diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index b57ae16..659c3a5 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 5c190b1..9cc9fe8 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3535,7 +3535,7 @@ index 7590165..d81185e 100644
 +	fs_mounton_fusefs(seunshare_domain)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 33e0f8d..b94f32f 100644
+index 33e0f8d..48f001d 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3611,7 +3611,16 @@ index 33e0f8d..b94f32f 100644
  /etc/X11/xdm/GiveConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/TakeConsole	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/X11/xdm/Xsetup_0		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -135,10 +153,12 @@ ifdef(`distro_debian',`
+@@ -128,6 +146,8 @@ ifdef(`distro_debian',`
+ /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
+ ')
+ 
++/etc/dhcp/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /lib
+ #
+@@ -135,10 +155,12 @@ ifdef(`distro_debian',`
  /lib/nut/.*			--	gen_context(system_u:object_r:bin_t,s0)
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -3625,7 +3634,7 @@ index 33e0f8d..b94f32f 100644
  
  ifdef(`distro_gentoo',`
  /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',`
+@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',`
  /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3639,7 +3648,7 @@ index 33e0f8d..b94f32f 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -3647,7 +3656,7 @@ index 33e0f8d..b94f32f 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',`
+@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -3707,7 +3716,7 @@ index 33e0f8d..b94f32f 100644
  /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',`
+@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',`
  /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3747,7 +3756,7 @@ index 33e0f8d..b94f32f 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',`
+@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -3793,7 +3802,7 @@ index 33e0f8d..b94f32f 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -3808,7 +3817,7 @@ index 33e0f8d..b94f32f 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@@ -3833,7 +3842,7 @@ index 33e0f8d..b94f32f 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -325,20 +401,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -3862,7 +3871,7 @@ index 33e0f8d..b94f32f 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -346,6 +429,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
  /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3870,7 +3879,7 @@ index 33e0f8d..b94f32f 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -387,17 +471,34 @@ ifdef(`distro_suse', `
+@@ -387,17 +473,34 @@ ifdef(`distro_suse', `
  #
  # /var
  #
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6657026..0f5e589 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3460,10 +3460,10 @@ index 0000000..d8b04b5
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..754c30f 100644
+index 7caefc3..2029082 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,214 @@
+@@ -1,162 +1,215 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3672,6 +3672,7 @@ index 7caefc3..754c30f 100644
 +/var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/var/lib/cherokee(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/ganglia(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/php(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/graphite-web(/.*)?     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -9426,10 +9427,10 @@ index c3fd7b1..e189593 100644
 -
 -miscfiles_read_localization(bcfg2_t)
 diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..49accb6 100644
+index 2b9a3a1..982ce9b 100644
 --- a/bind.fc
 +++ b/bind.fc
-@@ -1,54 +1,77 @@
+@@ -1,54 +1,78 @@
 -/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -9508,6 +9509,7 @@ index 2b9a3a1..49accb6 100644
 +/etc/named\.root\.hints	--	gen_context(system_u:object_r:named_conf_t,s0)
 +/etc/named\.conf	--	gen_context(system_u:object_r:named_conf_t,s0)
 +/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/lib/softhsm(/.*)? 		gen_context(system_u:object_r:named_cache_t,s0)
 +/var/lib/unbound(/.*)? 		gen_context(system_u:object_r:named_cache_t,s0)
 +/var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
 +/var/named/slaves(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
@@ -9731,7 +9733,7 @@ index 531a8f2..3fcf187 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..bf5ad4a 100644
+index 1241123..ab9ec30 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9764,7 +9766,13 @@ index 1241123..bf5ad4a 100644
  allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
  allow named_t self:fifo_file rw_fifo_file_perms;
  allow named_t self:unix_stream_socket { accept listen };
-@@ -89,9 +93,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms;
+ read_files_pattern(named_t, named_conf_t, named_conf_t)
+ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+ 
++manage_dirs_pattern(named_t, named_cache_t, named_cache_t)
+ manage_files_pattern(named_t, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
  
  allow named_t named_keytab_t:file read_file_perms;
  
