diff --git a/container-selinux.tgz b/container-selinux.tgz
index c34b771..08e4154 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 6bdaf0c..afa94bc 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1,3 +1,13 @@
+diff --git a/.gitmodules b/.gitmodules
+index 360bd03..e794aa3 100644
+--- a/.gitmodules
++++ b/.gitmodules
+@@ -1,3 +1,4 @@
+ [submodule "policy/modules/contrib"]
+ 	path = policy/modules/contrib
+-	url = http://oss.tresys.com/git/refpolicy-contrib.git
++    url = https://github.com/fedora-selinux/selinux-policy-contrib
++    branch = rawhide
 diff --git a/Makefile b/Makefile
 index ec7b5cb..e2936c6 100644
 --- a/Makefile
@@ -19165,7 +19175,7 @@ index 7be4ddf..9710b33 100644
 +/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
 +/sys/kernel/debug/.*	<<none>>
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..342fb1e 100644
+index e100d88..d780b64 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -19561,7 +19571,34 @@ index e100d88..342fb1e 100644
  ')
  
  ########################################
-@@ -2085,7 +2241,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2048,6 +2204,26 @@ interface(`kernel_read_rpc_sysctls',`
+ 	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
+ ')
+ 
++
++########################################
++## <summary>
++##	Read RPC sysctls.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`kernel_rw_rpc_sysctls_dirs',`
++	gen_require(`
++		type proc_t, proc_net_t, sysctl_rpc_t;
++	')
++
++	rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write RPC sysctls.
+@@ -2085,7 +2261,54 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -19617,7 +19654,7 @@ index e100d88..342fb1e 100644
  ')
  
  ########################################
-@@ -2282,6 +2485,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2505,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -19643,7 +19680,7 @@ index e100d88..342fb1e 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2528,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2548,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19652,98 +19689,77 @@ index e100d88..342fb1e 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2710,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,21 +2730,39 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
+-##	Do not audit attempts by caller to get attributes for
+-##	unlabeled character devices.
 +##	Read and write unlabeled sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_rw_unlabeled_socket',`
-+	gen_require(`
-+		type unlabeled_t;
-+	')
-+
-+	allow $1 unlabeled_t:socket rw_socket_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts by caller to get attributes for
- ##	unlabeled character devices.
- ## </summary>
-@@ -2525,7 +2765,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
- 
- ########################################
- ## <summary>
--##	Allow caller to relabel unlabeled files.
-+##	Allow caller to relabel unlabeled filesystems.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2533,18 +2773,17 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`kernel_relabelfrom_unlabeled_files',`
-+interface(`kernel_relabelfrom_unlabeled_fs',`
- 	gen_require(`
- 		type unlabeled_t;
- 	')
- 
--	kernel_list_unlabeled($1)
--	allow $1 unlabeled_t:file { getattr relabelfrom };
-+	allow $1 unlabeled_t:filesystem relabelfrom;
- ')
- 
- ########################################
- ## <summary>
--##	Allow caller to relabel unlabeled symbolic links.
-+##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2552,13 +2791,32 @@ interface(`kernel_relabelfrom_unlabeled_files',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`kernel_relabelfrom_unlabeled_symlinks',`
-+interface(`kernel_relabelfrom_unlabeled_files',`
+-interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
++interface(`kernel_rw_unlabeled_socket',`
  	gen_require(`
  		type unlabeled_t;
  	')
  
- 	kernel_list_unlabeled($1)
--	allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
-+	allow $1 unlabeled_t:file { getattr relabelfrom };
+-	dontaudit $1 unlabeled_t:chr_file getattr;
++	allow $1 unlabeled_t:socket rw_socket_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to relabel unlabeled symbolic links.
++##	Do not audit attempts by caller to get attributes for
++##	unlabeled character devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`kernel_relabelfrom_unlabeled_symlinks',`
++interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 +	gen_require(`
 +		type unlabeled_t;
 +	')
 +
-+	kernel_list_unlabeled($1)
-+	allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
++	dontaudit $1 unlabeled_t:chr_file getattr;
  ')
  
  ########################################
-@@ -2667,6 +2925,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2525,6 +2785,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Allow caller to relabel unlabeled filesystems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_relabelfrom_unlabeled_fs',`
++	gen_require(`
++		type unlabeled_t;
++	')
++
++	allow $1 unlabeled_t:filesystem relabelfrom;
++')
++
++########################################
++## <summary>
+ ##	Allow caller to relabel unlabeled files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2667,6 +2945,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -19768,7 +19784,7 @@ index e100d88..342fb1e 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2694,6 +2970,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2990,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -19794,7 +19810,7 @@ index e100d88..342fb1e 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2803,6 +3098,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3118,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -19828,7 +19844,7 @@ index e100d88..342fb1e 100644
  
  ########################################
  ## <summary>
-@@ -2958,6 +3280,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3300,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -19853,7 +19869,7 @@ index e100d88..342fb1e 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3312,649 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3332,649 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -37802,7 +37818,7 @@ index 0000000..c814795
 +fs_manage_kdbus_dirs(systemd_logind_t)
 +fs_manage_kdbus_files(systemd_logind_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..7b05663 100644
+index 73bb3c0..5d62107 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -37886,7 +37902,7 @@ index 73bb3c0..7b05663 100644
  /usr/lib/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/win32/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libGLdispatch/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGLdispatch.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -43211,7 +43227,7 @@ index 3822072..d358162 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc46420..8d4ed0f 100644
+index dc46420..a86e9eb 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,16 @@ gen_require(`
@@ -43746,7 +43762,7 @@ index dc46420..8d4ed0f 100644
  ')
  
  ########################################
-@@ -522,111 +597,201 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +597,202 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -43911,6 +43927,7 @@ index dc46420..8d4ed0f 100644
 +fs_getattr_all_files(setfiles_domain)
 +fs_search_auto_mountpoints(setfiles_domain)
 +fs_relabelfrom_noxattr_fs(setfiles_domain)
++fs_mount_tracefs(setfiles_domain)
 +
 +selinux_validate_context(setfiles_domain)
 +selinux_compute_access_vector(setfiles_domain)
@@ -47071,10 +47088,10 @@ index 0000000..86e3d01
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..c6280dc
+index 0000000..0100a56
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1017 @@
+@@ -0,0 +1,1018 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -48072,6 +48089,7 @@ index 0000000..c6280dc
 +#
 +
 +allow systemd_bootchart_t self:capability2 wake_alarm;
++allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_dgram_send(systemd_bootchart_t)
 +kernel_rw_kernel_sysctl(systemd_bootchart_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2396b2b..30ee75e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12878,7 +12878,7 @@ index 85ca63f..1d1c99c 100644
  	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
  	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index 80a88a2..ec869f5 100644
+index 80a88a2..71c25c3 100644
 --- a/cgroup.te
 +++ b/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -12906,7 +12906,7 @@ index 80a88a2..ec869f5 100644
  domain_setpriority_all_domains(cgclear_t)
  
  fs_manage_cgroup_dirs(cgclear_t)
-@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+@@ -64,23 +66,26 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
  kernel_list_unlabeled(cgconfig_t)
  kernel_read_system_state(cgconfig_t)
  
@@ -12930,12 +12930,13 @@ index 80a88a2..ec869f5 100644
 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
++allow cgred_t self:netlink_connector_socket create_socket_perms;
  
 +allow cgred_t cgconfig_etc_t:file read_file_perms;
  allow cgred_t cgrules_etc_t:file read_file_perms;
  
  allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
+@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t)
  files_getattr_all_files(cgred_t)
  files_getattr_all_sockets(cgred_t)
  files_read_all_symlinks(cgred_t)
@@ -14855,10 +14856,10 @@ index cc4e7cb..f348d27 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cmirrord_initrc_exec_t system_r;
 diff --git a/cmirrord.te b/cmirrord.te
-index bbdd396..8328b95 100644
+index bbdd396..28b1761 100644
 --- a/cmirrord.te
 +++ b/cmirrord.te
-@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
+@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t)
  # Local policy
  #
  
@@ -14867,7 +14868,14 @@ index bbdd396..8328b95 100644
  dontaudit cmirrord_t self:capability sys_tty_config;
  allow cmirrord_t self:process { setfscreate signal };
  allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+ allow cmirrord_t self:sem create_sem_perms;
+ allow cmirrord_t self:shm create_shm_perms;
+ allow cmirrord_t self:netlink_socket create_socket_perms;
++allow cmirrord_t self:netlink_connector_socket create_socket_perms;
+ allow cmirrord_t self:unix_stream_socket { accept listen };
+ 
+ manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
  domain_use_interactive_fds(cmirrord_t)
  domain_obj_id_change_exemption(cmirrord_t)
  
