diff --git a/container-selinux.tgz b/container-selinux.tgz
index 9b07a0f..734bfcd 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c2288f8..9b14adf 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10068,7 +10068,7 @@ index 0b1a871..29965c3 100644
 +dev_getattr_all(devices_unconfined_type)
 +
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..1a2713b 100644
+index 6a1e4d1..f23f6a6 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -10107,15 +10107,6 @@ index 6a1e4d1..1a2713b 100644
  ')
  
  ########################################
-@@ -128,7 +103,7 @@ interface(`domain_entry_file',`
- 	')
- 
- 	allow $1 $2:file entrypoint;
--	allow $1 $2:file { mmap_file_perms ioctl lock };
-+	allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };
- 
- 	typeattribute $2 entry_type;
- 
 @@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',`
  
  ########################################
@@ -39984,7 +39975,7 @@ index c42fbc3..bf211db 100644
 +	files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
 +')
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..218750e 100644
+index be8ed1e..aa38f90 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
@@ -40120,7 +40111,16 @@ index be8ed1e..218750e 100644
  	modutils_run_insmod(iptables_t, iptables_roles)
  ')
  
-@@ -124,6 +154,16 @@ optional_policy(`
+@@ -119,11 +149,25 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    plymouthd_exec_plymouth(iptables_t)
++')
++
++optional_policy(`
+ 	ppp_dontaudit_use_fds(iptables_t)
+ ')
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -40137,7 +40137,7 @@ index be8ed1e..218750e 100644
  ')
  
  optional_policy(`
-@@ -135,9 +175,9 @@ optional_policy(`
+@@ -135,9 +179,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40184,7 +40184,7 @@ index 0000000..c814795
 +fs_manage_kdbus_dirs(systemd_logind_t)
 +fs_manage_kdbus_files(systemd_logind_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..549c41b 100644
+index 73bb3c0..fffae71 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -40222,7 +40222,12 @@ index 73bb3c0..549c41b 100644
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
-@@ -103,6 +106,12 @@ ifdef(`distro_redhat',`
+@@ -99,10 +102,17 @@ ifdef(`distro_redhat',`
+ # /sbin
+ #
+ /sbin/ldconfig				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
++/sbin/sln				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
+ 
  #
  # /usr
  #
@@ -40235,7 +40240,7 @@ index 73bb3c0..549c41b 100644
  /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -111,12 +120,12 @@ ifdef(`distro_redhat',`
+@@ -111,12 +121,12 @@ ifdef(`distro_redhat',`
  /usr/(.*/)?java/.+\.jsa			--	gen_context(system_u:object_r:lib_t,s0)
  
  /usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
@@ -40250,7 +40255,7 @@ index 73bb3c0..549c41b 100644
  /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
-@@ -125,10 +134,12 @@ ifdef(`distro_redhat',`
+@@ -125,10 +135,12 @@ ifdef(`distro_redhat',`
  /usr/lib/vlc/codec/libdmo_plugin\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/librealaudio_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libtfmessbsp\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40263,7 +40268,7 @@ index 73bb3c0..549c41b 100644
  /usr/lib/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/win32/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -141,19 +152,23 @@ ifdef(`distro_redhat',`
+@@ -141,19 +153,23 @@ ifdef(`distro_redhat',`
  /usr/lib/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/fglrx/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libjs\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40292,7 +40297,7 @@ index 73bb3c0..549c41b 100644
  /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -182,11 +197,13 @@ ifdef(`distro_redhat',`
+@@ -182,11 +198,13 @@ ifdef(`distro_redhat',`
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40306,7 +40311,7 @@ index 73bb3c0..549c41b 100644
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -241,13 +258,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
+@@ -241,13 +259,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
  
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
  /usr/lib.*/libmpg123\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40322,7 +40327,7 @@ index 73bb3c0..549c41b 100644
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +284,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -269,20 +285,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40353,7 +40358,7 @@ index 73bb3c0..549c41b 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +314,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 70263d8..e10ed4d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -20522,7 +20522,7 @@ index b25b01d..06895f3 100644
  ')
 +
 diff --git a/ctdb.te b/ctdb.te
-index 001b502..47199aa 100644
+index 001b502..9892b34 100644
 --- a/ctdb.te
 +++ b/ctdb.te
 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -20576,7 +20576,7 @@ index 001b502..47199aa 100644
  kernel_read_network_state(ctdbd_t)
  kernel_read_system_state(ctdbd_t)
  kernel_rw_net_sysctls(ctdbd_t)
-@@ -72,9 +89,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+@@ -72,10 +89,16 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
  corenet_tcp_sendrecv_generic_if(ctdbd_t)
  corenet_tcp_sendrecv_generic_node(ctdbd_t)
  corenet_tcp_bind_generic_node(ctdbd_t)
@@ -20588,9 +20588,12 @@ index 001b502..47199aa 100644
 +corenet_tcp_bind_smbd_port(ctdbd_t)
 +corenet_tcp_connect_ctdb_port(ctdbd_t)
  corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
++corenet_tcp_connect_gluster_port(ctdbd_t)
++corenet_tcp_connect_nfs_port(ctdbd_t)
  
  corecmd_exec_bin(ctdbd_t)
-@@ -85,14 +106,18 @@ dev_read_urand(ctdbd_t)
+ corecmd_exec_shell(ctdbd_t)
+@@ -85,14 +108,18 @@ dev_read_urand(ctdbd_t)
  
  domain_dontaudit_read_all_domains_state(ctdbd_t)
  
