diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 77f76d5..3795792 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 7e8426d..8a3b713 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9549,7 +9549,7 @@ index 2b9a3a1..49accb6 100644
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
-index 531a8f2..0b86f2f 100644
+index 531a8f2..3fcf187 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
@@ -9617,7 +9617,7 @@ index 531a8f2..0b86f2f 100644
## Search bind cache directories.
##
##
-@@ -310,6 +354,27 @@ interface(`bind_read_zone',`
+@@ -310,6 +354,47 @@ interface(`bind_read_zone',`
########################################
##
@@ -9642,10 +9642,30 @@ index 531a8f2..0b86f2f 100644
+
+########################################
+##
++## Create, read, write, and delete
++## bind zone files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_manage_zone_dirs',`
++ gen_require(`
++ type named_zone_t;
++ ')
++
++ files_search_var($1)
++ allow $1 named_zone_t:dir manage_dir_perms;
++')
++
++########################################
++##
## Create, read, write, and delete
## bind zone files.
##
-@@ -344,6 +409,25 @@ interface(`bind_udp_chat_named',`
+@@ -344,6 +429,25 @@ interface(`bind_udp_chat_named',`
########################################
##
@@ -9671,28 +9691,28 @@ index 531a8f2..0b86f2f 100644
## All of the rules required to
## administrate an bind environment.
##
-@@ -364,11 +448,17 @@ interface(`bind_admin',`
+@@ -364,11 +468,17 @@ interface(`bind_admin',`
type named_t, named_tmp_t, named_log_t;
type named_cache_t, named_zone_t, named_initrc_exec_t;
type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
- type named_keytab_t;
+ type named_keytab_t, named_unit_file_t;
-+ ')
-+
+ ')
+
+- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { named_t ndc_t })
+ allow $1 named_t:process signal_perms;
+ ps_process_pattern($1, named_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 named_t:process ptrace;
- ')
-
-- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { named_t ndc_t })
++ ')
++
+ bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -384,11 +474,15 @@ interface(`bind_admin',`
+@@ -384,11 +494,15 @@ interface(`bind_admin',`
files_list_etc($1)
admin_pattern($1, { named_keytab_t named_conf_t })
@@ -9710,7 +9730,7 @@ index 531a8f2..0b86f2f 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 1241123..dcaf16b 100644
+index 1241123..bf5ad4a 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9800,10 +9820,14 @@ index 1241123..dcaf16b 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -187,7 +206,13 @@ optional_policy(`
+@@ -187,7 +206,17 @@ optional_policy(`
')
optional_policy(`
++ ipa_manage_lib(named_t)
++')
++
++optional_policy(`
+ ipsec_rw_inherited_pipes(named_t)
+')
+
@@ -9814,7 +9838,7 @@ index 1241123..dcaf16b 100644
kerberos_use(named_t)
')
-@@ -215,7 +240,8 @@ optional_policy(`
+@@ -215,7 +244,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -9824,7 +9848,7 @@ index 1241123..dcaf16b 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -229,10 +255,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +259,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -9836,7 +9860,7 @@ index 1241123..dcaf16b 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +267,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +271,9 @@ corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
@@ -9846,7 +9870,7 @@ index 1241123..dcaf16b 100644
domain_use_interactive_fds(ndc_t)
files_search_pids(ndc_t)
-@@ -257,7 +285,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +289,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -37977,14 +38001,19 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
-index 0000000..ce135f3
+index 0000000..e1ddda0
--- /dev/null
+++ b/ipa.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,19 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
++/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0)
++
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
++/usr/libexec/ipa/ipa-dnskeysyncd -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
++/usr/libexec/ipa/ipa-dnskeysync-replica -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0)
++
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
@@ -38181,10 +38210,10 @@ index 0000000..904782d
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..af46439
+index 0000000..5fad85e
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,195 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -38201,9 +38230,16 @@ index 0000000..af46439
+type ipa_otpd_exec_t;
