diff --git a/policy-f21-base.patch b/policy-f21-base.patch index e631c63..8185e71 100644 --- a/policy-f21-base.patch +++ b/policy-f21-base.patch @@ -9759,7 +9759,7 @@ index b876c48..ad25566 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..6eef570 100644 +index f962f76..eafba08 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13075,7 +13075,7 @@ index f962f76..6eef570 100644 ## ## ## -@@ -6573,10 +7950,839 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +7950,857 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -13554,6 +13554,24 @@ index f962f76..6eef570 100644 + +######################################## +## ++## Do not audit attempts to read security dirs ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_list_security_dirs',` ++ gen_require(` ++ attribute security_file_type; ++ ') ++ ++ dontaudit $1 security_file_type:dir list_dir_perms; ++') ++ ++######################################## ++## +## rw any files inherited from another process +## +## diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch index 57c8d02..01b68b1 100644 --- a/policy-f21-contrib.patch +++ b/policy-f21-contrib.patch @@ -16299,7 +16299,7 @@ index 715a826..a1cbdb2 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index ae1c1b1..0d8ca8f 100644 +index ae1c1b1..6238c82 100644 --- a/couchdb.te +++ b/couchdb.te @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t) 
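Review bot: The summary of the new `files_dontaudit_list_security_dirs` interface says "Do not audit attempts to read security dirs", but the rule it wraps is `dontaudit $1 security_file_type:dir list_dir_perms;`, so the summary should read `## Do not audit attempts to list security dirs`, matching both the interface name and the permission it silences. The sibling `files_dontaudit_search_security_files` is already named for the permission it covers, so keeping that convention avoids a reader expecting file reads to be silenced too. Because the dontaudit is on the whole `security_file_type` attribute, listing denials on every directory type carrying that attribute disappear from the audit log for callers such as the samba domains in this commit, which is worth remembering when a missing denial is being hunted later.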
@@ -16341,30 +16341,34 @@ index ae1c1b1..0d8ca8f 100644 corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) -@@ -75,14 +79,20 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) +@@ -75,14 +79,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) ++# disksup tries to monitor the local disks +fs_getattr_all_files(couchdb_t) +fs_getattr_all_dirs(couchdb_t) +fs_getattr_all_fs(couchdb_t) ++files_getattr_all_mountpoints(couchdb_t) ++files_search_all_mountpoints(couchdb_t) ++files_getattr_lost_found_dirs(couchdb_t) ++files_dontaudit_list_var(couchdb_t) + dev_list_sysfs(couchdb_t) dev_read_sysfs(couchdb_t) dev_read_urand(couchdb_t) -files_read_usr_files(couchdb_t) -- - fs_getattr_xattr_fs(couchdb_t) - - auth_use_nsswitch(couchdb_t) ++auth_use_nsswitch(couchdb_t) --miscfiles_read_localization(couchdb_t) +-fs_getattr_xattr_fs(couchdb_t) +optional_policy(` + rpc_read_nfs_state_data(couchdb_t) +') -+ -+ + +-auth_use_nsswitch(couchdb_t) + +-miscfiles_read_localization(couchdb_t) diff --git a/courier.fc b/courier.fc index 2f017a0..defdc87 100644 --- a/courier.fc @@ -24722,10 +24726,10 @@ index 0000000..fd679a1 +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..114764c +index 0000000..b2c82df --- /dev/null +++ b/docker.if -@@ -0,0 +1,366 @@ +@@ -0,0 +1,367 @@ + +## The open-source application container engine. + @@ -25012,8 +25016,9 @@ index 0000000..114764c + gen_require(` + type docker_var_lib_t; + type docker_share_t; -+ type docker_log_t; -+ type docker_var_run_t; ++ type docker_log_t; ++ type docker_var_run_t; ++ type docker_home_t; + ') + + files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") @@ -25094,7 +25099,7 @@ index 0000000..114764c +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..17a2829 +index 0000000..559af49 --- /dev/null 
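Review bot: `files_dontaudit_list_var(couchdb_t)` silences the /var listing denial rather than resolving it, while the same hunk grants couchdb_t search on every mountpoint for the disksup monitor; if disksup needs to list /var for the check to work, the functional fix is an allow (`files_list_var(couchdb_t)`), and if the listing is incidental a comment such as `# disksup only stats /var; listing it is not needed` would stop the next reader from re-opening it. Dropping `fs_getattr_xattr_fs(couchdb_t)` is consistent, since `fs_getattr_all_fs` covers it. The relocation of `auth_use_nsswitch` and the blank-line shuffling inside the nested patch are pure churn that makes the three-line functional change harder to see.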
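Review bot: `type docker_home_t;` is added to the `gen_require` of what appears to be `docker_filetrans_named_content` (the body starting with `files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")` continues past the hunk), yet docker.if grows by exactly one line in this commit (366 to 367), so no rule in the interface uses the new type. An unused require only adds a link-time dependency on `docker_home_t` for every caller; either drop the line or add the home-directory transition it was presumably meant to support. The two neighbouring `gen_require` lines are re-indented in the same hunk, which is cosmetic.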
+++ b/docker.te @@ -0,0 +1,285 @@ @@ -25194,7 +25199,7 @@ index 0000000..17a2829 +manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t) +allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto }; +can_exec(docker_t, docker_share_t) -+docker_filetrans_named_content(docker_t) ++#docker_filetrans_named_content(docker_t) + +manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) @@ -83862,7 +83867,7 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index ee27948..2a5413a 100644 +index ee27948..c2826a1 100644 --- a/rlogin.te +++ b/rlogin.te @@ -34,7 +34,9 @@ files_pid_file(rlogind_var_run_t) @@ -83892,7 +83897,18 @@ index ee27948..2a5413a 100644 corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) corenet_tcp_sendrecv_generic_node(rlogind_t) -@@ -73,6 +73,7 @@ fs_getattr_all_fs(rlogind_t) +@@ -65,6 +65,10 @@ corenet_sendrecv_rlogind_server_packets(rlogind_t) + corenet_tcp_bind_rlogind_port(rlogind_t) + corenet_tcp_sendrecv_rlogind_port(rlogind_t) + ++corenet_sendrecv_rlogin_server_packets(rlogind_t) ++corenet_tcp_bind_rlogin_port(rlogind_t) ++corenet_tcp_sendrecv_rlogin_port(rlogind_t) ++ + dev_read_urand(rlogind_t) + + domain_interactive_fd(rlogind_t) +@@ -73,6 +77,7 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) @@ -83900,7 +83916,7 @@ index ee27948..2a5413a 100644 auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) -@@ -83,29 +84,23 @@ init_rw_utmp(rlogind_t) +@@ -83,29 +88,23 @@ init_rw_utmp(rlogind_t) logging_send_syslog_msg(rlogind_t) @@ -85257,10 +85273,10 @@ index 54de77c..cb05fbf 100644 ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..576ca21 100644 +index ebe91fc..fc8f8ac 100644 --- a/rpm.fc 
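Review bot: `#docker_filetrans_named_content(docker_t)` comments the call out with no reason, leaving dead code and, as far as the hunk shows, no replacement for the named file transitions the interface provides (its body in docker.if begins with `files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")`), so files docker_t creates there presumably fall back to the generic type transitions of the parent directory. If the interface is being dropped for docker_t, remove the line and say so in the changelog (the 3.13.1-101 entry does not mention docker); if it is a temporary workaround, `# TODO: re-enable once <reason>` next to it would record the intent.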
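Review bot: rlogind_t now binds and sends on both the rlogind and the rlogin port types, with nothing in rlogin.te explaining why two port labels are needed; a comment above the new block such as `# rlogind also serves the ports labelled rlogin_port_t` would document what the changelog only hints at. The three `corenet_*_rlogin_*` interfaces are generated from corenetwork, so the contrib patch now depends on `rlogin_port_t` being declared in the paired base policy; the base patch in this commit does not touch corenetwork, so presumably it already is. The remaining rlogin.te hunks in this commit only renumber the nested hunk headers.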
+++ b/rpm.fc -@@ -1,61 +1,74 @@ +@@ -1,61 +1,75 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) @@ -85344,6 +85360,7 @@ index ebe91fc..576ca21 100644 +/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/rpmrebuilddb.*(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) @@ -88469,7 +88486,7 @@ index 50d07fb..dc069c8 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..3fb8192 100644 +index 2b7c441..b2692f5 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -89078,7 +89095,7 @@ index 2b7c441..3fb8192 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +522,44 @@ optional_policy(` +@@ -499,9 +522,47 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -89097,6 +89114,7 @@ index 2b7c441..3fb8192 100644 + files_dontaudit_read_security_files(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) + files_read_non_security_files(nmbd_t) ++ files_dontaudit_list_security_dirs(nmbd_t) + files_dontaudit_search_security_files(nmbd_t) + files_dontaudit_read_security_files(nmbd_t) +') 
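Review bot: The new pattern `/var/lib/rpmrebuilddb.*(/.*)?` uses an unescaped `.*`, so it matches any path beginning with `/var/lib/rpmrebuilddb` (a hypothetical `/var/lib/rpmrebuilddb-backup` would be labelled rpm_var_lib_t too). If the intent is the temporary `rpmrebuilddb.<pid>` directories that `rpm --rebuilddb` creates, `/var/lib/rpmrebuilddb\.[0-9]+(/.*)?` pins it to that shape; if the changelog's `/var/lib/rpmrebuilddb/` with no suffix is what is meant, `/var/lib/rpmrebuilddb(/.*)?` matches the style of the neighbouring entries. The nested `@@ -1,61 +1,75 @@` header in the preceding hunk is consistent with the single added line.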
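Review bot: In the first samba tunable block only nmbd_t gains `files_dontaudit_list_security_dirs`, while smbd_t, which receives the matching `files_dontaudit_search_security_files` and `files_dontaudit_read_security_files` a few lines earlier, does not; the second tunable block (the next hunk) adds the dontaudit to both domains, so the omission here looks accidental unless smbd_t's lines above the hunk already cover it. Adding `files_dontaudit_list_security_dirs(smbd_t)` beside the existing smbd_t dontaudits keeps the two blocks parallel.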
@@ -89106,11 +89124,13 @@ index 2b7c441..3fb8192 100644 + fs_manage_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) + files_manage_non_security_dirs(smbd_t) ++ files_dontaudit_list_security_dirs(smbd_t) + files_dontaudit_search_security_files(smbd_t) + files_dontaudit_read_security_files(smbd_t) + fs_manage_noxattr_fs_files(nmbd_t) + files_manage_non_security_files(nmbd_t) + files_manage_non_security_dirs(nmbd_t) ++ files_dontaudit_list_security_dirs(nmbd_t) + files_dontaudit_search_security_files(nmbd_t) + files_dontaudit_read_security_files(nmbd_t) +') @@ -89124,7 +89144,7 @@ index 2b7c441..3fb8192 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +570,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +573,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -89139,7 +89159,7 @@ index 2b7c441..3fb8192 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +586,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +589,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -89163,7 +89183,7 @@ index 2b7c441..3fb8192 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +602,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +605,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -89232,7 +89252,7 @@ index 2b7c441..3fb8192 100644 ') optional_policy(` -@@ -606,16 +652,22 @@ optional_policy(` +@@ -606,16 +655,22 @@ optional_policy(` ######################################## # 
@@ -89259,7 +89279,7 @@ index 2b7c441..3fb8192 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +679,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +682,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -89277,7 +89297,7 @@ index 2b7c441..3fb8192 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +691,23 @@ optional_policy(` +@@ -644,22 +694,23 @@ optional_policy(` ######################################## # @@ -89309,7 +89329,7 @@ index 2b7c441..3fb8192 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +716,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +719,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -89345,7 +89365,7 @@ index 2b7c441..3fb8192 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +743,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +746,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -89437,7 +89457,7 @@ index 2b7c441..3fb8192 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +822,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +825,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -89461,7 +89481,7 @@ index 2b7c441..3fb8192 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +836,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +839,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -89504,7 +89524,7 @@ index 2b7c441..3fb8192 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +866,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +869,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -89518,7 +89538,7 @@ index 2b7c441..3fb8192 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +889,20 @@ optional_policy(` +@@ -840,17 +892,20 @@ optional_policy(` # Winbind local policy # @@ -89544,7 +89564,7 @@ index 2b7c441..3fb8192 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +912,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +915,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -89555,7 +89575,7 @@ index 2b7c441..3fb8192 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +923,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +926,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -89608,7 +89628,7 @@ index 2b7c441..3fb8192 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +965,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +968,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -89667,7 +89687,7 @@ index 2b7c441..3fb8192 100644 ') optional_policy(` -@@ -959,31 +1026,35 @@ optional_policy(` +@@ -959,31 +1029,35 @@ optional_policy(` # Winbind helper local policy # 
@@ -89710,7 +89730,7 @@ index 2b7c441..3fb8192 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1068,38 @@ optional_policy(` +@@ -997,25 +1071,38 @@ optional_policy(` ######################################## # diff --git a/selinux-policy.spec b/selinux-policy.spec index e8520d3..7af10fe 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 100%{?dist} +Release: 101%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -604,6 +604,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Dec 02 2014 Lukas Vrabec 3.13.1-101 +- Add files_dontaudit_list_security_dirs() interface +- Allow rlogind to use also rlogin ports +- Dontaudit couchdb to list /var +- couchdb: allow disksup to monitor the local disks +- dontaudit list security dirs for samba domain. +- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946) + * Wed Nov 25 2014 Lukas Vrabec 3.13.1-100 - Add seutil_dontaudit_access_check_semanage_module_store() interface - Update to have all _systemctl() interface also init_reload_services()