diff --git a/policy-20071130.patch b/policy-20071130.patch index f69ba27..b321fe8 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1732,6 +1732,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t libs_use_ld_so(brctl_t) libs_use_shared_libs(brctl_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.3.1/policy/modules/admin/certwatch.te +--- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/certwatch.te 2008-11-13 18:32:21.000000000 -0500 +@@ -18,6 +18,9 @@ + + files_read_etc_files(certwatch_t) + ++auth_manage_cache(certwatch_t) ++auth_filetrans_cache(certwatch_t) ++ + libs_use_ld_so(certwatch_t) + libs_use_shared_libs(certwatch_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.3.1/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/consoletype.te 2008-11-03 16:14:53.000000000 -0500 
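Review bot: The two calls added for certwatch_t in certwatch.te have no comment naming the cache certwatch needs, and `auth_manage_cache(certwatch_t)` grants full manage rights on every `auth_cache_t` file. It expands to `manage_files_pattern($1, auth_cache_t, auth_cache_t)`, as the authlogin.if part of this same patch shows. If the AVC denial that prompted this was only a read or a single file creation, a narrower grant would keep a cron-driven certificate checker from being able to rewrite or delete authentication cache content. At minimum, add a why-comment above the two lines, for example `# certwatch needs the auth cache (e.g. /var/cache/coolkey) - see AVC in bug <BUG-ID placeholder>`.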
@@ -22227,74 +22240,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.3.1/policy/modules/services/pki.fc --- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/pki.fc 2008-11-13 14:24:04.000000000 -0500 -@@ -0,0 +1,66 @@ ++++ serefpolicy-3.3.1/policy/modules/services/pki.fc 2008-11-13 18:20:44.000000000 -0500 +@@ -0,0 +1,46 @@ + -+/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) -+ -+/etc/init.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0) + +/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) -+/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) -+ -+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) -+ -+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0) -+ -+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) -+ -+/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) -+ -+/etc/init.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0) -+ ++/etc/pki-ca/tomcat5\.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) +/etc/pki-kra(/.*)? 
gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) -+/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) -+ -+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) -+ -+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0) -+ -+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) ++/etc/pki-kra/tomcat5\.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) ++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) ++/etc/pki-ocsp/tomcat5\.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) ++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) ++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) ++/etc/pki-tks/tomcat5\.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) ++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) + ++/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) ++/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) +/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) ++/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) + -+/etc/init.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0) -+ -+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) -+/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) ++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) + ++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) ++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) +/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) ++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) ++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) ++/var/lib/pki-tps(/.*)? 
gen_context(system_u:object_r:pki_tps_var_lib_t,s0) + -+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) -+ ++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) ++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) +/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) -+ -+/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) -+/etc/init.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0) -+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) -+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) -+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) -+ -+ -+/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) -+ -+/etc/init.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0) -+ -+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) -+/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) -+ -+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) -+ -+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0) -+ ++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) +/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) -+ -+/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) -+/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0) -+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) -+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) -+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) -+ ++/var/log/pki-tps(/.*)? 
gen_context(system_u:object_r:pki_tps_log_t,s0) ++ ++/var/run/pki-ca\.pid -- gen_context(system_u:object_r:pki_ca_var_run_t,s0) ++/var/run/pki-kra\.pid -- gen_context(system_u:object_r:pki_kra_var_run_t,s0) ++/var/run/pki-ocsp\.pid -- gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) ++/var/run/pki-ra\.pid -- gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) ++/var/run/pki-tks\.pid -- gen_context(system_u:object_r:pki_tks_var_run_t,s0) ++/var/run/pki-tps\.pid -- gen_context(system_u:object_r:pki_tks_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.3.1/policy/modules/services/pki.if --- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/pki.if 2008-11-13 14:24:04.000000000 -0500 @@ -33867,7 +33860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-11-03 16:14:39.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-11-13 18:32:07.000000000 -0500 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -33998,11 +33991,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo - sysnet_dns_name_resolve($1) - sysnet_use_ldap($1) - - optional_policy(` +- optional_policy(` - kerberos_use($1) - ') - -- optional_policy(` + optional_policy(` - nis_use_ypbind($1) + kerberos_read_keytab($1) + kerberos_524_connect($1) 
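Review bot: Two of the new `/var/run` entries in pki.fc carry another subsystem's type: `/var/run/pki-ra\.pid` is labelled `pki_ocsp_var_run_t` and `/var/run/pki-tps\.pid` is labelled `pki_tks_var_run_t`, while every other line in the file pairs a path with its own subsystem's type. This looks like a copy-paste slip, and as written the OCSP and TKS domains' pid-file rules would also cover the RA and TPS pid files, which blurs the separation between the PKI subsystems. If the types are declared in pki.te (not visible here), the lines should read `/var/run/pki-ra\.pid -- gen_context(system_u:object_r:pki_ra_var_run_t,s0)` and `/var/run/pki-tps\.pid -- gen_context(system_u:object_r:pki_tps_var_run_t,s0)`. Separately, `/usr/sbin/httpd.worker` is the only path in the rewritten file with an unescaped dot (`httpd\.worker` would match the rest), and labelling that shared binary `pki_ra_exec_t` affects every use of it on the host, so it deserves a comment.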
@@ -34080,7 +34073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1561,59 @@ +@@ -1491,3 +1561,78 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -34140,6 +34133,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + + manage_files_pattern($1, auth_cache_t, auth_cache_t) +') ++ ++ ++####################################### ++## ++## Automatic transition from cache_t to cache. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_filetrans_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ files_var_filetrans($1,auth_cache_t,file) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-11-03 16:14:39.000000000 -0500 @@ -35254,7 +35266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-11-05 11:29:06.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-11-13 18:43:05.000000000 -0500 @@ -69,8 +69,10 @@ ifdef(`distro_gentoo',` # despite the extensions, they are actually libs 
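Review bot: The summary of the new `auth_filetrans_cache` interface, "Automatic transition from cache_t to cache.", does not describe what the rule does, and there is no `cache_t` in the visible policy. `files_var_filetrans($1,auth_cache_t,file)` makes every regular file the caller creates in a `var_t` directory come out as `auth_cache_t`. The summary should say so, for example `## Create files in var_t directories with the authentication cache type.`, so that callers with other outputs under /var know those would be relabelled too. The transition covers only the `file` class and `auth_manage_cache` above it uses only `manage_files_pattern`, so a caller that has to create the `/var/cache/coolkey` directory itself would presumably not get the transition; confirm whether `dir` is needed. The rest of the file puts a space after each comma in macro arguments: `files_var_filetrans($1, auth_cache_t, file)`.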
@@ -35347,7 +35359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -304,3 +318,16 @@ +@@ -304,3 +318,17 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -35364,6 +35376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + +/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/sse2/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-11-03 16:14:39.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index ba1b2c3..32b03f9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 109%{?dist} +Release: 110%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -382,7 +382,7 @@ exit 0 %endif %changelog -* Thu Nov 13 2008 Dan Walsh 3.3.1-109 +* Thu Nov 13 2008 Dan Walsh 3.3.1-110 - Allow openvpn to create /etc/openvpn/ipp.txt * Tue Nov 5 2008 Dan Walsh 3.3.1-108
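Review bot: The new libpostproc entry in libraries.fc is written differently from the two libav lines just above it, ending in `\.so.*` where they use `\.so(\..*)?`. The looser tail also matches names such as `libpostproc.sofoo`, and `textrel_shlib_t` relaxes the text-relocation check, so the pattern is best kept as tight as its neighbours: `/usr/lib(64)?/sse2/libpostproc\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The adjacent `/usr/lib/sse2/libav.*` line lacks the `(64)?` that this line has; if sse2 builds exist under lib64, that line probably wants the same prefix.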