+init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
+
++type ipa_dnskey_t, ipa_domain;
++type ipa_dnskey_exec_t;
++init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t)
++
+type ipa_otpd_unit_file_t;
+systemd_unit_file(ipa_otpd_unit_file_t)
+
++type ipa_dnskey_unit_file_t;
++systemd_unit_file(ipa_dnskey_unit_file_t)
++
+type ipa_log_t;
+logging_log_file(ipa_log_t)
+
@@ -38220,6 +38256,9 @@ index 0000000..af46439
+init_system_domain(ipa_helper_t, ipa_helper_exec_t)
+role ipa_helper_roles types ipa_helper_t;
+
++type ipa_tmp_t;
++files_tmp_file(ipa_tmp_t)
++
+########################################
+#
+# ipa_otpd local policy
@@ -38315,6 +38354,61 @@ index 0000000..af46439
+optional_policy(`
+ sssd_manage_lib_files(ipa_helper_t)
+')
++
++########################################
++#
++# ipa-dnskey local policy
++#
++allow ipa_dnskey_t self:tcp_socket create_stream_socket_perms;
++allow ipa_dnskey_t self:udp_socket create_socket_perms;
++allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms;
++allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read };
++
++manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
++setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
++list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
++
++manage_files_pattern(ipa_dnskey_t, ipa_tmp_t, ipa_tmp_t)
++files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file })
++
++kernel_dgram_send(ipa_dnskey_t)
++
++auth_use_nsswitch(ipa_dnskey_t)
++
++corecmd_exec_bin(ipa_dnskey_t)
++corecmd_exec_shell(ipa_dnskey_t)
++
++corenet_tcp_bind_generic_node(ipa_dnskey_t)
++corenet_tcp_connect_kerberos_port(ipa_dnskey_t)
++corenet_tcp_connect_rndc_port(ipa_dnskey_t)
++
++dev_read_rand(ipa_dnskey_t)
++
++libs_exec_ldconfig(ipa_dnskey_t)
++
++logging_send_syslog_msg(ipa_dnskey_t)
++
++miscfiles_read_certs(ipa_dnskey_t)
++
++sysnet_read_config(ipa_dnskey_t)
++
++optional_policy(`
++ bind_domtrans_ndc(ipa_dnskey_t)
++ bind_read_dnssec_keys(ipa_dnskey_t)
++ bind_manage_zone(ipa_dnskey_t)
++ bind_manage_zone_dirs(ipa_dnskey_t)
++')
++
++optional_policy(`
++ dirsrv_stream_connect(ipa_dnskey_t)
++')
++
++optional_policy(`
++ opendnssec_domtrans(ipa_dnskey_t)
++ opendnssec_manage_config(ipa_dnskey_t)
++ opendnssec_manage_var_files(ipa_dnskey_t)
++ opendnssec_filetrans_etc_content(ipa_dnskey_t)
++')
diff --git a/ipmievd.fc b/ipmievd.fc
new file mode 100644
index 0000000..caf1fe5
@@ -63355,6 +63449,299 @@ index 3b6920e..3e9b17f 100644
userdom_dontaudit_use_unpriv_user_fds(openct_t)
userdom_dontaudit_search_user_home_dirs(openct_t)
+diff --git a/opendnssec.fc b/opendnssec.fc
+new file mode 100644
+index 0000000..08d0e79
+--- /dev/null
++++ b/opendnssec.fc
+@@ -0,0 +1,14 @@
++/usr/lib/systemd/system/ods-enforcerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0)
++
++/usr/lib/systemd/system/ods-signerd.service -- gen_context(system_u:object_r:opendnssec_unit_file_t,s0)
++
++/usr/sbin/ods-control -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
++/usr/sbin/ods-enforcerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
++/usr/sbin/ods-signer -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
++/usr/sbin/ods-signerd -- gen_context(system_u:object_r:opendnssec_exec_t,s0)
++
++/etc/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_conf_t,s0)
++
++/var/run/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_run_t,s0)
++
++/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0)
+diff --git a/opendnssec.if b/opendnssec.if
+new file mode 100644
+index 0000000..fb0141d
+--- /dev/null
++++ b/opendnssec.if
+@@ -0,0 +1,206 @@
++
++## policy for opendnssec
++
++########################################
++##
++## Execute opendnssec_exec_t in the opendnssec domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`opendnssec_domtrans',`
++ gen_require(`
++ type opendnssec_t, opendnssec_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, opendnssec_exec_t, opendnssec_t)
++')
++
++######################################
++##
++## Execute opendnssec in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`opendnssec_exec',`
++ gen_require(`
++ type opendnssec_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, opendnssec_exec_t)
++')
++
++########################################
++##
++## Read the opendnssec configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`opendnssec_read_config',`
++ gen_require(`
++ type opendnssec_conf_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 opendnssec_conf_t:file read_file_perms;
++')
++
++########################################
++##
