diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index dc3f83c..59cae3f 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -15771,7 +15771,7 @@ index 7be4ddf..71e675a 100644
 +/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..9e881e6 100644
+index e100d88..f45a698 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -16398,7 +16398,7 @@ index e100d88..9e881e6 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3280,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3280,583 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -16964,6 +16964,24 @@ index e100d88..9e881e6 100644
 +	')
 +
 +	allow $1 usermodehelper_t:file relabelto;
++')
++
++########################################
++## <summary>
++##      Read netlink audit socket
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`kernel_read_netlink_audit_socket',`
++	gen_require(`
++		type kernel_t;
++	')
++
++	allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
 index 8dbab4c..15230be 100644
@@ -21737,18 +21755,20 @@ index 6d77e81..79ee03d 100644
 +	')
 +')
 diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index a26f84f..947af6c 100644
+index a26f84f..59fe535 100644
 --- a/policy/modules/services/postgresql.fc
 +++ b/policy/modules/services/postgresql.fc
-@@ -10,6 +10,7 @@
+@@ -10,6 +10,9 @@
  #
  /usr/bin/initdb(\.sepgsql)?	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
  /usr/bin/(se)?postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 +/usr/bin/pg_ctl				--	gen_context(system_u:object_r:postgresql_exec_t,s0)
++
++/usr/libexec/postgresql-ctl     --  gen_context(system_u:object_r:postgresql_exec_t,s0)
  
  /usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
  /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-@@ -28,9 +29,10 @@ ifdef(`distro_redhat', `
+@@ -28,9 +31,10 @@ ifdef(`distro_redhat', `
  #
  /var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)
  
@@ -21761,7 +21781,7 @@ index a26f84f..947af6c 100644
  
  /var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
  /var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
-@@ -45,4 +47,4 @@ ifdef(`distro_redhat', `
+@@ -45,4 +49,4 @@ ifdef(`distro_redhat', `
  
  /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
  
@@ -34686,7 +34706,7 @@ index 4e94884..8de26ad 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..53a6182 100644
+index 59b04c1..d9852d4 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -34921,7 +34941,7 @@ index 59b04c1..53a6182 100644
  
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +434,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -34944,6 +34964,7 @@ index 59b04c1..53a6182 100644
  kernel_read_system_state(syslogd_t)
  kernel_read_network_state(syslogd_t)
  kernel_read_kernel_sysctls(syslogd_t)
++kernel_read_netlink_audit_socket(syslogd_t)
  kernel_read_proc_symlinks(syslogd_t)
  # Allow access to /proc/kmsg for syslog-ng
  kernel_read_messages(syslogd_t)
@@ -34971,7 +34992,7 @@ index 59b04c1..53a6182 100644
  # syslog-ng can listen and connect on tcp port 514 (rsh)
  corenet_tcp_sendrecv_generic_if(syslogd_t)
  corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +484,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
  corenet_tcp_connect_rsh_port(syslogd_t)
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -34980,7 +35001,7 @@ index 59b04c1..53a6182 100644
  corenet_tcp_connect_syslogd_port(syslogd_t)
  corenet_tcp_connect_postgresql_port(syslogd_t)
  corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +496,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -35008,7 +35029,7 @@ index 59b04c1..53a6182 100644
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
-@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +529,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
  
  fs_getattr_all_fs(syslogd_t)
  fs_search_auto_mountpoints(syslogd_t)
@@ -35026,7 +35047,7 @@ index 59b04c1..53a6182 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +550,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +551,11 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -35041,7 +35062,7 @@ index 59b04c1..53a6182 100644
  
  ifdef(`distro_gentoo',`
  	# default gentoo syslog-ng config appends kernel
-@@ -497,6 +581,7 @@ optional_policy(`
+@@ -497,6 +582,7 @@ optional_policy(`
  optional_policy(`
  	cron_manage_log_files(syslogd_t)
  	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -35049,7 +35070,7 @@ index 59b04c1..53a6182 100644
  ')
  
  optional_policy(`
-@@ -507,15 +592,40 @@ optional_policy(`
+@@ -507,15 +593,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35090,7 +35111,7 @@ index 59b04c1..53a6182 100644
  ')
  
  optional_policy(`
-@@ -526,3 +636,26 @@ optional_policy(`
+@@ -526,3 +637,26 @@ optional_policy(`
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -39082,7 +39103,7 @@ index 1447687..d5e6fb9 100644
  seutil_read_config(setrans_t)
  
