diff --git a/Changelog b/Changelog index 31d542c..3017da4 100644 --- a/Changelog +++ b/Changelog @@ -69,6 +69,7 @@ Thu, 31 Aug 2006 Fri, 01 Sep 2006 Tue, 05 Sep 2006 + Wed, 20 Sep 2006 - Added modules: afs amavis (Erich Schubert) diff --git a/policy/flask/mkaccess_vector.sh b/policy/flask/mkaccess_vector.sh index b5da734..02f895c 100755 --- a/policy/flask/mkaccess_vector.sh +++ b/policy/flask/mkaccess_vector.sh @@ -118,7 +118,6 @@ $1 == "inherits" { printf(" ") > outfile; printf("0x%08xUL\n", ind[i]) > outfile; } - printf("\n") > outfile; for (i in ind) delete ind[i]; for (i in inherited_perms) delete inherited_perms[i]; @@ -214,8 +213,6 @@ $1 == "}" { printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; } - printf("\n") > outfile; - nextstate = "COMMON_OR_AV"; } END { diff --git a/policy/mcs b/policy/mcs index 89cdec9..d51cf97 100644 --- a/policy/mcs +++ b/policy/mcs @@ -78,6 +78,9 @@ level s0:c0.c255; mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } ( h1 dom h2 ); +mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } + (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); + # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc index 4caaa8f..74ebff5 100644 --- a/policy/modules/admin/amanda.fc +++ b/policy/modules/admin/amanda.fc 
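Review bot: The new `mlsconstrain dir` rule in policy/mcs carries two exemptions, `( t2 == domain )` and `( t1 == mlsfileread )`, with no comment on what they are for, while the file constraint just above it has neither. If `t2 == domain` is meant to cover `/proc/<pid>` directories (which carry the process's domain type), a comment saying so would keep a later reader from treating it as an accidental hole; something like `# /proc/<pid> dirs are labeled with the domain type; mlsfileread subjects bypass the dominance check — confirm intent`. Note also that the dir rule constrains read-side operations (`getattr read search`) whereas the neighbouring file rule lists only write-side ones, so the two lists are intentionally asymmetric and that is worth stating.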
@@ -14,10 +14,13 @@ /usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) + /var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0) +/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) +/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) /var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0) -/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0) /var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0) -/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0) +# the null string in here because index is a m4 builtin function +/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0) /var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index b07c612..40815e0 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda,1.3.6) +policy_module(amanda,1.3.7) ####################################### # diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index 209fa45..14e63d7 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -1,5 +1,5 @@ -policy_module(logwatch,1.1.3) +policy_module(logwatch,1.1.4) ################################# # @@ -63,8 +63,10 @@ files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) files_dontaudit_search_home(logwatch_t) +files_dontaudit_search_boot(logwatch_t) fs_getattr_all_fs(logwatch_t) +fs_dontaudit_list_auto_mountpoints(logwatch_t) term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) 
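Review bot: The new catch-all `/var/lib/amanda/[^/]+(/.*)?` entry also matches `\.amandahosts` and `gnutar-lists`, so the `amanda_config_t` and `amanda_gnutarlists_t` labels on the entries below it now depend on file_contexts matching precedence instead of on disjoint patterns. A one-line comment above the catch-all, for instance `# entries below are more specific and must stay after this line`, would stop a later reorder from silently relabeling the hosts file as amanda_data_t. Also `[^/]*/log(/.*)?` uses `*` where the sibling entries use `[^/]+`; `[^/]+/log(/.*)?` would be consistent.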
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc index 384715c..7ebe9f6 100644 --- a/policy/modules/admin/rpm.fc +++ b/policy/modules/admin/rpm.fc @@ -10,11 +10,13 @@ /usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index da38ad5..70d96be 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.3.10) +policy_module(rpm,1.3.11) ######################################## # @@ -178,6 +178,8 @@ ifdef(`distro_redhat',` ifdef(`targeted_policy',` unconfined_domain(rpm_t) + # yum-updatesd requires this + unconfined_dbus_chat(rpm_t) ',` # cjp: these are here to stop type_transition # conflicts since rpm_t is an alias of diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 8be3a0c..46300c4 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if 
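Review bot: `/usr/sbin/yum-updatesd` is labeled `rpm_exec_t`, and the rpm.te hunk in this same commit shows `unconfined_domain(rpm_t)` under `targeted_policy`, so on targeted systems this program will run unconfined. If yum-updatesd is a long-running service, as its name suggests, that is a wider grant than a one-shot rpm invocation gets and should be stated next to the entry, e.g. `# runs as rpm_t, which is unconfined under targeted_policy`. The `# yum-updatesd requires this` comment on `unconfined_dbus_chat(rpm_t)` in rpm.te is the only hint of the dependency, so the two places should cross-reference each other.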
@@ -43,6 +43,7 @@ template(`su_restricted_domain_template', ` allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:key { search write }; allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_file_perms; allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; @@ -62,6 +63,7 @@ template(`su_restricted_domain_template', ` kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) + kernel_search_key($1_su_t) # for SSP dev_read_urand($1_su_t) diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index d9ef86a..22085b2 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -1,5 +1,5 @@ -policy_module(su,1.3.3) +policy_module(su,1.3.4) ######################################## # diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 6e3d737..35352e8 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.3.10) +policy_module(usermanage,1.3.11) ######################################## # @@ -442,6 +442,10 @@ optional_policy(` nis_use_ypbind(sysadm_passwd_t) ') +optional_policy(` + nscd_domtrans(sysadm_passwd_t) +') + ######################################## # # Useradd local policy diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te index 0505302..c924b16 100644 --- a/policy/modules/apps/mono.te +++ b/policy/modules/apps/mono.te @@ -1,5 +1,5 @@ -policy_module(mono,1.1.3) +policy_module(mono,1.1.4) ######################################## # @@ -7,10 +7,8 @@ policy_module(mono,1.1.3) # type mono_t; -domain_type(mono_t) - type mono_exec_t; -domain_entry_file(mono_t,mono_exec_t) +init_system_domain(mono_t,mono_exec_t) ######################################## # 
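Review bot: The two added key rules in `su_restricted_domain_template` — `allow $1_su_t self:key { search write };` in the first hunk and `kernel_search_key($1_su_t)` in the second — carry no comment on which caller needs keyring access, unlike the neighbouring `# for SSP` line. A comment such as `# keyring access, presumably for pam_keyinit — confirm` above each would make the reason recoverable. Both hunks sit inside the template, whose start and end lie outside the hunks.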
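Review bot: `nscd_domtrans(sysadm_passwd_t)` in usermanage.te lets the passwd domain execute nscd with a domain transition, which is more than the socket access most nscd clients use, and nothing explains why. If the intent is to invalidate the nscd cache after a password change, a comment like `# passwd runs nscd to invalidate its cache` would record that and justify a domtrans rather than a socket-use interface.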
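Review bot: Replacing `domain_type(mono_t)` and `domain_entry_file(mono_t,mono_exec_t)` with `init_system_domain(mono_t,mono_exec_t)` in mono.te changes how mono_t is entered — init_system_domain is the interface used for daemons started from init scripts — yet the hunk has no comment and the module still lives under policy/modules/apps. A line such as `# mono is started as a system daemon from init scripts` above the call would explain the switch; if mono is also launched directly by users, confirm that the previous entry path still works.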
@@ -32,6 +30,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + cups_dbus_chat(mono_t) + ') + + optional_policy(` hal_dbus_chat(mono_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index b00f0ee..f7ea49e 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -125,7 +125,6 @@ ifdef(`distro_gentoo',` /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -143,6 +142,7 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 513514e..5658693 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.3.15) +policy_module(corecommands,1.3.16) ######################################## # diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 1aa840b..7ded82b 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc 
@@ -14,6 +14,7 @@ /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) @@ -46,6 +47,7 @@ /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) +/dev/raw1394. -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index bc5b1c0..9564c3d 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.1.22) +policy_module(devices,1.1.23) ######################################## # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index a9d4601..1aa4279 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -386,7 +386,7 @@ interface(`files_write_non_security_dirs',` attribute file_type, security_file_type; ') - allow $1 file_type:dir write; + allow $1 { file_type -security_file_type }:dir write; ') ######################################## 
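Review bot: The new `/dev/raw1394.` pattern in devices.fc has a bare `.` with no quantifier, so it matches exactly one trailing character: `/dev/raw1394` itself and any name with a longer suffix are not covered, while the sibling `/dev/em8300.*` entry added in the first hunk uses `.*`. It should read `/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)`. Separately, if this is the libraw1394 raw IEEE 1394 node, labeling it `v4l_device_t` gives raw bus access to every domain allowed to use video4linux devices; a dedicated type, or at least a comment explaining why v4l is acceptable, would make that trade-off visible.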
@@ -4497,3 +4497,47 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') + +######################################## +## +## Allow attempts to monage any directory +## +## +## +## Domain to allow +## +## +# +interface(`files_manage_non_security_dirs',` + gen_require(` + attribute file_type, security_file_type; + ') + + allow $1 { file_type -security_file_type }:dir create_dir_perms; +') + +######################################## +## +## Create a aliased type to etc_runtime_t files. +## +## +##

+## Create a aliased type to etc runtime files. +##

+##

+## This is added to remove types that should have been etc_runtime_t +##

+##
+## +## +## Alias type for etc_runtime_t. +## +## +# +interface(`corecmd_etc_runtime_alias',` + gen_require(` + type etc_runtime_t; + ') + + typealias etc_runtime_t alias $1; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 81e4660..e35bab1 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.2.17) +policy_module(files,1.2.18) ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 5a7769c..c704c3f 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2437,6 +2437,24 @@ interface(`fs_getattr_rpc_pipefs',` allow $1 rpc_pipefs_t:filesystem getattr; ') +######################################### +## +## Read and write RPC pipe filesystem named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_rpc_named_pipes',` + gen_require(` + type nfs_t; + ') + + allow $1 rpc_pipefs_t:fifo_file { read write }; +') + ######################################## ## ## Mount a tmpfs filesystem. diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index b9fa21b..dab2451 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.3.14) +policy_module(filesystem,1.3.15) ######################################## # diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 5f8b1f4..e75d5de 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -1,5 +1,5 @@ -policy_module(mcs,1.0.3) +policy_module(mcs,1.0.4) ######################################## # 
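Review bot: The summary of `files_manage_non_security_dirs` reads "Allow attempts to monage any directory", which has a typo and overstates the rule, since `{ file_type -security_file_type }` excludes security types; `Manage all non-security directories.` would be accurate. The interface is named manage but grants `create_dir_perms`, whereas the sendmail.te hunk in this commit moves rules to `manage_dir_perms` for that meaning, so confirm which set is intended. The second interface is named `corecmd_etc_runtime_alias` but lives in files.if, where every other interface uses the `files_` prefix and `etc_runtime_t` is a files-module type, so callers will look for it under the wrong module; `files_etc_runtime_alias` follows the convention, and its summary should read `Create an alias of etc_runtime_t.` rather than "a aliased type".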
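Review bot: `fs_rw_rpc_named_pipes` requires `type nfs_t;` but its allow rule uses `rpc_pipefs_t`, so the gen_require does not declare the type the interface actually uses (compare `fs_getattr_rpc_pipefs` just above it, which requires rpc_pipefs_t). Change the require to `type rpc_pipefs_t;`. `rpc_domain_template` in rpc.if, also in this commit, is the first caller, so every rpc domain depends on this being right.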
@@ -43,6 +43,7 @@ range_transition initrc_t crond_exec_t s0 - s0:c0.c255; range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; range_transition initrc_t udev_exec_t s0 - s0:c0.c255; +range_transition initrc_t setrans_exec_t s0 - s0:c0.c255; range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; range_transition kernel_t udev_exec_t s0 - s0:c0.c255; diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 0b8fa12..9a3b190 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -917,7 +917,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') - dontaudit $1 tty_device_t:chr_file rw_file_perms; + dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append }; ') ######################################## diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index fb4e1c2..d87def7 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,5 +1,5 @@ -policy_module(terminal,1.1.8) +policy_module(terminal,1.1.9) ######################################## # diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index e8f7662..ebac567 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -1,5 +1,5 @@ -policy_module(amavis,1.0.8) +policy_module(amavis,1.0.9) ######################################## # @@ -156,6 +156,7 @@ mta_read_config(amavis_t) ifdef(`targeted_policy',` term_dontaudit_use_generic_ptys(amavis_t) + term_dontaudit_use_unallocated_ttys(amavis_t) ') optional_policy(` diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 9e0e150..7a2570c 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.3.17) +policy_module(apache,1.3.18) # # NOTES: 
@@ -514,6 +514,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; +allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms; ifdef(`targeted_policy',` gen_tunable(httpd_suexec_disable_trans,false) @@ -691,6 +692,10 @@ optional_policy(` nscd_socket_use(httpd_unconfined_script_t) ') +optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) +') + ######################################## # # httpd_rotatelogs local policy @@ -712,4 +717,5 @@ miscfiles_read_localization(httpd_rotatelogs_t) ifdef(`targeted_policy',` term_dontaudit_use_generic_ptys(httpd_rotatelogs_t) + term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t) ') diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index c92b118..ab4e301 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.2.8) +policy_module(automount,1.2.9) ######################################## # @@ -99,6 +99,8 @@ corenet_sendrecv_all_client_packets(automount_t) # Someone writes a showmount policy corenet_tcp_bind_reserved_port(automount_t) corenet_tcp_bind_all_rpc_ports(automount_t) +corenet_udp_bind_reserved_port(automount_t) +corenet_udp_bind_all_rpc_ports(automount_t) dev_read_sysfs(automount_t) # for SSP diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc index ad82661..3cb34d0 100644 --- a/policy/modules/services/bluetooth.fc +++ b/policy/modules/services/bluetooth.fc @@ -8,6 +8,7 @@ # /usr # /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) +/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) 
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index dac26bf..fd6c738 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth,1.2.9) +policy_module(bluetooth,1.2.10) ######################################## # @@ -217,6 +217,7 @@ ifdef(`targeted_policy',` fs_rw_tmpfs_files(bluetooth_helper_t) term_dontaudit_use_generic_ptys(bluetooth_helper_t) + term_dontaudit_use_unallocated_ttys(bluetooth_helper_t) unconfined_stream_connect(bluetooth_helper_t) @@ -224,7 +225,8 @@ ifdef(`targeted_policy',` optional_policy(` corenet_tcp_connect_xserver_port(bluetooth_helper_t) - + #Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205956 + xserver_read_xdm_tmp_files(bluetooth_helper_t) xserver_stream_connect_xdm(bluetooth_helper_t) xserver_use_xdm_fds(bluetooth_helper_t) xserver_rw_xdm_pipes(bluetooth_helper_t) @@ -245,5 +247,9 @@ optional_policy(` ') optional_policy(` + ppp_domtrans(bluetooth_t) +') + +optional_policy(` xserver_stream_connect_xdm(bluetooth_helper_t) ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index e79e014..a66b0ae 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,5 +1,5 @@ -policy_module(clamav,1.0.5) +policy_module(clamav,1.0.6) ######################################## # @@ -121,6 +121,7 @@ cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(clamd_t) term_dontaudit_use_generic_ptys(clamd_t) ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 6043f6c..e0c3284 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.3.13) +policy_module(cups,1.3.14) ######################################## # 
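Review bot: `ppp_domtrans(bluetooth_t)` in the last bluetooth.te hunk has no comment saying which bluetooth program needs to start pppd; the bluetooth.fc change in this commit adds `/usr/bin/dund` as `bluetooth_exec_t`, which is presumably the reason. A comment such as `# dund starts pppd for dial-up networking — confirm` would tie the two changes together for the next reader.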
@@ -159,7 +159,7 @@ fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) term_dontaudit_use_console(cupsd_t) -term_write_unallocated_ttys(cupsd_t) +term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) auth_domtrans_chk_passwd(cupsd_t) @@ -530,7 +530,8 @@ optional_policy(` # HPLIP local policy # -allow hplip_t self:capability net_raw; +# Needed for USB Scanneer and xsane +allow hplip_t self:capability { dac_override dac_read_search net_raw }; dontaudit hplip_t self:capability sys_tty_config; allow hplip_t self:fifo_file rw_file_perms; allow hplip_t self:process signal_perms; diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te index eff134a..3392bc4 100644 --- a/policy/modules/services/dhcp.te +++ b/policy/modules/services/dhcp.te @@ -1,5 +1,5 @@ -policy_module(dhcp,1.1.2) +policy_module(dhcp,1.1.3) ######################################## # @@ -124,6 +124,12 @@ optional_policy(` ') optional_policy(` + dbus_system_bus_client_template(dhcpd,dhcpd_t) + dbus_connect_system_bus(dhcpd_t) + dbus_send_system_bus(dhcpd_t) +') + +optional_policy(` nis_use_ypbind(dhcpd_t) ') diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index a475645..7854a02 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -34,11 +34,13 @@ interface(`kerberos_use',` gen_require(` type krb5_conf_t; + type krb5kdc_conf_t; ') files_search_etc($1) allow $1 krb5_conf_t:file { getattr read }; dontaudit $1 krb5_conf_t:file write; + dontaudit $1 krb5kdc_conf_t:dir r_dir_perms; tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index 2a9c1dd..4e85529 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -1,5 +1,5 @@ -policy_module(kerberos,1.1.3) +policy_module(kerberos,1.1.4) ######################################## # 
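Review bot: `allow hplip_t self:capability { dac_override dac_read_search net_raw };` in cups.te grants `dac_override`, which bypasses DAC for writes as well as reads; if the USB scanner and xsane case only needs to open device nodes or read files owned by another uid, `dac_read_search` alone covers it and the stronger capability can be dropped. If `dac_override` really is needed, the comment should name the write it enables. The comment above also misspells "Scanneer"; `# Needed for USB scanners and xsane` reads better.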
diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc index e97eb7a..adef45f 100644 --- a/policy/modules/services/lpd.fc +++ b/policy/modules/services/lpd.fc @@ -9,6 +9,7 @@ /usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) /usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) +/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 6adb181..615069a 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.2.6) +policy_module(lpd,1.2.7) ######################################## # diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc index da1e1e5..a1b3e62 100644 --- a/policy/modules/services/networkmanager.fc +++ b/policy/modules/services/networkmanager.fc @@ -3,3 +3,4 @@ /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant-global -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index a9de827..6b157e7 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.3.7) +policy_module(networkmanager,1.3.8) ######################################## # 
@@ -21,7 +21,7 @@ files_pid_file(NetworkManager_var_run_t) # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock}; -dontaudit NetworkManager_t self:capability sys_tty_config; +dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace setcap getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_file_perms; allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; @@ -78,6 +78,7 @@ corecmd_exec_ls(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t) +domain_dontaudit_read_all_domains_state(NetworkManager_t) files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) @@ -161,6 +162,7 @@ optional_policy(` optional_policy(` ppp_domtrans(NetworkManager_t) + ppp_read_pid_files(NetworkManager_t) ') optional_policy(` diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index 534d219..63b256a 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -1,5 +1,5 @@ -policy_module(ntp,1.1.5) +policy_module(ntp,1.1.6) ######################################## # @@ -122,6 +122,12 @@ ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(ntpd_t) term_dontaudit_use_generic_ptys(ntpd_t) files_dontaudit_read_root_files(ntpd_t) + + optional_policy(` + # The Gnome date GUI code is requesting that + # the ntp code change the date of the machine. + unconfined_rw_pipes(ntpd_t) + ') ') optional_policy(` diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 9f574d2..60a5f71 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te 
@@ -1,5 +1,5 @@ -policy_module(postfix,1.2.12) +policy_module(postfix,1.2.13) ######################################## # @@ -171,6 +171,11 @@ sysnet_read_config(postfix_master_t) mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(postfix_master_t) + term_dontaudit_use_generic_ptys(postfix_master_t) +') + optional_policy(` cyrus_stream_connect(postfix_master_t) ') @@ -361,6 +366,7 @@ seutil_read_config(postfix_map_t) sysnet_read_config(postfix_map_t) ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(postfix_map_t) term_dontaudit_use_generic_ptys(postfix_map_t) ') diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc index 3b2595c..ed6561f 100644 --- a/policy/modules/services/ppp.fc +++ b/policy/modules/services/ppp.fc @@ -1,8 +1,9 @@ # # /etc # -/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) -/etc/ppp/.* -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) +/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) /etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) /etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) @@ -10,6 +11,11 @@ /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0) # +# /sbin +# +/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) + +# # /usr # /usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) 
@@ -20,11 +26,10 @@ # /var # /var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0) -/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) +/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) # Fix pptp sockets /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) - diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index d6453d2..4617701 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -204,6 +204,24 @@ interface(`ppp_read_secrets',` ######################################## ## +## Read PPP pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ppp_read_pid_files',` + gen_require(` + type pppd_var_run_t; + ') + + allow $1 pppd_var_run_t:file r_file_perms; +') + +######################################## +## ## Create, read, write, and delete PPP pid files. ## ## diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te index 4f48f9b..fea68f7 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -1,5 +1,5 @@ -policy_module(ppp,1.2.4) +policy_module(ppp,1.2.5) ######################################## # @@ -64,7 +64,7 @@ allow pppd_t self:fifo_file rw_file_perms; allow pppd_t self:socket create_socket_perms; allow pppd_t self:unix_dgram_socket create_socket_perms; allow pppd_t self:unix_stream_socket create_socket_perms; -allow pppd_t self:netlink_route_socket r_netlink_socket_perms; +allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; allow pppd_t self:tcp_socket create_stream_socket_perms; allow pppd_t self:udp_socket { connect connected_socket_perms }; allow pppd_t self:packet_socket create_socket_perms; 
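Review bot: `ppp_read_pid_files` in ppp.if allows `r_file_perms` on `pppd_var_run_t` files but grants no directory search, so a caller cannot reach files under `/var/run/ppp/` (which ppp.fc labels `pppd_var_run_t` as a directory) unless it already has that access; `kerberos_use` in this same commit shows the usual pairing with `files_search_etc($1)`. Adding `files_search_pids($1)` and `allow $1 pppd_var_run_t:dir search_dir_perms;` before the allow would make the interface self-sufficient.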
@@ -80,9 +80,11 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr }; allow pppd_t pppd_etc_t:dir rw_dir_perms; allow pppd_t pppd_etc_t:file r_file_perms; allow pppd_t pppd_etc_t:lnk_file { getattr read }; -files_etc_filetrans(pppd_t,pppd_etc_t,file) +allow pppd_t pppd_etc_rw_t:dir rw_dir_perms; allow pppd_t pppd_etc_rw_t:file create_file_perms; +# Automatically label newly created files under /etc/ppp with this type +type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t; allow pppd_t pppd_lock_t:file create_file_perms; files_lock_filetrans(pppd_t,pppd_lock_t,file) @@ -104,9 +106,6 @@ allow pppd_t pptp_t:process signal; # Access secret files allow pppd_t pppd_secret_t:file r_file_perms; -# Automatically label newly created files under /etc/ppp with this type -type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t; - kernel_read_kernel_sysctls(pppd_t) kernel_read_system_state(pppd_t) kernel_read_net_sysctls(pppd_t) @@ -147,7 +146,10 @@ corecmd_exec_shell(pppd_t) domain_use_interactive_fds(pppd_t) files_exec_etc_files(pppd_t) -files_read_etc_runtime_files(pppd_t) +files_manage_etc_runtime_files(pppd_t) +files_etc_filetrans_etc_runtime(pppd_t, { dir file }) +files_dontaudit_write_etc_files(pppd_t) + # for scripts files_read_etc_files(pppd_t) @@ -174,6 +176,8 @@ userdom_dontaudit_search_sysadm_home_dirs(pppd_t) userdom_search_sysadm_home_dirs(pppd_t) userdom_search_unpriv_users_home_dirs(pppd_t) +ppp_exec(pppd_t) + ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(pppd_t) term_dontaudit_use_generic_ptys(pppd_t) @@ -306,6 +310,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + consoletype_exec(pppd_t) +') + +optional_policy(` hostname_exec(pptp_t) ') diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index 32b5371..30c3244 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if 
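Review bot: `files_manage_etc_runtime_files(pppd_t)` together with `files_etc_filetrans_etc_runtime(pppd_t, { dir file })` replaces the read-only `files_read_etc_runtime_files(pppd_t)` with create, write and delete on every `etc_runtime_t` file plus creation of `etc_runtime_t` directories in /etc, with no comment on which file pppd actually writes. If the need is a single file (ppp.fc in this commit labels `/etc/ppp/resolv\.conf` as `pppd_etc_rw_t`, so it is not that one), a comment naming the file would keep the grant auditable. The `dir` in `{ dir file }` deserves justification in particular, since creating directories directly in /etc is unusual for a daemon.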
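Review bot: `ppp_exec(pppd_t)` lets pppd_t execute `pppd_exec_t` without a transition, but nothing says why a domain needs to exec its own entry point; the ppp.fc hunk in this commit labels `/sbin/ppp-watch` as `pppd_exec_t`, so this is presumably ppp-watch, running as pppd_t, launching pppd. A comment such as `# ppp-watch runs as pppd_t and execs pppd — confirm` would record that.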
@@ -92,6 +92,7 @@ template(`rpc_domain_template', ` corenet_udp_bind_reserved_port($1_t) corenet_sendrecv_generic_server_packets($1_t) + fs_rw_rpc_named_pipes($1_t) fs_search_auto_mountpoints($1_t) term_dontaudit_use_console($1_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 955933c..e5ec339 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,5 +1,5 @@ -policy_module(rpc,1.2.14) +policy_module(rpc,1.2.15) ######################################## # diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index 66ae8fe..37a1f90 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -1,5 +1,5 @@ -policy_module(sendmail,1.2.2) +policy_module(sendmail,1.2.3) ######################################## # @@ -37,6 +37,13 @@ allow sendmail_t sendmail_log_t:file create_file_perms; allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr }; logging_log_filetrans(sendmail_t,sendmail_log_t,{ file dir }) +allow sendmail_t sendmail_tmp_t:dir manage_dir_perms; +allow sendmail_t sendmail_tmp_t:file manage_file_perms; +files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) + +allow sendmail_t sendmail_var_run_t:file manage_file_perms; +files_pid_filetrans(sendmail_t,sendmail_var_run_t,file) + kernel_read_kernel_sysctls(sendmail_t) # for piping mail to a command kernel_read_system_state(sendmail_t) @@ -104,13 +111,6 @@ ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) files_dontaudit_read_root_files(sendmail_t) -',` - allow sendmail_t sendmail_tmp_t:dir create_dir_perms; - allow sendmail_t sendmail_tmp_t:file create_file_perms; - files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) - - allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock }; - files_pid_filetrans(sendmail_t,sendmail_var_run_t,file) ') optional_policy(` 
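Review bot: The tmp and pid rules hoisted out of the strict-only branch (deleted in the `@@ -104,13 +111,6 @@` hunk) come back broader than they were: `create_dir_perms` becomes `manage_dir_perms` and the explicit file list `{ getattr create read write append setattr unlink lock }` becomes `manage_file_perms`, which, if I recall the macro definitions, also covers rename and link. If the widening is intentional, a comment saying which sendmail operation needed it would help; otherwise keep the previous permission sets while hoisting them, e.g. `allow sendmail_t sendmail_tmp_t:dir create_dir_perms;`. Note also that these rules now apply under targeted policy too, where the deleted block previously granted them nothing.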
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index c3ced2a..34a8e5d 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -1,5 +1,5 @@ -policy_module(setroubleshoot,1.0.1) +policy_module(setroubleshoot,1.0.2) ######################################## # @@ -69,6 +69,8 @@ corenet_sendrecv_smtp_client_packets(setroubleshootd_t) dev_read_urand(setroubleshootd_t) +domain_dontaudit_search_all_domains_state(setroubleshootd_t) + files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) files_getattr_all_dirs(setroubleshootd_t) @@ -82,6 +84,7 @@ term_dontaudit_use_all_user_ttys(setroubleshootd_t) init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) init_use_fds(setroubleshootd_t) +init_use_script_ptys(setroubleshootd_t) libs_use_ld_so(setroubleshootd_t) libs_use_shared_libs(setroubleshootd_t) @@ -107,3 +110,7 @@ optional_policy(` rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) ') + +optional_policy(` + nis_use_ypbind(setroubleshootd_t) +') diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index 730a1ac..cbe73e4 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -46,3 +46,22 @@ interface(`snmp_read_snmp_var_lib_files',` allow $1 snmpd_var_lib_t:file r_file_perms; allow $1 snmpd_var_lib_t:lnk_file { getattr read }; ') + +######################################## +## +## dontaudit Read snmpd libraries. +## +## +## +## Domain allowed access. +## +## +# +interface(`snmp_dontaudit_read_snmp_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') + dontaudit $1 snmpd_var_lib_t:dir r_dir_perms; + dontaudit $1 snmpd_var_lib_t:file r_file_perms; + dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; +') diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index a5f45da..68ccd3e 100644 
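Review bot: The summary for `snmp_dontaudit_read_snmp_var_lib_files` reads `dontaudit Read snmpd libraries.`, but judging by the type name snmpd_var_lib_t covers snmpd's /var/lib state rather than libraries, and the sibling interface `snmp_read_snmp_var_lib_files` just above uses a sentence-style summary; suggest `Do not audit attempts to read snmpd /var/lib files.`. Stylistically the new interface also runs its `dontaudit` lines straight after `gen_require(...)` with no separating blank line, unlike `ppp_read_pid_files` added earlier in this diff. The XML markup of the doc block is not visible on this page, so I cannot check the `<param>` block itself.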
--- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -1,5 +1,5 @@ -policy_module(snmp,1.1.3) +policy_module(snmp,1.1.4) ######################################## # diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te index a7b4e7e..11723c0 100644 --- a/policy/modules/services/xfs.te +++ b/policy/modules/services/xfs.te @@ -1,5 +1,5 @@ -policy_module(xfs,1.0.4) +policy_module(xfs,1.0.5) ######################################## # @@ -21,7 +21,7 @@ files_pid_file(xfs_var_run_t) # Local policy # -allow xfs_t self:capability { setgid setuid }; +allow xfs_t self:capability { dac_override setgid setuid }; dontaudit xfs_t self:capability sys_tty_config; allow xfs_t self:process { signal_perms setpgid }; allow xfs_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index ca83c75..bfa78ae 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.3.14) +policy_module(authlogin,1.3.15) ######################################## # @@ -206,6 +206,8 @@ files_list_mnt(pam_console_t) # read /etc/mtab files_read_etc_runtime_files(pam_console_t) +fs_list_auto_mountpoints(pam_console_t) + init_use_fds(pam_console_t) init_use_script_ptys(pam_console_t) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 0ef6d0b..bfa3b7f 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,5 +1,5 @@ -policy_module(fstools,1.3.4) +policy_module(fstools,1.3.5) ######################################## # @@ -112,6 +112,9 @@ corecmd_list_bin(fsadm_t) corecmd_list_sbin(fsadm_t) corecmd_read_bin_symlinks(fsadm_t) corecmd_read_sbin_symlinks(fsadm_t) +#RedHat bug #201164 +corecmd_exec_shell(fsadm_t) + # cjp: these are probably not needed: corecmd_read_bin_files(fsadm_t) corecmd_read_bin_pipes(fsadm_t) 
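Review bot: Adding `dac_override` to `xfs_t self:capability` lets the font server bypass discretionary permission checks on anything its SELinux rules already let it touch, and the hunk gives no reason. Capabilities like this are usually added in response to a denial on a root-owned file or directory; fixing the ownership or mode of that path, or labelling it so a narrower rule fits, is preferable to a blanket capability. If it must stay, please record the trigger the way the fstools hunk below does, e.g. `# <BUG-REF-TODO>: xfs needs dac_override to read <PATH-TODO>`.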
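Review bot: `corecmd_exec_shell(fsadm_t)` lets the filesystem-admin domain run a shell without a domain transition, a notable widening, and the `#RedHat bug #201164` comment records the source but not which tool spawns the shell. Expanding it to name the program, e.g. `# RedHat bug #201164: <TOOL-TODO> runs a shell`, would let a later reviewer drop the rule once that tool no longer needs it. The enclosing fsadm_t rule block continues outside the hunk.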
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index d35db82..b95fa3d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.3.24) +policy_module(init,1.3.25) gen_require(` class passwd rootok; @@ -520,6 +520,11 @@ ifdef(`targeted_policy',` # optional_policy(`',` # mta_send_mail(initrc_t) # ') + + # allow init scripts to su + optional_policy(` + su_restricted_domain_template(initrc,initrc_t,system_r) + ') ') optional_policy(` @@ -732,11 +737,6 @@ optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) ') -# allow init scripts to su -optional_policy(` - su_restricted_domain_template(initrc,initrc_t,system_r) -') - optional_policy(` sysnet_read_dhcpc_state(initrc_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index bc9a6ac..ef686ba 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -128,6 +128,7 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -140,8 +141,7 @@ ifdef(`distro_gentoo',` /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - +/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -252,7 +252,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Java, Sun Microsystems (JPackage SRPM) -/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -263,6 +263,7 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?lib/xchat/plugins/systray.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 1aad262..634b95c 100644 
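Review bot: The new `/usr/(local/)?lib/xchat/plugins/systray.so` entry leaves the dot in `systray.so` unescaped, while every neighbouring pattern writes `\.so`; as a regex an unescaped `.` matches any character, which is harmless here but inconsistent with the file. The same commit also adds `lib(64)?` to the libfame entry in the `@@ -140,8 +141,7 @@` hunk, so the xchat entry should probably get it too. Suggest `/usr/(local/)?lib(64)?/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.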
--- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.3.13) +policy_module(libraries,1.3.14) ######################################## # diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 8b2ede9..ba03328 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.2.15) +policy_module(selinuxutil,1.2.16) ifdef(`strict_policy',` gen_require(` @@ -449,8 +449,6 @@ selinux_compute_create_context(restorecond_t) selinux_compute_relabel_context(restorecond_t) selinux_compute_user_contexts(restorecond_t) -term_dontaudit_use_generic_ptys(restorecond_t) - auth_relabel_all_files_except_shadow(restorecond_t ) auth_read_all_files_except_shadow(restorecond_t) @@ -466,6 +464,11 @@ logging_send_syslog_msg(restorecond_t) miscfiles_read_localization(restorecond_t) +ifdef(`targeted_policy',` + term_dontaudit_use_generic_ptys(restorecond_t) + term_dontaudit_use_unallocated_ttys(restorecond_t) +') + optional_policy(` rpm_use_script_fds(restorecond_t) ') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 4ab9df0..a42a0de 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -1,5 +1,5 @@ -policy_module(setrans,1.0.2) +policy_module(setrans,1.0.3) ######################################## # @@ -43,6 +43,7 @@ kernel_read_proc_symlinks(setrans_t) # allow performing getpidcon() on all processes domain_read_all_domains_state(setrans_t) +domain_dontaudit_search_all_domains_state(setrans_t) domain_getattr_all_domains(setrans_t) domain_getsession_all_domains(setrans_t) diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc index 339e7a9..0a44f00 100644 --- a/policy/modules/system/xen.fc +++ b/policy/modules/system/xen.fc 
@@ -7,6 +7,7 @@ /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) +/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 4954537..b0ce265 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -1,5 +1,5 @@ -policy_module(xen,1.0.10) +policy_module(xen,1.0.11) ######################################## # @@ -68,7 +68,7 @@ init_daemon_domain(xm_t, xm_exec_t) # xend local policy # -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw }; dontaudit xend_t self:capability { sys_ptrace }; allow xend_t self:process { signal sigkill }; dontaudit xend_t self:process ptrace; @@ -153,6 +153,7 @@ files_etc_filetrans_etc_runtime(xend_t,file) files_read_usr_files(xend_t) storage_raw_read_fixed_disk(xend_t) +storage_raw_read_removable_device(xend_t) term_getattr_all_user_ptys(xend_t) term_use_generic_ptys(xend_t)
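Review bot: After adding `sys_ptrace` to the `allow xend_t self:capability { ... }` line, the following context line `dontaudit xend_t self:capability { sys_ptrace };` is dead — an allow for the same permission makes the dontaudit meaningless — and should be removed so the policy does not read as if the capability were still denied. sys_ptrace is a strong capability (it gates inspecting other processes' /proc state and, together with process:ptrace, attaching to them); since `dontaudit xend_t self:process ptrace;` is still only dontaudited, the allow is probably here for /proc reads rather than attaching, but the hunk does not say. A comment such as `# sys_ptrace: <REASON-TODO>` on the allow line would document the intent.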