diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 1617852..8ea0f62 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -31412,7 +31412,7 @@ index dd3be8d..0973a7f 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..15116db 100644
+index 662e79b..042f10d 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,28 @@
@@ -31445,7 +31445,7 @@ index 662e79b..15116db 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,16 +40,27 @@
+@@ -26,16 +40,28 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -31469,6 +31469,7 @@ index 662e79b..15116db 100644
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/charon\.vici -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -40268,10 +40269,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..a35f6c6
+index 0000000..a10f4ee
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,637 @@
+@@ -0,0 +1,639 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -40886,6 +40887,8 @@ index 0000000..a35f6c6
+
+dev_read_urand(systemd_domain)
+
++fs_search_all(systemd_domain)
++
+files_read_etc_files(systemd_domain)
+files_read_etc_runtime_files(systemd_domain)
+files_read_usr_files(systemd_domain)
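Review bot: `fs_search_all(systemd_domain)` in the systemd.te section grants directory search on every filesystem type to every domain that carries the `systemd_domain` attribute, and nothing in the hunk says which denial it answers. The changelog entry ("Allow all systemd domains to search file systems") cites no bug, unlike most of its neighbours. I would put a comment above the line, for example `# <BZ or AVC reference>: <affected systemd domain> needs search on <fstype>`, and check whether search on that one filesystem type for the one affected domain is enough. The block of `systemd_domain` rules starts and ends outside this hunk.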
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 3af5411..288f66f 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -10379,7 +10379,7 @@ index 0000000..de66654
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
-index 0000000..cc9002e
+index 0000000..253cb77
--- /dev/null
+++ b/bumblebee.te
@@ -0,0 +1,66 @@
@@ -10426,7 +10426,7 @@ index 0000000..cc9002e
+
+dev_read_sysfs(bumblebee_t)
+
-+auth_read_passwd(bumblebee_t)
++auth_use_nsswitch(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
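Review bot: `auth_use_nsswitch(bumblebee_t)` is a wider grant than the `auth_read_passwd(bumblebee_t)` it replaces. In the reference policy it normally adds name-service lookups over the network and connections to lookup daemons on top of the passwd read, so it is worth confirming against the interface definition, which is not visible here. If the AVCs in BZ(1155339) really need the full set, a comment such as `# BZ(1155339): bumblebeed resolves users/groups through nsswitch` above the call would record why a GPU-switching daemon has name-service access. The rest of bumblebee.te lies outside this hunk.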
@@ -44890,15 +44890,28 @@ index 7e534cf..3652584 100644
+ postgresql_stream_connect(httpd_mojomojo_script_t)
+ ')
+')
+diff --git a/mongodb.fc b/mongodb.fc
+index 6fcfc31..9e6d170 100644
+--- a/mongodb.fc
++++ b/mongodb.fc
+@@ -1,6 +1,7 @@
+ /etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+ /usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+ /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
+
diff --git a/mongodb.te b/mongodb.te
-index 4de8949..7bd7e35 100644
+index 4de8949..c27b44b 100644
--- a/mongodb.te
+++ b/mongodb.te
-@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
+@@ -49,13 +49,12 @@ corenet_all_recvfrom_unlabeled(mongod_t)
corenet_all_recvfrom_netlabel(mongod_t)
corenet_tcp_sendrecv_generic_if(mongod_t)
corenet_tcp_sendrecv_generic_node(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
++corenet_tcp_bind_mongod_port(mongod_t)
corenet_tcp_bind_generic_node(mongod_t)
dev_read_sysfs(mongod_t)
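Review bot: Labelling `/usr/bin/mongos` as `mongod_exec_t` in mongodb.fc puts the routing process in the same `mongod_t` domain as the database daemon. It presumably then inherits whatever `mongod_t` may do with `mongod_var_lib_t` under `/var/lib/mongo.*`, although a router normally has no need for the data files. A separate exec type and domain for mongos would limit what a compromise of the network-facing router could reach. If the shared domain is deliberate, a comment in mongodb.fc such as `# mongos intentionally shares mongod_t; see <BZ reference>` would make that clear. The added `corenet_tcp_bind_mongod_port(mongod_t)` looks consistent with the existing connect rule; the mongodb.te block continues outside the hunk.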
@@ -52209,7 +52222,7 @@ index a1fb3c3..dfb99d2 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..9a7332c 100644
+index 0e8508c..cde8567 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -52442,19 +52455,38 @@ index 0e8508c..9a7332c 100644
##
##
##
-@@ -201,25 +266,44 @@ interface(`networkmanager_append_log_files',`
+@@ -201,25 +266,63 @@ interface(`networkmanager_append_log_files',`
##
##
#
-interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',`
++ gen_require(`
++ type NetworkManager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
++')
++
++########################################
++##
++## Manage NetworkManager PID sock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_manage_pid_sock_files',`
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
-+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
++ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')
########################################
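Review bot: `manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)` in the new `networkmanager_manage_pid_sock_files` lets the caller create, rename and unlink every socket carrying that type, not only its own. The networkmanager.fc context earlier in this patch labels `/var/run/wpa_supplicant-global` with the same type. The openvpn.te hunk further down calls this interface for `openvpn_t` together with `networkmanager_manage_pid_files` and `networkmanager_stream_connect`, so the grant appears to extend to those sockets as well. The changelog only asks for openvpn to create its connection sockets under /var/run/NetworkManager, so a dedicated type for those sockets, reached through a file type transition, would keep the grant narrower. Failing that, the interface summary should read `Manage all NetworkManager runtime sock files.` so callers see the scope.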
@@ -52491,7 +52523,7 @@ index 0e8508c..9a7332c 100644
##
##
## Role allowed access.
-@@ -227,33 +311,152 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +330,152 @@ interface(`networkmanager_read_pid_files',`
##
##
#
@@ -59586,7 +59618,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..272a34c 100644
+index 3270ff9..e148dc4 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -59723,7 +59755,7 @@ index 3270ff9..272a34c 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -143,6 +178,14 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+@@ -143,11 +178,25 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(openvpn_t)
')
@@ -59738,7 +59770,18 @@ index 3270ff9..272a34c 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
-@@ -155,3 +198,27 @@ optional_policy(`
+
+ optional_policy(`
++ networkmanager_stream_connect(openvpn_t)
++ networkmanager_manage_pid_files(openvpn_t)
++ networkmanager_manage_pid_sock_files(openvpn_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+
+@@ -155,3 +204,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -90175,7 +90218,7 @@ index 88e753f..133d993 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 5f35d78..50651d2 100644
+index 5f35d78..65aed74 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -1,18 +1,10 @@
@@ -90343,7 +90386,7 @@ index 5f35d78..50651d2 100644
')
optional_policy(`
-@@ -158,6 +152,10 @@ optional_policy(`
+@@ -158,14 +152,27 @@ optional_policy(`
')
optional_policy(`
@@ -90354,7 +90397,12 @@ index 5f35d78..50651d2 100644
milter_stream_connect_all(sendmail_t)
')
-@@ -166,6 +164,11 @@ optional_policy(`
+ optional_policy(`
++ mta_filetrans_home_content(sendmail_t)
++')
++
++optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
')
optional_policy(`
@@ -90366,7 +90414,7 @@ index 5f35d78..50651d2 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -187,21 +190,13 @@ optional_policy(`
+@@ -187,21 +194,13 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5c77ecd..dc6fb95 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 194%{?dist}
+Release: 195%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -582,7 +582,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Fri Nov 14 2014 Lukas vrabec 3.12.1-194
+* Fri Nov 21 2014 Lukas Vrabec 3.12.1-195
+- Allow all systemd domains to search file systems
+- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
+- Allow mongodb to bind to the mongo port and mongos to run as mongod_t
+- Allow networkmanager manage also openvpn sock pid files.
+- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
+- Allow sendmail to create dead.letter. BZ(1165443)
+- Allow bumblebee to use nsswitch. BZ(1155339)
+
+* Fri Nov 14 2014 Lukas Vrabec 3.12.1-194
- New interface dev_rw_uhid_dev
- Allow systemd-logind to mount /run/user/1000 to get gdm working
- Remove label for /var/lib/glpi/ in cron policy. BZ(1033025)