diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 3cd488e..7734ed6 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -7359,7 +7359,7 @@ index f3c0aba..cbe3d4a 100644 + files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index b236327..a370cb8 100644 +index b236327..5206035 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) @@ -7406,11 +7406,13 @@ index b236327..a370cb8 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +82,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +82,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) -files_read_etc_files(apcupsd_t) ++domain_signull_all_domains(apcupsd_t) ++ files_manage_etc_runtime_files(apcupsd_t) files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") @@ -7434,7 +7436,7 @@ index b236327..a370cb8 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -101,6 +113,11 @@ optional_policy(` +@@ -101,6 +115,11 @@ optional_policy(` shutdown_domtrans(apcupsd_t) ') @@ -7446,7 +7448,7 @@ index b236327..a370cb8 100644 ######################################## # # CGI local policy -@@ -112,7 +129,6 @@ optional_policy(` +@@ -112,7 +131,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -28168,10 +28170,10 @@ index 0000000..04e159f +') diff --git a/gear.te b/gear.te new file mode 100644 -index 0000000..7f1639a +index 0000000..db1c340 --- /dev/null +++ b/gear.te -@@ -0,0 +1,105 @@ +@@ -0,0 +1,110 @@ +policy_module(gear, 1.0.0) + +######################################## 
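Review bot: `domain_signull_all_domains(apcupsd_t)` in the `@@ -74,19 +82,25 @@` hunk of apcupsd.te lets the daemon probe the existence of every process on the system, which is broader than a liveness check on one known daemon needs. If the denial behind it came from a single target domain (the same file already calls shutdown_domtrans, so the shutdown side is a candidate), a target-specific signull interface would keep the policy tighter; if the target genuinely varies, a comment above the call such as `# signull to all domains: <bug id / AVC summary>` would let a later reviewer re-evaluate it instead of guessing. The apcupsd_t policy block continues outside this hunk.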
@@ -28243,6 +28245,11 @@ index 0000000..7f1639a +corenet_tcp_sendrecv_generic_port(gear_t) +corenet_tcp_bind_gear_port(gear_t) + ++dev_mounton_sysfs(gear_t) ++dev_mount_sysfs_fs(gear_t) ++dev_unmount_sysfs_fs(gear_t) ++ ++files_mounton_rootfs(gear_t) +files_read_etc_files(gear_t) + +fs_read_cgroup_files(gear_t) @@ -38145,7 +38152,7 @@ index d3e7fc9..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 3494d9b..c21beab 100644 +index 3494d9b..e1fd252 100644 --- a/keystone.te +++ b/keystone.te @@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) @@ -38163,13 +38170,12 @@ index 3494d9b..c21beab 100644 allow keystone_t self:fifo_file rw_fifo_file_perms; allow keystone_t self:unix_stream_socket { accept listen }; -@@ -57,20 +61,30 @@ corenet_all_recvfrom_netlabel(keystone_t) +@@ -57,20 +61,33 @@ corenet_all_recvfrom_netlabel(keystone_t) corenet_tcp_sendrecv_generic_if(keystone_t) corenet_tcp_sendrecv_generic_node(keystone_t) corenet_tcp_bind_generic_node(keystone_t) +corenet_tcp_connect_mysqld_port(keystone_t) -+ -+corenet_tcp_connect_mysqld_port(keystone_t) ++corenet_tcp_connect_ldap_port(keystone_t) corenet_sendrecv_commplex_main_server_packets(keystone_t) corenet_tcp_bind_commplex_main_port(keystone_t) @@ -38183,11 +38189,14 @@ index 3494d9b..c21beab 100644 libs_exec_ldconfig(keystone_t) -miscfiles_read_localization(keystone_t) -- ++optional_policy(` ++ ldap_stream_connect(keystone_t) ++') + optional_policy(` mysql_stream_connect(keystone_t) mysql_tcp_connect(keystone_t) -+ mysql_read_db_lnk_files(keystone_t) ++ mysql_read_db_lnk_files(keystone_t) +') + +optional_policy(` @@ -73737,10 +73746,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..495cac4 100644 +index 769d1fd..375e2e3 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,137 @@ +@@ -1,96 +1,139 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) 
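Review bot: The added `dev_mounton_sysfs`, `dev_mount_sysfs_fs`, `dev_unmount_sysfs_fs` and `files_mounton_rootfs` lines give gear_t mount/unmount rights on sysfs and mount-on rights on the root directory, and the changelog entry in this same commit says the author does not know why the exec'd `ip` binary needs them. That pattern is consistent with `ip netns exec`, which sets up a private mount namespace and remounts sysfs and bind-mounts over paths under /, but this should be confirmed from the AVC before the rules are kept. If confirmed, running ip under a domain transition rather than in gear_t itself (`sysnet_domtrans_ifconfig(gear_t)`, replacing whatever exec rule gear.te grants for it outside this hunk) would keep mount rights out of gear_t; failing that, record the reason above the block, `# ip netns exec remounts sysfs and bind-mounts over / in a private mount namespace`. The gear_t policy block continues outside this hunk.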
@@ -73790,14 +73799,16 @@ index 769d1fd..495cac4 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; ++allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit signal_perms }; ++ +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; +allow neutron_t self:unix_stream_socket { accept listen }; +allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; ++allow neutron_t self:rawip_socket create_socket_perms; + +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) 
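Review bot: `net_bind_service}` on the rewritten self:capability line is missing the space before the closing brace that every other brace list in the hunk has; write `... net_raw net_bind_service };`. Beyond style, that line now grants neutron_t dac_override, sys_ptrace, kill, sys_admin, net_admin, net_raw and net_bind_service together, and the new `allow neutron_t self:rawip_socket create_socket_perms;` adds raw IP sockets on top of net_raw, so the domain is close to unconfined with respect to the network stack. Each right is plausibly needed by some neutron agent, but a short comment above the line naming which agent needs which capability would make the next audit of this list far cheaper. The neutron_t block continues outside this hunk.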
@@ -73889,42 +73900,42 @@ index 769d1fd..495cac4 100644 +sysnet_exec_ifconfig(neutron_t) +sysnet_manage_ifconfig_run(neutron_t) +sysnet_filetrans_named_content_ifconfig(neutron_t) -+ -+optional_policy(` -+ brctl_domtrans(neutron_t) -+') optional_policy(` - brctl_domtrans(quantum_t) -+ dnsmasq_domtrans(neutron_t) -+ dnsmasq_signal(neutron_t) -+ dnsmasq_kill(neutron_t) -+ dnsmasq_read_state(neutron_t) ++ brctl_domtrans(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ iptables_domtrans(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_kill(neutron_t) ++ dnsmasq_read_state(neutron_t) +') - mysql_tcp_connect(quantum_t) +optional_policy(` -+ mysql_stream_connect(neutron_t) -+ mysql_read_db_lnk_files(neutron_t) -+ mysql_read_config(neutron_t) -+ mysql_tcp_connect(neutron_t) ++ iptables_domtrans(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_db_lnk_files(neutron_t) ++ mysql_read_config(neutron_t) ++ mysql_tcp_connect(neutron_t) ++') + +- postgresql_tcp_connect(quantum_t) ++optional_policy(` + postgresql_stream_connect(neutron_t) + postgresql_unpriv_client(neutron_t) + postgresql_tcp_connect(neutron_t) +') - -- postgresql_tcp_connect(quantum_t) ++ +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) @@ -86082,10 +86093,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..89bc443 +index 0000000..a2cb772 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,57 @@ +@@ -0,0 +1,85 @@ + +## policy for sandbox + 
@@ -86110,14 +86121,42 @@ index 0000000..89bc443 + attribute sandbox_domain; + ') + -+ allow $1 sandbox_domain:process transition; -+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; -+ role $2 types sandbox_domain; -+ allow sandbox_domain $1:process { sigchld signull }; -+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit sandbox_domain $1:process signal; -+ dontaudit sandbox_domain $1:key { link read search view }; -+ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; ++ sandbox_dyntransition($1) #885288 ++ allow $1 sandbox_domain:process transition; ++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; ++ ++ role $2 types sandbox_domain; ++ ++ allow sandbox_domain $1:process { sigchld signull }; ++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; ++ ++ dontaudit sandbox_domain $1:process signal; ++ dontaudit sandbox_domain $1:key { link read search view }; ++ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; ++') ++ ++######################################## ++## ++## Execute sandbox in the sandbox domain, and ++## allow the specified role the sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++# ++interface(`sandbox_dyntransition',` ++ gen_require(` ++ attribute sandbox_domain; ++ ') ++ ++ allow $1 sandbox_domain:process dyntransition; +') + +######################################## diff --git a/selinux-policy.spec b/selinux-policy.spec index a7b9e03..5e6222d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 160%{?dist} +Release: 161%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
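Review bot: The documentation block on the new `sandbox_dyntransition` interface is a copy of the one on `sandbox_transition`: it says "Execute sandbox in the sandbox domain, and allow the specified role the sandbox domain" and documents a second role parameter, while the body is only `allow $1 sandbox_domain:process dyntransition;` and takes one argument. Replace the summary with something like "Allow the specified domain to dynamically transition (setcon, no exec) into sandbox domains." and drop the second parameter entry. The trailing `#885288` on the `sandbox_dyntransition($1)` call is better placed as a comment on its own line above the call, and because the call is inside `sandbox_transition`, every caller of the exec-based transition now also gets the dyntransition; if only one caller needs it, invoking `sandbox_dyntransition` from that caller's .te file keeps the two mechanisms separable. `sandbox_transition` begins outside this hunk.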
@@ -579,6 +579,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed May 07 2014 Lukas Vrabec 3.12.1-161 +- Allow keystone to connect to ldap servers +- Add additional caps for neutron_t +- apcuspd_t can send signull to any domain +- Update sandbox_transition() to call sandbox_dyntrasition(). #885288. +- gear_t execs ip which for some reason is mounting content on sysfs and / + * Mon May 05 2014 Lukas Vrabec 3.12.1-160 - Dontaudit leaked xserver_misc_device_t into plugins - Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy