diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index d240c63..0022d00 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 47a5fea..0404fca 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -27111,10 +27111,10 @@ index 0000000..15b42ae
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..270e9a8
+index 0000000..a298e23
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,350 @@
+@@ -0,0 +1,354 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -27422,6 +27422,10 @@ index 0000000..270e9a8
+')
+
+optional_policy(`
++ ipa_run_helper(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+ oddjob_run(unconfined_t, unconfined_r)
+')
@@ -35568,7 +35572,7 @@ index bc0ffc8..37b8ea5 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..9926eaf 100644
+index 79a45f6..d092e6e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -36611,7 +36615,7 @@ index 79a45f6..9926eaf 100644
')
########################################
-@@ -1806,37 +2294,690 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,37 +2294,708 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -37039,6 +37043,24 @@ index 79a45f6..9926eaf 100644
+
+########################################
+##
++## Stop system from init
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_stop',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:system stop;
++')
++
++########################################
++##
+## Start system from init
+##
+##
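Review bot: The summary on the new `init_stop` interface, "Stop system from init", does not say what `allow $1 init_t:system stop;` actually permits, so a caller cannot tell it apart from `init_halt` or `init_reboot`. Its only caller in this change, `init_stop(systemd_logind_t)` in the systemd.te hunk, already holds both of those, so the header should state which operation needs `stop` on top of them. Presumably this is a stop request to the init manager; if so, something like `## Allow the specified domain to request a stop from the init system manager.` would do. The changelog entry "Allow systemd_logind stop system init_t" has no bug or AVC reference, which makes the grant hard to re-evaluate later.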
@@ -41815,7 +41837,7 @@ index 59b04c1..6810e0b 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 6b91740..7c98978 100644
+index 6b91740..7724116 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
@@ -41936,7 +41958,7 @@ index 6b91740..7c98978 100644
#
# /var
-@@ -98,5 +174,9 @@ ifdef(`distro_gentoo',`
+@@ -98,5 +174,11 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -41946,6 +41968,8 @@ index 6b91740..7c98978 100644
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
++
++/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..9e86fce 100644
--- a/policy/modules/system/lvm.if
@@ -48905,10 +48929,10 @@ index 0000000..16cd1ac
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..ceca7a3
+index 0000000..e77911b
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,964 @@
+@@ -0,0 +1,965 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -49137,6 +49161,7 @@ index 0000000..ceca7a3
+
+init_status(systemd_logind_t)
+init_start(systemd_logind_t)
++init_stop(systemd_logind_t)
+init_signal(systemd_logind_t)
+init_reboot(systemd_logind_t)
+init_halt(systemd_logind_t)
@@ -51288,7 +51313,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..420907f 100644
+index 9dc60c6..beadc1e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -54590,7 +54615,7 @@ index 9dc60c6..420907f 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4628,1781 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4628,1799 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -54782,6 +54807,24 @@ index 9dc60c6..420907f 100644
+
+########################################
+##
++## dontaudit create dirs /root
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_create_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:dir create_dir_perms;
++')
++
++########################################
++##
+## RW unpriviledged user SysV sempaphores.
+##
+##
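Review bot: `userdom_dontaudit_create_admin_dir` hides a denial rather than resolving it, and its summary "dontaudit create dirs /root" does not say so; I would write `## Do not audit attempts to create directories in the admin home directory (/root).`. The rule `dontaudit $1 admin_home_t:dir create_dir_perms;` keeps the access denied but drops the AVC record, so the caller added in the firewalld.te hunk, `userdom_dontaudit_create_admin_dir(firewalld_t)`, will leave no audit trail for this permission set whatever the reason for the attempt. A comment at that call site naming BZ(1340611) and what firewalld tries to create would let the rule be removed once the underlying behaviour is fixed. When the denials need to be seen again, `semodule -DB` rebuilds the policy with dontaudit rules disabled.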
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 40b3d80..12515db 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -16971,7 +16971,7 @@ index bd18063..47c8fd0 100644
optional_policy(`
policykit_domtrans_auth(consolekit_t)
diff --git a/corosync.fc b/corosync.fc
-index da39f0f..6a96733 100644
+index da39f0f..b26d3e0 100644
--- a/corosync.fc
+++ b/corosync.fc
@@ -1,5 +1,7 @@
@@ -16982,6 +16982,12 @@ index da39f0f..6a96733 100644
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+@@ -10,3 +12,5 @@
+ /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+ /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+ /var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
++/var/run/corosync-qdevice(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
++/var/run/corosync-qnetd(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/corosync.if b/corosync.if
index 694a037..d859681 100644
--- a/corosync.if
@@ -20797,7 +20803,7 @@ index 3023be7..4f0fe46 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
-index c91813c..8aececf 100644
+index c91813c..71b61c4 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -21199,7 +21205,11 @@ index c91813c..8aececf 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -370,20 +434,19 @@ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+@@ -367,23 +431,23 @@ manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
+ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+
+ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
++allow cupsd_config_t cupsd_var_run_t:sock_file read_file_perms;
manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
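Review bot: The added `allow cupsd_config_t cupsd_var_run_t:sock_file read_file_perms;` applies a permission set written for the `file` class to `sock_file`. The policy has a class-specific set, so `allow cupsd_config_t cupsd_var_run_t:sock_file read_sock_file_perms;` states the intent and grants no more than reading the socket node needs. The 3.13.1-208 changelog entry for the same bug, BZ(1361299), already mentions managing sock_files for this domain, so it is worth checking whether the two rules overlap.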
@@ -21223,7 +21233,7 @@ index c91813c..8aececf 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -392,20 +455,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +456,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -21244,7 +21254,7 @@ index c91813c..8aececf 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -417,11 +472,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +473,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -21256,7 +21266,7 @@ index c91813c..8aececf 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -449,9 +499,12 @@ optional_policy(`
+@@ -449,9 +500,12 @@ optional_policy(`
')
optional_policy(`
@@ -21270,7 +21280,7 @@ index c91813c..8aececf 100644
')
optional_policy(`
-@@ -467,6 +520,10 @@ optional_policy(`
+@@ -467,6 +521,10 @@ optional_policy(`
')
optional_policy(`
@@ -21281,7 +21291,7 @@ index c91813c..8aececf 100644
rpm_read_db(cupsd_config_t)
')
-@@ -487,10 +544,6 @@ optional_policy(`
+@@ -487,10 +545,6 @@ optional_policy(`
# Lpd local policy
#
@@ -21292,7 +21302,7 @@ index c91813c..8aececf 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -508,15 +561,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +562,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -21310,7 +21320,7 @@ index c91813c..8aececf 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
-@@ -537,9 +590,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -537,9 +591,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -21320,7 +21330,7 @@ index c91813c..8aececf 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -550,7 +600,6 @@ optional_policy(`
+@@ -550,7 +601,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -21328,7 +21338,7 @@ index c91813c..8aececf 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -566,148 +615,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +616,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -21480,7 +21490,7 @@ index c91813c..8aececf 100644
########################################
#
-@@ -735,7 +659,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +660,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -21488,7 +21498,7 @@ index c91813c..8aececf 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -745,13 +668,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +669,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -21502,7 +21512,7 @@ index c91813c..8aececf 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -759,8 +680,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +681,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -21511,7 +21521,7 @@ index c91813c..8aececf 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -773,3 +692,4 @@ optional_policy(`
+@@ -773,3 +693,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@@ -28863,7 +28873,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index 98072a3..9670e41 100644
+index 98072a3..e42654a 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -28907,7 +28917,7 @@ index 98072a3..9670e41 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-@@ -63,20 +77,23 @@ dev_search_sysfs(firewalld_t)
+@@ -63,20 +77,25 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@@ -28935,10 +28945,12 @@ index 98072a3..9670e41 100644
+sysnet_manage_config(firewalld_t)
+sysnet_relabelfrom_net_conf(firewalld_t)
+sysnet_relabelto_net_conf(firewalld_t)
++
++userdom_dontaudit_create_admin_dir(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -95,6 +112,10 @@ optional_policy(`
+@@ -95,6 +114,10 @@ optional_policy(`
')
optional_policy(`
@@ -29267,7 +29279,7 @@ index 5010f04..3b73741 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index 92a6479..59a65a4 100644
+index 92a6479..f064c94 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t)
@@ -29303,7 +29315,7 @@ index 92a6479..59a65a4 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +58,17 @@ optional_policy(`
+@@ -54,8 +58,21 @@ optional_policy(`
')
')
@@ -29316,6 +29328,10 @@ index 92a6479..59a65a4 100644
+')
+
+optional_policy(`
++ rhcs_dbus_chat_cluster(fprintd_t)
++')
++
++optional_policy(`
+ udev_read_db(fprintd_t)
+')
+
@@ -46858,7 +46874,7 @@ index d314333..27ede09 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
-index 4ec0eea..693d9ae 100644
+index 4ec0eea..1400ca8 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -46900,7 +46916,7 @@ index 4ec0eea..693d9ae 100644
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-@@ -26,4 +44,71 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,72 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
@@ -46969,6 +46985,7 @@ index 4ec0eea..693d9ae 100644
+sysnet_read_config(lsmd_plugin_t)
+
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
++storage_create_fixed_disk_dev(lsmd_plugin_t)
+storage_read_scsi_generic(lsmd_plugin_t)
+storage_write_scsi_generic(lsmd_plugin_t)
+storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
@@ -64243,10 +64260,10 @@ index 0000000..eac3932
+')
diff --git a/opendnssec.te b/opendnssec.te
new file mode 100644
-index 0000000..83507cf
+index 0000000..e246d45
--- /dev/null
+++ b/opendnssec.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,68 @@
+policy_module(opendnssec, 1.0.0)
+
+########################################
@@ -64267,6 +64284,9 @@ index 0000000..83507cf
+type opendnssec_var_run_t;
+files_pid_file(opendnssec_var_run_t)
+
++type opendnssec_tmp_t;
++files_tmp_file(opendnssec_tmp_t)
++
+type opendnssec_unit_file_t;
+systemd_unit_file(opendnssec_unit_file_t)
+
@@ -64292,6 +64312,12 @@ index 0000000..83507cf
+manage_sock_files_pattern(opendnssec_t, opendnssec_var_run_t, opendnssec_var_run_t)
+files_pid_filetrans(opendnssec_t, opendnssec_var_run_t, { dir file lnk_file })
+
++manage_dirs_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
++manage_files_pattern(opendnssec_t, opendnssec_tmp_t, opendnssec_tmp_t)
++files_tmp_filetrans(opendnssec_t, opendnssec_tmp_t, { file dir })
++
++kernel_read_system_state(opendnssec_t)
++
+auth_use_nsswitch(opendnssec_t)
+
+corecmd_exec_bin(opendnssec_t)
@@ -97645,7 +97671,7 @@ index 0000000..7a058a8
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
-index 0000000..f6e5b0f
+index 0000000..95a5182
--- /dev/null
+++ b/sbd.te
@@ -0,0 +1,52 @@
@@ -97670,7 +97696,7 @@ index 0000000..f6e5b0f
+#
+# sbd local policy
+#
-+allow sbd_t self:capability { dac_override ipc_lock sys_nice };
++allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin};
+allow sbd_t self:process { fork setsched signal_perms };
+allow sbd_t self:fifo_file rw_fifo_file_perms;
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
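Review bot: `sys_admin` is added to `allow sbd_t self:capability { dac_override ipc_lock sys_nice sys_admin};` with no comment, and the changelog line "Add sys_admin capability to sbd domain" carries no bug reference. CAP_SYS_ADMIN covers a very wide set of privileged operations, so the policy should record which sbd operation was denied. A comment above the rule such as `# sys_admin: <denied operation, BZ placeholder>` would let the grant be narrowed or dropped later. The closing brace also lost its separating space; `sys_admin };` matches the neighbouring rules.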
@@ -110953,7 +110979,7 @@ index 31c752e..ef52235 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
-index 87da8a2..4ca0271 100644
+index 87da8a2..4be1fcb 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -110964,7 +110990,7 @@ index 87da8a2..4ca0271 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
-@@ -39,23 +40,28 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,23 +40,29 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
@@ -110985,6 +111011,7 @@ index 87da8a2..4ca0271 100644
-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
++systemd_dbus_chat_logind(vdagent_t)
-miscfiles_read_localization(vdagent_t)
+logging_send_syslog_msg(vdagent_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a7a4b7a..95fbdfc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 208%{?dist}
+Release: 209%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -648,6 +648,23 @@ exit 0
%endif
%changelog
+* Tue Aug 16 2016 Lukas Vrabec 3.13.1-209
+- Fix lsm SELinux module
+- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
+- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
+- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)
+- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
+- Add sys_admin capability to sbd domain
+- Allow vdagent to comunnicate with systemd-logind via dbus
+- Allow lsmd_plugin_t domain to create fixed_disk device.
+- Allow opendnssec domain to create and manage own tmp dirs/files
+- Allow opendnssec domain to read system state
+- Allow systemd_logind stop system init_t
+- Add interface init_stop()
+- Add interface userdom_dontaudit_create_admin_dir()
+- Label /var/run/storaged as lvm_var_run_t.
+- Allow unconfineduser to run ipa_helper_t.
+
* Fri Aug 12 2016 Lukas Vrabec 3.13.1-208
- Allow cups_config_t domain also mange sock_files. BZ(1361299)
- Add wake_alarm capability to fprintd domain BZ(1362430)