diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 486f14cf..2a3cd569 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 097cf35c..6b2dbbce 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -6416,7 +6416,7 @@ index 3f6e168..340e49f 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..ab7c054 100644
+index b31c054..891ace5 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -6475,16 +6475,18 @@ index b31c054..ab7c054 100644
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
-@@ -80,6 +93,8 @@
+@@ -80,7 +93,10 @@
/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/nvme.* -c gen_context(system_u:object_r:nvme_device_t,s0)
+/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
++/dev/ndctl[0-9] -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -90,6 +105,7 @@
+ /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
+@@ -90,6 +106,7 @@
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
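Review bot: The added entry `/dev/ndctl[0-9]` matches exactly one trailing digit, because file-context patterns are matched against the whole path. A node named ndctl10 or higher would miss it and pick up whatever broader /dev rule applies. Other numbered devices in this file use an open-ended form (`/dev/tpm[0-9]*` further down), so consider `/dev/ndctl[0-9]+ -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)`. The entry also reuses nvram_device_t instead of a dedicated type, so every domain already allowed on /dev/nvram gets the same access to the ndctl nodes. If that is intended, a one-line comment above the entry saying so would help; the devices.fc section continues outside this hunk.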
@@ -6492,7 +6494,7 @@ index b31c054..ab7c054 100644
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-@@ -106,6 +122,7 @@
+@@ -106,6 +123,7 @@
/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
@@ -6500,7 +6502,7 @@ index b31c054..ab7c054 100644
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +135,12 @@
+@@ -118,6 +136,12 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
@@ -6513,7 +6515,7 @@ index b31c054..ab7c054 100644
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +152,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +153,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -6528,7 +6530,7 @@ index b31c054..ab7c054 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,15 +197,21 @@ ifdef(`distro_suse', `
+@@ -172,15 +198,21 @@ ifdef(`distro_suse', `
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -6550,7 +6552,7 @@ index b31c054..ab7c054 100644
ifdef(`distro_debian',`
# this is a static /dev dir "backup mount"
-@@ -198,12 +229,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +230,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -37011,7 +37013,7 @@ index 79a45f6..9926eaf 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..0a4a187 100644
+index 17eda24..28999af 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -37310,7 +37312,7 @@ index 17eda24..0a4a187 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +326,258 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +326,259 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -37500,6 +37502,7 @@ index 17eda24..0a4a187 100644
+systemd_manage_unit_symlinks(initrc_t)
+systemd_config_all_services(initrc_t)
+systemd_read_unit_files(initrc_t)
++systemd_login_status(init_t)
+
+create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
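Review bot: The added `systemd_login_status(init_t)` sits directly after three `systemd_*` calls that all take initrc_t, so it reads like a typo even if init_t is the intended source domain. If init_t is correct, place the line with the other init_t rules or add a comment such as `# init_t (not initrc_t) needs status on the logind unit`, with wording to be confirmed by the author. That keeps the grant from being "corrected" to initrc_t later, which would silently widen the init-script domain. The enclosing block starts and ends outside this hunk, so it is not visible here whether the call is wrapped in an `optional_policy`.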
@@ -37578,7 +37581,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -216,7 +585,30 @@ optional_policy(`
+@@ -216,7 +586,30 @@ optional_policy(`
')
optional_policy(`
@@ -37610,7 +37613,7 @@ index 17eda24..0a4a187 100644
')
########################################
-@@ -225,9 +617,9 @@ optional_policy(`
+@@ -225,9 +618,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -37622,7 +37625,7 @@ index 17eda24..0a4a187 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +650,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +651,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -37639,7 +37642,7 @@ index 17eda24..0a4a187 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +675,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +676,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -37682,7 +37685,7 @@ index 17eda24..0a4a187 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +712,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +713,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -37694,7 +37697,7 @@ index 17eda24..0a4a187 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +724,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +725,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -37705,7 +37708,7 @@ index 17eda24..0a4a187 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +735,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +736,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -37715,7 +37718,7 @@ index 17eda24..0a4a187 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +744,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +745,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -37723,7 +37726,7 @@ index 17eda24..0a4a187 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +751,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +752,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -37731,7 +37734,7 @@ index 17eda24..0a4a187 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +759,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +760,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -37749,7 +37752,7 @@ index 17eda24..0a4a187 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +777,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +778,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -37763,7 +37766,7 @@ index 17eda24..0a4a187 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +792,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +793,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -37777,7 +37780,7 @@ index 17eda24..0a4a187 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +805,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +806,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -37788,7 +37791,7 @@ index 17eda24..0a4a187 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +818,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +819,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -37796,7 +37799,7 @@ index 17eda24..0a4a187 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +837,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +838,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -37820,7 +37823,7 @@ index 17eda24..0a4a187 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +870,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +871,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -37828,7 +37831,7 @@ index 17eda24..0a4a187 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +904,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +905,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -37839,7 +37842,7 @@ index 17eda24..0a4a187 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +928,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +929,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -37848,7 +37851,7 @@ index 17eda24..0a4a187 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +943,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +944,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -37856,7 +37859,7 @@ index 17eda24..0a4a187 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +964,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +965,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -37864,7 +37867,7 @@ index 17eda24..0a4a187 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +974,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +975,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -37909,7 +37912,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -559,14 +1019,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1020,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -37941,7 +37944,7 @@ index 17eda24..0a4a187 100644
')
')
-@@ -577,6 +1054,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1055,39 @@ ifdef(`distro_suse',`
')
')
@@ -37981,7 +37984,7 @@ index 17eda24..0a4a187 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1099,8 @@ optional_policy(`
+@@ -589,6 +1100,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -37990,7 +37993,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -610,6 +1122,7 @@ optional_policy(`
+@@ -610,6 +1123,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -37998,7 +38001,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -626,6 +1139,17 @@ optional_policy(`
+@@ -626,6 +1140,17 @@ optional_policy(`
')
optional_policy(`
@@ -38016,7 +38019,7 @@ index 17eda24..0a4a187 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1166,13 @@ optional_policy(`
+@@ -642,9 +1167,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -38030,7 +38033,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -657,15 +1185,11 @@ optional_policy(`
+@@ -657,15 +1186,11 @@ optional_policy(`
')
optional_policy(`
@@ -38048,7 +38051,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -686,6 +1210,15 @@ optional_policy(`
+@@ -686,6 +1211,15 @@ optional_policy(`
')
optional_policy(`
@@ -38064,7 +38067,7 @@ index 17eda24..0a4a187 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1259,7 @@ optional_policy(`
+@@ -726,6 +1260,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -38072,7 +38075,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -743,7 +1277,13 @@ optional_policy(`
+@@ -743,7 +1278,13 @@ optional_policy(`
')
optional_policy(`
@@ -38087,7 +38090,7 @@ index 17eda24..0a4a187 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1306,10 @@ optional_policy(`
+@@ -766,6 +1307,10 @@ optional_policy(`
')
optional_policy(`
@@ -38098,7 +38101,7 @@ index 17eda24..0a4a187 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1319,20 @@ optional_policy(`
+@@ -775,10 +1320,20 @@ optional_policy(`
')
optional_policy(`
@@ -38119,7 +38122,7 @@ index 17eda24..0a4a187 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1341,10 @@ optional_policy(`
+@@ -787,6 +1342,10 @@ optional_policy(`
')
optional_policy(`
@@ -38130,7 +38133,7 @@ index 17eda24..0a4a187 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1366,6 @@ optional_policy(`
+@@ -808,8 +1367,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -38139,7 +38142,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -818,6 +1374,10 @@ optional_policy(`
+@@ -818,6 +1375,10 @@ optional_policy(`
')
optional_policy(`
@@ -38150,7 +38153,7 @@ index 17eda24..0a4a187 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1387,12 @@ optional_policy(`
+@@ -827,10 +1388,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -38163,7 +38166,7 @@ index 17eda24..0a4a187 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1419,62 @@ optional_policy(`
+@@ -857,21 +1420,62 @@ optional_policy(`
')
optional_policy(`
@@ -38227,7 +38230,7 @@ index 17eda24..0a4a187 100644
')
optional_policy(`
-@@ -887,6 +1490,10 @@ optional_policy(`
+@@ -887,6 +1491,10 @@ optional_policy(`
')
optional_policy(`
@@ -38238,7 +38241,7 @@ index 17eda24..0a4a187 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1504,218 @@ optional_policy(`
+@@ -897,3 +1505,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d40c3d30..9cce4605 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -28825,7 +28825,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index 98072a3..50e7985 100644
+index 98072a3..73c5573 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@@ -28894,7 +28894,7 @@ index 98072a3..50e7985 100644
-sysnet_read_config(firewalld_t)
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
-+sysnet_create_config(firewalld_t)
++sysnet_manage_config(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
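Review bot: Replacing `sysnet_create_config(firewalld_t)` with `sysnet_manage_config(firewalld_t)` widens firewalld_t from creating network configuration files to what is presumably the full manage set (write, rename, unlink) on that type; the interface body is not shown here. The grant is per type, not per path, so it would apply to every file carrying the network-config label, not just the one firewalld needs to rewrite. Add a comment above the line naming the file and the denial that motivated it, for example `# firewalld rewrites <config file>; see <bug reference>`, with the author filling in the placeholders. Also check whether a narrower interface or a dedicated type with a file transition would cover the case. The firewalld.te section continues outside this hunk.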
@@ -45847,10 +45847,10 @@ index dd8e01a..9cd6b0b 100644
##
##
++## Allow logrotate to read logs inside ++##
++##