diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 7b7b4588..4987b604 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5832,7 +5832,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..5d200ef 100644 +index b31c054..341e29c 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -5880,7 +5880,7 @@ index b31c054..5d200ef 100644 ') +/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/vfio/(vfio)?[0-9]+ -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -14921,7 +14921,7 @@ index 7be4ddf..d5ef507 100644 +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) +/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..ee4c057 100644 +index e100d88..1c1a61c 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -15035,12 +15035,11 @@ index e100d88..ee4c057 100644 ## Do not audit attempts by caller to ## read system state information in proc. ## -@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',` +@@ -1208,6 +1260,24 @@ interface(`kernel_read_messages',` ######################################## ## -+## Allow caller to read kernel messages -+## using the /proc/kmsg interface. ++## Allow caller to mounton the kernel messages file +## +## +## 
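Review bot: Loosening the quantifier to `[0-9]*` lets `/dev/vfio/(vfio)?[0-9]*` match the container node `/dev/vfio/vfio`, but the pattern is now broader than the two node forms it is meant to cover, accepting an empty suffix and `vfio<N>` as well. `/dev/vfio/(vfio|[0-9]+) -c gen_context(system_u:object_r:vfio_device_t,s0)` states the intent directly: the container node plus the numbered group nodes, and nothing else. The `-c` qualifier confines the entry to character devices, so the looser pattern cannot mislabel the `/dev/vfio` directory itself; this is a precision point rather than a functional defect.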
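Review bot: The rewritten summary line `+## Allow caller to mounton the kernel messages file` no longer names the path, unlike the neighbouring kernel.if descriptions on this page, which cite `(/proc/kmsg)`; suggest `## Allow caller to mount on the kernel messages interface (/proc/kmsg).` so the interface can be found by the object it governs. The interface body itself is in the following hunk.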
@@ -15050,10 +15049,10 @@ index e100d88..ee4c057 100644 +# +interface(`kernel_mounton_messages',` + gen_require(` -+ type proc_kmsg_t, proc_t; ++ type proc_kmsg_t; + ') + -+ allow $1 proc_kmsg_t:dir mounton; ++ allow $1 proc_kmsg_t:file mounton; +') + +######################################## @@ -15061,7 +15060,7 @@ index e100d88..ee4c057 100644 ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## -@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1547,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -15086,7 +15085,7 @@ index e100d88..ee4c057 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1750,16 +1839,9 @@ interface(`kernel_rw_unix_sysctls',` +@@ -1750,16 +1838,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## @@ -15104,7 +15103,7 @@ index e100d88..ee4c057 100644 ') ######################################## -@@ -1771,16 +1853,9 @@ interface(`kernel_read_hotplug_sysctls',` +@@ -1771,16 +1852,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -15122,7 +15121,7 @@ index e100d88..ee4c057 100644 ') ######################################## -@@ -1792,16 +1867,9 @@ interface(`kernel_rw_hotplug_sysctls',` +@@ -1792,16 +1866,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -15140,7 +15139,7 @@ index e100d88..ee4c057 100644 ') ######################################## -@@ -1813,16 +1881,9 @@ interface(`kernel_read_modprobe_sysctls',` +@@ -1813,16 +1880,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## @@ -15158,7 +15157,7 @@ index e100d88..ee4c057 100644 ') ######################################## -@@ -2085,7 +2146,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2145,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; 
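Review bot: Changing the class from `dir` to `file` is the right fix for `/proc/kmsg`, but the interface still grants only `allow $1 proc_kmsg_t:file mounton;` and path resolution to that file also needs `search` on `proc_t`, which is presumably why `proc_t` was in the original `gen_require`. Unless every caller is guaranteed to have `kernel_search_proc()` already, keeping `type proc_kmsg_t, proc_t;` and using `search_dirs_pattern($1, proc_t, proc_kmsg_t)` alongside the mounton rule would make the interface self-contained, as the sibling getattr interface for this type appears to be (its body is outside the hunk). Worth stating in the summary that `mounton` here lets the caller mount over what every other domain reads as the kernel log, so the interface should remain limited to init-style domains rather than being folded into broader ones.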
@@ -15167,7 +15166,7 @@ index e100d88..ee4c057 100644 ') ######################################## -@@ -2282,6 +2343,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2342,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -15193,7 +15192,7 @@ index e100d88..ee4c057 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2386,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2385,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -15202,7 +15201,7 @@ index e100d88..ee4c057 100644 ## ## # -@@ -2488,6 +2568,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2567,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -15227,7 +15226,7 @@ index e100d88..ee4c057 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2623,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2622,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -15252,7 +15251,7 @@ index e100d88..ee4c057 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2783,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2782,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -15277,7 +15276,7 @@ index e100d88..ee4c057 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2828,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2827,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## 
@@ -15303,7 +15302,7 @@ index e100d88..ee4c057 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +2956,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +2955,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -15337,7 +15336,7 @@ index e100d88..ee4c057 100644 ######################################## ## -@@ -2958,6 +3138,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3137,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -15362,7 +15361,7 @@ index e100d88..ee4c057 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3170,565 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3169,565 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; diff --git a/selinux-policy.spec b/selinux-policy.spec index 07ae53c0..612727d9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -578,6 +578,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Feb 5 2014 Miroslav Grepl 3.13.1-22 +- Fix /dev/vfio/vfio labeling + * Wed Feb 5 2014 Miroslav Grepl 3.13.1-21 - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi