diff --git a/Changelog b/Changelog
index 95db6c1..6c85f15 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Drop write permission from fs_read_rpc_sockets().
- Remove unused udev_runtime_t type.
- Patch for RadSec port from Glen Turner.
- Enable network_peer_controls policy capability from Paul Moore.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 98607ab..16c72d7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1935,6 +1935,24 @@ interface(`fs_read_rpc_sockets',`
type rpc_pipefs_t;
')
+ allow $1 rpc_pipefs_t:sock_file read;
+')
+
+########################################
+##
+## Read and write sockets of RPC file system pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_rpc_sockets',`
+ gen_require(`
+ type rpc_pipefs_t;
+ ')
+
allow $1 rpc_pipefs_t:sock_file { read write };
')
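Review bot: Narrowing `fs_read_rpc_sockets` to `allow $1 rpc_pipefs_t:sock_file read;` removes `write` from every existing caller of that interface, while this diff only migrates `rpcd_t` and `gssd_t` in rpc.te. Any other module that calls it (none are visible here) would fail closed with AVC denials on rpc_pipefs sockets, so the tree should be searched for remaining callers and each confirmed as read-only before this lands. The new `fs_rw_rpc_sockets` summary also does not say when a domain should prefer it over the read-only interface; a line such as `## Use only for domains that must write to the rpc_pipefs sockets; otherwise use fs_read_rpc_sockets().` would document the split. The `fs_read_rpc_sockets` definition starts outside this hunk, so its summary text could not be checked against the narrowed rule.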
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index a95ed4b..cf66fb4 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem, 1.11.1)
+policy_module(filesystem, 1.11.2)
########################################
#
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 02c3fcd..012cb34 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc, 1.10.2)
+policy_module(rpc, 1.10.3)
########################################
#
@@ -76,7 +76,7 @@ files_manage_mounttab(rpcd_t)
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
-fs_read_rpc_sockets(rpcd_t)
+fs_rw_rpc_sockets(rpcd_t)
selinux_dontaudit_read_fs(rpcd_t)
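Review bot: `rpcd_t` here and `gssd_t` in the hunk at -163 are both switched straight to `fs_rw_rpc_sockets`, so their effective access to `rpc_pipefs_t:sock_file` is unchanged and nothing records why either domain needs `write`. If the write requirement was verified for each domain, a short comment above the call would keep the grant from being carried forward by habit, for example `# write on rpc_pipefs sockets required: <reason, to be filled in>`. If it was not verified for one of them, leaving that domain on `fs_read_rpc_sockets` and checking the audit log for denials would be the least-privilege choice.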
@@ -163,7 +163,7 @@ kernel_search_network_sysctl(gssd_t)
corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
-fs_read_rpc_sockets(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
files_list_tmp(gssd_t)