diff --git a/integrity/centos/build_srpm.data b/integrity/centos/build_srpm.data
index 16ebb10..d07dc14 100644
--- a/integrity/centos/build_srpm.data
+++ b/integrity/centos/build_srpm.data
@@ -1,5 +1,5 @@
 COPY_LIST=" \
   $FILES_BASE/* \
   $PATCHES_BASE/* \
-  $STX_BASE/downloads/integrity-kmod-668a8270.tar.gz"
+  $STX_BASE/downloads/integrity-kmod-e6aef069.tar.gz"
 TIS_PATCH_VER=5
diff --git a/integrity/centos/integrity-kmod.spec b/integrity/centos/integrity-kmod.spec
index eb3c739..c0e6ee4 100644
--- a/integrity/centos/integrity-kmod.spec
+++ b/integrity/centos/integrity-kmod.spec
@@ -22,7 +22,7 @@ ExclusiveArch: x86_64
 # Sources.
 # the integrity is available as a tarball, with
 # the git commit Id referenced in the name
-Source0:  %{kmod_name}-kmod-668a8270.tar.gz
+Source0:  %{kmod_name}-kmod-e6aef069.tar.gz
 Source1:  modules-load.conf
 Source2:  COPYING
 Source3:  README
diff --git a/integrity/centos/patches/0001-integrity-kcompat-support.patch b/integrity/centos/patches/0001-integrity-kcompat-support.patch
index 10cbfb4..ce82a96 100644
--- a/integrity/centos/patches/0001-integrity-kcompat-support.patch
+++ b/integrity/centos/patches/0001-integrity-kcompat-support.patch
@@ -497,7 +497,7 @@ index 106e855..f850ef7 100644
  #endif
  
  #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-@@ -77,32 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
+@@ -77,39 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
  
  	return -EOPNOTSUPP;
  }
@@ -507,6 +507,7 @@ index 106e855..f850ef7 100644
 +int integrity_init_keyring(const unsigned int id)
  {
  	const struct cred *cred = current_cred();
+-	struct key_restriction *restriction;
  	int err = 0;
  
 -	if (!init_keyring)
@@ -515,27 +516,29 @@ index 106e855..f850ef7 100644
 +		 * the Kernel as a trusted keyring for which
 +		 * a search reference is available
 +		 */
-+		keyring[id] = ima_keyring; 
++		keyring[id] = ima_keyring;
  		return 0;
+-
+-	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
+-	if (!restriction)
+-		return -ENOMEM;
+-
+-	restriction->check = restrict_link_to_ima;
 +	}
  
  	keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
--				    KGIDT_INIT(0), cred,
--				    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
--				     KEY_USR_VIEW | KEY_USR_READ |
--				     KEY_USR_WRITE | KEY_USR_SEARCH),
+ 				    KGIDT_INIT(0), cred,
+ 				    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ 				     KEY_USR_VIEW | KEY_USR_READ |
+ 				     KEY_USR_WRITE | KEY_USR_SEARCH),
 -				    KEY_ALLOC_NOT_IN_QUOTA,
--				    restrict_link_to_ima, NULL);
+-				    restriction, NULL);
 -	if (IS_ERR(keyring[id])) {
-+					KGIDT_INIT(0), cred,
-+					((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+					 KEY_USR_VIEW | KEY_USR_READ |
-+					 KEY_USR_WRITE | KEY_USR_SEARCH),
-+					KEY_ALLOC_NOT_IN_QUOTA, NULL);
++				    KEY_ALLOC_NOT_IN_QUOTA, NULL);
 +
-+	if (!IS_ERR(keyring[id]))
++	if (!IS_ERR(keyring[id])) {
 +		set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
-+	else {
++	} else {
  		err = PTR_ERR(keyring[id]);
  		pr_info("Can't allocate %s keyring (%d)\n",
  			keyring_name[id], err);
@@ -1096,21 +1099,48 @@ diff --git a/ima/ima_policy.c b/ima/ima_policy.c
 index aed47b7..dd52d98 100644
 --- a/ima/ima_policy.c
 +++ b/ima/ima_policy.c
-@@ -92,9 +92,11 @@ static struct ima_rule_entry dont_measure_rules[] = {
- 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
- 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
+@@ -85,7 +85,7 @@ struct ima_rule_entry {
+  * normal users can easily run the machine out of memory simply building
+  * and running executables.
+  */
+-static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
++static struct ima_rule_entry dont_measure_rules[] = {
+ 	{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ 	{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
+ 	{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
+@@ -96,10 +96,12 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
  	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
-+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
-+	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
-+#endif
  	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
--	 .flags = IMA_FSMAGIC},
--	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
-+	 .flags = IMA_FSMAGIC}
+ 	 .flags = IMA_FSMAGIC},
++#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
+ 	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
++#endif
  };
  
