diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index ce89934..d9ee08e 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -29900,7 +29900,7 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..50a981b 100644
+index 24e7804..2863546 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -30287,7 +30287,7 @@ index 24e7804..50a981b 100644
')
########################################
-@@ -743,22 +923,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +923,24 @@ interface(`init_write_initctl',`
interface(`init_telinit',`
gen_require(`
type initctl_t;
@@ -30312,6 +30312,7 @@ index 24e7804..50a981b 100644
- ')
+ ps_process_pattern($1, init_t)
+ allow $1 init_t:process signal;
++ dontaudit $1 self:capability net_admin;
+ # upstart uses a datagram socket instead of initctl pipe
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
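Review bot: The added `dontaudit $1 self:capability net_admin;` in `init_telinit` has no comment saying why callers hit a net_admin check, although the upstart socket rule right below it is explained, and it applies to every domain that calls the interface. The same unexplained suppression is added as `dontaudit systemd_domain self:capability net_admin;` in systemd.te and as `files_dontaudit_search_all_mountpoints(openshift_cron_t)` in openshift.te. A dontaudit rule leaves the access denied but drops the AVC record, so these attempts are invisible in later triage unless dontaudit rules are temporarily disabled (`semodule -DB`). I would put a one-line reason above each, for example `# REASON (placeholder): why the check fires; denied and deliberately not logged`. The body of `init_telinit` starts and ends outside this hunk.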
@@ -30320,7 +30321,7 @@ index 24e7804..50a981b 100644
')
########################################
-@@ -787,7 +968,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +969,7 @@ interface(`init_rw_initctl',`
##
##
##
@@ -30329,7 +30330,7 @@ index 24e7804..50a981b 100644
##
##
#
-@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1012,12 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -30344,7 +30345,7 @@ index 24e7804..50a981b 100644
ifdef(`distro_gentoo',`
gen_require(`
-@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1028,11 @@ interface(`init_spec_domtrans_script',`
')
ifdef(`enable_mcs',`
@@ -30358,7 +30359,7 @@ index 24e7804..50a981b 100644
')
')
-@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1048,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -30404,7 +30405,7 @@ index 24e7804..50a981b 100644
')
########################################
-@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1138,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -30419,7 +30420,7 @@ index 24e7804..50a981b 100644
files_search_etc($1)
')
-@@ -1012,6 +1221,42 @@ interface(`init_read_state',`
+@@ -1012,6 +1222,42 @@ interface(`init_read_state',`
########################################
##
@@ -30462,7 +30463,7 @@ index 24e7804..50a981b 100644
## Ptrace init
##
##
-@@ -1026,7 +1271,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1272,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -30473,7 +30474,7 @@ index 24e7804..50a981b 100644
')
########################################
-@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1373,25 @@ interface(`init_getattr_all_script_files',`
########################################
##
@@ -30499,7 +30500,7 @@ index 24e7804..50a981b 100644
## Read all init script files.
##
##
-@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1411,24 @@ interface(`init_read_all_script_files',`
#######################################
##
@@ -30524,7 +30525,7 @@ index 24e7804..50a981b 100644
## Dontaudit read all init script files.
##
##
-@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1480,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -30538,7 +30539,7 @@ index 24e7804..50a981b 100644
')
########################################
-@@ -1314,7 +1593,7 @@ interface(`init_signal_script',`
+@@ -1314,7 +1594,7 @@ interface(`init_signal_script',`
########################################
##
@@ -30547,7 +30548,7 @@ index 24e7804..50a981b 100644
##
##
##
-@@ -1322,17 +1601,17 @@ interface(`init_signal_script',`
+@@ -1322,17 +1602,17 @@ interface(`init_signal_script',`
##
##
#
@@ -30568,7 +30569,7 @@ index 24e7804..50a981b 100644
##
##
##
-@@ -1340,17 +1619,17 @@ interface(`init_signull_script',`
+@@ -1340,17 +1620,17 @@ interface(`init_signull_script',`
##
##
#
@@ -30589,7 +30590,7 @@ index 24e7804..50a981b 100644
##
##
##
-@@ -1358,7 +1637,25 @@ interface(`init_rw_script_pipes',`
+@@ -1358,7 +1638,25 @@ interface(`init_rw_script_pipes',`
##
##
#
@@ -30616,7 +30617,7 @@ index 24e7804..50a981b 100644
refpolicywarn(`$0($*) has been deprecated.')
')
-@@ -1440,6 +1737,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1738,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -30644,7 +30645,7 @@ index 24e7804..50a981b 100644
## init scripts over dbus.
##
##
-@@ -1526,6 +1844,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1526,6 +1845,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -30670,7 +30671,7 @@ index 24e7804..50a981b 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1584,6 +1921,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,6 +1922,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -30695,7 +30696,7 @@ index 24e7804..50a981b 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1656,6 +2011,43 @@ interface(`init_read_utmp',`
+@@ -1656,6 +2012,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -30739,7 +30740,7 @@ index 24e7804..50a981b 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1744,7 +2136,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1744,7 +2137,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -30748,7 +30749,7 @@ index 24e7804..50a981b 100644
')
########################################
-@@ -1785,6 +2177,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2178,133 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -30882,7 +30883,7 @@ index 24e7804..50a981b 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2338,450 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2339,450 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -41337,10 +41338,10 @@ index 0000000..8bca1d7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..976116e
+index 0000000..8c56513
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,634 @@
+@@ -0,0 +1,635 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -41558,7 +41559,7 @@ index 0000000..976116e
+# Local policy
+#
+
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin };
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setsockcreate };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
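Review bot: Dropping `net_admin` from the `systemd_passwd_agent_t` allow rule here, and from `systemd_tmpfiles_t` in the next hunk, stays quiet only if both types carry the `systemd_domain` attribute targeted by the new `dontaudit systemd_domain self:capability net_admin;`. The type declarations are outside these hunks, so the diff cannot confirm that. If either type is not in the attribute, the change will surface as new AVC denials for that domain. The removal itself is sound for least privilege, but the commit should state that neither program needs the capability, for instance in a comment beside the dontaudit line.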
@@ -41602,7 +41603,7 @@ index 0000000..976116e
+# Local policy
+#
+
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin };
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@@ -41949,6 +41950,7 @@ index 0000000..976116e
+# Common rules for systemd domains
+#
+allow systemd_domain self:process { setfscreate signal_perms };
++dontaudit systemd_domain self:capability net_admin;
+
+dev_read_urand(systemd_domain)
+
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 16af07d..348ca46 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -56026,10 +56026,10 @@ index 0000000..9451b83
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..e13b578
+index 0000000..ebd0c68
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,573 @@
+@@ -0,0 +1,575 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -56545,6 +56545,8 @@ index 0000000..e13b578
+kernel_read_network_state(openshift_cron_t)
+kernel_read_system_state(openshift_cron_t)
+
++files_dontaudit_search_all_mountpoints(openshift_cron_t)
++
+corecmd_exec_bin(openshift_cron_t)
+corecmd_exec_shell(openshift_cron_t)
+
@@ -58971,10 +58973,10 @@ index 0000000..ba24b40
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..3bd4aa3
+index 0000000..fc9dd48
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,215 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -59028,11 +59030,12 @@ index 0000000..3bd4aa3
+manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
+manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
-+files_pid_filetrans(pcp_domain, pcp_var_run_t, { file sock_file })
++files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
+manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
-+files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file })
++manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
++files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
+manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
@@ -59057,10 +59060,11 @@ index 0000000..3bd4aa3
+
+allow pcp_pmcd_t self:process { setsched };
+allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
-+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
++allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
+
+auth_use_nsswitch(pcp_pmcd_t)
+
++kernel_get_sysvipc_info(pcp_pmcd_t)
+kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t)
@@ -59069,9 +59073,13 @@ index 0000000..3bd4aa3
+
+corecmd_exec_bin(pcp_pmcd_t)
+
++corenet_tcp_bind_amqp_port(pcp_pmcd_t)
++corenet_tcp_connect_amqp_port(pcp_pmcd_t)
++
+dev_read_sysfs(pcp_pmcd_t)
+
+domain_read_all_domains_state(pcp_pmcd_t)
++domain_getattr_all_domains(pcp_pmcd_t)
+
+dev_getattr_all_blk_files(pcp_pmcd_t)
+dev_getattr_all_chr_files(pcp_pmcd_t)
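Review bot: `corenet_tcp_bind_amqp_port(pcp_pmcd_t)` lets pmcd listen on the port type labelled for AMQP, and the pmlogger hunk further down adds `corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)` next to the existing `dey_sapi` bind. Borrowing port types named for other services means the policy cannot tell pcp apart from any other domain allowed those ports, and nothing in the hunk says which pcp feature needs them. If pcp's own listening ports merely fall under these labels, a dedicated pcp port type would be tighter. Either way, add a comment above the calls such as `# needed by <pcp component>: <reason>` (placeholders to fill in).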
@@ -59083,10 +59091,14 @@ index 0000000..3bd4aa3
+fs_list_cgroup_dirs(pcp_pmcd_t)
+fs_read_cgroup_files(pcp_pmcd_t)
+
++init_read_utmp(pcp_pmcd_t)
++
+logging_send_syslog_msg(pcp_pmcd_t)
+
+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+
++userdom_read_user_tmp_files(pcp_pmcd_t)
++
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t)
+
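Review bot: `userdom_read_user_tmp_files(pcp_pmcd_t)` gives read access to users' temporary files to a daemon that, per the earlier hunk, also binds TCP ports, and the pmie hunk below adds the same call for `pcp_pmie_t`. User temp files often hold sensitive scratch data, so a compromise of either daemon would expose them, and the hunk gives no reason for the grant. If the motivating denial was pcp reading its own files under /tmp, a rule scoped to `pcp_tmp_t`, which the policy already defines, would be narrower. Otherwise a comment should name the files that are actually needed.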
@@ -59154,10 +59166,16 @@ index 0000000..3bd4aa3
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
++kernel_read_system_state(pcp_pmie_t)
++
++corecmd_exec_bin(pcp_pmie_t)
++
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
+
+logging_send_syslog_msg(pcp_pmie_t)
+
++userdom_read_user_tmp_files(pcp_pmie_t)
++
+########################################
+#
+# pcp_pmlogger local policy
@@ -59169,8 +59187,11 @@ index 0000000..3bd4aa3
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
+
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
++corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
+
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmlogger_t)
++
diff --git a/pcscd.if b/pcscd.if
index 43d50f9..7f77d32 100644
--- a/pcscd.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ba5fbc1..208f93c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 130%{?dist}
+Release: 131%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Mar 6 2014 Miroslav Grepl 3.12.1-131
+- Added pcp rules
+- dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6
+- clean up ctdb.te
+- Allow ctdbd to connect own ports
+- Fix samba_export_all_rw booleanto cover also non security dirs
+- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
+- Allow neutron to create /run/netns with correct labeling
+- Allow certmonger to list home dirs
+
* Wed Mar 5 2014 Miroslav Grepl 3.12.1-130
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask
- Add sysnet_filetrans_named_content_ifconfig() interface