diff --git a/SOURCES/glusterd-snapshot-creation-fdc66.patch b/SOURCES/glusterd-snapshot-creation-fdc66.patch
new file mode 100644
index 0000000..ce7a3c6
--- /dev/null
+++ b/SOURCES/glusterd-snapshot-creation-fdc66.patch
@@ -0,0 +1,29 @@
+diff --git a/glusterd.te b/glusterd.te
+index 48811e2..d2a1ba9 100644
+--- a/glusterd.te
++++ b/glusterd.te
+@@ -59,7 +59,7 @@ files_type(glusterd_brick_t)
+ # Local policy
+ #
+ 
+-allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
+ 
+ allow glusterd_t self:capability2 block_suspend;
+ allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+@@ -155,6 +155,7 @@ corenet_tcp_connect_all_ports(glusterd_t)
+ dev_read_sysfs(glusterd_t)
+ dev_read_urand(glusterd_t)
+ dev_read_rand(glusterd_t)
++dev_rw_infiniband_dev(glusterd_t)
+ 
+ domain_read_all_domains_state(glusterd_t)
+ domain_getattr_all_sockets(glusterd_t)
+@@ -164,6 +165,7 @@ domain_use_interactive_fds(glusterd_t)
+ fs_mount_all_fs(glusterd_t)
+ fs_unmount_all_fs(glusterd_t)
+ fs_getattr_all_fs(glusterd_t)
++fs_getattr_all_dirs(glusterd_t)
+ 
+ files_mounton_non_security(glusterd_t)
+ 
diff --git a/SOURCES/policy-rhel-7.3-base.patch b/SOURCES/policy-rhel-7.3-base.patch
index 39fb90f..bbf81c4 100644
--- a/SOURCES/policy-rhel-7.3-base.patch
+++ b/SOURCES/policy-rhel-7.3-base.patch
@@ -42755,7 +42755,7 @@ index d43f3b1..c5053db 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..f496e60 100644
+index 3822072..cce3055 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -43235,7 +43235,33 @@ index 3822072..f496e60 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete the default_contexts files.
-@@ -784,7 +1146,9 @@ interface(`seutil_read_file_contexts',`
+@@ -768,6 +1130,25 @@ interface(`seutil_manage_default_contexts',`
+ 
+ ########################################
+ ## <summary>
++##	Create, read, write, and delete the default_contexts dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_manage_default_contexts_dirs',`
++	gen_require(`
++		type selinux_config_t, default_context_t;
++	')
++
++	files_search_etc($1)
++	manage_dirs_pattern($1, default_context_t, default_context_t)
++')
++
++########################################
++## <summary>
+ ##	Read the file_contexts files.
+ ## </summary>
+ ## <param name="domain">
+@@ -784,7 +1165,9 @@ interface(`seutil_read_file_contexts',`
  
  	files_search_etc($1)
  	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
@@ -43245,7 +43271,7 @@ index 3822072..f496e60 100644
  ')
  
  ########################################
-@@ -846,6 +1210,7 @@ interface(`seutil_manage_file_contexts',`
+@@ -846,6 +1229,7 @@ interface(`seutil_manage_file_contexts',`
  	files_search_etc($1)
  	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
  	manage_files_pattern($1, file_context_t, file_context_t)
@@ -43253,7 +43279,7 @@ index 3822072..f496e60 100644
  ')
  
  ########################################
-@@ -999,6 +1364,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1383,26 @@ interface(`seutil_domtrans_semanage',`
  
  ########################################
  ## <summary>
@@ -43280,7 +43306,7 @@ index 3822072..f496e60 100644
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1017,11 +1402,105 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1421,105 @@ interface(`seutil_domtrans_semanage',`
  #
  interface(`seutil_run_semanage',`
  	gen_require(`
@@ -43388,7 +43414,7 @@ index 3822072..f496e60 100644
  ')
  
