diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 395b847..25515ae 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -23809,7 +23809,7 @@ index fe0c682..e8dcfa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..3b3225a 100644
+index 5fc0391..d6519a1 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,62 @@ policy_module(ssh, 2.3.3)
@@ -24057,7 +24057,7 @@ index 5fc0391..3b3225a 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +261,54 @@ optional_policy(`
+@@ -223,33 +261,55 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -24070,12 +24070,13 @@ index 5fc0391..3b3225a 100644
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
-
++kernel_read_net_sysctls(sshd_t)
++
+files_search_all(sshd_t)
+
+fs_search_cgroup_dirs(sshd_t)
+fs_rw_cgroup_files(sshd_t)
-+
+
term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
+term_setattr_all_ttys(sshd_t)
@@ -24121,7 +24122,7 @@ index 5fc0391..3b3225a 100644
')
optional_policy(`
-@@ -257,11 +316,28 @@ optional_policy(`
+@@ -257,11 +317,28 @@ optional_policy(`
')
optional_policy(`
@@ -24151,7 +24152,7 @@ index 5fc0391..3b3225a 100644
')
optional_policy(`
-@@ -269,6 +345,10 @@ optional_policy(`
+@@ -269,6 +346,10 @@ optional_policy(`
')
optional_policy(`
@@ -24162,7 +24163,7 @@ index 5fc0391..3b3225a 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +359,93 @@ optional_policy(`
+@@ -279,13 +360,93 @@ optional_policy(`
')
optional_policy(`
@@ -24256,7 +24257,7 @@ index 5fc0391..3b3225a 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +454,29 @@ optional_policy(`
+@@ -294,19 +455,29 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -24287,7 +24288,7 @@ index 5fc0391..3b3225a 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +493,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +494,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -24300,7 +24301,7 @@ index 5fc0391..3b3225a 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +507,140 @@ optional_policy(`
+@@ -331,3 +508,140 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index d7fa6a4..6efd3be 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -2389,8 +2389,76 @@ index c960f92..486e9ed 100644
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
+diff --git a/anaconda.fc b/anaconda.fc
+index b098089..b2c4d10 100644
+--- a/anaconda.fc
++++ b/anaconda.fc
+@@ -1 +1,4 @@
+ # No file context specifications.
++
++/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
++/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0)
+diff --git a/anaconda.if b/anaconda.if
+index 14a61b7..21bbf36 100644
+--- a/anaconda.if
++++ b/anaconda.if
+@@ -1 +1,54 @@
+ ## Anaconda installer.
++
++########################################
++##
++## Execute a domain transition to run install.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`anaconda_domtrans_install',`
++ gen_require(`
++ type install_t, install_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, install_exec_t, install_t)
++')
++
++########################################
++##
++## Execute install in the install
++## domain, and allow the specified
++## role the install domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++#
++interface(`anaconda_run_install',`
++ gen_require(`
++ type install_t;
++ type install_exec_t;
++ attribute_role install_roles;
++ ')
++
++ anaconda_domtrans_install($1)
++ roleattribute $2 install_roles;
++ role_transition $2 install_exec_t system_r;
++
++ optional_policy(`
++ rpm_transition_script(install_t, $2)
++ ')
++')
++
diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..9f23456 100644
+index 6f1384c..4d36f22 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
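Review bot: The interface comments added to anaconda.if do not say what `anaconda_run_install` actually hands the caller: the `role_transition $2 install_exec_t system_r` line, combined with the install_t rules in the anaconda.te hunk below (ptrace of all domains, mac_admin, and unconfined_domain_noaudit when the unconfined module is present), means the role passed as `$2` is granted an effectively unconfined installer domain. The summary should state this so anyone wiring a role into the interface understands the scope, e.g. `## Run the installer in install_t, an effectively unconfined domain (mac_admin, ptrace of all domains); grant only to installer roles.` The `##` documentation lines also show no text between the markers on this page, which may be stripped XML summary/param tags rather than missing content; it is worth confirming those elements survived in the real file, since the refpolicy doc tooling reads them.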
@@ -2404,7 +2472,22 @@ index 6f1384c..9f23456 100644
########################################
#
# Declarations
-@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t)
+@@ -16,6 +20,14 @@ domain_entry_file(anaconda_t, anaconda_exec_t)
+ domain_obj_id_change_exemption(anaconda_t)
+ role system_r types anaconda_t;
+
++attribute_role install_roles;
++roleattribute system_r install_roles;
++
++type install_t;
++type install_exec_t;
++application_domain(install_t, install_exec_t)
++role install_roles types install_t;
++
+ ########################################
+ #
+ # Local policy
+@@ -34,8 +46,9 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
@@ -2415,6 +2498,39 @@ index 6f1384c..9f23456 100644
optional_policy(`
rpm_domtrans(anaconda_t)
+@@ -53,3 +66,32 @@ optional_policy(`
+ optional_policy(`
+ unconfined_domain_noaudit(anaconda_t)
+ ')
++
++########################################
++#
++# Local policy
++#
++
++allow install_t self:capability2 mac_admin;
++
++tunable_policy(`deny_ptrace',`',`
++ domain_ptrace_all_domains(install_t)
++')
++
++optional_policy(`
++ mount_run(install_t, install_roles)
++')
++
++optional_policy(`
++ networkmanager_dbus_chat(install_t)
++')
++
++optional_policy(`
++ seutil_run_setfiles_mac(install_t, install_roles)
++')
++
++optional_policy(`
++ unconfined_domain_noaudit(install_t)
++')
++
++
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 0000000..9d5214b
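Review bot: The new section header `# Local policy` above the install_t rules repeats the header the file already uses for anaconda_t, so a reader cannot tell the two domains' sections apart; use `# Install local policy` instead. The explicit `allow install_t self:capability2 mac_admin;` and `domain_ptrace_all_domains(install_t)` rules also deserve a one-line why-comment, since with `unconfined_domain_noaudit(install_t)` inside an optional_policy they presumably only take effect when the unconfined module is not loaded — confirm and record that, e.g. `# baseline rights when the unconfined module is absent: the installer relabels and inspects every domain`. The two trailing blank lines at the end of the added block can be reduced to one.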
@@ -3073,10 +3189,10 @@ index 0000000..8ba9c95
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..d75de2b 100644
+index 550a69e..43bb1c9 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,211 @@
+@@ -1,161 +1,212 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3162,6 +3278,7 @@ index 550a69e..d75de2b 100644
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
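Review bot: Labeling the entire `/usr/share/joomla(/.*)?` tree `httpd_sys_rw_content_t` makes Joomla's PHP code writable by the web server domain, so a compromised web process could persist by modifying scripts rather than only data. Unless the whole tree genuinely must be writable, label the tree `httpd_sys_content_t` and give `httpd_sys_rw_content_t` only to the subtrees Joomla writes at runtime (its cache, tmp and upload directories). If the broad label is intentional for now, a comment on the entry saying why would help the next reviewer.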
@@ -23290,10 +23407,10 @@ index 0000000..cc6846a
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..5171c33
+index 0000000..cf5fc98
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,260 @@
+@@ -0,0 +1,264 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -23518,6 +23635,10 @@ index 0000000..5171c33
+optional_policy(`
+ dbus_system_bus_client(docker_t)
+ init_dbus_chat(docker_t)
++
++ optional_policy(`
++ systemd_dbus_chat_logind(docker_t)
++ ')
+')
+
+optional_policy(`
@@ -55333,10 +55454,10 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..79aa756
+index 0000000..1d4e039
--- /dev/null
+++ b/openshift.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,28 @@
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
@@ -55344,6 +55465,7 @@ index 0000000..79aa756
+
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
++/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+
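Review bot: The new `/var/lib/containers(/.*)?` entry carries no comment explaining why container state is labeled `openshift_var_lib_t`; the spec changelog calls this a stopgap ("for now"), and that intent belongs next to the rule so it is revisited when a dedicated type exists, e.g. `# TODO: /var/lib/containers reuses openshift_var_lib_t until a dedicated container type exists`. The entry is also placed between the stickshift and openshift lines; grouping it with its own path prefix rather than splitting the stickshift block would read more clearly.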
@@ -100005,7 +100127,7 @@ index 9dec06c..fddb027 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..2dba7ec 100644
+index 1f22fba..dc92ae6 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,194 @@
@@ -101126,14 +101248,14 @@ index 1f22fba..2dba7ec 100644
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
+')
-
++
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
+')
-+
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
@@ -101271,10 +101393,10 @@ index 1f22fba..2dba7ec 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -101454,30 +101576,30 @@ index 1f22fba..2dba7ec 100644
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-+
+
+-miscfiles_read_localization(virtd_lxc_t)
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
--miscfiles_read_localization(virtd_lxc_t)
-+optional_policy(`
-+ docker_exec_lib(virtd_lxc_t)
-+')
-
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
+optional_policy(`
-+ gnome_read_generic_cache_files(virtd_lxc_t)
++ docker_exec_lib(virtd_lxc_t)
+')
+
+optional_policy(`
-+ setrans_manage_pid_files(virtd_lxc_t)
++ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
++ setrans_manage_pid_files(virtd_lxc_t)
++')
++
++optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -101580,6 +101702,10 @@ index 1f22fba..2dba7ec 100644
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
+')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -101664,10 +101790,6 @@ index 1f22fba..2dba7ec 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
@@ -101706,6 +101828,10 @@ index 1f22fba..2dba7ec 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -101717,13 +101843,6 @@ index 1f22fba..2dba7ec 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+ allow svirt_lxc_net_t self:capability sys_admin;
-+')
-
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -101732,11 +101851,14 @@ index 1f22fba..2dba7ec 100644
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-+
+
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
@@ -101809,8 +101931,7 @@ index 1f22fba..2dba7ec 100644
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
@@ -101822,7 +101943,8 @@ index 1f22fba..2dba7ec 100644
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@@ -101875,7 +101997,7 @@ index 1f22fba..2dba7ec 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1421,206 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1421,210 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -102084,6 +102206,10 @@ index 1f22fba..2dba7ec 100644
+corenet_udp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_connect_all_ports(sandbox_net_domain)
++
++optional_policy(`
++ systemd_dbus_chat_logind(sandbox_net_domain)
++')
diff --git a/vlock.te b/vlock.te
index 9ead775..b5285e7 100644
--- a/vlock.te
@@ -102239,10 +102365,10 @@ index 0000000..7933d80
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
-index 0000000..ab589a9
+index 0000000..5ce7d9c
--- /dev/null
+++ b/vmtools.te
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,89 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@@ -102329,6 +102455,8 @@ index 0000000..ab589a9
+domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)
+can_exec(vmtools_helper_t, vmtools_helper_exec_t)
+
++corecmd_exec_bin(vmtools_helper_t)
++
+userdom_stream_connect(vmtools_helper_t)
diff --git a/vmware.if b/vmware.if
index 20a1fb2..470ea95 100644
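Review bot: `corecmd_exec_bin(vmtools_helper_t)` lets the helper run any bin_t program without leaving its domain, while the surrounding lines already give it a transition to vmtools_t and exec of its own helper binary; if the helper only needs a few specific tools, a dedicated transition or a narrower exec rule would keep the grant bounded. If broad exec really is required, a one-line comment on the new rule naming what it spawns (e.g. `# helper scripts invoke shell utilities from bin_t`) would document the rationale, which currently exists only in the spec changelog.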
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c2c3db4..262a9a8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 136%{?dist}
+Release: 137%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Mar 13 2014 Miroslav Grepl 3.12.1-137
+- Allow vmtools_helper_t to execute bin_t
+- Add support for /usr/share/joomla
+- /var/lib/containers should be labeled as openshift content for now
+- Allow docker domains to talk to the login programs, to allow a process to login into the container
+- Allow install_t do dbus chat with NM
+- Fix interface names in anaconda.if
+- Add install_t for anaconda. A new type is a part of anaconda policy
+- sshd to read network sysctls
+
* Wed Mar 12 2014 Miroslav Grepl 3.12.1-136
- Allow zabbix to send system log msgs
- Allow init_t to stream connect to ipsec