diff --git a/container-selinux.tgz b/container-selinux.tgz
index 2eaaf44..8b0d167 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0d6489d..e9b9e2d 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -50199,10 +50199,10 @@ index 000000000..5871e072d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 000000000..5033e0eb6
+index 000000000..bb880db4a
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1039 @@
+@@ -0,0 +1,1040 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -50272,6 +50272,7 @@ index 000000000..5033e0eb6
 +
 +type systemd_resolved_var_run_t;
 +files_pid_file(systemd_resolved_var_run_t)
++files_mountpoint(systemd_resolved_var_run_t)
 +
 +type systemd_resolved_unit_file_t;
 +systemd_unit_file(systemd_resolved_unit_file_t)
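Review bot: `files_mountpoint(systemd_resolved_var_run_t)` is added with no comment and no matching line in the 3.13.1-301 changelog, so the reason a pid-file type must also be a mountpoint is not recorded anywhere in this commit. Marking the type as a mountpoint presumably lets every domain that may mount on all mountpoints mount over resolved's runtime directory, which is worth a one-line justification such as `# resolved's runtime directory is used as a mount target, BZ(<bug id>)`. The same gap applies to other rules added here without a changelog entry, unless they arrived with the merged pull request: `dccp_socket` in `socket_class_set`, `kernel_read_network_state(cyrus_t)`, `dev_read_rand(ganesha_t)` and `miscfiles_read_certs(pegasus_openlmi_services_t)`.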
@@ -58380,7 +58381,7 @@ index e79d54501..101086d66 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e9131723..dc1c884fe 100644
+index 6e9131723..528c5d2d1 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -58389,7 +58390,7 @@ index 6e9131723..dc1c884fe 100644
  #
 -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
 -
-+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket dccp_socket }')
  
  #
  # Datagram socket classes.
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index e24c5b2..71c1df7 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -5626,7 +5626,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
  ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..cb95398ea 100644
+index 6649962b6..3db9df9f9 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6345,7 +6345,7 @@ index 6649962b6..cb95398ea 100644
  files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -450,140 +571,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +571,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -6412,6 +6412,7 @@ index 6649962b6..cb95398ea 100644
 -fs_search_auto_mountpoints(httpd_t)
 +fs_rw_anon_inodefs_files(httpd_t)
 +fs_rw_hugetlbfs_files(httpd_t)
++fs_exec_hugetlbfs_files(httpd_t)
 +fs_list_inotifyfs(httpd_t)
 +
 +auth_use_nsswitch(httpd_t)
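Review bot: `fs_exec_hugetlbfs_files(httpd_t)` lands directly after `fs_rw_hugetlbfs_files(httpd_t)` and appears to be unconditional, so httpd_t can now both write and execute hugetlbfs_t files. That weakens write-xor-execute for a network-facing domain on every install, not only on the setups behind BZ(1444546). Consider moving the call into a tunable_policy block keyed on an existing boolean such as httpd_execmem, so that the default policy keeps the denial. If it has to stay unconditional, record why with a comment like `# execute hugetlbfs_t files, BZ(1444546)`. The surrounding httpd_t rule block starts and ends outside this hunk.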
@@ -6588,7 +6589,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +754,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -6648,7 +6649,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +806,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6751,7 +6752,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +865,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6832,7 +6833,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  optional_policy(`
-@@ -749,24 +917,32 @@ optional_policy(`
+@@ -749,24 +918,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6871,7 +6872,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  optional_policy(`
-@@ -775,6 +951,10 @@ optional_policy(`
+@@ -775,6 +952,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
  		avahi_dbus_chat(httpd_t)
  	')
@@ -6882,7 +6883,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  optional_policy(`
-@@ -786,35 +966,62 @@ optional_policy(`
+@@ -786,35 +967,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6958,7 +6959,7 @@ index 6649962b6..cb95398ea 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1029,31 @@ optional_policy(`
+@@ -822,8 +1030,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6990,7 +6991,7 @@ index 6649962b6..cb95398ea 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1062,8 @@ optional_policy(`
+@@ -832,6 +1063,8 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6999,7 +7000,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1074,48 @@ optional_policy(`
+@@ -842,20 +1075,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7054,7 +7055,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  optional_policy(`
-@@ -863,16 +1123,31 @@ optional_policy(`
+@@ -863,16 +1124,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7088,7 +7089,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  optional_policy(`
-@@ -883,65 +1158,189 @@ optional_policy(`
+@@ -883,65 +1159,189 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -7300,7 +7301,7 @@ index 6649962b6..cb95398ea 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1349,75 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1350,75 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -7454,7 +7455,7 @@ index 6649962b6..cb95398ea 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1434,107 @@ optional_policy(`
+@@ -1083,172 +1435,107 @@ optional_policy(`
  	')
  ')
  
@@ -7692,7 +7693,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1542,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1543,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7790,7 +7791,7 @@ index 6649962b6..cb95398ea 100644
  
  ########################################
  #
-@@ -1321,8 +1617,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1618,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7807,7 +7808,7 @@ index 6649962b6..cb95398ea 100644
  ')
  
  ########################################
-@@ -1330,49 +1633,43 @@ optional_policy(`
+@@ -1330,49 +1634,43 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7876,7 +7877,7 @@ index 6649962b6..cb95398ea 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1680,109 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -13908,7 +13909,7 @@ index 32e8265c2..508f3b84f 100644
 +    roleattribute $2 chronyc_roles;
  ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c29..89ecee1f7 100644
+index e5b621c29..47b5fe7e4 100644
 --- a/chronyd.te
 +++ b/chronyd.te
 @@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
@@ -13967,17 +13968,19 @@ index e5b621c29..89ecee1f7 100644
  manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
  manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
  fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
-@@ -61,6 +82,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
+@@ -61,6 +82,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
  
  kernel_read_system_state(chronyd_t)
  kernel_read_network_state(chronyd_t)
 +kernel_request_load_module(chronyd_t)
 +
++can_exec(chronyd_t,chronyc_exec_t)
++
 +clock_read_adjtime(chronyd_t)
  
  corenet_all_recvfrom_unlabeled(chronyd_t)
  corenet_all_recvfrom_netlabel(chronyd_t)
-@@ -76,18 +100,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +102,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
  corenet_udp_bind_chronyd_port(chronyd_t)
  corenet_udp_sendrecv_chronyd_port(chronyd_t)
  
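Review bot: `can_exec(chronyd_t,chronyc_exec_t)` runs chronyc inside chronyd_t with no domain transition, so the client inherits the daemon's full permission set; nothing in the hunk says this is intended rather than a transition to a chronyc domain. The chronyd.if context above references `chronyc_roles`, which suggests a separate chronyc domain may exist, so it is worth confirming that running without a transition is the wanted behaviour. Add a comment such as `# chronyd runs chronyc without a transition, BZ(1507478)`. On style, the call is missing the space after the comma and sits between the kernel_* calls and `clock_read_adjtime`; `can_exec(chronyd_t, chronyc_exec_t)` would read better next to the domain's local allow rules, which are outside this hunk.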
@@ -22724,7 +22727,7 @@ index 83bfda6ed..92d9fb2e7 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cyrus_initrc_exec_t system_r;
 diff --git a/cyrus.te b/cyrus.te
-index 4283f2de2..fe348758e 100644
+index 4283f2de2..c29c47501 100644
 --- a/cyrus.te
 +++ b/cyrus.te
 @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
@@ -22736,9 +22739,11 @@ index 4283f2de2..fe348758e 100644
  dontaudit cyrus_t self:capability sys_tty_config;
  allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow cyrus_t self:process setrlimit;
-@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t)
+@@ -62,13 +62,14 @@ files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
+ kernel_read_kernel_sysctls(cyrus_t)
  kernel_read_system_state(cyrus_t)
  kernel_read_all_sysctls(cyrus_t)
++kernel_read_network_state(cyrus_t)
  
 -corenet_all_recvfrom_unlabeled(cyrus_t)
  corenet_all_recvfrom_netlabel(cyrus_t)
@@ -22750,7 +22755,7 @@ index 4283f2de2..fe348758e 100644
  
  corenet_sendrecv_mail_server_packets(cyrus_t)
  corenet_tcp_bind_mail_port(cyrus_t)
-@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
+@@ -76,6 +77,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
  corenet_sendrecv_lmtp_server_packets(cyrus_t)
  corenet_tcp_bind_lmtp_port(cyrus_t)
  
@@ -22760,7 +22765,7 @@ index 4283f2de2..fe348758e 100644
  corenet_sendrecv_pop_server_packets(cyrus_t)
  corenet_tcp_bind_pop_port(cyrus_t)
  
-@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t)
+@@ -95,8 +99,6 @@ domain_use_interactive_fds(cyrus_t)
  
  files_list_var_lib(cyrus_t)
  files_read_etc_runtime_files(cyrus_t)
@@ -22769,7 +22774,7 @@ index 4283f2de2..fe348758e 100644
  
  fs_getattr_all_fs(cyrus_t)
  fs_search_auto_mountpoints(cyrus_t)
-@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t)
+@@ -107,7 +109,6 @@ libs_exec_lib_files(cyrus_t)
  
  logging_send_syslog_msg(cyrus_t)
  
@@ -22777,7 +22782,7 @@ index 4283f2de2..fe348758e 100644
  miscfiles_read_generic_certs(cyrus_t)
  
  userdom_use_unpriv_users_fds(cyrus_t)
-@@ -121,6 +121,14 @@ optional_policy(`
+@@ -121,6 +122,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22792,7 +22797,7 @@ index 4283f2de2..fe348758e 100644
  	kerberos_read_keytab(cyrus_t)
  	kerberos_use(cyrus_t)
  ')
-@@ -134,8 +142,8 @@ optional_policy(`
+@@ -134,8 +143,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26230,10 +26235,10 @@ index 000000000..b3784d85d
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 000000000..f068532e7
+index 000000000..58a8bf4fd
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,210 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -26418,6 +26423,8 @@ index 000000000..f068532e7
 +manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
 +filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
 +
++kernel_read_system_state(dirsrv_snmp_t)
++
 +corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
 +
 +dev_read_rand(dirsrv_snmp_t)
@@ -26430,10 +26437,11 @@ index 000000000..f068532e7
 +fs_getattr_tmpfs(dirsrv_snmp_t)
 +fs_search_tmpfs(dirsrv_snmp_t)
 +
-+
 +sysnet_read_config(dirsrv_snmp_t)
 +sysnet_dns_name_resolve(dirsrv_snmp_t)
 +
++userdom_use_inherited_user_ptys(dirsrv_snmp_t)
++
 +optional_policy(`
 +	snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
 +	snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
@@ -32102,10 +32110,10 @@ index 000000000..d9ba5fa27
 +')
 diff --git a/ganesha.te b/ganesha.te
 new file mode 100644
-index 000000000..3cf186efc
+index 000000000..0fdeecfd6
 --- /dev/null
 +++ b/ganesha.te
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,110 @@
 +policy_module(ganesha, 1.0.0)
 +
 +########################################
@@ -32182,6 +32190,7 @@ index 000000000..3cf186efc
 +
 +dev_rw_infiniband_dev(ganesha_t)
 +dev_read_gpfs(ganesha_t)
++dev_read_rand(ganesha_t)
 +
 +logging_send_syslog_msg(ganesha_t)
 +
@@ -33861,10 +33870,10 @@ index 000000000..450146018
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 000000000..5d279ca35
+index 000000000..7eeb7b0c0
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,331 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@@ -33916,6 +33925,9 @@ index 000000000..5d279ca35
 +type glusterd_tmp_t;
 +files_tmp_file(glusterd_tmp_t)
 +
++type glusterd_tmpfs_t;
++files_tmpfs_file(glusterd_tmpfs_t)
++
 +type glusterd_log_t;
 +logging_log_file(glusterd_log_t)
 +
@@ -33954,6 +33966,10 @@ index 000000000..5d279ca35
 +files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
 +allow glusterd_t glusterd_tmp_t:dir mounton;
 +
++manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
++manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
++fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file })
++
 +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
 +manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
 +logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
@@ -38150,10 +38166,10 @@ index 000000000..8a2013af9
 +')
 diff --git a/gssproxy.te b/gssproxy.te
 new file mode 100644
-index 000000000..86a4d31a1
+index 000000000..800eb43a1
 --- /dev/null
 +++ b/gssproxy.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,75 @@
 +policy_module(gssproxy, 1.0.0)
 +
 +########################################
@@ -38196,6 +38212,7 @@ index 000000000..86a4d31a1
 +files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
 +
 +kernel_rw_rpc_sysctls(gssproxy_t)
++kernel_read_network_state(gssproxy_t)
 +
 +domain_use_interactive_fds(gssproxy_t)
 +
@@ -43845,10 +43862,10 @@ index 000000000..bd7e7fa17
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 000000000..f84877209
+index 000000000..d7cf7c7c3
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,102 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@@ -43926,6 +43943,7 @@ index 000000000..f84877209
 +    snmp_manage_var_lib_files(keepalived_t)
 +    snmp_manage_var_lib_sock_files(keepalived_t)
 +    snmp_manage_var_lib_dirs(keepalived_t)
++    snmp_stream_connect(keepalived_t)
 +')
 +
 +########################################
@@ -47497,10 +47515,10 @@ index 000000000..7ba50607c
 +
 diff --git a/linuxptp.te b/linuxptp.te
 new file mode 100644
-index 000000000..7acdb2d40
+index 000000000..37414ae0d
 --- /dev/null
 +++ b/linuxptp.te
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,184 @@
 +policy_module(linuxptp, 1.0.0)
 +
 +
@@ -47670,10 +47688,14 @@ index 000000000..7acdb2d40
 +corenet_udp_bind_generic_node(ptp4l_t)
 +corenet_udp_bind_reserved_port(ptp4l_t)
 +
++kernel_read_network_state(ptp4l_t)
++
 +dev_rw_realtime_clock(ptp4l_t)
 +
 +logging_send_syslog_msg(ptp4l_t)
 +
++userdom_dgram_send(ptp4l_t)
++
 +optional_policy(`
 +	chronyd_rw_shm(ptp4l_t)
 +')
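Review bot: `userdom_dgram_send(ptp4l_t)` is added without a comment naming the peer it is meant for. The changelog describes it as sending to unprivileged user domains, but the interface name alone does not show whether it is limited to those or covers every user domain, so please confirm the scope matches the intent. A one-line comment above the call naming the client that receives these datagrams would make the grant auditable later. Separately, `kernel_read_network_state(ptp4l_t)` is placed after the corenet_* block, whereas the gssproxy.te and pdns.te hunks in this same commit put the kernel_* call before the corenet_/domain_ calls.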
@@ -48443,6 +48465,32 @@ index be0ab84b3..af94fb163 100644
 +role system_r types logrotate_mail_t;
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+diff --git a/logwatch.if b/logwatch.if
+index 06c3d36ca..2bb771f02 100644
+--- a/logwatch.if
++++ b/logwatch.if
+@@ -37,3 +37,21 @@ interface(`logwatch_search_cache_dir',`
+ 	files_search_var($1)
+ 	allow $1 logwatch_cache_t:dir search_dir_perms;
+ ')
++
++#######################################
++## <summary>
++##  Dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++##  <summary>
++##	Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`logwatch_dontaudit_leaks',`
++    gen_require(`
++        type logwatch_t;
++    ')
++
++	dontaudit $1 logwatch_t:fifo_file { read write };
++')
 diff --git a/logwatch.te b/logwatch.te
 index ab650340c..433d37810 100644
 --- a/logwatch.te
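Review bot: The summary of the new `logwatch_dontaudit_leaks` interface, "Dontaudit read and write an leaked file descriptors", is ungrammatical and describes more than the rule does. The body only silences `logwatch_t:fifo_file { read write }`, so the summary should say so, for example `##	Do not audit attempts to read and write leaked logwatch pipes.` The body also mixes indentation: the `gen_require` block uses spaces while the `dontaudit` line uses a tab, unlike the tab-indented `logwatch_search_cache_dir` just above it. Because dontaudit rules hide denials from the audit log, keeping the documented scope exact helps anyone later investigating missing AVC records.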
@@ -54207,7 +54255,7 @@ index 6194b806b..e27c53d6e 100644
  ')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..28c1c5f16 100644
+index 11ac8e4fc..bb6533dae 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@@ -54488,11 +54536,11 @@ index 11ac8e4fc..28c1c5f16 100644
  miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  
 -userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
- 
+-
 -userdom_manage_user_tmp_dirs(mozilla_t)
 -userdom_manage_user_tmp_files(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+ 
 -userdom_manage_user_home_content_dirs(mozilla_t)
 -userdom_manage_user_home_content_files(mozilla_t)
 -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
@@ -54626,34 +54674,34 @@ index 11ac8e4fc..28c1c5f16 100644
 -	gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
 +	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++	java_domtrans(mozilla_t)
  ')
  
  optional_policy(`
 -	java_exec(mozilla_t)
 -	java_manage_generic_home_content(mozilla_t)
 -	java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+	java_domtrans(mozilla_t)
++	lpd_domtrans_lpr(mozilla_t)
  ')
  
  optional_policy(`
 -	lpd_run_lpr(mozilla_t, mozilla_roles)
-+	lpd_domtrans_lpr(mozilla_t)
++	mplayer_domtrans(mozilla_t)
++	mplayer_read_user_home_files(mozilla_t)
  ')
  
  optional_policy(`
 -	mplayer_exec(mozilla_t)
 -	mplayer_manage_generic_home_content(mozilla_t)
 -	mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+	mplayer_domtrans(mozilla_t)
-+	mplayer_read_user_home_files(mozilla_t)
++	nscd_socket_use(mozilla_t)
  ')
  
  optional_policy(`
 -	pulseaudio_run(mozilla_t, mozilla_roles)
-+	nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
 +	#pulseaudio_role(mozilla_roles, mozilla_t)
 +	pulseaudio_exec(mozilla_t)
 +	pulseaudio_stream_connect(mozilla_t)
@@ -54661,7 +54709,7 @@ index 11ac8e4fc..28c1c5f16 100644
  ')
  
  optional_policy(`
-@@ -300,259 +340,261 @@ optional_policy(`
+@@ -300,259 +340,265 @@ optional_policy(`
  
  ########################################
  #
@@ -55026,13 +55074,6 @@ index 11ac8e4fc..28c1c5f16 100644
 +	dbus_session_bus_client(mozilla_plugin_t)
 +	dbus_connect_session_bus(mozilla_plugin_t)
 +	dbus_read_lib_files(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+	gnome_manage_config(mozilla_plugin_t)
-+	gnome_read_usr_config(mozilla_plugin_t)
-+	gnome_filetrans_home_content(mozilla_plugin_t)
-+	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
  ')
  
  optional_policy(`
@@ -55040,6 +55081,17 @@ index 11ac8e4fc..28c1c5f16 100644
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
 -	gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
++    devicekit_dbus_chat_disk(mozilla_plugin_t)
++')
++
++optional_policy(`
++	gnome_manage_config(mozilla_plugin_t)
++	gnome_read_usr_config(mozilla_plugin_t)
++	gnome_filetrans_home_content(mozilla_plugin_t)
++	gnome_exec_gstreamer_home_files(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
  ')
  
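Review bot: The new `devicekit_dbus_chat_disk(mozilla_plugin_t)` block lets the browser plugin domain exchange D-Bus messages with the devicekit disk service, and there is no comment or bug reference explaining which plugin needs it. mozilla_plugin_t exists to confine plugin content, so a channel to a system service that (presumably) manages storage deserves a recorded reason. Add a comment above the call naming the consumer, in the form `# <plugin or library> queries the disk service over D-Bus, BZ(<bug id>)`. The call is also indented with four spaces, while the neighbouring optional_policy blocks in this hunk (`gnome_manage_config`, `gpm_dontaudit_getattr_gpmctl`) use a tab. The enclosing mozilla_plugin_t section extends beyond this hunk.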
@@ -55069,7 +55121,7 @@ index 11ac8e4fc..28c1c5f16 100644
  ')
  
  optional_policy(`
-@@ -560,7 +602,11 @@ optional_policy(`
+@@ -560,7 +606,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55082,7 +55134,7 @@ index 11ac8e4fc..28c1c5f16 100644
  ')
  
  optional_policy(`
-@@ -568,108 +614,144 @@ optional_policy(`
+@@ -568,108 +618,144 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71802,10 +71854,10 @@ index 000000000..02df03ad6
 +')
 diff --git a/pdns.te b/pdns.te
 new file mode 100644
-index 000000000..63ddc577c
+index 000000000..4df7ada2a
 --- /dev/null
 +++ b/pdns.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,85 @@
 +policy_module(pdns, 1.0.2)
 +
 +########################################
@@ -71849,6 +71901,8 @@ index 000000000..63ddc577c
 +allow pdns_t self:unix_dgram_socket create_socket_perms;
 +pdns_read_config(pdns_t)
 +
++kernel_read_network_state(pdns_t)
++
 +corenet_tcp_bind_dns_port(pdns_t)
 +corenet_udp_bind_dns_port(pdns_t)
 +
@@ -72037,7 +72091,7 @@ index d2fc677c1..86dce34a2 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454d8..8f0f5fd9c 100644
+index 608f454d8..64782ff03 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -72056,7 +72110,7 @@ index 608f454d8..8f0f5fd9c 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,335 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -72189,6 +72243,8 @@ index 608f454d8..8f0f5fd9c 100644
 +
 +kernel_read_network_state(pegasus_openlmi_services_t)
 +
++miscfiles_read_certs(pegasus_openlmi_services_t)
++
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_openlmi_services_t)
 +')
@@ -72398,7 +72454,7 @@ index 608f454d8..8f0f5fd9c 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -72433,7 +72489,7 @@ index 608f454d8..8f0f5fd9c 100644
  kernel_read_fs_sysctls(pegasus_t)
  kernel_read_system_state(pegasus_t)
  kernel_search_vm_sysctl(pegasus_t)
-@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +397,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -72466,7 +72522,7 @@ index 608f454d8..8f0f5fd9c 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +425,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -72478,7 +72534,7 @@ index 608f454d8..8f0f5fd9c 100644
  
  files_list_var_lib(pegasus_t)
  files_read_var_lib_files(pegasus_t)
-@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +441,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -72500,21 +72556,21 @@ index 608f454d8..8f0f5fd9c 100644
 +optional_policy(`
 +    dbus_system_bus_client(pegasus_t)
 +    dbus_connect_system_bus(pegasus_t)
- 
--	optional_policy(`
--		networkmanager_dbus_chat(pegasus_t)
--	')
++
 +    optional_policy(`
 +	networkmanager_dbus_chat(pegasus_t)
 +    ')
 +')
-+
+ 
+-	optional_policy(`
+-		networkmanager_dbus_chat(pegasus_t)
+-	')
 +optional_policy(`
 +	rhcs_stream_connect_cluster(pegasus_t)
  ')
  
  optional_policy(`
-@@ -151,16 +473,24 @@ optional_policy(`
+@@ -151,16 +475,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -72543,7 +72599,7 @@ index 608f454d8..8f0f5fd9c 100644
  ')
  
  optional_policy(`
-@@ -168,7 +498,7 @@ optional_policy(`
+@@ -168,7 +500,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -72552,7 +72608,7 @@ index 608f454d8..8f0f5fd9c 100644
  ')
  
  optional_policy(`
-@@ -180,12 +510,17 @@ optional_policy(`
+@@ -180,12 +512,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77332,7 +77388,7 @@ index ded95ec3a..210018ce4 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83eca..67f813d34 100644
+index 5cfb83eca..5de033f81 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -78040,7 +78096,7 @@ index 5cfb83eca..67f813d34 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +595,80 @@ optional_policy(`
+@@ -655,69 +595,84 @@ optional_policy(`
  
  ########################################
  #
@@ -78104,6 +78160,10 @@ index 5cfb83eca..67f813d34 100644
  term_use_all_ptys(postfix_showq_t)
  term_use_all_ttys(postfix_showq_t)
  
++optional_policy(`
++    logwatch_dontaudit_leaks(postfix_showq_t)
++')
++
  ########################################
  #
 -# Smtp delivery local policy
@@ -78138,7 +78198,7 @@ index 5cfb83eca..67f813d34 100644
  ')
  
  optional_policy(`
-@@ -730,28 +681,32 @@ optional_policy(`
+@@ -730,28 +685,32 @@ optional_policy(`
  
  ########################################
  #
@@ -78179,7 +78239,7 @@ index 5cfb83eca..67f813d34 100644
  
  optional_policy(`
  	dovecot_stream_connect_auth(postfix_smtpd_t)
-@@ -764,6 +719,7 @@ optional_policy(`
+@@ -764,6 +723,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -78187,7 +78247,7 @@ index 5cfb83eca..67f813d34 100644
  ')
  
  optional_policy(`
-@@ -774,31 +730,102 @@ optional_policy(`
+@@ -774,31 +734,102 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -93683,7 +93743,7 @@ index 0bf13c220..79a2a9c48 100644
 +    allow $1 gssd_t:process { noatsecure rlimitinh };
 +')
 diff --git a/rpc.te b/rpc.te
-index 2da9fca2f..9099c9800 100644
+index 2da9fca2f..c8afd1e50 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -93888,7 +93948,7 @@ index 2da9fca2f..9099c9800 100644
  ')
  
  ########################################
-@@ -201,42 +231,64 @@ optional_policy(`
+@@ -201,42 +231,66 @@ optional_policy(`
  # NFSD local policy
  #
  
@@ -93935,6 +93995,8 @@ index 2da9fca2f..9099c9800 100644
  files_manage_mounttab(nfsd_t)
 +files_read_etc_runtime_files(nfsd_t)
  
++fs_read_configfs_files(nfsd_t)
++fs_read_configfs_dirs(nfsd_t)
 +fs_mounton_nfsd_fs(nfsd_t)
  fs_mount_nfsd_fs(nfsd_t)
  fs_getattr_all_fs(nfsd_t)
@@ -93964,7 +94026,7 @@ index 2da9fca2f..9099c9800 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -93972,7 +94034,7 @@ index 2da9fca2f..9099c9800 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -93987,7 +94049,7 @@ index 2da9fca2f..9099c9800 100644
  ')
  
  ########################################
-@@ -270,7 +321,7 @@ optional_policy(`
+@@ -270,7 +323,7 @@ optional_policy(`
  # GSSD local policy
  #
  
@@ -93996,7 +94058,7 @@ index 2da9fca2f..9099c9800 100644
  allow gssd_t self:process { getsched setsched };
  allow gssd_t self:fifo_file rw_fifo_file_perms;
  
-@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -94004,7 +94066,7 @@ index 2da9fca2f..9099c9800 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -288,25 +340,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +342,31 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -94039,7 +94101,7 @@ index 2da9fca2f..9099c9800 100644
  ')
  
  optional_policy(`
-@@ -314,9 +372,12 @@ optional_policy(`
+@@ -314,9 +374,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -111403,7 +111465,7 @@ index 5406b6ee8..dc5b46e28 100644
  	admin_pattern($1, tgtd_tmpfs_t)
  ')
 diff --git a/tgtd.te b/tgtd.te
-index d01096386..ae473b2b2 100644
+index d01096386..c491b2f9c 100644
 --- a/tgtd.te
 +++ b/tgtd.te
 @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
@@ -111435,7 +111497,7 @@ index d01096386..ae473b2b2 100644
  corenet_tcp_sendrecv_iscsi_port(tgtd_t)
  
  corenet_sendrecv_iscsi_client_packets(tgtd_t)
-@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
+@@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t)
  
  dev_read_sysfs(tgtd_t)
  
@@ -111444,6 +111506,8 @@ index d01096386..ae473b2b2 100644
  
  fs_read_anon_inodefs_files(tgtd_t)
  
++miscfiles_read_generic_certs(tgtd_t)
++
  storage_manage_fixed_disk(tgtd_t)
 +storage_read_scsi_generic(tgtd_t)
 +storage_write_scsi_generic(tgtd_t)
@@ -120205,11 +120269,12 @@ index 6b72968ea..de409cc61 100644
 +userdom_use_inherited_user_terminals(vlock_t)
 diff --git a/vmtools.fc b/vmtools.fc
 new file mode 100644
-index 000000000..c5deffb77
+index 000000000..13ee573e4
 --- /dev/null
 +++ b/vmtools.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,6 @@
 +/usr/bin/vmtoolsd		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
++/usr/bin/VGAuthService		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
 +
 +/usr/bin/vmware-user-suid-wrapper		--	gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
 +
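Review bot: `/usr/bin/VGAuthService` is given the same entry-point type as `/usr/bin/vmtoolsd` (`vmtools_exec_t`), so both daemons presumably run in one domain and share one permission set. That does confine VGAuthService as the changelog says, but any rule later added for vmtoolsd is then also granted to the guest authentication service, and the reverse. If the two have different needs, a dedicated exec type and domain would keep those grants separable. Otherwise a short comment in vmtools.fc, such as `# VGAuthService intentionally shares the vmtoolsd domain`, would document the choice.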
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6cc0ea7..6014ce9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 300%{?dist}
+Release: 301%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,22 @@ exit 0
 %endif
 
 %changelog
+* Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301
+- Merge pull request #37 from milosmalik/rawhide
+- Allow mozilla_plugin_t domain to dbus chat with devicekit
+- Dontaudit leaked logwatch pipes
+- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
+- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
+- Allow chronyd daemon to execute chronyc. BZ(1507478)
+- Allow pdns to read network system state BZ(1507244)
+- Allow gssproxy to read network system state Resolves: rhbz#1507191
+- Allow nfsd_t domain to read configfs_t files/dirs
+- Allow tgtd_t domain to read generic certs
+- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
+- Allow dirsrv_snmp_t to use inherited user ptys and read system state
+- Allow glusterd_t domain to create own tmpfs dirs/files
+- Allow keepalived stream connect to snmp
+
 * Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300
 - Allow zabbix_t domain to change its resource limits
 - Add new boolean nagios_use_nfs