diff --git a/policy-20100106.patch b/policy-20100106.patch
index abc313a..e62f751 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -866,17 +866,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_mmap_low(wine_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-02-09 09:59:17.989881706 +0100
-@@ -219,7 +219,7 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-02-10 11:51:39.387858338 +0100
+@@ -218,8 +218,9 @@
+ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
 -/usr/share/cluster/ocf-shellfunc -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
-@@ -237,6 +237,7 @@
+@@ -237,6 +238,7 @@
 /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) 
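Review bot: The new `/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)` entry labels the directory and everything beneath it `bin_t`, so any non-executable data in that tree becomes executable content for every domain with `corecmd_exec_bin`; the neighbouring `/usr/share` entries (`debconf/.+ --`, `cluster/.*\.sh`) restrict the label to regular files or to scripts. If the directory holds only scripts, `/usr/share/e16/misc/[^/]+ --` (or a `\.sh`-anchored form) is the tighter rule; if it genuinely mixes data and executables, the broad glob should carry a comment saying so. The corrected `ocf-shellfuncs` pattern also means the old rule never matched, so installed systems still carry whatever label the parent rule gave that file until a relabel runs — worth a changelog line or a note that restorecon is needed.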
@@ -964,7 +966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-09 09:59:21.541627154 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-10 13:59:22.783608332 +0100
 @@ -1398,6 +1398,42 @@
 rw_chr_files_pattern($1, device_t, crypt_device_t)
 ')
@@ -1033,7 +1035,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## Get the attributes of the ksm devices.
 ##
 ##
-@@ -3551,6 +3605,24 @@
+@@ -2485,6 +2539,25 @@
+ rw_chr_files_pattern($1, device_t, mtrr_device_t)
+ ')
+
++#######################################
++##
++## Dontaudit write the memory type range registers (MTRR).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_dontaudit_write_mtrr',`
++ gen_require(`
++ type mtrr_device_t;
++ ')
++
++ dontaudit $1 mtrr_device_t:chr_file write;
++ dontaudit $1 mtrr_device_t:file write;
++')
++
+ ########################################
+ ##
+ ## Get the attributes of the network control device
+@@ -3551,6 +3624,24 @@
 rw_chr_files_pattern($1, device_t, usb_device_t)
 ')
@@ -1058,7 +1086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ##
 ## Mount a usbfs filesystem.
-@@ -3833,6 +3905,24 @@
+@@ -3833,6 +3924,24 @@
 write_chr_files_pattern($1, device_t, v4l_device_t)
 ')
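Review bot: The summary of the new `dev_dontaudit_write_mtrr` interface says only `Dontaudit write the memory type range registers (MTRR).`, while its body suppresses denials on both `chr_file` and `file` objects of `mtrr_device_t`; readers of the generated interface documentation cannot see that second class. Suggest `## Do not audit attempts to write the memory type range registers (MTRR), for both the character-device and plain-file objects labeled mtrr_device_t.` It would also help to state that the denial itself stays in force and that a caller which really must write MTRRs needs the rw interface whose tail (`rw_chr_files_pattern($1, device_t, mtrr_device_t)`) is visible at the top of this hunk.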
@@ -1396,8 +1424,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(amavis_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-01-27 17:22:29.733863060 +0100
-@@ -12,6 +12,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-02-10 11:49:16.515609331 +0100
+@@ -8,10 +8,12 @@
+ /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+ /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+ /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
++/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+ /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) 
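Review bot: `/etc/mock/koji(/.*)?` turns a configuration tree under `/etc` into writable web content (`httpd_sys_content_rw_t`), so httpd_t — and any other domain granted write on that type — can rewrite the mock/koji configuration, and a compromised web application then controls what the build tooling later reads. If the hub only reads these files, `httpd_sys_content_t` is sufficient and should be used instead; if writes really are required, a one-line comment naming the writer (presumably koji-hub running inside httpd, but the hunk does not say) would justify the exception. The entry is also inserted between `/etc/httpd/modules` and `/etc/lighttpd`, breaking the alphabetical order the surrounding `/etc` rules keep.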
@@ -1405,6 +1438,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -71,6 +73,9 @@
+ /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++
++/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++
+ /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+ /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-02-01 15:06:59.560081274 +0100 
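Review bot: `/var/lib/koji(/.*)?` makes the entire koji state tree writable by httpd_t via `httpd_sys_content_rw_t`; if the web-side hub writes only a subtree (uploads or work directories, say — not visible here), narrowing the pattern to that subtree keeps the rest of the tree read-only for the web server and limits what a compromised web application can alter. The entry is also wrapped in blank lines on both sides, unlike the `/var/lib/drupal`, `/var/lib/htdig` and `/var/lib/httpd` entries directly above it; drop the extra blank lines to match the file's layout.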
@@ -1690,6 +1733,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_dontaudit_search_admin_dir($1)
 optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if
+--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-10 16:28:56.322607977 +0100
+@@ -26,6 +26,8 @@
+ daemontools_read_svc(djbdns_$1_t)
+
+ allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
++ allow djbdns_$1_t self:process signal;
++ allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
+ allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+ allow djbdns_$1_t self:udp_socket create_socket_perms;
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-02-08 11:55:25.971336166 +0100
@@ -3447,7 +3502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-01 17:54:50.906099781 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-10 13:44:03.868859469 +0100
 @@ -71,7 +71,7 @@
 # PPPD Local policy
 # 
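Review bot: The two rules added to `djbdns_$1_t` (`self:process signal` and `self:fifo_file rw_fifo_file_perms`) carry no comment, and because they live in a template whose opening is outside this hunk they are granted to every djbdns domain instantiated from it, not only the program that produced the denial. A one-line comment naming that program and what it does with the signal and pipe — I cannot tell from the hunk which of the djbdns tools it was — would let a later reader decide whether the grant belongs in the template or in one instantiation.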
@@ -3457,7 +3512,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit pppd_t self:capability sys_tty_config;
 allow pppd_t self:process signal;
 allow pppd_t self:fifo_file rw_fifo_file_perms;
-@@ -192,6 +192,10 @@
+@@ -122,6 +122,7 @@
+ kernel_read_network_state(pppd_t)
+ kernel_request_load_module(pppd_t)
+
++dev_getattr_modem_dev(pppd_t)
+ dev_read_urand(pppd_t)
+ dev_search_sysfs(pppd_t)
+ dev_read_sysfs(pppd_t)
+@@ -192,6 +193,10 @@
 ')
 optional_policy(`
@@ -4544,7 +4607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-09 10:08:14.902615674 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-10 13:42:43.220607710 +0100
 @@ -253,6 +253,7 @@
 allow xdm_t iceauth_home_t:file read_file_perms;
@@ -4553,17 +4616,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_search_auto_mountpoints(iceauth_t)
-@@ -301,6 +302,9 @@
+@@ -301,6 +302,11 @@
 manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
 files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 +allow xauth_t xserver_t:unix_stream_socket connectto;
 +
++stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
++
 +domain_dontaudit_leaks(xauth_t)
 domain_use_interactive_fds(xauth_t)
 dev_rw_xserver_misc(xauth_t)
-@@ -309,8 +313,12 @@
+@@ -309,8 +315,12 @@
 files_read_usr_files(xauth_t)
 files_search_pids(xauth_t)
 files_dontaudit_getattr_all_dirs(xauth_t) 
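Review bot: Once `stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)` is in place, the pre-existing `allow xauth_t xserver_t:unix_stream_socket connectto;` two lines above it is redundant — the pattern expands to exactly that connectto plus the directory search and sock_file write that make it usable — so the bare allow should be removed in the same change rather than left as a duplicate. Neither line says why an authority-file tool needs to talk to the X server socket at all; this file already marks such rules (`# cjp: why?`), so at minimum add `# xauth connects to the server socket when <reason>` with the real reason. The xauth_t section continues outside the hunk.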
@@ -4576,7 +4641,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_search_auto_mountpoints(xauth_t)
 # cjp: why?
-@@ -506,6 +514,7 @@
+@@ -341,6 +351,7 @@
+ term_dontaudit_use_unallocated_ttys(xauth_t)
+ dev_dontaudit_rw_dri(xauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
++ fs_list_inotifyfs(xauth_t)
+ ')
+
+ optional_policy(`
+@@ -506,6 +517,7 @@
 dev_dontaudit_rw_misc(xdm_t)
 dev_getattr_video_dev(xdm_t)
 dev_setattr_video_dev(xdm_t)
@@ -4584,7 +4657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
 dev_read_sound(xdm_t)
-@@ -582,6 +591,7 @@
+@@ -582,6 +594,7 @@
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
 userdom_stream_connect(xdm_t)
@@ -4592,7 +4665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
 userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -668,6 +678,7 @@
+@@ -668,6 +681,7 @@
 optional_policy(`
 gnome_read_gconf_config(xdm_t)
@@ -4600,7 +4673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -675,6 +686,10 @@
+@@ -675,6 +689,10 @@
 ')
 optional_policy(`
@@ -4611,7 +4684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 loadkeys_exec(xdm_t)
 ')
-@@ -712,6 +727,7 @@
+@@ -712,6 +730,7 @@
 optional_policy(`
 pulseaudio_exec(xdm_t)
 pulseaudio_dbus_chat(xdm_t) 
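Review bot: `fs_list_inotifyfs(xauth_t)` is an allow rule dropped into a block whose other members (`term_dontaudit_use_unallocated_ttys`, `dev_dontaudit_rw_dri`, `dev_dontaudit_rw_generic_dev_nodes`) are all dontaudits and whose opening line is outside the hunk; if that block is an `ifdef(`hide_broken_symptoms'` guard, as its contents suggest, this grants a real permission only when symptom hiding is compiled in, which is the wrong place for an allow. A listing of inotifyfs by xauth looks like a leaked inotify descriptor from the parent rather than something xauth does itself, so the matching rule is the dontaudit counterpart (`fs_dontaudit_list_inotifyfs(xauth_t)`, if the local filesystem.if provides it) kept in that block; if xauth genuinely needs the access, move the allow out of the conditional and comment why.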
@@ -4651,6 +4724,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ssh_sigchld(application_domain_type)
 ssh_rw_stream_sockets(application_domain_type)
 ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.6.32/policy/modules/system/daemontools.te
+--- nsaserefpolicy/policy/modules/system/daemontools.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/daemontools.te 2010-02-10 17:52:29.728608954 +0100
+@@ -65,6 +65,8 @@
+
+ kernel_read_system_state(svc_run_t)
+
++dev_read_urand(svc_run_t)
++
+ corecmd_exec_bin(svc_run_t)
+ corecmd_exec_shell(svc_run_t)
+
+@@ -93,10 +95,14 @@
+
+ allow svc_start_t self:fifo_file rw_fifo_file_perms;
+ allow svc_start_t self:capability kill;
++allow svc_start_t self:tcp_socket create_stream_socket_perms;
+ allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+ can_exec(svc_start_t, svc_start_exec_t)
+
++kernel_read_kernel_sysctls(svc_start_t)
++kernel_read_system_state(svc_start_t)
++
+ corecmd_exec_bin(svc_start_t)
+ corecmd_exec_shell(svc_start_t)
+
+@@ -105,5 +111,9 @@
+ files_search_var(svc_start_t)
+ files_search_pids(svc_start_t)
+
++logging_send_syslog_msg(svc_start_t)
++
++miscfiles_read_localization(svc_start_t)
++
+ daemontools_domtrans_run(svc_start_t)
+ daemontools_manage_svc(svc_start_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-01-27 18:13:10.349614395 +0100 
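Review bot: `allow svc_start_t self:tcp_socket create_stream_socket_perms;` lets the daemontools start domain create, listen on and accept TCP sockets, yet the hunk adds no `corenet_*` rules, so no port can actually be bound or connected — either the real need is bare socket creation (a hostname/getaddrinfo-style probe from a start script), in which case `create_socket_perms` or a dontaudit is the smaller grant, or a service is being started without a domain transition and should get its own domain instead of network permissions in the supervisor's start domain. Please add a comment naming the service whose start script triggered this. The added `kernel_read_kernel_sysctls`, syslog and localization rules are plausible for shell start wrappers but deserve the same one-line justification, since the file otherwise gives no hint why svc_start_t suddenly needs them.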
@@ -4784,7 +4894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-09 15:33:01.072616199 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-10 12:35:56.244868320 +0100
 @@ -40,6 +40,7 @@
 attribute init_script_domain_type;
 attribute init_script_file_type;
@@ -4818,7 +4928,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_rw_tmpfs_chr_files(init_t)
 fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
-@@ -212,6 +215,11 @@
+@@ -204,6 +207,11 @@
+ ')
+
+ optional_policy(`
++ # webmin seems to cause this.
++ apache_search_sys_content(daemon)
++')
++
++optional_policy(`
+ auth_rw_login_records(init_t)
+ ')
+
+@@ -212,6 +220,11 @@
 ')
 optional_policy(`
@@ -4830,7 +4952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 # the directory. But we do not want to allow this.
-@@ -224,6 +232,10 @@
+@@ -224,6 +237,10 @@
 ')
 optional_policy(`
@@ -4841,7 +4963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 unconfined_domain(init_t)
 ')
-@@ -312,6 +324,7 @@
+@@ -312,6 +329,7 @@
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@@ -4849,7 +4971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
 dev_rw_sysfs(initrc_t)
-@@ -531,6 +544,7 @@
+@@ -531,6 +549,7 @@
 # Needs to cp localtime to /var dirs
 files_write_var_dirs(initrc_t) 
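Review bot: `apache_search_sys_content(daemon)` is keyed on the `daemon` attribute, so every daemon domain on the system gains search on `httpd_sys_content_t` directories in order to silence a denial the comment attributes to a single program (`# webmin seems to cause this.`); attribute-wide rules in init.te should be reserved for access every daemon needs. If webmin runs in a domain of its own that domain should carry the rule, and if it runs as initrc_t then `apache_search_sys_content(initrc_t)` in the initrc_t section further down is the narrowest fix; in either case keep the comment but replace "seems to" with the AVC that was actually observed. The block is also placed in the init_t section (next to `auth_rw_login_records(init_t)`) although it does not concern init_t.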
@@ -4857,7 +4979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_rw_tmpfs_chr_files(initrc_t)
 storage_manage_fixed_disk(initrc_t)
-@@ -872,6 +886,7 @@
+@@ -872,6 +891,7 @@
 optional_policy(`
 unconfined_domain(initrc_t)
@@ -4865,7 +4987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`distro_redhat',`
 # system-config-services causes avc messages that should be dontaudited
-@@ -885,6 +900,9 @@
+@@ -885,6 +905,9 @@
 # Allow SELinux aware applications to request rpm_script_t execution
 rpm_transition_script(initrc_t) 
@@ -4877,8 +4999,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 gen_require(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-01-27 17:43:20.027613211 +0100
-@@ -215,6 +215,8 @@
++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-02-10 13:41:21.003609488 +0100
+@@ -182,9 +182,9 @@
+ # ipsec_mgmt Local policy
+ #
+
+-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap };
++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+ dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+-allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
++allow ipsec_mgmt_t self:process { getsched signal setrlimit ptrace };
+ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+@@ -206,6 +206,10 @@
+ allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
+
++manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
++manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
++files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
++
+ # _realsetup needs to be able to cat /var/run/pluto.pid,
+ # run ps on that pid, and delete the file
+ read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+@@ -215,6 +219,8 @@
 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; 
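Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` on `ipsec_tmp_t` plus `files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })` make the management scripts share their /tmp type with the pluto daemon, assuming `ipsec_tmp_t` is the type already declared for ipsec_t earlier in the file (its declaration is not in this hunk); whatever ipsec_mgmt_t drops in /tmp is then readable and writable by the network-facing daemon and vice versa. If the scripts only need scratch space, a dedicated `ipsec_mgmt_tmp_t` keeps the two separated; if they deliberately exchange files through /tmp, say so in a comment. `sys_nice` and `getsched` are likewise added with no note on which tool needs them, while the file already annotates such rules (`# _realsetup needs to be able to cat /var/run/pluto.pid …`) — match that style.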
@@ -4887,6 +5032,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
 manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+@@ -241,6 +247,7 @@
+
+ files_read_kernel_symbol_table(ipsec_mgmt_t)
+ files_getattr_kernel_modules(ipsec_mgmt_t)
++files_read_usr_files(ipsec_mgmt_t)
+
+ # the default updown script wants to run route
+ # the ipsec wrapper wants to run /usr/bin/logger (should we put
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if
 --- nsaserefpolicy/policy/modules/system/iptables.if 2010-01-18 18:24:22.941530168 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-02-09 10:36:30.616615893 +0100
@@ -4906,7 +5059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-02 15:25:03.135335306 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-10 13:59:49.976859557 +0100
 @@ -52,6 +52,7 @@
 kernel_use_fds(iptables_t) 
@@ -4923,6 +5076,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 init_use_fds(iptables_t)
 init_use_script_ptys(iptables_t)
 # to allow rules to be saved on reboot:
+@@ -87,6 +89,10 @@
+ userdom_use_user_terminals(iptables_t)
+ userdom_use_all_users_fds(iptables_t)
+
++ifdef(`hide_broken_symptoms',`
++ dev_dontaudit_write_mtrr(iptables_t)
++')
++
+ optional_policy(`
+ fail2ban_append_log(iptables_t)
+ fail2ban_dontaudit_leaks(iptables_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
 --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-02-02 15:17:13.812067843 +0100
@@ -4982,7 +5146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_read_all_domains_state(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-02 10:45:09.949162869 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-10 12:10:25.609868564 +0100
 @@ -245,8 +245,12 @@
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
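Review bot: `dev_dontaudit_write_mtrr(iptables_t)` silences the denial without recording where it comes from; iptables has no reason to write MTRRs, so this is presumably a descriptor leaked by whatever invoked it (the file already handles one such case with `fail2ban_dontaudit_leaks(iptables_t)`), and a dontaudit only stops the log line — the write stays denied. Add a comment above the `ifdef` naming the caller and the AVC, e.g. `# leaked fd from <caller>; the write is still denied, drop once the leak is fixed`, so the rule can be retired later instead of silently outliving its cause. The `ifdef(`hide_broken_symptoms'` guard is the right place for it, and the interface it calls is introduced by this same patch's devices.if hunk, so the build dependency is satisfied.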
@@ -5007,9 +5171,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -433,8 +435,16 @@ +@@ -432,9 +434,19 @@ + /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/autodesk/maya2010-x64/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ /opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
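Review bot: `/usr/autodesk/maya2010-x64/lib/.*\.so.*` labels every shared object under that tree `textrel_shlib_t`, which permits `execmod` (text relocations, i.e. mappings that are written and then executed) in any domain that loads those libraries; the other vendor entries in this hunk (`libvte\.so.*`, `libsybdb\.so.*`, `libgptsblmsui11.so.*`) name the specific library instead. Unless the whole tree is known to need relocations, list only the libraries the `execmod` AVCs actually named and keep a blanket glob as a documented last resort, since each extra library on the list is one more place an attacker can place code in a W^X-weakened mapping. The entry is also followed by a blank line, unlike the neighbouring rules.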
@@ -5026,8 +5193,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-01-21 14:31:52.834862007 +0100
-@@ -207,7 +207,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-02-10 11:55:45.380624491 +0100
+@@ -74,6 +74,7 @@
+ dev_setattr_power_mgmt_dev(local_login_t)
+ dev_getattr_sound_dev(local_login_t)
+ dev_setattr_sound_dev(local_login_t)
++dev_read_video_dev(local_login_t)
+ dev_rw_generic_usb_dev(local_login_t)
+ dev_dontaudit_getattr_apm_bios_dev(local_login_t)
+ dev_dontaudit_setattr_apm_bios_dev(local_login_t)
+@@ -207,7 +208,7 @@
 allow sulogin_t self:capability dac_override;
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
@@ -5036,7 +5211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow sulogin_t self:unix_dgram_socket create_socket_perms;
 allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
 allow sulogin_t self:unix_dgram_socket sendto;
-@@ -241,6 +241,9 @@
+@@ -241,6 +242,9 @@
 userdom_search_user_home_dirs(sulogin_t)
 userdom_use_user_ptys(sulogin_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e1568c6..7f915f3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 86%{?dist}
+Release: 87%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz 
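Review bot: `dev_read_video_dev(local_login_t)` grants the login program read access to video device nodes, while every neighbouring rule (`dev_setattr_power_mgmt_dev`, `dev_getattr_sound_dev`, `dev_setattr_sound_dev`) is the getattr/setattr pair that console device-ownership changes need; reading the device contents is more than that job requires. If the observed AVC was only getattr, use `dev_getattr_video_dev(local_login_t)` (plus `dev_setattr_video_dev` if ownership is changed — the pair xdm uses in this same patch's xserver.te hunk); if a genuine read was observed, add a comment explaining what login reads from a video device.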
@@ -469,6 +469,11 @@ exit 0
 %endif
 %changelog
+* Wed Feb 10 2010 Miroslav Grepl 3.6.32-87
+- Fixes for ipsec policy
+- Allow pppd to get attributes of the modem devices
+- Add label for /usr/share/e16/misc directory
+
 * Tue Feb 9 2010 Miroslav Grepl 3.6.32-86
 - Allow mysql ipc_lock capability
 - Allow passwd sys_nice capability