diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 783906b..bdae1d1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1052,17 +1052,10 @@ index 4705ab6..b82865c 100644
+## </desc>
+gen_tunable(mount_anyfile, false)
diff --git a/policy/mcs b/policy/mcs
-index 216b3d1..064ec83 100644
+index 216b3d1..78e56ed 100644
--- a/policy/mcs
+++ b/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+default_range dir_file_class_set target low;
-+
- #
- # Define sensitivities
- #
-@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats)
+@@ -69,53 +69,56 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
@@ -1139,7 +1132,7 @@ index 216b3d1..064ec83 100644
mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
+@@ -135,6 +138,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
mlsconstrain { db_tuple } { insert relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
@@ -1149,7 +1142,7 @@ index 216b3d1..064ec83 100644
# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
( h1 dom h2 );
-@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
@@ -44536,7 +44529,7 @@ index 0000000..cde0261
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..11cbcf8
+index 0000000..dff8d54
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,723 @@
@@ -45209,7 +45202,7 @@ index 0000000..11cbcf8
+#
+# systemd_sysctl domains local policy
+#
-+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_rawio };
++allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_rawio };
+allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
+kernel_dgram_send(systemd_sysctl_t)
+kernel_request_load_module(systemd_sysctl_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a121c91..6fecdc7 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -25387,10 +25387,10 @@ index 0000000..1714fa6
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
new file mode 100644
-index 0000000..a846ce0
+index 0000000..d22ed69
--- /dev/null
+++ b/dnssec.if
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,123 @@
+
+## <summary>policy for dnssec_trigger</summary>
+
@@ -25474,6 +25474,25 @@ index 0000000..a846ce0
+
+########################################
+## <summary>
++## Send sigkill to dnssec_trigger.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++#
++interface(`dnssec_trigger_sigkill',`
++ gen_require(`
++ type dnssec_trigger_t;
++ ')
++
++ allow $1 dnssec_trigger_t:process sigkill;
++')
++
++########################################
++## <summary>
+## All of the rules required to administrate
+## an dnssec_trigger environment
+## </summary>
@@ -56978,7 +56997,7 @@ index 86dc29d..7380935 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..e6182a2 100644
+index 55f2009..b84767b 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -57055,11 +57074,11 @@ index 55f2009..e6182a2 100644
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
-+
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
-
++
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
@@ -57138,7 +57157,7 @@ index 55f2009..e6182a2 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +160,35 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +160,36 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -57169,13 +57188,14 @@ index 55f2009..e6182a2 100644
+libs_exec_ldconfig(NetworkManager_t)
+
logging_send_syslog_msg(NetworkManager_t)
++logging_send_audit_msgs(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
-miscfiles_read_localization(NetworkManager_t)
seutil_read_config(NetworkManager_t)
-@@ -166,21 +203,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +204,34 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -57214,7 +57234,7 @@ index 55f2009..e6182a2 100644
')
optional_policy(`
-@@ -196,10 +246,6 @@ optional_policy(`
+@@ -196,10 +247,6 @@ optional_policy(`
')
optional_policy(`
@@ -57225,7 +57245,7 @@ index 55f2009..e6182a2 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,17 +256,16 @@ optional_policy(`
+@@ -210,16 +257,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -57236,19 +57256,15 @@ index 55f2009..e6182a2 100644
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
-+ consolekit_read_pid_files(NetworkManager_t)
- ')
-+')
-
+- ')
+-
- optional_policy(`
- policykit_dbus_chat(NetworkManager_t)
-- ')
-+optional_policy(`
-+ dnssec_trigger_domtrans(NetworkManager_t)
++ consolekit_read_pid_files(NetworkManager_t)
+ ')
')
- optional_policy(`
-@@ -231,10 +276,15 @@ optional_policy(`
+@@ -231,10 +273,17 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -57257,7 +57273,9 @@ index 55f2009..e6182a2 100644
optional_policy(`
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
++ dnssec_trigger_domtrans(NetworkManager_t)
+ dnssec_trigger_signull(NetworkManager_t)
++ dnssec_trigger_sigkill(NetworkManager_t)
+')
+
+optional_policy(`