  ########################################
-@@ -1041,9 +1520,15 @@ interface(`seutil_manage_module_store',`
+@@ -1041,9 +1539,15 @@ interface(`seutil_manage_module_store',`
  	')
  
  	files_search_etc($1)
@@ -43404,7 +43430,7 @@ index 3822072..f496e60 100644
  ')
  
  #######################################
-@@ -1067,6 +1552,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1571,24 @@ interface(`seutil_get_semanage_read_lock',`
  
  #######################################
  ## <summary>
@@ -43429,7 +43455,7 @@ index 3822072..f496e60 100644
  ##	Get trans lock on module store
  ## </summary>
  ## <param name="domain">
-@@ -1137,3 +1640,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1659,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
diff --git a/SOURCES/policy-rhel-7.3-contrib.patch b/SOURCES/policy-rhel-7.3-contrib.patch
index cb7780d..f5c2ff7 100644
--- a/SOURCES/policy-rhel-7.3-contrib.patch
+++ b/SOURCES/policy-rhel-7.3-contrib.patch
@@ -103539,7 +103539,7 @@ index a240455..04419ae 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..694c12d 100644
+index 2d8db1f..87e70a6 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t)
@@ -103649,7 +103649,7 @@ index 2d8db1f..694c12d 100644
  
  init_read_utmp(sssd_t)
  
-@@ -112,18 +124,59 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +124,60 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -103708,6 +103708,7 @@ index 2d8db1f..694c12d 100644
 +seutil_manage_config(sssd_selinux_manager_t)
 +seutil_manage_login_config(sssd_selinux_manager_t)
 +seutil_manage_default_contexts(sssd_selinux_manager_t)
++seutil_manage_default_contexts_dirs(sssd_selinux_manager_t)
 +
 +seutil_exec_setfiles(sssd_selinux_manager_t)
 +logging_dontaudit_search_audit_logs(sssd_selinux_manager_t)
diff --git a/SOURCES/selinux-policy-migrate-local-changes.sh b/SOURCES/selinux-policy-migrate-local-changes.sh
new file mode 100755
index 0000000..6ccf3f0
--- /dev/null
+++ b/SOURCES/selinux-policy-migrate-local-changes.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+#===============================================================================
+#
+#          FILE: selinux-policy-migrate-local-changes.sh
+# 
+#         USAGE: ./selinux-policy-migrate-local-changes.sh <POLICYTYPE>
+# 
+#   DESCRIPTION: This script migrates local changes from pre-2.4 SELinux modules
+#                store structure to the new structure
+# 
+#        AUTHOR: Petr Lautrbach <plautrba@redhat.com>
+#===============================================================================
+
+if [ ! -f /etc/selinux/config ]; then
+    SELINUXTYPE=none
+else
+    source /etc/selinux/config
+fi
+
+REBUILD=0
+MIGRATE_SELINUXTYPE=$1
+
+for local in booleans.local file_contexts.local ports.local users_extra.local users.local; do
+    if [ -e /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/$local ]; then
+        REBUILD=1
+        cp -v --preserve=mode,ownership,timestamps,links /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/$local /etc/selinux/$MIGRATE_SELINUXTYPE/active/$local
+    fi
+done
+if [ -e /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/seusers ]; then
+    REBUILD=1
+    cp -v --preserve=mode,ownership,timestamps,links /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/seusers /etc/selinux/$MIGRATE_SELINUXTYPE/active/seusers.local
+fi
+
+INSTALL_MODULES=""
+for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*disabled 2> /dev/null`; do
+    module=`basename $i | sed 's/\.pp\.disabled$//'`
+    if [ -d /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/100/$module ]; then
+        touch /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/disabled/$module
+    fi
+done
+for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*.pp 2> /dev/null`; do
+    module=`basename $i | sed 's/\.pp$//'`
+    if [ ! -d /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/100/$module ]; then
+        INSTALL_MODULES="${INSTALL_MODULES} $i"
+    fi
+done
+if [ -n "$INSTALL_MODULES" ]; then
+    semodule -s $MIGRATE_SELINUXTYPE -n -X 400 -i $INSTALL_MODULES
+    REBUILD=1
+fi
+
+cat > /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/README.migrated <<EOF
+Your old modules store and local changes were migrated to the new structure in
+in the following directory:
+
+/etc/selinux/$MIGRATE_SELINUXTYPE/active
+
+WARNING: Do not remove this file or remove /etc/selinux/$MIGRATE_SELINUXTYPE/modules
+completely if you are confident that you don't need old files anymore.
+EOF
+
+if [ $REBUILD = 1 ]; then
+    semodule -B -n -s $MIGRATE_SELINUXTYPE
+    if [ "$MIGRATE_SELINUXTYPE" = "$SELINUXTYPE" ] && selinuxenabled; then
+        load_policy
+        semanage export | semanage import
+    fi
+fi
diff --git a/SOURCES/selinux-policy-migrate-local-changes@.service b/SOURCES/selinux-policy-migrate-local-changes@.service
new file mode 100644
index 0000000..eeb326b
--- /dev/null
+++ b/SOURCES/selinux-policy-migrate-local-changes@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Migrate local SELinux policy changes from the old store structure to the new structure
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=selinux
+ConditionPathExists=/etc/selinux/%I/modules
+ConditionPathExists=!/etc/selinux/%I/modules/active/README.migrated
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-policy-migrate-local-changes.sh %I
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 14a1e7b..659ab13 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 102%{?dist}
+Release: 102%{?dist}.4
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -28,6 +28,7 @@ patch: policy-rhel-7.1-base.patch
 patch1: policy-rhel-7.1-contrib.patch
 patch2: policy-rhel-7.3-base.patch
 patch3: policy-rhel-7.3-contrib.patch
+patch4: glusterd-snapshot-creation-fdc66.patch
 Source1: modules-targeted-base.conf 
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -56,6 +57,10 @@ Source30: booleans.subs_dist
 
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
+# Migrate local SELinux policy changes on first boot after update to new userspace
+# This is needed for systems which doesn't use rpm for updates
+Source110: selinux-policy-migrate-local-changes.sh
+Source111: selinux-policy-migrate-local-changes@.service
 
 Url: http://oss.tresys.com/repos/refpolicy/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -241,7 +246,12 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
+%{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh \
+%{_unitdir}/selinux-policy-migrate-local-changes@.service \
+%{_unitdir}/basic.target.wants/selinux-policy-migrate-local-changes@%1.service \
+%nil
+
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
@@ -306,36 +316,13 @@ if [ %1 != "mls" ];then \
     echo "%ghost /etc/selinux/%1/modules/active/modules/docker.pp" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
 fi;
 
-%define migrateStoreUpdateLocalChanges() \
-for local in booleans.local file_contexts.local ports.local users_extra.local users.local; do \
-    if [ -e /etc/selinux/%1/modules/active/$local ]; then \
-        touch /etc/selinux/%1/.rebuild \
-        install -D /etc/selinux/%1/modules/active/$local /etc/selinux/%1/active/$local \
-    fi \
-done \
-if [ -e /etc/selinux/%1/modules/active/seusers ]; then \
-    touch /etc/selinux/%1/.rebuild \
-    install -D /etc/selinux/%1/modules/active/seusers /etc/selinux/%1/active/seusers.local \
-fi;
-
-%define migrateStoreUpdateLocalPackages() \
-INSTALL_MODULES="" \
-for i in `find /etc/selinux/%1/modules/active/modules/ -name \*disabled 2> /dev/null`; do \
-    module=`basename $i | sed 's/\.pp\.disabled$//'` \
-    if [ -d /etc/selinux/%1/active/modules/100/$module ]; then \
-        touch /etc/selinux/%1/active/modules/disabled/$module \
-    fi \
-done \
-for i in `find /etc/selinux/%1/modules/active/modules/ -name \*.pp 2> /dev/null`; do \
-    module=`basename $i | sed 's/\.pp$//'` \
-    if [ ! -d /etc/selinux/%1/active/modules/100/$module ]; then \
-        INSTALL_MODULES="${INSTALL_MODULES} $i" \
-    fi \
-done \
-if [ -n "$INSTALL_MODULES" ]; then \
-    semodule -s %1 -n -X 400 -i $INSTALL_MODULES \
-    touch /etc/selinux/%1/.rebuild \
-fi;
+%define installMigrateLocalChangesFiles() \
+mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
+install -p -m 755 %{SOURCE110} %{buildroot}/%{_libexecdir}/selinux/ \
+mkdir   -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/ \
+install -m 644 -p %{SOURCE111} %{buildroot}/%{_unitdir}/ \
+ln -s ../selinux-policy-migrate-local-changes@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-policy-migrate-local-changes@%1.service \
+%nil
 
