diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 2f5cbbb..756c54a 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -5428,7 +5428,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..0402154 100644
+index 4edc40d..c38f0a6 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5530,9 +5530,10 @@ index 4edc40d..0402154 100644
network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(comsat, udp,512,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
- network_port(couchdb, tcp,5984,s0, udp,5984,s0)
+-network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
++network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0)
+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
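Review bot: The rewritten couchdb entry on the `++` line declares `udp,6984,s0` next to `tcp,6984,s0`; if 6984 is CouchDB's TLS listener, which would be TCP-only, the UDP half labels a port nothing binds and silently widens every existing `corenet_*_couchdb_port` grant to UDP 6984, so `tcp,6984,s0` alone is the tighter definition (the pre-existing `udp,5984` entry follows the same broad pattern, so this is as much a consistency choice as a least-privilege one — confirm against the service's actual listeners). It is also worth checking that 6984 is not already assigned to another type elsewhere in corenetwork.te.in, which is outside this hunk, since overlapping `portcon` definitions may be rejected when the policy is built or loaded.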
@@ -14145,7 +14146,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..d47750f 100644
+index 649e458..bb7d1a2 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -14223,7 +14224,33 @@ index 649e458..d47750f 100644
')
########################################
-@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to check the
++## access on generic proc entries.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kernel_dontaudit_access_check_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ dontaudit $1 proc_t:dir_file_class_set audit_access;
++')
++
++########################################
++##
+ ## Do not audit attempts by caller to
+ ## read system state information in proc.
+ ##
+@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
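Review bot: The summary of the new `kernel_dontaudit_access_check_proc` interface, "Do not audit attempts to check the access on generic proc entries", does not tell a reader which permission is silenced; the rule is `dontaudit $1 proc_t:dir_file_class_set audit_access;`, i.e. it hides denials produced by access(2)/faccessat(2)-style permission probes, not denials of real reads or opens. Suggested wording: `## Do not audit access(2)/faccessat(2) permission probes (audit_access) on generic proc entries; real read attempts are still audited.` That last clause matters because the dontaudit spans every class in dir_file_class_set, and a caller should not reach for this interface as a substitute for kernel_dontaudit_read_system_state. The surrounding kernel.if context continues outside this hunk.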
@@ -14248,7 +14275,7 @@ index 649e458..d47750f 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -14257,7 +14284,7 @@ index 649e458..d47750f 100644
')
########################################
-@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -14283,7 +14310,7 @@ index 649e458..d47750f 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -14292,7 +14319,7 @@ index 649e458..d47750f 100644
##
##
#
-@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -14317,7 +14344,7 @@ index 649e458..d47750f 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -14342,7 +14369,7 @@ index 649e458..d47750f 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2757,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -14351,7 +14378,7 @@ index 649e458..d47750f 100644
')
########################################
-@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2795,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -14376,7 +14403,7 @@ index 649e458..d47750f 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2840,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -14402,7 +14429,7 @@ index 649e458..d47750f 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2968,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -14436,7 +14463,7 @@ index 649e458..d47750f 100644
########################################
##
-@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3150,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -14461,7 +14488,7 @@ index 649e458..d47750f 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3182,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -21254,7 +21281,7 @@ index d1f64a0..9a5dab5 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..307cefc 100644
+index 6bf0ecc..97e9162 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@@ -21982,10 +22009,30 @@ index 6bf0ecc..307cefc 100644
')
########################################
-@@ -1004,6 +1229,64 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1229,84 @@ interface(`xserver_read_xkb_libs',`
########################################
##
++## Manage X keyboard extension libraries.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_manage_xkb_libs',`
++ gen_require(`
++ type xkb_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 xkb_var_lib_t:dir list_dir_perms;
++ manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
++')
++
++########################################
++##
+## dontaudit access checks X keyboard extension libraries.
+##
+##
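Review bot: In the new `xserver_manage_xkb_libs` interface the line `allow $1 xkb_var_lib_t:dir list_dir_perms;` is redundant, because `manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)` on the following line already grants rw_dir_perms on xkb_var_lib_t directories, a superset of list_dir_perms; drop the line, or keep only the pattern call. Separately, manage access lets the caller create, rewrite and unlink the compiled keymaps that the X server loads, so the interface should be handed only to domains that genuinely run xkbcomp; a one-line warning in the summary, e.g. `## Callers gain write access to keymaps consumed by the X server; grant sparingly.`, would make that cost visible to the next person who reaches for it.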
@@ -22047,7 +22094,7 @@ index 6bf0ecc..307cefc 100644
## Read xdm temporary files.
##
##
-@@ -1017,7 +1300,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1320,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -22056,7 +22103,7 @@ index 6bf0ecc..307cefc 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,6 +1362,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1382,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -22099,7 +22146,7 @@ index 6bf0ecc..307cefc 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1093,7 +1412,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1432,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -22108,7 +22155,7 @@ index 6bf0ecc..307cefc 100644
')
########################################
-@@ -1111,8 +1430,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1450,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -22120,7 +22167,7 @@ index 6bf0ecc..307cefc 100644
')
########################################
-@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1551,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
########################################
##
@@ -22146,7 +22193,7 @@ index 6bf0ecc..307cefc 100644
## Connect to the X server over a unix domain
## stream socket.
##
-@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1586,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -22173,7 +22220,7 @@ index 6bf0ecc..307cefc 100644
')
########################################
-@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1631,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -22182,7 +22229,7 @@ index 6bf0ecc..307cefc 100644
##
##
##
-@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1641,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -22207,7 +22254,7 @@ index 6bf0ecc..307cefc 100644
')
########################################
-@@ -1284,10 +1654,623 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1674,623 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -32369,7 +32416,7 @@ index 9933677..ca14c17 100644
+
+/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..6375786 100644
+index 7449974..4f4ac3a 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@@ -32426,7 +32473,32 @@ index 7449974..6375786 100644
## Read the configuration options used when
## loading modules.
##
-@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',`
+
+ ########################################
+ ##
++## Allow send signal to insmod.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`modutils_signal_insmod',`
++ gen_require(`
++ type insmod_t;
++ ')
++
++ allow $1 insmod_t:process signal;
++')
++
++########################################
++##
+ ## Execute insmod in the insmod domain, and
+ ## allow the specified role the insmod domain,
+ ## and use the caller's terminal. Has a sigchld
+@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',`
#
interface(`modutils_run_update_mods',`
gen_require(`
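Review bot: The parameter description on the new `modutils_signal_insmod` interface reads `## Domain allowed to transition.`, but the interface grants only `allow $1 insmod_t:process signal;` and no domain transition, so the text was copied from the domtrans interface above it; change it to `## Domain allowed access.` and the summary to `## Send a signal to insmod.` (the original "Allow send signal to insmod." is ungrammatical). The permission set being just `signal` rather than signal_perms is the right minimal choice for a caller that only needs to terminate a module loader it spawned, and is worth preserving as the interface gets reused.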
@@ -32447,7 +32519,7 @@ index 7449974..6375786 100644
')
########################################
-@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',`
corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index e7d435f..e9bfd72 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -9669,6 +9669,212 @@ index 41f8251..57f094e 100644
optional_policy(`
mta_send_mail(httpd_bugzilla_script_t)
')
+diff --git a/bumblebee.fc b/bumblebee.fc
+new file mode 100644
+index 0000000..b5ee23b
+--- /dev/null
++++ b/bumblebee.fc
+@@ -0,0 +1,7 @@
++/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
++
++/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
++
++/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
+diff --git a/bumblebee.if b/bumblebee.if
+new file mode 100644
+index 0000000..de66654
+--- /dev/null
++++ b/bumblebee.if
+@@ -0,0 +1,121 @@
++## policy for bumblebee
++
++########################################
++##
++## Execute bumblebee in the bumblebee domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bumblebee_domtrans',`
++ gen_require(`
++ type bumblebee_t, bumblebee_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
++')
++
++########################################
++##
++## Read bumblebee PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bumblebee_read_pid_files',`
++ gen_require(`
++ type bumblebee_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
++')
++
++########################################
++##
++## Execute bumblebee server in the bumblebee domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`bumblebee_systemctl',`
++ gen_require(`
++ type bumblebee_t;
++ type bumblebee_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 bumblebee_unit_file_t:file read_file_perms;
++ allow $1 bumblebee_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bumblebee_t)
++')
++
++########################################
++##
++## Connect to bumblebee over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bumblebee_stream_connect',`
++ gen_require(`
++ type bumblebee_t, bumblebee_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an bumblebee environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`bumblebee_admin',`
++ gen_require(`
++ type bumblebee_t;
++ type bumblebee_var_run_t;
++ type bumblebee_unit_file_t;
++ ')
++
++ allow $1 bumblebee_t:process { signal_perms };
++ ps_process_pattern($1, bumblebee_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bumblebee_t:process ptrace;
++ ')
++
++ files_search_pids($1)
++ admin_pattern($1, bumblebee_var_run_t)
++
++ bumblebee_systemctl($1)
++ admin_pattern($1, bumblebee_unit_file_t)
++ allow $1 bumblebee_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/bumblebee.te b/bumblebee.te
+new file mode 100644
+index 0000000..1076e6a
+--- /dev/null
++++ b/bumblebee.te
+@@ -0,0 +1,60 @@
++policy_module(bumblebee, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type bumblebee_t;
++type bumblebee_exec_t;
++init_daemon_domain(bumblebee_t, bumblebee_exec_t)
++
++type bumblebee_var_run_t;
++files_pid_file(bumblebee_var_run_t)
++
++type bumblebee_unit_file_t;
++systemd_unit_file(bumblebee_unit_file_t)
++
++########################################
++#
++# bumblebee local policy
++#
++
++allow bumblebee_t self:capability { setgid };
++allow bumblebee_t self:process { fork signal_perms };
++allow bumblebee_t self:fifo_file rw_fifo_file_perms;
++allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
++files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
++
++kernel_read_system_state(bumblebee_t)
++kernel_dontaudit_access_check_proc(bumblebee_t)
++kernel_manage_debugfs(bumblebee_t)
++
++corecmd_exec_shell(bumblebee_t)
++corecmd_exec_bin(bumblebee_t)
++
++dev_read_sysfs(bumblebee_t)
++
++auth_read_passwd(bumblebee_t)
++
++logging_send_syslog_msg(bumblebee_t)
++
++modutils_domtrans_insmod(bumblebee_t)
++modutils_signal_insmod(bumblebee_t)
++
++sysnet_dns_name_resolve(bumblebee_t)
++
++xserver_domtrans(bumblebee_t)
++xserver_signal(bumblebee_t)
++xserver_stream_connect(bumblebee_t)
++xserver_manage_xkb_libs(bumblebee_t)
++corenet_tcp_connect_xserver_port(bumblebee_t)
++
++optional_policy(`
++ apm_stream_connect(bumblebee_t)
++')
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
--- a/cachefilesd.fc
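Review bot: `kernel_manage_debugfs(bumblebee_t)` in bumblebee.te grants create, write and unlink over everything mounted under debugfs (tracing, driver and hardware knobs), which is far more than a GPU-switching daemon should need; presumably the daemon only writes the vgaswitcheroo control file, so a read/write-only interface on debugfs_t, if this tree provides one, would be the least-privilege choice — confirm against the daemon's real accesses (audit2allow output) before keeping manage. The cost of over-granting here is high because the same file already gives bumblebee_t `corecmd_exec_shell`, `modutils_domtrans_insmod` and `xserver_domtrans`, so every extra permission lands on a root daemon that loads kernel modules and starts X servers. In bumblebee.if, the `bumblebee_systemctl` summary `## Execute bumblebee server in the bumblebee domain.` and its parameter text `## Domain allowed to transition.` are copied from bumblebee_domtrans; the interface actually grants systemctl control of the unit, so `## Start, stop and query the bumblebee service via systemctl.` with `## Domain allowed access.` describes it correctly.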
@@ -10820,10 +11026,10 @@ index 0000000..5977d96
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..25f2d55
+index 0000000..307b083
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,238 @@
+@@ -0,0 +1,242 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -11003,6 +11209,10 @@ index 0000000..25f2d55
+ sandbox_use_ptys(chrome_sandbox_t)
+')
+
++optional_policy(`
++ bumblebee_stream_connect(chrome_sandbox_t)
++')
++
+
+########################################
+#
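Review bot: `bumblebee_stream_connect(chrome_sandbox_t)` gives the sandboxed Chrome domain a connection to the control socket of a root daemon that, per the bumblebee.te added elsewhere in this patch, can exec insmod and spawn an X server; whether that is acceptable depends on what an unprivileged client may request over that socket, which this patch does not show. If the channel is only needed when the browser is launched through optirun on the discrete GPU, consider gating the grant behind a boolean rather than granting it unconditionally to every chrome_sandbox_t instance, and in any case add a why-comment above the block, e.g. `# optirun clients talk to bumblebeed over its control socket`, so the reason for a sandbox-to-daemon connection survives the next audit of this file. The enclosing chrome.te continues outside this hunk.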
@@ -24750,7 +24960,7 @@ index d062080..97fb494 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..6edd471 100644
+index e50f33c..38584c5 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -24854,11 +25064,9 @@ index e50f33c..6edd471 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
-
+@@ -255,31 +269,47 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
-+userdom_filetrans_home_content(ftpd_t)
-tunable_policy(`allow_ftpd_anon_write',`
+tunable_policy(`ftpd_anon_write',`
@@ -24911,7 +25119,7 @@ index e50f33c..6edd471 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,22 +329,20 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -24925,10 +25133,12 @@ index e50f33c..6edd471 100644
tunable_policy(`ftp_home_dir',`
allow ftpd_t self:capability { dac_override dac_read_search };
-
+-
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
++
++ files_list_home(ftpd_t)
+ userdom_manage_all_user_home_type_dirs(ftpd_t)
+ userdom_manage_all_user_home_type_files(ftpd_t)
userdom_manage_user_tmp_dirs(ftpd_t)
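Review bot: After this change ftpd_t appears to have no home-content file transition left under `ftp_home_dir`: the inner hunk drops `userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })`, and an earlier hunk in this patch also removes the unconditional `userdom_filetrans_home_content(ftpd_t)`, so unless a transition is supplied in the part of ftp.te outside this hunk, files an FTP user uploads straight into their home directory will inherit the parent's label (user_home_dir_t) rather than becoming user_home_t, which other policy that treats user_home_dir_t as a directory type may handle badly. If that is not intended, re-add a filetrans inside the tunable block next to `files_list_home(ftpd_t)`; if it is intended, a comment such as `# no home filetrans: uploads keep the parent directory label` would stop the next reader from re-adding it. The tunable_policy block this sits in ends outside the hunk.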
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9ca4b71..2b0c97f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.21%{?dist}
+Release: 74.22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -542,7 +542,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Mon Mar 18 2014 Lukas Vrabec 3.12.1-74.21
+* Thu Mar 20 2014 Lukas Vrabec 3.12.1-74.22
+- Allow couchdb to listen on port 6984
+- Added kernel_dontaudit_access_check_proc interface
+- Added modutils_signal_insmod interface
+- Add xserver_manage_xkb_libs interface
+- Fixed ftp_home_dir boolean
+- Added policy for bumblebee
+
+* Mon Mar 17 2014 Lukas Vrabec 3.12.1-74.21
- Added sysnet_domtrans_ifconfig in neutron policy
* Mon Mar 17 2014 Lukas Vrabec 3.12.1-74.20
@@ -665,7 +673,7 @@ SELinux Reference policy mls base module.
- Allow to su_domain to read init states
- Update labeling for /dev/cdc-wdm
-* Thu Oct 08 2013 Lukas Vrabec 3.12.1-74.9
+* Tue Oct 08 2013 Lukas Vrabec 3.12.1-74.9
- Allow systemd domains to read /dev/urand
- Remove duplicated interfaces
- Fix port definition for ctdb ports