diff --git a/.criu.metadata b/.criu.metadata
index f33f9a7..52bb375 100644
--- a/.criu.metadata
+++ b/.criu.metadata
@@ -1 +1 @@
-b2ceaf9705aa8239915010136a59664d31044fe3 SOURCES/criu-3.12.tar.bz2
+548d575d89e872c153a756c274e438995eb4e823 SOURCES/criu-3.14.tar.bz2
diff --git a/.gitignore b/.gitignore
index d9f1e8d..1c6f0d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/criu-3.12.tar.bz2
+SOURCES/criu-3.14.tar.bz2
diff --git a/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch b/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
deleted file mode 100644
index 3b2fbd8..0000000
--- a/SOURCES/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Fri, 3 May 2019 06:27:51 +0000
-Subject: [PATCH] lsm: fix compiler error 'unused-result'
-
-Reading out the xattr 'security.selinux' of checkpointed sockets with
-fscanf() works (at least in theory) without checking the result of
-fscanf(). There are, however, multiple CI failures when ignoring the
-return value of fscanf().
-
-This adds ferror() to check if the stream has an actual error or if '-1'
-just mean EOF.
-
-Handle all errors of fscanf() // Andrei
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
-Signed-off-by: Andrei Vagin <avagin@gmail.com>
----
- criu/lsm.c | 22 +++++++++++++---------
- 1 file changed, 13 insertions(+), 9 deletions(-)
-
-diff --git a/criu/lsm.c b/criu/lsm.c
-index ef6ba112b3..9c9ac7f80e 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
- 		return -1;
- 
- 	if (fscanf(f, "%ms", profile_name) != 1) {
--		fclose(f);
- 		pr_perror("err scanfing");
-+		fclose(f);
- 		return -1;
- 	}
- 
-@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
- static int selinux_get_sockcreate_label(pid_t pid, char **output)
- {
- 	FILE *f;
-+	int ret;
- 
- 	f = fopen_proc(pid, "attr/sockcreate");
- 	if (!f)
- 		return -1;
- 
--	fscanf(f, "%ms", output);
--	/*
--	 * No need to check the result of fscanf(). If there is something
--	 * in /proc/PID/attr/sockcreate it will be copied to *output. If
--	 * there is nothing it will stay NULL. So whatever fscanf() does
--	 * it should be correct.
--	 */
--
-+	ret = fscanf(f, "%ms", output);
-+	if (ret == -1 && errno != 0) {
-+		pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
-+		/*
-+		 * Only if the error indicator is set it is a real error.
-+		 * -1 could also be EOF, which would mean that sockcreate
-+		 * was just empty, which is the most common case.
-+		 */
-+		fclose(f);
-+		return -1;
-+	}
- 	fclose(f);
- 	return 0;
- }
diff --git a/SOURCES/685.patch b/SOURCES/685.patch
deleted file mode 100644
index 30e1728..0000000
--- a/SOURCES/685.patch
+++ /dev/null
@@ -1,834 +0,0 @@
-From 3313343ba7803bff077af5d87df2260cdcd2d678 Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Thu, 2 May 2019 13:41:46 +0000
-Subject: [PATCH 1/4] lsm: also dump and restore sockcreate
-
-The file /proc/PID/attr/sockcreate is used by SELinux to label newly
-created sockets with the label available at sockcreate.
-
-If it is NULL, the default label of the process will be used.
-
-This reads out that file during checkpoint and restores the value during
-restore.
-
-This value is irrelevant for existing sockets as they might have been
-created with another context. This is only to make sure that newly
-created sockets have the correct context.
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- criu/cr-restore.c       | 36 ++++++++++++++++++++++++++++++++++++
- criu/include/restorer.h |  2 ++
- criu/lsm.c              | 32 ++++++++++++++++++++++++++++++++
- criu/pie/restorer.c     | 15 ++++++++++-----
- images/creds.proto      |  1 +
- 5 files changed, 81 insertions(+), 5 deletions(-)
-
-diff --git a/criu/cr-restore.c b/criu/cr-restore.c
-index 5fd22e9246..f254cbc0eb 100644
---- a/criu/cr-restore.c
-+++ b/criu/cr-restore.c
-@@ -2997,6 +2997,8 @@ static void rst_reloc_creds(struct thread_restore_args *thread_args,
- 
- 	if (args->lsm_profile)
- 		args->lsm_profile = rst_mem_remap_ptr(args->mem_lsm_profile_pos, RM_PRIVATE);
-+	if (args->lsm_sockcreate)
-+		args->lsm_sockcreate = rst_mem_remap_ptr(args->mem_lsm_sockcreate_pos, RM_PRIVATE);
- 	if (args->groups)
- 		args->groups = rst_mem_remap_ptr(args->mem_groups_pos, RM_PRIVATE);
- 
-@@ -3062,6 +3064,40 @@ rst_prep_creds_args(CredsEntry *ce, unsigned long *prev_pos)
- 		args->mem_lsm_profile_pos = 0;
- 	}
- 
-+	if (ce->lsm_sockcreate) {
-+		char *rendered = NULL;
-+		char *profile;
-+
-+		profile = ce->lsm_sockcreate;
-+
-+		if (validate_lsm(profile) < 0)
-+			return ERR_PTR(-EINVAL);
-+
-+		if (profile && render_lsm_profile(profile, &rendered)) {
-+			return ERR_PTR(-EINVAL);
-+		}
-+		if (rendered) {
-+			size_t lsm_sockcreate_len;
-+			char *lsm_sockcreate;
-+
-+			args->mem_lsm_sockcreate_pos = rst_mem_align_cpos(RM_PRIVATE);
-+			lsm_sockcreate_len = strlen(rendered);
-+			lsm_sockcreate = rst_mem_alloc(lsm_sockcreate_len + 1, RM_PRIVATE);
-+			if (!lsm_sockcreate) {
-+				xfree(rendered);
-+				return ERR_PTR(-ENOMEM);
-+			}
-+
-+			args = rst_mem_remap_ptr(this_pos, RM_PRIVATE);
-+			args->lsm_sockcreate = lsm_sockcreate;
-+			strncpy(args->lsm_sockcreate, rendered, lsm_sockcreate_len);
-+			xfree(rendered);
-+		}
-+	} else {
-+		args->lsm_sockcreate = NULL;
-+		args->mem_lsm_sockcreate_pos = 0;
-+	}
-+
- 	/*
- 	 * Zap fields which we can't use.
