diff --git a/psad.spec b/psad.spec
index 5a104cf..bcf8ad6 100644
--- a/psad.spec
+++ b/psad.spec
@@ -1,7 +1,7 @@
 Summary: Port Scan Attack Detector (psad) watches for suspect traffic
 Name: psad
 Version: 2.4.6
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL: https://www.cipherdyne.org/psad/
 Source0: https://www.cipherdyne.org/psad/download/psad-%{version}.tar.bz2
@@ -114,14 +114,25 @@ cat >> $TMPDIR/psad-rpm.cil << __EOF__
 (allow firewalld_t psad_t(dbus (send_msg)))
 (allow psad_t firewalld_t(dbus (send_msg)))
 (allow psad_t journalctl_exec_t(file (execute execute_no_trans map open read)))
+(allow psad_t kernel_t (system (module_request)))
 (allow psad_t psad_var_log_t(file (read rename unlink write)))
+(allow psad_t self (netlink_tcpdiag_socket (bind create setopt)))
 (dontaudit psad_t load_policy_t (dir (getattr search)))
 (dontaudit psad_t load_policy_t (file (open read)))
 (dontaudit psad_t load_policy_t (lnk_file (read)))
 (dontaudit psad_t mandb_t (dir (getattr search)))
 (dontaudit psad_t mandb_t (file (open read)))
+(dontaudit psad_t radvd_exec_t (file (getattr)))
+(dontaudit psad_t rngd_exec_t (file (getattr)))
+(dontaudit psad_t rpcd_exec_t (file (getattr)))
 (dontaudit psad_t self (capability (dac_override sys_ptrace sys_resource)))
 (dontaudit psad_t self (cap_userns (sys_ptrace)))
+(dontaudit psad_t sshd_exec_t (file (getattr)))
+(dontaudit psad_t syslogd_exec_t (file (getattr)))
+(dontaudit psad_t systemd_logind_exec_t (file (getattr)))
+(dontaudit psad_t systemd_machined_exec_t (file (getattr)))
+(dontaudit psad_t udev_exec_t (file (getattr)))
+(dontaudit psad_t virtd_exec_t (file (getattr)))
 (dontaudit psad_t xserver_log_t (dir (search)))
 __EOF__
 %{_sbindir}/semodule -i $TMPDIR/psad-rpm.cil
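Review bot: `(allow psad_t kernel_t (system (module_request)))` lets the psad_t domain ask the kernel to autoload modules, which is a broader grant than anything else in this heredoc, and nothing in the policy text says why it is needed; the rationale lives only in the changelog. A CIL line comment above the rule would keep the grant auditable, e.g. `; ss(8) triggers autoload of the socket-diag kernel module; without module_request the query is denied` (CIL accepts `;` comments). The companion `(allow psad_t self (netlink_tcpdiag_socket (bind create setopt)))` covers only the setup side of the netlink exchange and not read/nlmsg_read; if the base psad policy module does not already grant those, ss would still be denied once the query is answered, so it is worth confirming on an installed system with `ausearch -m AVC -c ss` before relying on the fix. The heredoc this hunk edits starts before the hunk (its `cat >>` line appears only in the hunk header).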
@@ -138,28 +149,6 @@ if [ $1 -eq 0 ]; then
 %{_sbindir}/semodule -r psad-rpm > /dev/null || :
 fi
 
-# remove once all releases are shipping 2.4.5+
-%triggerpostun -- psad < 2.4.5
-TMPDIR=$(%{_bindir}/mktemp -d)
-cat >> $TMPDIR/psad-rpm.cil << __EOF__
-(allow firewalld_t psad_t(dbus (send_msg)))
-(allow psad_t firewalld_t(dbus (send_msg)))
-(allow psad_t journalctl_exec_t(file (execute execute_no_trans map open read)))
-(allow psad_t psad_var_log_t(file (read rename unlink write)))
-(dontaudit psad_t load_policy_t (dir (getattr search)))
-(dontaudit psad_t load_policy_t (file (open read)))
-(dontaudit psad_t load_policy_t (lnk_file (read)))
-(dontaudit psad_t mandb_t (dir (getattr search)))
-(dontaudit psad_t mandb_t (file (open read)))
-(dontaudit psad_t self (capability (dac_override sys_ptrace sys_resource)))
-(dontaudit psad_t self (cap_userns (sys_ptrace)))
-(dontaudit psad_t xserver_log_t (dir (search)))
-__EOF__
-%{_sbindir}/semodule -i $TMPDIR/psad-rpm.cil
-rm -rf $TMPDIR
-%systemd_post psad.service
-exit 0
-
 %files
 %license LICENSE
 %doc doc/BENCHMARK ChangeLog CREDITS doc/FW_EXAMPLE_RULES README.md doc/README.SYSLOG doc/SCAN_LOG
@@ -193,6 +182,12 @@ exit 0
 %ghost %attr(0700,root,root) /var/run/%{name}/psad.cmd
 
 %changelog
+* Wed Dec 04 2019 Dominik Mierzejewski - 2.4.6-5
+- fix netlink_tcpdiag_socket AVC denials
+- allow ss command to trigger kernel module loads
+- silence more getattr AVC denials
+- drop obsolete triggerpostun
+
 * Fri Jul 26 2019 Fedora Release Engineering - 2.4.6-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild