diff --git a/container-selinux.tgz b/container-selinux.tgz index b4f108a..05c2141 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index e4bcf7d..0bcf164 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -17942,7 +17942,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..ca45838 100644 +index 8416beb..b38387e 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18441,7 +18441,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -1878,95 +2122,169 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',` ## ## # @@ -18547,6 +18547,7 @@ index 8416beb..ca45838 100644 -# -interface(`fs_exec_fusefs_files',` - gen_require(` +- type fusefs_t; +## +##

+## Execute a file on a FUSE filesystem @@ -18580,86 +18581,34 @@ index 8416beb..ca45838 100644 +interface(`fs_ecryptfs_domtrans',` + gen_require(` + type ecryptfs_t; -+ ') -+ -+ allow $1 ecryptfs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, ecryptfs_t, $2) -+') -+ -+######################################## -+##

-+## Mount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mount_fusefs',` -+ gen_require(` - type fusefs_t; ') - exec_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:filesystem mount; ++ allow $1 ecryptfs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, ecryptfs_t, $2) ') ######################################## ## -## Create, read, write, and delete files -+## Unmount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_unmount_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:filesystem unmount; -+') -+ -+######################################## -+## -+## Mounton a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir mounton; -+') -+ -+######################################## -+## -+## Search directories - ## on a FUSEFS filesystem. +-## on a FUSEFS filesystem. ++## Mount a FUSE filesystem. ## ## -@@ -1976,19 +2294,18 @@ interface(`fs_exec_fusefs_files',` + ## + ## Domain allowed access. + ## ## - ## +-## # -interface(`fs_manage_fusefs_files',` -+interface(`fs_search_fusefs',` ++interface(`fs_mount_fusefs',` gen_require(` type fusefs_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:dir search_dir_perms; ++ allow $1 fusefs_t:filesystem mount; ') ######################################## 
@@ -18667,79 +18616,96 @@ index 8416beb..ca45838 100644 -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. ++## Unmount a FUSE filesystem. ## ## ## -@@ -1996,217 +2313,274 @@ interface(`fs_manage_fusefs_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_dontaudit_list_fusefs',` ++interface(`fs_unmount_fusefs',` gen_require(` type fusefs_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ dontaudit $1 fusefs_t:dir list_dir_perms; ++ allow $1 fusefs_t:filesystem unmount; ') ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Create, read, write, and delete directories -+## on a FUSEFS filesystem. ++## Mounton a FUSEFS filesystem. ## ## ## - ## Domain allowed access. +@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## -+## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_manage_fusefs_dirs',` ++interface(`fs_mounton_fusefs',` gen_require(` type fusefs_t; ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:dir manage_dir_perms; ++ allow $1 fusefs_t:dir mounton; ') ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Do not audit attempts to create, read, -+## write, and delete directories ++## Search directories +## on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. 
## ## ++## # -interface(`fs_getattr_hugetlbfs',` -+interface(`fs_dontaudit_manage_fusefs_dirs',` ++interface(`fs_search_fusefs',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:filesystem getattr; -+ dontaudit $1 fusefs_t:dir manage_dir_perms; ++ allow $1 fusefs_t:dir search_dir_perms; ') ######################################## ## -## List hugetlbfs. -+## Read, a FUSEFS filesystem. ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_list_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete directories ++## on a FUSEFS filesystem. ## ## ## @@ -18749,20 +18715,40 @@ index 8416beb..ca45838 100644 +## # -interface(`fs_list_hugetlbfs',` -+interface(`fs_read_fusefs_files',` ++interface(`fs_manage_fusefs_dirs',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; -+ read_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## -## Manage hugetlbfs dirs. -+## Execute files on a FUSEFS filesystem. ++## Do not audit attempts to create, read, ++## write, and delete directories ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_manage_fusefs_dirs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ++## Read, a FUSEFS filesystem. ## ## ## 
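Review bot: The summary line `## Read, a FUSEFS filesystem.` that this hunk moves along with `fs_read_fusefs_files` is not a sentence and does not say what is read. Since the body is `read_files_pattern($1, fusefs_t, fusefs_t)`, the summary should read `## Read files on a FUSEFS filesystem.`. The same clean-up applies to the `fs_fusefs_entrypoint` header moved in the later hunk at -18821, where `progams` should be `programs`. Interface summaries are what policy authors read when deciding which access to grant, so they should name the object class precisely.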
@@ -18772,38 +18758,37 @@ index 8416beb..ca45838 100644 +## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_exec_fusefs_files',` ++interface(`fs_read_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ exec_files_pattern($1, fusefs_t, fusefs_t) ++ read_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Read and write hugetlbfs files. -+## Make general progams in FUSEFS an entrypoint for -+## the specified domain. ++## Execute files on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## The domain for which fusefs_t is an entrypoint. + ## Domain allowed access. ## ## ++## # -interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_fusefs_entry_type',` ++interface(`fs_exec_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ domain_entry_file($1, fusefs_t) ++ exec_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## 
@@ -18821,94 +18806,93 @@ index 8416beb..ca45838 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_fusefs_entrypoint',` ++interface(`fs_fusefs_entry_type',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:filesystem associate; -+ allow $1 fusefs_t:file entrypoint; ++ domain_entry_file($1, fusefs_t) ') ######################################## ## -## Search inotifyfs filesystem. -+## Create, read, write, and delete files -+## on a FUSEFS filesystem. ++## Make general progams in FUSEFS an entrypoint for ++## the specified domain. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## The domain for which fusefs_t is an entrypoint. ## ## -+## # -interface(`fs_search_inotifyfs',` -+interface(`fs_manage_fusefs_files',` ++interface(`fs_fusefs_entrypoint',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ manage_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:file entrypoint; ') ######################################## ## -## List inotifyfs filesystem. -+## Do not audit attempts to create, -+## read, write, and delete files ++## Create, read, write, and delete files +## on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## ++## # -interface(`fs_list_inotifyfs',` -+interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_manage_fusefs_files',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ dontaudit $1 fusefs_t:file manage_file_perms; ++ manage_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Read symbolic links on a FUSEFS filesystem. ++## Do not audit attempts to create, ++## read, write, and delete files ++## on a FUSEFS filesystem. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',` ## ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_read_fusefs_symlinks',` ++interface(`fs_dontaudit_manage_fusefs_files',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ dontaudit $1 fusefs_t:file manage_file_perms; ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Manage symbolic links on a FUSEFS filesystem. ++## Read symbolic links on a FUSEFS filesystem. ## ## ## @@ -18917,6 +18901,27 @@ index 8416beb..ca45838 100644 ## -## +# ++interface(`fs_read_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## + ## +-## The type of the object to be created. ++## Domain allowed access. + ## + ## +-## ++# +interface(`fs_manage_fusefs_symlinks',` + gen_require(` + type fusefs_t; 
@@ -18951,84 +18956,93 @@ index 8416beb..ca45838 100644 +## +## ## --## The type of the object to be created. +-## The object class of the object being created. +## Domain allowed to transition. ## ## --## +-## +## ## --## The object class of the object being created. +-## The name of the object being created. +## The type of the new process. ## ## --## -+# + # +-interface(`fs_hugetlbfs_filetrans',` +interface(`fs_fusefs_domtrans',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + allow $1 fusefs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, fusefs_t, $2) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. +## Get the attributes of a FUSEFS filesystem. -+## -+## + ## + ## ## --## The name of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## +## # --interface(`fs_hugetlbfs_filetrans',` +-interface(`fs_mount_iso9660_fs',` +interface(`fs_getattr_fusefs',` gen_require(` -- type hugetlbfs_t; +- type iso9660_t; + type fusefs_t; ') -- allow $2 hugetlbfs_t:filesystem associate; -- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) +- allow $1 iso9660_t:filesystem mount; + allow $1 fusefs_t:filesystem getattr; ') ######################################## ## --## Mount an iso9660 filesystem, which --## is usually used on CDs. +-## Remount an iso9660 filesystem, which +-## is usually used on CDs. This allows +-## some mount options to be changed. +## Get the attributes of an hugetlbfs +## filesystem. 
## ## ## -@@ -2214,19 +2588,681 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',` ## ## # --interface(`fs_mount_iso9660_fs',` +-interface(`fs_remount_iso9660_fs',` +interface(`fs_getattr_hugetlbfs',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type hugetlbfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem remount; + allow $1 hugetlbfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unmount an iso9660 filesystem, which +-## is usually used on CDs. +## List hugetlbfs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2253,38 +2606,725 @@ interface(`fs_remount_iso9660_fs',` + ## + ## + # +-interface(`fs_unmount_iso9660_fs',` +interface(`fs_list_hugetlbfs',` + gen_require(` + type hugetlbfs_t; 
@@ -19672,58 +19686,47 @@ index 8416beb..ca45838 100644 +## +# +interface(`fs_read_kdbus_files',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type cgroup_t; + - ') - -- allow $1 iso9660_t:filesystem mount; ++ ') ++ + read_files_pattern($1, kdbusfs_t, kdbusfs_t) + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Remount an iso9660 filesystem, which --## is usually used on CDs. This allows --## some mount options to be changed. ++') ++ ++######################################## ++## +## Write kdbusfs files. - ## - ## - ## -@@ -2234,18 +3270,19 @@ interface(`fs_mount_iso9660_fs',` - ## - ## - # --interface(`fs_remount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_write_kdbus_files', ` - gen_require(` -- type iso9660_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 iso9660_t:filesystem remount; ++ ') ++ + write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Unmount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## Read and write kdbusfs files. - ## - ## - ## -@@ -2253,38 +3290,41 @@ interface(`fs_remount_iso9660_fs',` - ## - ## - # --interface(`fs_unmount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; @@ -20111,7 +20114,7 @@ index 8416beb..ca45838 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +4470,107 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +4470,126 @@ interface(`fs_list_nfsd_fs',` ## ## # 
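Review bot: `fs_read_kdbus_files` declares `type cgroup_t;` in its `gen_require` block, but every rule in its body names `kdbusfs_t`, so the type the interface actually uses is never required. The sibling `fs_write_kdbus_files` in the same hunk requires `type kdbusfs_t;`, and the read interface should do the same, replacing the `cgroup_t` line and the empty line after it with `type kdbusfs_t;`. This commit carries the line over unchanged, so the slip predates it. A loadable module calling the interface would presumably fail to resolve `kdbusfs_t` unless it happened to require the type itself.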
@@ -20170,6 +20173,25 @@ index 8416beb..ca45838 100644 +## +## +# ++interface(`fs_dontaudit_getattr_nsfs_files',` ++ gen_require(` ++ type nsfs_t; ++ ') ++ ++ dontaudit $1 nsfs_t:file getattr; ++') ++ ++ ++######################################## ++## ++## Getattr files on an nsfs filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_nsfs_files',` + gen_require(` + type nsfs_t; @@ -20223,7 +20245,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3273,12 +4578,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4597,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -20238,7 +20260,7 @@ index 8416beb..ca45838 100644 ') ######################################## -@@ -3301,6 +4606,24 @@ interface(`fs_associate_ramfs',` +@@ -3301,6 +4625,24 @@ interface(`fs_associate_ramfs',` ######################################## ## @@ -20263,7 +20285,7 @@ index 8416beb..ca45838 100644 ## Mount a RAM filesystem. ## ## -@@ -3392,7 +4715,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4734,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20272,7 +20294,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3429,7 +4752,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4771,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20281,7 +20303,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3447,7 +4770,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4789,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20290,7 +20312,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3779,6 +5102,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5121,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## 
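Review bot: `fs_dontaudit_getattr_nsfs_files` is inserted between an existing comment header and `fs_getattr_nsfs_files`, so it appears to inherit the header written for the allow interface, while the newly added header ("Getattr files on an nsfs filesystem", "Domain allowed access.") lands on the allow interface. The inherited header text lies outside the hunk, so this is inferred from the three context lines `+##`, `+##`, `+#`. If that is the case, the dontaudit interface should get its own summary, `## Do not audit attempts to getattr files on an nsfs filesystem.`, and the parameter text `## Domain to not audit.`, as the other dontaudit interfaces in this file have. The rule `dontaudit $1 nsfs_t:file getattr;` removes those denials from the audit log for every caller (`logrotate_t` in this commit), so the header is the only place a reader learns that visibility is being given up.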
@@ -20315,7 +20337,7 @@ index 8416beb..ca45838 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5156,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5175,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20340,7 +20362,7 @@ index 8416beb..ca45838 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5267,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5286,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20349,7 +20371,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3916,17 +5275,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5294,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20370,7 +20392,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3934,17 +5293,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5312,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20391,7 +20413,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3952,17 +5311,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5330,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20431,7 +20453,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -3970,31 +5348,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5367,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20487,7 +20509,7 @@ index 8416beb..ca45838 100644 ') ######################################## -@@ -4057,23 +5452,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5471,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20664,7 +20686,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4081,18 +5623,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5642,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20687,7 +20709,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4100,54 +5642,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5661,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # 
@@ -20754,7 +20776,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4155,17 +5696,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5715,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -20776,7 +20798,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4173,17 +5715,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5734,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -20798,7 +20820,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4191,37 +5734,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5753,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -20844,7 +20866,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4229,18 +5771,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5790,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -20866,7 +20888,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4248,18 +5790,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5809,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -20890,7 +20912,7 @@ index 8416beb..ca45838 100644 ## ## ## -@@ -4267,32 +5810,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5829,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -20929,7 +20951,7 @@ index 8416beb..ca45838 100644 ') ######################################## -@@ -4407,6 +5949,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5968,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20955,7 +20977,7 @@ index 8416beb..ca45838 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6064,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6083,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20964,7 +20986,7 @@ index 8416beb..ca45838 100644 ') ######################################## -@@ -4549,7 +6112,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6131,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20973,7 +20995,7 @@ index 8416beb..ca45838 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6159,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6178,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21000,7 +21022,7 @@ index 8416beb..ca45838 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6254,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6273,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21026,7 +21048,7 @@ index 8416beb..ca45838 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6514,173 @@ interface(`fs_unconfined',` +@@ -4912,3 +6533,175 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -21065,10 +21087,12 @@ index 8416beb..ca45838 100644 +interface(`fs_tmpfs_filetrans_named_content',` + gen_require(` + type cgroup_t; ++ type devlog_t; + ') + + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu") + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") ++ fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log") +') + +####################################### @@ -41504,7 +41528,7 @@ index 4e94884..31be8ac 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..6810e0b 100644 +index 59b04c1..2be561d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) 
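Review bot: In the hunk at -21065, `fs_tmpfs_filetrans_named_content` gains `type devlog_t;` and `fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log")`, which makes an interface in the kernel-layer `filesystem.if` depend on a type that, judging by its use in `logging.te` further down, belongs to the system-layer logging module. Every existing caller of this interface also gains the ability to create a `devlog_t`-labelled symlink named `log` on tmpfs, whether or not it has anything to do with logging. The transition would be safer in an interface owned by the logging module, called only from the domains that create that link and wrapped in `optional_policy` where logging may be absent. At minimum, add a comment above the new line stating which symlink this covers and which domain creates it. The interface's callers are outside the hunk, so how far the grant spreads cannot be checked from here.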
@@ -41739,13 +41763,14 @@ index 59b04c1..6810e0b 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +417,12 @@ optional_policy(` +@@ -355,13 +417,13 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; +allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; ++dontaudit syslogd_t self:cap_userns sys_ptrace; +allow syslogd_t self:capability2 { syslog block_suspend }; # setpgid for metalog # setrlimit for syslog-ng @@ -41756,7 +41781,7 @@ index 59b04c1..6810e0b 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +430,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,11 +431,15 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -41773,7 +41798,7 @@ index 59b04c1..6810e0b 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +454,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +455,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) 
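Review bot: The added `dontaudit syslogd_t self:cap_userns sys_ptrace;` has no comment explaining what triggers the denial, unlike the neighbouring capability rules, which each carry a reason (`# sys_nice for rsyslog`, `# setpgid for metalog`). A dontaudit rule removes the AVC record entirely, so once this lands, a syslog daemon attempting ptrace-class access across a user namespace leaves no trace in the audit log. Put a one-line comment above the rule naming the code path that produces the denial and why it is harmless, in the form `# <caller> probes <object> in user namespaces; denial is expected`, filled in from the original AVC. The `allow ... self:capability { sys_ptrace ... }` line just above is unchanged context, but it also repeats `setuid` and `setgid`, which could be tidied at the same time.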
@@ -41824,7 +41849,7 @@ index 59b04c1..6810e0b 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +504,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +505,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -41833,7 +41858,7 @@ index 59b04c1..6810e0b 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +516,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +517,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -41867,7 +41892,7 @@ index 59b04c1..6810e0b 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +555,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +556,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -41885,7 +41910,7 @@ index 59b04c1..6810e0b 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +577,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +578,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -41901,7 +41926,7 @@ index 59b04c1..6810e0b 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +609,7 @@ optional_policy(` +@@ -497,6 +610,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") 
@@ -41909,7 +41934,7 @@ index 59b04c1..6810e0b 100644 ') optional_policy(` -@@ -507,15 +620,44 @@ optional_policy(` +@@ -507,15 +621,44 @@ optional_policy(` ') optional_policy(` @@ -41954,7 +41979,7 @@ index 59b04c1..6810e0b 100644 ') optional_policy(` -@@ -526,3 +668,26 @@ optional_policy(` +@@ -526,3 +669,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -46841,7 +46866,7 @@ index 2cea692..e3cb4f2 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..518cf50 100644 +index a392fc4..b01eb22 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -47240,7 +47265,7 @@ index a392fc4..518cf50 100644 ') optional_policy(` -@@ -371,3 +497,13 @@ optional_policy(` +@@ -371,3 +497,17 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -47250,16 +47275,20 @@ index a392fc4..518cf50 100644 +') + +optional_policy(` ++ tlp_manage_pid_files(ifconfig_t) ++') ++ ++optional_policy(` + tunable_policy(`dhcpc_exec_iptables',` + iptables_domtrans(dhcpc_t) + ') +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..fc4c791 +index 0000000..a0ed66f --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,71 @@ +@@ -0,0 +1,72 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + 
@@ -47317,6 +47346,7 @@ index 0000000..fc4c791 +/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) +/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) +/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) ++/usr/lib/systemd/resolv.* -- gen_context(system_u:object_r:lib_t,s0) +/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) + +/var/run/.*nologin.* gen_context(system_u:object_r:systemd_logind_var_run_t,s0) diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 811c8b8..15c12d8 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -29049,7 +29049,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..ee152e2 100644 +index 98072a3..0235724 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -29077,7 +29077,7 @@ index 98072a3..ee152e2 100644 allow firewalld_t firewalld_var_log_t:file append_file_perms; allow firewalld_t firewalld_var_log_t:file create_file_perms; -@@ -48,8 +56,14 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) +@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) allow firewalld_t firewalld_tmp_t:file mmap_file_perms; @@ -29093,7 +29093,14 @@ index 98072a3..ee152e2 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,26 @@ dev_search_sysfs(firewalld_t) + kernel_rw_net_sysctls(firewalld_t) + ++files_list_kernel_modules(firewalld_t) ++ + corecmd_exec_bin(firewalld_t) + corecmd_exec_shell(firewalld_t) + +@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) 
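Review bot: The new file-context entry `/usr/lib/systemd/resolv.* -- gen_context(system_u:object_r:lib_t,s0)` in the hunk at -47317 uses an unescaped `.` followed by `*`, so it matches every regular file whose path begins with `/usr/lib/systemd/resolv`, including files in any subdirectory with that prefix, and labels them `lib_t`. If the intent is a single file, spell the name out with the dot escaped, as the other entries in this file do (`\.local`), for example `/usr/lib/systemd/resolv\.<name>`, with the real file name filled in. The entry is also placed between the `/var/lib/random-seed` and `/usr/var/lib/random-seed` lines; moving it next to the other `/usr/lib/systemd` entries would make it easier to see which spec wins for a given path.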
@@ -29114,20 +29121,20 @@ index 98072a3..ee152e2 100644 -seutil_exec_setfiles(firewalld_t) -seutil_read_file_contexts(firewalld_t) +logging_send_syslog_msg(firewalld_t) - --sysnet_read_config(firewalld_t) ++ +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) +sysnet_manage_config(firewalld_t) +sysnet_relabelfrom_net_conf(firewalld_t) +sysnet_relabelto_net_conf(firewalld_t) -+ + +-sysnet_read_config(firewalld_t) +userdom_dontaudit_create_admin_dir(firewalld_t) +userdom_dontaudit_manage_admin_dir(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -91,10 +111,15 @@ optional_policy(` +@@ -91,10 +113,15 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(firewalld_t) @@ -46284,7 +46291,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..d46c5e7 100644 +index be0ab84..6180bdb 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -46359,7 +46366,7 @@ index be0ab84..d46c5e7 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +71,52 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -46386,6 +46393,7 @@ index be0ab84..d46c5e7 100644 +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_all_fs(logrotate_t) +fs_list_inotifyfs(logrotate_t) ++fs_dontaudit_getattr_nsfs_files(logrotate_t) + +mls_file_read_all_levels(logrotate_t) +mls_file_write_all_levels(logrotate_t) 
@@ -46417,7 +46425,7 @@ index be0ab84..d46c5e7 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +134,56 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +135,56 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -46480,7 +46488,7 @@ index be0ab84..d46c5e7 100644 ') optional_policy(` -@@ -135,16 +198,17 @@ optional_policy(` +@@ -135,16 +199,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -46500,7 +46508,7 @@ index be0ab84..d46c5e7 100644 ') optional_policy(` -@@ -170,6 +234,11 @@ optional_policy(` +@@ -170,6 +235,11 @@ optional_policy(` ') optional_policy(` @@ -46512,7 +46520,7 @@ index be0ab84..d46c5e7 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +247,8 @@ optional_policy(` +@@ -178,7 +248,8 @@ optional_policy(` ') optional_policy(` @@ -46522,7 +46530,7 @@ index be0ab84..d46c5e7 100644 ') optional_policy(` -@@ -198,17 +268,18 @@ optional_policy(` +@@ -198,17 +269,18 @@ optional_policy(` ') optional_policy(` @@ -46544,7 +46552,7 @@ index be0ab84..d46c5e7 100644 ') optional_policy(` -@@ -216,6 +287,14 @@ optional_policy(` +@@ -216,6 +288,14 @@ optional_policy(` ') optional_policy(` @@ -46559,7 +46567,7 @@ index be0ab84..d46c5e7 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +307,50 @@ optional_policy(` +@@ -228,26 +308,50 @@ optional_policy(` ') optional_policy(` @@ -69146,10 +69154,10 @@ index 0000000..fa4cfaa Binary files /dev/null and b/pcp.pp differ diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..d6fdef6 +index 0000000..04a0b20 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,297 @@ +@@ -0,0 +1,299 @@ +policy_module(pcp, 1.0.0) + +######################################## 
@@ -69405,6 +69413,8 @@ index 0000000..d6fdef6 + +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto; + ++allow pcp_pmie_t pcp_pmcd_t:process signal; ++ +kernel_read_system_state(pcp_pmie_t) + +corecmd_exec_bin(pcp_pmie_t) @@ -87708,7 +87718,7 @@ index c8bdea2..8ad3e01 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..943fd8b 100644 +index 6cf79c4..4538e45 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -87747,7 +87757,7 @@ index 6cf79c4..943fd8b 100644 attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +73,284 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,288 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -87957,6 +87967,10 @@ index 6cf79c4..943fd8b 100644 +') + +optional_policy(` ++ fprintd_dbus_chat(cluster_t) ++') ++ ++optional_policy(` + ldap_systemctl(cluster_t) +') + @@ -88036,7 +88050,7 @@ index 6cf79c4..943fd8b 100644 ') ##################################### -@@ -79,13 +358,14 @@ optional_policy(` +@@ -79,13 +362,14 @@ optional_policy(` # dlm_controld local policy # @@ -88053,7 +88067,7 @@ index 6cf79c4..943fd8b 100644 kernel_rw_net_sysctls(dlm_controld_t) corecmd_exec_bin(dlm_controld_t) -@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +382,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -88087,7 +88101,7 @@ index 6cf79c4..943fd8b 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +416,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) 
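Review bot: The new `allow pcp_pmie_t pcp_pmcd_t:process signal;` carries no comment, and the `signal` permission covers every signal other than SIGKILL, SIGSTOP, SIGCHLD and the null signal, so a reader cannot tell which one pmie is expected to send. A one-line comment above the rule, for example `# pmie signals pmcd, BZ(1398078)`, would record the intent. If pmie only checks that pmcd is alive, `signull` would be the narrower grant; that is worth checking against the bug, since the denial itself is not shown here.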
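Review bot: `fprintd_dbus_chat(cluster_t)` in the new optional_policy block of rhcs.te lets the cluster domain exchange D-Bus messages with the fingerprint daemon, and neither a comment here nor the 3.13.1-225 changelog in selinux-policy.spec explains why. If the access comes from a PAM stack run inside cluster_t (an assumption; the page does not show the denial), say so in a comment such as `# pam_fprintd is reached when cluster agents run PAM-aware tools` and add a changelog line with the bug reference. Without that record the grant is hard to audit or to remove later.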
@@ -88099,7 +88113,7 @@ index 6cf79c4..943fd8b 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +437,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) @@ -88108,7 +88122,7 @@ index 6cf79c4..943fd8b 100644 corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +443,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +447,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -88120,7 +88134,7 @@ index 6cf79c4..943fd8b 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +454,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +458,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -88129,7 +88143,7 @@ index 6cf79c4..943fd8b 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +476,8 @@ optional_policy(` +@@ -182,7 +480,8 @@ optional_policy(` ') optional_policy(` @@ -88139,7 +88153,7 @@ index 6cf79c4..943fd8b 100644 ') optional_policy(` -@@ -190,12 +485,17 @@ optional_policy(` +@@ -190,12 +489,17 @@ optional_policy(` ') optional_policy(` @@ -88158,7 +88172,7 @@ index 6cf79c4..943fd8b 100644 ') optional_policy(` -@@ -203,6 +503,21 @@ optional_policy(` +@@ -203,6 +507,21 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -88180,7 +88194,7 @@ index 6cf79c4..943fd8b 100644 ####################################### # # foghorn local policy -@@ -221,16 +536,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +540,22 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) 
@@ -88205,7 +88219,7 @@ index 6cf79c4..943fd8b 100644 snmp_stream_connect(foghorn_t) ') -@@ -247,16 +568,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ +@@ -247,16 +572,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -88227,7 +88241,7 @@ index 6cf79c4..943fd8b 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +600,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +604,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -88287,7 +88301,7 @@ index 6cf79c4..943fd8b 100644 ###################################### # # qdiskd local policy -@@ -292,7 +664,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +668,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) @@ -88295,7 +88309,7 @@ index 6cf79c4..943fd8b 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +692,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +696,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -90445,7 +90459,7 @@ index ccb5991..fa10c5a 100644 optional_policy(` diff --git a/rpc.fc b/rpc.fc -index a6fb30c..3148280 100644 +index a6fb30c..97ef313 100644 --- a/rpc.fc +++ b/rpc.fc @@ -1,12 +1,25 @@ 
@@ -90480,7 +90494,7 @@ index a6fb30c..3148280 100644 /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -@@ -16,7 +29,12 @@ +@@ -16,7 +29,13 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) @@ -90494,6 +90508,7 @@ index a6fb30c..3148280 100644 /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) -/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) ++/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0) + diff --git a/rpc.if b/rpc.if index 0bf13c2..ed393a0 100644 @@ -90956,7 +90971,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..23bddad 100644 +index 2da9fca..6935f5c 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -90999,10 +91014,13 @@ index 2da9fca..23bddad 100644 attribute rpc_domain; -@@ -39,21 +44,23 @@ files_tmp_file(gssd_tmp_t) +@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) ++type rpcd_lock_t; ++files_lock_file(rpcd_lock_t) ++ +# rpcd_t is the domain of rpc daemons. +# rpc_exec_t is the type of rpc daemon programs. rpc_domain_template(rpcd) @@ -91028,7 +91046,7 @@ index 2da9fca..23bddad 100644 type var_lib_nfs_t; files_mountpoint(var_lib_nfs_t) -@@ -71,7 +78,6 @@ allow rpc_domain self:tcp_socket { accept listen }; +@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen }; manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) 
@@ -91036,7 +91054,7 @@ index 2da9fca..23bddad 100644 kernel_read_kernel_sysctls(rpc_domain) kernel_rw_rpc_sysctls(rpc_domain) -@@ -79,8 +85,6 @@ dev_read_sysfs(rpc_domain) +@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain) dev_read_urand(rpc_domain) dev_read_rand(rpc_domain) @@ -91045,7 +91063,7 @@ index 2da9fca..23bddad 100644 corenet_tcp_sendrecv_generic_if(rpc_domain) corenet_udp_sendrecv_generic_if(rpc_domain) corenet_tcp_sendrecv_generic_node(rpc_domain) -@@ -108,41 +112,45 @@ files_read_etc_runtime_files(rpc_domain) +@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain) files_read_usr_files(rpc_domain) files_list_home(rpc_domain) @@ -91089,6 +91107,9 @@ index 2da9fca..23bddad 100644 +read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t) + ++allow rpcd_t rpcd_lock_t:file manage_file_perms; ++files_lock_filetrans(rpcd_t, rpcd_lock_t, file) ++ +# rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) @@ -91099,7 +91120,7 @@ index 2da9fca..23bddad 100644 kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) -@@ -163,13 +171,21 @@ fs_getattr_all_fs(rpcd_t) +@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) @@ -91123,7 +91144,7 @@ index 2da9fca..23bddad 100644 ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) -@@ -181,19 +197,27 @@ optional_policy(` +@@ -181,19 +203,27 @@ optional_policy(` ') optional_policy(` @@ -91154,7 +91175,7 @@ index 2da9fca..23bddad 100644 ') ######################################## -@@ -202,41 +226,61 @@ optional_policy(` +@@ -202,41 +232,61 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91225,7 +91246,7 @@ index 2da9fca..23bddad 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) 
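Review bot: `files_lock_filetrans(rpcd_t, rpcd_lock_t, file)` only applies to files created in lock directories, while the rpc.fc hunk earlier in this diff places the file at `/var/run/rpc\.statd\.lock`, directly in the pid directory. If rpc.statd creates the file there, it will presumably get the directory's default type, or rpcd_var_run_t if a pid transition for rpcd_t exists outside this hunk, until something runs restorecon. The new `allow rpcd_t rpcd_lock_t:file manage_file_perms;` rule would then never match the live file. A named transition would make the runtime label agree with the file context: `files_pid_filetrans(rpcd_t, rpcd_lock_t, file, "rpc.statd.lock")`. The rest of the rpcd_t policy lies outside the hunk, so confirm that no such transition is already present.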
@@ -91233,7 +91254,7 @@ index 2da9fca..23bddad 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -91248,7 +91269,7 @@ index 2da9fca..23bddad 100644 ') ######################################## -@@ -270,7 +313,7 @@ optional_policy(` +@@ -270,7 +319,7 @@ optional_policy(` # GSSD local policy # @@ -91257,7 +91278,7 @@ index 2da9fca..23bddad 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91265,7 +91286,7 @@ index 2da9fca..23bddad 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +332,31 @@ kernel_signal(gssd_t) +@@ -288,25 +338,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91300,7 +91321,7 @@ index 2da9fca..23bddad 100644 ') optional_policy(` -@@ -314,9 +364,12 @@ optional_policy(` +@@ -314,9 +370,12 @@ optional_policy(` ') optional_policy(` @@ -103017,7 +103038,7 @@ index 1499b0b..e695a62 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..d844f55 100644 +index cc58e35..963d86c 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -103724,7 +103745,7 @@ index cc58e35..d844f55 100644 ') optional_policy(` -@@ -463,9 +571,9 @@ optional_policy(` +@@ -463,9 +571,10 @@ optional_policy(` ') optional_policy(` 
@@ -103732,10 +103753,11 @@ index cc58e35..d844f55 100644 sendmail_stub(spamd_t) mta_read_config(spamd_t) - mta_send_mail(spamd_t) ++ mta_manage_spool(spamd_t) ') optional_policy(` -@@ -474,32 +582,32 @@ optional_policy(` +@@ -474,32 +583,32 @@ optional_policy(` ######################################## # @@ -103778,7 +103800,7 @@ index cc58e35..d844f55 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +616,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) 
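Review bot: `mta_manage_spool(spamd_t)` gives spamd create, write and delete access across the mail spool, which is more than the changelog entry "Allow spamd_t to manage /var/spool/mail. BZ(1398437)" shows it needs. spamd parses untrusted mail, so a compromise of spamd_t would then reach every mailbox in the spool. If the denial was only for writing into existing mailboxes, a narrower interface such as `mta_rw_spool(spamd_t)` should be tried first. The line also appears to sit in the optional_policy block that holds `sendmail_stub(spamd_t)`, so the access depends on the sendmail module being present, which may not be intended; the block starts outside this hunk.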
@@ -109009,6 +109031,267 @@ index 97cd155..49321a5 100644 files_search_tmp(timidity_t) fs_search_auto_mountpoints(timidity_t) +diff --git a/tlp.fc b/tlp.fc +new file mode 100644 +index 0000000..8b8cf4a +--- /dev/null ++++ b/tlp.fc +@@ -0,0 +1,5 @@ ++/usr/lib/systemd/system/((tlp-sleep.*)|(tlp.*)) -- gen_context(system_u:object_r:tlp_unit_file_t,s0) ++ ++/usr/sbin/tlp -- gen_context(system_u:object_r:tlp_exec_t,s0) ++ ++/var/run/tlp(/.*)? gen_context(system_u:object_r:tlp_var_run_t,s0) +diff --git a/tlp.if b/tlp.if +new file mode 100644 +index 0000000..46f12a4 +--- /dev/null ++++ b/tlp.if +@@ -0,0 +1,184 @@ ++ ++## policy for tlp ++ ++######################################## ++## ++## Execute tlp_exec_t in the tlp domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tlp_domtrans',` ++ gen_require(` ++ type tlp_t, tlp_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, tlp_exec_t, tlp_t) ++') ++ ++###################################### ++## ++## Execute tlp in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tlp_exec',` ++ gen_require(` ++ type tlp_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, tlp_exec_t) ++') ++ ++######################################## ++## ++## Search tlp conf directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tlp_search_conf',` ++ gen_require(` ++ type tlp_etc_rw_t; ++ ') ++ ++ allow $1 tlp_etc_rw_t:dir search_dir_perms; ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Read tlp conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tlp_read_conf_files',` ++ gen_require(` ++ type tlp_etc_rw_t; ++ ') ++ ++ allow $1 tlp_etc_rw_t:dir list_dir_perms; ++ read_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t) ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Manage tlp conf files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`tlp_manage_conf_files',` ++ gen_require(` ++ type tlp_etc_rw_t; ++ ') ++ ++ manage_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t) ++ files_search_etc($1) ++') ++ ++######################################## ++## ++## Execute tlp server in the tlp domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tlp_systemctl',` ++ gen_require(` ++ type tlp_t; ++ type tlp_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 tlp_unit_file_t:file read_file_perms; ++ allow $1 tlp_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, tlp_t) ++') ++ ++######################################## ++## ++## Read all dbus pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tlp_manage_pid_files',` ++ gen_require(` ++ type tlp_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, tlp_var_run_t, tlp_var_run_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an tlp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`tlp_admin',` ++ gen_require(` ++ type tlp_t; ++ type tlp_etc_rw_t; ++ type tlp_unit_file_t; ++ ') ++ ++ allow $1 tlp_t:process { signal_perms }; ++ ps_process_pattern($1, tlp_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 tlp_t:process ptrace; ++ ') ++ ++ files_search_etc($1) ++ admin_pattern($1, tlp_etc_rw_t) ++ ++ tlp_systemctl($1) ++ admin_pattern($1, tlp_unit_file_t) ++ allow $1 tlp_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/tlp.te b/tlp.te +new file mode 100644 +index 0000000..7c81c68 +--- /dev/null ++++ b/tlp.te +@@ -0,0 +1,54 @@ ++policy_module(tlp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type tlp_t; ++type tlp_exec_t; ++init_daemon_domain(tlp_t, tlp_exec_t) ++ ++type tlp_var_run_t; ++files_pid_file(tlp_var_run_t) ++ ++type tlp_unit_file_t; ++systemd_unit_file(tlp_unit_file_t) ++ ++######################################## ++# ++# tlp local policy ++# ++allow tlp_t self:capability { net_admin sys_rawio }; ++allow tlp_t self:unix_stream_socket create_stream_socket_perms; ++allow tlp_t self:udp_socket create_socket_perms; ++ ++manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) ++manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t) ++files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file }) ++ ++kernel_read_system_state(tlp_t) ++kernel_read_fs_sysctls(tlp_t) ++kernel_rw_fs_sysctls(tlp_t) ++kernel_rw_kernel_sysctl(tlp_t) ++kernel_rw_vm_sysctls(tlp_t) ++ ++auth_read_passwd(tlp_t) ++ ++corecmd_exec_bin(tlp_t) ++ ++dev_list_sysfs(tlp_t) ++dev_manage_sysfs(tlp_t) ++ ++files_read_kernel_modules(tlp_t) ++ ++modutils_exec_insmod(tlp_t) ++modutils_read_module_config(tlp_t) ++ ++storage_raw_read_fixed_disk(tlp_t) ++ ++sysnet_exec_ifconfig(tlp_t) ++ ++optional_policy(` ++ fstools_exec(tlp_t) ++') diff --git a/tmpreaper.te b/tmpreaper.te index 585a77f..a7cb326 100644 
--- a/tmpreaper.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 9ec3e31..4bbbd04 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 224%{?dist} +Release: 225%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,18 @@ exit 0 %endif %changelog +* Tue Nov 29 2016 Lukas Vrabec - 3.13.1-225 +- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) +- Allow pmie daemon to send signal pcmd daemon BZ(1398078) +- Allow spamd_t to manage /var/spool/mail. BZ(1398437) +- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254) +- Merge pull request #171 from t-woerner/rawhide-contrib +- Allow firewalld to getattr open search read modules_object_t:dir +- Allow systemd create /dev/log in own mount-namespace. BZ(1383867) +- Add interface fs_dontaudit_getattr_nsfs_files() +- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853) +- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187) + * Wed Nov 09 2016 Lukas Vrabec - 3.13.1-224 - Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373)
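Review bot: tlp.if requires `type tlp_etc_rw_t;` in `tlp_search_conf`, `tlp_read_conf_files`, `tlp_manage_conf_files` and `tlp_admin`, but tlp.te declares only tlp_t, tlp_exec_t, tlp_var_run_t and tlp_unit_file_t, so any caller of those interfaces fails its gen_require or has its optional block silently dropped. Either declare the type in tlp.te, `type tlp_etc_rw_t;` followed by `files_config_file(tlp_etc_rw_t)`, with a matching tlp.fc entry, or drop the references from tlp.if. `tlp_manage_pid_files` is summarised as "Read all dbus pid files" and grants only `read_files_pattern`, so its name, summary and body disagree; rename it or use `manage_files_pattern`. In tlp.te, `kernel_read_fs_sysctls` and `dev_list_sysfs` look redundant beside `kernel_rw_fs_sysctls` and `dev_manage_sysfs`. Together `sys_rawio`, `net_admin`, `dev_manage_sysfs` and `storage_raw_read_fixed_disk` are a wide grant for a daemon domain, so each deserves a comment naming the tlp feature that needs it. The new module is also not mentioned in the 3.13.1-225 changelog.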