diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 32cd82d..2be1b57 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -20798,7 +20798,7 @@ index 62d22cb..89671dd 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
diff --git a/dbus.te b/dbus.te
-index c9998c8..8b8b691 100644
+index c9998c8..9c12159 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@@ -20842,7 +20842,7 @@ index c9998c8..8b8b691 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,61 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,62 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
@@ -20890,12 +20890,13 @@ index c9998c8..8b8b691 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-
+-
-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_shell(system_dbusd_t)
--
++kernel_stream_connect(system_dbusd_t)
+
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
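Review bot: The added `kernel_stream_connect(system_dbusd_t)` carries no comment saying which socket the bus daemon needs to reach, and the changelog entry ("talk to kernel stream") does not say either. Going by its name, the interface lets the domain connect to stream sockets labelled with the kernel type, which deserves a stated reason for a daemon as central as system_dbusd_t. I would add a line above it such as `# <socket path or AVC reference>: dbus-daemon connects to a stream socket labelled kernel_t`, and do the same for the `kernel_stream_connect(session_bus_type)` call added in the last dbus.te hunk. The surrounding dbus.te policy block starts and ends outside this hunk.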
@@ -20921,7 +20922,7 @@ index c9998c8..8b8b691 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +121,160 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +122,162 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -21028,6 +21029,8 @@ index c9998c8..8b8b691 100644
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
+
++allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms;
++
+fs_search_all(system_bus_type)
+
+dbus_system_bus_client(system_bus_type)
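Review bot: `rw_socket_perms` on the added `allow system_bus_type system_dbusd_t:unix_stream_socket` line looks wider than the changelog's stated goal of using stream sockets inherited from system_dbusd. In the reference policy that permission set also carries `bind`, `connect`, `setattr` and `setopt`, and the rule applies to every type that has the system_bus_type attribute. If the denials only show use of an already-open descriptor, `allow system_bus_type system_dbusd_t:unix_stream_socket { getattr read write };` would cover it; please confirm against the AVCs. The enclosing dbus.te section starts and ends outside this hunk.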
@@ -21040,7 +21043,7 @@ index c9998c8..8b8b691 100644
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
-+
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
@@ -21055,7 +21058,7 @@ index c9998c8..8b8b691 100644
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
-
++
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
@@ -21096,7 +21099,7 @@ index c9998c8..8b8b691 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +283,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +286,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -21121,7 +21124,7 @@ index c9998c8..8b8b691 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +302,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +305,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -21129,7 +21132,7 @@ index c9998c8..8b8b691 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +311,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +314,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -21171,7 +21174,7 @@ index c9998c8..8b8b691 100644
')
########################################
-@@ -244,5 +348,6 @@ optional_policy(`
+@@ -244,5 +351,9 @@ optional_policy(`
# Unconfined access to this module
#
@@ -21180,6 +21183,9 @@ index c9998c8..8b8b691 100644
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
++
++kernel_stream_connect(session_bus_type)
++systemd_login_read_pid_files(session_bus_type)
diff --git a/dcc.fc b/dcc.fc
index 62d3c4e..cef59a7 100644
--- a/dcc.fc
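Review bot: The two new session_bus_type calls are appended after the `dbusd_unconfined` allow rules, under the "Unconfined access to this module" banner, so anyone auditing the session bus rules will not find them with the other `session_bus_type` lines earlier in dbus.te. `systemd_login_read_pid_files(session_bus_type)` is also called bare here, while kmscon.te in this same patch calls that interface inside an `optional_policy` block; if the systemd module can be absent in any build, this call should be wrapped the same way. The changelog does not mention the logind pid-file read for session buses, so a one-line comment giving the reason would help.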
@@ -36317,10 +36323,10 @@ index 0000000..9d32f23
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
-index 0000000..5de3229
+index 0000000..1b313e8
--- /dev/null
+++ b/journalctl.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,47 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
@@ -36356,15 +36362,18 @@ index 0000000..5de3229
+
+fs_getattr_all_fs(journalctl_t)
+
++auth_use_nsswitch(journalctl_t)
++
++miscfiles_read_localization(journalctl_t)
++
++logging_read_generic_logs(journalctl_t)
++
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
+userdom_write_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
-+
-+miscfiles_read_localization(journalctl_t)
-+logging_read_generic_logs(journalctl_t)
diff --git a/kde.fc b/kde.fc
new file mode 100644
index 0000000..25e4b68
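Review bot: `auth_use_nsswitch(journalctl_t)` grants more than the changelog's "call getpw" strictly needs when accounts are local. As far as I know that interface covers every configured name-service backend, including network lookups, whereas kmscon.te in this same patch gets by with `auth_read_passwd`. journalctl_t already has read/write access to inherited user home content files, so adding outbound name-service access to the same domain deserves a stated reason. If only /etc/passwd resolution was denied, `auth_read_passwd(journalctl_t)` would be the narrower choice; otherwise a comment naming the backend that required nsswitch would be enough.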
@@ -38747,6 +38756,137 @@ index 8ad0d4d..c070420 100644
optional_policy(`
dbus_system_bus_client(kismet_t)
+diff --git a/kmscon.fc b/kmscon.fc
+new file mode 100644
+index 0000000..ccd29c0
+--- /dev/null
++++ b/kmscon.fc
+@@ -0,0 +1,3 @@
++/usr/bin/kmscon -- gen_context(system_u:object_r:kmscon_exec_t,s0)
++/usr/lib/systemd/system/kmscon.*\.* -- gen_context(system_u:object_r:kmscon_unit_file_t,s0)
++/etc/kmscon(/.*)? gen_context(system_u:object_r:kmscon_conf_t,s0)
+diff --git a/kmscon.if b/kmscon.if
+new file mode 100644
+index 0000000..ab52e25
+--- /dev/null
++++ b/kmscon.if
+@@ -0,0 +1,24 @@
++## Terminal emulator for Linux graphical console
++
++########################################
++##
++## Execute kmscon in the kmscon domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`kmscon_systemctl',`
++ gen_require(`
++ type kmscon_unit_file_t;
++ type kmscon_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 kmscon_unit_file_t:file read_file_perms;
++ allow $1 kmscon_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, kmscon_t)
++')
+diff --git a/kmscon.te b/kmscon.te
+new file mode 100644
+index 0000000..be3d5d6
+--- /dev/null
++++ b/kmscon.te
+@@ -0,0 +1,86 @@
++# KMSCon SELinux policy module
++# Contributed by Lubomir Rintel
++
++########################################
++#
++# Declarations
++#
++policy_module(kmscon, 1.0)
++
++type kmscon_t;
++type kmscon_exec_t;
++init_daemon_domain(kmscon_t, kmscon_exec_t)
++
++type kmscon_conf_t;
++files_config_file(kmscon_conf_t)
++
++type kmscon_unit_file_t;
++systemd_unit_file(kmscon_unit_file_t)
++
++type kmscon_devpts_t;
++term_pty(kmscon_devpts_t)
++# Label this as t, so that login_t can read our terminal with use_all_ttys()
++term_tty(kmscon_devpts_t)
++
++########################################
++#
++# zoneminder local policy
++#
++
++# Switch the VT into a graphics mode ; Set DRM master
++allow kmscon_t self:capability {sys_admin sys_tty_config};
++
++dontaudit kmscon_t self:capability2 block_suspend;
++
++# Create an udev monitor
++allow kmscon_t self:netlink_kobject_uevent_socket { bind create setopt getattr };
++
++allow kmscon_t kmscon_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
++term_create_pty(kmscon_t, kmscon_devpts_t)
++
++list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
++read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
++
++auth_read_passwd(kmscon_t)
++
++dev_rw_dri(kmscon_t)
++dev_read_sysfs(kmscon_t)
++dev_read_framebuffer(kmscon_t)
++dev_write_framebuffer(kmscon_t)
++dev_rw_input_dev(kmscon_t)
++
++# Get allowed path length for directory with modules
++fs_getattr_xattr_fs(kmscon_t)
++
++locallogin_domtrans(kmscon_t)
++
++miscfiles_read_fonts(kmscon_t)
++miscfiles_manage_fonts_cache(kmscon_t)
++
++# Open the tty, so that it can be handed over to the seat manager
++term_use_unallocated_ttys(kmscon_t)
++
++optional_policy(`
++ # Learn about the input devices
++ udev_read_db(kmscon_t)
++')
++
++optional_policy(`
++ # Fontconfig and Pango configuration
++ gnome_read_home_config(kmscon_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(kmscon_t)
++ init_dbus_chat(kmscon_t)
++
++ optional_policy(`
++ systemd_dbus_chat_logind(kmscon_t)
++
++ # List seats
++ systemd_login_list_pid_dirs(kmscon_t)
++ systemd_login_read_pid_files(kmscon_t)
++
++ kmscon_systemctl(systemd_logind_t)
++ ')
++')
diff --git a/ksmtuned.fc b/ksmtuned.fc
index e736c45..4b1e1e4 100644
--- a/ksmtuned.fc
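Review bot: The documentation and banners in the new kmscon files do not match what the rules grant, which matters because `kmscon_systemctl(systemd_logind_t)` is called at the end of kmscon.te. The interface header in kmscon.if says "Execute kmscon in the kmscon domain" and "Domain allowed to transition", but the body grants systemctl execution, `manage_service_perms` on `kmscon_unit_file_t` and `ps_process_pattern` on `kmscon_t`; I would reword it to `## Execute systemctl on, and manage, the kmscon unit files.` and `## Domain allowed to manage the kmscon service.`. The kmscon.te section banner reads `# zoneminder local policy` and should be `# kmscon local policy`. Separately, `allow kmscon_t self:capability {sys_admin sys_tty_config};` gives `sys_admin` to a domain that also transitions to local login; the comment explains it (DRM master), but it is worth recording whether a narrower grant was tried.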
@@ -80482,7 +80622,7 @@ index ccb5991..189ac01 100644
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
diff --git a/rpc.fc b/rpc.fc
-index a6fb30c..b0c22f7 100644
+index a6fb30c..38a2f09 100644
--- a/rpc.fc
+++ b/rpc.fc
@@ -1,12 +1,23 @@
@@ -80515,7 +80655,7 @@ index a6fb30c..b0c22f7 100644
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
-@@ -16,7 +27,11 @@
+@@ -16,7 +27,12 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
@@ -80525,6 +80665,7 @@ index a6fb30c..b0c22f7 100644
+#
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
++/var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
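Review bot: The added `/var/run/sm-notify.*` entry is looser than the entries around it. The dot is unescaped, nothing follows the wildcard, and there is no file-type field, so any object in /var/run whose name begins with `sm-notify` gets `rpcd_var_run_t`. The changelog says the goal is the sm-notify pid file, and the neighbouring `/var/run/rpc\.statd\.pid` line shows the tighter form. I would write it as `/var/run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)`, assuming that is the only file sm-notify creates there.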
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1dbf05e..4506690 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 58%{?dist}
+Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jun 17 2014 Miroslav Grepl 3.13.1-59
+- Allow system_bus_types to use stream_sockets inherited from system_dbusd
+- Allow journalctl to call getpw
+- New access needed by dbus to talk to kernel stream
+- Label sm-notifypid files correctly
+- contrib: Add KMSCon policy module
+
* Wed Jun 11 2014 Miroslav Grepl 3.13.1-58
- Add mozilla_plugin_use_bluejeans boolean
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean