diff --git a/policy-20090105.patch b/policy-20090105.patch
index 25f4405..01858fe 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -358,6 +358,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
  .SH BOOLEANS
  .TP
  You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-3.6.12/policy/global_booleans
+--- nsaserefpolicy/policy/global_booleans	2008-08-07 11:15:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/global_booleans	2009-04-28 09:51:52.000000000 -0400
+@@ -28,3 +28,11 @@
+ ## </p>
+ ## </desc>
+ gen_bool(secure_mode_policyload,false)
++
++## <desc>
++## <p>
++## Allow unconfined domain to map low memory in the kernel
++## </p>
++## </desc>
++gen_tunable(allow_unconfined_mmap_low, false)
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2008-11-11 16:13:50.000000000 -0500
 +++ serefpolicy-3.6.12/policy/global_tunables	2009-04-23 09:44:57.000000000 -0400
@@ -7402,8 +7417,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-04-24 00:00:31.000000000 -0400
-@@ -0,0 +1,400 @@
++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-04-27 15:35:55.000000000 -0400
+@@ -0,0 +1,393 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -7428,13 +7443,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +## <desc>
 +## <p>
-+## Allow unconfined domain to map low memory in the kernel
-+## </p>
-+## </desc>
-+gen_tunable(allow_unconfined_mmap_low, false)
-+
-+## <desc>
-+## <p>
 +## Transition to confined qemu domains from unconfined user
 +## </p>
 +## </desc>
@@ -29430,8 +29438,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.12/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/unconfined.te	2009-04-23 09:44:57.000000000 -0400
-@@ -5,227 +5,6 @@
++++ serefpolicy-3.6.12/policy/modules/system/unconfined.te	2009-04-28 09:51:35.000000000 -0400
+@@ -1,231 +1,9 @@
+ 
+-policy_module(unconfined, 3.0.0)
++policy_module(unconfined, 3.0.1)
+ 
+ ########################################
  #
  # Declarations
  #
@@ -29444,7 +29457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -userdom_manage_home_role(unconfined_r, unconfined_t)
 -userdom_manage_tmp_role(unconfined_r, unconfined_t)
 -userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
- 
+-
 -type unconfined_exec_t;
 -init_system_domain(unconfined_t, unconfined_exec_t)
 -
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e6aaa9d..23568bd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -160,7 +160,7 @@ bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp
 if [ -s /etc/selinux/config ]; then \
 	. %{_sysconfdir}/selinux/config; \
 	FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
-	if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \
+	if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
 		cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
 	fi \
 fi
@@ -179,7 +179,7 @@ semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \
 . %{_sysconfdir}/selinux/config; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 selinuxenabled; \
-if [ $? == 0  -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.pre ]; then \
+if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
 	fixfiles -C ${FILE_CONTEXT}.pre restore; \
 	restorecon -R /var/log /var/run 2> /dev/null; \
 	rm -f ${FILE_CONTEXT}.pre; \
@@ -311,22 +311,56 @@ SELinux Reference policy targeted base module.
 %saveFileContext targeted
 
 %post targeted
-if [ $1 -eq 1 ]; then
-packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
-%loadpolicy targeted $packages
-restorecon -R /root /var/log /var/run 2> /dev/null
-else
-semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
-
+function get_unconfined() {
+# We only want to upgrade unconfined.pp and unconfineduser if they are 
+# currently installed.  If you have a version 3.0.0 or less of unconfined 
+# installed, you will need to install both, since unconfineduser did not exist 
+# prior to this.
+both="unconfined.pp.bz2 unconfineduser.pp.bz2"
 packages=""
-for i in `semodule -l | awk '{print $1 }' | grep -E "(^unconfined$|^unconfineduser$)"`; do
-packages="$packages $i.pp.bz2"
+ctr=0
+while [ "$1" != "" ]; do
+    if [ "$1" = "unconfineduser" ]; then
+	packages="unconfineduser.pp.bz2 $packages"
+	let "ctr+=1"
+    fi
+    if [ "$1" = "unconfined" ]; then
+	packages="unconfined.pp.bz2 $packages"
+	version=$2
+	let "ctr+=1"
+    fi
+    shift; 
+    shift; 
 done
-%loadpolicy targeted $packages
-%relabel targeted
+
+if [ $ctr -lt 2 -a "$version" != "" ]; then
+    f1=`echo $version | cut -d. -f 1`
+    if [ $f1 -lt 3 ]; then
+	packages=$both
+    else
+        if [ $f1 -eq  3 ]; then
+	    f2=`echo $version | cut -s -d. -f2`
+	    f3=`echo $version | cut -s -d. -f3`
+	    if [ \( -z "$f2" \) -o \( \( "$f2" -eq 0 \)  -a \( -z "f3" -o "$f3" -eq 0 \) \) ]; then 
+	        packages=$both
+	    fi
+	fi
+    fi
 fi
-exit 0
+echo $packages
+}
 
+if [ $1 -eq 1 ]; then
+   packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
+   %loadpolicy targeted $packages
+   restorecon -R /root /var/log /var/run 2> /dev/null
+else
+   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
+   packages=`get_unconfined $(semodule -l)`
+   %loadpolicy targeted $packages
+   %relabel targeted
+fi
+exit 0
 
 %triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
 . /etc/selinux/config
@@ -341,7 +375,7 @@ fi
 seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
 [ "$seuser" != "unconfined_u" ]  && semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 __default__
 seuser=`semanage login -l | grep root | awk '{ print $2 }'`
-[ "$seuser" == "system_u" ] && semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 root
+[ "$seuser" = "system_u" ] && semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 root
 restorecon -R /root /etc/selinux/targeted 2> /dev/null
 semodule -r qmail 2> /dev/null
 exit 0
@@ -446,8 +480,11 @@ exit 0
 %endif
 
 %changelog
+* Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-22
+- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
+
 * Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-21
-- Allow confined users to manace virt_content_t, since this is home dir content
+- Allow confined users to manage virt_content_t, since this is home dir content
 - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
 
 * Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20