diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 02be679..8e3e35a 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -6030,7 +6030,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..7991715 100644 +index b31c054..0ad8553 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6108,7 +6108,7 @@ index b31c054..7991715 100644 /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -198,12 +212,22 @@ ifdef(`distro_debian',` +@@ -198,12 +212,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6120,6 +6120,11 @@ index b31c054..7991715 100644 /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ++/var/named/chroot_sdb/dev -d gen_context(system_u:object_r:device_t,s0) ++/var/named/chroot_sdb/dev/null -c gen_context(system_u:object_r:null_device_t,s0) ++/var/named/chroot_sdb/dev/random -c gen_context(system_u:object_r:random_device_t,s0) ++/var/named/chroot_sdb/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ++/ +/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) ') + @@ -28030,7 +28035,7 @@ index 28ad538..36fbb93 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..08c3e93 100644 +index 3efd5b6..c74d0d5 100644 
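Review bot: The last of the five lines this hunk adds after `/var/named/chroot/dev/zero` is a bare `+/` carrying neither a file-type field nor a context, which the file_contexts loader is likely to reject as a line with missing fields — unless the collapsing of this diff has merely dropped the remainder of that line. The hunk header's new count (`+27` replacing `+22`) does account for five added lines, so the stray entry looks real rather than an artefact. Drop it so the hunk adds only the four `/var/named/chroot_sdb/dev*` entries. The changelog's "Fix Multiple same specifications for /var/named/chroot/dev/zero" is not reflected in this hunk either; the duplicate it refers to is presumably removed elsewhere in the patch.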
--- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -28599,7 +28604,7 @@ index 3efd5b6..08c3e93 100644 ') ######################################## -@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1989,17 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -28613,10 +28618,14 @@ index 3efd5b6..08c3e93 100644 typeattribute $1 nsswitch_domain; + + corenet_all_recvfrom_netlabel($1) ++ ++ optional_policy(` ++ kerberos_keytab_domains($1) ++ ') ') ######################################## -@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',` +@@ -1805,3 +2033,242 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -32791,10 +32800,10 @@ index dd3be8d..c983546 100644 + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..08589f8 100644 +index 662e79b..15116db 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,23 @@ +@@ -1,14 +1,28 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) 
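Review bot: The `optional_policy(` block calling `kerberos_keytab_domains($1)` that this hunk adds to `auth_use_nsswitch` attaches the `kerberos_keytab_domain` attribute to every domain that uses name-service switching, so whatever kerberos.te grants that attribute (presumably read access to keytab files, i.e. long-term keys) now follows from an NSS dependency rather than from an explicit Kerberos dependency. That is a noticeable widening of keytab access and the interface's doc block, which this hunk does not touch, says nothing about it; add a line such as `## Callers are also marked as kerberos keytab domains (kerberos_keytab_domain attribute).` to the `auth_use_nsswitch` summary. Consider whether the domains that actually need keytabs could call `kerberos_keytab_domains()` themselves, keeping the grant explicit per domain. The `auth_use_nsswitch` body starts before this hunk.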
@@ -32802,37 +32811,45 @@ index 662e79b..08589f8 100644 -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) ++/usr/lib/systemd/system/strongimcv.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) + +/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/strongimcv/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongimcv/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/strongimcv(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongimcv/ipsec\.d(/.*)? 
gen_context(system_u:object_r:ipsec_key_file_t,s0) /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +35,24 @@ +@@ -26,16 +40,27 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -+/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) +/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) ++/var/lock/subsys/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) -/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) +/var/log/pluto\.log.* -- gen_context(system_u:object_r:ipsec_log_t,s0) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 117a26a..560a4d1 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -4954,10 +4954,10 @@ index 83e899c..64beed7 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..0b9c048 100644 +index 1a82e29..21d7195 100644 --- a/apache.te 
+++ b/apache.te -@@ -1,297 +1,375 @@ +@@ -1,297 +1,381 @@ -policy_module(apache, 2.6.10) +policy_module(apache, 2.4.0) + @@ -4996,7 +4996,6 @@ index 1a82e29..0b9c048 100644 ## -gen_tunable(allow_httpd_anon_write, false) +gen_tunable(httpd_anon_write, false) -+ ## -##

@@ -5117,61 +5116,55 @@ index 1a82e29..0b9c048 100644 +##

+## Allow httpd to connect to memcache server +##

-+##
-+gen_tunable(httpd_can_network_memcache, false) -+ -+## -+##

-+## Allow httpd to act as a relay -+##

##
- gen_tunable(httpd_can_network_relay, false) +-gen_tunable(httpd_can_network_relay, false) ++gen_tunable(httpd_can_network_memcache, false) ## -##

-## Determine whether httpd daemon can -## connect to zabbix over the network. -##

-+##

-+## Allow http daemon to connect to zabbix -+##

++##

++## Allow httpd to act as a relay ++##

##
-gen_tunable(httpd_can_network_connect_zabbix, false) -+gen_tunable(httpd_can_connect_zabbix, false) ++gen_tunable(httpd_can_network_relay, false) ## -##

-## Determine whether httpd can send mail. -##

+##

-+## Allow http daemon to connect to mythtv ++## Allow http daemon to connect to zabbix +##

##
-gen_tunable(httpd_can_sendmail, false) -+gen_tunable(httpd_can_connect_mythtv, false) ++gen_tunable(httpd_can_connect_zabbix, false) ## -##

-## Determine whether httpd can communicate -## with avahi service via dbus. -##

-+##

-+## Allow http daemon to check spam -+##

++##

++## Allow http daemon to connect to mythtv ++##

##
-gen_tunable(httpd_dbus_avahi, false) -+gen_tunable(httpd_can_check_spam, false) ++gen_tunable(httpd_can_connect_mythtv, false) ## -##

-## Determine wether httpd can use support. -##

+##

-+## Allow http daemon to send mail ++## Allow http daemon to check spam +##

##
-gen_tunable(httpd_enable_cgi, false) -+gen_tunable(httpd_can_sendmail, false) ++gen_tunable(httpd_can_check_spam, false) ## -##

@@ -5179,11 +5172,11 @@ index 1a82e29..0b9c048 100644 -## FTP server by listening on the ftp port. -##

+##

-+## Allow Apache to communicate with avahi service via dbus ++## Allow http daemon to send mail +##

##
-gen_tunable(httpd_enable_ftp_server, false) -+gen_tunable(httpd_dbus_avahi, false) ++gen_tunable(httpd_can_sendmail, false) ## -##

@@ -5191,11 +5184,11 @@ index 1a82e29..0b9c048 100644 -## user home directories. -##

+##

-+## Allow httpd cgi support ++## Allow Apache to communicate with avahi service via dbus +##

##
-gen_tunable(httpd_enable_homedirs, false) -+gen_tunable(httpd_enable_cgi, false) ++gen_tunable(httpd_dbus_avahi, false) ## -##

@@ -5205,12 +5198,11 @@ index 1a82e29..0b9c048 100644 -## be labeled public_content_rw_t. -##

+##

-+## Allow httpd to act as a FTP server by -+## listening on the ftp port. ++## Allow Apache to communicate with sssd service via dbus +##

##
-gen_tunable(httpd_gpg_anon_write, false) -+gen_tunable(httpd_enable_ftp_server, false) ++gen_tunable(httpd_dbus_sssd, false) ## -##

@@ -5218,24 +5210,24 @@ index 1a82e29..0b9c048 100644 -## its temporary content. -##

+##

-+## Allow httpd to act as a FTP client -+## connecting to the ftp port and ephemeral ports ++## Allow httpd cgi support +##

##
-gen_tunable(httpd_tmp_exec, false) -+gen_tunable(httpd_can_connect_ftp, false) ++gen_tunable(httpd_enable_cgi, false) ## -##

-## Determine whether httpd scripts and -## modules can use execmem and execstack. -##

-+##

-+## Allow httpd to connect to the ldap port -+##

++##

++## Allow httpd to act as a FTP server by ++## listening on the ftp port. ++##

##
-gen_tunable(httpd_execmem, false) -+gen_tunable(httpd_can_connect_ldap, false) ++gen_tunable(httpd_enable_ftp_server, false) ## -##

@@ -5243,34 +5235,35 @@ index 1a82e29..0b9c048 100644 -## to port 80 for graceful shutdown. -##

+##

-+## Allow httpd to read home directories ++## Allow httpd to act as a FTP client ++## connecting to the ftp port and ephemeral ports +##

##
-gen_tunable(httpd_graceful_shutdown, false) -+gen_tunable(httpd_enable_homedirs, false) ++gen_tunable(httpd_can_connect_ftp, false) ## -##

-## Determine whether httpd can -## manage IPA content files. -##

-+##

-+## Allow httpd to read user content -+##

++##

++## Allow httpd to connect to the ldap port ++##

##
-gen_tunable(httpd_manage_ipa, false) -+gen_tunable(httpd_read_user_content, false) ++gen_tunable(httpd_can_connect_ldap, false) ## -##

-## Determine whether httpd can use mod_auth_ntlm_winbind. -##

+##

-+## Allow Apache to run in stickshift mode, not transition to passenger ++## Allow httpd to read home directories +##

##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false) -+gen_tunable(httpd_run_stickshift, false) ++gen_tunable(httpd_enable_homedirs, false) ## -##

@@ -5278,11 +5271,10 @@ index 1a82e29..0b9c048 100644 -## generic user home content files. -##

+##

-+## Allow Apache to query NS records ++## Allow httpd to read user content +##

##
--gen_tunable(httpd_read_user_content, false) -+gen_tunable(httpd_verify_dns, false) + gen_tunable(httpd_read_user_content, false) ## -##

@@ -5290,6 +5282,20 @@ index 1a82e29..0b9c048 100644 -## its resource limits. -##

+##

++## Allow Apache to run in stickshift mode, not transition to passenger ++##

++##
++gen_tunable(httpd_run_stickshift, false) ++ ++## ++##

++## Allow Apache to query NS records ++##

++##
++gen_tunable(httpd_verify_dns, false) ++ ++## ++##

+## Allow httpd daemon to change its resource limits +##

##
@@ -5482,7 +5488,7 @@ index 1a82e29..0b9c048 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -299,10 +377,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -5495,7 +5501,7 @@ index 1a82e29..0b9c048 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -311,9 +387,19 @@ role system_r types httpd_suexec_t; +@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5517,7 +5523,7 @@ index 1a82e29..0b9c048 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -323,12 +409,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -5537,7 +5543,7 @@ index 1a82e29..0b9c048 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -343,33 +436,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; 
@@ -5588,7 +5594,7 @@ index 1a82e29..0b9c048 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +478,36 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +484,36 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5630,7 +5636,7 @@ index 1a82e29..0b9c048 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,14 +515,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,14 +521,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5652,7 +5658,7 @@ index 1a82e29..0b9c048 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +560,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +566,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5726,10 +5732,10 @@ index 1a82e29..0b9c048 100644 +# execute perl +corecmd_exec_bin(httpd_t) +corecmd_exec_shell(httpd_t) -+ + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) - ++ +files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) 
@@ -5890,7 +5896,7 @@ index 1a82e29..0b9c048 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +736,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +742,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5950,7 +5956,7 @@ index 1a82e29..0b9c048 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +788,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +794,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6041,7 +6047,7 @@ index 1a82e29..0b9c048 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,66 +835,56 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +841,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6076,26 +6082,15 @@ index 1a82e29..0b9c048 100644 -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) -') -- --tunable_policy(`httpd_use_fusefs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_fusefs_dirs(httpd_t) -- fs_manage_fusefs_files(httpd_t) -- fs_read_fusefs_symlinks(httpd_t) --') -- --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_t) --') +optional_policy(` + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) --tunable_policy(`httpd_use_nfs',` +-tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_t) -- fs_manage_nfs_dirs(httpd_t) -- fs_manage_nfs_files(httpd_t) -- fs_manage_nfs_symlinks(httpd_t) +- fs_manage_fusefs_dirs(httpd_t) +- fs_manage_fusefs_files(httpd_t) +- fs_read_fusefs_symlinks(httpd_t) -') + tunable_policy(`httpd_serve_cobbler_files',` + cobbler_manage_lib_files(httpd_t) 
@@ -6104,22 +6099,27 @@ index 1a82e29..0b9c048 100644 + cobbler_search_lib(httpd_t) + ') --tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_t) +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') ') - optional_policy(` -- calamaris_read_www_files(httpd_t) +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_nfs_dirs(httpd_t) +- fs_manage_nfs_files(httpd_t) +- fs_manage_nfs_symlinks(httpd_t) ++optional_policy(` + tunable_policy(`httpd_use_sasl',` + sasl_connect(httpd_t) + ') ') - optional_policy(` -- ccs_read_config(httpd_t) +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_t) ++optional_policy(` + # Support for ABRT retrace server + # mod_wsgi + abrt_manage_spool_retrace(httpd_t) @@ -6128,26 +6128,33 @@ index 1a82e29..0b9c048 100644 ') optional_policy(` +@@ -744,24 +894,32 @@ optional_policy(` + ') + + optional_policy(` - clamav_domtrans_clamscan(httpd_t) -+ calamaris_read_www_files(httpd_t) ++ cron_system_entry(httpd_t, httpd_exec_t) ') optional_policy(` - cobbler_read_config(httpd_t) - cobbler_read_lib_files(httpd_t) -+ ccs_read_config(httpd_t) ++ cvs_read_data(httpd_t) ') optional_policy(` -@@ -765,6 +900,23 @@ optional_policy(` +- cron_system_entry(httpd_t, httpd_exec_t) ++ daemontools_service_domain(httpd_t, httpd_exec_t) ') optional_policy(` +- cvs_read_data(httpd_t) + #needed by FreeIPA + dirsrv_stream_connect(httpd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- daemontools_service_domain(httpd_t, httpd_exec_t) + dirsrv_manage_config(httpd_t) + dirsrv_manage_log(httpd_t) + dirsrv_manage_var_run(httpd_t) 
@@ -6157,13 +6164,21 @@ index 1a82e29..0b9c048 100644 + dirsrvadmin_manage_config(httpd_t) + dirsrvadmin_manage_tmp(httpd_t) + dirsrvadmin_domtrans_unconfined_script_t(httpd_t) -+') -+ -+ optional_policy(` - dbus_system_bus_client(httpd_t) + ') + optional_policy(` +@@ -770,6 +928,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +933,53 @@ optional_policy(` + avahi_dbus_chat(httpd_t) + ') ++ ++ tunable_policy(`httpd_dbus_sssd', ++ sssd_dbus_chat(httpd_t) ++ ') + ') + + optional_policy(` +@@ -781,34 +943,53 @@ optional_policy(` ') optional_policy(` @@ -6228,7 +6243,7 @@ index 1a82e29..0b9c048 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +987,18 @@ optional_policy(` +@@ -816,8 +997,18 @@ optional_policy(` ') optional_policy(` @@ -6247,7 +6262,7 @@ index 1a82e29..0b9c048 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +1007,7 @@ optional_policy(` +@@ -826,6 +1017,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6255,7 +6270,7 @@ index 1a82e29..0b9c048 100644 ') optional_policy(` -@@ -836,20 +1018,39 @@ optional_policy(` +@@ -836,20 +1028,39 @@ optional_policy(` ') optional_policy(` @@ -6301,7 +6316,7 @@ index 1a82e29..0b9c048 100644 ') optional_policy(` -@@ -857,19 +1058,35 @@ optional_policy(` +@@ -857,19 +1068,35 @@ optional_policy(` ') optional_policy(` @@ -6337,7 +6352,7 @@ index 1a82e29..0b9c048 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1094,173 @@ optional_policy(` +@@ -877,65 +1104,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6533,7 +6548,7 @@ index 1a82e29..0b9c048 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1269,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1279,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) 
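Review bot: In the new `@@ -770,6 +928,10 @@` hunk of apache.te the line `` tunable_policy(`httpd_dbus_sssd', `` is missing the opening quote of its second argument — compare `` tunable_policy(`httpd_dbus_avahi',` `` three lines above — so `sssd_dbus_chat(httpd_t)` is passed unquoted and the trailing `')` is unbalanced. Depending on how m4 handles the unmatched close-quote this either fails the module build or expands `sssd_dbus_chat(httpd_t)` before `tunable_policy` sees it, in which case httpd would get dbus access to sssd unconditionally instead of behind the new `httpd_dbus_sssd` boolean. Change the line to `` tunable_policy(`httpd_dbus_sssd',` ``. The enclosing `optional_policy` block begins before this hunk.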
@@ -6688,7 +6703,7 @@ index 1a82e29..0b9c048 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1353,106 @@ optional_policy(` +@@ -1077,172 +1363,106 @@ optional_policy(` ') ') @@ -6925,7 +6940,7 @@ index 1a82e29..0b9c048 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1460,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1470,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7022,7 +7037,7 @@ index 1a82e29..0b9c048 100644 ######################################## # -@@ -1315,8 +1535,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1545,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7039,7 +7054,7 @@ index 1a82e29..0b9c048 100644 ') ######################################## -@@ -1324,49 +1551,38 @@ optional_policy(` +@@ -1324,49 +1561,38 @@ optional_policy(` # User content local policy # @@ -7104,7 +7119,7 @@ index 1a82e29..0b9c048 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1592,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1602,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -9633,7 +9648,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..47619ff 100644 +index 7c92aa1..44edba7 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,20 @@ 
@@ -9835,22 +9850,24 @@ index 7c92aa1..47619ff 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +151,67 @@ init_read_utmp(boinc_t) +@@ -130,55 +151,69 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) -miscfiles_read_fonts(boinc_t) -miscfiles_read_localization(boinc_t) ++modutils_dontaudit_exec_insmod(boinc_t) + +-optional_policy(` +- mta_send_mail(boinc_t) +-') +xserver_stream_connect(boinc_t) optional_policy(` - mta_send_mail(boinc_t) +- sysnet_dns_name_resolve(boinc_t) ++ mta_send_mail(boinc_t) ') --optional_policy(` -- sysnet_dns_name_resolve(boinc_t) --') -- ######################################## # -# Project local policy @@ -36161,7 +36178,7 @@ index 4fe75fd..b029c28 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f9de9fc..11504e6 100644 +index f9de9fc..b573f79 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ @@ -36434,12 +36451,13 @@ index f9de9fc..11504e6 100644 ## -## Create, read, write, and delete -## kerberos key table files. --## --## --## --## Domain allowed access. --## --## ++## Create keytab file in /etc + ## + ## + ## + ## Domain allowed access. + ## + ## -# -interface(`kerberos_manage_keytab_files',` - gen_require(` @@ -36455,13 +36473,12 @@ index f9de9fc..11504e6 100644 -## Create specified objects in generic -## etc directories with the kerberos -## keytab file type. -+## Create keytab file in /etc - ## - ## - ## - ## Domain allowed access. - ## - ## +-## +-## +-## +-## Domain allowed access. +-## +-## -## -## -## Class of the object being created. 
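Review bot: `modutils_dontaudit_exec_insmod(boinc_t)` is added to boinc.te with no comment saying why the BOINC client attempts to execute insmod; a dontaudit that hides a module-load attempt by a domain that runs third-party project binaries is exactly the rule a later reviewer may either upgrade to an allow or drop as noise unless the cause is recorded. Add a one-line comment above it, e.g. `# insmod exec attempt seen from <trigger>; still denied, only the AVC noise is silenced -- TODO name the trigger`. The remainder of the hunk appears only to reorder the existing `mta_send_mail` optional block, with no net change to the resulting policy. The local policy section continues outside the hunk.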
@@ -36518,16 +36535,35 @@ index f9de9fc..11504e6 100644 kerberos_read_keytab($2) kerberos_use($2) -@@ -376,7 +277,7 @@ template(`kerberos_keytab_template',` +@@ -376,7 +277,26 @@ template(`kerberos_keytab_template',` ######################################## ## -## Read kerberos kdc configuration files. +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kerberos_keytab_domains',` ++ gen_require(` ++ attribute kerberos_keytab_domain; ++ ') ++ ++ typeattribute $1 kerberos_keytab_domain; ++') ++ ++######################################## ++## ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## -@@ -396,8 +297,7 @@ interface(`kerberos_read_kdc_config',` +@@ -396,8 +316,7 @@ interface(`kerberos_read_kdc_config',` ######################################## ## @@ -36537,7 +36573,7 @@ index f9de9fc..11504e6 100644 ## ## ## -@@ -411,34 +311,99 @@ interface(`kerberos_manage_host_rcache',` +@@ -411,34 +330,99 @@ interface(`kerberos_manage_host_rcache',` type krb5_host_rcache_t; ') @@ -36577,7 +36613,8 @@ index f9de9fc..11504e6 100644 ## -## +## -+## + ## +-## Class of the object being created. +## The role to be allowed to manage the kerberos domain. +## +## @@ -36639,13 +36676,12 @@ index f9de9fc..11504e6 100644 +## to the krb5_host_rcache type. +## +## - ## --## Class of the object being created. ++## +## Domain allowed access. ## ## ## -@@ -452,12 +417,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` +@@ -452,12 +436,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` type krb5_host_rcache_t; ') @@ -36661,7 +36697,7 @@ index f9de9fc..11504e6 100644 ## ## ## -@@ -465,82 +431,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` +@@ -465,82 +450,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` ## ## # @@ -54358,7 +54394,7 @@ index af3c91e..6882a3f 100644 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) 
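Review bot: The new `` interface(`kerberos_keytab_domains',` `` is inserted directly under the existing doc header `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, and that same summary is then re-added for `kerberos_read_kdc_config` below it, so the generated interface documentation describes keytab-domain membership as reading the KDC config. Replace the first summary with one that matches the body, e.g. `## Mark the domain with the kerberos_keytab_domain attribute; see kerberos.te for what the attribute grants.`. The rules attached to the attribute are not visible in this diff, so the summary should not promise more than the `typeattribute` line does.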
diff --git a/ntp.if b/ntp.if -index b59196f..1f30b63 100644 +index b59196f..24f45be 100644 --- a/ntp.if +++ b/ntp.if @@ -1,4 +1,4 @@ @@ -54553,7 +54589,7 @@ index b59196f..1f30b63 100644 + + files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") + files_etc_filetrans($1, ntp_conf_t, dir, "ntp") -+ files_var_lib_filetrans($1, ntp_drift_t, dir, "sntp-kod") ++ files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod") ') diff --git a/ntp.te b/ntp.te index b90e343..ae081d4 100644 @@ -72994,10 +73030,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..8cfee4a 100644 +index 769d1fd..52bad99 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,131 @@ +@@ -1,96 +1,132 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) @@ -73047,7 +73083,7 @@ index 769d1fd..8cfee4a 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin }; ++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; +allow neutron_t self:process { setsched setrlimit }; +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; @@ -73151,6 +73187,7 @@ index 769d1fd..8cfee4a 100644 - mysql_read_config(quantum_t) + dnsmasq_domtrans(neutron_t) + dnsmasq_signal(neutron_t) ++ dnsmasq_kill(neutron_t) + dnsmasq_read_state(neutron_t) +') @@ -84005,7 +84042,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..aa888c8 100644 +index 57c034b..8736764 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ 
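Review bot: `files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")` now creates `sntp-kod` as a regular file, but the ntp.fc entry visible in the preceding ntp.fc context, `/var/lib/sntp-kod(/.*)?`, is written as a directory-tree pattern with no `--` type field, so the two halves of the policy still disagree about what sntp-kod is. If it is a regular file the fc line would be better as `/var/lib/sntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)`; if both shapes occur in practice, keep both a `dir` and a `file` filetrans rule. The `ntp_filetrans_named_content` interface body starts before this hunk.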
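Review bot: `net_raw` is appended to the `neutron_t self:capability` set in quantum.te without a comment, and because the rule is on the single `neutron_t` domain it is granted to everything that runs in that domain, alongside the `net_admin` and `sys_admin` already in the set. Add a comment on the line naming the component that needs raw sockets, e.g. `# net_raw: raw/packet sockets needed by <agent> -- TODO name the agent`, so the grant can be narrowed if the domain is ever split. The `dnsmasq_kill(neutron_t)` added in the later `@@ -73151` hunk matches the changelog entry and needs no further change.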
@@ -85021,10 +85058,12 @@ index 57c034b..aa888c8 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +859,19 @@ optional_policy(` +@@ -833,17 +858,20 @@ optional_policy(` + # Winbind local policy # - allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; ++allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice }; +allow winbind_t self:capability2 block_suspend; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; diff --git a/selinux-policy.spec b/selinux-policy.spec index a9cc53a..ac56074 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 150%{?dist} +Release: 151%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,22 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 4 2014 Lukas Vrabec 3.12.1-151 +- Fix Multiple same specifications for /var/named/chroot/dev/zero +- Add labels for /var/named/chroot_sdb/dev devices +- Add support for strongimcv +- Use kerberos_keytab_domains in auth_use_nsswitch +- Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to +- Allow net_raw cap for neutron_t and send sigkill to dnsmasq +- Fix ntp_filetrans_named_content for sntp-kod file +- Add httpd_dbus_sssd boolean +- Dontaudit exec insmod in boinc policy +- Rename kerberos_keytab_domain to kerberos_keytab_domains +- Add kerberos_keytab_domain() +- Fix kerberos_keytab_template() +- Make all domains which use kerberos as kerberos_keytab_domain +- Allow kill capability to winbind_t + * Wed Apr 2 2014 Miroslav Grepl 3.12.1-150 - varnishd wants chown capability - update ntp_filetrans_named_content() interface
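Review bot: `kill` is added to `winbind_t self:capability` in samba.te without a comment; the capability only lifts the DAC uid check on signalling, so the targets remain bounded by winbind_t's `signal`/`sigkill` rules on other types, and a later reviewer will want to confirm that the matching type-level rule exists. The changelog only says "Allow kill capability to winbind_t", so record the case on the line, e.g. `# kill: winbindd signals <helper process> running under another uid -- TODO name the process`. The winbind local policy section continues outside this hunk.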