diff --git a/policy-20100106.patch b/policy-20100106.patch
index aa12c15..863a19d 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -563,6 +563,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +class x_keyboard # userspace + # FLASK +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.32/policy/mcs +--- nsaserefpolicy/policy/mcs 2010-01-18 18:24:22.535791555 +0100 ++++ serefpolicy-3.6.32/policy/mcs 2010-04-22 18:07:54.688859476 +0200 +@@ -64,30 +64,33 @@ + # the high range of the file. We use the high range of the process so + # that processes can always simply run at s0. + # +-# Note that getattr on files is always permitted. +-# +-mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom } +- (( h1 dom h2 ) or ( t1 == mlsfilewrite )); ++# Note: ++# - getattr on dirs/files is not constrained. ++# - /proc/pid operations are not constrained. ++ ++mlsconstrain file { read ioctl lock execute execute_no_trans } ++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); ++ ++mlsconstrain file { write setattr append unlink link rename } ++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); ++ ++mlsconstrain dir { search read ioctl lock } ++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + +-mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } +- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); ++mlsconstrain dir { write setattr append unlink link rename add_name remove_name } ++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + + # New filesystem object labels must be dominated by the relabeling subject + # clearance, also the objects are single-level. + mlsconstrain file { create relabelto } +- ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite )); +- +-# At this time we do not restrict "ps" type operations via MCS. This +-# will probably change in future. 
+-mlsconstrain file { read } +- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); ++ (( h1 dom h2 ) and ( l2 eq h2 )); + + # new file labels must be dominated by the relabeling subject clearance + mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } +- (( h1 dom h2 ) or ( t1 == mlsfilewrite )); ++ ( h1 dom h2 ); + + mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } +- ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite )); ++ (( h1 dom h2 ) and ( l2 eq h2 )); + + mlsconstrain process { transition dyntransition } + (( h1 dom h2 ) or ( t1 == mcssetcats )); diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.32/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2010-01-18 18:24:22.536797130 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/alsa.te 2010-03-30 09:07:39.038611245 +0200 
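Review bot: The rewritten constraints silently narrow the object classes: the removed rule covered `{ file chr_file blk_file lnk_file }` for write/setattr/append/unlink/link/rename/ioctl/lock/execute/relabelfrom, while the new `mlsconstrain file { write setattr append unlink link rename }` and its read counterpart apply to `file` alone, so writes to `chr_file`, `blk_file` and `lnk_file`, and `file relabelfrom`, are no longer MCS-constrained (the surviving `relabelfrom` rule lists `dir lnk_file chr_file blk_file sock_file fifo_file` but not `file`). The old dir rule likewise included `create reparent rmdir`, which the new `mlsconstrain dir { write setattr append unlink link rename add_name remove_name }` drops. If that narrowing is intended, say so in the new header comment beside `# - /proc/pid operations are not constrained.`; otherwise add `chr_file blk_file lnk_file` and `relabelfrom` back to the write rule and `rmdir reparent` to the dir rule. The inner hunk `@@ -64,30 +64,33 @@` shows only part of policy/mcs, so another constraint in that file may already cover these classes, and the `( t2 == domain )` clause now exempts writes to /proc/pid files as well as reads, which the comment should state explicitly. The spec changelog in this commit lists only the pulseaudio and hal changes, so the constraint rewrite should be recorded there too.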
@@ -1735,6 +1786,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_domtrans_setfiles_mac(livecd_t) -allow livecd_t self:passwd { passwd chfn chsh }; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if +--- nsaserefpolicy/policy/modules/apps/mono.if 2010-01-18 18:24:22.615530188 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2010-04-22 18:24:07.182611127 +0200 +@@ -113,6 +113,10 @@ + fs_dontaudit_rw_tmpfs_files($1_mono_t) + corecmd_bin_domtrans($1_mono_t, $1_t) + ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_t $1_mono_t:socket_class_set { read write }; ++ ') ++ + optional_policy(` + xserver_role($1_r, $1_mono_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100 @@ -2051,7 +2116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-03-08 12:59:06.980892887 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-04-21 14:10:04.244409189 +0200 @@ -1,5 +1,5 @@ -policy_module(pulseaudio, 1.0.1) 
@@ -2137,7 +2202,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) dbus_connect_session_bus(pulseaudio_t) -@@ -108,7 +139,9 @@ +@@ -105,10 +136,13 @@ + + optional_policy(` + udev_read_db(pulseaudio_t) ++ udev_read_state(pulseaudio_t) ') optional_policy(` 
@@ -5273,6 +5342,65 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 kernel_t:process sigkill; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if serefpolicy-3.6.32/policy/modules/kernel/mcs.if +--- nsaserefpolicy/policy/modules/kernel/mcs.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/kernel/mcs.if 2010-04-22 18:28:30.008859987 +0200 +@@ -3,6 +3,46 @@ + ## Contains attributes used in MCS policy. + ## + ++####################################### ++## ++## This domain is allowed to read files and directories ++## regardless of their MCS category set. ++## ++## ++## ++## Domain target for user exemption. ++## ++## ++## ++# ++interface(`mcs_file_read_all',` ++ gen_require(` ++ attribute mcsreadall; ++ ') ++ ++ typeattribute $1 mcsreadall; ++') ++ ++####################################### ++## ++## This domain is allowed to write files and directories ++## regardless of their MCS category set. ++## ++## ++## ++## Domain target for user exemption. 
++## ++## ++## ++# ++interface(`mcs_file_write_all',` ++ gen_require(` ++ attribute mcswriteall; ++ ') ++ ++ typeattribute $1 mcswriteall; ++') ++ + ######################################## + ## + ## This domain is allowed to sigkill and sigstop +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-3.6.32/policy/modules/kernel/mcs.te +--- nsaserefpolicy/policy/modules/kernel/mcs.te 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/kernel/mcs.te 2010-04-22 18:28:45.940609483 +0200 +@@ -9,3 +9,5 @@ + attribute mcskillall; + attribute mcsptraceall; + attribute mcssetcats; ++attribute mcswriteall; ++attribute mcsreadall; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.32/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2010-01-18 18:24:22.714539638 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/storage.if 2010-04-08 11:06:41.815365567 +0200 
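Review bot: The summaries of `mcs_file_read_all` and `mcs_file_write_all` say "regardless of their MCS category set" but do not name what is exempted, and the two attributes exempt different things: under the policy/mcs rules in this same commit, `mcswriteall` lifts the file `{ write setattr append unlink link rename }` and dir `{ write setattr append unlink link rename add_name remove_name }` constraints but not the `{ create relabelto }` rule, which stays `(( h1 dom h2 ) and ( l2 eq h2 ))`. A `mcswriteall` domain can therefore modify or unlink a file it does not dominate but still cannot create or relabel to such a label, which is worth stating in the summary, e.g. `## Exempts the domain from the MCS write constraints on existing files and directories; creating or relabeling to a non-dominated category set is still constrained.` Since both interfaces hand out an MCS bypass attribute, the parameter description `Domain target for user exemption.` should also say the caller is expected to be a trusted domain. The new `attribute mcswriteall;` / `attribute mcsreadall;` in mcs.te are consistent with these interfaces and with the names used in policy/mcs.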
@@ -9114,6 +9242,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) + +/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if +--- nsaserefpolicy/policy/modules/services/hal.if 2010-01-18 18:24:22.794542550 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/hal.if 2010-04-21 14:18:06.698657484 +0200 +@@ -357,6 +357,24 @@ + allow $1 hald_var_run_t:file read_file_perms; + ') + ++####################################### ++## ++## dontaudit read hald PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_dontaudit_read_pid_files',` ++ gen_require(` ++ type hald_var_run_t; ++ ') ++ ++ dontaudit $1 hald_var_run_t:file read_file_perms; ++') ++ + ######################################## + ## + ## Read/Write hald PID files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100 +++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-04-02 10:03:49.167852833 +0200 
@@ -9320,6 +9476,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.6.32/policy/modules/services/ldap.if +--- nsaserefpolicy/policy/modules/services/ldap.if 2010-01-18 18:24:22.804529993 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ldap.if 2010-04-22 18:18:40.382610878 +0200 +@@ -109,6 +109,30 @@ + files_search_pids($1) + allow $1 slapd_var_run_t:sock_file write; + allow $1 slapd_t:unix_stream_socket connectto; ++ ++ optional_policy(` ++ ldap_stream_connect_dirsrv($1) ++ ') ++') ++ ++####################################### ++## ++## Connect to dirsrv over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ldap_stream_connect_dirsrv',` ++ gen_require(` ++ type dirsrv_t, dirsrv_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 dirsrv_var_run_t:sock_file write; ++ allow $1 dirsrv_t:unix_stream_socket connectto; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-03-09 15:08:52.333753712 +0100 
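Review bot: `+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)` adds a commented-out file context to ldap.fc; a disabled .fc entry is dead configuration that drifts, so either enable it or leave it out, and if it is kept as a reminder give it a reason, e.g. `# TODO: sock_file label for /var/run/slapd.* -- <reason it is disabled>`. The new `ldap_stream_connect_dirsrv` interface lives in ldap.if but requires `dirsrv_t, dirsrv_var_run_t`, which appear to belong to a different module; the `optional_policy` wrapper added to `ldap_stream_connect` handles that module being absent, but any caller that invokes `ldap_stream_connect_dirsrv` directly outside `optional_policy` would presumably fail at link time without dirsrv, so the summary should say so or the interface should move to the dirsrv module.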
@@ -10777,7 +10967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read nx home directory content diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-03-30 16:18:00.117861110 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-04-21 14:15:29.816658068 +0200 @@ -36,6 +36,9 @@ type openvpn_var_run_t; files_pid_file(openvpn_var_run_t) @@ -10816,6 +11006,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) +@@ -112,6 +122,7 @@ + sysnet_manage_config(openvpn_t) + sysnet_etc_filetrans_config(openvpn_t) + ++userdom_read_home_certs(openvpn_t) + userdom_use_user_terminals(openvpn_t) + + tunable_policy(`openvpn_enable_homedirs',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.6.32/policy/modules/services/plymouthd.fc --- nsaserefpolicy/policy/modules/services/plymouthd.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/services/plymouthd.fc 2010-03-03 10:39:47.602620848 +0100 @@ -11690,7 +11888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-03-26 07:58:03.235601446 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-04-22 18:10:13.476860158 +0200 
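Review bot: `userdom_read_home_certs(openvpn_t)` is added unconditionally, directly above the `tunable_policy(`openvpn_enable_homedirs',` block that gates the daemon's other home-directory access, so certificates under user home directories become readable by openvpn_t even when the boolean is off. If home-directory access is meant to stay opt-in, move the call inside the tunable; if it is deliberately unconditional, a comment such as `# home-directory certs are readable regardless of openvpn_enable_homedirs` above it keeps the next reader from "fixing" it. The body of the tunable block is outside the hunk, so I cannot tell whether it already grants an equivalent read.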
@@ -1,5 +1,5 @@ -policy_module(policykit, 1.0.1) @@ -11741,16 +11939,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_auth_t self:fifo_file rw_fifo_file_perms; allow policykit_auth_t self:unix_dgram_socket create_socket_perms; -@@ -115,6 +119,8 @@ +@@ -115,6 +119,10 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) ++kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) ++ +dev_read_video_dev(policykit_auth_t) + files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) files_search_home(policykit_auth_t) -@@ -129,8 +135,11 @@ +@@ -129,8 +137,11 @@ miscfiles_read_localization(policykit_auth_t) miscfiles_read_fonts(policykit_auth_t) @@ -17557,7 +17757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-03-05 09:36:36.314559997 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-04-16 14:59:03.256613224 +0200 @@ -41,6 +41,14 @@ type mount_var_run_t; files_pid_file(mount_var_run_t) 
@@ -17573,6 +17773,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # mount local policy +@@ -48,7 +56,7 @@ + + # setuid/setgid needed to mount cifs + allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; +-allow mount_t self:process { getsched ptrace signal }; ++allow mount_t self:process { getcap getsched ptrace setcap signal }; + allow mount_t self:fifo_file rw_fifo_file_perms; + allow mount_t self:unix_stream_socket create_stream_socket_perms; + allow mount_t self:unix_dgram_socket create_socket_perms; @@ -155,6 +163,8 @@ seutil_read_config(mount_t) @@ -17991,7 +18200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-02-21 19:46:42.369309573 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-04-21 14:18:56.424659141 +0200 @@ -87,6 +87,7 @@ kernel_read_system_state(dhcpc_t) 
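Review bot: `allow mount_t self:process { getcap getsched ptrace setcap signal };` lets mount_t change its own capability set, but the comment two lines up, `# setuid/setgid needed to mount cifs`, explains only the capability line; extend it if the reason is the same, e.g. `# setuid/setgid, and getcap/setcap on self, needed to mount cifs`, or state the actual trigger. setcap on self only adjusts capabilities within the `sys_admin dac_override sys_rawio ...` set already allowed on the line above, so it is not an escalation by itself, but recording the denial or bug that motivated it lets a later reviewer re-verify that.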
@@ -18009,6 +18218,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +@@ -374,6 +375,7 @@ + + optional_policy(` + hal_dontaudit_rw_dgram_sockets(dhcpc_t) ++ hal_dontaudit_read_pid_files(ifconfig_t) + hal_dontaudit_rw_pipes(ifconfig_t) + hal_dontaudit_rw_dgram_sockets(ifconfig_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100 +++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index 123ce62..a2ba15d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 112%{?dist} +Release: 113%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,10 @@ exit 0 %endif %changelog +* Thu Apr 22 2010 Miroslav Grepl 3.6.32-113 +- Allow pulseaudio to read udev process state. +- Dontaudit hal leaks + * Fri Apr 16 2010 Miroslav Grepl 3.6.32-112 - Fix label for /usr/share/system-config-services/gui.py - Allow snort to read network state information