diff --git a/container-selinux.tgz b/container-selinux.tgz
index e0774ec..237e40c 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 3a502cb..c2288f8 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -35720,7 +35720,7 @@ index 187f04f..cf0af09 100644
  interface(`hostname_exec',`
  	gen_require(`
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index 24a7889..a3d8f1a 100644
+index 24a7889..619b32e 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
 @@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config;
@@ -35763,7 +35763,7 @@ index 24a7889..a3d8f1a 100644
  
  sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
  sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
-@@ -57,6 +60,14 @@ sysnet_read_config(hostname_t)
+@@ -57,10 +60,22 @@ sysnet_read_config(hostname_t)
  sysnet_dns_name_resolve(hostname_t)
  
  optional_policy(`
@@ -35778,6 +35778,14 @@ index 24a7889..a3d8f1a 100644
  	nis_use_ypbind(hostname_t)
  ')
  
+ optional_policy(`
++    rhcs_manage_cluster_tmp_files(hostname_t)
++')
++
++optional_policy(`
+ 	xen_append_log(hostname_t)
+ 	xen_dontaudit_use_fds(hostname_t)
+ ')
 diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
 index caf736b..91c4c6f 100644
 --- a/policy/modules/system/hotplug.fc
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b1004d0..15d2d0b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3203,10 +3203,10 @@ index 0000000..36251b9
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..6bd2eb9
+index 0000000..c679dd3
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,274 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -3298,7 +3298,8 @@ index 0000000..6bd2eb9
 +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
 +manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
 +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
-+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
++manage_lnk_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
++files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir lnk_file sock_file } )
 +
 +manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
 +manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
@@ -20913,7 +20914,7 @@ index 3023be7..5afde80 100644
 +	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
  ')
 diff --git a/cups.te b/cups.te
-index c91813c..c3820a5 100644
+index c91813c..6f66ea4 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -21095,7 +21096,8 @@ index c91813c..c3820a5 100644
  manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 +manage_lnk_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
++files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file lnk_file })
  
 +allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
  manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@@ -45951,7 +45953,7 @@ index dff21a7..b6981c8 100644
  	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/lircd.te b/lircd.te
-index 483c87b..0a54c6d 100644
+index 483c87b..f68ee3a 100644
 --- a/lircd.te
 +++ b/lircd.te
 @@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -45992,7 +45994,7 @@ index 483c87b..0a54c6d 100644
 +term_use_unallocated_ttys(lircd_t)
  
 -logging_send_syslog_msg(lircd_t)
-+auth_read_passwd(lircd_t)
++auth_use_nsswitch(lircd_t)
  
 -miscfiles_read_localization(lircd_t)
 +logging_send_syslog_msg(lircd_t)
@@ -91366,6 +91368,20 @@ index 2da9fca..6935f5c 100644
  	kerberos_use(gssd_t)
  ')
  
+diff --git a/rpcbind.fc b/rpcbind.fc
+index d31220e..c84a461 100644
+--- a/rpcbind.fc
++++ b/rpcbind.fc
+@@ -1,6 +1,9 @@
+ /etc/rc\.d/init\.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+ 
++/usr/lib/systemd/system/rpcbind\.service	--	gen_context(system_u:object_r:rpcbind_unit_file_t,s0)
++
+ /sbin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
++/bin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
+ 
+ /usr/sbin/rpcbind	--	gen_context(system_u:object_r:rpcbind_exec_t,s0)
+ 
 diff --git a/rpcbind.if b/rpcbind.if
 index 3b5e9ee..ff1163f 100644
 --- a/rpcbind.if
@@ -91521,7 +91537,7 @@ index 3b5e9ee..ff1163f 100644
 +	admin_pattern($1, rpcbind_var_run_t)
  ')
 diff --git a/rpcbind.te b/rpcbind.te
-index 54de77c..0ee4cc1 100644
+index 54de77c..4ce4fb9 100644
 --- a/rpcbind.te
 +++ b/rpcbind.te
 @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t)
@@ -91534,7 +91550,15 @@ index 54de77c..0ee4cc1 100644
  type rpcbind_var_run_t;
  files_pid_file(rpcbind_var_run_t)
  init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
-@@ -24,11 +27,15 @@ files_type(rpcbind_var_lib_t)
+@@ -19,16 +22,23 @@ init_daemon_run_dir(rpcbind_var_run_t, "rpcbind")
+ type rpcbind_var_lib_t;
+ files_type(rpcbind_var_lib_t)
+ 
++type rpcbind_unit_file_t;
++systemd_unit_file(rpcbind_unit_file_t)
++
+ ########################################
+ #
  # Local policy
  #
  