@@ -20611,10 +20614,14 @@ index 001b502..47199aa 100644
  optional_policy(`
  	consoletype_exec(ctdbd_t)
  ')
-@@ -106,9 +131,16 @@ optional_policy(`
+@@ -106,9 +133,20 @@ optional_policy(`
  ')
  
  optional_policy(`
++    rpc_read_nfs_state_data(ctdbd_t)
++')
++
++optional_policy(`
 +    samba_signull_smbd(ctdbd_t)
  	samba_initrc_domtrans(ctdbd_t)
  	samba_domtrans_net(ctdbd_t)
@@ -32116,10 +32123,10 @@ index 5cd0909..bd3c3d2 100644
 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
 diff --git a/glusterd.fc b/glusterd.fc
 new file mode 100644
-index 0000000..52b4110
+index 0000000..a3633cd
 --- /dev/null
 +++ b/glusterd.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,29 @@
 +/etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +
 +/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
@@ -32128,6 +32135,13 @@ index 0000000..52b4110
 +/usr/sbin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 +/usr/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
++/usr/sbin/glustereventsd   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
++/usr/sbin/gluster-eventsapi   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++
++/usr/libexec/glusterfs/peer_eventsapi.py    -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
++/usr/libexec/glusterfs/events/glustereventsd.py   -- 	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
 +/usr/bin/ganesha.nfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 +
 +/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
@@ -32411,10 +32425,10 @@ index 0000000..764ae00
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..0a33da3
+index 0000000..40c6ade
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,305 @@
+@@ -0,0 +1,307 @@
 +policy_module(glusterd, 1.1.3)
 +
 +## <desc>
@@ -32604,6 +32618,7 @@ index 0000000..0a33da3
 +init_rw_script_tmp_files(glusterd_t)
 +init_manage_script_status_files(glusterd_t)
 +init_status(glusterd_t)
++init_stop_transient_unit(glusterd_t)
 +
 +systemd_config_systemd_services(glusterd_t)
 +systemd_signal_passwd_agent(glusterd_t)
@@ -32622,6 +32637,7 @@ index 0000000..0a33da3
 +userdom_delete_user_tmp_files(glusterd_t)
 +userdom_rw_user_tmp_files(glusterd_t)
 +userdom_kill_all_users(glusterd_t)
++userdom_signal_unpriv_users(glusterd_t)
 +
 +mount_domtrans(glusterd_t)
 +
@@ -76636,7 +76652,7 @@ index cd8b8b9..2cfa88a 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index d616ca3..b03d137 100644
+index d616ca3..76f9b25 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@@ -76911,7 +76927,7 @@ index d616ca3..b03d137 100644
  
  allow pptp_t pppd_etc_t:dir list_dir_perms;
  allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +266,45 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +266,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
  allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
  allow pptp_t pppd_etc_rw_t:file read_file_perms;
  allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -76942,6 +76958,7 @@ index d616ca3..b03d137 100644
 +dev_read_sysfs(pptp_t)
 +dev_read_rand(pptp_t)
 +dev_read_urand(pptp_t)
++dev_read_rand(pptp_t)
 +
  corecmd_exec_shell(pptp_t)
  corecmd_read_bin_symlinks(pptp_t)
@@ -76970,7 +76987,7 @@ index d616ca3..b03d137 100644
  fs_getattr_all_fs(pptp_t)
  fs_search_auto_mountpoints(pptp_t)
  
-@@ -282,12 +312,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +313,12 @@ term_ioctl_generic_ptys(pptp_t)
  term_search_ptys(pptp_t)
  term_use_ptmx(pptp_t)
  
@@ -76985,7 +77002,7 @@ index d616ca3..b03d137 100644
  sysnet_exec_ifconfig(pptp_t)
  
  userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -299,6 +329,10 @@ optional_policy(`
+@@ -299,6 +330,10 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ea5883e..add1429 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 230%{?dist}
+Release: 231%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,14 @@ exit 0
 %endif
 
 %changelog
+* Wed Dec 14 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-231
+- Allow pptp_t to read /dev/random BZ(1404248)
+- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
+- Allow systemd to stop glusterd_t domains.
+- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
+- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)
+- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition,  I can see no case where this is  a bad thing, and elminiates a whole class of AVCs."
+
 * Thu Dec 08 2016 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-230
 - Label /usr/bin/rpcbind as rpcbind_exec_t
 - Dontaudit mozilla plugin rawip socket creation. BZ(1275961)