@@ -9775,7 +9783,7 @@ index 1241123..bf5ad4a 100644
  logging_log_filetrans(named_t, named_log_t, file)
  
  manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
-@@ -112,10 +114,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+@@ -112,10 +115,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
  kernel_read_kernel_sysctls(named_t)
  kernel_read_system_state(named_t)
  kernel_read_network_state(named_t)
@@ -9787,7 +9795,7 @@ index 1241123..bf5ad4a 100644
  corenet_all_recvfrom_netlabel(named_t)
  corenet_tcp_sendrecv_generic_if(named_t)
  corenet_udp_sendrecv_generic_if(named_t)
-@@ -141,9 +143,13 @@ corenet_sendrecv_all_client_packets(named_t)
+@@ -141,9 +144,13 @@ corenet_sendrecv_all_client_packets(named_t)
  corenet_tcp_connect_all_ports(named_t)
  corenet_tcp_sendrecv_all_ports(named_t)
  
@@ -9801,7 +9809,7 @@ index 1241123..bf5ad4a 100644
  
  domain_use_interactive_fds(named_t)
  
-@@ -175,6 +181,19 @@ tunable_policy(`named_write_master_zones',`
+@@ -175,6 +182,19 @@ tunable_policy(`named_write_master_zones',`
  ')
  
  optional_policy(`
@@ -9821,7 +9829,7 @@ index 1241123..bf5ad4a 100644
  	dbus_system_domain(named_t, named_exec_t)
  
  	init_dbus_chat_script(named_t)
-@@ -187,7 +206,17 @@ optional_policy(`
+@@ -187,7 +207,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9839,7 +9847,7 @@ index 1241123..bf5ad4a 100644
  	kerberos_use(named_t)
  ')
  
-@@ -215,7 +244,8 @@ optional_policy(`
+@@ -215,7 +245,8 @@ optional_policy(`
  #
  
  allow ndc_t self:capability { dac_override net_admin };
@@ -9849,7 +9857,7 @@ index 1241123..bf5ad4a 100644
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { accept listen };
  
-@@ -229,10 +259,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +260,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
@@ -9861,7 +9869,7 @@ index 1241123..bf5ad4a 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +271,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +272,9 @@ corenet_tcp_bind_generic_node(ndc_t)
  corenet_tcp_connect_rndc_port(ndc_t)
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
@@ -9871,7 +9879,7 @@ index 1241123..bf5ad4a 100644
  domain_use_interactive_fds(ndc_t)
  
  files_search_pids(ndc_t)
-@@ -257,7 +289,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +290,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -18019,7 +18027,7 @@ index ad0bae9..615a947 100644
 +/var/spool/cron/tabs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
  ')
 diff --git a/cron.if b/cron.if
-index 1303b30..759412f 100644
+index 1303b30..f13c532 100644
 --- a/cron.if
 +++ b/cron.if
 @@ -2,11 +2,12 @@
@@ -18205,15 +18213,6 @@ index 1303b30..759412f 100644
 -	#
 -	# Declarations
 -	#
--
--	role $1 types { unconfined_cronjob_t crontab_t };
--
--	##############################
--	#
--	# Local policy
--	#
--
--	domtrans_pattern($2, crontab_exec_t, crontab_t)
 +    ##############################
 +    #
 +    # Declarations
@@ -18221,32 +18220,41 @@ index 1303b30..759412f 100644
 +    
 +    role $1 types unconfined_cronjob_t;
  
--	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
--	allow $2 crond_t:process sigchld;
+-	role $1 types { unconfined_cronjob_t crontab_t };
 +    ##############################
 +    #
 +    # Local policy
 +    #
  
--	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+-	##############################
+-	#
+-	# Local policy
+-	#
 +    dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
  
--	allow $2 crontab_t:process { ptrace signal_perms };
--	ps_process_pattern($2, crontab_t)
+-	domtrans_pattern($2, crontab_exec_t, crontab_t)
 +    allow $2 crond_t:process sigchld;
  
