diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index f442d63..d52b916 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -23412,10 +23412,10 @@ index 0000000..cc6846a +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..cf5fc98 +index 0000000..c80e06c --- /dev/null +++ b/docker.te -@@ -0,0 +1,264 @@ +@@ -0,0 +1,265 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23552,6 +23552,7 @@ index 0000000..cf5fc98 +files_read_etc_files(docker_t) + +fs_read_cgroup_files(docker_t) ++fs_read_tmpfs_symlinks(docker_t) + +storage_raw_rw_fixed_disk(docker_t) + @@ -100215,7 +100216,7 @@ index 9dec06c..f2c0191 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..dc92ae6 100644 +index 1f22fba..49a7fce 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,194 @@ @@ -101343,7 +101344,7 @@ index 1f22fba..dc92ae6 100644 + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') - ++ +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) @@ -101393,7 +101394,7 @@ index 1f22fba..dc92ae6 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -101648,7 +101649,7 @@ index 1f22fba..dc92ae6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1111,272 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1111,276 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
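Review bot: The new `+fs_read_tmpfs_symlinks(docker_t)` line in the inner docker.te hunk (the `@@ -23552,6 +23552,7 @@` hunk) carries no comment saying which tmpfs-backed path the daemon needs to follow links in, so a later reader cannot tell whether the access is still needed or could be dropped; a why-comment above it such as `# docker follows symlinks under a tmpfs mount: <path or reason here>` would fix that, and since this is a patch of a patch, the comment must be added as a further inner `+` line with the inner header bumped from `+1,265` to `+1,266`. The access is presumably limited to reading lnk_file objects of type tmpfs_t, the narrowest interface available for this, so no further restriction seems warranted. The inner header update `-@@ -0,0 +1,264 @@` / `+@@ -0,0 +1,265 @@` is consistent with exactly one added line.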
@@ -101681,12 +101682,12 @@ index 1f22fba..dc92ae6 100644 +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -101779,21 +101780,6 @@ index 1f22fba..dc92ae6 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') -+ -+optional_policy(` -+ docker_read_share_files(svirt_sandbox_domain) -+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) -+ docker_use_ptys(svirt_sandbox_domain) -+') -+ -+optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -101878,6 +101864,21 @@ index 1f22fba..dc92ae6 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ docker_read_share_files(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++ docker_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') ++ ++optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') 
@@ -101916,10 +101917,6 @@ index 1f22fba..dc92ae6 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; -+ -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -101931,6 +101928,13 @@ index 1f22fba..dc92ae6 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') + +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -101939,14 +101943,11 @@ index 1f22fba..dc92ae6 100644 + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) -+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; -+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; - -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) ++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; ++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; ++ +kernel_read_irq_sysctls(svirt_lxc_net_t) +dev_read_sysfs(svirt_lxc_net_t) 
@@ -101962,15 +101963,16 @@ index 1f22fba..dc92ae6 100644 fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) +fs_manage_cgroup_files(svirt_lxc_net_t) - --auth_use_nsswitch(svirt_lxc_net_t) ++ +term_pty(svirt_sandbox_file_t) + auth_use_nsswitch(svirt_lxc_net_t) + -logging_send_audit_msgs(svirt_lxc_net_t) -+auth_use_nsswitch(svirt_lxc_net_t) ++rpm_read_db(svirt_lxc_net_t) -userdom_use_user_ptys(svirt_lxc_net_t) -+rpm_read_db(svirt_lxc_net_t) ++logging_send_syslog_msg(svirt_lxc_net_t) -optional_policy(` - rpm_read_db(svirt_lxc_net_t) @@ -102012,7 +102014,8 @@ index 1f22fba..dc92ae6 100644 +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + @@ -102031,14 +102034,15 @@ index 1f22fba..dc92ae6 100644 +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +term_pty(svirt_sandbox_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) + ++logging_send_syslog_msg(svirt_qemu_net_t) ++ +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') @@ -102059,7 +102063,7 @@ index 1f22fba..dc92ae6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1389,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1393,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -102074,7 +102078,7 @@ index 1f22fba..dc92ae6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1407,8 @@ optional_policy(` +@@ -1183,9 +1411,8 @@ optional_policy(` ######################################## # 
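Review bot: `+logging_send_syslog_msg(svirt_lxc_net_t)` in the first hunk on this line is unconditional, whereas the neighbouring audit-message permission for the sibling sandbox domains is gated by `tunable_policy(`virt_sandbox_use_audit',`…')`; the same unconditional syslog rule is added for svirt_qemu_net_t in the third hunk on this line and for svirt_kvm_net_t in the second hunk on the next line. A sandboxed container domain that can write to the host syslog socket can fill or pollute the host's logs, so either gate the rule behind a tunable the way the audit rule is, or add a comment stating why sandbox-to-host syslog must always be on, e.g. `# sandbox domains may log to the host syslog socket unconditionally; audit messages stay behind virt_sandbox_use_audit`. The changelog entry only names svirt_lxc_net_t, so the qemu and kvm additions are also undocumented there.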
@@ -102085,7 +102089,7 @@ index 1f22fba..dc92ae6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1421,210 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1425,216 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -102270,6 +102274,8 @@ index 1f22fba..dc92ae6 100644 + +rpm_read_db(svirt_kvm_net_t) + ++logging_send_syslog_msg(svirt_kvm_net_t) ++ +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_kvm_net_t) +') @@ -102296,6 +102302,10 @@ index 1f22fba..dc92ae6 100644 +corenet_tcp_connect_all_ports(sandbox_net_domain) + +optional_policy(` ++ sssd_stream_connect(sandbox_net_domain) ++') ++ ++optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') diff --git a/vlock.te b/vlock.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 34cefae..20b4912 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 139%{?dist} +Release: 140%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 17 2014 Miroslav Grepl 3.12.1-140 +- Allow docker to read tmpfs_t symlinks +- Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets + * Mon Mar 17 2014 Miroslav Grepl 3.12.1-139 - Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets
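Review bot: `+ sssd_stream_connect(sandbox_net_domain)` in the third hunk on this line is granted to the whole sandbox_net_domain attribute, but the changelog entry below describes it as allowing svirt_lxc_net_t alone; which domains carry the attribute is not visible here, so if it also covers the qemu/kvm sandbox domains the entry understates the scope and should say `sandbox_net_domain`. The rule is correctly wrapped in `optional_policy(`…')`, so policies built without the sssd module still load. If `auth_use_nsswitch`, which these domains already call, already pulls in sssd socket access on this branch, the explicit rule is redundant — worth confirming before merging.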