diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 9c9c4d4..6e99a9d 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 5e5cccc..9a9cb7e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -26525,10 +26525,10 @@ index 0000000..03faeac
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..31076d7
+index 0000000..bca9f3c
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,345 @@
+@@ -0,0 +1,349 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -26766,6 +26766,10 @@ index 0000000..31076d7
 +		gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
 +	')
 +
++    optional_policy(`
++        gnome_filetrans_cert_home_content(unconfined_t)
++    ')
++
 +	optional_policy(`
 +		ipsec_mgmt_dbus_chat(unconfined_t)
 +	')
@@ -48023,10 +48027,10 @@ index 0000000..3380372
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..d8fdd7b
+index 0000000..6c16f21
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,920 @@
+@@ -0,0 +1,928 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -48870,11 +48874,14 @@ index 0000000..d8fdd7b
 +# systemd_gpt_generator domain
 +#
 +
++allow systemd_gpt_generator_t self:capability sys_rawio;
++
 +dev_read_sysfs(systemd_gpt_generator_t)
 +dev_write_kmsg(systemd_gpt_generator_t)
 +dev_read_nvme(systemd_gpt_generator_t)
 +
 +storage_raw_read_fixed_disk(systemd_gpt_generator_t)
++storage_raw_read_removable_device(systemd_gpt_generator_t)
 +
 +allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms;
 +systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file)
@@ -48889,6 +48896,7 @@ index 0000000..d8fdd7b
 +allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
 +allow systemd_resolved_t self:process setcap;
 +allow systemd_resolved_t self:tcp_socket { accept listen };
++allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 +manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
@@ -48899,9 +48907,13 @@ index 0000000..d8fdd7b
 +
 +kernel_dgram_send(systemd_resolved_t)
 +
++auth_read_passwd(systemd_resolved_t)
++
 +corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 +corenet_udp_bind_llmnr_port(systemd_resolved_t)
 +
++dev_write_kmsg(systemd_resolved_t)
++
 +sysnet_manage_config(systemd_resolved_t)
 +
 +optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 31b767e..f8463ff 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -31776,11 +31776,11 @@ index 0000000..fc9bf19
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..b974353
+index 0000000..74ec2fd
 --- /dev/null
 +++ b/glusterd.te
 @@ -0,0 +1,295 @@
-+policy_module(glusterfs, 1.1.2)
++policy_module(glusterd, 1.1.3)
 +
 +## <desc>
 +## <p>
@@ -32360,7 +32360,7 @@ index e39de43..5edcb83 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index ab09d61..0734f6b 100644
+index ab09d61..980f1f6 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,52 +1,76 @@
@@ -33409,7 +33409,7 @@ index ab09d61..0734f6b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +815,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
  ##	</summary>
  ## </param>
  #
@@ -34318,6 +34318,24 @@ index ab09d61..0734f6b 100644
 +    gnome_cache_filetrans($1, config_home_t, dir, "dconf")
 +')
 +
++######################################
++## <summary>
++##  File name transition for generic home content files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`gnome_filetrans_cert_home_content',`
++    gen_require(`
++            type home_cert_t;
++    ')
++
++    gnome_data_filetrans($1, home_cert_t, dir, "certificates")
++')
++
 +########################################
 +## <summary>
 +##	Create gnome directory in the /root directory
@@ -67157,9 +67175,15 @@ index bf59ef7..0e33327 100644
 +')
 +
 diff --git a/passenger.te b/passenger.te
-index 08ec33b..3b92c4d 100644
+index 08ec33b..3ad995c 100644
 --- a/passenger.te
 +++ b/passenger.te
+@@ -1,4 +1,4 @@
+-policy_module(passanger, 1.1.1)
++policy_module(passenger, 1.1.2)
+ 
+ ########################################
+ #
 @@ -14,6 +14,9 @@ role system_r types passenger_t;
  type passenger_log_t;
  logging_log_file(passenger_log_t)
@@ -87969,11 +87993,11 @@ index 0000000..0be4cee
 +')
 diff --git a/rkhunter.te b/rkhunter.te
 new file mode 100644
-index 0000000..aa2d09e
+index 0000000..44de480
 --- /dev/null
 +++ b/rkhunter.te
 @@ -0,0 +1,4 @@
-+policy_module(rhhunter, 1.0)
++policy_module(rkhunter, 1.1)
 +
 +type rkhunter_var_lib_t;
 +files_type(rkhunter_var_lib_t)
@@ -103246,11 +103270,11 @@ index 0000000..80c6480
 +')
 diff --git a/stapserver.te b/stapserver.te
 new file mode 100644
-index 0000000..bc92f68
+index 0000000..e847ea3
 --- /dev/null
 +++ b/stapserver.te
 @@ -0,0 +1,114 @@
-+policy_module(systemtap, 1.1.0)
++policy_module(stapserver, 1.1.1)
 +
 +########################################
 +#
@@ -111647,7 +111671,7 @@ index facdee8..816d860 100644
 +        ps_process_pattern(virtd_t, $1)
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..2a1d3e5 100644
+index f03dcf5..5e41cd6 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,451 +1,395 @@
@@ -113207,7 +113231,7 @@ index f03dcf5..2a1d3e5 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1237,355 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -113290,7 +113314,6 @@ index f03dcf5..2a1d3e5 100644
 +manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
-+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
 +allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
 +allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto };
 +virt_mounton_sandbox_file(svirt_sandbox_domain)
@@ -113704,7 +113727,7 @@ index f03dcf5..2a1d3e5 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -113719,7 +113742,7 @@ index f03dcf5..2a1d3e5 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,7 +1616,7 @@ optional_policy(`
+@@ -1192,7 +1615,7 @@ optional_policy(`
  
  ########################################
  #
@@ -113728,7 +113751,7 @@ index f03dcf5..2a1d3e5 100644
  #
  
  allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1625,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 833b264..aa9e7a9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 181%{?dist}
+Release: 182%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -653,6 +653,15 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-182
+- rename several contrib modules according to their filenames
+- Add interface gnome_filetrans_cert_home_content()
+- By default container domains should not be allowed to create devices
+- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
+- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
+- Allow systemd gpt generator to read removable devices. BZ(1323458)
+- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands  BZ(1323454)
+
 * Fri Apr 01 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-181
 - Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
 - /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)