diff --git a/policy/modules/contrib b/policy/modules/contrib index bbaade66e..f371df35b 160000 --- a/policy/modules/contrib +++ b/policy/modules/contrib @@ -1 +1 @@ -Subproject commit bbaade66e2b6ebad9fad744008a5390eac7a74d8 +Subproject commit f371df35b44f6ed874ce3ff8a57cb19df7ff0663 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 2b14f0834..bd36955cc 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,4 +1,4 @@ -policy_module(fstools, 1.20.5) +policy_module(fstools, 1.20.6) ######################################## # @@ -152,6 +152,8 @@ logging_send_syslog_msg(fsadm_t) miscfiles_read_localization(fsadm_t) +# for /run/mount/utab +mount_getattr_runtime_files(fsadm_t) # losetup: bind mount_loopback_t files to loop devices mount_rw_loopback_files(fsadm_t) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 370628006..25b0514c1 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -210,6 +210,24 @@ interface(`mount_rw_loopback_files',` allow $1 mount_loopback_t:file rw_file_perms; ') +######################################## +## +## Getattr on mount_var_run_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_getattr_runtime_files',` + gen_require(` + type mount_runtime_t; + ') + + allow $1 mount_runtime_t:file getattr; +') + ######################################## ## ## Read and write mount runtime files. diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index f58a62bc4..1f16a6693 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -1,4 +1,4 @@ -policy_module(mount, 1.19.4) +policy_module(mount, 1.19.5) ######################################## # diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 97318a65c..7224e867a 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
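Review bot: The new comment `# for /run/mount/utab` in the fstools.te hunk names the file but not which fsadm_t program stats it, or that getattr alone is the intended limit. That makes the rule harder to audit or retire later. A comment along the lines of `# <program - confirm> stats /run/mount/utab; getattr only, no read/write` would record the reason from the AVC denial that motivated it. If the denial was only ever seen in permissive mode or alongside other denials, it is also worth confirming that no further access to that file follows the stat.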
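Review bot: The summary of the new `mount_getattr_runtime_files` interface in mount.if says "Getattr on mount_var_run_t files", but both the `gen_require` and the allow rule use `mount_runtime_t`, so the documentation refers to a type name the interface does not touch. I would word it as `Get the attributes of mount runtime files.` to match the neighbouring "Read and write mount runtime files." interface. The rule could also use the permission-set macro, `allow $1 mount_runtime_t:file getattr_file_perms;`, rather than the bare `getattr`. Note that the interface grants nothing on the containing directory, so a caller presumably still needs search access from elsewhere to reach the file; if that is not guaranteed, `getattr_files_pattern($1, mount_runtime_t, mount_runtime_t)` would cover a directory labelled with the same type (confirm the label on /run/mount).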
@@ -1,4 +1,4 @@ -policy_module(selinuxutil, 1.22.7) +policy_module(selinuxutil, 1.22.8) gen_require(` bool secure_mode; @@ -665,6 +665,10 @@ ifdef(`hide_broken_symptoms',` ') ') +optional_policy(` + apt_use_fds(setfiles_t) +') + optional_policy(` hotplug_use_fds(setfiles_t) ')
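Review bot: The added `optional_policy` block with `apt_use_fds(setfiles_t)` in selinuxutil.te carries no comment saying why setfiles needs descriptors inherited from apt. Presumably setfiles/restorecon is run from package maintainer scripts and inherits apt's open fds, but that is not visible in the hunk. A one-line comment inside the block, e.g. `# setfiles started from package scripts inherits fds from apt`, would let a later reviewer judge whether the grant is still needed. The neighbouring hotplug block is equally bare, so this is about documenting the new rule rather than a deviation from local style.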