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..963b974 100644
+index 40edc18..b328c40 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
 @@ -17,23 +17,27 @@ ifdef(`distro_debian',`
@@ -39114,7 +39135,7 @@ index 40edc18..963b974 100644
 +/var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 +/var/run/systemd/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
  ')
-+/var/run/NetworkManager/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/NetworkManager/resolv\.conf.*   --  gen_context(system_u:object_r:net_conf_t,s0)
  
  #
  # /sbin
@@ -39156,7 +39177,7 @@ index 40edc18..963b974 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..07185cb 100644
+index 2cea692..8dbfc5b 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39359,7 +39380,7 @@ index 2cea692..07185cb 100644
  
  	allow $1 net_conf_t:file manage_file_perms;
  
-@@ -463,7 +597,42 @@ interface(`sysnet_manage_config',`
+@@ -463,7 +597,41 @@ interface(`sysnet_manage_config',`
  	')
  
  	ifdef(`distro_redhat',`
@@ -39368,7 +39389,6 @@ index 2cea692..07185cb 100644
 +		allow $1 net_conf_t:dir list_dir_perms;
  		manage_files_pattern($1, net_conf_t, net_conf_t)
 +		manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
-+        sysnet_filetrans_named_content($1)
 +	')
 +')
 +
@@ -39402,7 +39422,7 @@ index 2cea692..07185cb 100644
  	')
  ')
  
-@@ -501,6 +670,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -501,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',`
  		type dhcpc_var_run_t;
  	')
  
@@ -39410,7 +39430,7 @@ index 2cea692..07185cb 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -610,6 +780,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -610,6 +779,25 @@ interface(`sysnet_signull_ifconfig',`
  
  ########################################
  ## <summary>
@@ -39436,7 +39456,7 @@ index 2cea692..07185cb 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -626,6 +815,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -626,6 +814,7 @@ interface(`sysnet_read_dhcp_config',`
  	files_search_etc($1)
  	allow $1 dhcp_etc_t:dir list_dir_perms;
  	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -39444,7 +39464,7 @@ index 2cea692..07185cb 100644
  ')
  
  ########################################
-@@ -647,6 +837,26 @@ interface(`sysnet_search_dhcp_state',`
+@@ -647,6 +836,26 @@ interface(`sysnet_search_dhcp_state',`
  	allow $1 dhcp_state_t:dir search_dir_perms;
  ')
  
@@ -39471,7 +39491,7 @@ index 2cea692..07185cb 100644
  ########################################
  ## <summary>
  ##	Create DHCP state data.
-@@ -711,8 +921,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -711,8 +920,6 @@ interface(`sysnet_dns_name_resolve',`
  	allow $1 self:udp_socket create_socket_perms;
  	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  
@@ -39480,19 +39500,21 @@ index 2cea692..07185cb 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +928,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +927,13 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_sendrecv_dns_port($1)
  	corenet_udp_sendrecv_dns_port($1)
  	corenet_tcp_connect_dns_port($1)
-+    corenet_tcp_connect_dnssec_port($1)
++	corenet_tcp_connect_dnssec_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
++	files_search_all_pids($1)
++
 +	miscfiles_read_generic_certs($1)
 +
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -750,8 +961,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +962,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
@@ -39501,7 +39523,7 @@ index 2cea692..07185cb 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -760,9 +969,14 @@ interface(`sysnet_use_ldap',`
+@@ -760,9 +970,14 @@ interface(`sysnet_use_ldap',`
  