@@ -57265,7 +57283,7 @@ index 55f2009..e6182a2 100644
')
optional_policy(`
-@@ -246,10 +296,26 @@ optional_policy(`
+@@ -246,10 +295,26 @@ optional_policy(`
')
optional_policy(`
@@ -57292,7 +57310,7 @@ index 55f2009..e6182a2 100644
')
optional_policy(`
-@@ -257,15 +323,19 @@ optional_policy(`
+@@ -257,15 +322,19 @@ optional_policy(`
')
optional_policy(`
@@ -57314,7 +57332,7 @@ index 55f2009..e6182a2 100644
')
optional_policy(`
-@@ -274,10 +344,17 @@ optional_policy(`
+@@ -274,10 +343,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -57332,7 +57350,7 @@ index 55f2009..e6182a2 100644
')
optional_policy(`
-@@ -286,9 +363,12 @@ optional_policy(`
+@@ -286,9 +362,12 @@ optional_policy(`
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
openvpn_signull(NetworkManager_t)
@@ -57345,7 +57363,7 @@ index 55f2009..e6182a2 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +376,7 @@ optional_policy(`
+@@ -296,7 +375,7 @@ optional_policy(`
')
optional_policy(`
@@ -57354,7 +57372,7 @@ index 55f2009..e6182a2 100644
')
optional_policy(`
-@@ -307,6 +387,7 @@ optional_policy(`
+@@ -307,6 +386,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -57362,7 +57380,7 @@ index 55f2009..e6182a2 100644
')
optional_policy(`
-@@ -320,14 +401,21 @@ optional_policy(`
+@@ -320,14 +400,21 @@ optional_policy(`
')
optional_policy(`
@@ -57389,7 +57407,7 @@ index 55f2009..e6182a2 100644
')
optional_policy(`
-@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -65817,10 +65835,10 @@ index 8176e4a..2df1789 100644
diff --git a/pcp.fc b/pcp.fc
new file mode 100644
-index 0000000..9b8cb6b
+index 0000000..26a45e3
--- /dev/null
+++ b/pcp.fc
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,29 @@
+/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
@@ -65849,6 +65867,7 @@ index 0000000..9b8cb6b
+
+/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0)
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
++/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
index 0000000..80246e6
@@ -66001,10 +66020,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..e24db6b
+index 0000000..684f7b0
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,259 @@
+@@ -0,0 +1,260 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -66079,7 +66098,8 @@ index 0000000..e24db6b
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
-+files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file })
++manage_lnk_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
++files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file lnk_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
@@ -70497,7 +70517,7 @@ index cbe36c1..8ebeb87 100644
auth_domtrans_chk_passwd(portslave_t)
diff --git a/postfix.fc b/postfix.fc
-index c0e8785..c0e0959 100644
+index c0e8785..3070aa0 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -1,38 +1,38 @@
@@ -70579,15 +70599,16 @@ index c0e8785..c0e0959 100644
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+-/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
-+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
++/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
++/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
++/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
- /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
++/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
diff --git a/postfix.if b/postfix.if
index ded95ec..3cf7146 100644
--- a/postfix.if
@@ -97065,10 +97086,10 @@ index 0000000..52450c7
+')
diff --git a/smsd.te b/smsd.te
new file mode 100644
-index 0000000..1fad7b8
+index 0000000..d971935
--- /dev/null
+++ b/smsd.te
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,75 @@
+policy_module(smsd, 1.0.0)
+
+########################################
@@ -97142,6 +97163,8 @@ index 0000000..1fad7b8
+logging_send_syslog_msg(smsd_t)
+
+sysnet_dns_name_resolve(smsd_t)
++
++term_use_usb_ttys(smsd_t)
diff --git a/smstools.if b/smstools.if
index cbfe369..6594af3 100644
--- a/smstools.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 59f6779..80ee139 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 143%{?dist}
+Release: 144%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,15 @@ exit 0
%endif
%changelog
+* Mon Aug 24 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-144
+- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
+- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
+- Add interface dnssec_trigger_sigkill
+- Allow smsd use usb ttys. BZ(#1250536)
+- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file.
+- Revert default_range change in targeted policy
+- Allow systemd-sysctl cap. sys_ptrace BZ(1253926)
+
* Fri Aug 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-143
- Add ipmievd policy creaed by vmojzis@redhat.com
- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.