diff --git a/container-selinux.tgz b/container-selinux.tgz
index 1955292..b5fe483 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 609038c..b0e3e06 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -96252,7 +96252,7 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..9879f95
+index 0000000..cc29a06
 --- /dev/null
 +++ b/sandbox.if
 @@ -0,0 +1,96 @@
@@ -96348,9 +96348,9 @@ index 0000000..9879f95
 + auth_reader_shadow($1_t)
 + auth_writer_shadow($1_t)
 +
-+ optional_policy(`
-+ unconfined_typebounds($1_t)
-+ ')
++ #optional_policy(`
++ # unconfined_typebounds($1_t)
++ #')
 +')
 diff --git a/sandbox.te b/sandbox.te
 new file mode 100644
@@ -96434,7 +96434,7 @@ index 0000000..6caef63
 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..964ccbf
+index 0000000..98dc14e
 --- /dev/null
 +++ b/sandboxX.if
 @@ -0,0 +1,401 @@
@@ -96573,10 +96573,10 @@ index 0000000..964ccbf
 + allow $1_client_t $1_t:unix_stream_socket connectto;
 + allow $1_t $1_client_t:unix_stream_socket connectto;
 +
-+ optional_policy(`
-+ unconfined_typebounds($1_t)
-+ unconfined_typebounds($1_client_t)
-+ ')
++ #optional_policy(`
++ # unconfined_typebounds($1_t)
++ # unconfined_typebounds($1_client_t)
++ #')
 +')
 +
 +########################################
@@ -111880,7 +111880,7 @@ index a4f20bc..9777de2 100644
 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index facdee8..1c4817b 100644
+index facdee8..2cff369 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -1,120 +1,111 @@
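Review bot: Commenting out `unconfined_typebounds($1_t)` in the sandbox.if hunk at -96348 removes the typebounds that capped every `$1_t` sandbox domain's permissions at those of unconfined_t, and the same thing is done for `$1_t`/`$1_client_t` in the sandboxX.if hunk at -96573 and for `container_runtime_typebounds($1_t)` in the virt.if hunk at -113628, so the generated policy no longer enforces that these domains cannot exceed their parent. The only explanation lives in the spec changelog; a reader of the interface file sees three commented-out lines with no reason and no signal that they are meant to come back. Rather than leaving the block commented, replace it with a note that records the cause and a tracker, e.g. `# typebounds against unconfined_t disabled: entrypoint check fails for sandbox domains, see <BUG-ID placeholder>`, so the bound can be re-enabled once the entrypoint issue is fixed. The enclosing interface whose `')` closes at the end of each hunk starts outside the hunk.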
@@ -113628,9 +113628,9 @@ index facdee8..1c4817b 100644
 + kernel_read_system_state($1_t)
 + kernel_read_all_proc($1_t)
 +
-+ optional_policy(`
-+ container_runtime_typebounds($1_t)
-+ ')
++ # optional_policy(`
++ # container_runtime_typebounds($1_t)
++ # ')
  ')
  
  ########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 111cf10..65c7dfb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -676,6 +676,8 @@ exit 0
 %changelog
 * Fri Oct 14 2016 Miroslav Grepl - 3.13.1-220
+- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.
+- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.
 - Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)
 - Rename docker intefaces to container
 - Merge pull request #167 from rhatdan/container
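Review bot: The comment prefix in the virt.if hunk at -113628 (`# optional_policy(`, `# ')` with a space after the hash) does not match the `#optional_policy(` / `#')` form used for the equivalent blocks in sandbox.if and sandboxX.if earlier in this commit, so the three disabled blocks cannot be found with one search. The changelog says this one is disabled only because of a build-time typebounds problem, which is a different and presumably temporary cause than the sandbox entrypoint issue; a one-line comment in place of the dead block, e.g. `# container_runtime_typebounds($1_t) disabled: typebounds fails at build time, see <BUG-ID placeholder>`, would state that and keep the form consistent. The enclosing interface, closed by the `')` context line at the end of the hunk, starts outside the hunk.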