diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2480dc5..b9c8b31 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -32228,7 +32228,7 @@ index 17eda24..d4113cc 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..353c3b7 100644
+index 662e79b..ad9ef4e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,25 @@
@@ -32258,7 +32258,7 @@ index 662e79b..353c3b7 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,16 +37,26 @@
+@@ -26,16 +37,27 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -32281,6 +32281,7 @@ index 662e79b..353c3b7 100644
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/charon\.vici -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -37268,13 +37269,31 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..8686e0a 100644
+index 3822072..1b9a765 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
-@@ -135,6 +135,24 @@ interface(`seutil_exec_loadpolicy',`
+@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
########################################
##
++## Allow access check on load_policy.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_access_check_load_policy',`
++ gen_require(`
++ type load_policy_exec_t;
++ ')
++
++ allow $1 load_policy_exec_t:file audit_access;
++')
++
++########################################
++##
+## Dontaudit access check on load_policy.
+##
+##
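Review bot: The rule `allow $1 load_policy_exec_t:file audit_access;` in the new seutil_access_check_load_policy may not do what its summary ("Allow access check on load_policy") says. As far as I know, `audit_access` is only consulted when deciding whether a denied access(2)/faccessat(2) probe is audited, which is why it normally appears in `dontaudit` rules like the sibling interface that follows; an `allow` on it would then grant no read or execute access. Please confirm against the denial this is meant to resolve, and make the summary state the actual effect, for example `## Allow access(2) checks on load_policy without granting execute.` if that is the intent. The same pattern appears in seutil_access_check_setfiles, seutil_access_check_module_store and seutil_access_check_semanage_read_lock in later hunks. This hunk ends inside the documentation header of the Dontaudit interface.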
@@ -37296,7 +37315,7 @@ index 3822072..8686e0a 100644
## Read the load_policy program file.
##
##
-@@ -192,11 +210,22 @@ interface(`seutil_domtrans_newrole',`
+@@ -192,11 +228,22 @@ interface(`seutil_domtrans_newrole',`
#
interface(`seutil_run_newrole',`
gen_require(`
@@ -37321,7 +37340,7 @@ index 3822072..8686e0a 100644
')
########################################
-@@ -359,6 +388,27 @@ interface(`seutil_exec_restorecon',`
+@@ -359,6 +406,27 @@ interface(`seutil_exec_restorecon',`
########################################
##
@@ -37349,7 +37368,7 @@ index 3822072..8686e0a 100644
## Execute run_init in the run_init domain.
##
##
-@@ -425,11 +475,20 @@ interface(`seutil_init_script_domtrans_runinit',`
+@@ -425,11 +493,20 @@ interface(`seutil_init_script_domtrans_runinit',`
#
interface(`seutil_run_runinit',`
gen_require(`
@@ -37373,7 +37392,7 @@ index 3822072..8686e0a 100644
')
########################################
-@@ -461,11 +520,19 @@ interface(`seutil_run_runinit',`
+@@ -461,11 +538,19 @@ interface(`seutil_run_runinit',`
#
interface(`seutil_init_script_run_runinit',`
gen_require(`
@@ -37396,7 +37415,7 @@ index 3822072..8686e0a 100644
')
########################################
-@@ -535,6 +602,53 @@ interface(`seutil_run_setfiles',`
+@@ -535,6 +620,53 @@ interface(`seutil_run_setfiles',`
########################################
##
@@ -37450,10 +37469,28 @@ index 3822072..8686e0a 100644
## Execute setfiles in the caller domain.
##
##
-@@ -555,6 +669,24 @@ interface(`seutil_exec_setfiles',`
+@@ -555,6 +687,42 @@ interface(`seutil_exec_setfiles',`
########################################
##
++## Allow access check on setfiles.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_access_check_setfiles',`
++ gen_require(`
++ type setfiles_exec_t;
++ ')
++
++ allow $1 setfiles_exec_t:file audit_access;
++')
++
++########################################
++##
+## Dontaudit access check on setfiles.
+##
+##
@@ -37475,7 +37512,7 @@ index 3822072..8686e0a 100644
## Do not audit attempts to search the SELinux
## configuration directory (/etc/selinux).
##
-@@ -680,10 +812,115 @@ interface(`seutil_manage_config',`
+@@ -680,10 +848,115 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -37591,7 +37628,7 @@ index 3822072..8686e0a 100644
#######################################
##
## Create, read, write, and delete
-@@ -694,15 +931,62 @@ interface(`seutil_manage_config',`
+@@ -694,15 +967,62 @@ interface(`seutil_manage_config',`
## Domain allowed access.
##
##
@@ -37657,7 +37694,7 @@ index 3822072..8686e0a 100644
')
########################################
-@@ -746,6 +1030,29 @@ interface(`seutil_read_default_contexts',`
+@@ -746,6 +1066,29 @@ interface(`seutil_read_default_contexts',`
read_files_pattern($1, default_context_t, default_context_t)
')
@@ -37687,7 +37724,7 @@ index 3822072..8686e0a 100644
########################################
##
## Create, read, write, and delete the default_contexts files.
-@@ -784,7 +1091,9 @@ interface(`seutil_read_file_contexts',`
+@@ -784,7 +1127,9 @@ interface(`seutil_read_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
@@ -37697,7 +37734,7 @@ index 3822072..8686e0a 100644
')
########################################
-@@ -999,6 +1308,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1344,26 @@ interface(`seutil_domtrans_semanage',`
########################################
##
@@ -37724,7 +37761,7 @@ index 3822072..8686e0a 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1346,67 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1382,87 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -37773,6 +37810,26 @@ index 3822072..8686e0a 100644
+
+########################################
+##
++## List of the semanage
++## module store.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_access_check_module_store',`
++ gen_require(`
++ type semanage_store_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 semanage_store_t:dir_file_class_set audit_access;
++')
++
++########################################
++##
+## Full management of the semanage
+## module store.
+##
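Review bot: The summary of seutil_access_check_module_store, "List of the semanage module store.", does not describe the interface, whose only semanage_store_t rule is `allow $1 semanage_store_t:dir_file_class_set audit_access;`. A caller reading the generated documentation would expect directory list permissions; something like `## Allow access checks on the semanage module store.` matches the name and the rule. Note also that `files_search_etc($1)` is a real grant, unlike the other access_check interfaces in this patch, so the summary should mention it or the call should be dropped if callers already have it. The hunk starts inside seutil_run_semanage, whose body lies outside the visible lines.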
@@ -37794,7 +37851,7 @@ index 3822072..8686e0a 100644
')
########################################
-@@ -1043,7 +1428,11 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1484,11 @@ interface(`seutil_manage_module_store',`
files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
@@ -37806,10 +37863,28 @@ index 3822072..8686e0a 100644
')
#######################################
-@@ -1067,6 +1456,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1512,42 @@ interface(`seutil_get_semanage_read_lock',`
#######################################
##
++## Allow access check on module store
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_access_check_semanage_read_lock',`
++ gen_require(`
++ type semanage_read_lock_t;
++ ')
++
++ allow $1 semanage_read_lock_t:file audit_access;
++')
++
++#######################################
++##
+## Dontaudit access check on module store
+##
+##
@@ -37831,7 +37906,7 @@ index 3822072..8686e0a 100644
## Get trans lock on module store
##
##
-@@ -1137,3 +1544,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9fc84d2..3f12b14 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -61915,7 +61915,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 63957a3..3eb9dc1 100644
+index 63957a3..ba34f72 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -62040,7 +62040,7 @@ index 63957a3..3eb9dc1 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -164,6 +188,10 @@ tunable_policy(`openvpn_can_network_connect',`
+@@ -164,10 +188,19 @@ tunable_policy(`openvpn_can_network_connect',`
')
optional_policy(`
@@ -62051,11 +62051,17 @@ index 63957a3..3eb9dc1 100644
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
-@@ -173,5 +201,30 @@ optional_policy(`
+ optional_policy(`
++ networkmanager_stream_connect(openvpn_t)
++ networkmanager_manage_pid_files(openvpn_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
- optional_policy(`
+@@ -175,3 +208,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
-+ networkmanager_stream_connect(openvpn_t)
')
')
+
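Review bot: `networkmanager_manage_pid_files(openvpn_t)` looks broader than the need stated in the changelog, which is creating connection files in /var/run/NetworkManager with NetworkManager labeling. The interface body is not part of this diff, but by refpolicy naming a manage_* interface usually covers create, read, write and delete on every file of that type, which would let a compromised openvpn_t alter NetworkManager's own runtime files. If the networkmanager module offers a narrower create or filetrans interface, prefer it. Otherwise add a comment above the call recording the reason, for example `# openvpn creates per-connection files under /var/run/NetworkManager`.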
@@ -92301,7 +92307,7 @@ index 35ad2a7..6b75e85 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 12700b4..fde3c8d 100644
+index 12700b4..906b5db 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -92441,7 +92447,7 @@ index 12700b4..fde3c8d 100644
')
optional_policy(`
-@@ -164,6 +168,10 @@ optional_policy(`
+@@ -164,14 +168,27 @@ optional_policy(`
')
optional_policy(`
@@ -92452,7 +92458,12 @@ index 12700b4..fde3c8d 100644
milter_stream_connect_all(sendmail_t)
')
-@@ -172,6 +180,11 @@ optional_policy(`
+ optional_policy(`
++ mta_filetrans_home_content(sendmail_t)
++')
++
++optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
')
optional_policy(`
@@ -92464,7 +92475,7 @@ index 12700b4..fde3c8d 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +206,10 @@ optional_policy(`
+@@ -193,6 +210,10 @@ optional_policy(`
')
optional_policy(`
@@ -92475,7 +92486,7 @@ index 12700b4..fde3c8d 100644
udev_read_db(sendmail_t)
')
-@@ -206,8 +223,8 @@ optional_policy(`
+@@ -206,8 +227,8 @@ optional_policy(`
#
optional_policy(`
@@ -97481,7 +97492,7 @@ index a240455..f4d8c79 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..ababeba 100644
+index 2d8db1f..dbb5dd6 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -97539,7 +97550,7 @@ index 2d8db1f..ababeba 100644
corecmd_exec_bin(sssd_t)
-@@ -83,28 +79,30 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +79,36 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
@@ -97559,6 +97570,12 @@ index 2d8db1f..ababeba 100644
-# seutil_manage_login_config_files(sssd_t)
+seutil_rw_login_config_dirs(sssd_t)
+seutil_manage_login_config_files(sssd_t)
++
++seutil_access_check_module_store(sssd_t)
++
++seutil_access_check_load_policy(sssd_t)
++seutil_access_check_setfiles(sssd_t)
++seutil_access_check_semanage_read_lock(sssd_t)
mls_file_read_to_clearance(sssd_t)
mls_socket_read_to_clearance(sssd_t)
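Review bot: The four `seutil_access_check_*(sssd_t)` calls are added without a comment saying which component needs them, and they apply to the whole sssd_t domain. The changelog attributes them to selinux_child running as sssd, so the same rules also reach every other sssd process in that domain. A short comment above the group would keep that visible for later pruning, for example `# selinux_child runs in sssd_t and checks access to the module store, load_policy, setfiles and the semanage read lock`. If selinux_child is later given its own domain, these calls together with `seutil_manage_login_config_files(sssd_t)` are candidates to move there.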
@@ -97574,7 +97591,7 @@ index 2d8db1f..ababeba 100644
init_read_utmp(sssd_t)
-@@ -112,18 +110,36 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +116,36 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6efdd23..8aef00c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 93%{?dist}
+Release: 94%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Nov 19 2014 Lukas Vrabec 3.13.1-94
+- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
+- Allow sendmail to create dead.letter. BZ(1165443)
+- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
+- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
+- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
+- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
+
* Fri Nov 14 2014 Lukas Vrabec 3.13.1-93
- Allow bumblebee to use nsswitch. BZ(1155339)
- Allow openvpn to stream connect to networkmanager. BZ(1164182)