diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 1799d9e..1f4d9ec 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 9112bf0..b727ff9 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -43837,15 +43837,16 @@ index a392fc4..78fa512 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..849cdb8
+index 0000000..19617c7
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,64 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
++/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)
+
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
@@ -43858,6 +43859,7 @@ index 0000000..849cdb8
+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hwdb_exec_t,s0)
+
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
@@ -43866,6 +43868,7 @@ index 0000000..849cdb8
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
++/usr/lib/systemd/system/systemd-hwdb.*\.service -- gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0)
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
@@ -45588,10 +45591,10 @@ index 0000000..21f7c14
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..11d2aa1
+index 0000000..551317f
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,843 @@
+@@ -0,0 +1,860 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -45632,6 +45635,11 @@ index 0000000..11d2aa1
+type systemd_coredump_tmpfs_t;
+files_tmpfs_file(systemd_coredump_tmpfs_t)
+
++systemd_domain_template(systemd_hwdb)
++
++type systemd_hwdb_unit_file_t;
++systemd_unit_file(systemd_hwdb_unit_file_t)
++
+systemd_domain_template(systemd_networkd)
+
+type systemd_networkd_unit_file_t;
@@ -45675,6 +45683,9 @@ index 0000000..11d2aa1
+type hostname_etc_t;
+files_config_file(hostname_etc_t)
+
++type systemd_hwdb_etc_t;
++files_config_file(systemd_hwdb_etc_t)
++
+systemd_domain_template(systemd_rfkill)
+
+type systemd_rfkill_unit_file_t;
@@ -46396,6 +46407,15 @@ index 0000000..11d2aa1
+ unconfined_domain(systemd_coredump_t)
+')
+
++#######################################
++#
++# systemd_hwdb domain
++#
++
++manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
++files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
++
++
+########################################
+#
+# Common rules for systemd domains
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b30f250..6de2977 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -18885,7 +18885,7 @@ index 1303b30..759412f 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 7de3859..9d2cd2d 100644
+index 7de3859..1444c2f 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@@ -19580,7 +19580,18 @@ index 7de3859..9d2cd2d 100644
')
optional_policy(`
-@@ -591,6 +602,7 @@ optional_policy(`
+@@ -567,6 +578,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ firewalld_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
+ ftp_read_log(system_cronjob_t)
+ ')
+
+@@ -591,6 +606,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -19588,7 +19599,7 @@ index 7de3859..9d2cd2d 100644
')
optional_policy(`
-@@ -598,7 +610,23 @@ optional_policy(`
+@@ -598,7 +614,23 @@ optional_policy(`
')
optional_policy(`
@@ -19612,7 +19623,7 @@ index 7de3859..9d2cd2d 100644
')
optional_policy(`
-@@ -607,7 +635,12 @@ optional_policy(`
+@@ -607,7 +639,12 @@ optional_policy(`
')
optional_policy(`
@@ -19625,7 +19636,7 @@ index 7de3859..9d2cd2d 100644
')
optional_policy(`
-@@ -615,12 +648,27 @@ optional_policy(`
+@@ -615,12 +652,27 @@ optional_policy(`
')
optional_policy(`
@@ -19655,7 +19666,7 @@ index 7de3859..9d2cd2d 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -628,12 +676,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +680,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -19689,7 +19700,7 @@ index 7de3859..9d2cd2d 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -641,66 +709,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +713,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -99518,10 +99529,10 @@ index 0000000..ed76979
+
diff --git a/snapper.te b/snapper.te
new file mode 100644
-index 0000000..243fc96
+index 0000000..88805d7
--- /dev/null
+++ b/snapper.te
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,78 @@
+policy_module(snapper, 1.0.0)
+
+########################################
@@ -99562,6 +99573,7 @@ index 0000000..243fc96
+manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
++allow snapperd_t snapperd_data_t:dir mounton;
+snapper_filetrans_named_content(snapperd_t)
+
+domain_read_all_domains_state(snapperd_t)
@@ -109173,7 +109185,7 @@ index 31c752e..ef52235 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
-index 87da8a2..13f2f44 100644
+index 87da8a2..4ca0271 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -109184,7 +109196,7 @@ index 87da8a2..13f2f44 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
-@@ -39,23 +40,26 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,23 +40,28 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
@@ -109196,7 +109208,8 @@ index 87da8a2..13f2f44 100644
dev_dontaudit_write_mtrr(vdagent_t)
-files_read_etc_files(vdagent_t)
--
++fs_getattr_tmpfs(vdagent_t)
+
term_use_virtio_console(vdagent_t)
init_read_state(vdagent_t)
@@ -117092,7 +117105,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..d594e47 100644
+index 7f496c6..b23f29d 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -117187,17 +117200,17 @@ index 7f496c6..d594e47 100644
-allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_t self:capability { dac_read_search dac_override };
++
++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
-+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
-+
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@@ -117310,7 +117323,34 @@ index 7f496c6..d594e47 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,21 +192,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -170,6 +185,26 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
+ corenet_tcp_connect_ssh_port(zabbix_agent_t)
+ corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
+
++corenet_sendrecv_ftp_client_packets(zabbix_agent_t)
++corenet_tcp_connect_ftp_port(zabbix_agent_t)
++corenet_tcp_sendrecv_ftp_port(zabbix_agent_t)
++
++corenet_sendrecv_http_client_packets(zabbix_agent_t)
++corenet_tcp_connect_http_port(zabbix_agent_t)
++corenet_tcp_sendrecv_http_port(zabbix_agent_t)
++
++corenet_sendrecv_innd_client_packets(zabbix_agent_t)
++corenet_tcp_connect_innd_port(zabbix_agent_t)
++corenet_tcp_sendrecv_innd_port(zabbix_agent_t)
++
++corenet_sendrecv_pop_client_packets(zabbix_agent_t)
++corenet_tcp_connect_pop_port(zabbix_agent_t)
++corenet_tcp_sendrecv_pop_port(zabbix_agent_t)
++
++corenet_sendrecv_smtp_client_packets(zabbix_agent_t)
++corenet_tcp_connect_smtp_port(zabbix_agent_t)
++corenet_tcp_sendrecv_smtp_port(zabbix_agent_t)
++
+ corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
+ corenet_tcp_connect_zabbix_port(zabbix_agent_t)
+ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +212,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 17cfb8a..f479ed5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 176%{?dist}
+Release: 177%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -670,6 +670,15 @@ exit 0
%endif
%changelog
+* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
+- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
+- Allow sending dbus msgs between firewalld and system_cronjob domains.
+- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
+- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
+- Add support for systemd-gpt-auto-generator. rhbz#1314968
+- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
+- Add support for systemd-hwdb daemon. rhbz#1306243
+
* Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV