diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b9c8b31..38ad120 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -27255,7 +27255,7 @@ index 2479587..890e1e2 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..9e85ea0 100644 +index 3efd5b6..f645c21 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -27317,7 +27317,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -95,69 +117,67 @@ interface(`auth_use_pam',` +@@ -95,69 +117,68 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -27375,6 +27375,7 @@ index 3efd5b6..9e85ea0 100644 mls_file_downgrade($1) mls_process_set_level($1) + mls_process_write_to_clearance($1) ++ mls_process_write_all_levels($1) mls_fd_share_all_levels($1) auth_use_pam($1) @@ -27426,7 +27427,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',` +@@ -231,6 +252,25 @@ interface(`auth_domtrans_login_program',` ######################################## ## @@ -27452,7 +27453,7 @@ index 3efd5b6..9e85ea0 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -322,6 +361,24 @@ interface(`auth_rw_cache',` +@@ -322,6 +362,24 @@ interface(`auth_rw_cache',` ######################################## ## @@ -27477,7 +27478,7 @@ index 3efd5b6..9e85ea0 100644 ## Manage authentication cache ## ## -@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') 
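Review bot: The added `mls_process_write_all_levels($1)` in the `@@ -27375,6 +27375,7 @@` hunk gives every caller of what appears to be `auth_login_pgm_domain` the MLS write override for processes at any level. It sits directly after `mls_process_write_to_clearance($1)`, which it appears to make redundant. Nothing in the hunk says which login program needs to write above its clearance, so the grant is hard to audit later on an MLS system. I would add a comment above the line such as `# <denial or bug reference>: login programs must write to processes above their own clearance`, and either drop the write_to_clearance call or state why both stay. The interface body starts and ends outside this hunk, so the enclosing interface name is inferred from the earlier context lines.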
@@ -27486,7 +27487,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',` +@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',` ######################################## ## @@ -27511,7 +27512,7 @@ index 3efd5b6..9e85ea0 100644 ## Execute chkpwd programs in the chkpwd domain. ## ## -@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -27537,7 +27538,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -27545,7 +27546,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +760,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -27556,7 +27557,7 @@ index 3efd5b6..9e85ea0 100644 ') ####################################### -@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +863,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -27608,7 +27609,7 @@ index 3efd5b6..9e85ea0 100644 ') ####################################### -@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +967,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -27639,7 +27640,7 @@ index 3efd5b6..9e85ea0 100644 ## ## ## -@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +997,27 @@ interface(`auth_rw_lastlog',` ## ## # 
@@ -27670,7 +27671,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1032,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -27689,7 +27690,7 @@ index 3efd5b6..9e85ea0 100644 ## ## ## -@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1053,33 @@ interface(`auth_signal_pam',` ## ## # @@ -27727,7 +27728,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1157,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -27761,7 +27762,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1259,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -27772,7 +27773,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1399,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -27780,7 +27781,7 @@ index 3efd5b6..9e85ea0 100644 ') ####################################### -@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1800,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -27806,7 +27807,7 @@ index 3efd5b6..9e85ea0 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1969,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; 
@@ -27832,7 +27833,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1993,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -27849,7 +27850,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',` +@@ -1805,3 +2033,280 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -37269,7 +37270,7 @@ index d43f3b1..870bc36 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..1b9a765 100644 +index 3822072..929107c 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -37289,7 +37290,7 @@ index 3822072..1b9a765 100644 + type load_policy_exec_t; + ') + -+ allow $1 load_policy_exec_t:file audit_access; ++ allow $1 load_policy_exec_t:file execute; +') + +######################################## @@ -37486,7 +37487,7 @@ index 3822072..1b9a765 100644 + type setfiles_exec_t; + ') + -+ allow $1 setfiles_exec_t:file audit_access; ++ allow $1 setfiles_exec_t:file execute; +') + +######################################## 
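Review bot: In the `@@ -37289,7 +37290,7 @@` hunk the rule becomes `allow $1 load_policy_exec_t:file execute;`, and the `@@ -37486,7 +37487,7 @@` hunk does the same for `setfiles_exec_t`, so interfaces that look like access-check helpers now grant a real permission on the policy-loading and relabeling binaries. As far as I know `audit_access` only has an effect in dontaudit rules, so the old allow was effectively a no-op and this is a new grant rather than a like-for-like swap. The interface summary should say that, for example `## Allow the execute permission on load_policy so access(X_OK) succeeds; no transition or execute_no_trans is granted`. The interface headers lie outside both hunks; the seutil_access_check_* names are inferred from the calls removed from sssd.te later in this diff, and any remaining callers should be checked.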
@@ -37863,28 +37864,10 @@ index 3822072..1b9a765 100644 ') ####################################### -@@ -1067,6 +1512,42 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1512,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## -+## Allow access check on module store -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`seutil_access_check_semanage_read_lock',` -+ gen_require(` -+ type semanage_read_lock_t; -+ ') -+ -+ allow $1 semanage_read_lock_t:file audit_access; -+') -+ -+####################################### -+## +## Dontaudit access check on module store +## +## @@ -37898,7 +37881,7 @@ index 3822072..1b9a765 100644 + type semanage_read_lock_t; + ') + -+ dontaudit $1 semanage_read_lock_t:file audit_access; ++ dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access; +') + +####################################### @@ -37906,7 +37889,7 @@ index 3822072..1b9a765 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1600,122 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3f12b14..b12d4b0 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -21620,7 +21620,7 @@ index 62d22cb..f8ab4af 100644 + files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') diff --git a/dbus.te b/dbus.te -index c9998c8..94ff984 100644 +index c9998c8..011faba 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` 
@@ -21744,7 +21744,7 @@ index c9998c8..94ff984 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +122,165 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +122,166 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -21753,6 +21753,7 @@ index c9998c8..94ff984 100644 +corecmd_read_bin_sockets(system_dbusd_t) +# needed for system-tools-backends +corecmd_exec_shell(system_dbusd_t) ++corecmd_exec_bin(system_dbusd_t) + +domain_use_interactive_fds(system_dbusd_t) +domain_read_all_domains_state(system_dbusd_t) @@ -21924,7 +21925,7 @@ index c9998c8..94ff984 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +289,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +290,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -21949,7 +21950,7 @@ index c9998c8..94ff984 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +308,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +309,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -21957,7 +21958,7 @@ index c9998c8..94ff984 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +317,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +318,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -21999,7 +22000,7 @@ index c9998c8..94ff984 100644 ') ######################################## -@@ -244,5 +354,9 @@ optional_policy(` +@@ -244,5 +355,9 @@ optional_policy(` # Unconfined access to this module # 
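Review bot: `corecmd_exec_bin(system_dbusd_t)` in the `@@ -21753,6 +21753,7 @@` hunk is added directly under the `# needed for system-tools-backends` comment that belongs to `corecmd_exec_shell`. It therefore reads as covered by that justification, which the hunk does not confirm. The call lets the system bus daemon run bin_t programs in its own domain, so it deserves a stated reason of its own. I would add `# <service or denial reference>: dbus-daemon runs helpers labeled bin_t` above the new line, or separate it from the existing comment with a blank line if that comment does not apply.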
@@ -30267,10 +30268,10 @@ index c21a528..a746a2b 100644 /var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) diff --git a/glance.if b/glance.if -index 9eacb2c..2f3fa34 100644 +index 9eacb2c..7b19ad2 100644 --- a/glance.if +++ b/glance.if -@@ -1,5 +1,36 @@ +@@ -1,5 +1,38 @@ ## OpenStack image registry and delivery service. +####################################### @@ -30302,12 +30303,14 @@ index 9eacb2c..2f3fa34 100644 + + logging_send_syslog_msg($1_t) + ++ auth_use_nsswitch($1_t) ++ +') + ######################################## ## ## Execute a domain transition to -@@ -26,9 +57,9 @@ interface(`glance_domtrans_registry',` +@@ -26,9 +59,9 @@ interface(`glance_domtrans_registry',` ## run glance api. ## ## @@ -30319,7 +30322,7 @@ index 9eacb2c..2f3fa34 100644 ## # interface(`glance_domtrans_api',` -@@ -242,8 +273,13 @@ interface(`glance_admin',` +@@ -242,8 +275,13 @@ interface(`glance_admin',` type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; ') @@ -39451,7 +39454,7 @@ index f6c00d8..7b777ab 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..534f815 100644 +index 8833d59..61910d0 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -39774,8 +39777,12 @@ index 8833d59..534f815 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,26 +341,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -301,27 +339,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) + manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) + files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) ++kernel_read_system_state(kpropd_t) ++ corecmd_exec_bin(kpropd_t) -corenet_all_recvfrom_unlabeled(kpropd_t) 
@@ -39795,13 +39802,14 @@ index 8833d59..534f815 100644 selinux_validate_context(kpropd_t) - logging_send_syslog_msg(kpropd_t) +-logging_send_syslog_msg(kpropd_t) ++auth_use_nsswitch(kpropd_t) -miscfiles_read_localization(kpropd_t) -- ++logging_send_syslog_msg(kpropd_t) + seutil_read_file_contexts(kpropd_t) - sysnet_dns_name_resolve(kpropd_t) diff --git a/kerneloops.if b/kerneloops.if index 714448f..fa0c994 100644 --- a/kerneloops.if @@ -42048,10 +42056,10 @@ index 0000000..236707b + diff --git a/linuxptp.te b/linuxptp.te new file mode 100644 -index 0000000..affa9bd +index 0000000..15aea48 --- /dev/null +++ b/linuxptp.te -@@ -0,0 +1,173 @@ +@@ -0,0 +1,172 @@ +policy_module(linuxptp, 1.0.0) + + @@ -42224,7 +42232,6 @@ index 0000000..affa9bd +optional_policy(` + gpsd_rw_shm(ptp4l_t) +') -+ diff --git a/lircd.if b/lircd.if index dff21a7..b6981c8 100644 --- a/lircd.if @@ -54533,7 +54540,7 @@ index 94b9734..448a7e8 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29d..1cd0d0e 100644 +index 86dc29d..98fdac1 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -54757,7 +54764,7 @@ index 86dc29d..1cd0d0e 100644 ## ## ## -@@ -241,13 +306,13 @@ interface(`networkmanager_append_log_files',` +@@ -241,13 +306,32 @@ interface(`networkmanager_append_log_files',` ## ## # 
@@ -54770,10 +54777,29 @@ index 86dc29d..1cd0d0e 100644 files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; + manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ++') ++ ++######################################## ++## ++## Manage NetworkManager PID sock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_manage_pid_sock_files',` ++ gen_require(` ++ type NetworkManager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') #################################### -@@ -272,14 +337,33 @@ interface(`networkmanager_stream_connect',` +@@ -272,14 +356,33 @@ interface(`networkmanager_stream_connect',` ######################################## ## @@ -54809,7 +54835,7 @@ index 86dc29d..1cd0d0e 100644 ## ## ## Role allowed access. -@@ -287,33 +371,132 @@ interface(`networkmanager_stream_connect',` +@@ -287,33 +390,132 @@ interface(`networkmanager_stream_connect',` ## ## # @@ -61915,7 +61941,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..ba34f72 100644 +index 63957a3..57fbf6d 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) @@ -62040,7 +62066,7 @@ index 63957a3..ba34f72 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -164,10 +188,19 @@ tunable_policy(`openvpn_can_network_connect',` +@@ -164,10 +188,20 @@ tunable_policy(`openvpn_can_network_connect',` ') optional_policy(` 
@@ -62054,13 +62080,14 @@ index 63957a3..ba34f72 100644 optional_policy(` + networkmanager_stream_connect(openvpn_t) + networkmanager_manage_pid_files(openvpn_t) ++ networkmanager_manage_pid_sock_files(openvpn_t) +') + +optional_policy(` dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) -@@ -175,3 +208,27 @@ optional_policy(` +@@ -175,3 +209,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -73549,10 +73576,10 @@ index 6643b49..dd0c3d3 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..cad91e2 100644 +index d68e26d..d2c4d2a 100644 --- a/puppet.fc +++ b/puppet.fc -@@ -1,18 +1,20 @@ +@@ -1,18 +1,21 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) @@ -73567,6 +73594,7 @@ index d68e26d..cad91e2 100644 +#helper scripts +/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) ++/usr/bin/start-puppet-ca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) @@ -85814,7 +85842,7 @@ index ef3b225..d248cd3 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rpm.te b/rpm.te -index 6fc360e..1abda8b 100644 +index 6fc360e..15fcd26 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -86156,7 +86184,7 @@ index 6fc360e..1abda8b 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,30 +331,52 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,30 +331,53 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) 
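Review bot: `networkmanager_manage_pid_sock_files(openvpn_t)` in the `@@ -62054,13 +62080,14 @@` hunk lets openvpn_t create, rename and unlink every socket labeled NetworkManager_var_run_t, and the file contexts shown earlier in this diff give `/var/run/wpa_supplicant(/.*)?` that same type. The changelog entry describes NetworkManager managing openvpn's socket files, which is the opposite direction from this grant. If openvpn only needs its own socket under /var/run/NetworkManager, a dedicated type with a named file transition would be narrower than manage on the shared type. At minimum I would add `# openvpn creates its socket under /var/run/NetworkManager with NM labeling; type is shared with wpa_supplicant sockets` above the call so the breadth is visible to the next reader.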
@@ -86186,6 +86214,7 @@ index 6fc360e..1abda8b 100644 +init_disable_services(rpm_script_t) +init_enable_services(rpm_script_t) +init_reload_services(rpm_script_t) ++init_manage_transient_unit(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) @@ -86218,7 +86247,7 @@ index 6fc360e..1abda8b 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +385,69 @@ ifdef(`distro_redhat',` +@@ -363,41 +386,69 @@ ifdef(`distro_redhat',` ') ') @@ -86299,7 +86328,7 @@ index 6fc360e..1abda8b 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +459,6 @@ optional_policy(` +@@ -409,6 +460,6 @@ optional_policy(` ') optional_policy(` @@ -97492,7 +97521,7 @@ index a240455..f4d8c79 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..dbb5dd6 100644 +index 2d8db1f..fe72f8e 100644 --- a/sssd.te +++ b/sssd.te @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) @@ -97550,7 +97579,7 @@ index 2d8db1f..dbb5dd6 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +79,36 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +79,34 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -97571,11 +97600,9 @@ index 2d8db1f..dbb5dd6 100644 +seutil_rw_login_config_dirs(sssd_t) +seutil_manage_login_config_files(sssd_t) + -+seutil_access_check_module_store(sssd_t) -+ -+seutil_access_check_load_policy(sssd_t) -+seutil_access_check_setfiles(sssd_t) -+seutil_access_check_semanage_read_lock(sssd_t) ++seutil_dontaudit_access_check_load_policy(sssd_t) ++seutil_dontaudit_access_check_setfiles(sssd_t) ++seutil_dontaudit_access_check_semanage_read_lock(sssd_t) mls_file_read_to_clearance(sssd_t) mls_socket_read_to_clearance(sssd_t) @@ -97591,7 +97618,7 @@ index 2d8db1f..dbb5dd6 100644 init_read_utmp(sssd_t) -@@ -112,18 +116,36 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +114,36 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 8aef00c..690ebbb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 94%{?dist} +Release: 95%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -604,6 +604,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Nov 19 2014 Lukas Vrabec 3.13.1-95 +- Allow networkmanager manage also openvpn sock pid files. + * Wed Nov 19 2014 Lukas Vrabec 3.13.1-94 - Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling. - Allow sendmail to create dead.letter. BZ(1165443)