diff --git a/policy-20090105.patch b/policy-20090105.patch
index c0737fc..25cb9db 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -1524,7 +1524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
application_executable_file(sudo_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.12/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-21 15:49:55.000000000 -0400
@@ -90,15 +90,6 @@
miscfiles_read_localization($1_su_t)
@@ -2777,8 +2777,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,272 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-21 15:54:32.000000000 -0400
+@@ -0,0 +1,274 @@
+
+## policy for nsplugin
+
@@ -2889,6 +2889,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
++ allow nsplugin_t $2:sem { unix_read unix_write };
++ allow nsplugin_t $2:shm { unix_read unix_write };
+
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
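Review bot: The two `++` lines give `nsplugin_t` `unix_read` and `unix_write` on every `sem` and `shm` object of the `$2` user domain, and nothing in the hunk records which plugin operation needs it; because this interface is a template over the caller's user domain, the grant is repeated for each user type it is instantiated for, and `unix_write` on `shm` lets the plugin sandbox modify shared-memory segments belonging to the user's ordinary processes. A one-line comment above the pair would let a later reviewer judge whether read-only would suffice, e.g. `# plugins attach to the user's SysV shm/sem (TODO: name the plugin/operation that needs unix_write)`. The enclosing template definition starts and ends outside the hunk.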
@@ -5079,7 +5081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-21 16:08:44.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -5150,7 +5152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
-@@ -153,3 +172,43 @@
+@@ -153,3 +172,45 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5164,7 +5166,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ cron_dontaudit_write_system_job_tmp_files(domain)
+ cron_rw_pipes(domain)
+ cron_rw_system_job_pipes(domain)
++
+ifdef(`hide_broken_symptoms',`
++ fs_list_inotifyfs(domain)
+ allow domain domain:key { link search };
+')
+')
@@ -6319,7 +6323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## requiring the caller to use setexeccon().
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-21 15:50:14.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
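Review bot: `++ fs_list_inotifyfs(domain)` is placed inside the `hide_broken_symptoms` ifdef block in the domain.te hunk, so with that build option every domain in the policy gains directory listing on inotifyfs; an allow rule in a block whose stated purpose is hiding symptoms widens access for all domains rather than just silencing the denial. If the goal is only to quiet AVC messages, a dontaudit form of the interface does that without granting anything; if the access is really required, the rule belongs outside the ifdef with a comment saying which domain needs it and why. The cron.te hunk further down (`++fs_list_inotifyfs(system_cronjob_t)`) grants the same access to one domain explicitly, which is redundant under that build option and suggests the need is per-domain; the spec changelog in this commit mentions neither grant. The block closed by the outer `+')` starts outside the hunk.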
@@ -6367,15 +6371,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -127,18 +114,10 @@
+@@ -127,7 +114,7 @@
')
optional_policy(`
- cron_admin_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- cvs_exec(sysadm_t)
++ su_exec(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -135,10 +122,6 @@
')
optional_policy(`
@@ -6386,7 +6391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
-@@ -166,10 +145,6 @@
+@@ -166,10 +149,6 @@
')
optional_policy(`
@@ -6397,7 +6402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
firstboot_run(sysadm_t, sysadm_r)
')
-@@ -178,22 +153,6 @@
+@@ -178,22 +157,6 @@
')
optional_policy(`
@@ -6420,7 +6425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_run(sysadm_t, sysadm_r)
')
-@@ -212,11 +171,7 @@
+@@ -212,11 +175,7 @@
')
optional_policy(`
@@ -6433,7 +6438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -228,10 +183,6 @@
+@@ -228,10 +187,6 @@
')
optional_policy(`
@@ -6444,7 +6449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logrotate_run(sysadm_t, sysadm_r)
')
-@@ -255,14 +206,6 @@
+@@ -255,14 +210,6 @@
')
optional_policy(`
@@ -6459,7 +6464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mta_role(sysadm_r, sysadm_t)
')
-@@ -290,11 +233,6 @@
+@@ -290,11 +237,6 @@
')
optional_policy(`
@@ -6471,7 +6476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
-@@ -308,10 +246,6 @@
+@@ -308,10 +250,6 @@
')
optional_policy(`
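Review bot: `++ su_exec(sysadm_t)` takes the place of the removed `cron_admin_role(sysadm_r, sysadm_t)` inside its `optional_policy` block, and the interface name indicates su is executed in the caller's own domain, so the setuid su process would run as `sysadm_t` rather than transitioning to a su domain; the hunk gives no reason for choosing exec-without-transition over a role or run interface, and the su.if change in this commit is a timestamp only, so the choice cannot be checked from here — confirm it is intended. A short comment would make the intent explicit, e.g. `# run su in sysadm_t itself; no domain transition`. The `optional_policy` block is fully inside the hunk; the other sysadm.te hunks in this commit are line-number shifts only.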
@@ -6482,7 +6487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
quota_run(sysadm_t, sysadm_r)
')
-@@ -320,22 +254,10 @@
+@@ -320,22 +258,10 @@
')
optional_policy(`
@@ -6505,7 +6510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rsync_exec(sysadm_t)
')
-@@ -345,10 +267,6 @@
+@@ -345,10 +271,6 @@
')
optional_policy(`
@@ -6516,7 +6521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
secadm_role_change(sysadm_r)
')
-@@ -358,35 +276,15 @@
+@@ -358,35 +280,15 @@
')
optional_policy(`
@@ -6552,7 +6557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +292,10 @@
+@@ -394,18 +296,10 @@
')
optional_policy(`
@@ -6571,7 +6576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(sysadm_t)
')
-@@ -418,20 +308,12 @@
+@@ -418,20 +312,12 @@
')
optional_policy(`
@@ -6592,7 +6597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
vpn_run(sysadm_t, sysadm_r)
')
-@@ -440,13 +322,5 @@
+@@ -440,13 +326,5 @@
')
optional_policy(`
@@ -10688,7 +10693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 09:44:30.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 16:03:54.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10919,7 +10924,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +434,8 @@
+@@ -345,6 +409,7 @@
+ fs_getattr_all_symlinks(system_cronjob_t)
+ fs_getattr_all_pipes(system_cronjob_t)
+ fs_getattr_all_sockets(system_cronjob_t)
++fs_list_inotifyfs(system_cronjob_t)
+
+ # quiet other ps operations
+ domain_dontaudit_read_all_domains_state(system_cronjob_t)
+@@ -370,7 +435,8 @@
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10929,7 +10942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(system_cronjob_t)
-@@ -378,6 +443,7 @@
+@@ -378,6 +444,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
@@ -10937,7 +10950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
-@@ -418,6 +484,10 @@
+@@ -418,6 +485,10 @@
')
optional_policy(`
@@ -10948,7 +10961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ftp_read_log(system_cronjob_t)
')
-@@ -428,11 +498,20 @@
+@@ -428,11 +499,20 @@
')
optional_policy(`
@@ -10969,7 +10982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -447,6 +526,7 @@
+@@ -447,6 +527,7 @@
prelink_read_cache(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
@@ -10977,7 +10990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -460,8 +540,7 @@
+@@ -460,8 +541,7 @@
')
optional_policy(`
@@ -10987,7 +11000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -469,24 +548,17 @@
+@@ -469,24 +549,17 @@
')
optional_policy(`
@@ -11015,7 +11028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -570,6 +642,9 @@
+@@ -570,6 +643,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@@ -19942,7 +19955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-21 13:16:52.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-21 15:17:25.000000000 -0400
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 40eb0a3..a5feca4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,7 +446,12 @@ exit 0
%endif
%changelog
+* Tue Apr 21 2009 Dan Walsh 3.6.12-11
+- Allow nsplugin unix_read and write on users shm and sem
+- Allow sysadm_t to execute su
+
* Tue Apr 21 2009 Dan Walsh 3.6.12-10
+- Dontaudit attempts to getattr user_tmpfs_t by lvm
- Allow nfs to share removable media
* Mon Apr 20 2009 Dan Walsh 3.6.12-9