diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 9778f1a..d80d875 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index b31891e..0b207de 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -6262,7 +6262,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..50a45cf 100644 +index b31c054..012cc6f 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6370,7 +6370,7 @@ index b31c054..50a45cf 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,11 +193,16 @@ ifdef(`distro_suse', ` +@@ -172,15 +193,21 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6387,7 +6387,12 @@ index b31c054..50a45cf 100644 /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0) -@@ -198,12 +224,27 @@ ifdef(`distro_debian',` + /dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0) ++/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0) + + ifdef(`distro_debian',` + # this is a static /dev dir "backup mount" +@@ -198,12 +225,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6418,7 +6423,7 @@ index b31c054..50a45cf 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
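Review bot: The new `/dev/xen/privcmd` entry in the devices.fc hunk gives the privileged hypercall device the same `xen_device_t` type as the event-channel, grant and blktap devices, so every domain already allowed rw on `xen_device_t` gains privcmd access as a side effect. If only the Xen toolstack domain needs it, a dedicated type (say `xen_privcmd_device_t`, a constructed name) would keep the hypercall interface separate from the data-plane devices; this is a least-privilege judgement rather than a defect in the label itself. The matching `filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")` added in the devices.if hunk on the next line is consistent with the label chosen here and would need the same change. Both hunks sit inside the nested base-policy patch, whose surrounding file-context list extends outside the hunk.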
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..c542dd3 100644 +index 76f285e..5cd2702 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8690,7 +8695,7 @@ index 76f285e..c542dd3 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5915,1019 @@ interface(`dev_unconfined',` +@@ -4851,3 +5915,1020 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -9593,6 +9598,7 @@ index 76f285e..c542dd3 100644 + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc") ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2") @@ -46292,10 +46298,10 @@ index a392fc4..78fa512 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..0e4185f +index 0000000..6cf3942 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,68 @@ +@@ -0,0 +1,69 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + 
@@ -46318,6 +46324,7 @@ index 0000000..0e4185f + +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) ++/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0) @@ -48088,10 +48095,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..6c16f21 +index 0000000..f799c5b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,928 @@ +@@ -0,0 +1,929 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48974,6 +48981,7 @@ index 0000000..6c16f21 +corenet_udp_bind_llmnr_port(systemd_resolved_t) + +dev_write_kmsg(systemd_resolved_t) ++dev_read_sysfs(systemd_resolved_t) + +sysnet_manage_config(systemd_resolved_t) + diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index c00ad2f..88a051e 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -25419,7 +25419,7 @@ index 23ab808..84735a8 100644 +/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..45c70c1 100644 +index 19aa0b8..a79982c 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ 
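Review bot: The new `/run/systemd/transient(/.*)?` entry only takes effect on a relabel (`restorecon`/`setfiles`); a directory that PID 1 creates under `/run/systemd` at boot inherits its parent's label unless a matching file-transition rule exists, so transient units may not actually end up as `systemd_unit_file_t` at runtime — worth confirming against the init policy, which is outside this diff. Its placement between two `/usr/lib/systemd/system...` lines also breaks the path ordering of the list; the changelog says `/run/systemd/system` already carries this label, so grouping the two `/run/systemd` entries together would read more naturally. The enclosing systemd.fc section begins before this hunk.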
@@ -25666,7 +25666,7 @@ index 19aa0b8..45c70c1 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -281,9 +395,13 @@ interface(`dnsmasq_admin',` +@@ -281,9 +395,36 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) @@ -25680,9 +25680,32 @@ index 19aa0b8..45c70c1 100644 + dnsmasq_systemctl($1) + admin_pattern($1, dnsmasq_unit_file_t) + allow $1 dnsmasq_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## dnsmasq over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnsmasq_dbus_chat',` ++ gen_require(` ++ type dnsmasq_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 dnsmasq_t:dbus send_msg; ++ allow dnsmasq_t $1:dbus send_msg; ') ++ ++ diff --git a/dnsmasq.te b/dnsmasq.te -index 37a3b7b..921056a 100644 +index 37a3b7b..0a64088 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -25731,7 +25754,7 @@ index 37a3b7b..921056a 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,12 +105,21 @@ optional_policy(` +@@ -98,12 +105,25 @@ optional_policy(` ') optional_policy(` @@ -25741,20 +25764,24 @@ index 37a3b7b..921056a 100644 +optional_policy(` dbus_connect_system_bus(dnsmasq_t) dbus_system_bus_client(dnsmasq_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(dnsmasq_t) ++ ') ++') ++ ++optional_policy(` ++ dnsmasq_domtrans(dnsmasq_t) ') optional_policy(` - networkmanager_read_pid_files(dnsmasq_t) -+ dnsmasq_domtrans(dnsmasq_t) -+') -+ -+optional_policy(` + networkmanager_read_conf(dnsmasq_t) + networkmanager_manage_pid_files(dnsmasq_t) ') optional_policy(` -@@ -124,6 +140,14 @@ optional_policy(` +@@ -124,6 +144,14 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) 
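Review bot: `dnsmasq_dbus_chat` grants `dbus send_msg` in both directions, and the dnsmasq.te hunk on the same line also adds `networkmanager_dbus_chat(dnsmasq_t)`; if `networkmanager_dbus_chat` follows the usual bidirectional pattern, the two calls (together with `dnsmasq_dbus_chat(NetworkManager_t)` in the networkmanager.te hunk further down) produce the same pair of rules twice. Harmless for the compiled policy, but keeping only the networkmanager.te call — NetworkManager is the side driving dnsmasq — makes the intent clearer and avoids the two modules depending on each other's interfaces. The new interface is also followed by two added empty lines (`++` `++`) after the closing `')`, leaving trailing blank lines at the end of dnsmasq.if. The enclosing dnsmasq.if interface list continues outside the hunk.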
@@ -25912,10 +25939,10 @@ index 0000000..d22ed69 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..181a31b +index 0000000..f186d85 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,87 @@ +@@ -0,0 +1,88 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -25949,8 +25976,9 @@ index 0000000..181a31b + +manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) ++manage_lnk_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +allow dnssec_trigger_t dnssec_trigger_var_run_t:file relabelfrom_file_perms; -+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) ++files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file lnk_file }) + +manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) +manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) @@ -31935,10 +31963,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..59e84ca +index 0000000..33654d5 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,295 @@ +@@ -0,0 +1,297 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32176,6 +32204,7 @@ index 0000000..59e84ca +optional_policy(` + dbus_system_bus_client(glusterd_t) + dbus_connect_system_bus(glusterd_t) ++ unconfined_dbus_chat(glusterd_t) + + optional_policy(` + policykit_dbus_chat(glusterd_t) @@ -32221,6 +32250,7 @@ index 0000000..59e84ca + rpc_domtrans_nfsd(glusterd_t) + rpc_domtrans_rpcd(glusterd_t) + rpc_manage_nfs_state_data(glusterd_t) ++ rpc_manage_nfs_state_data_dir(glusterd_t) + rpcbind_stream_connect(glusterd_t) +') + @@ -58382,7 +58412,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') 
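Review bot: In the glusterd.te hunk, `unconfined_dbus_chat(glusterd_t)` is placed directly in the dbus `optional_policy` block, while the sibling `policykit_dbus_chat(glusterd_t)` gets its own nested `optional_policy(` wrapper; if the unconfined module is optional in this build, as that convention suggests, the whole dbus block fails to link when it is absent. Wrapping the call the same way, `optional_policy(` / `unconfined_dbus_chat(glusterd_t)` / `')`, keeps the dbus rules independent of the unconfined module. Note too that the rule lets `glusterd_t` exchange D-Bus messages with every unconfined process, not only the ganesha-ha.sh invocation the changelog names; that is the price of the chosen interface and deserves a one-line comment above the call. The enclosing `optional_policy` block starts before the hunk.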
diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..2646460 100644 +index 55f2009..ab2d757 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -58640,7 +58670,7 @@ index 55f2009..2646460 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +260,11 @@ optional_policy(` +@@ -210,31 +260,34 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -58659,7 +58689,12 @@ index 55f2009..2646460 100644 ') ') -@@ -231,10 +276,17 @@ optional_policy(` + optional_policy(` + dnsmasq_read_pid_files(NetworkManager_t) ++ dnsmasq_dbus_chat(NetworkManager_t) + dnsmasq_delete_pid_files(NetworkManager_t) + dnsmasq_domtrans(NetworkManager_t) + dnsmasq_initrc_domtrans(NetworkManager_t) dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -58678,7 +58713,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -246,10 +298,26 @@ optional_policy(` +@@ -246,10 +299,26 @@ optional_policy(` ') optional_policy(` @@ -58705,7 +58740,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -257,15 +325,19 @@ optional_policy(` +@@ -257,15 +326,19 @@ optional_policy(` ') optional_policy(` @@ -58727,7 +58762,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -274,10 +346,17 @@ optional_policy(` +@@ -274,10 +347,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -58745,7 +58780,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -286,9 +365,12 @@ optional_policy(` +@@ -286,9 +366,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) 
@@ -58758,7 +58793,7 @@ index 55f2009..2646460 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +378,7 @@ optional_policy(` +@@ -296,7 +379,7 @@ optional_policy(` ') optional_policy(` @@ -58767,7 +58802,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -307,6 +389,7 @@ optional_policy(` +@@ -307,6 +390,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -58775,7 +58810,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -320,14 +403,21 @@ optional_policy(` +@@ -320,14 +404,21 @@ optional_policy(` ') optional_policy(` @@ -58802,7 +58837,7 @@ index 55f2009..2646460 100644 ') optional_policy(` -@@ -338,6 +428,13 @@ optional_policy(` +@@ -338,6 +429,13 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -58816,7 +58851,7 @@ index 55f2009..2646460 100644 ######################################## # # wpa_cli local policy -@@ -357,6 +454,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -88928,7 +88963,7 @@ index a6fb30c..38a2f09 100644 +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + diff --git a/rpc.if b/rpc.if -index 0bf13c2..4f3c2b9 100644 +index 0bf13c2..ed393a0 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ @@ -89240,7 +89275,7 @@ index 0bf13c2..4f3c2b9 100644 ## ## ## -@@ -326,12 +345,31 @@ interface(`rpc_search_nfs_state_data',` +@@ -326,12 +345,50 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) 
@@ -89270,11 +89305,30 @@ index 0bf13c2..4f3c2b9 100644 + +######################################## +## ++## Manage NFS state data in /var/lib/nfs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpc_manage_nfs_state_data_dir',` ++ gen_require(` ++ type var_lib_nfs_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 var_lib_nfs_t:dir manage_dir_perms; ++') ++ ++######################################## ++## +## Read NFS state data in /var/lib/nfs. ## ## ## -@@ -350,8 +388,7 @@ interface(`rpc_read_nfs_state_data',` +@@ -350,8 +407,7 @@ interface(`rpc_read_nfs_state_data',` ######################################## ## @@ -89284,7 +89338,7 @@ index 0bf13c2..4f3c2b9 100644 ## ## ## -@@ -366,31 +403,68 @@ interface(`rpc_manage_nfs_state_data',` +@@ -366,31 +422,68 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) @@ -89359,7 +89413,7 @@ index 0bf13c2..4f3c2b9 100644 ') allow $1 rpc_domain:process { ptrace signal_perms }; -@@ -411,7 +485,7 @@ interface(`rpc_admin',` +@@ -411,7 +504,7 @@ interface(`rpc_admin',` admin_pattern($1, rpcd_var_run_t) files_list_all($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index 679c704..cb9ffd3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 187%{?dist} +Release: 188%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
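Review bot: The summary for the new `rpc_manage_nfs_state_data_dir` interface reads `## Manage NFS state data in /var/lib/nfs.`, identical to the existing `rpc_manage_nfs_state_data` although this one grants only `dir manage_dir_perms`; `## Manage NFS state data directories in /var/lib/nfs.` would distinguish the two. For consistency with `rpc_manage_nfs_state_data` in the following hunk, which uses `manage_files_pattern`, the body would more idiomatically be `manage_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)` rather than a bare `allow`; the pattern expands to the same dir permissions on `var_lib_nfs_t`, so the compiled rules are unchanged. Callers such as `glusterd_t` in the glusterd.te hunk gain create/delete on the whole `/var/lib/nfs` tree, which the interface summary should say plainly.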
@@ -645,6 +645,15 @@ exit 0 %endif %changelog +* Tue May 24 2016 Lukas Vrabec 3.13.1-188 +- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t +- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t. BZ(1335954) +- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus. +- dnsmasq: allow NetworkManager to control dnsmasq via D-Bus +- Allow systemd_resolved_t to check if ipv6 is disabled. +- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120 +- Label /dev/xen/privcmd as xen_device_t. BZ(1334115) + * Mon May 16 2016 Lukas Vrabec 3.13.1-187 - Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. - Allow zabbix to connect to postgresql port