diff --git a/policy-F12.patch b/policy-F12.patch index 3aa78b0..9d7cb43 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2211,7 +2211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-12-15 15:31:21.000000000 -0500 @@ -0,0 +1,78 @@ +policy_module(chrome,1.0.0) + @@ -2351,8 +2351,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-12-03 13:45:10.000000000 -0500 -@@ -0,0 +1,80 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-12-15 15:25:07.000000000 -0500 +@@ -0,0 +1,104 @@ +## execmem domain + +######################################## 
@@ -2433,6 +2433,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_role($2, $1_execmem_t) + ') +') ++ ++######################################## ++## ++## Execute a execmem_exec file ++## in the specified domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`execmem_domtrans',` ++ gen_require(` ++ type execmem_exec_t; ++ ') ++ ++ domtrans_pattern($1, execmem_exec_t, $2) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.6.32/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/execmem.te 2009-12-03 13:45:10.000000000 -0500 @@ -5852,8 +5876,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.32/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.te 2009-12-03 13:45:10.000000000 -0500 -@@ -0,0 +1,43 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/seunshare.te 2009-12-15 15:30:08.000000000 -0500 +@@ -0,0 +1,42 @@ +policy_module(seunshare,1.0.0) + +######################################## 
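Review bot: The summary of the new `execmem_domtrans` interface, `Execute a execmem_exec file in the specified domain.`, should name the type and state what the caller still owes, e.g. `## Execute an execmem_exec_t file in the specified domain.` followed by `## The caller must separately authorize its role for $2; only the domain transition is added here.` `domtrans_pattern()` adds no `role ... types` rule, so a role-scoped caller using this alone gets a transition that the role check still refuses. The existing callers in this patch appear to handle the role in their templates, but that contract belongs in the interface documentation.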
@@ -5871,10 +5895,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# seunshare local policy +# + -+allow seunshare_t self:process { fork setexec signal }; -+allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -+allow seunshare_t self:process { getcap setcap }; ++allow seunshare_t self:process { fork setexec signal getcap setcap }; + ++allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; +allow seunshare_t self:fifo_file rw_file_perms; +allow seunshare_t self:unix_stream_socket create_stream_socket_perms; + @@ -6126,7 +6149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-06 11:18:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-15 15:09:33.000000000 -0500 @@ -1,4 +1,4 @@ - +c @@ -6286,7 +6309,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-12-09 09:43:30.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-12-15 15:01:52.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(corenetwork, 1.12.1) ++policy_module(corenetwork, 1.13.0) + + ######################################## + # @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; 
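Review bot: Folding `getcap setcap` into `allow seunshare_t self:process { fork setexec signal getcap setcap };` is fine, but the capability line it now sits next to, `allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };`, is a near-root grant with no justification in the file. A one-line comment stating what each of `sys_admin`, `setuid` and `dac_override` is needed for would let reviewers notice later growth of the set; namespace setup, dropping to the target uid and reaching the user's home are my guesses, but the seunshare source is not visible here, so confirm before writing it. `setpcap` alongside `getcap setcap` suggests the helper drops capabilities after setup, which is worth saying in the same comment.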
@@ -6358,7 +6388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -138,21 +148,29 @@ +@@ -138,24 +148,33 @@ network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) @@ -6389,7 +6419,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -171,29 +189,37 @@ ++network_port(puppet, tcp, 8140, s0) + network_port(pxe, udp,4011,s0) + network_port(pyzor, udp,24441,s0) + network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -171,29 +190,37 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -6430,7 +6464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -222,6 +248,8 @@ +@@ -222,6 +249,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) 
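Review bot: `network_port(puppet, tcp, 8140, s0)` puts spaces after the commas while every neighbouring entry in this hunk, `network_port(pxe, udp,4011,s0)` and `network_port(pyzor, udp,24441,s0)`, does not; `network_port(puppet, tcp,8140,s0)` matches the file's convention. 8140 is the customary puppetmaster port, though I cannot see from this hunk whether a puppet module actually consumes `puppet_port_t`; an unused port type is harmless but worth a check.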
@@ -6441,27 +6475,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-12-12 07:47:41.000000000 -0500 -@@ -17,6 +17,7 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-12-15 15:08:19.000000000 -0500 +@@ -16,13 +16,16 @@ + /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -47,8 +48,10 @@ + /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0) + /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) + /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) + /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) +@@ -47,8 +50,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) +/dev/ksm -c 
gen_context(system_u:object_r:ksm_device_t,s0) /dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) /dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) ++/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -82,6 +85,7 @@ +@@ -61,10 +66,12 @@ + /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) ++/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) + /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) ++/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) + /dev/null -c gen_context(system_u:object_r:null_device_t,s0) + /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) +@@ -82,6 +89,7 @@ /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) 
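Review bot: `/dev/btrfs-control` and `/dev/etherd/.+` are labelled `lvm_control_t`, so every domain granted the LVM control node (via `dev_rw_lvm_control()` and similar) also gets the btrfs and ATA-over-Ethernet control nodes, which presumably drive device discovery, revalidation and flush on the storage layer. These lines are only being moved into alphabetical order here, but since they are touched, a comment recording that the sharing is deliberate, `# AoE and btrfs control nodes share lvm_control_t on purpose`, or a dedicated type if it is not, would make the decision reviewable. `/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0)` also assumes `ksm_device_t` is declared in devices.te, which is outside this hunk.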
@@ -6469,44 +6525,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -101,7 +105,7 @@ +@@ -101,7 +109,8 @@ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) -/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -138,9 +142,14 @@ - /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) - - /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) -+/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) -+/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0) - -+/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) - /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - -+/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) -+ - /dev/pts(/.*)? 
<> - - /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -148,6 +157,8 @@ - /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) - -+/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+ - /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -168,6 +179,7 @@ +@@ -168,6 +176,7 @@ ifdef(`distro_redhat',` # originally from named.fc -+/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) ++/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -8872,7 +8905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2009-12-06 10:20:16.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2009-12-15 15:29:13.000000000 -0500 @@ -10,161 +10,121 @@ userdom_unpriv_user_template(staff) 
@@ -8934,111 +8967,111 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -optional_policy(` - gift_role(staff_r, staff_t) -+ sudo_role_template(staff, staff_r, staff_t) ++ auditadm_role_change(staff_r) ') optional_policy(` - gnome_role(staff_r, staff_t) -+ auditadm_role_change(staff_r) ++ kerneloops_manage_tmp_files(staff_t) ') optional_policy(` - gpg_role(staff_r, staff_t) -+ firewallgui_dbus_chat(staff_t) ++ logadm_role_change(staff_r) ') optional_policy(` - irc_role(staff_r, staff_t) -+ logadm_role_change(staff_r) ++ postgresql_role(staff_r, staff_t) ') optional_policy(` - java_role(staff_r, staff_t) -+ kerneloops_manage_tmp_files(staff_t) ++ rtkit_daemon_system_domain(staff_t) ') optional_policy(` - lockdev_role(staff_r, staff_t) -+ postgresql_role(staff_r, staff_t) ++ secadm_role_change(staff_r) ') optional_policy(` - lpd_role(staff_r, staff_t) -+ rtkit_daemon_system_domain(staff_t) ++ ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` - mozilla_role(staff_r, staff_t) -+ secadm_role_change(staff_r) ++ sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` - mplayer_role(staff_r, staff_t) -+ ssh_role_template(staff, staff_r, staff_t) ++ sysadm_role_change(staff_r) ') optional_policy(` - mta_role(staff_r, staff_t) -+ sysadm_role_change(staff_r) ++ usernetctl_run(staff_t, staff_r) ') optional_policy(` - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) -+ usernetctl_run(staff_t, staff_r) - ') - - optional_policy(` -- pyzor_role(staff_r, staff_t) + unconfined_role_change(staff_r) ') optional_policy(` -- razor_role(staff_r, staff_t) +- pyzor_role(staff_r, staff_t) + webadm_role_change(staff_r) ') -optional_policy(` -- rssh_role(staff_r, staff_t) +- razor_role(staff_r, staff_t) -') +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) -optional_policy(` -- screen_role_template(staff, staff_r, staff_t) +- 
rssh_role(staff_r, staff_t) -') +files_read_kernel_modules(staff_t) -optional_policy(` -- secadm_role_change(staff_r) +- screen_role_template(staff, staff_r, staff_t) -') +kernel_read_fs_sysctls(staff_t) -optional_policy(` -- spamassassin_role(staff_r, staff_t) +- secadm_role_change(staff_r) -') +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) -optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) +- spamassassin_role(staff_r, staff_t) -') +miscfiles_read_hwdata(staff_t) -optional_policy(` -- su_role_template(staff, staff_r, staff_t) +- ssh_role_template(staff, staff_r, staff_t) -') +term_use_unallocated_ttys(staff_t) optional_policy(` +- su_role_template(staff, staff_r, staff_t) ++ gnomeclock_dbus_chat(staff_t) + ') + + optional_policy(` - sudo_role_template(staff, staff_r, staff_t) -') - -optional_policy(` - sysadm_role_change(staff_r) - userdom_dontaudit_use_user_terminals(staff_t) -+ gnomeclock_dbus_chat(staff_t) ++ firewallgui_dbus_chat(staff_t) ') optional_policy(` @@ -9404,7 +9437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-12-08 16:42:21.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-12-15 15:24:39.000000000 -0500 @@ -0,0 +1,667 @@ +## Unconfiend user role + 
@@ -9994,10 +10027,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`unconfined_execmem_domtrans',` + + gen_require(` -+ type unconfined_execmem_t, execmem_exec_t; ++ type unconfined_execmem_t; + ') + -+ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) ++ execmem_domtrans($1, unconfined_execmem_t) +') + +######################################## @@ -10075,8 +10108,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-10 15:25:20.000000000 -0500 -@@ -0,0 +1,450 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-15 15:26:13.000000000 -0500 +@@ -0,0 +1,447 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10407,6 +10440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) ++ rpm_dbus_chat(unconfined_t) +') + +optional_policy(` @@ -10515,10 +10549,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +rpm_transition_script(unconfined_notrans_t) +domain_ptrace_all_domains(unconfined_notrans_t) + -+optional_policy(` -+ rtkit_daemon_system_domain(unconfined_notrans_t) -+') -+ +######################################## +# +# Unconfined mount local policy 
@@ -10680,8 +10710,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-12-03 17:50:59.000000000 -0500 -@@ -35,12 +35,34 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-12-15 15:16:29.000000000 -0500 +@@ -35,6 +35,23 @@ # # Local policy # @@ -10698,8 +10728,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + storage_raw_read_removable_device(xguest_t) + ') +') -+storage_rw_fuse(xguest_t) -+ +# Dontaudit fusermount +mount_dontaudit_exec_fusermount(xguest_t) + @@ -10707,16 +10735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow mounting of file systems optional_policy(` - tunable_policy(`xguest_mount_media',` - kernel_read_fs_sysctls(xguest_t) - -+ # allow fusermount -+ allow xguest_t self:capability sys_admin; -+ - files_dontaudit_getattr_boot_dirs(xguest_t) - files_search_mnt(xguest_t) - -@@ -49,10 +71,9 @@ +@@ -49,10 +66,9 @@ fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -10728,7 +10747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -67,17 +88,60 @@ +@@ -67,17 +83,60 @@ ') optional_policy(` @@ -10778,9 +10797,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) -+ ') ') -+ + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) +optional_policy(` + gen_require(` + type mozilla_t; 
@@ -10788,9 +10808,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; - ') - --#gen_user(xguest_u,, xguest_r, s0, s0) ++') ++ +gen_user(xguest_u, user, xguest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.32/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 10:01:19.000000000 -0400 @@ -17488,13 +17507,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2009-12-03 13:45:11.000000000 -0500 -@@ -44,6 +44,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2009-12-15 14:43:27.000000000 -0500 +@@ -44,6 +44,10 @@ files_read_etc_files(memcached_t) +kernel_read_system_state(memcached_t) + ++auth_use_nsswitch(memcached_t) ++ miscfiles_read_localization(memcached_t) sysnet_dns_name_resolve(memcached_t) @@ -17767,8 +17788,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-11 15:50:04.000000000 -0500 -@@ -136,10 +136,19 @@ ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-12-15 16:12:15.000000000 -0500 +@@ -1,6 +1,13 @@ + + policy_module(mysql, 1.11.0) + ++## ++##
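Review bot: `auth_use_nsswitch(memcached_t)` is added directly above the existing `sysnet_dns_name_resolve(memcached_t)`; as far as I recall, `auth_use_nsswitch()` already pulls in `sysnet_dns_name_resolve()` together with the nscd, ldap and ypbind client rules, so the explicit DNS call becomes redundant and can go. If memcached only needs to resolve the name it listens on, the narrower `sysnet_dns_name_resolve()` alone was sufficient and `auth_use_nsswitch()` widens the domain to the whole NSS stack. A comment naming the lookup that triggered the denial would settle which of the two should stay.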

++## Allow mysqld to connect to all ports ++##

++##
++gen_tunable(mysql_connect_any, false) ++ + ######################################## + # + # Declarations +@@ -109,6 +116,11 @@ + # for /root/.my.cnf - should not be needed: + userdom_read_user_home_content_files(mysqld_t) + ++tunable_policy(`mysql_connect_any',` ++ corenet_tcp_connect_all_ports(mysqld_t) ++ corenet_sendrecv_all_client_packets(mysqld_t) ++') ++ + ifdef(`distro_redhat',` + # because Fedora has the sock_file in the database directory + type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; +@@ -136,10 +148,19 @@ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) @@ -17788,7 +17835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(mysqld_safe_t) -@@ -152,7 +161,7 @@ +@@ -152,7 +173,7 @@ miscfiles_read_localization(mysqld_safe_t) @@ -28019,7 +28066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-15 10:07:56.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-15 14:58:12.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -29704,7 +29751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-12-15 16:44:06.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) 
@@ -29743,16 +29790,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -101,7 +116,7 @@ +@@ -101,7 +116,8 @@ # Re-exec itself can_exec(init_t, init_exec_t) -allow init_t initrc_t:unix_stream_socket connectto; +allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; ++allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms }; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -140,6 +155,7 @@ +@@ -140,6 +156,7 @@ files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) @@ -29760,7 +29808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) -@@ -167,6 +183,8 @@ +@@ -167,6 +184,8 @@ miscfiles_read_localization(init_t) @@ -29769,7 +29817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -189,6 +207,18 @@ +@@ -189,6 +208,18 @@ ') optional_policy(` @@ -29788,7 +29836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nscd_socket_use(init_t) ') -@@ -202,9 +232,10 @@ +@@ -202,9 +233,10 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29800,7 +29848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; -@@ -217,7 +248,8 @@ +@@ -217,7 +249,8 @@ term_create_pty(initrc_t, initrc_devpts_t) # Going to single user mode 
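Review bot: `allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };` is unconditional, yet the only visible reason for init and initrc to talk over a stream socket is upstart, which this file gates behind `gen_tunable(init_upstart, false)`. If that is the motivation, the new rule and the widened `allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };` above it belong inside `tunable_policy(`init_upstart',` ... ')`, or at least under a comment such as `# upstart: initctl running as initrc_t talks to init over its control socket`. The init_t section containing these rules extends beyond the hunk, so I cannot tell whether the restriction already exists there.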
@@ -29810,7 +29858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(initrc_t, init_script_file_type) -@@ -230,10 +262,16 @@ +@@ -230,10 +263,16 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -29829,7 +29877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) init_write_initctl(initrc_t) -@@ -246,13 +284,19 @@ +@@ -246,13 +285,19 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29851,7 +29899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -272,16 +316,63 @@ +@@ -272,16 +317,63 @@ dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) @@ -29916,7 +29964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -291,7 +382,7 @@ +@@ -291,7 +383,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29925,7 +29973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -306,14 +397,15 @@ +@@ -306,14 +398,15 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -29943,7 +29991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -324,48 +416,16 @@ +@@ -324,48 +417,16 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -29996,7 +30044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -374,19 +434,22 @@ +@@ -374,19 +435,22 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -30020,7 +30068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -422,16 +485,12 @@ +@@ -422,16 +486,12 @@ # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) @@ -30038,7 +30086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` arpwatch_manage_data_files(initrc_t) -@@ -450,11 +509,9 @@ +@@ -450,11 +510,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -30051,7 +30099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) -@@ -464,6 +521,7 @@ +@@ -464,6 +522,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -30059,7 +30107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -492,11 +550,17 @@ +@@ -492,15 +551,22 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) 
@@ -30077,7 +30125,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,6 +579,33 @@ + sysnet_rw_dhcp_config(initrc_t) ++ sysnet_manage_config(initrc_t) + ') + + optional_policy(` +@@ -515,6 +581,33 @@ ') ') @@ -30111,7 +30164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -567,10 +658,19 @@ +@@ -567,10 +660,19 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30131,7 +30184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -590,6 +690,10 @@ +@@ -590,6 +692,10 @@ ') optional_policy(` @@ -30142,7 +30195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -646,20 +750,20 @@ +@@ -646,20 +752,20 @@ ') optional_policy(` @@ -30169,7 +30222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -668,6 +772,7 @@ +@@ -668,6 +774,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -30177,7 +30230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -696,7 +801,6 @@ +@@ -696,7 +803,6 @@ ') optional_policy(` @@ -30185,7 +30238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -718,8 +822,6 @@ +@@ -718,8 +824,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30194,7 +30247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -732,13 +834,16 @@ +@@ -732,13 +836,16 @@ squid_manage_logs(initrc_t) ') 
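Review bot: `sysnet_manage_config(initrc_t)` lets init scripts create, delete and rename network configuration files such as resolv.conf, a step up from the `sysnet_rw_dhcp_config(initrc_t)` it is placed beside, and the hunk gives no reason. A comment naming the script that needs it, e.g. `# network init scripts rewrite /etc/resolv.conf`, would keep the grant from being copied further without thought. The enclosing `optional_policy()` opens inside this hunk, so placement next to the dhcp rule looks consistent, assuming that block is the sysnetwork one.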
@@ -30211,7 +30264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -747,6 +852,7 @@ +@@ -747,6 +854,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -30219,7 +30272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -754,6 +860,15 @@ +@@ -754,6 +862,15 @@ ') optional_policy(` @@ -30235,7 +30288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(initrc_t) ifdef(`distro_redhat',` -@@ -764,6 +879,21 @@ +@@ -764,6 +881,21 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -30257,7 +30310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -789,3 +919,31 @@ +@@ -789,3 +921,31 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -30370,7 +30423,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-10 11:41:15.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-15 15:50:05.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # 
@@ -30418,12 +30471,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type setkey_t; type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) -@@ -53,21 +72,23 @@ +@@ -53,23 +72,29 @@ # ipsec Local policy # -allow ipsec_t self:capability { net_admin dac_override dac_read_search }; -+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice }; ++allow ipsec_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; dontaudit ipsec_t self:capability sys_tty_config; -allow ipsec_t self:process { signal setsched }; +allow ipsec_t self:process { getcap setcap getsched signal setsched }; @@ -30441,11 +30494,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_t ipsec_key_file_t:dir list_dir_perms; -read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) -+manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) ++manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) ++manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) ++manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) ++files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) ++ manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -82,16 +103,17 @@ + manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) + files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) +@@ -82,16 +107,17 @@ # so try flipping back into the ipsec_mgmt_t domain corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; @@ -30465,7 +30524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(ipsec_t) kernel_getattr_message_if(ipsec_t) -@@ -120,7 +142,9 @@ +@@ -120,7 +146,9 @@ domain_use_interactive_fds(ipsec_t) 
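Review bot: The new `allow ipsec_t self:capability { ... setpcap ... }` line and the `{ getcap setcap }` process permissions are added with no comment saying which pluto operation needs them, and setpcap is the one that matters: a daemon shrinking its own permitted/effective set via capset() needs only `process setcap`, while CAP_SETPCAP is required to prune the bounding set or raise inheritable capabilities. If pluto merely drops privileges after start-up, `setpcap` may be unnecessary and the AVC could be handled with `dontaudit ipsec_t self:capability setpcap;` instead. Please add a comment above the capability line such as `# pluto drops capabilities after start-up; setpcap only if it also prunes the bounding set (verify)` so the next reviewer can tell whether the grant is still needed. The ipsec_t local-policy section continues past this hunk.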
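Review bot: Replacing `read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)` with `manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)` gives the network-facing IKE daemon create, write and unlink on its whole key/certificate store, which until now was writable only from ipsec_mgmt_t (the mgmt-side manage and etc_filetrans rules are still visible as context below). A parser bug in pluto then lets an attacker replace trusted CA certs or pre-shared secrets rather than just read them. If pluto only writes one or two files (an NSS database or lock file, for example — I cannot tell from the hunk), a dedicated type with a `filetrans_pattern` into ipsec_key_file_t directories would keep the rest read-only. At minimum add a comment naming what it writes, e.g. `# pluto must write <file> under /etc/ipsec.d; consider a narrower type`.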
@@ -30475,11 +30534,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) -@@ -154,16 +178,19 @@ +@@ -153,17 +181,20 @@ + # ipsec_mgmt Local policy # - allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; +-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; -allow ipsec_mgmt_t self:process { signal setrlimit }; ++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap }; +allow ipsec_mgmt_t self:process { signal setrlimit ptrace }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; @@ -30497,17 +30558,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -@@ -188,6 +215,10 @@ - manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) - files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file) - -+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) -+ - # whack needs to connect to pluto - stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) - @@ -241,6 +272,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) 
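Review bot: `allow ipsec_mgmt_t self:process { signal setrlimit ptrace };` and the added `setpcap` capability carry no comment explaining which tool in the ipsec management scripts needs them. `ptrace` on self is commonly triggered by utilities reading other processes' /proc entries rather than by real tracing; if that is the case here, a `dontaudit` is the usual refpolicy answer instead of a grant. Please add a one-line comment naming the triggering program, e.g. `# ptrace/setpcap needed by <tool> in _updown scripts (confirm)`, or drop the grant if it was only silencing an audit message. The ipsec_mgmt_t local policy continues outside this hunk.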
@@ -30530,21 +30580,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # manage pid file manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -297,6 +336,13 @@ +@@ -296,6 +335,14 @@ + kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) - ++kernel_request_load_module(racoon_t) ++ +can_exec(racoon_t, racoon_exec_t) + +corecmd_exec_shell(racoon_t) +corecmd_exec_bin(racoon_t) + +sysnet_exec_ifconfig(racoon_t) -+ + corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t) - corenet_udp_sendrecv_all_if(racoon_t) -@@ -314,6 +360,8 @@ +@@ -314,6 +361,8 @@ files_read_etc_files(racoon_t) @@ -30553,7 +30604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) -@@ -328,6 +376,14 @@ +@@ -328,6 +377,14 @@ miscfiles_read_localization(racoon_t) @@ -30568,7 +30619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Setkey local policy -@@ -341,12 +397,15 @@ +@@ -341,12 +398,15 @@ read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) @@ -30584,7 +30635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -358,3 +417,5 @@ +@@ -358,3 +418,5 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) 
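Review bot: `corecmd_exec_shell(racoon_t)` and `corecmd_exec_bin(racoon_t)` let racoon, which parses IKE packets from the network, run any shell or binary in its own domain, so a memory-safety bug in the daemon now yields an interactive shell with racoon_t's capabilities plus the newly added `kernel_request_load_module(racoon_t)`. Earlier in this same file pluto solves the hook-script problem with a domain transition (`corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)`), which keeps the daemon itself unable to exec; if racoon only needs its phase1 up/down scripts, the same `corecmd_shell_domtrans(racoon_t, <script domain>)` shape is preferable to exec in-domain, and `sysnet_exec_ifconfig` would then belong to the script domain. `can_exec(racoon_t, racoon_exec_t)` also deserves a comment (re-exec on reload?) since nothing in the hunk shows why the daemon executes its own binary. The racoon local-policy section continues beyond this hunk.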
@@ -32140,7 +32191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.if 2009-12-03 17:54:50.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/mount.if 2009-12-15 15:15:35.000000000 -0500 @@ -20,6 +20,60 @@ ########################################