diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ba6795e..5022173 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12360,7 +12360,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287..814aeca 100644
+index 550b287..10b00ba 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t)
@@ -12475,7 +12475,7 @@ index 550b287..814aeca 100644
+optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
-+ kerberos_manage_config(certmonger_t)
++ kerberos_manage_kdc_config(certmonger_t)
')
optional_policy(`
@@ -42767,7 +42767,7 @@ index 4fe75fd..3504a9b 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..192df56 100644
+index f6c00d8..b7e477d 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -42984,7 +42984,7 @@ index f6c00d8..192df56 100644
##
##
##
-@@ -210,47 +207,63 @@ interface(`kerberos_manage_krb5_home_files',`
+@@ -210,220 +207,252 @@ interface(`kerberos_manage_krb5_home_files',`
##
##
#
@@ -43033,23 +43033,32 @@ index f6c00d8..192df56 100644
- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read kerberos key table files.
+## Create a derived type for kerberos keytab
-+##
+ ##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`kerberos_read_keytab',`
+- gen_require(`
+- type krb5_keytab_t;
+- ')
+-
+- files_search_etc($1)
+- allow $1 krb5_keytab_t:file read_file_perms;
+template(`kerberos_keytab_template',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ kerberos_read_keytab($2)
@@ -43058,16 +43067,17 @@ index f6c00d8..192df56 100644
########################################
##
--## Read kerberos key table files.
+-## Read and write kerberos key table files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
-@@ -259,18 +272,18 @@ interface(`kerberos_home_filetrans_krb5_home',`
+ ## Domain allowed access.
+ ##
##
- ##
++##
#
--interface(`kerberos_read_keytab',`
+-interface(`kerberos_rw_keytab',`
+interface(`kerberos_read_kdc_config',`
gen_require(`
- type krb5_keytab_t;
@@ -43075,39 +43085,81 @@ index f6c00d8..192df56 100644
')
files_search_etc($1)
-- allow $1 krb5_keytab_t:file read_file_perms;
+- allow $1 krb5_keytab_t:file rw_file_perms;
+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
')
########################################
##
--## Read and write kerberos key table files.
+-## Create, read, write, and delete
+-## kerberos key table files.
++## Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`kerberos_manage_keytab_files',`
++interface(`kerberos_manage_kdc_config',`
+ gen_require(`
+- type krb5_keytab_t;
++ type krb5kdc_conf_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 krb5_keytab_t:file manage_file_perms;
++ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
++ list_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ ')
+
+ ########################################
+ ##
+-## Create specified objects in generic
+-## etc directories with the kerberos
+-## keytab file type.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
-@@ -278,49 +291,122 @@ interface(`kerberos_read_keytab',`
+ ## Domain allowed access.
##
##
+-##
+-##
+-## Class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
#
--interface(`kerberos_rw_keytab',`
+-interface(`kerberos_etc_filetrans_keytab',`
+interface(`kerberos_read_host_rcache',`
gen_require(`
- type krb5_keytab_t;
+ type krb5_host_rcache_t;
')
-
-- files_search_etc($1)
-- allow $1 krb5_keytab_t:file rw_file_perms;
+- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
')
########################################
##
--## Create, read, write, and delete
--## kerberos key table files.
+-## Create a derived type for kerberos
+-## keytab files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
+-##
+-##
+-## The prefix to be used for deriving type names.
+-##
+-##
##
##
## Domain allowed access.
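Review bot: The new `kerberos_manage_kdc_config` interface is documented as "Manage the kerberos kdc configuration file", but its body grants only `read_files_pattern` and `list_dirs_pattern` on `krb5kdc_conf_t`, so the name promises more access than the rules give. The `certmonger_t` call changed earlier in this patch (where it replaces `kerberos_manage_config`) therefore ends up with read/list access only, and a later edit that makes the body match the name would silently widen every caller. If read-only is intended, certmonger.te could call the existing `kerberos_read_kdc_config` and this interface be dropped or renamed. If write access is intended, the body needs `manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)`, and the commit should state why certmonger requires it.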
@@ -43115,15 +43167,15 @@ index f6c00d8..192df56 100644
##
+##
#
--interface(`kerberos_manage_keytab_files',`
+-template(`kerberos_keytab_template',`
+- refpolicywarn(`$0($*) has been deprecated.')
+- kerberos_read_keytab($2)
+- kerberos_use($2)
+interface(`kerberos_manage_host_rcache',`
- gen_require(`
-- type krb5_keytab_t;
++ gen_require(`
+ type krb5_host_rcache_t;
- ')
-
-- files_search_etc($1)
-- allow $1 krb5_keytab_t:file manage_file_perms;
++ ')
++
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
@@ -43144,9 +43196,7 @@ index f6c00d8..192df56 100644
########################################
##
--## Create specified objects in generic
--## etc directories with the kerberos
--## keytab file type.
+-## Read kerberos kdc configuration files.
+## All of the rules required to administrate
+## an kerberos environment
##
@@ -43155,24 +43205,26 @@ index f6c00d8..192df56 100644
## Domain allowed access.
##
##
--##
+##
- ##
--## Class of the object being created.
++##
+## The role to be allowed to manage the kerberos domain.
+##
+##
-+##
-+#
+ ##
+ #
+-interface(`kerberos_read_kdc_config',`
+interface(`kerberos_admin',`
-+ gen_require(`
+ gen_require(`
+- type krb5kdc_conf_t;
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
-+ ')
-+
+ ')
+
+- files_search_etc($1)
+- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
@@ -43212,74 +43264,14 @@ index f6c00d8..192df56 100644
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
-+')
-+
-+########################################
-+##
-+## Type transition files created in /tmp
-+## to the krb5_host_rcache type.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- ##
-@@ -329,60 +415,63 @@ interface(`kerberos_manage_keytab_files',`
- ##
- ##
- #
--interface(`kerberos_etc_filetrans_keytab',`
-+interface(`kerberos_tmp_filetrans_host_rcache',`
- gen_require(`
-- type krb5_keytab_t;
-+ type krb5_host_rcache_t;
- ')
-
-- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
-+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
##
--## Create a derived type for kerberos
--## keytab files.
+-## Create, read, write, and delete
+-## kerberos host rcache files.
+## Type transition files created in /tmp
-+## to the kadmind_tmp type.
- ##
--##
-+##
- ##
--## The prefix to be used for deriving type names.
-+## Domain allowed access.
- ##
- ##
--##
-+##
- ##
--## Domain allowed access.
-+## The name of the object being created.
- ##
- ##
- #
--template(`kerberos_keytab_template',`
-- refpolicywarn(`$0($*) has been deprecated.')
-- kerberos_read_keytab($2)
-- kerberos_use($2)
-+interface(`kerberos_tmp_filetrans_kadmin',`
-+ gen_require(`
-+ type kadmind_tmp_t;
-+ ')
-+
-+ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
-+ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
- ')
-
- ########################################
- ##
--## Read kerberos kdc configuration files.
-+## read kerberos homedir content (.k5login)
++## to the krb5_host_rcache type.
##
##
##
@@ -43287,38 +43279,16 @@ index f6c00d8..192df56 100644
##
##
-##
- #
--interface(`kerberos_read_kdc_config',`
-+interface(`kerberos_read_home_content',`
- gen_require(`
-- type krb5kdc_conf_t;
-+ type krb5_home_t;
- ')
-
-- files_search_etc($1)
-- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, krb5_home_t, krb5_home_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## kerberos host rcache files.
-+## Manage the kerberos kdc /var/lib files
-+## and directories.
- ##
- ##
- ##
-@@ -391,141 +480,88 @@ interface(`kerberos_read_kdc_config',`
- ##
- ##
++##
++##
++## The name of the object being created.
++##
++##
#
-interface(`kerberos_manage_host_rcache',`
-+interface(`kerberos_manage_kdc_var_lib',`
++interface(`kerberos_tmp_filetrans_host_rcache',`
gen_require(`
-- type krb5_host_rcache_t;
-+ type krb5kdc_var_lib_t;
+ type krb5_host_rcache_t;
')
- domain_obj_id_change_exemption($1)
@@ -43333,9 +43303,8 @@ index f6c00d8..192df56 100644
- files_search_tmp($1)
- allow $1 krb5_host_rcache_t:file manage_file_perms;
- ')
-+ files_search_etc($1)
-+ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
-+ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
')
########################################
@@ -43343,8 +43312,8 @@ index f6c00d8..192df56 100644
-## Create objects in generic temporary
-## directories with the kerberos host
-## rcache type.
-+## create kerberos content in the in the /root directory
-+## with an correct label.
++## Type transition files created in /tmp
++## to the kadmind_tmp type.
##
##
##
@@ -43354,36 +43323,34 @@ index f6c00d8..192df56 100644
-##
-##
-## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
+## Domain allowed access.
##
##
+ ##
+@@ -432,17 +461,18 @@ interface(`kerberos_manage_host_rcache',`
+ ##
+ ##
#
-interface(`kerberos_tmp_filetrans_host_rcache',`
-+interface(`kerberos_filetrans_admin_home_content',`
++interface(`kerberos_tmp_filetrans_kadmin',`
gen_require(`
- type krb5_host_rcache_t;
-+ type krb5_home_t;
++ type kadmind_tmp_t;
')
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
-+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
++ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
++ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
')
########################################
##
-## Connect to krb524 service.
-+## Transition to kerberos named content
++## read kerberos homedir content (.k5login)
##
##
##
--## Domain allowed access.
-+## Domain allowed access.
+@@ -450,82 +480,109 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
##
##
#
@@ -43398,25 +43365,25 @@ index f6c00d8..192df56 100644
-
- corenet_sendrecv_kerberos_master_client_packets($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
-+interface(`kerberos_filetrans_home_content',`
++interface(`kerberos_read_home_content',`
+ gen_require(`
+ type krb5_home_t;
')
+
-+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, krb5_home_t, krb5_home_t)
')
########################################
##
-## All of the rules required to
-## administrate an kerberos environment.
-+## Transition to kerberos named content
++## Manage the kerberos kdc /var/lib files
++## and directories.
##
##
##
--## Domain allowed access.
-+## Domain allowed access.
+ ## Domain allowed access.
##
##
-##
@@ -43424,17 +43391,17 @@ index f6c00d8..192df56 100644
-## Role allowed access.
-##
-##
--##
+ ##
#
-interface(`kerberos_admin',`
-+interface(`kerberos_filetrans_named_content',`
++interface(`kerberos_manage_kdc_var_lib',`
gen_require(`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
-+ type krb5kdc_principal_t;
++ type krb5kdc_var_lib_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
@@ -43444,13 +43411,35 @@ index f6c00d8..192df56 100644
- domain_system_change_exemption($1)
- role_transition $2 kerberos_initrc_exec_t system_r;
- allow $2 system_r;
--
++ files_search_etc($1)
++ manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
++ manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
++')
+
- logging_list_logs($1)
- admin_pattern($1, kadmind_log_t)
--
++########################################
++##
++## create kerberos content in the in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_admin_home_content',`
++ gen_require(`
++ type krb5_home_t;
++ ')
+
- files_list_tmp($1)
- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
--
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
++')
+
- kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
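Review bot: `kerberos_manage_kdc_var_lib` calls `files_search_etc($1)` before granting manage access on `krb5kdc_var_lib_t`, although its summary places the files under /var/lib; the line looks carried over from the kdc_config interfaces. If the type's file contexts are under /var/lib (they are not visible in this patch), the search grant should be `files_search_var_lib($1)`. As written, callers get a search permission on /etc they may not need and could still be denied on the real parent directory. The interface header and `gen_require` sit in the previous hunk. In this hunk the `kerberos_filetrans_admin_home_content` summary reads "in the in the /root directory with an correct label" and could become `## Create kerberos content in the /root directory with the correct label.`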
@@ -43459,13 +43448,45 @@ index f6c00d8..192df56 100644
- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
--
++########################################
++##
++## Transition to kerberos named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_home_content',`
++ gen_require(`
++ type krb5_home_t;
++ ')
+
- files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
--
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
++')
+
- files_list_etc($1)
- admin_pattern($1, krb5_conf_t)
--
++########################################
++##
++## Transition to kerberos named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_named_content',`
++ gen_require(`
++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
++ type krb5kdc_principal_t;
++ ')
+
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })