diff --git a/policy/modules/contrib b/policy/modules/contrib
index 9dd465a5d..d59909fbf 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 9dd465a5d5ae5c37f2efbde3ed9aa13d6a7f4913
+Subproject commit d59909fbf34e11ca808842173acf03cfe44f34aa
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 625768e27..9b06ff6ef 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.2)
+policy_module(files, 1.23.3)
 ########################################
 #
@@ -11,6 +11,7 @@ attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
 attribute configfile;
+attribute spoolfile;
 # For labeling types that are to be polyinstantiated
 attribute polydir;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f0761c9b3..7af0ab6a7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -932,6 +932,26 @@ interface(`xserver_create_xdm_tmp_sockets',`
 create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
+########################################
+##
+## Delete a named socket in a XDM
+## temporary directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_delete_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
 ########################################
 ##
 ## Read XDM pid files.
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 095435b75..ca7159ae1 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.1)
+policy_module(xserver, 3.13.2)
 gen_require(`
 class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 0f4b78d56..59899fd91 100644
--- a/policy/modules/system/init.fc
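Review bot: The new `attribute spoolfile;` in files.te has no comment, and nothing in the visible diff assigns it to a type or exposes it through an interface in files.if. Any rule later written against an attribute applies to every type carrying it, so its intended scope should be stated next to the declaration, in the way `polydir` is introduced by `# For labeling types that are to be polyinstantiated`. A line such as `# For labeling types of spool files (confirm intended scope)` would do. The consumers may be in the contrib submodule that this commit also bumps; that cannot be checked from here.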
+++ b/policy/modules/system/init.fc
@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
 # /usr
 #
 /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
@@ -34,7 +35,6 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
 ')
-
 /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 832abe474..63477f55d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.2)
+policy_module(init, 2.2.3)
 gen_require(`
 class passwd rootok;
@@ -307,7 +307,9 @@ ifdef(`init_systemd',`
 ',`
 # Run the shell in the sysadm role for single-user mode.
 # causes problems with upstart
- sysadm_shell_domtrans(init_t)
+ ifndef(`distro_debian',`
+ sysadm_shell_domtrans(init_t)
+ ')
 ')
 ')
@@ -561,9 +563,6 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_generic_certs(initrc_t)
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
-
 seutil_read_config(initrc_t)
 userdom_read_user_home_content_files(initrc_t)
@@ -952,6 +951,11 @@ optional_policy(`
 mailman_read_data_symlinks(initrc_t)
 ')
+optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
+
 optional_policy(`
 mta_read_config(initrc_t)
 mta_dontaudit_read_spool_symlinks(initrc_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 40efd4f67..80ecafd54 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
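Review bot: The `ifndef` on `distro_debian` added around `sysadm_shell_domtrans(init_t)` in init.te (hunk at -307) has no explanation, and the comment above it still mentions only upstart. With the guard in place a Debian build of the non-systemd branch no longer gets the transition, so a single-user shell started by init would presumably keep running in init_t instead of the sysadm domain. If that is intended, record the reason directly above the guard, e.g. `# Debian: <reason the sysadm transition is not wanted here>`. The enclosing `init_systemd` conditional starts outside the hunk.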
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.1)
+policy_module(logging, 1.25.2)
 ########################################
 #
@@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)
 init_dontaudit_use_fds(auditctl_t)
-locallogin_dontaudit_use_fds(auditctl_t)
-
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
@@ -133,6 +131,10 @@ ifdef(`init_systemd',`
 init_rw_stream_sockets(auditctl_t)
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(auditctl_t)
+')
+
 ########################################
 #
 # Auditd local policy
@@ -373,8 +375,8 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # sys_nice for rsyslog
 # cjp: why net_admin!
-allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
-dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
+allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+dontaudit syslogd_t self:capability { sys_ptrace };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
@@ -565,6 +567,8 @@ optional_policy(`
 optional_policy(`
 udev_read_db(syslogd_t)
+ # for systemd-journal to read seat data from /run/udev/data
+ udev_read_pid_files(syslogd_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 62eb23a57..73b108c06 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.1)
+policy_module(lvm, 1.19.2)
 ########################################
 #
@@ -257,6 +257,8 @@ dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
 # the following one is needed by cryptsetup
 dev_getattr_fs(lvm_t)
+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
 domain_use_interactive_fds(lvm_t)
 domain_read_all_domains_state(lvm_t)
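Review bot: `setgid` and `setuid` are added to the syslogd_t capability allow rule (logging.te, hunk at -373) without a matching line in the comment block above it, which otherwise records who needs each capability (`sys_admin` for klog, `sys_nice` for rsyslog). These two let the logging daemon change its own credentials, so an auditor needs the reason on record. Add something like `# setuid, setgid for <daemon> dropping privileges` once the consumer is confirmed. Removing `sys_tty_config` from the dontaudit rule is consistent, because the allow rule already grants it.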
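Review bot: `udev_read_pid_files(syslogd_t)` (logging.te, hunk at -565) is commented as being for systemd-journal, yet it is granted on every build, including ones where syslogd_t is only a classic syslog daemon. This file already places systemd-only rules under a conditional on `init_systemd` (visible in the context of the auditctl_t hunk), so the new line could go inside such a block within the existing `optional_policy`. The same applies to `dev_write_kmsg(lvm_t)` in the lvm.te hunk, commented `# for systemd-cryptsetup`. Write access to /dev/kmsg lets the domain place messages in the kernel log, so it is worth limiting to systemd builds unless another lvm_t program needs it.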
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 08cea4c68..e51cb4ffe 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.1)
+policy_module(selinuxutil, 1.22.2)
 gen_require(`
 bool secure_mode;
@@ -343,8 +343,6 @@ files_relabel_non_auth_files(restorecond_t )
 files_read_non_auth_files(restorecond_t)
 auth_use_nsswitch(restorecond_t)
-locallogin_dontaudit_use_fds(restorecond_t)
-
 logging_send_syslog_msg(restorecond_t)
 miscfiles_read_localization(restorecond_t)
@@ -357,6 +355,10 @@ ifdef(`distro_ubuntu',`
 ')
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(restorecond_t)
+')
+
 optional_policy(`
 rpm_use_script_fds(restorecond_t)
 ')
@@ -482,8 +484,6 @@ term_use_all_terms(semanage_t)
 # Running genhomedircon requires this for finding all users
 auth_use_nsswitch(semanage_t)
-locallogin_use_fds(semanage_t)
-
 logging_send_syslog_msg(semanage_t)
 miscfiles_read_localization(semanage_t)
@@ -516,6 +516,10 @@ ifdef(`distro_ubuntu',`
 ')
 ')
+optional_policy(`
+ locallogin_use_fds(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index f4d2f133a..36ae9923c 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.20.2)
+policy_module(sysnetwork, 1.20.3)
 ########################################
 #
@@ -145,8 +145,6 @@ logging_send_syslog_msg(dhcpc_t)
 miscfiles_read_localization(dhcpc_t)
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
-
 sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
 userdom_use_user_terminals(dhcpc_t)
@@ -205,6 +203,10 @@ optional_policy(`
 ')
 ')
+optional_policy(`
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
+')
+
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`
 netutils_run_ping(dhcpc_t, dhcpc_roles)
@@ -333,8 +335,6 @@ logging_send_syslog_msg(ifconfig_t)
 miscfiles_read_localization(ifconfig_t)
-modutils_domtrans_insmod(ifconfig_t)
-
 seutil_use_runinit_fds(ifconfig_t)
 sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
@@ -376,6 +376,10 @@ optional_policy(`
 ipsec_setcontext_default_spd(ifconfig_t)
 ')
+optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
+')
+
 optional_policy(`
 nis_use_ypbind(ifconfig_t)
 ')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 5bec7a25d..b53e364a7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.1)
+policy_module(udev, 1.21.2)
 ########################################
 #
@@ -125,6 +125,7 @@ files_search_mnt(udev_t)
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
+fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 mcs_ptrace_all(udev_t)
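Review bot: `fs_read_cgroup_files(udev_t)` is added to udev.te (hunk at -125) with no comment, whereas the other new grants in this commit (logging.te, lvm.te) name the component that needs them. Put a one-line reason above it, e.g. `# for <component> reading <what> from the cgroup filesystem`, so a later audit can tell whether the access is still required. If only a systemd build needs it, a conditional on `init_systemd`, as used in logging.te, would keep the permission off other builds.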