--	corecmd_exec_bin(crontab_t)
--	corecmd_exec_shell(crontab_t)
+-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+-	allow $2 crond_t:process sigchld;
 +    allow $2 user_cron_spool_t:file { getattr read write ioctl };
  
--	tunable_policy(`cron_userdomain_transition',`
--		allow crond_t $2:process transition;
--		allow crond_t $2:fd use;
--		allow crond_t $2:key manage_key_perms;
+-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
 +	# cronjob shows up in user ps
 +	ps_process_pattern($2, unconfined_cronjob_t)
 +	allow $2 unconfined_cronjob_t:process signal_perms;
  
+-	allow $2 crontab_t:process { ptrace signal_perms };
+-	ps_process_pattern($2, crontab_t)
+-
+-	corecmd_exec_bin(crontab_t)
+-	corecmd_exec_shell(crontab_t)
+-
+-	tunable_policy(`cron_userdomain_transition',`
+-		allow crond_t $2:process transition;
+-		allow crond_t $2:fd use;
+-		allow crond_t $2:key manage_key_perms;
+-
 -		allow $2 user_cron_spool_t:file entrypoint;
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $2 unconfined_cronjob_t:process ptrace;
@@ -18371,16 +18379,15 @@ index 1303b30..759412f 100644
 -		allow crond_t $2:process transition;
 -		allow crond_t $2:fd use;
 -		allow crond_t $2:key manage_key_perms;
+-
+-		allow $2 user_cron_spool_t:file entrypoint;
 +    tunable_policy(`cron_userdomain_transition',`
 +        allow crond_t $2:process transition;
 +        allow crond_t $2:fd use;
 +        allow crond_t $2:key manage_key_perms;
  
--		allow $2 user_cron_spool_t:file entrypoint;
-+        allow $2 user_cron_spool_t:file entrypoint;
- 
 -		allow $2 crond_t:fifo_file rw_fifo_file_perms;
-+        allow $2 crond_t:fifo_file rw_fifo_file_perms;
++        allow $2 user_cron_spool_t:file entrypoint;
  
 -		allow $2 cronjob_t:process { ptrace signal_perms };
 -		ps_process_pattern($2, cronjob_t)
@@ -18388,6 +18395,9 @@ index 1303b30..759412f 100644
 -		dontaudit crond_t $2:process transition;
 -		dontaudit crond_t $2:fd use;
 -		dontaudit crond_t $2:key manage_key_perms;
++        allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ 
+-		dontaudit $2 user_cron_spool_t:file entrypoint;
 +        allow $2 cronjob_t:process { signal_perms };
 +        ps_process_pattern($2, cronjob_t)
 +    ',`
@@ -18395,8 +18405,6 @@ index 1303b30..759412f 100644
 +        dontaudit crond_t $2:fd use;
 +        dontaudit crond_t $2:key manage_key_perms;
  
--		dontaudit $2 user_cron_spool_t:file entrypoint;
--
 -		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
 -
 -		dontaudit $2 cronjob_t:process { ptrace signal_perms };
@@ -18705,11 +18713,10 @@ index 1303b30..759412f 100644
  
 -	allow $1 crond_t:fifo_file rw_fifo_file_perms;
 +	allow $1 user_cron_spool_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read and write crond TCP sockets.
++')
++
++########################################
++## <summary>
 +##	Read and write inherited spool files.
 +## </summary>
 +## <param name="domain">
@@ -18724,10 +18731,11 @@ index 1303b30..759412f 100644
 +	')
 +
 +	allow $1 cron_spool_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write crond TCP sockets.
 +##	Read, and write cron daemon TCP sockets.
  ## </summary>
  ## <param name="domain">
@@ -18751,106 +18759,120 @@ index 1303b30..759412f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -627,8 +675,26 @@ interface(`cron_search_spool',`
+@@ -627,8 +675,7 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	crond pid files.
 +##	Search the directory containing user cron tables.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`cron_manage_system_spool',`
-+	gen_require(`
-+		type cron_system_spool_t;
-+	')
-+
-+	files_search_spool($1)
-+	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -641,13 +707,13 @@ interface(`cron_manage_pid_files',`
- 		type crond_var_run_t;
+@@ -636,37 +683,37 @@ interface(`cron_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`cron_manage_pid_files',`
++interface(`cron_manage_system_spool',`
+ 	gen_require(`
+-		type crond_var_run_t;
++		type cron_system_spool_t;
  	')
  
