diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 5ce998d..fbd45dc 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index d287cb3..0efa0d7 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -22548,7 +22548,7 @@ index ff92430..36740ea 100644
 ##
 ## Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..0371f63 100644
+index 2522ca6..a73a163 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@@ -22754,7 +22754,11 @@ index 2522ca6..0371f63 100644
 fstools_run(sysadm_t, sysadm_r)
 ')
-@@ -175,10 +249,27 @@ optional_policy(`
+@@ -172,13 +246,31 @@ optional_policy(`
+ # at things (e.g., ipsec auto --status)
+ # probably should create an ipsec_admin role for this kind of thing
+ ipsec_exec_mgmt(sysadm_t)
++ ipsec_read_pid(sysadm_t)
 ipsec_stream_connect(sysadm_t)
 # for lsof
 ipsec_getattr_key_sockets(sysadm_t)
@@ -22782,7 +22786,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -190,11 +281,12 @@ optional_policy(`
+@@ -190,11 +282,12 @@ optional_policy(`
 ')
 optional_policy(`
@@ -22797,7 +22801,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -210,22 +302,20 @@ optional_policy(`
+@@ -210,22 +303,20 @@ optional_policy(`
 modutils_run_depmod(sysadm_t, sysadm_r)
 modutils_run_insmod(sysadm_t, sysadm_r)
 modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -22826,7 +22830,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -237,14 +327,28 @@ optional_policy(`
+@@ -237,14 +328,28 @@ optional_policy(`
 ')
 optional_policy(`
@@ -22855,7 +22859,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -252,10 +356,20 @@ optional_policy(`
+@@ -252,10 +357,20 @@ optional_policy(`
 ')
 optional_policy(`
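Review bot: `ipsec_read_pid(sysadm_t)` grants sysadm_t read on every file and socket file of type ipsec_var_run_t (the interface body is in the ipsec.if hunk further down), which is broader than the single pluto control socket the changelog says whack needs; if the denial was on the sock_file, `ipsec_stream_connect(sysadm_t)` on the next line presumably already covers the connect and only getattr/read on the socket was missing, so the AVC should be checked before the pid files are exposed as well. The comment two lines up already marks this block as a candidate for a separate ipsec_admin role, so the new call deserves a why-comment such as `# whack reads /var/run/pluto/pluto.ctl for 'ipsec auto --status'`. The enclosing optional_policy block starts and ends outside the hunk.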
@@ -22876,7 +22880,7 @@ index 2522ca6..0371f63 100644
 portage_run(sysadm_t, sysadm_r)
 portage_run_fetch(sysadm_t, sysadm_r)
 portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +380,41 @@ optional_policy(`
+@@ -266,35 +381,41 @@ optional_policy(`
 ')
 optional_policy(`
@@ -22925,7 +22929,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -308,6 +428,7 @@ optional_policy(`
+@@ -308,6 +429,7 @@ optional_policy(`
 optional_policy(`
 screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -22933,7 +22937,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -315,12 +436,20 @@ optional_policy(`
+@@ -315,12 +437,20 @@ optional_policy(`
 ')
 optional_policy(`
@@ -22955,7 +22959,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -345,30 +474,37 @@ optional_policy(`
+@@ -345,30 +475,37 @@ optional_policy(`
 ')
 optional_policy(`
@@ -23002,7 +23006,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -380,10 +516,6 @@ optional_policy(`
+@@ -380,10 +517,6 @@ optional_policy(`
 ')
 optional_policy(`
@@ -23013,7 +23017,7 @@ index 2522ca6..0371f63 100644
 usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 usermanage_run_groupadd(sysadm_t, sysadm_r)
 usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +523,9 @@ optional_policy(`
+@@ -391,6 +524,9 @@ optional_policy(`
 optional_policy(`
 virt_stream_connect(sysadm_t)
@@ -23023,7 +23027,7 @@ index 2522ca6..0371f63 100644
 ')
 optional_policy(`
-@@ -398,31 +533,34 @@ optional_policy(`
+@@ -398,31 +534,34 @@ optional_policy(`
 ')
 optional_policy(`
@@ -23064,7 +23068,7 @@ index 2522ca6..0371f63 100644
 auth_role(sysadm_r, sysadm_t)
 ')
-@@ -435,10 +573,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +574,6 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
@@ -23075,7 +23079,7 @@ index 2522ca6..0371f63 100644
 dbus_role_template(sysadm, sysadm_r, sysadm_t)
 optional_policy(`
-@@ -459,15 +593,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +594,79 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
@@ -35414,7 +35418,7 @@ index 662e79b..d32012f 100644
 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..720ece8 100644
+index 0d4c8d3..537aa42 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
 @@ -18,6 +18,24 @@ interface(`ipsec_domtrans',`
@@ -35600,7 +35604,34 @@ index 0d4c8d3..720ece8 100644
 ')
 ########################################
-@@ -369,3 +497,27 @@ interface(`ipsec_run_setkey',`
+@@ -267,6 +395,26 @@ interface(`ipsec_write_pid',`
+
+ ########################################
+ ##
++## Allow read the IPSEC pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_read_pid',`
++ gen_require(`
++ type ipsec_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
++ read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
++')
++
++########################################
++##
+ ## Create, read, write, and delete the IPSEC pid files.
+ ##
+ ##
+@@ -369,3 +517,27 @@ interface(`ipsec_run_setkey',`
 ipsec_domtrans_setkey($1)
 role $2 types setkey_t;
 ')
@@ -35629,7 +35660,7 @@ index 0d4c8d3..720ece8 100644
 + ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..8e32ea8 100644
+index 312cd04..34f5262 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -35771,7 +35802,7 @@ index 312cd04..8e32ea8 100644
 seutil_sigchld_newrole(ipsec_t)
 ')
-@@ -182,19 +211,29 @@ optional_policy(`
+@@ -182,19 +211,30 @@ optional_policy(`
 udev_read_db(ipsec_t)
 ')
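Review bot: The summary of the new `ipsec_read_pid` interface says only 'Allow read the IPSEC pid files', yet the body also grants `read_sock_files_pattern` on ipsec_var_run_t, and the changelog's stated motivation is the pluto control socket rather than a pid file; spell that out and fix the verb form to match the sibling summaries, e.g. `## Read the IPsec pid files and socket files in /var/run.`. Whether /var/run/pluto/pluto.ctl is actually labelled ipsec_var_run_t is not visible in this diff — the pluto entries shown in the .fc context at the top of this line use ipsec_mgmt_var_run_t — so the labelling should be confirmed before relying on this interface for the whack fix. The interface is complete within the hunk.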
@@ -35802,10 +35833,11 @@ index 312cd04..8e32ea8 100644
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 +allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
++allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +247,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -35821,7 +35853,7 @@ index 312cd04..8e32ea8 100644
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
-@@ -246,6 +287,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +288,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
@@ -35838,7 +35870,7 @@ index 312cd04..8e32ea8 100644
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +306,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +307,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
@@ -35847,7 +35879,7 @@ index 312cd04..8e32ea8 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
-@@ -269,6 +322,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +323,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
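Review bot: `create_netlink_socket_perms` on netlink_route_socket includes nlmsg_write in refpolicy's permission sets, so the new rule lets ipsec_mgmt_t modify routes, addresses and neighbour entries rather than only read them; if the management scripts only query routing state, `allow ipsec_mgmt_t self:netlink_route_socket r_netlink_socket_perms;` is the least-privilege form (the braces around a single permission set are unnecessary either way). A why-comment naming the command that hit the denial would make the grant auditable later. The ipsec_mgmt_t rule block starts and ends outside the hunk.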
@@ -35855,7 +35887,7 @@ index 312cd04..8e32ea8 100644
 files_read_usr_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +332,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +333,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 term_use_console(ipsec_mgmt_t)
@@ -35867,7 +35899,7 @@ index 312cd04..8e32ea8 100644
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +343,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +344,28 @@ init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -35901,7 +35933,7 @@ index 312cd04..8e32ea8 100644
 optional_policy(`
 consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +388,10 @@ optional_policy(`
+@@ -322,6 +389,10 @@ optional_policy(`
 ')
 optional_policy(`
@@ -35912,7 +35944,7 @@ index 312cd04..8e32ea8 100644
 modutils_domtrans_insmod(ipsec_mgmt_t)
 ')
-@@ -335,7 +405,7 @@ optional_policy(`
+@@ -335,7 +406,7 @@ optional_policy(`
 #
 allow racoon_t self:capability { net_admin net_bind_service };
@@ -35921,7 +35953,7 @@ index 312cd04..8e32ea8 100644
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +440,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +441,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
@@ -35941,7 +35973,7 @@ index 312cd04..8e32ea8 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +470,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +471,10 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
@@ -35954,7 +35986,7 @@ index 312cd04..8e32ea8 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +507,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +508,8 @@ corenet_setcontext_all_spds(setkey_t)
 locallogin_use_fds(setkey_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 6f72c4a..e71fc66 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -8260,7 +8260,7 @@ index 50c9b9c..533a555 100644
 + allow $1 arpwatch_unit_file_t:service all_service_perms;
 ')
 diff --git a/arpwatch.te b/arpwatch.te
-index 2d7bf34..2927585 100644
+index 2d7bf34..766a91a 100644
 --- a/arpwatch.te
 +++ b/arpwatch.te
 @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -8273,15 +8273,16 @@ index 2d7bf34..2927585 100644
 ########################################
 #
 # Local policy
-@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
+@@ -33,6 +36,8 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
 allow arpwatch_t self:tcp_socket { accept listen };
 allow arpwatch_t self:packet_socket create_socket_perms;
 allow arpwatch_t self:socket create_socket_perms;
 +allow arpwatch_t self:netlink_socket create_socket_perms;
++allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
 manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
-@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+@@ -45,11 +50,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
 manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
 files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
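Review bot: `netlink_netfilter_socket` here and `netlink_generic_socket` in the openvswitch.te hunk at @@ -65145 are object classes that exist only where the policy's flask definitions declare the extended netlink classes; if this tree's security_classes does not have them, the module build fails on an unknown class, so confirm the class definitions are present (or guard the rules) before shipping. Neither rule records why the domain needs the socket, unlike the changelog-tracked ipsec changes; a one-line comment naming the program or denial behind each grant would keep it auditable. The arpwatch_t local-policy block starts and ends outside the hunk.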
@@ -8306,7 +8307,7 @@ index 2d7bf34..2927585 100644
 dev_read_sysfs(arpwatch_t)
 dev_read_usbmon_dev(arpwatch_t)
 dev_rw_generic_usb_dev(arpwatch_t)
-@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
+@@ -59,15 +76,12 @@ fs_search_auto_mountpoints(arpwatch_t)
 domain_use_interactive_fds(arpwatch_t)
@@ -65103,7 +65104,7 @@ index 9b15730..cb00f20 100644
 + ')
 ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..ba23186 100644
+index 44dbc99..a17af8b 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -65120,7 +65121,7 @@ index 44dbc99..ba23186 100644
 type openvswitch_var_lib_t;
 files_type(openvswitch_var_lib_t)
-@@ -27,20 +24,28 @@ files_tmp_file(openvswitch_tmp_t)
+@@ -27,20 +24,29 @@ files_tmp_file(openvswitch_tmp_t)
 type openvswitch_var_run_t;
 files_pid_file(openvswitch_var_run_t)
@@ -65145,6 +65146,7 @@ index 44dbc99..ba23186 100644
 +allow openvswitch_t self:tcp_socket create_stream_socket_perms;
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
++allow openvswitch_t self:netlink_generic_socket create_socket_perms;
 -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
 -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
@@ -65157,7 +65159,7 @@ index 44dbc99..ba23186 100644
 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
 manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -48,9 +53,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -48,9 +54,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
 files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
 manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -65168,7 +65170,7 @@ index 44dbc99..ba23186 100644
 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
 logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -65,33 +68,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +69,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
 manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
 files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -93304,7 +93306,7 @@ index 2b7c441..0232e85 100644
 + can_exec(smbd_t, samba_unconfined_script_exec_t)
 ')
 diff --git a/sambagui.te b/sambagui.te
-index e18b0a2..463e207 100644
+index e18b0a2..dc2a745 100644
 --- a/sambagui.te
 +++ b/sambagui.te
 @@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
@@ -93325,8 +93327,11 @@ index e18b0a2..463e207 100644
 sysnet_use_ldap(sambagui_t)
-@@ -61,6 +61,7 @@ optional_policy(`
+@@ -59,8 +59,10 @@ optional_policy(`
+ samba_append_log(sambagui_t)
+ samba_manage_config(sambagui_t)
 samba_manage_var_files(sambagui_t)
++ samba_manage_var_dirs(sambagui_t)
 samba_read_secrets(sambagui_t)
 samba_initrc_domtrans(sambagui_t)
 + samba_systemctl(sambagui_t)
@@ -110464,7 +110469,7 @@ index facdee8..19b6ffb 100644
 + ps_process_pattern(virtd_t, $1)
 ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..27c7cb7 100644
+index f03dcf5..a9548bd 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,248 @@
@@ -111457,7 +111462,7 @@ index f03dcf5..27c7cb7 100644
 kernel_read_xen_state(virtd_t)
 kernel_write_xen_state(virtd_t)
-@@ -746,44 +686,277 @@ optional_policy(`
+@@ -746,44 +686,278 @@ optional_policy(`
 udev_read_pid_files(virtd_t)
 ')
@@ -111534,7 +111539,8 @@ index f03dcf5..27c7cb7 100644
 +manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
 +manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
 +manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
-+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file })
++manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
++files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file})
 +userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
 +
 +manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
@@ -111757,7 +111763,7 @@ index f03dcf5..27c7cb7 100644
 kernel_read_system_state(virsh_t)
 kernel_read_network_state(virsh_t)
 kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +967,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +968,18 @@ kernel_write_xen_state(virsh_t)
 corecmd_exec_bin(virsh_t)
 corecmd_exec_shell(virsh_t)
@@ -111784,7 +111790,7 @@ index f03dcf5..27c7cb7 100644
 fs_getattr_all_fs(virsh_t)
 fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +987,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +988,25 @@ fs_search_auto_mountpoints(virsh_t)
 storage_raw_read_fixed_disk(virsh_t)
@@ -111818,7 +111824,7 @@ index f03dcf5..27c7cb7 100644
 tunable_policy(`virt_use_nfs',`
 fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1024,20 @@ optional_policy(`
+@@ -856,14 +1025,20 @@ optional_policy(`
 ')
 optional_policy(`
@@ -111840,7 +111846,7 @@ index f03dcf5..27c7cb7 100644
 xen_stream_connect(virsh_t)
 xen_stream_connect_xenstore(virsh_t)
 ')
-@@ -888,49 +1062,65 @@ optional_policy(`
+@@ -888,49 +1063,65 @@ optional_policy(`
 kernel_read_xen_state(virsh_ssh_t)
 kernel_write_xen_state(virsh_ssh_t)
@@ -111924,7 +111930,7 @@ index f03dcf5..27c7cb7 100644
 corecmd_exec_bin(virtd_lxc_t)
 corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1132,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1133,16 @@ dev_read_urand(virtd_lxc_t)
 domain_use_interactive_fds(virtd_lxc_t)
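Review bot: `files_tmp_filetrans` now labels new sockets svirt_tmp_t, but `userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })` on the very next line still omits sock_file, so a guest creating a socket under a user's tmp directory keeps the user tmp type even though the new `manage_sock_files_pattern` rule only covers svirt_tmp_t; align it with `userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file sock_file })`. The new class set is also written `lnk_file sock_file}` without the space before the closing brace that every neighbouring set uses. The virt_domain rule block starts and ends outside the hunk.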
@@ -111944,7 +111950,7 @@ index f03dcf5..27c7cb7 100644
 fs_getattr_all_fs(virtd_lxc_t)
 fs_manage_tmpfs_dirs(virtd_lxc_t)
 fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1153,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1154,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
 fs_unmount_all_fs(virtd_lxc_t)
 fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -111968,7 +111974,7 @@ index f03dcf5..27c7cb7 100644
 selinux_get_enforce_mode(virtd_lxc_t)
 selinux_get_fs_mount(virtd_lxc_t)
 selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1178,343 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1179,343 @@ selinux_compute_create_context(virtd_lxc_t)
 selinux_compute_relabel_context(virtd_lxc_t)
 selinux_compute_user_contexts(virtd_lxc_t)
@@ -112453,7 +112459,7 @@ index f03dcf5..27c7cb7 100644
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1527,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t)
 dev_read_rand(virt_qmf_t)
 dev_read_urand(virt_qmf_t)
@@ -112468,7 +112474,7 @@ index f03dcf5..27c7cb7 100644
 sysnet_read_config(virt_qmf_t)
 optional_policy(`
-@@ -1192,9 +1545,8 @@ optional_policy(`
+@@ -1192,9 +1546,8 @@ optional_policy(`
 ########################################
 #
@@ -112479,7 +112485,7 @@ index f03dcf5..27c7cb7 100644
 allow virt_bridgehelper_t self:process { setcap getcap };
 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
 allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1205,7 +1557,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+@@ -1205,7 +1558,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
 kernel_read_network_state(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 92d43b0..30af6c3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 162%{?dist}
+Release: 163%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,10 @@ exit 0
 %endif
 %changelog
+* Wed Dec 09 2015 Lukas Vrabec 3.13.1-163
+- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t.
+- Add ipsec_read_pid() interface
+
 * Mon Dec 07 2015 Miroslav Grepl 3.13.1-162
 - Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739)
 - Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)
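Review bot: The 3.13.1-163 changelog entry records only the two ipsec changes, but this commit also adds `netlink_netfilter_socket` for arpwatch_t, `netlink_generic_socket` for openvswitch_t, `samba_manage_var_dirs(sambagui_t)`, and sock_file handling for svirt_tmp_t in virt.te; each of those should get its own changelog line, with a bug reference where one exists as the -162 lines have, so the rebuilt policy stays traceable to the rules it changes.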