diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 756c54a..9e6f2d3 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -32416,7 +32416,7 @@ index 9933677..ca14c17 100644
+
+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..4f4ac3a 100644
+index 7449974..23bbbf2 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@@ -32498,7 +32498,32 @@ index 7449974..4f4ac3a 100644
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal. Has a sigchld
-@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
+ can_exec($1, insmod_exec_t)
+ ')
+
++#######################################
++##
++## Don't audit execute insmod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modutils_dontaudit_exec_insmod',`
++ gen_require(`
++ type insmod_exec_t;
++ ')
++
++ dontaudit $1 insmod_exec_t:file exec_file_perms;
++')
++
+ ########################################
+ ##
+ ## Execute depmod in the depmod domain.
+@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
#
interface(`modutils_run_update_mods',`
gen_require(`
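Review bot: The parameter description of `modutils_dontaudit_exec_insmod` reads `Domain allowed access.`, but the interface grants nothing; its only rule is `dontaudit $1 insmod_exec_t:file exec_file_perms;`. The header would be more accurate as `Do not audit attempts to execute insmod in the caller domain.` with the parameter described as `Domain to not audit.`, so that someone scanning the interface docs does not mistake it for an allow. The summary/param markup seems to have been lost in this rendering, so only the wording is proposed here.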
@@ -32519,7 +32544,7 @@ index 7449974..4f4ac3a 100644
')
########################################
-@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',`
corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 7dca49b..ef54c62 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -9258,7 +9258,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..e27b377 100644
+index 7c92aa1..ae20918 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,20 @@
@@ -9460,13 +9460,14 @@ index 7c92aa1..e27b377 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +151,69 @@ init_read_utmp(boinc_t)
+@@ -130,55 +151,71 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
--
++modutils_dontaudit_exec_insmod(boinc_t)
+
optional_policy(`
mta_send_mail(boinc_t)
')
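Review bot: `modutils_dontaudit_exec_insmod(boinc_t)` is added without a comment saying what makes boinc_t try to run insmod. The access stays denied, but the dontaudit rule also drops the AVC record, so such an attempt is no longer visible in the audit log unless dontaudit rules are disabled. A line above the call such as `# <reason boinc_t execs insmod>; denial is expected, silence it` would record why losing that signal is acceptable for this domain. The boinc.te hunk is only partly visible here.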
@@ -23627,7 +23628,7 @@ index 6041113..ef3b449 100644
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
-index 19325ce..3e86b12 100644
+index 19325ce..37e31a4 100644
--- a/exim.te
+++ b/exim.te
@@ -49,7 +49,7 @@ type exim_log_t;
@@ -23652,7 +23653,11 @@ index 19325ce..3e86b12 100644
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
-@@ -138,7 +137,6 @@ auth_use_nsswitch(exim_t)
+@@ -135,10 +134,10 @@ fs_getattr_xattr_fs(exim_t)
+ fs_list_inotifyfs(exim_t)
+
+ auth_use_nsswitch(exim_t)
++auth_domtrans_chk_passwd(exim_t)
logging_send_syslog_msg(exim_t)
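Review bot: `auth_domtrans_chk_passwd(exim_t)` is added unconditionally and without a comment, so every exim_t process can transition to the password-check helper whether or not the site authenticates through PAM. The same file already gates optional behaviour behind booleans (`exim_can_connect_db`, `exim_read_user_files`), so it may be worth considering a `tunable_policy` block here too. At minimum, a comment such as `# needed when exim authenticates SMTP users through the PAM stack` would tie the rule to the changelog entry. Only part of the exim.te hunk is visible here.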
@@ -23660,7 +23665,7 @@ index 19325ce..3e86b12 100644
miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
-@@ -154,9 +152,9 @@ tunable_policy(`exim_can_connect_db',`
+@@ -154,9 +153,9 @@ tunable_policy(`exim_can_connect_db',`
corenet_sendrecv_mssql_client_packets(exim_t)
corenet_tcp_connect_mssql_port(exim_t)
corenet_tcp_sendrecv_mssql_port(exim_t)
@@ -23673,7 +23678,7 @@ index 19325ce..3e86b12 100644
')
tunable_policy(`exim_read_user_files',`
-@@ -170,8 +168,8 @@ tunable_policy(`exim_manage_user_files',`
+@@ -170,8 +169,8 @@ tunable_policy(`exim_manage_user_files',`
')
optional_policy(`
@@ -23684,7 +23689,7 @@ index 19325ce..3e86b12 100644
')
optional_policy(`
-@@ -192,11 +190,6 @@ optional_policy(`
+@@ -192,11 +191,6 @@ optional_policy(`
')
optional_policy(`
@@ -23696,7 +23701,7 @@ index 19325ce..3e86b12 100644
nagios_search_spool(exim_t)
')
-@@ -218,6 +211,7 @@ optional_policy(`
+@@ -218,6 +212,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -67770,7 +67775,7 @@ index 2c3d338..cf3e5ad 100644
########################################
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..4e0be2d 100644
+index 3698b51..e306360 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -67831,7 +67836,7 @@ index 3698b51..4e0be2d 100644
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +81,47 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -68,20 +81,49 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
@@ -67841,6 +67846,8 @@ index 3698b51..4e0be2d 100644
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
+
++corenet_tcp_bind_amanda_port(rabbitmq_beam_t)
++
+domain_read_all_domains_state(rabbitmq_beam_t)
+
+auth_read_passwd(rabbitmq_beam_t)
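Review bot: `corenet_tcp_bind_amanda_port(rabbitmq_beam_t)` lets the broker bind every port carrying the amanda port type, and nothing in the hunk says which port rabbitmq actually needs or why it collides with a backup-service label. Please add a comment naming the port and the rabbitmq feature that listens on it, e.g. `# rabbitmq <feature> listens on tcp/<port>, which is labeled for amanda`. If only one port is involved, relabelling it for rabbitmq may be narrower than granting bind on the whole type. That last point is inferred from the interface name, not from the port definitions, which are not in this diff.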
@@ -67883,7 +67890,7 @@ index 3698b51..4e0be2d 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +139,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -76777,7 +76784,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..f177430 100644
+index 57c034b..9c81334 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -77761,10 +77768,12 @@ index 57c034b..f177430 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -834,16 +841,19 @@ optional_policy(`
+@@ -833,17 +840,20 @@ optional_policy(`
+ # Winbind local policy
#
- allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
++allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice };
+allow winbind_t self:capability2 block_suspend;
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
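Review bot: The new capability set puts `kill` first, while the existing entries are in alphabetical order. Keeping that order would give `allow winbind_t self:capability { dac_override ipc_lock kill setuid sys_nice };`. The capability lets winbind_t skip the kernel's ownership check when sending signals, and the hunk gives no reason for it. The only signal permission visible here is `self:process { signal_perms ... }`, so a short comment naming the processes winbind must signal would help the next reviewer confirm the grant is needed. The winbind section continues outside the hunk.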
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6480312..31c6914 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.23%{?dist}
+Release: 74.24%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -542,6 +542,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Apr 14 2014 Lukas Vrabec 3.12.1-74.24
+- Add modutils_dontaudit_exec_insmod interface
+- Allow rabbitmq to bind to amanda port
+- Allow kill capability to winbind_t
+- Dontaudit exec insmod in boinc policy
+- Allow exim to use pam stack to check passwords
+
* Fri Mar 21 2014 Lukas Vrabec 3.12.1-74.23
- Add bumblebee to unconfined_domain