- 	 */
-diff --git a/criu/include/restorer.h b/criu/include/restorer.h
-index 2884ce9e6d..b83e9130c5 100644
---- a/criu/include/restorer.h
-+++ b/criu/include/restorer.h
-@@ -69,8 +69,10 @@ struct thread_creds_args {
- 	unsigned int			secbits;
- 	char				*lsm_profile;
- 	unsigned int			*groups;
-+	char				*lsm_sockcreate;
- 
- 	unsigned long			mem_lsm_profile_pos;
-+	unsigned long			mem_lsm_sockcreate_pos;
- 	unsigned long			mem_groups_pos;
- 
- 	unsigned long			mem_pos_next;
-diff --git a/criu/lsm.c b/criu/lsm.c
-index 849ec37cde..b0ef0c396c 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -98,6 +98,32 @@ static int selinux_get_label(pid_t pid, char **output)
- 	freecon(ctx);
- 	return ret;
- }
-+
-+/*
-+ * selinux_get_sockcreate_label reads /proc/PID/attr/sockcreate
-+ * to see if the PID has a special label specified for sockets.
-+ * Most of the time this will be empty and the process will use
-+ * the process context also for sockets.
-+ */
-+static int selinux_get_sockcreate_label(pid_t pid, char **output)
-+{
-+	FILE *f;
-+
-+	f = fopen_proc(pid, "attr/sockcreate");
-+	if (!f)
-+		return -1;
-+
-+	fscanf(f, "%ms", output);
-+	/*
-+	 * No need to check the result of fscanf(). If there is something
-+	 * in /proc/PID/attr/sockcreate it will be copied to *output. If
-+	 * there is nothing it will stay NULL. So whatever fscanf() does
-+	 * it should be correct.
-+	 */
-+
-+	fclose(f);
-+	return 0;
-+}
- #endif
- 
- void kerndat_lsm(void)
-@@ -132,6 +158,7 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
- 	int ret;
- 
- 	ce->lsm_profile = NULL;
-+	ce->lsm_sockcreate = NULL;
- 
- 	switch (kdat.lsm) {
- 	case LSMTYPE__NO_LSM:
-@@ -143,6 +170,9 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
- #ifdef CONFIG_HAS_SELINUX
- 	case LSMTYPE__SELINUX:
- 		ret = selinux_get_label(pid, &ce->lsm_profile);
-+		if (ret)
-+			break;
-+		ret = selinux_get_sockcreate_label(pid, &ce->lsm_sockcreate);
- 		break;
- #endif
- 	default:
-@@ -153,6 +183,8 @@ int collect_lsm_profile(pid_t pid, CredsEntry *ce)
- 
- 	if (ce->lsm_profile)
- 		pr_info("%d has lsm profile %s\n", pid, ce->lsm_profile);
-+	if (ce->lsm_sockcreate)
-+		pr_info("%d has lsm sockcreate label %s\n", pid, ce->lsm_sockcreate);
- 
- 	return ret;
- }
-diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
-index 6e18cc2606..4f42605a09 100644
---- a/criu/pie/restorer.c
-+++ b/criu/pie/restorer.c
-@@ -149,7 +149,7 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
- 	sys_exit_group(1);
- }
- 
--static int lsm_set_label(char *label, int procfd)
-+static int lsm_set_label(char *label, char *type, int procfd)
- {
- 	int ret = -1, len, lsmfd;
- 	char path[STD_LOG_SIMPLE_CHUNK];
-@@ -157,9 +157,9 @@ static int lsm_set_label(char *label, int procfd)
- 	if (!label)
- 		return 0;
- 
--	pr_info("restoring lsm profile %s\n", label);
-+	pr_info("restoring lsm profile (%s) %s\n", type, label);
- 
--	std_sprintf(path, "self/task/%ld/attr/current", sys_gettid());
-+	std_sprintf(path, "self/task/%ld/attr/%s", sys_gettid(), type);
- 
- 	lsmfd = sys_openat(procfd, path, O_WRONLY, 0);
- 	if (lsmfd < 0) {
-@@ -305,9 +305,14 @@ static int restore_creds(struct thread_creds_args *args, int procfd,
- 		 * SELinux and instead the process context is set before the
- 		 * threads are created.
- 		 */
--		if (lsm_set_label(args->lsm_profile, procfd) < 0)
-+		if (lsm_set_label(args->lsm_profile, "current", procfd) < 0)
- 			return -1;
- 	}
-+
-+	/* Also set the sockcreate label for all threads */
-+	if (lsm_set_label(args->lsm_sockcreate, "sockcreate", procfd) < 0)
-+		return -1;
-+
- 	return 0;
- }
- 
-@@ -1571,7 +1576,7 @@ long __export_restore_task(struct task_restore_args *args)
- 	if (args->lsm_type == LSMTYPE__SELINUX) {
- 		/* Only for SELinux */
- 		if (lsm_set_label(args->t->creds_args->lsm_profile,
--				  args->proc_fd) < 0)
-+				  "current", args->proc_fd) < 0)
- 			goto core_restore_end;
- 	}
- 
-diff --git a/images/creds.proto b/images/creds.proto
-index 29fb8652eb..23b84c7e50 100644
---- a/images/creds.proto
-+++ b/images/creds.proto
-@@ -20,4 +20,5 @@ message creds_entry {
- 	repeated uint32	groups	= 14;
- 
- 	optional string lsm_profile = 15;
-+	optional string lsm_sockcreate = 16;
- }
-
-From 495e6aa7ac51fcb36e6bc5f6c97f44cab7649b9c Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Thu, 2 May 2019 13:47:29 +0000
-Subject: [PATCH 2/4] test: Verify that sockcreate does not change during
- restore
-
-This makes sure that sockcreate stays empty for selinux00 before and
-after checkpoint/restore.