@@ -30858,6 +30866,243 @@ index e5b15fb..220622e 100644
  	allow games_t self:process execmem;
  ')
  
+diff --git a/ganesha.fc b/ganesha.fc
+new file mode 100644
+index 0000000..c5982d5
+--- /dev/null
++++ b/ganesha.fc
+@@ -0,0 +1,11 @@
++/usr/bin/ganesha.nfsd		--	gen_context(system_u:object_r:ganesha_exec_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/var/log/ganesha.log	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)
++
++/var/run/ganesha(/.*)?		gen_context(system_u:object_r:ganesha_var_run_t,s0)
+diff --git a/ganesha.if b/ganesha.if
+new file mode 100644
+index 0000000..d9ba5fa
+--- /dev/null
++++ b/ganesha.if
+@@ -0,0 +1,147 @@
++
++## <summary>policy for ganesha</summary>
++
++########################################
++## <summary>
++##	Execute ganesha_exec_t in the ganesha domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ganesha_domtrans',`
++	gen_require(`
++		type ganesha_t, ganesha_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, ganesha_exec_t, ganesha_t)
++')
++
++######################################
++## <summary>
++##	Execute ganesha in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ganesha_exec',`
++	gen_require(`
++		type ganesha_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, ganesha_exec_t)
++')
++########################################
++## <summary>
++##	Read ganesha PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ganesha_read_pid_files',`
++	gen_require(`
++		type ganesha_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute ganesha server in the ganesha domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ganesha_systemctl',`
++	gen_require(`
++		type ganesha_t;
++		type ganesha_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 ganesha_unit_file_t:file read_file_perms;
++	allow $1 ganesha_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, ganesha_t)
++')
++
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	ganesha over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ganesha_dbus_chat',`
++	gen_require(`
++		type ganesha_t;
++		class dbus send_msg;
++	')
++
++	allow $1 ganesha_t:dbus send_msg;
++	allow ganesha_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an ganesha environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ganesha_admin',`
++	gen_require(`
++		type ganesha_t;
++		type ganesha_var_run_t;
++	type ganesha_unit_file_t;
++	')
++
++	allow $1 ganesha_t:process { signal_perms };
++	ps_process_pattern($1, ganesha_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 ganesha_t:process ptrace;
++    ')
++
++	files_search_pids($1)
++	admin_pattern($1, ganesha_var_run_t)
++
++	ganesha_systemctl($1)
++	admin_pattern($1, ganesha_unit_file_t)
++	allow $1 ganesha_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/ganesha.te b/ganesha.te
+new file mode 100644
+index 0000000..20b9fcf
+--- /dev/null
++++ b/ganesha.te
+@@ -0,0 +1,61 @@
++policy_module(ganesha, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ganesha_t;
++type ganesha_exec_t;
++init_daemon_domain(ganesha_t, ganesha_exec_t)
++
++permissive ganesha_t;
++
++type ganesha_var_log_t;
++logging_log_file(ganesha_var_log_t)
++
++type ganesha_var_run_t;
++files_pid_file(ganesha_var_run_t)
++
++type ganesha_unit_file_t;
++systemd_unit_file(ganesha_unit_file_t)
++
++########################################
++#
++# ganesha local policy
++#
++allow ganesha_t self:process { setcap setrlimit };
++allow ganesha_t self:fifo_file rw_fifo_file_perms;
++allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
++allow ganesha_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
++
++manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
++manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
++logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
++
++auth_use_nsswitch(ganesha_t)
++
++corenet_tcp_bind_nfs_port(ganesha_t)
++corenet_tcp_connect_generic_port(ganesha_t)
++corenet_udp_bind_nfs_port(ganesha_t)
++corenet_udp_bind_all_rpc_ports(ganesha_t)
++corenet_tcp_bind_all_rpc_ports(ganesha_t)
++
++logging_send_syslog_msg(ganesha_t)
++
++sysnet_dns_name_resolve(ganesha_t)
++
++optional_policy(`
++	dbus_system_bus_client(ganesha_t)
++	dbus_connect_system_bus(ganesha_t)
++')
++
++optional_policy(`
++	rpc_manage_nfs_state_data_dir(ganesha_t)
++	rpcbind_stream_connect(ganesha_t)
++')
 diff --git a/gatekeeper.te b/gatekeeper.te
 index 2820368..88c98f4 100644
 --- a/gatekeeper.te
@@ -32165,10 +32410,10 @@ index 5cd0909..bd3c3d2 100644
 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
-index 0000000..a3633cd
+index 0000000..9806f50
 --- /dev/null
 +++ b/glusterd.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,25 @@
 +/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +
 +/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
@@ -32184,20 +32429,16 @@ index 0000000..a3633cd
 +/usr/libexec/glusterfs/peer_eventsapi.py    -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +/usr/libexec/glusterfs/events/glustereventsd.py   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
-+/usr/bin/ganesha.nfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
-+
 +/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
 +/var/lib/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
 +
 +/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
-+/var/log/ganesha.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)
 +
 +/var/run/gluster(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 +/var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+/var/run/ganesha.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
 diff --git a/glusterd.if b/glusterd.if
 new file mode 100644
 index 0000000..764ae00
@@ -83507,7 +83748,7 @@ index da64218..3fb8575 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
  ')
 diff --git a/quota.te b/quota.te
-index f47c8e8..d4e9042 100644
+index f47c8e8..af09c76 100644
 --- a/quota.te
 +++ b/quota.te
 @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@@ -83602,7 +83843,7 @@ index f47c8e8..d4e9042 100644
  ')
  