- static struct ima_rule_entry original_measurement_rules[] = {
-@@ -132,7 +134,9 @@ static struct ima_rule_entry default_appraise_rules[] = {
+-static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
++static struct ima_rule_entry original_measurement_rules[] = {
+ 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
+ 	 .flags = IMA_FUNC | IMA_MASK},
+ 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
+@@ -111,7 +113,7 @@ static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
+ 	{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
+ };
+ 
+-static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
++static struct ima_rule_entry default_measurement_rules[] = {
+ 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
+ 	 .flags = IMA_FUNC | IMA_MASK},
+ 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
+@@ -127,7 +129,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
+ 	{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
+ };
+ 
+-static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
++static struct ima_rule_entry default_appraise_rules[] = {
+ 	{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ 	{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
+ 	{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
+@@ -137,7 +139,9 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
  	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
  	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
  	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
@@ -1120,8 +1150,8 @@ index aed47b7..dd52d98 100644
  	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
  #ifdef CONFIG_IMA_WRITE_POLICY
  	{.action = APPRAISE, .func = POLICY_CHECK,
-@@ -243,7 +247,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
- 	if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
+@@ -249,7 +253,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
+ 	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
  		return false;
  	if (rule->flags & IMA_EUID) {
 +#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
@@ -1129,38 +1159,51 @@ index aed47b7..dd52d98 100644
 +#else
 +		if (capable_wrt_inode_uidgid(inode, CAP_SETUID) || capable(CAP_SETUID)) {
 +#endif
- 			if (!uid_eq(rule->uid, cred->euid)
- 			    && !uid_eq(rule->uid, cred->suid)
- 			    && !uid_eq(rule->uid, cred->uid))
-@@ -541,10 +549,26 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
+ 			if (!rule->uid_op(cred->euid, rule->uid)
+ 			    && !rule->uid_op(cred->suid, rule->uid)
+ 			    && !rule->uid_op(cred->uid, rule->uid))
+@@ -556,16 +564,34 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
  	return result;
  }
  
 +static int ima_string_contains_hex(const char *string, size_t len)
 +{
-+    const unsigned char *p;
-+    for (p = string; p < (const unsigned char *)string + len; p++) {
-+        if (*p == '"' || *p < 0x21 || *p > 0x7e)
-+            return 1;
-+    }
-+    return 0;
++	const unsigned char *p;
++	for (p = string; p < (const unsigned char *)string + len; p++) {
++		if (*p == '"' || *p < 0x21 || *p > 0x7e)
++			return 1;
++	}
++	return 0;
 +}
 +
-+
- static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
+ static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
+ 			      bool (*rule_operator)(kuid_t, kuid_t))
  {
--	audit_log_format(ab, "%s=", key);
+-	if (rule_operator == &uid_gt)
+-		audit_log_format(ab, "%s>", key);
+-	else if (rule_operator == &uid_lt)
+-		audit_log_format(ab, "%s<", key);
+-	else
+-		audit_log_format(ab, "%s=", key);
 -	audit_log_untrustedstring(ab, value);
 +	if (ima_string_contains_hex(value, strlen(value))) {
-+		// value string contains hex. Convert to hex instead
-+		audit_log_format(ab, "%s=(contains hex)%s", key, value);
-+        }
-+	else {
-+		audit_log_format(ab, "%s=%s", key, value);
++		if (rule_operator == &uid_gt)
++			audit_log_format(ab, "%s>(contains hex)%s", key, value);
++		else if (rule_operator == &uid_lt)
++			audit_log_format(ab, "%s<(contains hex)%s", key, value);
++		else
++			audit_log_format(ab, "%s=(contains hex)%s", key, value);
++	} else {
++		if (rule_operator == &uid_gt)
++			audit_log_format(ab, "%s>", key);
++		else if (rule_operator == &uid_lt)
++			audit_log_format(ab, "%s<", key);
++		else
++			audit_log_format(ab, "%s=", key);
 +	}
  	audit_log_format(ab, " ");
  }
- 
+ static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
 diff --git a/integrity.h b/integrity.h
 index 24520b4..c13e61d 100644
 --- a/integrity.h
@@ -1183,11 +1226,7 @@ index 24520b4..c13e61d 100644
  	uint32_t keyid;		/* IMA key identifier - not X509/PGP specific */
  	uint16_t sig_size;	/* signature size */
  	uint8_t sig[0];		/* signature payload */
-@@ -127,12 +129,11 @@ int __init integrity_read_file(const char *path, char **data);
- #define INTEGRITY_KEYRING_MAX		3
- 
- #ifdef CONFIG_INTEGRITY_SIGNATURE
--
+@@ -131,8 +133,8 @@ int __init integrity_read_file(const char *path, char **data);
  int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
  			    const char *digest, int digestlen);
  
diff --git a/integrity/centos/patches/0004-integrity-disable-set-xattr-on-imasig.patch b/integrity/centos/patches/0004-integrity-disable-set-xattr-on-imasig.patch
index cb48968..1d37f69 100644
--- a/integrity/centos/patches/0004-integrity-disable-set-xattr-on-imasig.patch
+++ b/integrity/centos/patches/0004-integrity-disable-set-xattr-on-imasig.patch
@@ -24,19 +24,18 @@ diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
 index 88b5091..cff2ad2 100644
 --- a/ima/ima_appraise.c
 +++ b/ima/ima_appraise.c
-@@ -250,8 +250,11 @@ int ima_appraise_measurement(enum ima_hooks func,
- 	if (rc <= 0) {
+@@ -205,7 +208,11 @@ int ima_appraise_measurement(enum ima_hooks func,
  		if (rc && rc != -ENODATA)
  			goto out;
--
+ 
 -		cause = "missing-hash";
-+		
 +		if (iint->flags & IMA_DIGSIG_REQUIRED)
-+		   cause = "missing-signature";
++			cause = "missing-signature";
 +		else
 +			cause = "missing-hash";
++
  		status = INTEGRITY_NOLABEL;
- 		if (opened & FILE_CREATED) {
+ 		if (opened & FILE_CREATED)
  			iint->flags |= IMA_NEW_FILE;
 @@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
  	int rc = 0;