diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index a53f917..2dada19 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a5c7403..ab24bc0 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -35886,7 +35886,7 @@ index c42fbc3..bf211db 100644
 +	files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
 +')
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e..660ef80 100644
+index be8ed1e..bce6063 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@@ -35947,7 +35947,7 @@ index be8ed1e..660ef80 100644
  kernel_use_fds(iptables_t)
  
  # needed by ipvsadm
-@@ -64,6 +74,8 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t)
  corenet_dontaudit_rw_tun_tap_dev(iptables_t)
  
  dev_read_sysfs(iptables_t)
@@ -35956,7 +35956,9 @@ index be8ed1e..660ef80 100644
  
  fs_getattr_xattr_fs(iptables_t)
  fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +84,12 @@ fs_list_inotifyfs(iptables_t)
+ fs_list_inotifyfs(iptables_t)
++fs_read_nsfs_files(iptables_t)
+ 
  mls_file_read_all_levels(iptables_t)
  
  term_dontaudit_use_console(iptables_t)
@@ -35971,7 +35973,7 @@ index be8ed1e..660ef80 100644
  
  auth_use_nsswitch(iptables_t)
  
-@@ -85,15 +98,14 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t)
  # to allow rules to be saved on reboot:
  init_rw_script_tmp_files(iptables_t)
  init_rw_script_stream_sockets(iptables_t)
@@ -35989,7 +35991,7 @@ index be8ed1e..660ef80 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -102,6 +114,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -35999,7 +36001,7 @@ index be8ed1e..660ef80 100644
  ')
  
  optional_policy(`
-@@ -110,6 +125,12 @@ optional_policy(`
+@@ -110,6 +126,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36012,7 +36014,7 @@ index be8ed1e..660ef80 100644
  	modutils_run_insmod(iptables_t, iptables_roles)
  ')
  
-@@ -124,6 +145,16 @@ optional_policy(`
+@@ -124,6 +146,16 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -36029,7 +36031,7 @@ index be8ed1e..660ef80 100644
  ')
  
  optional_policy(`
-@@ -135,9 +166,9 @@ optional_policy(`
+@@ -135,9 +167,9 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d8d0f0f..03b15df 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -108706,10 +108706,10 @@ index 3d11c6a..b19a117 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..374e8ef 100644
+index a4f20bc..58f9c69 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,101 @@
+@@ -1,51 +1,102 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -108762,6 +108762,7 @@ index a4f20bc..374e8ef 100644
  /usr/sbin/libvirt-qmf	--	gen_context(system_u:object_r:virt_qmf_exec_t,s0)
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/sbin/virtlockd --  gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/sbin/virtlogd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virt-who   --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
 +/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6ff9647..ad84a35 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 167%{?dist}
+Release: 168%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,10 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 20 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-168
+- Label virtlogd binary as virtd_exec_t. BZ(1291940)
+- Allow iptables to read nsfs files. BZ(1296826)
+
 * Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
 - Add fwupd policy for daemon to allow session software to update device firmware
 - Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)