched_setscheduler()
  	allow can_load_kernmodule self:capability sys_nice;
-@@ -399,14 +493,38 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +494,38 @@ if( ! secure_mode_insmod ) {
  # Rules for unconfined acccess to this module
  #
  
@@ -37508,10 +37539,10 @@ index 312cd04..102b975 100644
 +userdom_use_inherited_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
 diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..63c7fc0 100644
+index 73a1c4e..1ca98b8 100644
 --- a/policy/modules/system/iptables.fc
 +++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,48 @@
+@@ -1,22 +1,49 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -37574,6 +37605,7 @@ index 73a1c4e..63c7fc0 100644
 +/var/lib/ebtables(/.*)?			gen_context(system_u:object_r:iptables_var_lib_t,s0)
 +
 +/var/lock/subsys/iptables      --      gen_context(system_u:object_r:iptables_lock_t,s0)
++/var/lock/subsys/ip6tables      --      gen_context(system_u:object_r:iptables_lock_t,s0)
 +
 +/var/run/xtables.*       --  gen_context(system_u:object_r:iptables_var_run_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
@@ -37854,7 +37886,7 @@ index 0000000..c814795
 +fs_manage_kdbus_dirs(systemd_logind_t)
 +fs_manage_kdbus_files(systemd_logind_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..5d62107 100644
+index 73bb3c0..f36d28b 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -38032,7 +38064,7 @@ index 73bb3c0..5d62107 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +315,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +315,158 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -38186,6 +38218,8 @@ index 73bb3c0..5d62107 100644
 +
 +/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
++/usr/lib64/erlang/erts-[^/]*/bin/epmd  --  gen_context(system_u:object_r:lib_t,s0)
++
 +/usr/lib/nsr/(.*/)?.*\.so		-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40644,10 +40678,10 @@ index 79048c4..262c9ec 100644
  	udev_read_pid_files(lvm_t)
  ')
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..cf3a4a6 100644
+index 9fe8e01..c62c761 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
-@@ -9,11 +9,15 @@ ifdef(`distro_gentoo',`
+@@ -9,11 +9,16 @@ ifdef(`distro_gentoo',`
  # /etc
  #
  /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
@@ -40659,13 +40693,14 @@ index 9fe8e01..cf3a4a6 100644
 +/etc/locale.conf	--	gen_context(system_u:object_r:locale_t,s0)
  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
  /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
++/etc/(letsencrypt|certbot)/(live|archive)(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 +/etc/ipa/nssdb(/.*)?			gen_context(system_u:object_r:cert_t,s0)
  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 +/etc/vconsole.conf	--	gen_context(system_u:object_r:locale_t,s0)
  
  ifdef(`distro_redhat',`
  /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
-@@ -37,24 +41,20 @@ ifdef(`distro_redhat',`
+@@ -37,24 +42,20 @@ ifdef(`distro_redhat',`
  
  /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
  
@@ -40695,7 +40730,7 @@ index 9fe8e01..cf3a4a6 100644
  
  /usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
  
-@@ -77,7 +77,7 @@ ifdef(`distro_redhat',`
+@@ -77,7 +78,7 @@ ifdef(`distro_redhat',`
  
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
@@ -40704,7 +40739,7 @@ index 9fe8e01..cf3a4a6 100644
  
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
-@@ -90,6 +90,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +91,7 @@ ifdef(`distro_debian',`
  ')
  
  ifdef(`distro_redhat',`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 73e49d8..94a80b3 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -13596,7 +13596,7 @@ index 32e8265..ac74503 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..bc73da9 100644
+index e5b621c..eba4e6d 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -13627,7 +13627,16 @@ index e5b621c..bc73da9 100644
  allow chronyd_t chronyd_keys_t:file read_file_perms;
  
  manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -62,6 +69,8 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
+ kernel_read_system_state(chronyd_t)
+ kernel_read_network_state(chronyd_t)
+ 
++clock_read_adjtime(chronyd_t)
++
+ corenet_all_recvfrom_unlabeled(chronyd_t)
+ corenet_all_recvfrom_netlabel(chronyd_t)
+ corenet_udp_sendrecv_generic_if(chronyd_t)
+@@ -76,18 +85,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
  corenet_udp_bind_chronyd_port(chronyd_t)
  corenet_udp_sendrecv_chronyd_port(chronyd_t)
  