  optional_policy(`
-@@ -103,12 +102,12 @@ optional_policy(`
+@@ -103,12 +102,13 @@ optional_policy(`
  
  #######################################
  #
@@ -83613,11 +83854,12 @@ index f47c8e8..d4e9042 100644
  allow quota_nld_t self:fifo_file rw_fifo_file_perms;
  allow quota_nld_t self:netlink_socket create_socket_perms;
 -allow quota_nld_t self:unix_stream_socket { accept listen };
++allow quota_nld_t self:netlink_generic_socket create_socket_perms;
 +allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
  
  manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
  files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
-@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t)
+@@ -121,11 +121,9 @@ init_read_utmp(quota_nld_t)
  
  logging_send_syslog_msg(quota_nld_t)
  
@@ -91112,7 +91354,7 @@ index 0bf13c2..ed393a0 100644
  	files_list_tmp($1)
  	admin_pattern($1, gssd_tmp_t)
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..a37f579 100644
+index 2da9fca..be1fab2 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -91316,7 +91558,7 @@ index 2da9fca..a37f579 100644
  ')
  
  ########################################
-@@ -202,41 +232,61 @@ optional_policy(`
+@@ -202,41 +232,62 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -91334,6 +91576,7 @@ index 2da9fca..a37f579 100644
  kernel_request_load_module(nfsd_t)
 -# kernel_mounton_proc(nfsd_t)
 +kernel_mounton_proc(nfsd_t)
++kernel_rw_rpc_sysctls_dirs(nfsd_t)
  
 -corenet_sendrecv_nfs_server_packets(nfsd_t)
 +corecmd_exec_shell(nfsd_t)
@@ -91388,7 +91631,7 @@ index 2da9fca..a37f579 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -91396,7 +91639,7 @@ index 2da9fca..a37f579 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -91411,7 +91654,7 @@ index 2da9fca..a37f579 100644
  ')
  
  ########################################
-@@ -270,7 +319,7 @@ optional_policy(`
+@@ -270,7 +320,7 @@ optional_policy(`
  # GSSD local policy
  #
  
@@ -91420,7 +91663,7 @@ index 2da9fca..a37f579 100644
  allow gssd_t self:process { getsched setsched };
  allow gssd_t self:fifo_file rw_fifo_file_perms;
  
-@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -91428,7 +91671,7 @@ index 2da9fca..a37f579 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -288,25 +338,31 @@ kernel_signal(gssd_t)
+@@ -288,25 +339,31 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -91463,7 +91706,7 @@ index 2da9fca..a37f579 100644
  ')
  
  optional_policy(`
-@@ -314,9 +370,12 @@ optional_policy(`
+@@ -314,9 +371,12 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5862875..72a0954 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 240%{?dist}
+Release: 241%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,10 @@ exit 0
 %endif
 
 %changelog
+* Tue Feb 21 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-241
+- Remove ganesha from gluster module and create own module for ganesha
+- FIx label for /usr/lib/libGLdispatch.so.0.0.0
+
 * Wed Feb 15 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-240
 - Dontaudit xdm_t wake_alarm capability2
 - Allow systemd_initctl_t to create and connect unix_dgram sockets