diff --git a/Makefile.toml b/Makefile.toml index 8aa93462d4b..46d938bf2ee 100644 --- a/Makefile.toml +++ b/Makefile.toml @@ -28,7 +28,7 @@ DOCKER_BUILDKIT = "1" [env.development] # Defined here to allow us to override ${BUILDSYS_ARCH} on the command line. -BUILDSYS_SDK_IMAGE = "bottlerocket/sdk-${BUILDSYS_ARCH}:v0.10.1" +BUILDSYS_SDK_IMAGE = "bottlerocket/sdk-${BUILDSYS_ARCH}:v0.11.0" # Extra flags used when spawning containers. # # ex: BUILDSYS_DOCKER_RUN_ARGS="--network=host --dns=127.0.0.53" diff --git a/macros/shared b/macros/shared index 15d3fdb13b1..8976f7edaed 100644 --- a/macros/shared +++ b/macros/shared @@ -93,6 +93,7 @@ pkgconfig = '/usr/bin/pkg-config'\ [properties]\ c_args = [%{_cross_c_args}]\ c_link_args = [%{_cross_c_link_args}]\ +pkg_config_libdir = '%{_cross_pkgconfigdir}'\ [host_machine]\ system = 'linux'\ cpu_family ='%{_cross_cpu_family}'\ diff --git a/packages/glibc/glibc.spec b/packages/glibc/glibc.spec index dcb8bd7e39f..6d7edc47960 100644 --- a/packages/glibc/glibc.spec +++ b/packages/glibc/glibc.spec @@ -37,7 +37,7 @@ CFLAGS="${BUILDFLAGS}" CPPFLAGS="" CXXFLAGS="${BUILDFLAGS}" \ --build="%{_build}" \ --with-headers="%{_cross_includedir}" \ --enable-bind-now \ - --enable-kernel="4.19" \ + --enable-kernel="5.4.0" \ --enable-shared \ --enable-stack-protector=strong \ --enable-static-pie \ diff --git a/packages/selinux-policy/files.cil b/packages/selinux-policy/files.cil index 455d5437ad3..88393f6d583 100644 --- a/packages/selinux-policy/files.cil +++ b/packages/selinux-policy/files.cil @@ -89,7 +89,7 @@ (classpermissionset relabel_fifo_file ( fifo_file (relabelfrom relabelto))) (classpermissionset relabel_filesystem ( - filesystem (associate relabelfrom relabelto transition))) + filesystem (associate relabelfrom relabelto))) (classpermissionset relabel_kernel_service ( kernel_service (create_files_as))) 
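Review bot: The added `pkg_config_libdir` line in the `[properties]` section has no explanation, yet it appears to be what stops the build host's `/usr/bin/pkg-config` (named in the hunk header) from resolving `.pc` files outside the cross sysroot. Every line of the macro body ends in a continuation, so the comment belongs above the macro definition, which starts outside this hunk: `# pkg_config_libdir confines pkg-config to the cross sysroot so build-host .pc files cannot leak into target builds.` It is also worth confirming that `%{_cross_pkgconfigdir}` is defined wherever this macro expands, because RPM leaves an undefined macro as literal text instead of raising an error.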
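Review bot: Raising `--enable-kernel` to `5.4.0` in the configure call means this glibc will refuse to start on any older kernel, and nothing in the hunk ties the value to the kernel the images actually ship. The configure invocation starts outside this hunk, so the comment belongs above it: `# Must not exceed the oldest kernel any variant ships; glibc aborts at startup on anything older.` Before merging, confirm that no variant still boots a 4.19 kernel.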
@@ -103,19 +103,19 @@ (classpermission mount_fifo_file) (classpermission mount_filesystem) (classpermissionset mount_file ( - file (mounton quotaon swapon))) + file (mounton quotaon))) (classpermissionset mount_dir ( - dir (mounton quotaon swapon))) + dir (mounton quotaon))) (classpermissionset mount_lnk_file ( - lnk_file (mounton quotaon swapon))) + lnk_file (mounton quotaon))) (classpermissionset mount_chr_file ( - chr_file (mounton quotaon swapon))) + chr_file (mounton quotaon))) (classpermissionset mount_blk_file ( - blk_file (mounton quotaon swapon))) + blk_file (mounton quotaon))) (classpermissionset mount_sock_file ( - sock_file (mounton quotaon swapon))) + sock_file (mounton quotaon))) (classpermissionset mount_fifo_file ( - fifo_file (mounton quotaon swapon))) + fifo_file (mounton quotaon))) (classpermissionset mount_filesystem ( filesystem (mount quotamod remount unmount))) 
@@ -216,36 +216,36 @@ file (not ( entrypoint execute_no_trans execute ioctl getattr map open read execmod - relabelfrom relabelto mounton quotaon swapon + relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_dir ( dir (not ( search execute ioctl getattr map open read execmod - relabelfrom relabelto mounton quotaon swapon + relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_lnk_file ( lnk_file (not ( execute ioctl getattr map open read execmod - relabelfrom relabelto mounton quotaon swapon + relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_chr_file ( chr_file (not ( execute ioctl getattr map open read execmod - relabelfrom relabelto mounton quotaon swapon + relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_blk_file ( blk_file (not ( execute ioctl getattr map open read execmod - relabelfrom relabelto mounton quotaon swapon + relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_sock_file ( sock_file (not ( execute ioctl getattr map open read execmod - relabelfrom relabelto mounton quotaon swapon + relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_fifo_file ( fifo_file (not ( execute ioctl getattr map open read execmod - relabelfrom relabelto mounton quotaon swapon + relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) diff --git a/tools/docker-go b/tools/docker-go index bae49199a10..d89e90a48c9 100755 --- a/tools/docker-go +++ b/tools/docker-go 
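Review bot: In the `mutate_*` sets the permission list sits inside `not ( … )`, so removing `swapon` from it widens each set unless `swapon` is also gone from the class or common declaration, which this diff does not show. The earlier hunks at -89 and -103 edit positive lists and can only narrow what is granted, so this hunk is the one that needs the check. If the permission is still declared in whatever the policy is compiled against, every rule that uses `mutate_file` through `mutate_fifo_file` now allows it. A comment above the first set would record the dependency: `; Complement sets: any permission declared for the class is granted here unless it is listed below.`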
@@ -68,6 +68,7 @@ docker run --rm \ -e GOPATH='/tmp/go' \ "${proxy_env[@]}" \ --user "$(id -u):$(id -g)" \ + --security-opt label:disable \ ${DOCKER_RUN_ARGS} \ -v "${GO_MOD_CACHE}":/tmp/go/pkg/mod \ -v "${GO_MODULE_PATH}":/usr/src/host-ctr \
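Review bot: `--security-opt label:disable` turns off SELinux label separation for the whole container rather than only making the two bind mounts accessible, and the hunk gives no reason for it. Presumably it is there so that `${GO_MOD_CACHE}` and `${GO_MODULE_PATH}` can be read on SELinux-enforcing hosts. If so, say that above the `docker run` command, which starts and continues outside this hunk; a comment cannot sit between continued lines. Something like `# label:disable: host bind mounts are not labelled for container access on SELinux-enforcing hosts.` would do. If relabelling the mounts with `:z` is acceptable for those two paths, that would keep the label separation in place; otherwise the comment should state why it is not.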