-+	files_search_pids($1)
- 	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+-	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
++	files_search_spool($1)
++	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
  ')
  
  ########################################
  ## <summary>
 -##	Execute anacron in the cron
 -##	system domain.
-+##	Execute anacron in the cron system domain.
++##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -660,13 +726,13 @@ interface(`cron_anacron_domtrans_system_job',`
- 		type system_cronjob_t, anacron_exec_t;
+-##	Domain allowed to transition.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`cron_anacron_domtrans_system_job',`
++interface(`cron_manage_pid_files',`
+ 	gen_require(`
+-		type system_cronjob_t, anacron_exec_t;
++		type crond_var_run_t;
  	')
  
 -	corecmd_search_bin($1)
- 	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+-	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
++	files_search_pids($1)
++	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
  ########################################
  ## <summary>
 -##	Use system cron job file descriptors.
-+##	Inherit and use a file descriptor
-+##	from system cron jobs.
++##	Read pid files used by cron
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -684,7 +750,7 @@ interface(`cron_use_system_job_fds',`
+@@ -674,37 +721,37 @@ interface(`cron_anacron_domtrans_system_job',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`cron_use_system_job_fds',`
++interface(`cron_read_pid_files',`
+ 	gen_require(`
+-		type system_cronjob_t;
++		type crond_var_run_t;
+ 	')
+ 
+-	allow $1 system_cronjob_t:fd use;
++	files_search_pids($1)
++	read_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ ')
  
  ########################################
  ## <summary>
 -##	Read system cron job lib files.
-+##	Write a system cron job unnamed pipe.
++##	Execute anacron in the cron system domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -692,19 +758,17 @@ interface(`cron_use_system_job_fds',`
+-##	Domain allowed access.
++##	Domain allowed to transition.
  ##	</summary>
  ## </param>
  #
 -interface(`cron_read_system_job_lib_files',`
-+interface(`cron_write_system_job_pipes',`
++interface(`cron_anacron_domtrans_system_job',`
  	gen_require(`
 -		type system_cronjob_var_lib_t;
-+		type system_cronjob_t;
++		type system_cronjob_t, anacron_exec_t;
  	')
  
 -	files_search_var_lib($1)
 -	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+	allow $1 system_cronjob_t:fifo_file write;
++	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	system cron job lib files.
-+##	Read and write a system cron job unnamed pipe.
++##	Inherit and use a file descriptor
++##	from system cron jobs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -712,18 +776,17 @@ interface(`cron_read_system_job_lib_files',`
+@@ -712,18 +759,17 @@ interface(`cron_read_system_job_lib_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`cron_manage_system_job_lib_files',`
-+interface(`cron_rw_system_job_pipes',`
++interface(`cron_use_system_job_fds',`
  	gen_require(`
 -		type system_cronjob_var_lib_t;
 +		type system_cronjob_t;
@@ -18858,154 +18880,134 @@ index 1303b30..759412f 100644
  
 -	files_search_var_lib($1)
 -	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+	allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 system_cronjob_t:fd use;
  ')
  