@@ -19268,7 +19277,7 @@ index 1303b30..f13c532 100644
 +    logging_log_filetrans($1, cron_log_t, $2, $3)
  ')
 diff --git a/cron.te b/cron.te
-index 7de3859..e8010ba 100644
+index 7de3859..65e947c 100644
 --- a/cron.te
 +++ b/cron.te
 @@ -11,46 +11,54 @@ gen_require(`
@@ -19985,7 +19994,7 @@ index 7de3859..e8010ba 100644
  ')
  
  optional_policy(`
-@@ -598,7 +618,23 @@ optional_policy(`
+@@ -598,7 +618,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20006,10 +20015,14 @@ index 7de3859..e8010ba 100644
 +
 +optional_policy(`
 +    rkhunter_manage_lib_files(system_cronjob_t)
++')
++
++optional_policy(`
++    rhsmcertd_dbus_chat(system_cronjob_t)
  ')
  
  optional_policy(`
-@@ -607,7 +643,12 @@ optional_policy(`
+@@ -607,7 +647,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20022,7 +20035,7 @@ index 7de3859..e8010ba 100644
  ')
  
  optional_policy(`
-@@ -615,12 +656,27 @@ optional_policy(`
+@@ -615,12 +660,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20052,7 +20065,7 @@ index 7de3859..e8010ba 100644
  #
  
  allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +684,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +688,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
  allow cronjob_t self:unix_dgram_socket create_socket_perms;
  
@@ -20086,7 +20099,7 @@ index 7de3859..e8010ba 100644
  corenet_all_recvfrom_netlabel(cronjob_t)
  corenet_tcp_sendrecv_generic_if(cronjob_t)
  corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +717,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +721,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
  corenet_udp_sendrecv_generic_node(cronjob_t)
  corenet_tcp_sendrecv_all_ports(cronjob_t)
  corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -23908,14 +23921,14 @@ index 583a527..91c4104 100644
 +	gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/devicekit.fc b/devicekit.fc
-index ae49c9d..6eb0842 100644
+index ae49c9d..99a54eb 100644
 --- a/devicekit.fc
 +++ b/devicekit.fc
 @@ -11,6 +11,8 @@
  /usr/libexec/devkit-power-daemon	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
  /usr/libexec/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
  /usr/libexec/upowerd	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-+/usr/libexec/udisks2/udisksd		--	gen_context(system_u:object_r:devicekit_exec_t,s0)
++/usr/libexec/udisks2/udisksd		--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 +/usr/bin/udisksctl		--	gen_context(system_u:object_r:devicekit_exec_t,s0)
  
