diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 9763ea9..e2b3421 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index f6f8c8e..7fe17fb 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -35871,7 +35871,7 @@ index 0d4c8d3..537aa42 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..34f5262 100644
+index 312cd04..324b3af 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -35978,7 +35978,7 @@ index 312cd04..34f5262 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,24 +178,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -36004,16 +36004,15 @@ index 312cd04..34f5262 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
- 
- optional_policy(`
-+    iptables_domtrans(ipsec_t)
-+')
++userdom_read_home_certs(ipsec_t)
 +
 +optional_policy(`
- 	seutil_sigchld_newrole(ipsec_t)
- ')
++    iptables_domtrans(ipsec_t)
++')
  
-@@ -182,19 +211,30 @@ optional_policy(`
+ optional_policy(`
+ 	seutil_sigchld_newrole(ipsec_t)
+@@ -182,19 +212,30 @@ optional_policy(`
  	udev_read_db(ipsec_t)
  ')
  
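Review bot: `userdom_read_home_certs(ipsec_t)` is added unconditionally among the ipsec_t rules, so the IPsec daemon domain can read users' home certificate stores on every host, whether or not a per-user VPN certificate is in use. The changelog ties the need to VPN connections (rhbz#1301319). Whether the type behind this interface also covers private key material is not visible from this hunk; if it does, the read is worth gating behind a boolean-controlled `tunable_policy` block. At minimum, add a comment above the line such as `# VPN connections using per-user certificates, rhbz#1301319`. The ipsec_t rules start and continue outside this hunk.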
@@ -36048,7 +36047,7 @@ index 312cd04..34f5262 100644
  
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
  
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -36064,7 +36063,7 @@ index 312cd04..34f5262 100644
  
  # _realsetup needs to be able to cat /var/run/pluto.pid,
  # run ps on that pid, and delete the file
-@@ -246,6 +288,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -36081,7 +36080,7 @@ index 312cd04..34f5262 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +307,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -36090,7 +36089,7 @@ index 312cd04..34f5262 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -269,6 +323,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
  files_read_etc_files(ipsec_mgmt_t)
  files_exec_etc_files(ipsec_mgmt_t)
  files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -36098,7 +36097,7 @@ index 312cd04..34f5262 100644
  files_read_usr_files(ipsec_mgmt_t)
  files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
  files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +333,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -36110,7 +36109,7 @@ index 312cd04..34f5262 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +344,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
  init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
@@ -36144,7 +36143,7 @@ index 312cd04..34f5262 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +389,10 @@ optional_policy(`
+@@ -322,6 +390,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36155,7 +36154,7 @@ index 312cd04..34f5262 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +406,7 @@ optional_policy(`
+@@ -335,7 +407,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -36164,7 +36163,7 @@ index 312cd04..34f5262 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +441,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -36184,7 +36183,7 @@ index 312cd04..34f5262 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +471,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -36197,7 +36196,7 @@ index 312cd04..34f5262 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +508,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -43785,7 +43784,7 @@ index a392fc4..78fa512 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..b53de2b
+index 0000000..849cdb8
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
 @@ -0,0 +1,61 @@
@@ -43839,7 +43838,7 @@ index 0000000..b53de2b
 +/var/lib/random-seed 		gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +/usr/var/lib/random-seed 	gen_context(system_u:object_r:random_seed_t,mls_systemhigh)
 +
-+/var/run/nologin		gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
++/var/run/.*nologin.*		gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
 +/var/run/systemd/shutdown(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
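Review bot: The new pattern `/var/run/.*nologin.*` is much wider than the changelog's stated target, the `.#nologinXXXXXX` temp files. In file-context regexes `.` also matches `/`, so any path at any depth under /var/run that contains "nologin" receives systemd_logind_var_run_t, and with no file-type field the entry applies to directories and sockets as well as regular files. A restorecon could therefore relabel another domain's runtime files. A pattern kept to one path component and regular files would be narrower, e.g. `/var/run/[^/]*nologin[^/]*	--	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)`; if the temp file created under /var/run/systemd/ needs a stable label too, give it its own anchored entry.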
@@ -43852,10 +43851,10 @@ index 0000000..b53de2b
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..300bf59
+index 0000000..21f7c14
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1676 @@
+@@ -0,0 +1,1678 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -44970,6 +44969,7 @@ index 0000000..300bf59
 +		type systemd_logind_var_run_t;
 +		type hostname_etc_t;
 +		type systemd_home_t;
++		type systemd_rfkill_var_lib_t;
 +	')
 +
 +	files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
@@ -44978,6 +44978,7 @@ index 0000000..300bf59
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
 +	files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
 +	files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
++	init_var_lib_filetrans($1, systemd_rfkill_var_lib_t, dir, "rfkill" )
 +')
 +
 +########################################
@@ -45534,10 +45535,10 @@ index 0000000..300bf59
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..eb1b3c3
+index 0000000..bf93dba
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,842 @@
+@@ -0,0 +1,843 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -45687,7 +45688,7 @@ index 0000000..eb1b3c3
 +manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t })
 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
-+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
++init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, { file dir })
 +files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin")
 +
 +manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
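Review bot: Widening the unnamed transition to `{ file dir }` in `init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, { file dir })` changes the label of every regular file systemd_logind_t creates directly in that directory, not only the nologin temp file, and the line has no comment explaining why. Presumably a named transition cannot be used because the `.#nologinXXXXXX` suffix is random (rhbz#1285019 per the changelog). I would record that above the rule, e.g. `# unnamed file transition: logind creates .#nologinXXXXXX temp files with random names, rhbz#1285019`, so the breadth reads as a deliberate decision and can be narrowed later.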
@@ -45896,6 +45897,7 @@ index 0000000..eb1b3c3
 +fs_read_xenfs_files(systemd_networkd_t)
 +
 +dev_read_sysfs(systemd_networkd_t)
++dev_write_kmsg(systemd_networkd_t)
 +
 +logging_send_syslog_msg(systemd_networkd_t)
 +
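Review bot: `dev_write_kmsg(systemd_networkd_t)` is granted unconditionally, while the changelog says it is only needed when the kernel is booted with systemd.log_target=kmsg (rhbz#1311444). Write access to the kernel log lets this domain place messages in a stream that administrators and log collectors tend to treat as kernel-originated, so the reason for the grant should sit next to the rule. I would add a comment above it such as `# systemd-networkd logs to kmsg when booted with systemd.log_target=kmsg, rhbz#1311444`.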
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d3c8d76..b1c1c4c 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2267,7 +2267,7 @@ index 7f4dfbc..e5c9f45 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index 519051c..f5784a5 100644
+index 519051c..0f871e6 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2330,7 +2330,15 @@ index 519051c..f5784a5 100644
  
  files_read_etc_runtime_files(amanda_t)
  files_list_all(amanda_t)
-@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -130,6 +137,7 @@ fs_list_all(amanda_t)
+ storage_raw_read_fixed_disk(amanda_t)
+ storage_read_tape(amanda_t)
+ storage_write_tape(amanda_t)
++storage_write_scsi_generic(amanda_t)
+ 
+ auth_use_nsswitch(amanda_t)
+ auth_read_shadow(amanda_t)
+@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t)
  corecmd_exec_shell(amanda_recover_t)
  corecmd_exec_bin(amanda_recover_t)
  
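Review bot: `storage_write_scsi_generic(amanda_t)` grants more than the tape-changer control the changelog describes (rhbz#1311759). The generic SCSI device type is not specific to changers, so amanda_t can presumably write to any device exposed through that interface, including disks. amanda_t already holds `storage_raw_read_fixed_disk` in this hunk's context, so the combined storage access of this backup domain is getting wide. Consider placing the new rule in a boolean-gated `tunable_policy` block so it is only active on hosts that have a changer, and add a comment above it naming the bug. Only write is added here; whether read on the same type is already allowed is not visible in this hunk.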
@@ -2338,7 +2346,7 @@ index 519051c..f5784a5 100644
  corenet_all_recvfrom_netlabel(amanda_recover_t)
  corenet_tcp_sendrecv_generic_if(amanda_recover_t)
  corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t)
  
  auth_use_nsswitch(amanda_recover_t)
  
@@ -41006,10 +41014,10 @@ index 0000000..bd7e7fa
 +')
 diff --git a/keepalived.te b/keepalived.te
 new file mode 100644
-index 0000000..8ab40b5
+index 0000000..66e747b
 --- /dev/null
 +++ b/keepalived.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,92 @@
 +policy_module(keepalived, 1.0.0)
 +
 +########################################
@@ -41038,6 +41046,7 @@ index 0000000..8ab40b5
 +allow keepalived_t self:capability { net_admin net_raw kill };
 +allow keepalived_t self:process { signal_perms };
 +allow keepalived_t self:netlink_socket create_socket_perms;
++allow keepalived_t self:netlink_generic_socket create_socket_perms;
 +allow keepalived_t self:netlink_route_socket nlmsg_write;
 +allow keepalived_t self:packet_socket create_socket_perms;
 +allow keepalived_t self:rawip_socket create_socket_perms;
@@ -49397,7 +49406,7 @@ index b1ac8b5..24782b3 100644
 +	')
 +')
 diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..25f2cfe 100644
+index d15eb5b..6e2a403 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
 @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -49410,7 +49419,7 @@ index d15eb5b..25f2cfe 100644
  ########################################
  #
  # Local policy
-@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+@@ -19,20 +22,24 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
  allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
  allow modemmanager_t self:process { getsched signal };
  allow modemmanager_t self:fifo_file rw_fifo_file_perms;
@@ -49420,6 +49429,8 @@ index d15eb5b..25f2cfe 100644
  
  kernel_read_system_state(modemmanager_t)
  
++auth_read_passwd(modemmanager_t)
++
 +corecmd_exec_bin(modemmanager_t)
 +
  dev_read_sysfs(modemmanager_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 799d32d..ab47992 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 172%{?dist}
+Release: 173%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -673,6 +673,16 @@ exit 0
 %endif
 
 %changelog
+* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-173
+- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759
+- Allow keepalived to create netlink generic sockets. rhbz#1311756
+- Allow modemmanager to read /etc/passwd file.
+- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t.
+- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255
+- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019
+- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444
+- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
+
 * Thu Feb 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-172
 - Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy.
 - Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033