  ########################################
  ## <summary>
 -##	Write system cron job unnamed pipes.
-+##	Allow read/write unix stream sockets from the system cron jobs.
++##	Write a system cron job unnamed pipe.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -731,18 +794,17 @@ interface(`cron_manage_system_job_lib_files',`
- ##	</summary>
- ## </param>
- #
--interface(`cron_write_system_job_pipes',`
-+interface(`cron_rw_system_job_stream_sockets',`
- 	gen_require(`
+@@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
 -	allow $1 system_cronjob_t:file write;
-+	allow $1 system_cronjob_t:unix_stream_socket { read write };
++	allow $1 system_cronjob_t:fifo_file write;
  ')
  
  ########################################
  ## <summary>
 -##	Read and write system cron job
 -##	unnamed pipes.
-+##	Read temporary files from the system cron jobs.
++##	Read and write a system cron job unnamed pipe.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -750,86 +812,142 @@ interface(`cron_write_system_job_pipes',`
- ##	</summary>
- ## </param>
- #
--interface(`cron_rw_system_job_pipes',`
-+interface(`cron_read_system_job_tmp_files',`
- 	gen_require(`
--		type system_cronjob_t;
-+		type system_cronjob_tmp_t, cron_var_run_t;
+@@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',`
+ 		type system_cronjob_t;
  	')
  
 -	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
-+	files_search_tmp($1)
-+	allow $1 system_cronjob_tmp_t:file read_file_perms;
-+
-+	files_search_pids($1)
-+	allow $1 cron_var_run_t:file read_file_perms;
++	allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Read and write inherited system cron
 -##	job unix domain stream sockets.
-+##	Do not audit attempts to append temporary
-+##	files from the system cron jobs.
++##	Allow read/write unix stream sockets from the system cron jobs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`cron_rw_system_job_stream_sockets',`
-+interface(`cron_dontaudit_append_system_job_tmp_files',`
- 	gen_require(`
--		type system_cronjob_t;
-+		type system_cronjob_tmp_t;
- 	')
- 
--	allow $1 system_cronjob_t:unix_stream_socket { read write };
-+	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
- ')
+@@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',`
  
  ########################################
  ## <summary>
 -##	Read system cron job temporary files.
-+##	Do not audit attempts to write temporary
-+##	files from the system cron jobs.
++##	Read temporary files from the system cron jobs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
+@@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
--interface(`cron_read_system_job_tmp_files',`
-+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
- 		type system_cronjob_tmp_t;
-+		type cron_var_run_t;
+-		type system_cronjob_tmp_t;
++		type system_cronjob_tmp_t, cron_var_run_t;
  	')
  
--	files_search_tmp($1)
--	allow $1 system_cronjob_tmp_t:file read_file_perms;
-+	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
-+	dontaudit $1 cron_var_run_t:file write_file_perms;
+ 	files_search_tmp($1)
+ 	allow $1 system_cronjob_tmp_t:file read_file_perms;
++
++	files_search_pids($1)
++	allow $1 cron_var_run_t:file read_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to append temporary
+ ##	Do not audit attempts to append temporary
 -##	system cron job files.
-+##	Read temporary files from the system cron jobs.
++##	files from the system cron jobs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`cron_dontaudit_append_system_job_tmp_files',`
-+interface(`cron_read_system_job_lib_files',`
- 	gen_require(`
--		type system_cronjob_tmp_t;
-+		type system_cronjob_var_lib_t;
- 	')
- 
--	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
-+	files_search_var_lib($1)
-+	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
- ')
- 
+@@ -818,7 +865,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  ########################################
  ## <summary>
--##	Do not audit attempts to write temporary
+ ##	Do not audit attempts to write temporary
 -##	system cron job files.
-+##	Manage files from the system cron jobs.
++##	files from the system cron jobs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`cron_dontaudit_write_system_job_tmp_files',`
-+interface(`cron_manage_system_job_lib_files',`
+@@ -829,7 +876,97 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+ interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
--		type system_cronjob_tmp_t;
-+		type system_cronjob_var_lib_t;
+ 		type system_cronjob_tmp_t;
++		type cron_var_run_t;
  	')
  