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- test/zdtm/static/selinux00.c | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
-diff --git a/test/zdtm/static/selinux00.c b/test/zdtm/static/selinux00.c
-index dd9096a6fc..db8420eacb 100644
---- a/test/zdtm/static/selinux00.c
-+++ b/test/zdtm/static/selinux00.c
-@@ -83,6 +83,31 @@ int checkprofile()
- 	return 0;
- }
- 
-+int check_sockcreate()
-+{
-+	char *output = NULL;
-+	FILE *f = fopen("/proc/self/attr/sockcreate", "r");
-+	int ret = fscanf(f, "%ms", &output);
-+	fclose(f);
-+
-+	if (ret >= 1) {
-+		free(output);
-+		/* sockcreate should be empty, if fscanf found something
-+		 * it is wrong.*/
-+		fail("sockcreate should be empty\n");
-+		return -1;
-+	}
-+
-+	if (output) {
-+		free(output);
-+		/* Same here, output should still be NULL. */
-+		fail("sockcreate should be empty\n");
-+		return -1;
-+	}
-+
-+	return 0;
-+}
-+
- int main(int argc, char **argv)
- {
- 	test_init(argc, argv);
-@@ -95,12 +120,21 @@ int main(int argc, char **argv)
- 		return 0;
- 	}
- 
-+	if (check_sockcreate())
-+		return -1;
-+
- 	if (setprofile())
- 		return -1;
- 
-+	if (check_sockcreate())
-+		return -1;
-+
- 	test_daemon();
- 	test_waitsig();
- 
-+	if (check_sockcreate())
-+		return -1;
-+
- 	if (checkprofile() == 0)
- 		pass();
- 
-
-From fe52cf66b38a261846ff40fc425085724b2acc15 Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Mon, 29 Apr 2019 15:21:59 +0200
-Subject: [PATCH 3/4] sockets: dump and restore xattr security labels
-
-Restoring a SELinux process also requires to correctly label sockets.
-
-During checkpointing fgetxattr() is used to retrieve the
-"security.selinux" xattr and during restore setsockcreatecon() is used
-before a socket is created.
-
-Previous commits are already restoring the sockcreate SELinux setting if
-set by the process.
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- criu/include/lsm.h  | 18 +++++++++++++++
- criu/lsm.c          | 56 +++++++++++++++++++++++++++++++++++++++++++++
- criu/sk-inet.c      | 12 ++++++++++
- criu/sockets.c      |  4 ++++
- images/fdinfo.proto |  1 +
- 5 files changed, 91 insertions(+)
-
-diff --git a/criu/include/lsm.h b/criu/include/lsm.h
-index b4fce13039..3b82712829 100644
---- a/criu/include/lsm.h
-+++ b/criu/include/lsm.h
-@@ -3,6 +3,7 @@
- 
- #include "images/inventory.pb-c.h"
- #include "images/creds.pb-c.h"
-+#include "images/fdinfo.pb-c.h"
- 
- #define AA_SECURITYFS_PATH "/sys/kernel/security/apparmor"
- 
-@@ -34,4 +35,21 @@ int validate_lsm(char *profile);
- int render_lsm_profile(char *profile, char **val);
- 
- extern int lsm_check_opts(void);
-+
-+#ifdef CONFIG_HAS_SELINUX
-+int dump_xattr_security_selinux(int fd, FdinfoEntry *e);
-+int run_setsockcreatecon(FdinfoEntry *e);
-+int reset_setsockcreatecon();
-+#else
-+static inline int dump_xattr_security_selinux(int fd, FdinfoEntry *e) {
-+	return 0;
-+}
-+static inline int run_setsockcreatecon(FdinfoEntry *e) {
-+	return 0;
-+}
-+static inline int reset_setsockcreatecon() {
-+	return 0;
-+}
-+#endif
-+
- #endif /* __CR_LSM_H__ */
-diff --git a/criu/lsm.c b/criu/lsm.c
-index b0ef0c396c..ef6ba112b3 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -3,6 +3,7 @@
- #include <stdlib.h>
- #include <fcntl.h>
- #include <sys/types.h>
-+#include <sys/xattr.h>
- #include <unistd.h>
- 
- #include "common/config.h"
-@@ -11,10 +12,12 @@
- #include "util.h"
- #include "cr_options.h"
- #include "lsm.h"
-+#include "fdstore.h"
- 
- #include "protobuf.h"
- #include "images/inventory.pb-c.h"
- #include "images/creds.pb-c.h"
-+#include "images/fdinfo.pb-c.h"
- 
- #ifdef CONFIG_HAS_SELINUX
- #include <selinux/selinux.h>
-@@ -124,6 +127,59 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
- 	fclose(f);
- 	return 0;
- }
-+
-+int reset_setsockcreatecon()
-+{
-+	return setsockcreatecon_raw(NULL);
-+}
-+
-+int run_setsockcreatecon(FdinfoEntry *e)
-+{
-+	char *ctx = NULL;
-+
-+	/* Currently this only works for SELinux. */
-+	if (kdat.lsm != LSMTYPE__SELINUX)
-+		return 0;
-+
-+	ctx = e->xattr_security_selinux;
-+	/* Writing to the FD using fsetxattr() did not work for some reason. */
-+	return setsockcreatecon_raw(ctx);
-+}
-+
-+int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
-+{
-+	char *ctx = NULL;
-+	int len;
-+	int ret;
-+
-+	/* Currently this only works for SELinux. */
-+	if (kdat.lsm != LSMTYPE__SELINUX)
-+		return 0;
-+
-+	/* Get the size of the xattr. */
-+	len = fgetxattr(fd, "security.selinux", ctx, 0);
-+	if (len == -1) {
-+		pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
-+		return -1;
-+	}
-+
-+	ctx = xmalloc(len);
-+	if (!ctx) {
-+		pr_err("xmalloc to read xattr for FD %d failed\n", fd);
-+		return -1;
-+	}
-+
-+	ret = fgetxattr(fd, "security.selinux", ctx, len);
-+	if (len != ret) {
-+		pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
-+		return -1;
-+	}
-+
-+	e->xattr_security_selinux = ctx;
-+
-+	return 0;
-+}
-+
- #endif
- 
- void kerndat_lsm(void)
-diff --git a/criu/sk-inet.c b/criu/sk-inet.c
-index 60ee4c3155..ca5c9bf2cd 100644
---- a/criu/sk-inet.c
