diff --git a/coreutils-8.27-runcon-doc.patch b/coreutils-8.27-runcon-doc.patch
new file mode 100644
index 0000000..41c0a8a
--- /dev/null
+++ b/coreutils-8.27-runcon-doc.patch
@@ -0,0 +1,33 @@
+From 76be8a7f9eb717b3d47009eb25d39fe7139a2c2d Mon Sep 17 00:00:00 2001
+From: Sebastian Kisela
+Date: Tue, 30 May 2017 09:29:32 +0200
+Subject: [PATCH] doc: mention `setpriv --no-new-privs` feature in runcon info
+
+upstream commit: 6ebaf8195000d6d3590a2eac13f13b158e325452
+---
+ doc/coreutils.texi | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index 68df075..e16e885 100644
+--- a/doc/coreutils.texi
++++ b/doc/coreutils.texi
+@@ -16583,7 +16583,14 @@ are interpreted as arguments to the command.
+ With neither @var{context} nor @var{command}, print the current
+ security context.
+
+-The program accepts the following options. Also see @ref{Common options}.
++@cindex restricted security context
++@cindex NO_NEW_PRIVS
++Note also the @command{setpriv} command which can be used to set the
++NO_NEW_PRIVS bit using @command{setpriv --no-new-privs runcon ...},
++thus disallowing usage of a security context with more privileges
++than the process would normally have.
++
++@command{runcon} accepts the following options. Also see @ref{Common options}.
+
+ @table @samp
+
+--
+2.9.4
+
diff --git a/coreutils.spec b/coreutils.spec
index 13f3ed9..2fadd14 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name: coreutils
 Version: 8.27
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv3+
 Group: System Environment/Base
 Url: https://www.gnu.org/software/coreutils/
@@ -22,6 +22,9 @@ Patch2: coreutils-8.27-CVE-2017-7476.patch # tail: revert to polling if a followed directory is replaced (#1283760) Patch3: coreutils-8.27-tail-inotify-recreate.patch +# doc: mention `setpriv --no-new-privs` feature in runcon info +Patch4: coreutils-8.27-runcon-doc.patch + # disable the test-lock gnulib test prone to deadlock Patch100: coreutils-8.26-test-lock.patch @@ -288,6 +291,9 @@ fi %license COPYING %changelog +* Tue May 30 2017 Sebastian Kisela - 8.27-10 +- doc: mention `setpriv --no-new-privs` feature in runcon info + * Tue May 16 2017 Kamil Dudka - 8.27-9 - add coreutils-full provides for coreutils to make it explicitly installable