 %description
 SELinux Reference Policy - modular.
@@ -346,6 +333,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch3 -p1
+%patch4 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch2 -p1
@@ -393,6 +381,8 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
 mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
 %modulesList targeted 
 %nonBaseModulesList targeted
+%installMigrateLocalChangesFiles targeted
+
 %endif
 
 %if %{BUILD_MINIMUM}
@@ -407,6 +397,7 @@ rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox
 rm -rf %{buildroot}%{_sysconfdir}/selinux/minimum/active/modules/100/sandbox
 %modulesList minimum
 %nonBaseModulesList minimum
+%installMigrateLocalChangesFiles minimum
 %endif
 
 %if %{BUILD_MLS}
@@ -416,6 +407,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/minimum/active/modules/100/sandbox
 %installCmds mls mls n deny
 %modulesList mls
 %nonBaseModulesList mls
+%installMigrateLocalChangesFiles mls
 %endif
 
 mkdir -p %{buildroot}%{_mandir}
@@ -507,8 +499,7 @@ SELinux Reference policy targeted base module.
 
 %post targeted
 if [ -e /etc/selinux/targeted/modules/active/base.pp ]; then
-    %migrateStoreUpdateLocalChanges targeted
-    %migrateStoreUpdateLocalPackages targeted
+    %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh targeted
 fi
 %postInstall $1 targeted
 exit 0
@@ -555,8 +546,7 @@ fi
 
 %post minimum
 if [ -e /etc/selinux/minimum/modules/active/base.pp ]; then
-    %migrateStoreUpdateLocalChanges minimum
-    %migrateStoreUpdateLocalPackages minimum
+    %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh minimum
 fi
 contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
 basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
@@ -629,8 +619,7 @@ SELinux Reference policy mls base module.
 
 %post mls 
 if [ -e /etc/selinux/mls/modules/active/base.pp ]; then
-    %migrateStoreUpdateLocalChanges mls
-    %migrateStoreUpdateLocalPackages mls
+    %{_libexecdir}/selinux/selinux-policy-migrate-local-changes.sh mls
 fi
 %postInstall $1 mls
 
@@ -646,6 +635,24 @@ fi
 %endif
 
 %changelog
+* Wed Oct 19 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-102.4
+- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
+Resolves:#1386620
+- Allow glusterd to get attributes on /sys/kernel/config directory.
+Resolves:#1386621
+
+* Wed Oct 12 2016 Petr Lautrbach <plautrba@redhat.com> - 3.13.1-102.3
+- Use selinux-policy-migrate-local-changes.sh instead of migrateStore* macros
+Resolves: rhbz#1383450
+- Add selinux-policy-migrate-local-changes service
+Resolves: rhbz#1383450
+
+* Fri Sep 30 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-102.1
+- Allow sssd_selinux_manager_t to manage also dir class.
+Resolves: rhbz#1380687
+- Add interface seutil_manage_default_contexts_dirs()
+Resolves: rhbz#1380687
+
 * Tue Sep 27 2016 Dan Walsh <dwalsh@redhat.com> - 3.13.1-102
 - Add virt_sandbox_use_nfs -> virt_use_nfs boolean substitution.
 Resolves: rhbz#1355783