  /var/lib/DeviceKit-.*	gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@@ -30736,10 +30749,10 @@ index 0000000..daef190
 +')
 diff --git a/fwupd.te b/fwupd.te
 new file mode 100644
-index 0000000..e0bb02d
+index 0000000..77a7b23
 --- /dev/null
 +++ b/fwupd.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,69 @@
 +policy_module(fwupd, 1.0.0)
 +
 +########################################
@@ -30785,13 +30798,18 @@ index 0000000..e0bb02d
 +manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
 +files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir })
 +
++kernel_dgram_send(fwupd_t)
++
 +auth_read_passwd(fwupd_t)
 +
 +dev_rw_sysfs(fwupd_t)
 +dev_rw_generic_usb_dev(fwupd_t)
++dev_read_raw_memory(fwupd_t)
 +
 +fs_getattr_all_fs(fwupd_t)
 +
++logging_send_syslog_msg(fwupd_t)
++
 +udev_read_pid_files(fwupd_t)
 +
 +optional_policy(`
@@ -31051,10 +31069,10 @@ index 0000000..d9ba5fa
 +')
 diff --git a/ganesha.te b/ganesha.te
 new file mode 100644
-index 0000000..20b9fcf
+index 0000000..4125c8d
 --- /dev/null
 +++ b/ganesha.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,71 @@
 +policy_module(ganesha, 1.0.0)
 +
 +########################################
@@ -31102,6 +31120,11 @@ index 0000000..20b9fcf
 +corenet_udp_bind_nfs_port(ganesha_t)
 +corenet_udp_bind_all_rpc_ports(ganesha_t)
 +corenet_tcp_bind_all_rpc_ports(ganesha_t)
++corenet_tcp_bind_mountd_port(ganesha_t)
++corenet_udp_bind_mountd_port(ganesha_t)
++
++dev_read_infiniband_dev(ganesha_t)
++dev_read_gpfs(ganesha_t)
 +
 +logging_send_syslog_msg(ganesha_t)
 +
@@ -31112,6 +31135,11 @@ index 0000000..20b9fcf
 +	dbus_connect_system_bus(ganesha_t)
 +')
 +
++
++optional_policy(`
++    kerberos_read_keytab(ganesha_t)
++')
++
 +optional_policy(`
 +	rpc_manage_nfs_state_data_dir(ganesha_t)
 +	rpcbind_stream_connect(ganesha_t)
@@ -67899,12 +67927,14 @@ index 9b15730..cb00f20 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..34682ff 100644
+index 44dbc99..e1fbbd9 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
-@@ -9,11 +9,8 @@ type openvswitch_t;
+@@ -8,12 +8,10 @@ policy_module(openvswitch, 1.1.1)
+ type openvswitch_t;
  type openvswitch_exec_t;
  init_daemon_domain(openvswitch_t, openvswitch_exec_t)
++init_initrc_domain(openvswitch_t)
  
 -type openvswitch_initrc_exec_t;
 -init_script_file(openvswitch_initrc_exec_t)
@@ -67916,7 +67946,7 @@ index 44dbc99..34682ff 100644
  
  type openvswitch_var_lib_t;
  files_type(openvswitch_var_lib_t)
-@@ -27,20 +24,29 @@ files_tmp_file(openvswitch_tmp_t)
+@@ -27,20 +25,29 @@ files_tmp_file(openvswitch_tmp_t)
  type openvswitch_var_run_t;
  files_pid_file(openvswitch_var_run_t)
  
@@ -67942,19 +67972,19 @@ index 44dbc99..34682ff 100644
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow openvswitch_t self:netlink_generic_socket create_socket_perms;
++
++can_exec(openvswitch_t, openvswitch_exec_t)
  
 -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-+can_exec(openvswitch_t, openvswitch_exec_t)
-+
 +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
 +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -48,9 +54,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -48,9 +55,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -67965,7 +67995,7 @@ index 44dbc99..34682ff 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -63,35 +67,52 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+@@ -63,35 +68,56 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
@@ -68021,6 +68051,10 @@ index 44dbc99..34682ff 100644
  sysnet_dns_name_resolve(openvswitch_t)
  
  optional_policy(`
++    hostname_exec(openvswitch_t)
++')
++
++optional_policy(`
  	iptables_domtrans(openvswitch_t)
  ')
 +
@@ -75334,7 +75368,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..501c935 100644
+index 5cfb83e..6167c01 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -75959,7 +75993,7 @@ index 5cfb83e..501c935 100644
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
  
-@@ -584,19 +503,26 @@ optional_policy(`
+@@ -584,19 +503,28 @@ optional_policy(`
  
  ########################################
  #
@@ -75979,11 +76013,13 @@ index 5cfb83e..501c935 100644
  rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
 +rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
  
