diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 300776f..d2395b3 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -24029,7 +24029,7 @@ index fe0c682..e8dcfa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..97291d1 100644
+index 5fc0391..980e658 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3)
@@ -24280,7 +24280,7 @@ index 5fc0391..97291d1 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +264,55 @@ optional_policy(`
+@@ -223,33 +264,56 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -24312,6 +24312,7 @@ index 5fc0391..97291d1 100644
corenet_sendrecv_xserver_server_packets(sshd_t)
+auth_exec_login_program(sshd_t)
++auth_signal_chk_passwd(sshd_t)
+
+userdom_read_user_home_content_files(sshd_t)
+userdom_read_user_home_content_symlinks(sshd_t)
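Review bot: `auth_signal_chk_passwd(sshd_t)` is added unconditionally with no comment, and neither the policy line nor the changelog entry ("Allow sshd to send signal to chkpwd_t") says which operation needs it, so a later reader cannot judge whether `signal` is the narrowest permission that would do. A one-line comment above it naming the trigger, e.g. `# sshd signals its chkpwd helper (presumably to terminate it on auth timeout; see <bug id>)`, would record that. The sshd_t block this sits in starts and ends outside the hunk.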
@@ -24345,7 +24346,7 @@ index 5fc0391..97291d1 100644
')
optional_policy(`
-@@ -257,11 +320,28 @@ optional_policy(`
+@@ -257,11 +321,28 @@ optional_policy(`
')
optional_policy(`
@@ -24375,7 +24376,7 @@ index 5fc0391..97291d1 100644
')
optional_policy(`
-@@ -269,6 +349,10 @@ optional_policy(`
+@@ -269,6 +350,10 @@ optional_policy(`
')
optional_policy(`
@@ -24386,7 +24387,7 @@ index 5fc0391..97291d1 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +363,93 @@ optional_policy(`
+@@ -279,13 +364,93 @@ optional_policy(`
')
optional_policy(`
@@ -24480,7 +24481,7 @@ index 5fc0391..97291d1 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +458,33 @@ optional_policy(`
+@@ -294,19 +459,33 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -24515,7 +24516,7 @@ index 5fc0391..97291d1 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -322,7 +500,14 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -322,7 +501,14 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
@@ -24530,7 +24531,7 @@ index 5fc0391..97291d1 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +516,148 @@ optional_policy(`
+@@ -331,3 +517,148 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -24680,7 +24681,7 @@ index 5fc0391..97291d1 100644
+')
+
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..7acda6c 100644
+index d1f64a0..b79dbb4 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -24786,7 +24787,7 @@ index d1f64a0..7acda6c 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,25 +130,50 @@ ifndef(`distro_debian',`
+@@ -92,25 +130,51 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -24828,11 +24829,12 @@ index d1f64a0..7acda6c 100644
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-
++/var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+
+
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index a4a6124..99dd61b 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -4966,7 +4966,7 @@ index 83e899c..9426db5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..17a51e3 100644
+index 1a82e29..d2693f8 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,381 @@
@@ -6192,7 +6192,7 @@ index 1a82e29..17a51e3 100644
')
optional_policy(`
-@@ -781,34 +944,57 @@ optional_policy(`
+@@ -781,34 +944,58 @@ optional_policy(`
')
optional_policy(`
@@ -6211,6 +6211,7 @@ index 1a82e29..17a51e3 100644
+
+optional_policy(`
+ mirrormanager_manage_pid_files(httpd_t)
++ mirrormanager_manage_pid_sock_files(httpd_t)
+ mirrormanager_read_lib_files(httpd_t)
+ mirrormanager_read_log(httpd_t)
+')
@@ -6261,7 +6262,7 @@ index 1a82e29..17a51e3 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +1002,18 @@ optional_policy(`
+@@ -816,8 +1003,18 @@ optional_policy(`
')
optional_policy(`
@@ -6280,7 +6281,7 @@ index 1a82e29..17a51e3 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +1022,7 @@ optional_policy(`
+@@ -826,6 +1023,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6288,7 +6289,7 @@ index 1a82e29..17a51e3 100644
')
optional_policy(`
-@@ -836,20 +1033,40 @@ optional_policy(`
+@@ -836,20 +1034,40 @@ optional_policy(`
')
optional_policy(`
@@ -6335,7 +6336,7 @@ index 1a82e29..17a51e3 100644
')
optional_policy(`
-@@ -857,19 +1074,35 @@ optional_policy(`
+@@ -857,19 +1075,35 @@ optional_policy(`
')
optional_policy(`
@@ -6371,7 +6372,7 @@ index 1a82e29..17a51e3 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1110,173 @@ optional_policy(`
+@@ -877,65 +1111,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6567,7 +6568,7 @@ index 1a82e29..17a51e3 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1285,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1286,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6722,7 +6723,7 @@ index 1a82e29..17a51e3 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1369,106 @@ optional_policy(`
+@@ -1077,172 +1370,106 @@ optional_policy(`
')
')
@@ -6959,7 +6960,7 @@ index 1a82e29..17a51e3 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1476,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1477,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7056,7 +7057,7 @@ index 1a82e29..17a51e3 100644
########################################
#
-@@ -1315,8 +1551,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1552,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7073,7 +7074,7 @@ index 1a82e29..17a51e3 100644
')
########################################
-@@ -1324,49 +1567,38 @@ optional_policy(`
+@@ -1324,49 +1568,38 @@ optional_policy(`
# User content local policy
#
@@ -7138,7 +7139,7 @@ index 1a82e29..17a51e3 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1608,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1609,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -11380,10 +11381,10 @@ index 0000000..d020d89
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
-index 0000000..23407b8
+index 0000000..7beaafe
--- /dev/null
+++ b/chrome.if
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,138 @@
+
+## policy for chrome
+
@@ -11475,6 +11476,7 @@ index 0000000..23407b8
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
++ allow chrome_sandbox_t $2:udp_socket rw_socket_perms;
+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
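Review bot: `allow chrome_sandbox_t $2:udp_socket rw_socket_perms;` grants the sandbox read/write on whatever UDP sockets the caller leaks into it, and the changelog itself describes these descriptors as leaked rather than intended. For leaked descriptors the usual treatment is to silence the denial instead of granting it, so `dontaudit chrome_sandbox_t $2:udp_socket rw_socket_perms;` (or closing the descriptors in the parent) keeps the sandbox from gaining a network path through inherited sockets; if the sandbox genuinely needs them, a comment saying so would justify the allow. The adjacent context line `allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;` carries a doubled semicolon worth cleaning up while here. The enclosing interface starts before and ends after this hunk.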
@@ -12850,10 +12852,10 @@ index 0000000..8ac848b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..496ce03
+index 0000000..2b47a40
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,300 @@
+@@ -0,0 +1,301 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -13052,6 +13054,7 @@ index 0000000..496ce03
+
+kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
++kernel_read_network_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
+
@@ -40143,7 +40146,7 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 98b5405..7d982bb 100644
+index 98b5405..1150694 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -40163,11 +40166,12 @@ index 98b5405..7d982bb 100644
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
-@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t)
+@@ -64,9 +65,9 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
+term_use_usb_ttys(lircd_t)
++term_use_unallocated_ttys(lircd_t)
logging_send_syslog_msg(lircd_t)
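Review bot: `term_use_unallocated_ttys(lircd_t)` is added unconditionally and grants lircd read/write on every unallocated tty (`tty_device_t`), not only the device the changelog's mythtv case uses, and the policy line itself carries no explanation. If the remote-control device is a specific serial or USB tty, labeling that device would be narrower (the line above already grants `term_use_usb_ttys`); if the broad rule is really needed, a comment such as `# lircd opens its IR device as an unallocated tty (mythtv setups)` above it should say so. The lircd_t block continues outside the hunk.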
@@ -40466,7 +40470,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..5fef0a4 100644
+index 7bab8e5..6234385 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,26 @@
@@ -40755,8 +40759,14 @@ index 7bab8e5..5fef0a4 100644
su_exec(logrotate_t)
')
-@@ -241,13 +295,11 @@ optional_policy(`
+@@ -239,15 +293,17 @@ optional_policy(`
+ varnishd_manage_log(logrotate_t)
+ ')
++optional_policy(`
++ virt_manage_cache(logrotate_t)
++')
++
#######################################
#
-# Mail local policy
@@ -43485,10 +43495,10 @@ index 0000000..c713b27
+/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0)
diff --git a/mirrormanager.if b/mirrormanager.if
new file mode 100644
-index 0000000..fbb831d
+index 0000000..86467cf
--- /dev/null
+++ b/mirrormanager.if
-@@ -0,0 +1,237 @@
+@@ -0,0 +1,256 @@
+
+## policy for mirrormanager
+
@@ -43688,6 +43698,25 @@ index 0000000..fbb831d
+
+########################################
+##
++## Manage mirrormanager PID sock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mirrormanager_manage_pid_sock_files',`
++ gen_require(`
++ type mirrormanager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_sock_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an mirrormanager environment
+##
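Review bot: The documentation header of the new `mirrormanager_manage_pid_sock_files` interface shows bare `##` lines between the summary and the `interface(` declaration, where refpolicy interface headers carry the `<param name="domain">`/`<summary>` markup that the policy doc tooling parses. If that markup is really absent from the patch rather than dropped by this rendering, the interface will be missing or malformed in the generated documentation; compare against the sibling `mirrormanager_manage_pid_files` header. The body itself mirrors that sibling with `manage_sock_files_pattern` and the same `files_search_pids($1)`, which is the expected counterpart.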
@@ -50287,7 +50316,7 @@ index 687af38..a77dc09 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..6e73360 100644
+index 9f6179e..919fdc3 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -50377,7 +50406,7 @@ index 9f6179e..6e73360 100644
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -93,50 +92,55 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -93,50 +92,57 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@@ -50404,11 +50433,13 @@ index 9f6179e..6e73360 100644
-corenet_sendrecv_mysqld_server_packets(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
-corenet_sendrecv_mysqld_client_packets(mysqld_t)
++corenet_tcp_bind_tram_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
-corenet_tcp_sendrecv_mysqld_port(mysqld_t)
-
-corecmd_exec_bin(mysqld_t)
-corecmd_exec_shell(mysqld_t)
++corenet_tcp_connect_tram_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
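Review bot: `corenet_tcp_bind_tram_port(mysqld_t)` and `corenet_tcp_connect_tram_port(mysqld_t)` are granted unconditionally, so every mysqld instance may now listen on and reach the tram port although presumably only a clustered deployment uses it (the changelog ties the change to BZ #1118052). Consider gating both under a boolean, as this module already does for other optional network reach, and add a comment naming the purpose, e.g. `# tram port, see BZ #1118052`, since nothing in the .te says what the port is for. The mysqld_t network block continues outside the hunk.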
@@ -50450,7 +50481,7 @@ index 9f6179e..6e73360 100644
')
optional_policy(`
-@@ -144,6 +148,10 @@ optional_policy(`
+@@ -144,6 +150,10 @@ optional_policy(`
')
optional_policy(`
@@ -50461,7 +50492,7 @@ index 9f6179e..6e73360 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -153,29 +161,25 @@ optional_policy(`
+@@ -153,29 +163,25 @@ optional_policy(`
#######################################
#
@@ -50500,7 +50531,7 @@ index 9f6179e..6e73360 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +189,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -50536,7 +50567,7 @@ index 9f6179e..6e73360 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -205,7 +217,7 @@ optional_policy(`
+@@ -205,7 +219,7 @@ optional_policy(`
########################################
#
@@ -50545,7 +50576,7 @@ index 9f6179e..6e73360 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +228,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -50563,7 +50594,7 @@ index 9f6179e..6e73360 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -226,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +241,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -95037,7 +95068,7 @@ index 0000000..80c6480
+')
diff --git a/stapserver.te b/stapserver.te
new file mode 100644
-index 0000000..6aeecac
+index 0000000..337d201
--- /dev/null
+++ b/stapserver.te
@@ -0,0 +1,114 @@
@@ -95073,7 +95104,7 @@ index 0000000..6aeecac
+allow stapserver_t self:capability { setuid setgid };
+allow stapserver_t self:process setsched;
+
-+allow stapserver_t self:capability { dac_override kill };
++allow stapserver_t self:capability { dac_override kill sys_ptrace};
+allow stapserver_t self:process { setrlimit signal };
+
+allow stapserver_t self:fifo_file rw_fifo_file_perms;
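Review bot: Adding `sys_ptrace` to stapserver_t's capability set (`{ dac_override kill sys_ptrace}`) lets the daemon trace and read the memory of other processes, and neither the hunk nor the changelog says which operation needs it. If the denial came from reading other processes' /proc entries rather than a real ptrace, the common refpolicy treatment is `dontaudit stapserver_t self:capability sys_ptrace;` instead of an allow; if it is genuinely required, a comment above the line should say for what. Either way add the missing space before the brace, `allow stapserver_t self:capability { dac_override kill sys_ptrace };`, and consider merging this with the `{ setuid setgid }` capability line three lines up so stapserver_t's capabilities are declared once.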
@@ -100565,7 +100596,7 @@ index 1c35171..2cba4df 100644
domain_system_change_exemption($1)
role_transition $2 varnishd_initrc_exec_t system_r;
diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..8cade37 100644
+index 9d4d8cb..1189323 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -100590,7 +100621,7 @@ index 9d4d8cb..8cade37 100644
#
-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
-+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner };
++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner fsetid };
dontaudit varnishd_t self:capability sys_tty_config;
-allow varnishd_t self:process signal;
+allow varnishd_t self:process { execmem signal };
@@ -100820,10 +100851,10 @@ index 0be8535..b96e329 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index c30da4c..6351bcb 100644
+index c30da4c..9ccc90c 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,52 +1,92 @@
+@@ -1,52 +1,97 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -100931,6 +100962,11 @@ index c30da4c..6351bcb 100644
+/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
++#support for vdsm
++/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/share/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/share/vdsm/supervdsmServer -- gen_context(system_u:object_r:virtd_exec_t,s0)
++
+# support for nova-stack
+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
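Review bot: The three vdsm entries label `/usr/share/vdsm/vdsm`, `/usr/share/vdsm/respawn` and `/usr/share/vdsm/supervdsmServer` as `virtd_exec_t`, so vdsm and its supervisor will run in the libvirt daemon's domain with all of virtd_t's privileges rather than in a domain of their own; if that is intentional it deserves a sentence in the comment, otherwise a dedicated vdsm domain is the least-privilege choice. The comment should also match the neighbouring style, `# support for vdsm` with a space after `#`, like `# support for nova-stack` below it. The file section continues outside the hunk.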
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5d53ad2..202b049 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 176%{?dist}
+Release: 177%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jul 14 2014 Lukas Vrabec 3.12.1-177
+- Allow lircd_t to use tty_device_t for use withmythtv
+- Allow mysqld to bind and connect to tram port BZ #1118052
+- Allow deltacloudd_t to read network state BZ #1116940
+- Allow apache to manage pid sock files
+- Add capability sys_ptrace to stapserver
+- Added support for vdsm
+- Allow chrome sandbox to use udp_sockets leaked in by its parent
+- Allow logrotate to manage virt_cache
+- varnishd needs to have fsetid capability
+- Allow sshd to send signal to chkpwd_t
+- Set proper labeling on /var/run/sddm
+
* Wed Jul 02 2014 Lukas Vrabec 3.12.1-176
- Allow apache to search ipa lib files by default