-+++ b/criu/sk-inet.c
-@@ -23,6 +23,9 @@
- #include "files.h"
- #include "image.h"
- #include "log.h"
-+#include "lsm.h"
-+#include "kerndat.h"
-+#include "pstree.h"
- #include "rst-malloc.h"
- #include "sockets.h"
- #include "sk-inet.h"
-@@ -30,6 +33,8 @@
- #include "util.h"
- #include "namespaces.h"
- 
-+#include "images/inventory.pb-c.h"
-+
- #undef  LOG_PREFIX
- #define LOG_PREFIX "inet: "
- 
-@@ -804,12 +809,18 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
- 	if (set_netns(ie->ns_id))
- 		return -1;
- 
-+	if (run_setsockcreatecon(fle->fe))
-+		return -1;
-+
- 	sk = socket(ie->family, ie->type, ie->proto);
- 	if (sk < 0) {
- 		pr_perror("Can't create inet socket");
- 		return -1;
- 	}
- 
-+	if (reset_setsockcreatecon())
-+		return -1;
-+
- 	if (ie->v6only) {
- 		if (restore_opt(sk, SOL_IPV6, IPV6_V6ONLY, &yes) == -1)
- 			goto err;
-@@ -895,6 +906,7 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
- 	}
- 
- 	*new_fd = sk;
-+
- 	return 1;
- err:
- 	close(sk);
-diff --git a/criu/sockets.c b/criu/sockets.c
-index 30072ac737..7f7453ca1d 100644
---- a/criu/sockets.c
-+++ b/criu/sockets.c
-@@ -22,6 +22,7 @@
- #include "util-pie.h"
- #include "sk-packet.h"
- #include "namespaces.h"
-+#include "lsm.h"
- #include "net.h"
- #include "xmalloc.h"
- #include "fs-magic.h"
-@@ -663,6 +664,9 @@ int dump_socket(struct fd_parms *p, int lfd, FdinfoEntry *e)
- 	int family;
- 	const struct fdtype_ops *ops;
- 
-+	if (dump_xattr_security_selinux(lfd, e))
-+		return -1;
-+
- 	if (dump_opt(lfd, SOL_SOCKET, SO_DOMAIN, &family))
- 		return -1;
- 
-diff --git a/images/fdinfo.proto b/images/fdinfo.proto
-index ed82ceffe7..77e375aa94 100644
---- a/images/fdinfo.proto
-+++ b/images/fdinfo.proto
-@@ -47,6 +47,7 @@ message fdinfo_entry {
- 	required uint32		flags	= 2;
- 	required fd_types	type	= 3;
- 	required uint32		fd	= 4;
-+	optional string		xattr_security_selinux = 5;
- }
- 
- message file_entry {
-
-From ba42d30fad82f17a66617a33f03d3da05cc73bfe Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Tue, 30 Apr 2019 09:47:32 +0000
-Subject: [PATCH 4/4] selinux: add socket label test
-
-This adds two more SELinux test to verfy that checkpointing and
-restoring SELinux socket labels works correctly, if the process uses
-setsockcreatecon() or if the process leaves the default context for
-newly created sockets.
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- test/zdtm/static/Makefile            |   3 +
- test/zdtm/static/selinux01.c         | 200 +++++++++++++++++++++++++++
- test/zdtm/static/selinux01.checkskip |   1 +
- test/zdtm/static/selinux01.desc      |   1 +
- test/zdtm/static/selinux01.hook      |   1 +
- test/zdtm/static/selinux02.c         |   1 +
- test/zdtm/static/selinux02.checkskip |   1 +
- test/zdtm/static/selinux02.desc      |   1 +
- test/zdtm/static/selinux02.hook      |   1 +
- 9 files changed, 210 insertions(+)
- create mode 100644 test/zdtm/static/selinux01.c
- create mode 120000 test/zdtm/static/selinux01.checkskip
- create mode 120000 test/zdtm/static/selinux01.desc
- create mode 120000 test/zdtm/static/selinux01.hook
- create mode 120000 test/zdtm/static/selinux02.c
- create mode 120000 test/zdtm/static/selinux02.checkskip
- create mode 120000 test/zdtm/static/selinux02.desc
- create mode 120000 test/zdtm/static/selinux02.hook
-
-diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
-index 8e3f39276a..1ffaa90394 100644
---- a/test/zdtm/static/Makefile
-+++ b/test/zdtm/static/Makefile
-@@ -211,6 +211,8 @@ TST_NOFILE	:=				\
- 		thp_disable			\
- 		pid_file			\
- 		selinux00			\
-+		selinux01			\
-+		selinux02			\
- #		jobctl00			\
- 
- ifneq ($(SRCARCH),arm)
-@@ -513,6 +515,7 @@ unlink_fstat041:		CFLAGS += -DUNLINK_FSTAT041 -DUNLINK_FSTAT04
- ghost_holes01:		CFLAGS += -DTAIL_HOLE
- ghost_holes02:		CFLAGS += -DHEAD_HOLE
- sk-freebind-false:	CFLAGS += -DZDTM_FREEBIND_FALSE
-+selinux02:		CFLAGS += -DUSING_SOCKCREATE
- stopped01:		CFLAGS += -DZDTM_STOPPED_KILL
- stopped02:		CFLAGS += -DZDTM_STOPPED_TKILL
- stopped12:		CFLAGS += -DZDTM_STOPPED_KILL -DZDTM_STOPPED_TKILL
-diff --git a/test/zdtm/static/selinux01.c b/test/zdtm/static/selinux01.c
-new file mode 100644
-index 0000000000..9966455c47
---- /dev/null
-+++ b/test/zdtm/static/selinux01.c
-@@ -0,0 +1,200 @@
-+#include <unistd.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <fcntl.h>
-+#include <sys/stat.h>
-+#include <sys/types.h>
-+#include <sys/mount.h>
-+#include <sys/socket.h>
-+#include <sys/xattr.h>
-+#include <linux/limits.h>
-+#include <signal.h>
-+#include "zdtmtst.h"
-+
-+/* Enabling the right policy happens in selinux00.hook and selinx00.checkskip */
-+
-+const char *test_doc	= "Check that a SELinux socket context is restored";
-+const char *test_author	= "Adrian Reber <areber@redhat.com>";
-+
-+/* This is all based on Tycho's apparmor code */
-+
-+#define CONTEXT "unconfined_u:unconfined_r:unconfined_dbusd_t:s0"
-+
-+/*
-+ * This is used to store the state of SELinux. For this test
-+ * SELinux is switched to permissive mode and later the previous
-+ * SELinux state is restored.
-+ */
-+char state;
-+
-+int check_for_selinux()
-+{
-+	if (access("/sys/fs/selinux", F_OK) == 0)
-+		return 0;
-+	return 1;
-+}
-+
-+int setprofile()
-+{
-+	int fd, len;
-+
-+	fd = open("/proc/self/attr/current", O_WRONLY);
-+	if (fd < 0) {
-+		fail("Could not open /proc/self/attr/current\n");
-+		return -1;
-+	}
-+
-+	len = write(fd, CONTEXT, strlen(CONTEXT));
-+	close(fd);
-+
-+	if (len < 0) {
-+		fail("Could not write context\n");
-+		return -1;
-+	}
-+
-+	return 0;
-+}
-+
-+int set_sockcreate()
-+{
-+	int fd, len;
-+
-+	fd = open("/proc/self/attr/sockcreate", O_WRONLY);
-+	if (fd < 0) {
-+		fail("Could not open /proc/self/attr/sockcreate\n");
-+		return -1;
-+	}
-+
-+	len = write(fd, CONTEXT, strlen(CONTEXT));
-+	close(fd);
-+
-+	if (len < 0) {
-+		fail("Could not write context\n");
-+		return -1;
-+	}
-+
-+	return 0;
-+}
-+
-+int check_sockcreate()
-+{
-+	int fd;
-+	char context[1024];
-+	int len;
-+
-+
-+	fd = open("/proc/self/attr/sockcreate", O_RDONLY);
-+	if (fd < 0) {
-+		fail("Could not open /proc/self/attr/sockcreate\n");
-+		return -1;
-+	}
-+
-+	len = read(fd, context, strlen(CONTEXT));
-+	close(fd);
-+	if (len != strlen(CONTEXT)) {
-+		fail("SELinux context has unexpected length %d, expected %zd\n",
-+			len, strlen(CONTEXT));
-+		return -1;
-+	}
-+
-+	if (strncmp(context, CONTEXT, strlen(CONTEXT)) != 0) {
-+		fail("Wrong SELinux context %s expected %s\n", context, CONTEXT);
-+		return -1;
-+	}
-+
-+	return 0;
-+}
-+
-+int check_sockcreate_empty()
-+{
-+	char *output = NULL;
-+	FILE *f = fopen("/proc/self/attr/sockcreate", "r");
-+	int ret = fscanf(f, "%ms", &output);
-+	fclose(f);
-+
-+	if (ret >= 1) {
-+		free(output);
-+		/* sockcreate should be empty, if fscanf found something
-+		 * it is wrong.*/
-+		fail("sockcreate should be empty\n");
-+		return -1;
-+	}
-+
-+	if (output) {
-+		free(output);
-+		/* Same here, output should still be NULL. */
-+		fail("sockcreate should be empty\n");
-+		return -1;
-+	}
-+
-+	return 0;
-+}
-+
-+int main(int argc, char **argv)
-+{
-+	char ctx[1024];
-+	test_init(argc, argv);
-+
-+	if (check_for_selinux()) {
-+		skip("SELinux not found on this system.");
-+		test_daemon();
-+		test_waitsig();
-+		pass();
-+		return 0;
-+	}
-+
-+#ifdef USING_SOCKCREATE
-+	if (set_sockcreate())
-+		return -1;
-+#else
-+	if (check_sockcreate_empty())
-+		return -1;
-+
-+	if (setprofile())
-+		return -1;
-+
-+	if (check_sockcreate_empty())
-+		return -1;
-+#endif
-+
-+	/* Open our test socket */
-+	int sk = socket(AF_INET, SOCK_STREAM, 0);
-+	memset(ctx, 0, 1024);
-+	/* Read out the socket label */
-+	if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
-+		fail("Reading xattr 'security.selinux' failed.\n");
-+		return -1;
-+	}
-+	if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
-+		fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
-+		return -1;
-+	}
-+	memset(ctx, 0, 1024);
-+
-+	test_daemon();
-+	test_waitsig();
-+
-+	/* Read out the socket label again */
-+
-+	if (fgetxattr(sk, "security.selinux", ctx, 1024) == -1) {
-+		fail("Reading xattr 'security.selinux' failed.\n");
-+		return -1;
-+	}
-+	if (strncmp(ctx, CONTEXT, strlen(CONTEXT)) != 0) {
-+		fail("Wrong SELinux context %s expected %s\n", ctx, CONTEXT);
-+		return -1;
-+	}
-+
-+#ifdef USING_SOCKCREATE
-+	if (check_sockcreate())
-+		return -1;
-+#else
-+	if (check_sockcreate_empty())
-+		return -1;
-+#endif
-+
-+	pass();
-+
-+	return 0;
-+}
-diff --git a/test/zdtm/static/selinux01.checkskip b/test/zdtm/static/selinux01.checkskip
-new file mode 120000
-index 0000000000..e8a172479e
---- /dev/null
-+++ b/test/zdtm/static/selinux01.checkskip
-@@ -0,0 +1 @@
-+selinux00.checkskip
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux01.desc b/test/zdtm/static/selinux01.desc
-new file mode 120000
-index 0000000000..2d2961a764
---- /dev/null
-+++ b/test/zdtm/static/selinux01.desc
-@@ -0,0 +1 @@
-+selinux00.desc
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux01.hook b/test/zdtm/static/selinux01.hook
-new file mode 120000
-index 0000000000..dd7ed6bb33
---- /dev/null
-+++ b/test/zdtm/static/selinux01.hook
-@@ -0,0 +1 @@
-+selinux00.hook
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux02.c b/test/zdtm/static/selinux02.c
-new file mode 120000
-index 0000000000..5702677858
---- /dev/null
