diff --git a/policy-20071130.patch b/policy-20071130.patch
index aebfb5b..91b0aac 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -12096,7 +12096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-08 11:43:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-04-15 15:47:56.000000000 -0400
@@ -43,14 +43,13 @@
type cupsd_var_run_t;
@@ -12438,7 +12438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+
+lpd_manage_spool(cups_pdf_t)
+
-+rw_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
++manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if
--- nsaserefpolicy/policy/modules/services/cvs.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/cvs.if 2008-04-04 12:06:55.000000000 -0400
@@ -15048,7 +15048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-07 22:47:29.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-15 15:52:42.000000000 -0400
@@ -0,0 +1,53 @@
+policy_module(gnomeclock,1.0.0)
+########################################
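Review bot: `manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)` widens the cups-pdf backend from read/write to create, unlink and rename on every file of type cupsd_log_t, so a compromised backend (it presumably processes untrusted print-job data) could now delete or replace cupsd's own access and error logs instead of only writing its own. If the new need is just to create its own log file under the cupsd log type, `create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)` next to the existing `rw_files_pattern` covers that without unlink/rename; whichever rule is kept, a comment such as `# cups-pdf creates and writes its own log in the cupsd log directory` would record why it is wider than the other log rules. The cups_pdf_t policy block starts outside the hunk.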
@@ -15064,7 +15064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
+#
+# gnomeclock local policy
+#
-+allow gnomeclock_t self:capability { sys_nice sys_time };
++allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:process getsched;
+
+# internal communication is often done using fifo and unix sockets.
@@ -15826,7 +15826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-04-15 15:36:38.000000000 -0400
@@ -54,6 +54,12 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
@@ -15857,17 +15857,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
corenet_all_recvfrom_unlabeled(kadmind_t)
corenet_all_recvfrom_netlabel(kadmind_t)
-@@ -118,6 +125,9 @@
+@@ -118,6 +125,12 @@
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
++
++selinux_validate_context(kadmind_t)
++seutil_read_file_contexts(kadmind_t)
libs_use_ld_so(kadmind_t)
libs_use_shared_libs(kadmind_t)
-@@ -127,6 +137,7 @@
+@@ -127,6 +140,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
@@ -15875,7 +15878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -137,6 +148,7 @@
+@@ -137,6 +151,7 @@
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
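Review bot: Adding `sys_ptrace` to `allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };` is a much larger grant than the two it joins: CAP_SYS_PTRACE lets the clock helper attach to and read the memory of other processes, which has nothing to do with setting the time. In practice this capability is very often requested only because the program stats or reads `/proc/<pid>/` entries of processes it does not own, and in that case `dontaudit gnomeclock_t self:capability sys_ptrace;` silences the AVC without handing out the power; the changelog line "Allow gnomeclock sys_ptrace" is the only justification visible here, so confirm from the original denial whether a real ptrace is needed. If it is, a comment above the line naming the operation that needs it would stop the next reviewer from reverting it. The gnomeclock_t policy block continues outside the hunk.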
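Review bot: `selinux_validate_context(kadmind_t)` and `seutil_read_file_contexts(kadmind_t)` are the pair a program typically needs when it looks up a label for a file it is about to create (matchpathcon/selabel lookups), but the hunk grants nothing that lets kadmind apply such a label — no `self:process setfscreate` and no relabel permission on a target type — so either that side is granted elsewhere in kerberos.te or the lookup will succeed and the labelling step will still be denied. A comment above the two lines saying which file kadmind labels (presumably something it writes into its own var or keytab type — confirm against the denial) would make the intent checkable, and the matching write-side rule belongs next to it if it is missing. The kadmind_t rule block starts and ends outside the hunk.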
@@ -15883,7 +15886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
-@@ -151,7 +163,7 @@
+@@ -151,7 +166,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -15892,7 +15895,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
-@@ -223,6 +235,7 @@
+@@ -215,6 +230,9 @@
+ files_read_usr_symlinks(krb5kdc_t)
+ files_read_var_files(krb5kdc_t)
+
++selinux_validate_context(krb5kdc_t)
++seutil_read_file_contexts(krb5kdc_t)
++
+ libs_use_ld_so(krb5kdc_t)
+ libs_use_shared_libs(krb5kdc_t)
+
+@@ -223,6 +241,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -15900,7 +15913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -233,8 +246,10 @@
+@@ -233,8 +252,10 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
@@ -16296,7 +16309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-04-15 14:13:13.000000000 -0400
@@ -53,10 +53,9 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
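Review bot: The new inner hunk `@@ -215,6 +230,9 @@` gives krb5kdc_t `selinux_validate_context` and `seutil_read_file_contexts` with no comment and no visible permission to set a file-creation context or relabel anything, so a reader cannot tell whether the KDC is expected to label files it writes or merely to validate contexts it is handed. One line above the pair, e.g. `# krb5kdc looks up file contexts for the files it creates — TODO confirm which`, plus the corresponding `setfscreate`/relabel rule if that is the case, would make the grant self-explaining and catch the case where the lookup is allowed but the labelling is later denied. The krb5kdc_t rule block starts and ends outside the hunk.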
@@ -16310,7 +16323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
')
########################################
-@@ -65,8 +64,14 @@
+@@ -65,8 +64,15 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@@ -16319,6 +16332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+allow mailman_mail_t self:capability { setuid setgid };
+
+files_search_spool(mailman_mail_t)
++fs_rw_anon_inodefs_files(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
@@ -19078,8 +19092,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# Local Policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-04 12:06:55.000000000 -0400
-@@ -38,3 +38,5 @@
++++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-15 16:03:04.000000000 -0400
+@@ -31,6 +31,7 @@
+ /var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ /var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+ /var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
+
+ ifdef(`distro_redhat', `
+@@ -38,3 +39,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b0b21db..a2c409d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 35%{?dist}
+Release: 36%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
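Review bot: `fs_rw_anon_inodefs_files(mailman_mail_t)` is added with no comment saying which anonymous inode the mail runner opens; this interface is usually needed for epoll/eventfd/signalfd descriptors, and without a note the next maintainer has no way to tell it from a stray grant. A one-liner above it such as `# presumably epoll/eventfd descriptors from the Python runtime — confirm from the denial` keeps it explainable. The mailman_mail_t block continues outside the hunk.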
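Review bot: The new entry `/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)` carries no file-type field, while the neighbouring `/var/log/postgres\.log.* --` line restricts itself to regular files; if `logfile` is the single file that the startup script writes, the `(/.*)?` directory form is misleading and `/var/lib/pgsql/logfile -- gen_context(system_u:object_r:postgresql_log_t,s0)` says what is meant, and if it really is a directory the pattern is fine but belongs with the other `/var/lib/pgsql` entries rather than between the `/var/log` ones. Either way it is presumably more specific than a broader `/var/lib/pgsql(/.*)?` rule elsewhere in the file, so it wins by stem length rather than by position — worth a short comment so the ordering is not read as significant. The surrounding file_contexts list starts outside the hunk.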
@@ -383,7 +383,10 @@ exit 0
%endif
%changelog
-* Mon Apr 14 2008 Dan Walsh 3.3.1-35
+* Mon Apr 14 2008 Dan Walsh 3.3.1-36
+- dontaudit mrtg reading /proc
+- Allow iscsi to signal itself
+- Allow gnomeclock sys_ptrace
* Thu Apr 10 2008 Dan Walsh 3.3.1-33
- Allow dhcpd to read kernel network state