@@ -91551,7 +91575,7 @@ index 54de77c..0ee4cc1 100644
  manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
  manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
  files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
-@@ -42,7 +49,6 @@ kernel_read_system_state(rpcbind_t)
+@@ -42,7 +52,6 @@ kernel_read_system_state(rpcbind_t)
  kernel_read_network_state(rpcbind_t)
  kernel_request_load_module(rpcbind_t)
  
@@ -91559,7 +91583,7 @@ index 54de77c..0ee4cc1 100644
  corenet_all_recvfrom_netlabel(rpcbind_t)
  corenet_tcp_sendrecv_generic_if(rpcbind_t)
  corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -68,7 +74,11 @@ auth_use_nsswitch(rpcbind_t)
+@@ -68,7 +77,11 @@ auth_use_nsswitch(rpcbind_t)
  
  logging_send_syslog_msg(rpcbind_t)
  
@@ -105766,7 +105790,7 @@ index 2ac91b6..a97033d 100644
  ')
 +
 diff --git a/svnserve.te b/svnserve.te
-index 49d688d..f07cc80 100644
+index 49d688d..451a647 100644
 --- a/svnserve.te
 +++ b/svnserve.te
 @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
@@ -105810,11 +105834,12 @@ index 49d688d..f07cc80 100644
  corenet_all_recvfrom_unlabeled(svnserve_t)
  corenet_all_recvfrom_netlabel(svnserve_t)
  corenet_tcp_sendrecv_generic_if(svnserve_t)
-@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
+@@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t)
  corenet_udp_bind_svn_port(svnserve_t)
  corenet_udp_sendrecv_svn_port(svnserve_t)
  
 -logging_send_syslog_msg(svnserve_t)
++dev_read_rand(svnserve_t)
 +dev_read_urand(svnserve_t)
  
 -miscfiles_read_localization(svnserve_t)
@@ -109267,10 +109292,10 @@ index 0000000..46f12a4
 +')
 diff --git a/tlp.te b/tlp.te
 new file mode 100644
-index 0000000..7c81c68
+index 0000000..98e708a
 --- /dev/null
 +++ b/tlp.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,55 @@
 +policy_module(tlp, 1.0.0)
 +
 +########################################
@@ -109295,6 +109320,7 @@ index 0000000..7c81c68
 +allow tlp_t self:capability { net_admin sys_rawio };
 +allow tlp_t self:unix_stream_socket create_stream_socket_perms;
 +allow tlp_t self:udp_socket create_socket_perms;
++allow tlp_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
 +manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 13322fc..05fb6c4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 228%{?dist}
+Release: 229%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,15 @@ exit 0
 %endif
 
 %changelog
+* Wed Dec 07 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-229
+- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
+- Allot tlp domain to create unix_dgram sockets BZ(1401233)
+- Allow antivirus domain to create lnk_files in /tmp
+- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
+- Allow svnserve_t domain to read /dev/random BZ(1401827)
+- Allow lircd to use nsswitch. BZ(1401375)
+- Allow hostname_t domain to manage cluster_tmp_t files
+
 * Mon Dec 05 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-228
 - Fix some boolean descriptions.
 - Add fwupd_dbus_chat() interface