diff --git a/policy-rawhide.patch b/policy-rawhide.patch index ac16f1c..47c593a 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 28802c5..c73c1d2 100644 +index 28802c5..4b3db76 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -62032,7 +62032,7 @@ index 28802c5..c73c1d2 100644 } # -@@ -443,10 +448,11 @@ class capability +@@ -443,10 +448,12 @@ class capability class capability2 { mac_override # unused by SELinux @@ -62040,12 +62040,13 @@ index 28802c5..c73c1d2 100644 + mac_admin syslog wake_alarm ++ epolwakeup block_suspend + secure_firmware } # -@@ -862,3 +868,20 @@ inherits database +@@ -862,3 +869,20 @@ inherits database implement execute } @@ -81790,7 +81791,7 @@ index d2e40b8..3ba2e4c 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..3f3a57f 100644 +index d26fe81..efdc556 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` 
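Review bot: The `++ epolwakeup` entry added to class capability2 between wake_alarm and block_suspend changes the bit that checkpolicy assigns to block_suspend and secure_firmware, since a permission's position in access_vectors is its value, and nothing in the hunk says which kernel numbering this is meant to match. As far as I recall, the kernel's CAP_EPOLLWAKEUP was renamed to CAP_BLOCK_SUSPEND without a new number being allocated, so a separate placeholder would not correspond to any kernel capability; please confirm against the kernel's classmap.h for the target kernel before relying on it for numbering (the kernel maps permissions by name, so an unmatched name would simply never be granted). A comment on the entry would make the intent checkable later, e.g. `epolwakeup	# placeholder: kept for numbering, see kernel capability.h`, and the spelling differs from the kernel macro name (EPOLLWAKEUP, two Ls), which is worth stating in that comment so nobody "fixes" it.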
@@ -82312,7 +82313,33 @@ index d26fe81..3f3a57f 100644 ') ######################################## -@@ -1117,6 +1340,24 @@ interface(`init_read_all_script_files',` +@@ -1098,6 +1321,25 @@ interface(`init_getattr_all_script_files',` + + ######################################## + ## ++## Allow the specified domain to modify the systemd configuration of ++## all init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_config_all_script_files',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ allow $1 init_script_file_type:service all_service_perms; ++') ++ ++######################################## ++## + ## Read all init script files. + ## + ## +@@ -1117,6 +1359,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -82337,7 +82364,7 @@ index d26fe81..3f3a57f 100644 ## Dontaudit read all init script files. ## ## -@@ -1168,12 +1409,7 @@ interface(`init_read_script_state',` +@@ -1168,12 +1428,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -82351,7 +82378,7 @@ index d26fe81..3f3a57f 100644 ') ######################################## -@@ -1413,6 +1649,27 @@ interface(`init_dbus_send_script',` +@@ -1413,6 +1668,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -82379,7 +82406,7 @@ index d26fe81..3f3a57f 100644 ## init scripts over dbus. ## ## -@@ -1499,6 +1756,25 @@ interface(`init_getattr_script_status_files',` +@@ -1499,6 +1775,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -82405,7 +82432,7 @@ index d26fe81..3f3a57f 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1557,6 +1833,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1557,6 +1852,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## 
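Review bot: The new `init_config_all_script_files` interface grants `allow $1 init_script_file_type:service all_service_perms;`, which, assuming all_service_perms is the full service permission set (start, stop, enable, disable and friends), gives the caller full control of every init-script-backed unit, considerably more than the summary's "modify the systemd configuration" suggests. Either narrow the rule to the permissions the caller actually needs, or state the scope in the summary so callers audit it as such, e.g. `## Allow the specified domain full control (start, stop, enable, disable, ...) over the systemd units of all init scripts.`. The renumbered hunk header (-1098 instead of -1117, +19 lines) is consistent with the inserted block.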
@@ -82430,7 +82457,7 @@ index d26fe81..3f3a57f 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1629,6 +1923,43 @@ interface(`init_read_utmp',` +@@ -1629,6 +1942,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -82474,7 +82501,7 @@ index d26fe81..3f3a57f 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1717,7 +2048,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1717,7 +2067,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -82483,10 +82510,11 @@ index d26fe81..3f3a57f 100644 ') ######################################## -@@ -1758,6 +2089,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1758,7 +2108,129 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') +-######################################## +###################################### +## +## Allow search directory in the /run/systemd directory. @@ -82609,10 +82637,11 @@ index d26fe81..3f3a57f 100644 + filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + - ######################################## ++######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1792,3 +2245,284 @@ interface(`init_udp_recvfrom_all_daemons',` + ## +@@ -1792,3 +2264,284 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -89853,10 +89882,10 @@ index 0000000..7da5bf6 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..6d1582c +index 0000000..58d1ab6 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,735 @@ +@@ -0,0 +1,736 @@ +## SELinux policy for systemd components + +####################################### 
@@ -90463,8 +90492,8 @@ index 0000000..6d1582c + +######################################## +## -+## Allow the specified domain to connect to -+## systemd_logger with a unix socket. ++## Allow the specified domain to modify the systemd configuration of ++## all systemd services +## +## +## @@ -90478,6 +90507,7 @@ index 0000000..6d1582c + ') + + allow $1 systemd_unit_file_type:service all_service_perms; ++ init_config_all_script_files($1) +') + + diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 49dc44f..86deda8 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -60403,10 +60403,10 @@ index 65baaac..821bcea 100644 + can_exec($1, consolehelper_exec_t) +') diff --git a/userhelper.te b/userhelper.te -index f25ed61..390de9e 100644 +index f25ed61..a137f29 100644 --- a/userhelper.te +++ b/userhelper.te -@@ -6,9 +6,81 @@ policy_module(userhelper, 1.7.0) +@@ -6,9 +6,82 @@ policy_module(userhelper, 1.7.0) # attribute userhelper_type; @@ -60427,7 +60427,8 @@ index f25ed61..390de9e 100644 +# + +allow consolehelper_domain self:shm create_shm_perms; -+allow consolehelper_domain self:capability { setgid setuid }; ++allow consolehelper_domain self:capability { setgid setuid dac_override }; ++allow consolehelper_domain self:process signal; + +allow consolehelper_domain userhelper_conf_t:file audit_access; +dontaudit consolehelper_domain userhelper_conf_t:file write; diff --git a/selinux-policy.spec b/selinux-policy.spec index d0dd8ce..0a2442e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
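Review bot: The summary rewritten in the hunk at -90463 now reads `Allow the specified domain to modify the systemd configuration of all systemd services`, but the `init_config_all_script_files($1)` call added in the hunk at -90478 means the interface also grants all_service_perms on every init_script_file_type, which the summary does not mention; suggest `## Allow the specified domain to manage the systemd units of all systemd services and of all init scripts.` (the current line also lacks the terminating period the surrounding summaries use). The interface's name and the start of its body are outside the hunk.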
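Review bot: `allow consolehelper_domain self:capability { setgid setuid dac_override };` adds dac_override to an attribute shared by every consolehelper domain, which lets all of those processes bypass DAC mode bits on any file their type rules already reach, and the commit gives no rationale for it. If the denial that prompted this was a read or search of a user-owned file, `dac_read_search` is the narrower capability; if a write is genuinely needed, a comment naming the file and reason keeps the grant auditable, e.g. `# dac_override: <REASON_PLACEHOLDER> -- confirm dac_read_search is insufficient`. The added `allow consolehelper_domain self:process signal;` is self-contained and looks fine. The userhelper.te block continues outside the hunk.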
@@ -491,6 +491,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Aug 9 2012 Miroslav Grepl 3.11.1-5 +- Put placeholder back in place for proper numbering of capabilities +- Systemd also configures init scripts + * Thu Aug 9 2012 Miroslav Grepl 3.11.1-4 - Fix ecryptfs interfaces - Bootloader seems to be trolling around /dev/shm and /dev