-+++ b/test/zdtm/static/selinux02.c
-@@ -0,0 +1 @@
-+selinux01.c
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux02.checkskip b/test/zdtm/static/selinux02.checkskip
-new file mode 120000
-index 0000000000..2696e6e3de
---- /dev/null
-+++ b/test/zdtm/static/selinux02.checkskip
-@@ -0,0 +1 @@
-+selinux01.checkskip
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux02.desc b/test/zdtm/static/selinux02.desc
-new file mode 120000
-index 0000000000..9c6802c4da
---- /dev/null
-+++ b/test/zdtm/static/selinux02.desc
-@@ -0,0 +1 @@
-+selinux01.desc
-\ No newline at end of file
-diff --git a/test/zdtm/static/selinux02.hook b/test/zdtm/static/selinux02.hook
-new file mode 120000
-index 0000000000..e3ea0a6c80
---- /dev/null
-+++ b/test/zdtm/static/selinux02.hook
-@@ -0,0 +1 @@
-+selinux01.hook
-\ No newline at end of file
diff --git a/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch b/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
deleted file mode 100644
index 09446a6..0000000
--- a/SOURCES/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
-From: Andrei Vagin <avagin@gmail.com>
-Date: Sat, 4 May 2019 20:01:52 -0700
-Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
-
-Fixes #693
----
- criu/lsm.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/criu/lsm.c b/criu/lsm.c
-index 9c9ac7f80e..5921138392 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
- 
- int reset_setsockcreatecon()
- {
--	return setsockcreatecon_raw(NULL);
-+	/* Currently this only works for SELinux. */
-+	if (kdat.lsm != LSMTYPE__SELINUX)
-+		return 0;
-+
-+	if (setsockcreatecon_raw(NULL)) {
-+		pr_perror("Unable to reset socket SELinux context");
-+		return -1;
-+	}
-+	return 0;
- }
- 
- int run_setsockcreatecon(FdinfoEntry *e)
-@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
- 
- 	ctx = e->xattr_security_selinux;
- 	/* Writing to the FD using fsetxattr() did not work for some reason. */
--	return setsockcreatecon_raw(ctx);
-+	if (setsockcreatecon_raw(ctx)) {
-+		pr_perror("Unable to set the %s socket SELinux context", ctx);
-+		return -1;
-+	}
-+	return 0;
- }
- 
- int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
diff --git a/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch b/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
deleted file mode 100644
index ec0cf00..0000000
--- a/SOURCES/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001
-From: Adrian Reber <areber@redhat.com>
-Date: Sat, 4 May 2019 15:27:32 +0200
-Subject: [PATCH] lsm: fix compiler error on Fedora 30
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This fixes following compiler error:
-
-criu/lsm.c: In function ‘dump_xattr_security_selinux’:
-criu/include/log.h:51:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
-   51 |  print_on_level(LOG_ERROR,     \
-      |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-   52 |          "Error (%s:%d): " LOG_PREFIX fmt,  \
-      |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-   53 |          __FILE__, __LINE__, ##__VA_ARGS__)
-      |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-criu/lsm.c:166:3: note: in expansion of macro ‘pr_err’
-  166 |   pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
-      |   ^~~~~~
-
-Signed-off-by: Adrian Reber <areber@redhat.com>
----
- criu/lsm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/criu/lsm.c b/criu/lsm.c
-index 5921138392..420585ba4f 100644
---- a/criu/lsm.c
-+++ b/criu/lsm.c
-@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
- 	/* Get the size of the xattr. */
- 	len = fgetxattr(fd, "security.selinux", ctx, 0);
- 	if (len == -1) {
--		pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
-+		pr_err("Reading xattr security.selinux from FD %d failed\n", fd);
- 		return -1;
- 	}
- 
diff --git a/SOURCES/criu-1838991.patch b/SOURCES/criu-1838991.patch
new file mode 100644
index 0000000..f8c2a03
--- /dev/null
+++ b/SOURCES/criu-1838991.patch
@@ -0,0 +1,121 @@
+From ce733f4be5791911c009c57e803f3a08d3270a0c Mon Sep 17 00:00:00 2001
+From: Adrian Reber <areber@redhat.com>
+Date: Wed, 20 May 2020 11:57:22 +0000
+Subject: [PATCH 1/3] coverity: fix RESOURCE_LEAK criu/timens.c: 67
+
+ 7. criu-3.14/criu/timens.c:67: leaked_storage: Variable "img" going out of scope leaks the storage it points to.