-+postfix_list_spool(postfix_postdrop_t)
- manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++rw_fifo_files_pattern(postfix_postdrop_t, postfix_master_t, postfix_master_t)
  
 -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
--
++postfix_list_spool(postfix_postdrop_t)
++manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ 
 -mcs_file_read_all(postfix_postdrop_t)
 -mcs_file_write_all(postfix_postdrop_t)
 +corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
@@ -75991,7 +76027,7 @@ index 5cfb83e..501c935 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +537,7 @@ optional_policy(`
+@@ -611,10 +539,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -76003,7 +76039,7 @@ index 5cfb83e..501c935 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -629,17 +552,24 @@ optional_policy(`
+@@ -629,17 +554,24 @@ optional_policy(`
  
  #######################################
  #
@@ -76031,7 +76067,7 @@ index 5cfb83e..501c935 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +585,78 @@ optional_policy(`
+@@ -655,69 +587,78 @@ optional_policy(`
  
  ########################################
  #
@@ -76128,7 +76164,7 @@ index 5cfb83e..501c935 100644
  ')
  
  optional_policy(`
-@@ -730,28 +669,32 @@ optional_policy(`
+@@ -730,28 +671,32 @@ optional_policy(`
  
  ########################################
  #
@@ -76169,7 +76205,7 @@ index 5cfb83e..501c935 100644
  
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -764,6 +707,7 @@ optional_policy(`
+@@ -764,6 +709,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -76177,7 +76213,7 @@ index 5cfb83e..501c935 100644
  ')
  