  	# Support for LDAPS
  	dev_read_rand($1)
@@ -39516,7 +39538,7 @@ index 2cea692..07185cb 100644
  ')
  
  ########################################
-@@ -784,7 +998,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +999,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -39524,7 +39546,7 @@ index 2cea692..07185cb 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1009,122 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1010,122 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d332224..3ea2457 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -10519,7 +10519,7 @@ index 0000000..968c957
 +')
 diff --git a/brltty.te b/brltty.te
 new file mode 100644
-index 0000000..32c786b
+index 0000000..0efa3a2
 --- /dev/null
 +++ b/brltty.te
 @@ -0,0 +1,61 @@
@@ -10573,7 +10573,7 @@ index 0000000..32c786b
 +corenet_tcp_bind_brlp_port(brltty_t)
 +
 +dev_read_sysfs(brltty_t)
-+dev_getattr_generic_usb_dev(brltty_t)
++dev_rw_generic_usb_dev(brltty_t)
 +
 +fs_getattr_all_fs(brltty_t)
 +
@@ -25259,10 +25259,10 @@ index 0000000..c8e5981
 +
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..4561111
+index 0000000..2bfade6
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,305 @@
+@@ -0,0 +1,309 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -25278,19 +25278,15 @@ index 0000000..4561111
 +## </desc>
 +gen_tunable(docker_connect_any, false)
 +
-+## <desc>
-+## <p>
-+## Allow docker to transition to unconfined containers.
-+## </p>
-+## </desc>
-+gen_tunable(docker_transition_unconfined, false)
-+
 +type docker_t;
 +type docker_exec_t;
 +init_daemon_domain(docker_t, docker_exec_t)
 +domain_subj_id_change_exemption(docker_t)
 +domain_role_change_exemption(docker_t)
 +
++type spc_t;
++domain_type(spc_t)
++
 +type docker_var_lib_t;
 +files_type(docker_var_lib_t)
 +
@@ -25562,12 +25558,20 @@ index 0000000..4561111
 +    corenet_tcp_sendrecv_all_ports(docker_t)
 +')
 +
-+tunable_policy(`docker_transition_unconfined',`
-+	unconfined_transition(docker_t, docker_share_t)
-+	unconfined_transition(docker_t, docker_var_lib_t)
-+	unconfined_setsched(docker_t)
-+	userdom_attach_admin_tun_iface(docker_t)
++########################################
++#
++# spc local policy
++#
++role system_r types spc_t;
++allow docker_t spc_t:process setsched;
++
++domtrans_pattern(docker_t, docker_share_t, spc_t)
++domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
++
++optional_policy(`
++	unconfined_domain(spc_t)
 +')
++
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
 --- a/dovecot.fc
@@ -55596,7 +55600,7 @@ index 86dc29d..219892b 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..476d363 100644
+index 55f2009..694f99e 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -55794,7 +55798,8 @@ index 55f2009..476d363 100644
  sysnet_search_dhcp_state(NetworkManager_t)
 +# in /etc created by NetworkManager will be labelled net_conf_t.
  sysnet_manage_config(NetworkManager_t)
- sysnet_etc_filetrans_config(NetworkManager_t)
+-sysnet_etc_filetrans_config(NetworkManager_t)
++sysnet_filetrans_named_content(NetworkManager_t)
  
 -# certificates in user home directories (cert_home_t in ~/\.pki)
 -userdom_read_user_home_content_files(NetworkManager_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dcb4d60..9dfee1f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 110%{?dist}
+Release: 111%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -605,6 +605,13 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Feb 10 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-111
+- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
+- Remove automatcically running filetrans_named_content form sysnet_manage_config
+- Allow syslogd/journal to read netlink audit socket
+- Allow brltty ioctl on usb_device_t. BZ(1190349)
+- Make sure NetworkManager configures resolv.conf correctly
+
 * Thu Feb 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-110
 - Allow cockpit_session_t to create tmp files
 - apmd needs sys_resource when shutting down the machine