diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 8ea0f62..8e5e6d2 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -5659,7 +5659,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..5ef57e0 100644 +index 4edc40d..8a190ce 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5835,12 +5835,13 @@ index 4edc40d..5ef57e0 100644 network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) - network_port(jabber_interserver, tcp,5269,s0) +-network_port(jabber_interserver, tcp,5269,s0) -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0) -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) -network_port(kismet, tcp,2501,s0) ++network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0) +network_port(jabber_router, tcp,5347,s0) +network_port(jacorb, tcp,3528,s0, tcp,3529,s0) +network_port(jboss_debug, tcp,8787,s0, udp,8787,s0) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 288f66f..943387d 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -15668,10 +15668,10 @@ index eeea48d..691ca11 100644 + wdmd_rw_tmpfs(corosync_t) +') diff --git a/couchdb.fc b/couchdb.fc -index c086302..5380ab6 100644 +index c086302..5d94628 100644 --- a/couchdb.fc +++ b/couchdb.fc -@@ -1,8 +1,10 @@ +@@ -1,11 +1,15 @@ -/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0) - /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) 
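Review bot: Adding `tcp,5280` to jabber_interserver (the `++network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0)` line) folds ejabberd's HTTP listener — on a default ejabberd configuration the web admin console and BOSH/WebSocket endpoint — into the server-to-server port type, so any domain already allowed to connect to or bind jabber_interserver_port_t now reaches the HTTP admin interface as well, and policy can no longer tell the two listeners apart. If the aim is only to let ejabberd bind 5280 (the spec changelog says "Label tcp port 5280 as ejabberd port"), a dedicated type such as `network_port(jabber_http, tcp,5280,s0)` plus the matching bind rule in the jabber policy keeps them separately controllable. Converting the old context line into a removed/added pair leaves the inner corenetwork.te.in hunk counts unchanged, so no header fix-up is needed there.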
@@ -15685,6 +15685,11 @@ index c086302..5380ab6 100644 /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0) + /var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0) + + /var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0) ++ ++/usr/lib/erlang/lib/couch-.*/priv/couchjs -- gen_context(system_u:object_r:couchdb_js_exec_t,s0) diff --git a/couchdb.if b/couchdb.if index 83d6744..3f0c0dc 100644 --- a/couchdb.if @@ -15922,20 +15927,24 @@ index 83d6744..3f0c0dc 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index 503adab..fcb0a4b 100644 +index 503adab..1253764 100644 --- a/couchdb.te +++ b/couchdb.te -@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t) +@@ -27,6 +27,13 @@ files_type(couchdb_var_lib_t) type couchdb_var_run_t; files_pid_file(couchdb_var_run_t) +type couchdb_unit_file_t; +systemd_unit_file(couchdb_unit_file_t) + ++type couchdb_js_t; ++type couchdb_js_exec_t; ++init_daemon_domain(couchdb_js_t, couchdb_js_exec_t) ++ ######################################## # # Local policy -@@ -35,10 +38,10 @@ files_pid_file(couchdb_var_run_t) +@@ -35,10 +42,10 @@ files_pid_file(couchdb_var_run_t) allow couchdb_t self:process { setsched signal signull sigkill }; allow couchdb_t self:fifo_file rw_fifo_file_perms; allow couchdb_t self:unix_stream_socket create_stream_socket_perms; @@ -15948,7 +15957,7 @@ index 503adab..fcb0a4b 100644 manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -@@ -56,11 +59,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) +@@ -56,11 +63,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) 
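Review bot: `init_daemon_domain(couchdb_js_t, couchdb_js_exec_t)` declares couchjs as an init-launched daemon, but the only entry into the domain this series adds is the transition from couchdb_t (`domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)` in the later couchdb.te hunk); init never executes couchjs. If this tree's init_daemon_domain still attaches the `daemon` attribute, as the Fedora interface does, the JavaScript evaluator inherits every rule written against that attribute (the previous changelog entry "Allow all systemd domains to search file systems" is one such blanket grant), which works against the reason for splitting it out of couchdb_t. `application_domain(couchdb_js_t, couchdb_js_exec_t)` followed by `role system_r types couchdb_js_t;` gives the domain and its entrypoint without that baggage. The rest of couchdb.te's local policy continues past the end of this hunk.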
@@ -15962,23 +15971,41 @@ index 503adab..fcb0a4b 100644 corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) -@@ -75,14 +79,15 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) +@@ -75,14 +83,32 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) ++# disksup tries to monitor the local disks +fs_getattr_all_files(couchdb_t) +fs_getattr_all_dirs(couchdb_t) +fs_getattr_all_fs(couchdb_t) ++files_getattr_all_mountpoints(couchdb_t) ++files_search_all_mountpoints(couchdb_t) ++files_getattr_lost_found_dirs(couchdb_t) ++files_dontaudit_list_var(couchdb_t) + dev_list_sysfs(couchdb_t) dev_read_sysfs(couchdb_t) dev_read_urand(couchdb_t) -files_read_usr_files(couchdb_t) -- - fs_getattr_xattr_fs(couchdb_t) ++auth_use_nsswitch(couchdb_t) + +-fs_getattr_xattr_fs(couchdb_t) ++domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t) - auth_use_nsswitch(couchdb_t) +-auth_use_nsswitch(couchdb_t) ++######################################## ++# ++# couchdb_js policy ++# ++ ++# this is a complete policy. It processes the javascript ++# ouside the main process, passing data via FIFO. ++allow couchdb_js_t self:process { execmem getsched setsched }; ++ ++files_read_usr_files(couchdb_js_t) ++miscfiles_read_localization(couchdb_js_t) -miscfiles_read_localization(couchdb_t) diff --git a/courier.fc b/courier.fc @@ -100257,7 +100284,7 @@ index cb9b5bb..3aa7952 100644 + modutils_read_module_deps(usbmodules_t) +') diff --git a/usbmuxd.fc b/usbmuxd.fc -index 220f6ad..8e3bbd2 100644 +index 220f6ad..ccbb5da 100644 --- a/usbmuxd.fc +++ b/usbmuxd.fc @@ -1,3 +1,6 @@ 
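Review bot: `allow couchdb_js_t self:process { execmem getsched setsched };` is the reason for moving couchjs out of couchdb_t, but nothing in the hunk lets couchdb_t act on the child it now transitions to: couchdb_t's process rules are `self` only and refpolicy's domtrans_pattern adds only sigchld in the child-to-parent direction, so if the packaged CouchDB signals a couchjs that overruns os_process_timeout rather than just closing the Erlang port (TODO confirm in couch_os_process for this version), that signal is denied and the stuck view server lingers. In that case `allow couchdb_t couchdb_js_t:process { signal sigkill };` beside the `domtrans_pattern(couchdb_t, couchdb_js_exec_t, couchdb_js_t)` line covers it. The new header comment also has a typo ("ouside") and "this is a complete policy" does not say what is meant; I would write `# couchdb_js_t runs couchjs, CouchDB's JavaScript view server, outside the main process; it needs execmem (presumably for the JS engine's JIT) and talks to couchdb_t only over the pipes inherited across the transition.` Whether further couchdb_t rules for the child exist later in couchdb.te is not visible in this hunk.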
@@ -100267,7 +100294,7 @@ index 220f6ad..8e3bbd2 100644
 +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
 +/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
 +
-+/var/lib/lockdown -- gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
++/var/lib/lockdown(/.*)? gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)
 diff --git a/usbmuxd.if b/usbmuxd.if
 index 1ec5e99..88e287d 100644
 --- a/usbmuxd.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dc6fb95..e863167 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 195%{?dist}
+Release: 196%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -582,6 +582,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Dec 02 2014 Lukas Vrabec 3.12.1-196
+- Dontaudit couchdb to list /var
+- Couchdb policy fixes
+- I guess there can be content under /var/lib/lockdown #1167502
+- Label tcp port 5280 as ejabberd port. BZ(1059930)
+
 * Fri Nov 21 2014 Lukas Vrabec 3.12.1-195
 - Allow all systemd domains to search file systems
 - Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
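Review bot: Widening `/var/lib/lockdown --` to `/var/lib/lockdown(/.*)?` labels the pairing records stored under that directory as usbmuxd_var_lib_t; on libimobiledevice hosts those records carry the host's pairing certificate and private key, so every domain that usbmuxd.if grants read access to usbmuxd_var_lib_t now sees that key material as well (usbmuxd.if is outside this hunk, so I could not check who that is). Since /var/lib/lockdown is now a directory rather than a file, the create rule in usbmuxd.te should transition directories too, e.g. `files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file })`; if it is still file-only, a freshly created /var/lib/lockdown comes up as var_lib_t until restorecon runs. usbmuxd.te is not part of this diff, so both points are to be confirmed there.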