diff --git a/policy-f23-base.patch b/policy-f23-base.patch index b9a8050..3b4fe09 100644 --- a/policy-f23-base.patch +++ b/policy-f23-base.patch @@ -2112,7 +2112,7 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..a777e72 100644 +index 03ec5ca..48ab7f8 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -58,6 +58,7 @@ template(`su_restricted_domain_template', ` @@ -2162,7 +2162,7 @@ index 03ec5ca..a777e72 100644 allow $1_su_t $3:key search; # Transition from the user domain to this domain. -@@ -194,125 +182,12 @@ template(`su_role_template',` +@@ -194,125 +182,16 @@ template(`su_role_template',` allow $3 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) @@ -2174,7 +2174,7 @@ index 03ec5ca..a777e72 100644 - dev_read_urand($1_su_t) - - fs_search_auto_mountpoints($1_su_t) - +- - # needed for pam_rootok - selinux_compute_access_vector($1_su_t) - @@ -2184,9 +2184,11 @@ index 03ec5ca..a777e72 100644 - auth_rw_faillog($1_su_t) - - corecmd_search_bin($1_su_t) -- ++ kernel_dontaudit_getattr_core_if($1_su_t) + - domain_use_interactive_fds($1_su_t) -- ++ auth_use_pam($1_su_t) + - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) @@ -2195,12 +2197,12 @@ index 03ec5ca..a777e72 100644 - init_dontaudit_use_fds($1_su_t) - # Write to utmp. - init_rw_utmp($1_su_t) -+ auth_use_pam($1_su_t) ++ init_dontaudit_getattr_initctl($1_su_t) mls_file_write_all_levels($1_su_t) logging_send_syslog_msg($1_su_t) -- + - miscfiles_read_localization($1_su_t) - - userdom_use_user_terminals($1_su_t) @@ -3475,7 +3477,7 @@ index 7590165..d81185e 100644 + fs_mounton_fusefs(seunshare_domain) ') 
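Review bot: The two dontaudit interfaces added to $1_su_t in the su_role_template hunk, `kernel_dontaudit_getattr_core_if($1_su_t)` and `init_dontaudit_getattr_initctl($1_su_t)`, carry no comment saying which su code path stats the kernel core interfaces or /dev/initctl, so a later reader cannot tell whether the silenced denial was harmless noise or a sign that su touches something it should not. Silencing getattr on a privileged setuid domain is a reasonable choice, but it should be recorded next to the rules, e.g. `# dontaudit getattr noise on /proc core interfaces and /dev/initctl — harmless; see the AVC that prompted it`. The replacement of the explicit PAM/utmp/faillog rules by `auth_use_pam($1_su_t)` is pre-existing in this patch and only reordered here, so it is not re-raised. su_role_template starts and ends outside this hunk.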
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..b94f32f 100644 +index 33e0f8d..4b14465 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3532,7 +3534,7 @@ index 33e0f8d..b94f32f 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -101,8 +118,6 @@ ifdef(`distro_redhat',` +@@ -101,11 +118,8 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -3540,8 +3542,11 @@ index 33e0f8d..b94f32f 100644 - /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -116,6 +131,9 @@ ifdef(`distro_redhat',` +-/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) + +@@ -116,6 +130,9 @@ ifdef(`distro_redhat',` /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3551,7 +3556,7 @@ index 33e0f8d..b94f32f 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -135,10 +153,12 @@ ifdef(`distro_debian',` +@@ -135,10 +152,12 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3565,7 +3570,7 @@ index 33e0f8d..b94f32f 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',` +@@ -149,10 +168,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3579,7 +3584,7 @@ index 33e0f8d..b94f32f 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +189,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3587,7 +3592,7 @@ index 33e0f8d..b94f32f 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',` +@@ -179,34 +201,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3647,7 +3652,7 @@ index 33e0f8d..b94f32f 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',` +@@ -218,19 +256,32 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3687,7 +3692,7 @@ index 33e0f8d..b94f32f 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',` +@@ -245,26 +296,40 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3733,7 +3738,7 @@ index 33e0f8d..b94f32f 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',` +@@ -280,10 +345,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -3748,7 +3753,7 @@ index 33e0f8d..b94f32f 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +367,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3773,7 +3778,7 @@ index 33e0f8d..b94f32f 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +401,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +400,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3802,7 +3807,7 @@ index 33e0f8d..b94f32f 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +429,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +428,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -3810,7 +3815,7 @@ index 33e0f8d..b94f32f 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,17 +471,34 @@ ifdef(`distro_suse', ` +@@ -387,17 +470,34 @@ ifdef(`distro_suse', ` # # /var # @@ -5689,7 +5694,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..e3122b4 100644 +index b191055..e4b4e8d 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
@@ -5927,7 +5932,7 @@ index b191055..e3122b4 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +238,128 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +238,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5978,6 +5983,7 @@ index b191055..e3122b4 100644 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) +network_port(preupgrade, tcp, 8099, s0) network_port(printer, tcp,515,s0) ++network_port(prosody, tcp,5280-5281,s0) network_port(ptal, tcp,5703,s0) -network_port(pulseaudio, tcp,4713,s0) +network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) @@ -6074,7 +6080,7 @@ index b191055..e3122b4 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +367,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +368,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6101,7 +6107,7 @@ index b191055..e3122b4 100644 ######################################## # -@@ -333,6 +416,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +417,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) 
@@ -6110,7 +6116,7 @@ index b191055..e3122b4 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +430,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +431,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -25849,7 +25855,7 @@ index fe0c682..3ad1b1f 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..b8e6e98 100644 +index cc877c7..4d56aea 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -25936,7 +25942,7 @@ index cc877c7..b8e6e98 100644 type ssh_t; type ssh_exec_t; -@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) +@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; @@ -25957,7 +25963,11 @@ index cc877c7..b8e6e98 100644 ############################## # -@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; + # SSH client local policy + # + +-allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; ++allow ssh_t self:capability { setpcap setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -38417,10 +38427,10 @@ index 6b91740..3af8a10 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) 
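Review bot: `setpcap` is added to `allow ssh_t self:capability { setpcap setuid setgid dac_override dac_read_search };` with no comment explaining why the ssh client now needs to alter its own capability sets. On its own setpcap is mostly used to drop or bound capabilities, but next to the pre-existing setuid/setgid and dac_override it completes a fairly broad capability set for a user-facing client, so the trigger (presumably the client's privilege-dropping path — this should be confirmed against the AVC that prompted it) deserves to be written down. I would add `# setpcap: ssh adjusts its own capability set before handling the session — confirm against the originating AVC` above the rule. The ssh_t local policy continues outside this hunk.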
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..8f7b119 100644 +index 58bc27f..9e86fce 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if -@@ -1,5 +1,22 @@ +@@ -1,5 +1,41 @@ ## Policy for logical volume management programs. + @@ -38440,10 +38450,29 @@ index 58bc27f..8f7b119 100644 + ') +') + ++######################################## ++## ++## Get the attribute of lvm entrypoint files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_getattr_exec_files',` ++ gen_require(` ++ type lvm_exec_t; ++ ') ++ ++ files_list_etc($1) ++ allow $1 lvm_exec_t:file getattr; ++') ++ ######################################## ## ## Execute lvm programs in the lvm domain. -@@ -86,6 +103,50 @@ interface(`lvm_read_config',` +@@ -86,6 +122,50 @@ interface(`lvm_read_config',` ######################################## ## @@ -38494,7 +38523,7 @@ index 58bc27f..8f7b119 100644 ## Manage LVM configuration files. ## ## -@@ -105,6 +166,25 @@ interface(`lvm_manage_config',` +@@ -105,6 +185,25 @@ interface(`lvm_manage_config',` manage_files_pattern($1, lvm_etc_t, lvm_etc_t) ') @@ -38520,7 +38549,7 @@ index 58bc27f..8f7b119 100644 ###################################### ## ## Execute a domain transition to run clvmd. -@@ -123,3 +203,175 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +222,175 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -47232,7 +47261,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..faf2340 100644 +index 9dc60c6..6879008 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
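Review bot: The new `lvm_getattr_exec_files` interface calls `files_list_etc($1)` before `allow $1 lvm_exec_t:file getattr`, which looks copied from a config-file interface; lvm_exec_t labels the LVM binaries, which (per lvm.fc, not in this hunk) are not under /etc, so listing /etc neither helps the getattr succeed nor matches the interface summary. The directory search a caller needs for an exec type is the bin directory, `corecmd_search_bin($1)`, exactly as `lvm_domtrans_clvmd` does further down in the same file. Dropping files_list_etc also stops every caller of this interface from receiving list access to /etc for no stated reason.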
@@ -48243,7 +48272,7 @@ index 9dc60c6..faf2340 100644 + allow $1_t self:process ~{ ptrace execmem execstack execheap }; + + tunable_policy(`selinuxuser_use_ssh_chroot',` -+ allow $1_t self:capability { setuid setgid sys_chroot }; ++ allow $1_t self:capability { sys_chroot }; + ') - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch index e3def8d..6b3d7d8 100644 --- a/policy-f23-contrib.patch +++ b/policy-f23-contrib.patch @@ -11075,10 +11075,12 @@ index c5a9113..1919abd 100644 xen_dontaudit_rw_unix_stream_sockets(brctl_t) diff --git a/brltty.fc b/brltty.fc new file mode 100644 -index 0000000..0cfe342 +index 0000000..05e3528 --- /dev/null +++ b/brltty.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,10 @@ ++/tmp/brltty\.log.* -- gen_context(system_u:object_r:brltty_log_t,s0) ++ +/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0) + +/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0) @@ -11175,10 +11177,10 @@ index 0000000..968c957 +') diff --git a/brltty.te b/brltty.te new file mode 100644 -index 0000000..eabda1e +index 0000000..c167267 --- /dev/null +++ b/brltty.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,70 @@ +policy_module(brltty, 1.0.0) + +######################################## @@ -11196,6 +11198,9 @@ index 0000000..eabda1e +type brltty_var_run_t; +files_pid_file(brltty_var_run_t) + ++type brltty_log_t; ++logging_log_file(brltty_log_t) ++ +type brltty_unit_file_t; +systemd_unit_file(brltty_unit_file_t) + 
@@ -11210,6 +11215,11 @@ index 0000000..eabda1e +allow brltty_t self:unix_stream_socket create_stream_socket_perms; +allow brltty_t self:tcp_socket listen; + ++manage_files_pattern(brltty_t, brltty_log_t, brltty_log_t) ++manage_sock_files_pattern(brltty_t, brltty_log_t, brltty_log_t) ++manage_lnk_files_pattern(brltty_t, brltty_log_t, brltty_log_t) ++files_tmp_filetrans(brltty_t, brltty_log_t, { file dir }) ++ +manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t) +manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t) +manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t) @@ -28193,7 +28203,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..7945ad9 100644 +index cf0e567..7bebd26 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -28274,7 +28284,13 @@ index cf0e567..7945ad9 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +146,32 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -126,27 +141,37 @@ optional_policy(` + # Client Local policy + # + +-allow fail2ban_client_t self:capability dac_read_search; ++allow fail2ban_client_t self:capability { dac_read_search dac_override }; + allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -28652,7 +28668,7 @@ index c62c567..2d9e254 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..18a2ef2 100644 +index 98072a3..50e7985 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) 
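Review bot: `files_tmp_filetrans(brltty_t, brltty_log_t, { file dir })` is an unnamed transition, so every file or directory brltty_t creates in /tmp — not just its log — is labelled brltty_log_t, and the same hunk grants manage_lnk_files_pattern on that type, letting the daemon create and rename symlinks inside a world-writable directory. Since brltty_log_t is declared with logging_log_file in the preceding hunk, the cleaner fix is to keep the log out of /tmp and use logging_log_filetrans into /var/log; if the /tmp location is fixed by upstream, use a name-based transition, `files_tmp_filetrans(brltty_t, brltty_log_t, file, "brltty.log")`, and drop the lnk_file and sock_file manage rules unless an AVC shows they are needed. The brltty.fc pattern `/tmp/brltty\.log.*` suggests suffixed names, in which case a named transition will not match and a dedicated tmp type is the better option. The brltty_t local policy continues outside this hunk.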
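Review bot: The client policy widens `allow fail2ban_client_t self:capability { dac_read_search dac_override };` without saying which operation failed with only dac_read_search. dac_override bypasses every DAC mode check for a CLI that administrators run interactively, so the denial that prompted it (presumably opening the root-owned fail2ban control socket or log for write — to be confirmed from the audit log) should be named and, if it is a single path, handled with a targeted file rule instead. At minimum record it: `# dac_override: fail2ban-client opens the root-owned control socket — confirm from audit.log`. The fail2ban_client_t section continues past this hunk.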
@@ -28696,7 +28712,7 @@ index 98072a3..18a2ef2 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,20 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,21 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28721,10 +28737,11 @@ index 98072a3..18a2ef2 100644 -sysnet_read_config(firewalld_t) +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) ++sysnet_create_config(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +109,10 @@ optional_policy(` +@@ -95,6 +110,10 @@ optional_policy(` ') optional_policy(` @@ -36688,10 +36705,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..3ba4a51 100644 +index 4eb7041..9717a5a 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,141 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -36778,6 +36795,8 @@ index 4eb7041..3ba4a51 100644 + +files_dontaudit_search_home(hypervkvp_t) + ++fs_getattr_all_fs(hypervkvp_t) ++ +auth_use_nsswitch(hypervkvp_t) + +logging_send_syslog_msg(hypervkvp_t) @@ -37000,7 +37019,7 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..a28aa13 100644 +index c6450df..6304b00 100644 --- a/inetd.te +++ b/inetd.te @@ -37,9 +37,9 @@ ifdef(`enable_mcs',` @@ -37090,7 +37109,7 @@ index c6450df..a28aa13 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) @@ -37100,6 +37119,10 @@ index c6450df..a28aa13 100644 +optional_policy(` + kerberos_use(inetd_child_t) +') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(inetd_child_t) ++') optional_policy(` unconfined_domain(inetd_child_t) 
@@ -41779,7 +41802,7 @@ index f6c00d8..e3cb4f1 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..1d0599a 100644 +index 8833d59..a6356be 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -42048,7 +42071,7 @@ index 8833d59..1d0599a 100644 selinux_validate_context(krb5kdc_t) -+auth_read_passwd(krb5kdc_t) ++auth_use_nsswitch(krb5kdc_t) + logging_send_syslog_msg(krb5kdc_t) @@ -45966,10 +45989,10 @@ index 0000000..bdd17ca +/var/run/lttng(/.*)? gen_context(system_u:object_r:lttng_sessiond_var_run_t,s0) diff --git a/lttng-tools.if b/lttng-tools.if new file mode 100644 -index 0000000..6b0da33 +index 0000000..e86897d --- /dev/null +++ b/lttng-tools.if -@@ -0,0 +1,98 @@ +@@ -0,0 +1,117 @@ + +## LTTng 2.x central tracing registry session daemon. + @@ -46068,6 +46091,25 @@ index 0000000..6b0da33 + systemd_read_fifo_file_passwd_run($1) + ') +') ++ ++######################################## ++## ++## Read and write lttng-tools shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lttng_read_shm',` ++ gen_require(` ++ type lttng_sessiond_tmpfs_t; ++ ') ++ ++ read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t) ++ fs_search_tmpfs($1) ++') diff --git a/lttng-tools.te b/lttng-tools.te new file mode 100644 index 0000000..0b9ade5 @@ -48881,10 +48923,10 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..86766b0 +index 0000000..66c45cb --- /dev/null +++ b/mock.te -@@ -0,0 +1,278 @@ +@@ -0,0 +1,284 @@ +policy_module(mock,1.0.0) + +## @@ -49031,7 +49073,13 @@ index 0000000..86766b0 +logging_send_audit_msgs(mock_t) +logging_send_syslog_msg(mock_t) + ++lvm_manage_lock(mock_t) ++lvm_read_config(mock_t) ++lvm_read_metadata(mock_t) ++lvm_getattr_exec_files(mock_t) ++ +userdom_use_user_ptys(mock_t) ++userdom_use_user_ttys(mock_t) + +files_search_home(mock_t) + 
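Review bot: The summary of the new `lttng_read_shm` interface says "Read and write lttng-tools shared memory", but the body grants only `read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)` plus `fs_search_tmpfs($1)`; the name and the rules agree on read-only, the doc does not. A caller trusting the summary will expect write access it does not get and is then likely to add a broader rule elsewhere. Change the summary to `## Read lttng-tools shared memory.`; if write access is genuinely intended it belongs in a separate `lttng_rw_shm` interface so read-only consumers are not over-granted.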
@@ -59428,7 +59476,7 @@ index ba64485..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) diff --git a/nscd.if b/nscd.if -index 8f2ab09..cd5d344 100644 +index 8f2ab09..a298198 100644 --- a/nscd.if +++ b/nscd.if @@ -1,8 +1,8 @@ @@ -59614,16 +59662,34 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -193,7 +214,7 @@ interface(`nscd_dontaudit_search_pid',` +@@ -193,7 +214,25 @@ interface(`nscd_dontaudit_search_pid',` ######################################## ## -## Read nscd pid files. ++## Do not audit attempts to read the NSCD pid directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`nscd_dontaudit_read_pid',` ++ gen_require(` ++ type nscd_var_run_t; ++ ') ++ ++ dontaudit $1 nscd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## +## Read NSCD pid file. ## ## ## -@@ -212,7 +233,7 @@ interface(`nscd_read_pid',` +@@ -212,7 +251,7 @@ interface(`nscd_read_pid',` ######################################## ## @@ -59632,7 +59698,7 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -244,20 +265,20 @@ interface(`nscd_unconfined',` +@@ -244,20 +283,20 @@ interface(`nscd_unconfined',` ## Role allowed access. ## ## @@ -59657,7 +59723,7 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -275,8 +296,32 @@ interface(`nscd_initrc_domtrans',` +@@ -275,8 +314,32 @@ interface(`nscd_initrc_domtrans',` ######################################## ## @@ -59692,7 +59758,7 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -285,7 +330,7 @@ interface(`nscd_initrc_domtrans',` +@@ -285,7 +348,7 @@ interface(`nscd_initrc_domtrans',` ## ## ## @@ -59701,7 +59767,7 @@ index 8f2ab09..cd5d344 100644 ## ## ## -@@ -294,10 +339,14 @@ interface(`nscd_admin',` +@@ -294,10 +357,14 @@ interface(`nscd_admin',` gen_require(` type nscd_t, nscd_log_t, nscd_var_run_t; type nscd_initrc_exec_t; 
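Review bot: `nscd_dontaudit_read_pid` documents itself as "Do not audit attempts to read the NSCD pid directory", but the rule is `dontaudit $1 nscd_var_run_t:file read_file_perms;` — files, not the directory, and nothing on the dir class. The summary should match the object class, `## Do not audit attempts to read NSCD pid files.`, consistent with the `nscd_read_pid` summary a few lines below. If directory listing also needs silencing, add `dontaudit $1 nscd_var_run_t:dir list_dir_perms;` explicitly rather than implying it in the doc.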
@@ -59717,7 +59783,7 @@ index 8f2ab09..cd5d344 100644 init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) -@@ -310,5 +359,7 @@ interface(`nscd_admin',` +@@ -310,5 +377,7 @@ interface(`nscd_admin',` files_list_pids($1) admin_pattern($1, nscd_var_run_t) @@ -60040,7 +60106,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d2..b73b24e 100644 +index 47bb1d2..fcd0c38 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; @@ -60088,14 +60154,15 @@ index 47bb1d2..b73b24e 100644 +allow nsd_t self:udp_socket create_socket_perms; allow nsd_t self:fifo_file rw_fifo_file_perms; -allow nsd_t self:tcp_socket { accept listen }; - - allow nsd_t nsd_conf_t:dir list_dir_perms; +- +-allow nsd_t nsd_conf_t:dir list_dir_perms; -allow nsd_t nsd_conf_t:file read_file_perms; -allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms; -- + -allow nsd_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) -+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) ++manage_dirs_pattern(nsd_t, nsd_conf_t, nsd_conf_t) ++manage_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) +read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) @@ -64937,7 +65004,7 @@ index 6837e9a..8d6e33b 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..a6cf637 100644 +index 63957a3..91dead6 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) 
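Review bot: Replacing `read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)` with `manage_dirs_pattern`/`manage_files_pattern` on nsd_conf_t lets the daemon create, rewrite and delete its own configuration, so a compromised nsd_t can persist changes across restarts. Daemons in this policy normally keep the config type read-only and use a separate writable type for state; the removed upstream lines show nsd_zone_t and nsd_db_t served that role before. If nsd writes specific files under its config directory (zone files or nsd-control state — presumably what triggered this), give those a writable type via a transition from nsd_conf_t, e.g. `filetrans_pattern(nsd_t, nsd_conf_t, nsd_zone_t, file)` plus manage rules on that type, and keep nsd_conf_t at read_files_pattern. The nsd_t local policy continues outside this hunk.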
@@ -64991,7 +65058,7 @@ index 63957a3..a6cf637 100644 allow openvpn_t openvpn_etc_t:dir list_dir_perms; allow openvpn_t openvpn_etc_t:file read_file_perms; allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms; -@@ -73,13 +85,17 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -73,18 +85,23 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") @@ -65012,7 +65079,14 @@ index 63957a3..a6cf637 100644 logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -@@ -97,7 +113,6 @@ kernel_request_load_module(openvpn_t) + manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) +-files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) ++manage_sock_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) ++files_pid_filetrans(openvpn_t, openvpn_var_run_t, { sock_file file dir }) + + can_exec(openvpn_t, openvpn_etc_t) + +@@ -97,7 +114,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -65020,7 +65094,7 @@ index 63957a3..a6cf637 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -117,13 +132,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) +@@ -117,13 +133,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) corenet_sendrecv_http_server_packets(openvpn_t) corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) @@ -65037,7 +65111,7 @@ index 63957a3..a6cf637 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -132,21 +149,31 @@ files_read_etc_runtime_files(openvpn_t) +@@ -132,21 +150,31 @@ files_read_etc_runtime_files(openvpn_t) fs_getattr_all_fs(openvpn_t) fs_search_auto_mountpoints(openvpn_t) 
@@ -65072,7 +65146,7 @@ index 63957a3..a6cf637 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -164,10 +191,20 @@ tunable_policy(`openvpn_can_network_connect',` +@@ -164,10 +192,20 @@ tunable_policy(`openvpn_can_network_connect',` ') optional_policy(` @@ -65093,7 +65167,7 @@ index 63957a3..a6cf637 100644 dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) -@@ -175,3 +212,27 @@ optional_policy(` +@@ -175,3 +213,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -67026,10 +67100,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..778faa9 +index 0000000..2692b16 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,276 @@ +@@ -0,0 +1,278 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -67140,6 +67214,7 @@ index 0000000..778faa9 +# pcp_pmcd local policy +# + ++allow pcp_pmcd_t self:capability sys_admin; +allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms; + @@ -67156,6 +67231,7 @@ index 0000000..778faa9 +corenet_tcp_connect_amqp_port(pcp_pmcd_t) + +dev_read_sysfs(pcp_pmcd_t) ++dev_rw_lvm_control(pcp_pmcd_t) + +domain_read_all_domains_state(pcp_pmcd_t) +domain_getattr_all_domains(pcp_pmcd_t) @@ -69003,13 +69079,15 @@ index 0000000..a989aea + +sysnet_read_config(piranha_domain) diff --git a/pkcs.fc b/pkcs.fc -index 9a72226..0351b1e 100644 +index 9a72226..b296894 100644 --- a/pkcs.fc +++ b/pkcs.fc -@@ -4,4 +4,6 @@ +@@ -4,4 +4,8 @@ /var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0) ++/var/log/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_log_t,s0) ++ +/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_lock_t,s0) + /var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0) @@ -69037,10 +69115,10 @@ index 69be2aa..2d7b3f6 100644 admin_pattern($1, pkcs_slotd_var_run_t) 
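Review bot: `allow pcp_pmcd_t self:capability sys_admin;` is added to a newly written monitoring daemon with no comment, and the same file also gains `dev_rw_lvm_control(pcp_pmcd_t)`. CAP_SYS_ADMIN is the catch-all capability (mounts, privileged ioctls on block devices, namespace operations), so for a metrics collector it should be tied to the specific operation in the AVC; if pmcd merely probes for something it does not need, `dontaudit pcp_pmcd_t self:capability sys_admin;` keeps the log quiet without granting it. Add a comment such as `# sys_admin: required for <ioctl/operation> by the <PMDA> — see AVC` so the grant stays traceable. The pcp_pmcd local policy continues outside this hunk.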
diff --git a/pkcs.te b/pkcs.te -index 8eb3f7b..ee837c6 100644 +index 8eb3f7b..81ee57d 100644 --- a/pkcs.te +++ b/pkcs.te -@@ -7,21 +7,31 @@ policy_module(pkcs, 1.0.1) +@@ -7,21 +7,34 @@ policy_module(pkcs, 1.0.1) type pkcs_slotd_t; type pkcs_slotd_exec_t; @@ -69059,6 +69137,9 @@ index 8eb3f7b..ee837c6 100644 +typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t; +files_lock_file(pkcs_slotd_lock_t) + ++type pkcs_slotd_log_t; ++logging_log_file(pkcs_slotd_log_t) ++ type pkcs_slotd_var_run_t; +typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t; files_pid_file(pkcs_slotd_var_run_t) 
@@ -69072,16 +69153,22 @@ index 8eb3f7b..ee837c6 100644 files_tmpfs_file(pkcs_slotd_tmpfs_t) ######################################## -@@ -40,6 +50,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) +@@ -40,6 +53,14 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir) +manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t) ++manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t) ++files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir) ++ ++manage_files_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t) ++manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_log_t, pkcs_slotd_log_t) ++logging_log_filetrans(pkcs_slotd_t, pkcs_slotd_log_t, dir) + manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) -@@ -51,10 +63,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) +@@ -51,10 +72,12 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) @@ -76121,10 +76208,10 @@ index 0000000..8231f4f +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 0000000..3ef4a99 +index 0000000..d9a9124 --- /dev/null +++ b/prosody.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,98 @@ +policy_module(prosody, 1.0.0) + +######################################## 
@@ -76197,6 +76284,7 @@ index 0000000..3ef4a99 +corenet_tcp_connect_postgresql_port(prosody_t) +corenet_tcp_connect_jabber_interserver_port(prosody_t) +corenet_tcp_connect_jabber_client_port(prosody_t) ++corenet_tcp_bind_prosody_port(prosody_t) +corenet_tcp_bind_jabber_client_port(prosody_t) +corenet_tcp_bind_jabber_interserver_port(prosody_t) +corenet_tcp_bind_jabber_router_port(prosody_t) @@ -84609,7 +84697,7 @@ index 47de2d6..dfb3396 100644 +/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..29df561 100644 +index c8bdea2..b2d9745 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -84638,7 +84726,7 @@ index c8bdea2..29df561 100644 ') ############################## -@@ -43,33 +43,29 @@ template(`rhcs_domain_template',` +@@ -43,11 +43,6 @@ template(`rhcs_domain_template',` manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) @@ -84650,11 +84738,9 @@ index c8bdea2..29df561 100644 logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) +@@ -56,20 +51,21 @@ template(`rhcs_domain_template',` manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -- files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) -+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file }) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) - optional_policy(` - dbus_system_bus_client($1_t) @@ -99338,7 +99424,7 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 1af72df..7e55b50 100644 +index 1af72df..ffccc41 100644 --- a/snort.te +++ b/snort.te @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) 
@@ -99375,7 +99461,7 @@ index 1af72df..7e55b50 100644 corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) -@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t) +@@ -86,18 +86,19 @@ dev_rw_generic_usb_dev(snort_t) domain_use_interactive_fds(snort_t) @@ -99387,6 +99473,8 @@ index 1af72df..7e55b50 100644 +auth_read_passwd(snort_t) + ++auth_use_nsswitch(snort_t) ++ init_read_utmp(snort_t) logging_send_syslog_msg(snort_t) @@ -101249,10 +101337,10 @@ index b38b8b1..eb36653 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 0a8b0f7..0630506 100644 +index 0a8b0f7..03fb6b1 100644 --- a/squid.fc +++ b/squid.fc -@@ -1,20 +1,26 @@ +@@ -1,20 +1,28 @@ -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/dev/shm/squid-* -- gen_context(system_u:object_r:squid_tmpfs_t,s0) @@ -101262,6 +101350,8 @@ index 0a8b0f7..0630506 100644 +/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) ++/usr/libexec/squid/cache_swap\.sh -- gen_context(system_u:object_r:squid_exec_t,s0) ++ +/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0) + +/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0) @@ -102202,10 +102292,10 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..a696686 100644 +index 2d8db1f..c420309 100644 --- a/sssd.te +++ b/sssd.te -@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t) +@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) 
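Review bot: `auth_use_nsswitch(snort_t)` in the snort.te hunk grants considerably more than user lookup — in refpolicy that interface typically also gives the domain a route netlink socket, DNS resolution and, through optional policy, connections to the nscd, sssd and winbind sockets — so for a sensor that parses untrusted network traffic the reason should be written down. If the only need is local user/group resolution, `auth_read_passwd(snort_t)` two lines above already covers it and the new call may be redundant; otherwise add `# snort needs nsswitch (sssd/nscd) lookups for <REASON> — rhbz#<BUG_ID>` above it. The snort_t rule block continues outside the hunk.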
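Review bot: Labeling `/usr/libexec/squid/cache_swap\.sh` as `squid_exec_t` in the squid.fc hunk makes an init-started run of that shell script transition into squid_t, so squid_t must be permitted to execute the shell and the commands the script invokes (`corecmd_exec_shell(squid_t)`, `corecmd_exec_bin(squid_t)`); those rules live in squid.te, which is not part of this diff, so confirm they are present or the helper fails with an execute denial on shell_exec_t. A short file-context comment would help the next reader, e.g. `# init helper script; runs in squid_t so the cache dirs it creates get squid_cache_t`. The script's purpose is inferred from its name — verify against the unit file that calls it.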
@@ -102233,8 +102323,11 @@ index 2d8db1f..a696686 100644 +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) ++list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t) -@@ -51,9 +59,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) + manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) +@@ -51,9 +60,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) @@ -102245,7 +102338,7 @@ index 2d8db1f..a696686 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +68,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +69,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -102267,7 +102360,7 @@ index 2d8db1f..a696686 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +85,35 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +86,35 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -102307,7 +102400,7 @@ index 2d8db1f..a696686 100644 init_read_utmp(sssd_t) -@@ -112,18 +121,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +122,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -110834,7 +110927,7 @@ index facdee8..a81bff7 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..4ad762f 100644 +index f03dcf5..c998aa3 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,234 @@ 
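Review bot: The new `list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t)` in the sssd.te hunk carries no comment saying why directory listing is now needed on top of the existing `read_files_pattern` (which already permits search); presumably sssd enumerates configuration snippets under its config directory, e.g. /etc/sssd/conf.d, but that is an inference from the rule alone. Once confirmed, add `# sssd enumerates config snippets under /etc/sssd/conf.d — rhbz#<BUG_ID>` above the line. The sssd_t rule block starts and ends outside this hunk.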
@@ -111814,7 +111907,7 @@ index f03dcf5..4ad762f 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +674,284 @@ optional_policy(` +@@ -746,44 +674,288 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -111942,7 +112035,7 @@ index f03dcf5..4ad762f 100644 +dev_rw_kvm(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) -+ + +domain_use_interactive_fds(virt_domain) + +files_read_mnt_symlinks(virt_domain) @@ -111984,6 +112077,10 @@ index f03dcf5..4ad762f 100644 +') + +optional_policy(` ++ nscd_dontaudit_read_pid(virt_domain) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) +') + @@ -112037,7 +112134,7 @@ index f03dcf5..4ad762f 100644 + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') - ++ +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) @@ -112121,7 +112218,7 @@ index f03dcf5..4ad762f 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +962,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +966,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -112148,7 +112245,7 @@ index f03dcf5..4ad762f 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +982,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +986,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -112165,10 +112262,10 @@ index f03dcf5..4ad762f 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -112182,7 +112279,7 @@ index f03dcf5..4ad762f 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1019,20 @@ optional_policy(` +@@ -856,14 +1023,20 @@ optional_policy(` ') optional_policy(` 
@@ -112204,7 +112301,7 @@ index f03dcf5..4ad762f 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1057,65 @@ optional_policy(` +@@ -888,49 +1061,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -112288,7 +112385,7 @@ index f03dcf5..4ad762f 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1127,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1131,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -112308,7 +112405,7 @@ index f03dcf5..4ad762f 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1148,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1152,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -112332,7 +112429,7 @@ index f03dcf5..4ad762f 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1173,325 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1177,325 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -112348,21 +112445,21 @@ index f03dcf5..4ad762f 100644 +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) -+ + +-miscfiles_read_localization(virtd_lxc_t) + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') --miscfiles_read_localization(virtd_lxc_t) -+optional_policy(` -+ gnome_read_generic_cache_files(virtd_lxc_t) -+') - -seutil_domtrans_setfiles(virtd_lxc_t) -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` ++ gnome_read_generic_cache_files(virtd_lxc_t) ++') ++ ++optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') 
@@ -112563,19 +112660,19 @@ index f03dcf5..4ad762f 100644 + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') -+ -+optional_policy(` -+ gear_read_pid_files(svirt_sandbox_domain) -+') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ gear_read_pid_files(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') ++ ++optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') + @@ -112771,10 +112868,10 @@ index f03dcf5..4ad762f 100644 +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(svirt_sandbox_file_t) -+ -+auth_use_nsswitch(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++auth_use_nsswitch(svirt_qemu_net_t) ++ +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) @@ -112799,7 +112896,7 @@ index f03dcf5..4ad762f 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1504,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1508,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -112814,7 +112911,7 @@ index f03dcf5..4ad762f 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1522,7 @@ optional_policy(` +@@ -1192,7 +1526,7 @@ optional_policy(` ######################################## # @@ -112823,7 +112920,7 @@ index f03dcf5..4ad762f 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1531,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1535,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; 
@@ -113237,10 +113334,10 @@ index 0000000..afd0c97 +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..1928ad9 +index 0000000..f98f288 --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,96 @@ +@@ -0,0 +1,100 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -113316,6 +113413,10 @@ index 0000000..1928ad9 +') + +optional_policy(` ++ rpm_transition_script(vmtools_t,system_r) ++') ++ ++optional_policy(` + unconfined_domain(vmtools_t) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index cc43e3b..464f96f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 158.21%{?dist} +Release: 158.22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -653,6 +653,19 @@ exit 0 %endif %changelog +* Wed Jul 27 2016 Lukas Vrabec 3.13.1-158.22 +- Fix typo in brltty policy. +- Allow pcp dmcache metrics collection +- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t +- Allow openvpn to create sock files labeled as openvpn_var_run_t +- Allow hypervkvp daemon to getattr on all filesystem types. +- Allow firewalld to create net_conf_t files +- Allow mock to use lvm +- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245 +- corecmd: Remove fcontext for /etc/sysconfig/libvirtd +- Add interface lvm_getattr_exec_files() +- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl + * Tue Jun 28 2016 Lukas Vrabec 3.13.1-158.21 - Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs. - Allow firewalld_t to create entries in net_conf_t dirs.
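Review bot: `rpm_transition_script(vmtools_t,system_r)` in the vmtools.te hunk lacks the space after the comma that every other call in the file uses, and it gives the VMware guest agent a transition into rpm_script_t, which in this policy is typically a near-unconfined domain; nothing in the hunk records why the agent must run package scriptlets. Write it as `rpm_transition_script(vmtools_t, system_r)` with a comment such as `# vmtools runs rpm scriptlets when (re)installing guest tools — rhbz#<BUG_ID>`, and consider whether it belongs next to, or inside the same condition as, the `unconfined_domain(vmtools_t)` block that follows it, since the two together define how far the guest agent can reach into the host system. The policy_module header is in the hunk but the rest of vmtools.te is not.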