  optional_policy(`
-@@ -774,31 +718,100 @@ optional_policy(`
+@@ -774,31 +720,100 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -105874,40 +105910,47 @@ index 0000000..80c6480
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
-diff --git a/stapserver.te b/stapserver.te
-new file mode 100644
-index 0000000..e847ea3
---- /dev/null
+diff --git a/systemtap.te b/stapserver.te
+similarity index 64%
+rename from systemtap.te
+rename to stapserver.te
+index ffde368..e847ea3 100644
+--- a/systemtap.te
 +++ b/stapserver.te
-@@ -0,0 +1,114 @@
+@@ -1,4 +1,4 @@
+-policy_module(systemtap, 1.1.0)
 +policy_module(stapserver, 1.1.1)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type stapserver_t;
-+type stapserver_exec_t;
-+init_daemon_domain(stapserver_t, stapserver_exec_t)
-+
-+type stapserver_var_lib_t;
-+files_type(stapserver_var_lib_t)
-+
-+type stapserver_log_t;
-+logging_log_file(stapserver_log_t)
-+
-+type stapserver_var_run_t;
-+files_pid_file(stapserver_var_run_t)
-+
+ 
+ ########################################
+ #
+@@ -9,12 +9,6 @@ type stapserver_t;
+ type stapserver_exec_t;
+ init_daemon_domain(stapserver_t, stapserver_exec_t)
+ 
+-type stapserver_initrc_exec_t;
+-init_script_file(stapserver_initrc_exec_t)
+-
+-type stapserver_conf_t;
+-files_config_file(stapserver_conf_t)
+-
+ type stapserver_var_lib_t;
+ files_type(stapserver_var_lib_t)
+ 
+@@ -24,50 +18,62 @@ logging_log_file(stapserver_log_t)
+ type stapserver_var_run_t;
+ files_pid_file(stapserver_var_run_t)
+ 
 +type stapserver_tmp_t;
 +files_tmp_file(stapserver_tmp_t)
 +
-+########################################
-+#
+ ########################################
+ #
+-# Local policy
 +# stapserver local policy
-+#
-+
+ #
+ 
+-allow stapserver_t self:capability { dac_override kill setuid setgid };
+-allow stapserver_t self:process { setrlimit setsched signal };
 +#runuser
 +allow stapserver_t self:capability { setuid setgid };
 +allow stapserver_t self:process setsched;
@@ -105915,84 +105958,84 @@ index 0000000..e847ea3
 +allow stapserver_t self:capability { dac_override kill sys_ptrace};
 +allow stapserver_t self:process { setrlimit signal };
 +
-+allow stapserver_t self:fifo_file rw_fifo_file_perms;
-+allow stapserver_t self:key write;
+ allow stapserver_t self:fifo_file rw_fifo_file_perms;
+ allow stapserver_t self:key write;
+-allow stapserver_t self:unix_stream_socket { accept listen };
+-allow stapserver_t self:tcp_socket create_stream_socket_perms;
+-
+-allow stapserver_t stapserver_conf_t:file read_file_perms;
 +allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
 +allow stapserver_t self:tcp_socket { accept listen };
-+
-+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
-+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
-+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
-+
-+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+ 
+ manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+ manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+ files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
+ 
+ manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
-+logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
-+
+ logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
+ 
 +manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
 +manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
 +manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
 +files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })
 +
-+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
-+
-+kernel_read_system_state(stapserver_t)
+ manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+ manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+ files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
+ 
+-kernel_read_kernel_sysctls(stapserver_t)
+ kernel_read_system_state(stapserver_t)
 +kernel_read_kernel_sysctls(stapserver_t)
-+
-+corecmd_exec_bin(stapserver_t)
-+corecmd_exec_shell(stapserver_t)
-+
-+domain_read_all_domains_state(stapserver_t)
+ 
+ corecmd_exec_bin(stapserver_t)
+ corecmd_exec_shell(stapserver_t)
+ 
+ domain_read_all_domains_state(stapserver_t)
 +domain_use_interactive_fds(stapserver_t)
-+
-+dev_read_sysfs(stapserver_t)
+ 
+-dev_read_rand(stapserver_t)
+ dev_read_sysfs(stapserver_t)
 +dev_read_rand(stapserver_t)
-+dev_read_urand(stapserver_t)
-+
-+files_list_tmp(stapserver_t)
-+files_search_kernel_modules(stapserver_t)
-+
+ dev_read_urand(stapserver_t)
+ 
+ files_list_tmp(stapserver_t)
+-files_read_usr_files(stapserver_t)
+ files_search_kernel_modules(stapserver_t)
+ 
 +fs_search_cgroup_dirs(stapserver_t)
 +fs_getattr_all_fs(stapserver_t)
 +
-+auth_use_nsswitch(stapserver_t)
-+
-+init_read_utmp(stapserver_t)
-+
-+logging_send_audit_msgs(stapserver_t)
-+logging_send_syslog_msg(stapserver_t)
-+
+ auth_use_nsswitch(stapserver_t)
+ 
+ init_read_utmp(stapserver_t)
+@@ -75,12 +81,18 @@ init_read_utmp(stapserver_t)
+ logging_send_audit_msgs(stapserver_t)
+ logging_send_syslog_msg(stapserver_t)
+ 
+-miscfiles_read_localization(stapserver_t)
 +#lspci
-+miscfiles_read_hwdata(stapserver_t)
-+
+ miscfiles_read_hwdata(stapserver_t)
+ 
 +systemd_dbus_chat_logind(stapserver_t)
 +
-+userdom_use_user_terminals(stapserver_t)
-+
-+optional_policy(`
+ userdom_use_user_terminals(stapserver_t)
+ 
+ optional_policy(`
 +    avahi_dbus_chat(stapserver_t)
 +')
 +
 +optional_policy(`
-+	consoletype_exec(stapserver_t)
-+')
-+
-+optional_policy(`
-+	dbus_system_bus_client(stapserver_t)
-+')
-+
-+optional_policy(`
-+	hostname_exec(stapserver_t)
-+')
-+
-+optional_policy(`
-+	plymouthd_exec_plymouth(stapserver_t)
-+')
-+
-+optional_policy(`
-+	rpm_exec(stapserver_t)
-+')
+ 	consoletype_exec(stapserver_t)
+ ')
+ 
+@@ -99,3 +111,4 @@ optional_policy(`
+ optional_policy(`
+ 	rpm_exec(stapserver_t)
+ ')
 +
 diff --git a/stunnel.fc b/stunnel.fc
 index 49dd63c..ae2e798 100644
@@ -106811,113 +106854,6 @@ index c755e2d..0000000
 -	files_search_pids($1)
 -	admin_pattern($1, stapserver_var_run_t)
 -')
-diff --git a/systemtap.te b/systemtap.te
-deleted file mode 100644
-index ffde368..0000000
---- a/systemtap.te
-+++ /dev/null
-@@ -1,101 +0,0 @@
--policy_module(systemtap, 1.1.0)
--
--########################################
--#
--# Declarations
--#
--
--type stapserver_t;
--type stapserver_exec_t;
--init_daemon_domain(stapserver_t, stapserver_exec_t)
--
--type stapserver_initrc_exec_t;
--init_script_file(stapserver_initrc_exec_t)
--
--type stapserver_conf_t;
--files_config_file(stapserver_conf_t)
--
--type stapserver_var_lib_t;
--files_type(stapserver_var_lib_t)
--
--type stapserver_log_t;
--logging_log_file(stapserver_log_t)
--
--type stapserver_var_run_t;
--files_pid_file(stapserver_var_run_t)
--
--########################################
--#
--# Local policy
--#
--
--allow stapserver_t self:capability { dac_override kill setuid setgid };
--allow stapserver_t self:process { setrlimit setsched signal };
--allow stapserver_t self:fifo_file rw_fifo_file_perms;
--allow stapserver_t self:key write;
--allow stapserver_t self:unix_stream_socket { accept listen };
--allow stapserver_t self:tcp_socket create_stream_socket_perms;
--
--allow stapserver_t stapserver_conf_t:file read_file_perms;
--
--manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
--manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
--files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
--
--manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
--append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
--create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
--setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
--logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
--
--manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
--manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
--files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
--
--kernel_read_kernel_sysctls(stapserver_t)
--kernel_read_system_state(stapserver_t)
--
--corecmd_exec_bin(stapserver_t)
--corecmd_exec_shell(stapserver_t)
--
--domain_read_all_domains_state(stapserver_t)
--
--dev_read_rand(stapserver_t)
--dev_read_sysfs(stapserver_t)
--dev_read_urand(stapserver_t)
--
--files_list_tmp(stapserver_t)
--files_read_usr_files(stapserver_t)
--files_search_kernel_modules(stapserver_t)
--
--auth_use_nsswitch(stapserver_t)
--
--init_read_utmp(stapserver_t)
--
--logging_send_audit_msgs(stapserver_t)
--logging_send_syslog_msg(stapserver_t)
--
--miscfiles_read_localization(stapserver_t)
--miscfiles_read_hwdata(stapserver_t)
--
--userdom_use_user_terminals(stapserver_t)
--
--optional_policy(`
--	consoletype_exec(stapserver_t)
--')
--
--optional_policy(`
--	dbus_system_bus_client(stapserver_t)
--')
--
--optional_policy(`
--	hostname_exec(stapserver_t)
--')
--
--optional_policy(`
--	plymouthd_exec_plymouth(stapserver_t)
--')
--
--optional_policy(`
--	rpm_exec(stapserver_t)
--')
 diff --git a/targetd.fc b/targetd.fc
 new file mode 100644
 index 0000000..c1ef053
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7ca849d..f0cd6e4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 243%{?dist}
+Release: 244%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,15 @@ exit 0
 %endif
 
 %changelog
+* Tue Mar 07 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-244
+- Update fwupd policy
+- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t
+- Update ganesha policy
+- Allow chronyd to read adjtime
+- Merge pull request #194 from hogarthj/certbot_policy
+- get the correct cert_t context on certbot certificates bz#1289778
+- Label /dev/ss0 as gpfs_device_t
+
 * Thu Mar 02 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-243
 -  Allow abrt_t to send mails.