+    65|   	if (id == 0 && empty_image(img)) {
+    66|   		pr_warn("Clocks values have not been dumped\n");
+    67|-> 		return 0;
+    68|   	}
+
+Signed-off-by: Adrian Reber <areber@redhat.com>
+---
+ criu/timens.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/criu/timens.c b/criu/timens.c
+index 2a7e952845..f81808abf8 100644
+--- criu-3.14/criu/timens.c
++++ criu-3.14/criu/timens.c
+@@ -64,6 +64,7 @@ int prepare_timens(int id)
+ 
+ 	if (id == 0 && empty_image(img)) {
+ 		pr_warn("Clocks values have not been dumped\n");
++		close_image(img);
+ 		return 0;
+ 	}
+ 
+
+From e7e4e46cfebd69efe8681395380528826df0d529 Mon Sep 17 00:00:00 2001
+From: Adrian Reber <areber@redhat.com>
+Date: Wed, 20 May 2020 12:19:36 +0000
+Subject: [PATCH 2/3] coverity: fix FORWARD_NULL in criu/proc_parse.c: 1481
+
+8. criu-3.14/criu/proc_parse.c:1511: var_deref_model: Passing null pointer "f" to "fclose", which dereferences it.
+  1509|   	exit_code = 0;
+  1510|   out:
+  1511|-> 	fclose(f);
+  1512|   	return exit_code;
+  1513|   }
+
+Signed-off-by: Adrian Reber <areber@redhat.com>
+---
+ criu/proc_parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/criu/proc_parse.c b/criu/proc_parse.c
+index 4a22700aa3..d1ccd9281b 100644
+--- criu-3.14/criu/proc_parse.c
++++ criu-3.14/criu/proc_parse.c
+@@ -1480,7 +1480,7 @@ int parse_timens_offsets(struct timespec *boff, struct timespec *moff)
+ 	f = fopen_proc(PROC_SELF, "timens_offsets");
+ 	if (!f) {
+ 		pr_perror("Unable to open /proc/self/timens_offsets");
+-		goto out;
++		return exit_code;
+ 	}
+ 	while (fgets(buf, BUF_SIZE, f)) {
+ 		int64_t sec, nsec;
+
+From 6b44ddf4587ecbda65c15d462a94708ac2f6f602 Mon Sep 17 00:00:00 2001
+From: Adrian Reber <areber@redhat.com>
+Date: Wed, 20 May 2020 12:38:55 +0000
+Subject: [PATCH 3/3] clang: Branch condition evaluates to a garbage value
+
+criu-3.14/criu/namespaces.c:692:7: warning: Branch condition evaluates to a garbage value
+
+criu-3.14/criu/namespaces.c:690:3: note: 'supported' declared without an initial value
+              protobuf_c_boolean supported;
+              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:691:8: note: Calling 'get_ns_id'
+              id = get_ns_id(pid, &time_for_children_ns_desc, &supported);
+                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:479:9: note: Calling '__get_ns_id'
+      return __get_ns_id(pid, nd, supported, NULL);
+             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:454:6: note: Assuming 'proc_dir' is < 0
+      if (proc_dir < 0)
+          ^~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:454:2: note: Taking true branch
+      if (proc_dir < 0)
+      ^
+criu-3.14/criu/namespaces.c:455:3: note: Returning without writing to '*supported'
+              return 0;
+              ^
+criu-3.14/criu/namespaces.c:479:9: note: Returning from '__get_ns_id'
+      return __get_ns_id(pid, nd, supported, NULL);
+             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:479:2: note: Returning without writing to '*supported'
+      return __get_ns_id(pid, nd, supported, NULL);
+      ^
+criu-3.14/criu/namespaces.c:691:8: note: Returning from 'get_ns_id'
+              id = get_ns_id(pid, &time_for_children_ns_desc, &supported);
+                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu-3.14/criu/namespaces.c:692:7: note: Branch condition evaluates to a garbage value
+              if (!supported || !id) {
+                  ^~~~~~~~~~
+690|   		protobuf_c_boolean supported;
+691|   		id = get_ns_id(pid, &time_for_children_ns_desc, &supported);
+692|-> 		if (!supported || !id) {
+693|   			pr_err("Can't make timens id\n");
+694|
+
+Signed-off-by: Adrian Reber <areber@redhat.com>
+---
+ criu/namespaces.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/criu/namespaces.c b/criu/namespaces.c
+index 89d97c7bce..04f242505d 100644
+--- criu-3.14/criu/namespaces.c
++++ criu-3.14/criu/namespaces.c
+@@ -687,7 +687,7 @@ int dump_task_ns_ids(struct pstree_item *item)
+ 	}
+ 	if (ids->has_time_ns_id) {
+ 		unsigned int id;
+-		protobuf_c_boolean supported;
++		protobuf_c_boolean supported = false;
+ 		id = get_ns_id(pid, &time_for_children_ns_desc, &supported);
+ 		if (!supported || !id) {
+ 			pr_err("Can't make timens id\n");
diff --git a/SPECS/criu.spec b/SPECS/criu.spec
index 44e484e..75ba0d9 100644
--- a/SPECS/criu.spec
+++ b/SPECS/criu.spec
@@ -1,57 +1,32 @@
-%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
 %global py_prefix python3
 %global py_binary %{py_prefix}
-%else
-%global py_prefix python
-%global py_binary python2
-%endif
 
 # With annobin enabled, CRIU does not work anymore. It seems CRIU's
 # parasite code breaks if annobin is enabled.
 %undefine _annotated_build
 
 Name: criu
-Version: 3.12
-Release: 9%{?dist}
+Version: 3.14
+Release: 2%{?dist}
 Provides: crtools = %{version}-%{release}
 Obsoletes: crtools <= 1.0-2
 Summary: Tool for Checkpoint/Restore in User-space
 License: GPLv2
 URL: http://criu.org/
 Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2
-
-Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch
-Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
-Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
-Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
-
-%if 0%{?rhel} && 0%{?rhel} <= 7
-BuildRequires: perl
-# RHEL has no asciidoc; take man-page from Fedora 26
-# zcat /usr/share/man/man8/criu.8.gz > criu.8
-Source1: criu.8
-Source2: crit.1
-# The patch aio-fix.patch is needed as RHEL7
-# doesn't do "nr_events *= 2" in ioctx_alloc().
