diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 6d06b4c..77f76d5 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 35a266a..0813676 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6288,7 +6288,7 @@ index 3f6e168..340e49f 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..50a45cf 100644
+index b31c054..012cc6f 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -6396,7 +6396,7 @@ index b31c054..50a45cf 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,11 +193,16 @@ ifdef(`distro_suse', `
+@@ -172,15 +193,21 @@ ifdef(`distro_suse', `
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -6413,7 +6413,12 @@ index b31c054..50a45cf 100644
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
-@@ -198,12 +224,27 @@ ifdef(`distro_debian',`
+ /dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)
++/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0)
+
+ ifdef(`distro_debian',`
+ # this is a static /dev dir "backup mount"
+@@ -198,12 +225,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -6444,7 +6449,7 @@ index b31c054..50a45cf 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..c542dd3 100644
+index 76f285e..5cd2702 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -8716,7 +8721,7 @@ index 76f285e..c542dd3 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4851,3 +5915,1019 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5915,1020 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -9619,6 +9624,7 @@ index 76f285e..c542dd3 100644
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
@@ -46330,10 +46336,10 @@ index a392fc4..78fa512 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..0e4185f
+index 0000000..6cf3942
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,69 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+
@@ -46356,6 +46362,7 @@ index 0000000..0e4185f
+
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
@@ -48126,10 +48133,10 @@ index 0000000..ebd6cc8
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..6c16f21
+index 0000000..f799c5b
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,928 @@
+@@ -0,0 +1,929 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -49012,6 +49019,7 @@ index 0000000..6c16f21
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
+
+dev_write_kmsg(systemd_resolved_t)
++dev_read_sysfs(systemd_resolved_t)
+
+sysnet_manage_config(systemd_resolved_t)
+
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index fc313f0..7e8426d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -25419,7 +25419,7 @@ index 23ab808..84735a8 100644
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..45c70c1 100644
+index 19aa0b8..a79982c 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -25666,7 +25666,7 @@ index 19aa0b8..45c70c1 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +395,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +395,36 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
@@ -25680,9 +25680,32 @@ index 19aa0b8..45c70c1 100644
+ dnsmasq_systemctl($1)
+ admin_pattern($1, dnsmasq_unit_file_t)
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## dnsmasq over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_dbus_chat',`
++ gen_require(`
++ type dnsmasq_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 dnsmasq_t:dbus send_msg;
++ allow dnsmasq_t $1:dbus send_msg;
')
++
++
diff --git a/dnsmasq.te b/dnsmasq.te
-index 37a3b7b..921056a 100644
+index 37a3b7b..0a64088 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -25731,7 +25754,7 @@ index 37a3b7b..921056a 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -98,12 +105,21 @@ optional_policy(`
+@@ -98,12 +105,25 @@ optional_policy(`
')
optional_policy(`
@@ -25741,20 +25764,24 @@ index 37a3b7b..921056a 100644
+optional_policy(`
dbus_connect_system_bus(dnsmasq_t)
dbus_system_bus_client(dnsmasq_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(dnsmasq_t)
++ ')
++')
++
++optional_policy(`
++ dnsmasq_domtrans(dnsmasq_t)
')
optional_policy(`
- networkmanager_read_pid_files(dnsmasq_t)
-+ dnsmasq_domtrans(dnsmasq_t)
-+')
-+
-+optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
+ networkmanager_manage_pid_files(dnsmasq_t)
')
optional_policy(`
-@@ -124,6 +140,14 @@ optional_policy(`
+@@ -124,6 +144,14 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -25912,10 +25939,10 @@ index 0000000..d22ed69
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..181a31b
+index 0000000..f186d85
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,88 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -25949,8 +25976,9 @@ index 0000000..181a31b
+
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++manage_lnk_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
+allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms;
-+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
++files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file lnk_file })
+
+manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
+manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t)
@@ -31935,10 +31963,10 @@ index 0000000..764ae00
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..59e84ca
+index 0000000..33654d5
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,295 @@
+@@ -0,0 +1,297 @@
+policy_module(glusterd, 1.1.3)
+
+## <desc>
@@ -32176,6 +32204,7 @@ index 0000000..59e84ca
+optional_policy(`
+ dbus_system_bus_client(glusterd_t)
+ dbus_connect_system_bus(glusterd_t)
++ unconfined_dbus_chat(glusterd_t)
+
+ optional_policy(`
+ policykit_dbus_chat(glusterd_t)
@@ -32221,6 +32250,7 @@ index 0000000..59e84ca