--	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ 	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
++	dontaudit $1 cron_var_run_t:file write_file_perms;
++')
++
++########################################
++## <summary>
++##	Read temporary files from the system cron jobs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cron_read_system_job_lib_files',`
++	gen_require(`
++		type system_cronjob_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage files from the system cron jobs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cron_manage_system_job_lib_files',`
++	gen_require(`
++		type system_cronjob_var_lib_t;
++	')
++
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 +')
@@ -24883,10 +24885,10 @@ index 0000000..5d30dab
 +/var/log/dirsrv/ldap-agent.log.*	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
 diff --git a/dirsrv.if b/dirsrv.if
 new file mode 100644
-index 0000000..b214253
+index 0000000..b3784d8
 --- /dev/null
 +++ b/dirsrv.if
-@@ -0,0 +1,208 @@
+@@ -0,0 +1,232 @@
 +## <summary>policy for dirsrv</summary>
 +
 +########################################
@@ -24907,6 +24909,30 @@ index 0000000..b214253
 +	domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
 +')
 +
++########################################
++## <summary>
++##	Execute dirsrv in the dirsrv domain, and
++##	allow the specified role the dirsrv domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`dirsrv_run',`
++	gen_require(`
++		type dirsrv_t;
++	')
++
++	dirsrv_domtrans($1)
++	role $2 types dirsrv_t;
++')
 +
 +########################################
 +## <summary>
@@ -32050,10 +32076,10 @@ index 0000000..764ae00
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..c31e40e
+index 0000000..3ba328e
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,302 @@
+@@ -0,0 +1,303 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@@ -32240,6 +32266,7 @@ index 0000000..c31e40e
 +init_read_script_state(glusterd_t)
 +init_rw_script_tmp_files(glusterd_t)
 +init_manage_script_status_files(glusterd_t)
++init_status(glusterd_t)
 +
 +systemd_config_systemd_services(glusterd_t)
 +systemd_signal_passwd_agent(glusterd_t)
@@ -39511,7 +39538,7 @@ index 59ad3b3..bd02cc8 100644
 +
 +/var/spool/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
 diff --git a/jabber.if b/jabber.if
-index 7eb3811..629af1e 100644
+index 7eb3811..8075ba5 100644
 --- a/jabber.if
 +++ b/jabber.if
 @@ -1,29 +1,76 @@
@@ -39669,7 +39696,7 @@ index 7eb3811..629af1e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -66,20 +137,27 @@ interface(`jabber_tcp_connect',`
+@@ -66,20 +137,28 @@ interface(`jabber_tcp_connect',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -39687,6 +39714,7 @@ index 7eb3811..629af1e 100644
 +		type jabberd_t, jabberd_var_lib_t;
 +		type jabberd_initrc_exec_t, jabberd_router_t;
 +        type jabberd_lock_t;
++		type jabberd_var_spool_t;
  	')
  
 -	allow $1 jabberd_domain:process { ptrace signal_perms };
@@ -39703,7 +39731,7 @@ index 7eb3811..629af1e 100644
  
  	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -89,15 +167,9 @@ interface(`jabber_admin',`
+@@ -89,15 +168,9 @@ interface(`jabber_admin',`
  	files_search_locks($1)
  	admin_pattern($1, jabberd_lock_t)
  
@@ -39711,7 +39739,8 @@ index 7eb3811..629af1e 100644
 -	admin_pattern($1, jabberd_log_t)
 -
  	files_search_spool($1)
- 	admin_pattern($1, jabberd_spool_t)
+-	admin_pattern($1, jabberd_spool_t)
++	admin_pattern($1, jabberd_var_spool_t)
  
  	files_search_var_lib($1)
  	admin_pattern($1, jabberd_var_lib_t)
@@ -45775,7 +45804,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..688605e 100644
+index be0ab84..5160f96 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@@ -45900,7 +45929,7 @@ index be0ab84..688605e 100644
  files_manage_generic_spool(logrotate_t)
  files_manage_generic_spool_dirs(logrotate_t)
  files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +126,54 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +126,55 @@ mls_process_write_to_clearance(logrotate_t)
  selinux_get_fs_mount(logrotate_t)
  selinux_get_enforce_mode(logrotate_t)
  
