diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 1f4d9ec..3bbf129 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b727ff9..c922d1b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5718,7 +5718,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..5ee0a46 100644
+index b191055..1be0b6d 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5874,7 +5874,7 @@ index b191055..5ee0a46 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +179,57 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +179,58 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5916,6 +5916,7 @@ index b191055..5ee0a46 100644
 +network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
 +network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
 +network_port(lltng, tcp, 5345, s0)
++network_port(llmnr, tcp, 5355, s0, udp, 5355,s0)
 +network_port(rabbitmq, tcp,25672,s0)
 +network_port(rkt, tcp,18112,s0)
 +network_port(rlogin, tcp,543,s0, tcp,2105,s0)
@@ -5947,7 +5948,7 @@ index b191055..5ee0a46 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +237,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +238,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -6092,7 +6093,7 @@ index b191055..5ee0a46 100644
  network_port(xserver, tcp,6000-6020,s0)
  network_port(zarafa, tcp,236,s0, tcp,237,s0)
  network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +364,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +365,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -6119,7 +6120,7 @@ index b191055..5ee0a46 100644
  
  ########################################
  #
-@@ -333,6 +413,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +414,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6128,7 +6129,7 @@ index b191055..5ee0a46 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +427,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +428,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -6332,7 +6333,7 @@ index b31c054..8722f6d 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..b7a4271 100644
+index 76f285e..1c1addd 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -7288,7 +7289,7 @@ index 76f285e..b7a4271 100644
  ')
  
  ########################################
-@@ -3144,6 +3686,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3686,60 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
@@ -7328,10 +7329,28 @@ index 76f285e..b7a4271 100644
 +
 +########################################
 +## <summary>
++##	Read Non-Volatile Memory Host Controller Interface.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_nvme',`
++	gen_require(`
++		type nvme_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, nvme_device_t)
++')
++
++########################################
++## <summary>
  ##	Do not audit attempts to get the attributes
  ##	of the BIOS non-volatile RAM device.
  ## </summary>
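Review bot: The new `dev_read_nvme` interface uses `device_t` in `read_chr_files_pattern($1, device_t, nvme_device_t)`, but its `gen_require` block declares only `nvme_device_t`. Other interfaces in this file that use the same pattern, such as `dev_rw_generic_usb_dev`, require both types. The line should read `type device_t, nvme_device_t;` so that a caller without `device_t` already in scope still compiles. The summary could also say which device nodes the type covers, because read access on a character device typically carries ioctl as well; that is inferred, since neither the file contexts for `nvme_device_t` nor the pattern definition appear in this diff.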
-@@ -3163,6 +3741,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3759,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
  
  ########################################
  ## <summary>
@@ -7356,7 +7375,7 @@ index 76f285e..b7a4271 100644
  ##	Read and write BIOS non-volatile RAM.
  ## </summary>
  ## <param name="domain">
-@@ -3254,7 +3850,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3868,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -7383,7 +7402,7 @@ index 76f285e..b7a4271 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +3876,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3894,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -7400,7 +7419,7 @@ index 76f285e..b7a4271 100644
  ')
  
  ########################################
-@@ -3399,7 +4014,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4032,7 @@ interface(`dev_dontaudit_read_rand',`
  
  ########################################
  ## <summary>
@@ -7409,7 +7428,7 @@ index 76f285e..b7a4271 100644
  ##	number generator devices (e.g., /dev/random)
  ## </summary>
  ## <param name="domain">
-@@ -3413,7 +4028,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4046,7 @@ interface(`dev_dontaudit_append_rand',`
  		type random_device_t;
  	')
  
@@ -7418,7 +7437,7 @@ index 76f285e..b7a4271 100644
  ')
  
  ########################################
-@@ -3855,7 +4470,7 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4488,7 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -7427,7 +7446,7 @@ index 76f285e..b7a4271 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3863,91 +4478,89 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3863,91 +4496,89 @@ interface(`dev_getattr_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -7538,7 +7557,7 @@ index 76f285e..b7a4271 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3955,68 +4568,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3955,68 +4586,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -7617,7 +7636,7 @@ index 76f285e..b7a4271 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4024,114 +4622,97 @@ interface(`dev_rw_sysfs',`
+@@ -4024,114 +4640,97 @@ interface(`dev_rw_sysfs',`
  ##	</summary>
  ## </param>
  #
@@ -7762,7 +7781,7 @@ index 76f285e..b7a4271 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4139,35 +4720,50 @@ interface(`dev_getattr_generic_usb_dev',`
+@@ -4139,35 +4738,50 @@ interface(`dev_getattr_generic_usb_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7821,58 +7840,50 @@ index 76f285e..b7a4271 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4175,17 +4771,20 @@ interface(`dev_read_generic_usb_dev',`
+@@ -4175,7 +4789,254 @@ interface(`dev_read_generic_usb_dev',`
  ##	</summary>
  ## </param>
  #
 -interface(`dev_rw_generic_usb_dev',`
 +interface(`dev_rw_sysfs',`
- 	gen_require(`
--		type device_t, usb_device_t;
++	gen_require(`
 +		type sysfs_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, usb_device_t)
++	')
++
 +	rw_files_pattern($1, sysfs_t, sysfs_t)
 +	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
 +
 +	list_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Relabel generic the USB devices.
++')
++
++########################################
++## <summary>
 +##	Relabel hardware state directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4193,17 +4792,17 @@ interface(`dev_rw_generic_usb_dev',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_relabel_generic_usb_dev',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`dev_relabel_sysfs_dirs',`
- 	gen_require(`
--		type usb_device_t;
++	gen_require(`
 +		type sysfs_t;
- 	')
- 
--	relabel_chr_files_pattern($1, device_t, usb_device_t)
++	')
++
 +	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read USB monitor devices.
++')
++
++########################################
++## <summary>
 +##	Relabel hardware state files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4211,7 +4810,251 @@ interface(`dev_relabel_generic_usb_dev',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_read_usbmon_dev',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`dev_relabel_all_sysfs',`
 +	gen_require(`
 +		type sysfs_t;
@@ -8082,59 +8093,65 @@ index 76f285e..b7a4271 100644
 +## </param>
 +#
 +interface(`dev_rw_generic_usb_dev',`
-+	gen_require(`
-+		type device_t, usb_device_t;
-+	')
-+
-+	rw_chr_files_pattern($1, device_t, usb_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel generic the USB devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_relabel_generic_usb_dev',`
-+	gen_require(`
-+		type usb_device_t;
-+	')
-+
-+	relabel_chr_files_pattern($1, device_t, usb_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read USB monitor devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_read_usbmon_dev',`
  	gen_require(`
- 		type device_t, usbmon_device_t;
+ 		type device_t, usb_device_t;
  	')
-@@ -4267,15 +5110,169 @@ interface(`dev_mount_usbfs',`
+@@ -4409,9 +5270,9 @@ interface(`dev_rw_usbfs',`
+ 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
+ 
+-########################################
++######################################
+ ## <summary>
+-##	Get the attributes of video4linux devices.
++##	Read and write userio device.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4419,17 +5280,17 @@ interface(`dev_rw_usbfs',`
+ ##	</summary>
+ ## </param>
  #
- interface(`dev_associate_usbfs',`
+-interface(`dev_getattr_video_dev',`
++interface(`dev_rw_userio_dev',`
  	gen_require(`
--		type usbfs_t;
-+		type usbfs_t;
-+	')
-+
-+	allow $1 usbfs_t:filesystem associate;
-+')
-+
+-		type device_t, v4l_device_t;
++		type device_t, userio_device_t;
+ 	')
+ 
+-	getattr_chr_files_pattern($1, device_t, v4l_device_t)
++	rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+ 
+-######################################
 +########################################
-+## <summary>
-+##	Get the attributes of a directory in the usb filesystem.
+ ## <summary>
+-##	Read and write userio device.
++##	Get the attributes of video4linux devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4437,12 +5298,12 @@ interface(`dev_getattr_video_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_getattr_video_dev',`
+ 	gen_require(`
+-		type device_t, userio_device_t;
++		type device_t, v4l_device_t;
+ 	')
+ 
+-	rw_chr_files_pattern($1, device_t, userio_device_t)
++	getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+ 
+ ########################################
+@@ -4539,6 +5400,134 @@ interface(`dev_write_video_dev',`
+ 
+ ########################################
+ ## <summary>
++##	Get the attributes of vfio devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8142,18 +8159,18 @@ index 76f285e..b7a4271 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_getattr_usbfs_dirs',`
++interface(`dev_getattr_vfio_dev',`
 +	gen_require(`
-+		type usbfs_t;
++		type device_t, vfio_device_t;
 +	')
 +
-+	allow $1 usbfs_t:dir getattr_dir_perms;
++	getattr_chr_files_pattern($1, device_t, vfio_device_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Do not audit attempts to get the attributes
-+##	of a directory in the usb filesystem.
++##	of vfio device nodes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8161,17 +8178,17 @@ index 76f285e..b7a4271 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_getattr_usbfs_dirs',`
++interface(`dev_dontaudit_getattr_vfio_dev',`
 +	gen_require(`
-+		type usbfs_t;
++		type vfio_device_t;
 +	')
 +
-+	dontaudit $1 usbfs_t:dir getattr_dir_perms;
++	dontaudit $1 vfio_device_t:chr_file getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Search the directory containing USB hardware information.
++##	Set the attributes of vfio device nodes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8179,38 +8196,36 @@ index 76f285e..b7a4271 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_search_usbfs',`
++interface(`dev_setattr_vfio_dev',`
 +	gen_require(`
-+		type usbfs_t;
++		type device_t, vfio_device_t;
 +	')
 +
-+	search_dirs_pattern($1, usbfs_t, usbfs_t)
++	setattr_chr_files_pattern($1, device_t, vfio_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to get a list of usb hardware.
++##	Do not audit attempts to set the attributes
++##	of vfio device nodes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_vfio_dev',`
 +	gen_require(`
-+		type usbfs_t;
++		type vfio_device_t;
 +	')
 +
-+	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+	getattr_files_pattern($1, usbfs_t, usbfs_t)
-+
-+	list_dirs_pattern($1, usbfs_t, usbfs_t)
++	dontaudit $1 vfio_device_t:chr_file setattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Set the attributes of usbfs filesystem.
++##	Read the vfio devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8218,19 +8233,17 @@ index 76f285e..b7a4271 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_vfio_dev',`
 +	gen_require(`
-+		type usbfs_t;
++		type device_t, vfio_device_t;
 +	')
 +
-+	setattr_files_pattern($1, usbfs_t, usbfs_t)
-+	list_dirs_pattern($1, usbfs_t, usbfs_t)
++	read_chr_files_pattern($1, device_t, vfio_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read USB hardware information using
-+##	the usbfs filesystem interface.
++##	Write the vfio devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8238,19 +8251,17 @@ index 76f285e..b7a4271 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_usbfs',`
++interface(`dev_write_vfio_dev',`
 +	gen_require(`
-+		type usbfs_t;
++		type device_t, vfio_device_t;
 +	')
 +
-+	read_files_pattern($1, usbfs_t, usbfs_t)
-+	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+	list_dirs_pattern($1, usbfs_t, usbfs_t)
++	write_chr_files_pattern($1, device_t, vfio_device_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to modify usb hardware configuration files.
++##	Read and write the VFIO devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8258,19 +8269,24 @@ index 76f285e..b7a4271 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_usbfs',`
++interface(`dev_rw_vfio_dev',`
 +	gen_require(`
-+		type usbfs_t;
++		type device_t, vfio_device_t;
 +	')
 +
-+	list_dirs_pattern($1, usbfs_t, usbfs_t)
-+	rw_files_pattern($1, usbfs_t, usbfs_t)
-+	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++	rw_chr_files_pattern($1, device_t, vfio_device_t)
 +')
 +
-+######################################
++########################################
 +## <summary>
-+##	Read and write userio device.
+ ##	Allow read/write the vhost net device
+ ## </summary>
+ ## <param name="domain">
+@@ -4557,6 +5546,24 @@ interface(`dev_rw_vhost',`
+ 
+ ########################################
+ ## <summary>
++##	Allow read/write inheretid the vhost net device
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8278,365 +8294,20 @@ index 76f285e..b7a4271 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_userio_dev',`
++interface(`dev_rw_inherited_vhost',`
 +	gen_require(`
-+		type device_t, userio_device_t;
- 	')
- 
--	allow $1 usbfs_t:filesystem associate;
-+	rw_chr_files_pattern($1, device_t, userio_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of a directory in the usb filesystem.
-+##	Get the attributes of video4linux devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4283,18 +5280,18 @@ interface(`dev_associate_usbfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_getattr_usbfs_dirs',`
-+interface(`dev_getattr_video_dev',`
- 	gen_require(`
--		type usbfs_t;
-+		type device_t, v4l_device_t;
- 	')
- 
--	allow $1 usbfs_t:dir getattr_dir_perms;
-+	getattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
- 
- ########################################
- ## <summary>
- ##	Do not audit attempts to get the attributes
--##	of a directory in the usb filesystem.
-+##	of video4linux device nodes.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4302,17 +5299,17 @@ interface(`dev_getattr_usbfs_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_getattr_usbfs_dirs',`
-+interface(`dev_dontaudit_getattr_video_dev',`
- 	gen_require(`
--		type usbfs_t;
-+		type v4l_device_t;
- 	')
- 
--	dontaudit $1 usbfs_t:dir getattr_dir_perms;
-+	dontaudit $1 v4l_device_t:chr_file getattr;
- ')
- 
- ########################################
- ## <summary>
--##	Search the directory containing USB hardware information.
-+##	Set the attributes of video4linux device nodes.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4320,38 +5317,36 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_search_usbfs',`
-+interface(`dev_setattr_video_dev',`
- 	gen_require(`
--		type usbfs_t;
-+		type device_t, v4l_device_t;
- 	')
- 
--	search_dirs_pattern($1, usbfs_t, usbfs_t)
-+	setattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Allow caller to get a list of usb hardware.
-+##	Do not audit attempts to set the attributes
-+##	of video4linux device nodes.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`dev_list_usbfs',`
-+interface(`dev_dontaudit_setattr_video_dev',`
- 	gen_require(`
--		type usbfs_t;
-+		type v4l_device_t;
- 	')
- 
--	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
--	getattr_files_pattern($1, usbfs_t, usbfs_t)
--
--	list_dirs_pattern($1, usbfs_t, usbfs_t)
-+	dontaudit $1 v4l_device_t:chr_file setattr;
- ')
- 
- ########################################
- ## <summary>
--##	Set the attributes of usbfs filesystem.
-+##	Read the video4linux devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4359,19 +5354,17 @@ interface(`dev_list_usbfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_setattr_usbfs_files',`
-+interface(`dev_read_video_dev',`
- 	gen_require(`
--		type usbfs_t;
-+		type device_t, v4l_device_t;
- 	')
- 
--	setattr_files_pattern($1, usbfs_t, usbfs_t)
--	list_dirs_pattern($1, usbfs_t, usbfs_t)
-+	read_chr_files_pattern($1, device_t, v4l_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read USB hardware information using
--##	the usbfs filesystem interface.
-+##	Write the video4linux devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4379,19 +5372,17 @@ interface(`dev_setattr_usbfs_files',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_read_usbfs',`
-+interface(`dev_write_video_dev',`
- 	gen_require(`
--		type usbfs_t;
-+		type device_t, v4l_device_t;
- 	')
- 
--	read_files_pattern($1, usbfs_t, usbfs_t)
--	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
--	list_dirs_pattern($1, usbfs_t, usbfs_t)
-+	write_chr_files_pattern($1, device_t, v4l_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Allow caller to modify usb hardware configuration files.
-+##	Get the attributes of vfio devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4399,37 +5390,36 @@ interface(`dev_read_usbfs',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_usbfs',`
-+interface(`dev_getattr_vfio_dev',`
- 	gen_require(`
--		type usbfs_t;
-+		type device_t, vfio_device_t;
- 	')
- 
--	list_dirs_pattern($1, usbfs_t, usbfs_t)
--	rw_files_pattern($1, usbfs_t, usbfs_t)
--	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+	getattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of video4linux devices.
-+##	Do not audit attempts to get the attributes
-+##	of vfio device nodes.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_dontaudit_getattr_vfio_dev',`
- 	gen_require(`
--		type device_t, v4l_device_t;
-+		type vfio_device_t;
- 	')
- 
--	getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+	dontaudit $1 vfio_device_t:chr_file getattr;
- ')
- 
--######################################
-+########################################
- ## <summary>
--##	Read and write userio device.
-+##	Set the attributes of vfio device nodes.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4437,18 +5427,18 @@ interface(`dev_getattr_video_dev',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_setattr_vfio_dev',`
- 	gen_require(`
--		type device_t, userio_device_t;
-+		type device_t, vfio_device_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, userio_device_t)
-+	setattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to get the attributes
--##	of video4linux device nodes.
-+##	Do not audit attempts to set the attributes
-+##	of vfio device nodes.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4456,17 +5446,17 @@ interface(`dev_rw_userio_dev',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_getattr_video_dev',`
-+interface(`dev_dontaudit_setattr_vfio_dev',`
- 	gen_require(`
--		type v4l_device_t;
-+		type vfio_device_t;
- 	')
- 
--	dontaudit $1 v4l_device_t:chr_file getattr;
-+	dontaudit $1 vfio_device_t:chr_file setattr;
- ')
- 
- ########################################
- ## <summary>
--##	Set the attributes of video4linux device nodes.
-+##	Read the vfio devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4474,36 +5464,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_setattr_video_dev',`
-+interface(`dev_read_vfio_dev',`
- 	gen_require(`
--		type device_t, v4l_device_t;
-+		type device_t, vfio_device_t;
- 	')
- 
--	setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+	read_chr_files_pattern($1, device_t, vfio_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to set the attributes
--##	of video4linux device nodes.
-+##	Write the vfio devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`dev_dontaudit_setattr_video_dev',`
-+interface(`dev_write_vfio_dev',`
- 	gen_require(`
--		type v4l_device_t;
-+		type device_t, vfio_device_t;
- 	')
- 
--	dontaudit $1 v4l_device_t:chr_file setattr;
-+	write_chr_files_pattern($1, device_t, vfio_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read the video4linux devices.
-+##	Read and write the VFIO devices.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4511,17 +5500,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_read_video_dev',`
-+interface(`dev_rw_vfio_dev',`
- 	gen_require(`
--		type device_t, v4l_device_t;
-+		type device_t, vfio_device_t;
- 	')
- 
--	read_chr_files_pattern($1, device_t, v4l_device_t)
-+	rw_chr_files_pattern($1, device_t, vfio_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Write the video4linux devices.
-+##	Allow read/write the vhost net device
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4529,17 +5518,17 @@ interface(`dev_read_video_dev',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_write_video_dev',`
-+interface(`dev_rw_vhost',`
- 	gen_require(`
--		type device_t, v4l_device_t;
 +		type device_t, vhost_device_t;
- 	')
- 
--	write_chr_files_pattern($1, device_t, v4l_device_t)
-+	rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
- 
- ########################################
- ## <summary>
--##	Allow read/write the vhost net device
-+##	Allow read/write inheretid the vhost net device
++	')
++
++	allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -4547,12 +5536,12 @@ interface(`dev_write_video_dev',`
- ##	</summary>
- ## </param>
- #
--interface(`dev_rw_vhost',`
-+interface(`dev_rw_inherited_vhost',`
- 	gen_require(`
- 		type device_t, vhost_device_t;
- 	')
- 
--	rw_chr_files_pattern($1, device_t, vhost_device_t)
-+	allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
- ')
- 
- ########################################
-@@ -4630,6 +5619,24 @@ interface(`dev_write_watchdog',`
+@@ -4630,6 +5637,24 @@ interface(`dev_write_watchdog',`
  
  ########################################
  ## <summary>
@@ -8661,7 +8332,7 @@ index 76f285e..b7a4271 100644
  ##	Read and write the the wireless device.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5769,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5787,44 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -8706,7 +8377,7 @@ index 76f285e..b7a4271 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5896,978 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5914,978 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -43837,10 +43508,10 @@ index a392fc4..78fa512 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..19617c7
+index 0000000..0e4185f
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,68 @@
 +HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +/root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 +
@@ -43865,6 +43536,7 @@ index 0000000..19617c7
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-machined\.service	--	gen_context(system_u:object_r:systemd_machined_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-networkd\.service     gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-resolved\.service     gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-vconsole-setup\.service		gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-rfkill\.service	--	gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
 +/usr/lib/systemd/system/systemd-time.*\.service	--	gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
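Review bot: The added `systemd-resolved\.service` entry has no file-type field, so the context applies to any object whose path matches rather than only to a regular file; the `systemd-machined` and `systemd-rfkill` entries beside it use `--`. The same applies to `/usr/lib/systemd/systemd-resolve(d|-host)` in the following hunk, where the label is an entrypoint type and restricting it to regular files is the usual form: `/usr/lib/systemd/systemd-resolve(d|-host)	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)`. The existing `systemd-networkd\.service` line has the same omission, so this may be deliberate; if it is, a comment saying why would help.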
@@ -43887,6 +43559,8 @@ index 0000000..19617c7
 +/usr/lib/systemd/systemd-networkd   --  gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +/usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
++/usr/lib/systemd/system-generators/systemd-gpt-auto-generator	--	gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
++/usr/lib/systemd/systemd-resolve(d|-host)			gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 +
 +/var/lib/machines(/.*)?			gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
 +/var/lib/systemd/rfkill(/.*)?         gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
@@ -43903,6 +43577,7 @@ index 0000000..19617c7
 +/var/run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
 +/var/run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
 +/var/run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
++/var/run/systemd/resolve(/.*)?	gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 +/var/run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
@@ -45591,10 +45266,10 @@ index 0000000..21f7c14
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..551317f
+index 0000000..f4783a5
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,860 @@
+@@ -0,0 +1,904 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -45648,6 +45323,14 @@ index 0000000..551317f
 +type systemd_networkd_var_run_t;
 +files_pid_file(systemd_networkd_var_run_t)
 +
++systemd_domain_template(systemd_resolved)
++
++type systemd_resolved_var_run_t;
++files_pid_file(systemd_resolved_var_run_t)
++
++type systemd_resolved_unit_file_t;
++systemd_unit_file(systemd_resolved_unit_file_t)
++
 +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
 +# systemd components
 +
@@ -45703,6 +45386,9 @@ index 0000000..551317f
 +
 +systemd_domain_template(systemd_sysctl)
 +
++#domain for gpt-auto-generator
++systemd_domain_template(systemd_gpt_generator)
++
 +#domain for systemd-machined
 +systemd_domain_template(systemd_machined)
 +
@@ -46411,11 +46097,44 @@ index 0000000..551317f
 +#
 +# systemd_hwdb domain
 +#
-+
 +manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
 +files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
 +
 +
++#######################################
++#
++# systemd_gpt_generator domain
++#
++dev_read_sysfs(systemd_gpt_generator_t)
++dev_write_kmsg(systemd_gpt_generator_t)
++dev_read_nvme(systemd_gpt_generator_t)
++
++#######################################
++#
++# systemd_resolved domain
++#
++
++allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
++allow systemd_resolved_t self:process setcap;
++allow systemd_resolved_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
++
++list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
++
++kernel_dgram_send(systemd_resolved_t)
++
++corenet_tcp_bind_llmnr_port(systemd_resolved_t)
++corenet_udp_bind_llmnr_port(systemd_resolved_t)
++
++sysnet_manage_config(systemd_resolved_t)
++
++optional_policy(`
++	dbus_system_bus_client(systemd_resolved_t)
++')
++
 +########################################
 +#
 +# Common rules for systemd domains
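Review bot: The `systemd_resolved_t` rules grant `sysnet_manage_config`, which by its name gives manage access to the system network configuration, although the daemon's runtime directory already has its own type (`systemd_resolved_var_run_t`) with `manage_dirs_pattern` and `manage_files_pattern` on it. If the daemon only needs to read that configuration, `sysnet_read_config(systemd_resolved_t)` would be the narrower grant; the interface bodies are not in this diff, so this needs confirming against what resolved actually writes. The capability line also carries no explanation; if the reason is a privilege drop, a comment such as `# starts privileged and drops to its own user: chown on the runtime dir, then setuid/setgid/setpcap` would record why `chown setgid setpcap setuid` are allowed. Likewise, a one-line comment above `dev_read_nvme(systemd_gpt_generator_t)` saying what the generator reads from the NVMe node would make that grant reviewable.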
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f479ed5..1c1d049 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 177%{?dist}
+Release: 178%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -670,6 +670,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
+- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
+- Add support systemd-resolved.
+
 * Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
 - Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
 - Allow sending dbus msgs between firewalld and system_cronjob domains.