++## Read the opendnssec configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`opendnssec_manage_config',`
++ gen_require(`
++ type opendnssec_conf_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 opendnssec_conf_t:file manage_file_perms;
++')
++
++########################################
++##
++## Allow the specified domain to
++## read and write opendnssec /var files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`opendnssec_manage_var_files',`
++ gen_require(`
++ type opendnssec_var_t;
++ ')
++
++ files_search_var($1)
++ files_search_var_lib($1)
++ manage_files_pattern($1, opendnssec_var_t, opendnssec_var_t)
++')
++
++########################################
++##
++## Read opendnssec PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`opendnssec_read_pid_files',`
++ gen_require(`
++ type opendnssec_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t)
++')
++
++########################################
++##
++## Execute opendnssec server in the opendnssec domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`opendnssec_systemctl',`
++ gen_require(`
++ type opendnssec_t;
++ type opendnssec_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 opendnssec_unit_file_t:file read_file_perms;
++ allow $1 opendnssec_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, opendnssec_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an opendnssec environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`opendnssec_admin',`
++ gen_require(`
++ type opendnssec_t;
++ type opendnssec_var_run_t;
++ type opendnssec_unit_file_t;
++ ')
++
++ allow $1 opendnssec_t:process { signal_perms };
++ ps_process_pattern($1, opendnssec_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 opendnssec_t:process ptrace;
++ ')
++
++ files_search_pids($1)
++ admin_pattern($1, opendnssec_var_run_t)
++
++ opendnssec_systemctl($1)
++ admin_pattern($1, opendnssec_unit_file_t)
++ allow $1 opendnssec_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
++
++########################################
++##
++## Transition to quota named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`opendnssec_filetrans_etc_content',`
++ gen_require(`
++ type opendnssec_conf_t;
++ ')
++
++ files_etc_filetrans($1, opendnssec_conf_t, file)
++')
+diff --git a/opendnssec.te b/opendnssec.te
+new file mode 100644
+index 0000000..a0e817d
+--- /dev/null
++++ b/opendnssec.te
+@@ -0,0 +1,55 @@
++policy_module(opendnssec, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type opendnssec_t;
++type opendnssec_exec_t;
++init_daemon_domain(opendnssec_t, opendnssec_exec_t)
++
++type opendnssec_conf_t;
++files_config_file(opendnssec_conf_t)
++
++type opendnssec_var_t;
++files_type(opendnssec_var_t)
++
++type opendnssec_var_run_t;
++files_pid_file(opendnssec_var_run_t)
++
++type opendnssec_unit_file_t;
++systemd_unit_file(opendnssec_unit_file_t)
++
++########################################
++#
++# opendnssec local policy
++#
++allow opendnssec_t self:capability { chown setgid setuid sys_chroot };
++allow opendnssec_t self:process { fork signal_perms };
++allow opendnssec_t self:fifo_file rw_fifo_file_perms;
++allow opendnssec_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
++manage_dirs_pattern(opendnssec_t, opendnssec_conf_t,opendnssec_conf_t)
++
++manage_dirs_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t)
++manage_files_pattern(opendnssec_t, opendnssec_var_t, opendnssec_var_t)
++files_var_filetrans(opendnssec_t, opendnssec_var_t, dir)
++
++manage_dirs_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
++manage_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
++manage_lnk_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
++manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
++files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file })
++
++auth_use_nsswitch(opendnssec_t)
++
++corecmd_exec_bin(opendnssec_t)
++
++logging_send_syslog_msg(opendnssec_t)
++
++optional_policy(`
++ ipa_manage_lib(opendnssec_t)
++')
++
diff --git a/openfortivpn.fc b/openfortivpn.fc
new file mode 100644
index 0000000..2e4dd3f
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c254865..ab37315 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 191%{?dist}
+Release: 192%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,10 @@ exit 0
%endif
%changelog
+* Wed May 25 2016 Lukas Vrabec 3.13.1-192
+- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
+- Add SELinux policy for opendnssec service. BZ(1333106)
+
* Tue May 24 2016 Lukas Vrabec 3.13.1-191
- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)