-Patch100: aio-fix.patch
-%endif
-
-Source3: criu-tmpfiles.conf
-
+Source1: criu-tmpfiles.conf
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1838991
+# patch:       https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/1075.patch
+Patch0: criu-1838991.patch
 BuildRequires: gcc
 BuildRequires: systemd
 BuildRequires: libnet-devel
 BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel
-%if 0%{?fedora} || 0%{?rhel} > 7
 BuildRequires: asciidoc xmlto
 BuildRequires: perl-interpreter
 BuildRequires: libselinux-devel
 # Checkpointing containers with a tmpfs requires tar
 Recommends: tar
-%if 0%{?fedora}
-BuildRequires: libbsd-devel
-%endif
-%endif
 
 # user-space and kernel changes are only available for x86_64, arm,
 # ppc64le, aarch64 and s390x
@@ -63,32 +38,11 @@ criu is the user-space part of Checkpoint/Restore in User-space
 (CRIU), a project to implement checkpoint/restore functionality for
 Linux in user-space.
 
-%if 0%{?fedora}
-%package devel
-Summary: Header files and libraries for %{name}
-Requires: %{name} = %{version}-%{release}
-
-%description devel
-This package contains header files and libraries for %{name}.
-
-%package libs
-Summary: Libraries for %{name}
-Requires: %{name} = %{version}-%{release}
-
-%description libs
-This package contains the libraries for %{name}
-%endif
-
 %package -n %{py_prefix}-%{name}
 %{?python_provide:%python_provide %{py_prefix}-%{name}}
 Summary: Python bindings for %{name}
-%if 0%{?rhel} && 0%{?rhel} <= 7
-Requires: protobuf-python
-Requires: %{name} = %{version}-%{release} %{py_prefix}-ipaddr
-%else
 Requires: %{py_prefix}-protobuf
 Obsoletes: python2-criu < 3.10-1
-%endif
 
 %description -n %{py_prefix}-%{name}
 %{py_prefix}-%{name} contains Python bindings for %{name}.
@@ -101,86 +55,59 @@ Requires: %{py_prefix}-%{name} = %{version}-%{release}
 crit is a tool designed to decode CRIU binary dump files and show
 their content in human-readable form.
 
-
 %prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-
-%if 0%{?rhel} && 0%{?rhel} <= 7
-%patch100 -p1
-%endif
+%autosetup -p1
 
 %build
 # %{?_smp_mflags} does not work
 # -fstack-protector breaks build
 CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'` make V=1 WERROR=0 PREFIX=%{_prefix} RUNDIR=/run/criu PYTHON=%{py_binary}
-%if 0%{?fedora} || 0%{?rhel} > 7
 make docs V=1
-%endif
-
 
 %install
 make install-criu DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
 make install-lib DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir} PYTHON=%{py_binary}
-%if 0%{?fedora} || 0%{?rhel} > 7
-# only install documentation on Fedora as it requires asciidoc,
-# which is not available on RHEL7
 make install-man DESTDIR=$RPM_BUILD_ROOT PREFIX=%{_prefix} LIBDIR=%{_libdir}
-%else
-install -p -m 644  -D %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8
-install -p -m 644  -D %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/crit.1
-%endif
-
 mkdir -p %{buildroot}%{_tmpfilesdir}
-install -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 install -d -m 0755 %{buildroot}/run/%{name}/
 
-%if 0%{?rhel}
 # remove devel and libs packages
 rm -rf $RPM_BUILD_ROOT%{_includedir}/criu
 rm $RPM_BUILD_ROOT%{_libdir}/*.so*
+rm $RPM_BUILD_ROOT%{_libdir}/*.a
+rm $RPM_BUILD_ROOT%{_mandir}/man1/compel.1*
 rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
 rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name}
-%endif
 
 %files
 %{_sbindir}/%{name}
-%doc %{_mandir}/man8/criu.8*
-%if 0%{?fedora}
-%{_libexecdir}/%{name}
-%endif
+%{_mandir}/man8/criu.8*
 %dir /run/%{name}
 %{_tmpfilesdir}/%{name}.conf
 %doc README.md COPYING
 
-%if 0%{?fedora}
-%files devel
-%{_includedir}/criu
-%{_libdir}/*.so
-%{_libdir}/pkgconfig/*.pc
-
-%files libs
-%{_libdir}/*.so.*
-%endif
-
 %files -n %{py_prefix}-%{name}
-%if 0%{?rhel} && 0%{?rhel} <= 7
-%{python2_sitelib}/pycriu/*
-%{python2_sitelib}/*egg-info
-%else
 %{python3_sitelib}/pycriu/*
 %{python3_sitelib}/*egg-info
-%endif
 
 %files -n crit
 %{_bindir}/crit
 %doc %{_mandir}/man1/crit.1*
 
-
 %changelog
+* Mon May 25 2020 Jindrich Novy <jnovy@redhat.com> - 3.14-2
+- fix "Need to fix bugs found by coverity."
+- Resolves: #1838991
+
+* Thu Apr 30 2020 Jindrich Novy <jnovy@redhat.com> - 3.14-1
+- update to https://github.com/checkpoint-restore/criu/releases/tag/v3.14
+- Related: RHELPLAN-39206
+
+* Sat Apr 18 2020 Jindrich Novy <jnovy@redhat.com> - 3.13-1
+- update to 3.13
+- Related: RHELPLAN-39206
+
 * Mon May 13 2019 Adrian Reber <adrian@lisas.de> - 3.12-9
 - Added additional fixup patches for the socket labelling