diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 206fe53..e70b33d 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -22857,7 +22857,7 @@ index 9d2f311..9e87525 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 346d011..e73a293 100644
+index 346d011..19dfc1f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -22931,7 +22931,13 @@ index 346d011..e73a293 100644
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
-@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t)
+@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
+ files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
+
+ kernel_read_kernel_sysctls(postgresql_t)
++kernel_read_network_state(postgresql_t)
+ kernel_read_system_state(postgresql_t)
+ kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
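Review bot: The added `++kernel_read_network_state(postgresql_t)` grant is not covered by the release note this commit adds to selinux-policy.spec, which lists only the docker /var/lib/docker change, so the new permission for postgresql_t has no visible justification or changelog trail. A changelog line such as `- Allow postgresql to read network state` (or a reference to the report that motivated it) would make the grant auditable later. The grant itself is a read-only one on kernel network state, so the risk is low, but every widening of a confined domain should be traceable to a reason. The surrounding postgresql_t rule block begins and ends outside this hunk.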
@@ -22939,7 +22945,7 @@ index 346d011..e73a293 100644
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@@ -22949,7 +22955,7 @@ index 346d011..e73a293 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
-@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t)
+@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)
@@ -22981,7 +22987,7 @@ index 346d011..e73a293 100644
allow postgresql_t self:process execmem;
')
-@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
# It is always allowed to operate temporary objects for any database client.
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
@@ -23038,7 +23044,7 @@ index 346d011..e73a293 100644
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')
-@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@@ -23047,7 +23053,7 @@ index 346d011..e73a293 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index d52b916..4147183 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -23083,10 +23083,10 @@ index 0000000..1c4ac02
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..cc6846a
+index 0000000..867fd78
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,324 @@
+
+## The open-source application container engine.
+
@@ -23202,6 +23202,7 @@ index 0000000..cc6846a
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
++ manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
+')
+
+########################################
@@ -98401,7 +98402,7 @@ index c30da4c..6351bcb 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..f2c0191 100644
+index 9dec06c..88dcafb 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -99923,7 +99924,7 @@ index 9dec06c..f2c0191 100644
##
##
##
-@@ -1053,37 +1102,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
@@ -99947,7 +99948,7 @@ index 9dec06c..f2c0191 100644
##
-##
+##
- ##
++##
+## Prefix for the domain.
+##
+##
@@ -99964,6 +99965,8 @@ index 9dec06c..f2c0191 100644
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+
++ logging_send_syslog_msg($1_t)
++
+ kernel_read_system_state($1_t)
+')
+
@@ -99972,7 +99975,7 @@ index 9dec06c..f2c0191 100644
+## Make the specified type usable as a lxc domain
+##
+##
-+##
+ ##
+## Type to be used as a lxc domain
+##
+##
@@ -100069,7 +100072,7 @@ index 9dec06c..f2c0191 100644
##
##
##
-@@ -1091,36 +1234,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -100143,7 +100146,7 @@ index 9dec06c..f2c0191 100644
##
##
##
-@@ -1136,50 +1297,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -100216,7 +100219,7 @@ index 9dec06c..f2c0191 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..49a7fce 100644
+index 1f22fba..afa8936 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,194 @@
@@ -101649,7 +101652,7 @@ index 1f22fba..49a7fce 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1111,276 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1111,278 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -101869,6 +101872,8 @@ index 1f22fba..49a7fce 100644
+')
+
+optional_policy(`
++ docker_manage_lib_files(svirt_lxc_net_t)
++ docker_manage_lib_dirs(svirt_lxc_net_t)
+ docker_read_share_files(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
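Review bot: `docker_manage_lib_files(svirt_lxc_net_t)` and `docker_manage_lib_dirs(svirt_lxc_net_t)` give every svirt_lxc_net_t container full write access to docker_var_lib_t, which presumably labels the whole /var/lib/docker tree rather than the calling container's own directory, so one container could modify daemon state and other containers' data. The lxc domain template in this same commit applies `mcs_constrained($1_t)`, but that does not separate containers here if docker_var_lib_t files carry no categories, as the file-context entries in this patch use plain `s0`. If the intent is access to a per-container subtree, labelling it svirt_sandbox_file_t (already used on the neighbouring `docker_lib_filetrans` line) keeps the MCS separation; otherwise a comment above these two lines should record why cross-container write to the docker library area is acceptable, e.g. `# containers need write access to all of /var/lib/docker; see 3.12.1-141`. The optional_policy block opens inside this hunk but the surrounding svirt_lxc_net_t rules begin outside it.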
@@ -102063,7 +102068,7 @@ index 1f22fba..49a7fce 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1393,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1395,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -102078,7 +102083,7 @@ index 1f22fba..49a7fce 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1411,8 @@ optional_policy(`
+@@ -1183,9 +1413,8 @@ optional_policy(`
########################################
#
@@ -102089,7 +102094,7 @@ index 1f22fba..49a7fce 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1425,216 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1427,216 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 20b4912..6b9120e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 140%{?dist}
+Release: 141%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 19 2014 Miroslav Grepl 3.12.1-141
+- Allow docker containers to manage /var/lib/docker content
+
* Mon Mar 17 2014 Miroslav Grepl 3.12.1-140
- Allow docker to read tmpfs_t symlinks
- Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets