diff --git a/SOURCES/rhbz1212658.patch b/SOURCES/rhbz1212658.patch
new file mode 100644
index 0000000..0a72fc8
--- /dev/null
+++ b/SOURCES/rhbz1212658.patch
@@ -0,0 +1,120 @@
+commit 985408d2120252fc68bd8afd0e5425ccf1d75dda
+Author: Qiao Nuohan <qiaonuohan@cn.fujitsu.com>
+Date:   Tue Apr 7 10:06:33 2015 -0500
+
+    Fix failure of signing modules on XFS.
+    
+    * stap-serverd.cxx (mok_dir_valid_p): Call stat() if readdir() returns
+      'DT_UNKNOWN'. Certain filesystems like XFS don't implement returning the
+      file type.
+
+diff --git a/stap-serverd.cxx b/stap-serverd.cxx
+index 40b3c39..de71f10 100644
+--- a/stap-serverd.cxx
++++ b/stap-serverd.cxx
+@@ -370,13 +370,28 @@ mok_dir_valid_p (string mok_fingerprint, bool verbose)
+   struct dirent *direntp;
+   while ((direntp = readdir (dirp)) != NULL)
+     {
+-      if (! priv_found && direntp->d_type == DT_REG
++      bool reg_file = false;
++
++      if (direntp->d_type == DT_REG)
++	reg_file = true;
++      else if (direntp->d_type == DT_UNKNOWN)
++        {
++	  struct stat tmpstat;
++
++	  // If the filesystem doesn't support d_type, we'll have to
++	  // call stat().
++	  stat((mok_dir + "/" + direntp->d_name).c_str (), &tmpstat);
++	  if (S_ISREG(tmpstat.st_mode))
++	      reg_file = true;
++        }
++      
++      if (! priv_found && reg_file
+ 	  && strcmp (direntp->d_name, MOK_PRIVATE_CERT_NAME) == 0)
+         {
+ 	  priv_found = true;
+ 	  continue;
+ 	}
+-      if (! cert_found && direntp->d_type == DT_REG
++      if (! cert_found && reg_file
+ 	  && strcmp (direntp->d_name, MOK_PUBLIC_CERT_NAME) == 0)
+         {
+ 	  cert_found = true;
+
+commit 112095a21f6c18424f7d1f9540d395778e8f79dd
+Author: Qiao Nuohan <qiaonuohan@cn.fujitsu.com>
+Date:   Tue Apr 7 10:33:09 2015 -0500
+
+    Fix another d_type problem on XFS.
+    
+    * stap-serverd.cxx (get_server_mok_fingerprints): Call stat() if readdir()
+      returns 'DT_UNKNOWN'. Certain filesystems like XFS don't implement
+      returning the file type.
+
+diff --git a/stap-serverd.cxx b/stap-serverd.cxx
+index de71f10..eeb32cf 100644
+--- a/stap-serverd.cxx
++++ b/stap-serverd.cxx
+@@ -473,7 +473,19 @@ get_server_mok_fingerprints(vector<string> &mok_fingerprints, bool verbose,
+     {
+       // We're only interested in directories (of key files).
+       if (direntp->d_type != DT_DIR)
+-	continue;
++        {
++          if (direntp->d_type == DT_UNKNOWN)
++            {
++              // If the filesystem doesn't support d_type, we'll have to
++              // call stat().
++              struct stat tmpstat;
++              stat((mok_path + "/" + direntp->d_name).c_str (), &tmpstat);
++              if (!S_ISDIR(tmpstat.st_mode))
++                continue;
++            }
++          else
++            continue;
++        }
+ 
+       // We've got a directory. If the directory name isn't in the right
+       // format for a MOK fingerprint, skip it.
+commit ed64d10fb7def700729cf553c8463f0882f1134a
+Author: David Smith <dsmith@redhat.com>
+Date:   Thu Apr 30 12:56:12 2015 -0500
+
+    Fix PR18361 by supporting RHEL7's 'securelevel' feature.
+    
+    * session.cxx (modules_must_be_signed): Check the
+      '/sys/kernel/security/securelevel' file for the value '1'. If so,
+      modules must be signed.
+
+diff --git a/session.cxx b/session.cxx
+index 3753445..0475d29 100644
+--- a/session.cxx
++++ b/session.cxx
+@@ -2441,16 +2441,24 @@ systemtap_session::parse_stap_color(const std::string& type)
+  * This routine parses /sys/module/module/parameters/sig_enforce to
+  * figure out if signatures are enforced on modules. Note that if the
+  * file doesn't exist, we don't really care and return false.
++ *
++ * On certain kernels (RHEL7), we also have to check
++ * /sys/kernel/security/securelevel.
+  */
+ bool
+ systemtap_session::modules_must_be_signed()
+ {
+   ifstream statm("/sys/module/module/parameters/sig_enforce");
++  ifstream securelevel("/sys/kernel/security/securelevel");
+   char status = 'N';
+ 
+   statm >> status;
+   if (status == 'Y')
+     return true;
++
++  securelevel >> status;
++  if (status == '1')
++    return true;
+   return false;
+ }
+ 
diff --git a/SPECS/systemtap.spec b/SPECS/systemtap.spec
index 50eb89e..b789d05 100644
--- a/SPECS/systemtap.spec
+++ b/SPECS/systemtap.spec
@@ -64,7 +64,7 @@
 
 Name: systemtap
 Version: 2.6
-Release: 8%{?dist}
+Release: 10%{?dist}
 # for version, see also configure.ac
 
 #Patch1: reserved for elfutils (see below)
@@ -76,6 +76,7 @@ Patch6: rhbz1119335.patch
 Patch7: rhbz1127591.patch
 Patch8: rhbz1167652.patch
 Patch9: rhbz1171823.patch
+Patch10: rhbz1212658.patch
 
 
 # Packaging abstract:
@@ -414,6 +415,7 @@ cd ..
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 %build
 
@@ -1045,6 +1047,12 @@ done
 #   http://sourceware.org/systemtap/wiki/SystemTapReleases
 
 %changelog
+* Thu Apr 30 2015 Frank Ch. Eigler <fche@redhat.com> - 2.6-10
+- append upstream PR18361 to xfs & signing patch, to catch up with kernel change
+
+* Tue Apr 28 2015 Frank Ch. Eigler <fche@redhat.com> - 2.6-9
+- rhbz1216230=rhbz1212658 (xfs & signing)
+
 * Wed Dec 10 2014 Frank Ch. Eigler <fche@redhat.com> - 2.6-8
 - rhbz1171823 (nfsd svc_fh access)