+ rpc_domtrans_nfsd(glusterd_t)
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_manage_nfs_state_data(glusterd_t)
++ rpc_manage_nfs_state_data_dir(glusterd_t)
+ rpcbind_stream_connect(glusterd_t)
+')
+
@@ -58382,7 +58412,7 @@ index 86dc29d..7380935 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..2646460 100644
+index 55f2009..ab2d757 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -58640,7 +58670,7 @@ index 55f2009..2646460 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +260,11 @@ optional_policy(`
+@@ -210,31 +260,34 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -58659,7 +58689,12 @@ index 55f2009..2646460 100644
')
')
-@@ -231,10 +276,17 @@ optional_policy(`
+ optional_policy(`
+ dnsmasq_read_pid_files(NetworkManager_t)
++ dnsmasq_dbus_chat(NetworkManager_t)
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
+ dnsmasq_initrc_domtrans(NetworkManager_t)
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -58678,7 +58713,7 @@ index 55f2009..2646460 100644
')
optional_policy(`
-@@ -246,10 +298,26 @@ optional_policy(`
+@@ -246,10 +299,26 @@ optional_policy(`
')
optional_policy(`
@@ -58705,7 +58740,7 @@ index 55f2009..2646460 100644
')
optional_policy(`
-@@ -257,15 +325,19 @@ optional_policy(`
+@@ -257,15 +326,19 @@ optional_policy(`
')
optional_policy(`
@@ -58727,7 +58762,7 @@ index 55f2009..2646460 100644
')
optional_policy(`
-@@ -274,10 +346,17 @@ optional_policy(`
+@@ -274,10 +347,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -58745,7 +58780,7 @@ index 55f2009..2646460 100644
')
optional_policy(`
-@@ -286,9 +365,12 @@ optional_policy(`
+@@ -286,9 +366,12 @@ optional_policy(`
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
openvpn_signull(NetworkManager_t)
@@ -58758,7 +58793,7 @@ index 55f2009..2646460 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +378,7 @@ optional_policy(`
+@@ -296,7 +379,7 @@ optional_policy(`
')
optional_policy(`
@@ -58767,7 +58802,7 @@ index 55f2009..2646460 100644
')
optional_policy(`
-@@ -307,6 +389,7 @@ optional_policy(`
+@@ -307,6 +390,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -58775,7 +58810,7 @@ index 55f2009..2646460 100644
')
optional_policy(`
-@@ -320,14 +403,21 @@ optional_policy(`
+@@ -320,14 +404,21 @@ optional_policy(`
')
optional_policy(`
@@ -58802,7 +58837,7 @@ index 55f2009..2646460 100644
')
optional_policy(`
-@@ -338,6 +428,13 @@ optional_policy(`
+@@ -338,6 +429,13 @@ optional_policy(`
vpn_relabelfrom_tun_socket(NetworkManager_t)
')
@@ -58816,7 +58851,7 @@ index 55f2009..2646460 100644
########################################
#
# wpa_cli local policy
-@@ -357,6 +454,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -86765,15 +86800,16 @@ index 6cf79c4..1a605f9 100644
')
diff --git a/rhev.fc b/rhev.fc
new file mode 100644
-index 0000000..4b66adf
+index 0000000..013d1d9
--- /dev/null
+++ b/rhev.fc
-@@ -0,0 +1,13 @@
+@@ -0,0 +1,14 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
++/usr/share/ovirt-guest-agent/ovirt-guest-agent\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+
@@ -88928,7 +88964,7 @@ index a6fb30c..38a2f09 100644
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index 0bf13c2..4f3c2b9 100644
+index 0bf13c2..ed393a0 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
@@ -89240,7 +89276,7 @@ index 0bf13c2..4f3c2b9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -326,12 +345,31 @@ interface(`rpc_search_nfs_state_data',`
+@@ -326,12 +345,50 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
@@ -89270,11 +89306,30 @@ index 0bf13c2..4f3c2b9 100644
+
+########################################
+## <summary>
++## Manage NFS state data in /var/lib/nfs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpc_manage_nfs_state_data_dir',`
++ gen_require(`
++ type var_lib_nfs_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 var_lib_nfs_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
+## Read NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
-@@ -350,8 +388,7 @@ interface(`rpc_read_nfs_state_data',`
+@@ -350,8 +407,7 @@ interface(`rpc_read_nfs_state_data',`
########################################
## <summary>
@@ -89284,7 +89339,7 @@ index 0bf13c2..4f3c2b9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -366,31 +403,68 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -366,31 +422,68 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@@ -89359,7 +89414,7 @@ index 0bf13c2..4f3c2b9 100644
')
allow $1 rpc_domain:process { ptrace signal_perms };
-@@ -411,7 +485,7 @@ interface(`rpc_admin',`
+@@ -411,7 +504,7 @@ interface(`rpc_admin',`
admin_pattern($1, rpcd_var_run_t)
files_list_all($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bdb1cab..c254865 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 190%{?dist}
+Release: 191%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,18 @@ exit 0
%endif
%changelog
+* Tue May 24 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-191
+- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
+- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954)
+- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
+- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
+- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
+- Merge pull request #125 from rhatdan/typebounds
+- Typebounds user domains
+- Allow systemd_resolved_t to check if ipv6 is disabled.
+- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
+- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
+
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
- Allow zabbix to connect to postgresql port