@@ -45925,6 +45954,7 @@ index be0ab84..688605e 100644
 +systemd_start_all_unit_files(logrotate_t)
 +systemd_reload_all_services(logrotate_t)
 +systemd_status_all_unit_files(logrotate_t)
++systemd_dbus_chat_logind(logrotate_t)
 +init_stream_connect(logrotate_t)
  
 -seutil_dontaudit_read_config(logrotate_t)
@@ -45961,7 +45991,7 @@ index be0ab84..688605e 100644
  ')
  
  optional_policy(`
-@@ -135,16 +188,17 @@ optional_policy(`
+@@ -135,16 +189,17 @@ optional_policy(`
  
  optional_policy(`
  	apache_read_config(logrotate_t)
@@ -45981,7 +46011,7 @@ index be0ab84..688605e 100644
  ')
  
  optional_policy(`
-@@ -170,6 +224,11 @@ optional_policy(`
+@@ -170,6 +225,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45993,7 +46023,7 @@ index be0ab84..688605e 100644
  	fail2ban_stream_connect(logrotate_t)
  ')
  
-@@ -178,7 +237,7 @@ optional_policy(`
+@@ -178,7 +238,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46002,7 +46032,7 @@ index be0ab84..688605e 100644
  ')
  
  optional_policy(`
-@@ -198,17 +257,18 @@ optional_policy(`
+@@ -198,17 +258,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46024,7 +46054,7 @@ index be0ab84..688605e 100644
  ')
  
  optional_policy(`
-@@ -216,6 +276,14 @@ optional_policy(`
+@@ -216,6 +277,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46039,7 +46069,7 @@ index be0ab84..688605e 100644
  	samba_exec_log(logrotate_t)
  ')
  
-@@ -228,26 +296,43 @@ optional_policy(`
+@@ -228,26 +297,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64262,10 +64292,10 @@ index 8de6191..1a01e99 100644
 +')
 diff --git a/openhpid.fc b/openhpid.fc
 new file mode 100644
-index 0000000..9441fd7
+index 0000000..df219e6
 --- /dev/null
 +++ b/openhpid.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,10 @@
 +
 +/etc/rc\.d/init\.d/openhpid	--	gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
 +
@@ -64273,6 +64303,8 @@ index 0000000..9441fd7
 +
 +/var/lib/openhpi(/.*)?		gen_context(system_u:object_r:openhpid_var_lib_t,s0)
 +
++/var/log/dynsim[0-9]*\.log	--		gen_context(system_u:object_r:openhpid_log_t,s0)
++
 +/var/run/openhpid\.pid	--	gen_context(system_u:object_r:openhpid_var_run_t,s0)
 diff --git a/openhpid.if b/openhpid.if
 new file mode 100644
@@ -64441,10 +64473,10 @@ index 0000000..598789a
 +
 diff --git a/openhpid.te b/openhpid.te
 new file mode 100644
-index 0000000..b4f88f6
+index 0000000..a0e0eaf
 --- /dev/null
 +++ b/openhpid.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,67 @@
 +policy_module(openhpid, 1.0.0)
 +
 +########################################
@@ -64459,6 +64491,9 @@ index 0000000..b4f88f6
 +type openhpid_initrc_exec_t;
 +init_script_file(openhpid_initrc_exec_t)
 +
++type openhpid_log_t;
++logging_log_file(openhpid_log_t)
++
 +type openhpid_var_lib_t;
 +files_type(openhpid_var_lib_t)
 +
@@ -64479,6 +64514,10 @@ index 0000000..b4f88f6
 +allow openhpid_t self:tcp_socket create_stream_socket_perms;
 +allow openhpid_t self:udp_socket create_socket_perms;
 +
++
++manage_files_pattern(openhpid_t, openhpid_log_t, openhpid_log_t)
++logging_log_filetrans(openhpid_t, openhpid_log_t, file)
++
 +manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
 +manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
 +files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
@@ -68410,10 +68449,10 @@ index 0000000..80246e6
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..5eb733c
+index 0000000..a9ca49d
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,279 @@
+@@ -0,0 +1,285 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -68566,6 +68605,10 @@ index 0000000..5eb733c
 +userdom_read_user_tmp_files(pcp_pmcd_t)
 +
 +optional_policy(`
++	cron_read_pid_files(pcp_pmcd_t)
++')
++
++optional_policy(`
 +    docker_manage_lib_files(pcp_pmcd_t)
 +')
 +
@@ -68682,8 +68725,10 @@ index 0000000..5eb733c
 +allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
 +
 +allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
++allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_read_system_state(pcp_pmlogger_t)
++kernel_read_network_state(pcp_pmlogger_t)
 +
 +corecmd_exec_bin(pcp_pmlogger_t)
 +
@@ -96580,7 +96625,7 @@ index 3df2a0f..7264d8a 100644
 -/var/log/sanlock\.log.*	--	gen_context(system_u:object_r:sanlock_log_t,s0)
 +/usr/lib/systemd/system/sanlk-resetd\.service	--	gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0)
 diff --git a/sanlock.if b/sanlock.if
-index cd6c213..372c7bb 100644
+index cd6c213..6d3cdc4 100644
 --- a/sanlock.if
 +++ b/sanlock.if
 @@ -1,4 +1,6 @@
@@ -96684,7 +96729,7 @@ index cd6c213..372c7bb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -97,21 +120,125 @@ interface(`sanlock_stream_connect',`
+@@ -97,21 +120,121 @@ interface(`sanlock_stream_connect',`
  #
  interface(`sanlock_admin',`
  	gen_require(`
@@ -96804,11 +96849,7 @@ index cd6c213..372c7bb 100644
  
