diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 192c2ecc..486f14cf 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 671a9491..097cf35c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -25374,7 +25374,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..fe03d6d 100644 +index 2522ca6..a23a472 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) @@ -25807,7 +25807,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -345,30 +490,37 @@ optional_policy(` +@@ -345,30 +490,38 @@ optional_policy(` ') optional_policy(` @@ -25820,6 +25820,7 @@ index 2522ca6..fe03d6d 100644 + systemd_login_reboot(sysadm_t) + systemd_login_halt(sysadm_t) + systemd_login_undefined(sysadm_t) ++ systemd_tmpfiles_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -25854,7 +25855,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -380,10 +532,6 @@ optional_policy(` +@@ -380,10 +533,6 @@ optional_policy(` ') optional_policy(` @@ -25865,7 +25866,7 @@ index 2522ca6..fe03d6d 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +539,9 @@ optional_policy(` +@@ -391,6 +540,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25875,7 +25876,7 @@ index 2522ca6..fe03d6d 100644 ') optional_policy(` -@@ -398,31 +549,34 @@ optional_policy(` +@@ -398,31 +550,34 @@ optional_policy(` ') optional_policy(` @@ -25916,7 +25917,7 @@ index 2522ca6..fe03d6d 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +589,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +590,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -25927,7 +25928,7 @@ index 2522ca6..fe03d6d 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +609,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +610,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -35258,7 +35259,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..e176b9f 100644 +index 79a45f6..9926eaf 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -36301,7 +36302,7 @@ index 79a45f6..e176b9f 100644 ') ######################################## -@@ -1806,37 +2294,672 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2294,690 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -36729,6 +36730,24 @@ index 79a45f6..e176b9f 100644 + +######################################## +## ++## Start system from init ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_start',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system start; ++') ++ ++######################################## ++## +## Tell init to reboot the system. +## +## @@ -46795,10 +46814,10 @@ index 0000000..8b77d7a +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..513b97b +index 0000000..16cd1ac --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1738 @@ +@@ -0,0 +1,1763 @@ +## SELinux policy for systemd components + +###################################### 
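Review bot: The summary on the new `init_start` interface in policy/modules/system/init.if, "Start system from init", does not say what is granted. The body is `allow $1 init_t:system start;`, so the caller receives the `start` permission of the `system` class on `init_t`. I would word the summary as `## Allow the specified domain the start permission on the init_t system object.` so that someone auditing callers (in this commit, `init_start(systemd_logind_t)` in systemd.te) can see the scope without reading the rule.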
@@ -47405,6 +47424,31 @@ index 0000000..513b97b + +######################################## +## ++## Execute systemd-tmpfiles in the systemd_tmpfiles_t domain, and ++## allow the specified role the systemd_tmpfiles domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the systemd_tmpfiles domain. ++## ++## ++# ++interface(`systemd_tmpfiles_run',` ++ gen_require(` ++ type systemd_tmpfiles_t; ++ ') ++ ++ systemd_passwd_agent_domtrans($1) ++ role $2 types systemd_tmpfiles_t; ++') ++ ++######################################## ++## +## Role access for systemd_passwd_agent +## +## @@ -48539,10 +48583,10 @@ index 0000000..513b97b +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..7877160 +index 0000000..180e701 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,957 @@ +@@ -0,0 +1,958 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48770,6 +48814,7 @@ index 0000000..7877160 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit") + +init_status(systemd_logind_t) ++init_start(systemd_logind_t) +init_signal(systemd_logind_t) +init_reboot(systemd_logind_t) +init_halt(systemd_logind_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2a756761..7b0f931c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -648,6 +648,12 @@ exit 0 %endif %changelog +* Wed Jul 13 2016 Lukas Vrabec 3.13.1-202 +- Allow systemd_logind_t to start init_t BZ(1355861) +- Add init_start() interface +- Allow sysadm user to run systemd-tmpfiles +- Add interface systemd_tmpfiles_run + * Mon Jul 11 2016 Lukas Vrabec 3.13.1-201 - Allow lttng tools to block suspending - Allow creation of vpnaas in openstack
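Review bot: `systemd_tmpfiles_run` in policy/modules/system/systemd.if calls `systemd_passwd_agent_domtrans($1)`, which by its name transitions the caller into the password-agent domain, while the summary, the `gen_require` and `role $2 types systemd_tmpfiles_t;` all refer to systemd-tmpfiles. This looks like a copy-paste from the passwd-agent interface. As written, the `systemd_tmpfiles_run(sysadm_t, sysadm_r)` call added to sysadm.te would give sysadm_t a passwd-agent transition it was presumably not meant to get, and would authorise sysadm_r for systemd_tmpfiles_t without this interface providing any transition into it. The call should be the tmpfiles transition instead, e.g. `domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)` with the exec type added to `gen_require` (assuming that is the exec type's name, which this hunk does not show), or the module's own tmpfiles domtrans interface if it has one.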