diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 59592da..2480dc5 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -32228,10 +32228,10 @@ index 17eda24..d4113cc 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..fc34e78 100644
+index 662e79b..353c3b7 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,24 @@
+@@ -1,14 +1,25 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@@ -32251,13 +32251,14 @@ index 662e79b..fc34e78 100644
/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/strongimcv(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,16 +36,26 @@
+@@ -26,16 +37,26 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -37267,10 +37268,35 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..270bde3 100644
+index 3822072..8686e0a 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
-@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
+@@ -135,6 +135,24 @@ interface(`seutil_exec_loadpolicy',`
+
+ ########################################
+ ##
++## Dontaudit access check on load_policy.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dontaudit_access_check_load_policy',`
++ gen_require(`
++ type load_policy_exec_t;
++ ')
++
++ dontaudit $1 load_policy_exec_t:file audit_access;
++')
++
++########################################
++##
+ ## Read the load_policy program file.
+ ##
+ ##
+@@ -192,11 +210,22 @@ interface(`seutil_domtrans_newrole',`
#
interface(`seutil_run_newrole',`
gen_require(`
@@ -37295,7 +37321,7 @@ index 3822072..270bde3 100644
')
########################################
-@@ -359,6 +370,27 @@ interface(`seutil_exec_restorecon',`
+@@ -359,6 +388,27 @@ interface(`seutil_exec_restorecon',`
########################################
##
@@ -37323,7 +37349,7 @@ index 3822072..270bde3 100644
## Execute run_init in the run_init domain.
##
##
-@@ -425,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',`
+@@ -425,11 +475,20 @@ interface(`seutil_init_script_domtrans_runinit',`
#
interface(`seutil_run_runinit',`
gen_require(`
@@ -37347,7 +37373,7 @@ index 3822072..270bde3 100644
')
########################################
-@@ -461,11 +502,19 @@ interface(`seutil_run_runinit',`
+@@ -461,11 +520,19 @@ interface(`seutil_run_runinit',`
#
interface(`seutil_init_script_run_runinit',`
gen_require(`
@@ -37370,7 +37396,7 @@ index 3822072..270bde3 100644
')
########################################
-@@ -535,6 +584,53 @@ interface(`seutil_run_setfiles',`
+@@ -535,6 +602,53 @@ interface(`seutil_run_setfiles',`
########################################
##
@@ -37424,7 +37450,32 @@ index 3822072..270bde3 100644
## Execute setfiles in the caller domain.
##
##
-@@ -680,10 +776,115 @@ interface(`seutil_manage_config',`
+@@ -555,6 +669,24 @@ interface(`seutil_exec_setfiles',`
+
+ ########################################
+ ##
++## Dontaudit access check on setfiles.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dontaudit_access_check_setfiles',`
++ gen_require(`
++ type setfiles_exec_t;
++ ')
++
++ dontaudit $1 setfiles_exec_t:file audit_access;
++')
++
++########################################
++##
+ ## Do not audit attempts to search the SELinux
+ ## configuration directory (/etc/selinux).
+ ##
+@@ -680,10 +812,115 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@@ -37540,7 +37591,7 @@ index 3822072..270bde3 100644
#######################################
##
## Create, read, write, and delete
-@@ -694,15 +895,62 @@ interface(`seutil_manage_config',`
+@@ -694,15 +931,62 @@ interface(`seutil_manage_config',`
## Domain allowed access.
##
##
@@ -37606,7 +37657,7 @@ index 3822072..270bde3 100644
')
########################################
-@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',`
+@@ -746,6 +1030,29 @@ interface(`seutil_read_default_contexts',`
read_files_pattern($1, default_context_t, default_context_t)
')
@@ -37636,7 +37687,7 @@ index 3822072..270bde3 100644
########################################
##
## Create, read, write, and delete the default_contexts files.
-@@ -784,7 +1055,9 @@ interface(`seutil_read_file_contexts',`
+@@ -784,7 +1091,9 @@ interface(`seutil_read_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
@@ -37646,7 +37697,7 @@ index 3822072..270bde3 100644
')
########################################
-@@ -999,6 +1272,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1308,26 @@ interface(`seutil_domtrans_semanage',`
########################################
##
@@ -37673,7 +37724,7 @@ index 3822072..270bde3 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1310,67 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1346,67 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -37743,7 +37794,7 @@ index 3822072..270bde3 100644
')
########################################
-@@ -1043,7 +1392,11 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1428,11 @@ interface(`seutil_manage_module_store',`
files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
@@ -37755,7 +37806,32 @@ index 3822072..270bde3 100644
')
#######################################
-@@ -1137,3 +1490,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1067,6 +1456,24 @@ interface(`seutil_get_semanage_read_lock',`
+
+ #######################################
+ ##
++## Dontaudit access check on module store
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dontaudit_access_check_semanage_read_lock',`
++ gen_require(`
++ type semanage_read_lock_t;
++ ')
++
++ dontaudit $1 semanage_read_lock_t:file audit_access;
++')
++
++#######################################
++##
+ ## Get trans lock on module store
+ ##
+ ##
+@@ -1137,3 +1544,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -39289,7 +39365,7 @@ index 2cea692..e094fc0 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..4302955 100644
+index a392fc4..ca1b2bc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -39648,12 +39724,13 @@ index a392fc4..4302955 100644
')
optional_policy(`
-@@ -350,7 +450,15 @@ optional_policy(`
+@@ -350,7 +450,16 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(ifconfig_t)
+ kdump_dontaudit_read_config(ifconfig_t)
++ kdump_rw_inherited_kdumpctl_tmp_pipes(ifconfig_t)
+')
+
+optional_policy(`
@@ -39665,7 +39742,7 @@ index a392fc4..4302955 100644
')
optional_policy(`
-@@ -371,3 +479,13 @@ optional_policy(`
+@@ -371,3 +480,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9cc8bac..99e193a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12502,7 +12502,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index e5b621c..f975594 100644
+index e5b621c..fc150e9 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -12533,7 +12533,7 @@ index e5b621c..f975594 100644
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,24 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,29 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
@@ -12559,6 +12559,11 @@ index e5b621c..f975594 100644
optional_policy(`
- mta_send_mail(chronyd_t)
+ timemaster_stream_connect(chronyd_t)
++ timemaster_rw_shm(chronyd_t)
++')
++
++optional_policy(`
++ ptp4l_rw_shm(chronyd_t)
')
diff --git a/cinder.fc b/cinder.fc
new file mode 100644
@@ -37843,7 +37848,7 @@ index a49ae4e..0c0e987 100644
+
+/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0)
diff --git a/kdump.if b/kdump.if
-index 3a00b3a..21efcc4 100644
+index 3a00b3a..6043fd6 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
@@ -37984,7 +37989,7 @@ index 3a00b3a..21efcc4 100644
##
##
##
-@@ -76,10 +177,69 @@ interface(`kdump_manage_config',`
+@@ -76,10 +177,88 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
@@ -38009,6 +38014,25 @@ index 3a00b3a..21efcc4 100644
+
+###################################
+##
++## Read/write inherited kdump /var/tmp named pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdump_rw_inherited_kdumpctl_tmp_pipes',`
++ gen_require(`
++ type kdumpctl_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++###################################
++##
+## Manage kdump /var/tmp files.
+##
+##
@@ -38056,7 +38080,7 @@ index 3a00b3a..21efcc4 100644
##
##
##
-@@ -88,19 +248,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +267,24 @@ interface(`kdump_manage_config',`
##
##
##
@@ -38086,7 +38110,7 @@ index 3a00b3a..21efcc4 100644
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -110,6 +275,10 @@ interface(`kdump_admin',`
+@@ -110,6 +294,10 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
@@ -39886,16 +39910,18 @@ index 628b78b..fe65617 100644
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
-index b273d80..6a07210 100644
+index b273d80..9b6e9bd 100644
--- a/keystone.fc
+++ b/keystone.fc
-@@ -1,3 +1,5 @@
+@@ -1,7 +1,13 @@
+/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
+
/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
-@@ -5,3 +7,5 @@
+
++/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
++
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
@@ -41912,10 +41938,10 @@ index 0000000..d2061a9
+/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0)
diff --git a/linuxptp.if b/linuxptp.if
new file mode 100644
-index 0000000..8d6873f
+index 0000000..236707b
--- /dev/null
+++ b/linuxptp.if
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,103 @@
+## implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.
+
+########################################
@@ -41975,12 +42001,56 @@ index 0000000..8d6873f
+ stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
+')
+
++########################################
++##
++## Read and write timemaster shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`timemaster_rw_shm',`
++ gen_require(`
++ type timemaster_t, timemaster_tmpfs_t;
++ ')
++
++ allow $1 timemaster_t:shm rw_shm_perms;
++ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
++ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
++ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
++ fs_search_tmpfs($1)
++')
++
++########################################
++##
++## Read and write ptp4l_t shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ptp4l_rw_shm',`
++ gen_require(`
++ type ptp4l_t, timemaster_tmpfs_t;
++ ')
++
++ allow $1 ptp4l_t:shm rw_shm_perms;
++ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
++ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
++ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
++ fs_search_tmpfs($1)
++')
++
diff --git a/linuxptp.te b/linuxptp.te
new file mode 100644
-index 0000000..5a1445c
+index 0000000..affa9bd
--- /dev/null
+++ b/linuxptp.te
-@@ -0,0 +1,144 @@
+@@ -0,0 +1,173 @@
+policy_module(linuxptp, 1.0.0)
+
+
@@ -41996,6 +42066,9 @@ index 0000000..5a1445c
+type timemaster_var_run_t;
+files_pid_file(timemaster_var_run_t)
+
++type timemaster_tmpfs_t;
++files_tmpfs_file(timemaster_tmpfs_t)
++
+type timemaster_unit_file_t;
+systemd_unit_file(timemaster_unit_file_t)
+
@@ -42028,11 +42101,17 @@ index 0000000..5a1445c
+allow timemaster_t ptp4l_t:process signal;
+allow timemaster_t phc2sys_t:process signal;
+
++allow timemaster_t ptp4l_t:shm rw_shm_perms;
++
+manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file })
+
++manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
++manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
++fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file })
++
+kernel_read_network_state(timemaster_t)
+
+auth_use_nsswitch(timemaster_t)
@@ -42040,11 +42119,17 @@ index 0000000..5a1445c
+corenet_udp_bind_generic_node(timemaster_t)
+corenet_udp_bind_ntp_port(timemaster_t)
+
++dev_read_urand(timemaster_t)
++
+logging_send_syslog_msg(timemaster_t)
+
+sysnet_read_config(timemaster_t)
+
+optional_policy(`
++ ntp_domtrans(timemaster_t)
++')
++
++optional_policy(`
+ chronyd_domtrans(timemaster_t)
+ chronyd_rw_shm(timemaster_t)
+')
@@ -42074,11 +42159,19 @@ index 0000000..5a1445c
+
+allow phc2sys_t ptp4l_t:unix_dgram_socket sendto;
+
++allow phc2sys_t timemaster_t:shm rw_shm_perms;
++
+manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file })
+
++manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
++manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
++fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file })
++
++dev_rw_realtime_clock(phc2sys_t)
++
+logging_send_syslog_msg(phc2sys_t)
+
+optional_policy(`
@@ -42112,9 +42205,15 @@ index 0000000..5a1445c
+manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
+files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file })
+
++manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
++manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
++fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
++
+corenet_udp_bind_generic_node(ptp4l_t)
+corenet_udp_bind_reserved_port(ptp4l_t)
+
++dev_rw_realtime_clock(ptp4l_t)
++
+logging_send_syslog_msg(ptp4l_t)
+
+optional_policy(`
@@ -67101,7 +67200,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index ee91778..b00a474 100644
+index ee91778..945a36f 100644
--- a/policykit.te
+++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
@@ -67297,7 +67396,7 @@ index ee91778..b00a474 100644
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
-+userdom_dontaudit_manage_user_home_dirs(policykit_auth_t)
++userdom_dontaudit_access_check_user_content(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 86271b7..af9250f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 91%{?dist}
+Release: 92%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Nov 10 2014 Lukas Vrabec 3.12.1-92
+- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
+- Added fixes related to linuxptp. BZ (1149693)
+- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424
+- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
+- Fix seutil_dontaudit_access_check_load_policy()
+- Add dontaudit interfaces for audit_access in seutil
+- Label /etc/strongimcv as ipsec_conf_file_t.
+
* Fri Nov 07 2014 Lukas Vrabec 3.13.1-91
- Added interface userdom_dontaudit_manage_user_home_dirs
- Fix unconfined_server_dbus_chat() interface.