 -	logging_search_logs($1)
 -	admin_pattern($1, sanlock_log_t)
-+	sanlk_resetd_systemctl($1)
-+	admin_pattern($1, sanlk_resetd_unit_file_t)
-+	allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
-+
-+	sanlk_resetd_systemctl($1)
++	sanlock_systemctl_sanlk_resetd($1)
 +	admin_pattern($1, sanlk_resetd_unit_file_t)
 +	allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
 +	optional_policy(`
@@ -112745,7 +112786,7 @@ index facdee8..816d860 100644
 +        ps_process_pattern(virtd_t, $1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..8d090ad 100644
+index f03dcf5..4f5b8cd 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,402 @@
@@ -115076,7 +115117,7 @@ index f03dcf5..8d090ad 100644
 +allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
 +allow sandbox_net_domain self:packet_socket create_socket_perms;
 +allow sandbox_net_domain self:socket create_socket_perms;
-+allow sandbox_net_domain self:rawip_socket create_socket_perms;
++allow sandbox_net_domain self:rawip_socket create_stream_socket_perms;
 +allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 +
 +corenet_tcp_bind_generic_node(sandbox_net_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b3718bc..ecb8f22 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 198%{?dist}
+Release: 199%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,26 @@ exit 0
 %endif
 
 %changelog
+* Tue Jun 28 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-199
+- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
+- Allow glusterd daemon to get systemd status
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Merge pull request #135 from rhatdan/rawip_socket
+- Allow logrotate dbus-chat with system_logind daemon
+- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
+- Add interface cron_read_pid_files()
+- Allow pcp_pmlogger to create unix dgram sockets
+- Add interface dirsrv_run()
+- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
+- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
+- Create label for openhpid log files.
+- Container processes need to be able to listen on rawip sockets
+- Label /var/lib/ganglia as httpd_var_lib_t
+- Allow firewalld_t to create entries in net_conf_t dirs.
+- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
+- Label /etc/dhcp/scripts dir as bin_t
+- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
+
 * Wed Jun 22 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-198
 - Allow firewalld_t to create entries in net_conf_t dirs.
 - Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals