diff --git a/policy-20090521.patch b/policy-20090521.patch
index a7a6e32..6a0de7e 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -1736,6 +1736,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2010-01-19 12:51:11.968607327 +0100
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in	2010-02-15 11:55:04.801319350 +0100
+@@ -1703,6 +1703,24 @@
+ 	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
++#######################################
++## <summary>
++## Dontaudit read and write the TUN/TAP virtual network device.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_dontaudit_rw_tun_tap_dev',`
++	gen_require(`
++		type tun_tap_device_t;
++	')
++
++	dontaudit $1 tun_tap_device_t:chr_file { read write };
++')
++
+ ########################################
+ ## <summary>
+ ##	Getattr the point-to-point device.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-01-19 12:51:11.969607384 +0100
 +++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in	2010-01-19 12:51:30.720620172 +0100
@@ -2527,7 +2555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2010-01-19 12:51:12.011613147 +0100
-+++ serefpolicy-3.6.12/policy/modules/services/avahi.te	2010-01-19 12:51:30.753620389 +0100
++++ serefpolicy-3.6.12/policy/modules/services/avahi.te	2010-02-19 16:26:20.062788152 +0100
 @@ -24,7 +24,7 @@
  # Local policy
  #
@@ -2537,6 +2565,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dontaudit avahi_t self:capability sys_tty_config;
  allow avahi_t self:process { setrlimit signal_perms getcap setcap };
  allow avahi_t self:fifo_file rw_fifo_file_perms;
+@@ -32,6 +32,7 @@
+ allow avahi_t self:unix_dgram_socket create_socket_perms;
+ allow avahi_t self:tcp_socket create_stream_socket_perms;
+ allow avahi_t self:udp_socket create_socket_perms;
++allow avahi_t self:packet_socket create_socket_perms;
+ 
+ files_search_var_lib(avahi_t)
+ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2010-01-19 12:51:12.015607859 +0100
 +++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te	2010-01-19 12:51:30.754620516 +0100
@@ -5071,7 +5107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2010-01-19 12:51:12.172608000 +0100
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2010-01-19 12:51:30.870608939 +0100
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2010-02-19 17:06:55.362786312 +0100
 @@ -263,6 +263,7 @@
  corenet_tcp_sendrecv_generic_node(spamc_t)
  corenet_tcp_connect_spamd_port(spamc_t)
@@ -5088,6 +5124,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -469,6 +471,10 @@
+ userdom_search_user_home_dirs(spamd_t)
+ 
+ optional_policy(`
++	dcc_domtrans_cdcc(spamd_t) 
++')
++
++optional_policy(`
+ 	exim_manage_spool_dirs(spamd_t)
+ 	exim_manage_spool_files(spamd_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2010-01-19 12:51:12.176608090 +0100
 +++ serefpolicy-3.6.12/policy/modules/services/squid.te	2010-01-19 12:51:30.871608089 +0100
@@ -6104,6 +6151,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
  
  /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if	2010-01-19 12:51:12.215617940 +0100
++++ serefpolicy-3.6.12/policy/modules/system/init.if	2010-02-19 17:14:08.890786923 +0100
+@@ -1641,3 +1641,26 @@
+ 	allow $1 init_t:unix_dgram_socket sendto;
+ 	allow init_t $1:unix_dgram_socket sendto;
+ ')
++
++#######################################
++## <summary>
++## Dontaudit read and write an leaked init scrip file descriptors
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`init_dontaudit_script_leaks',`
++	gen_require(`
++		type initrc_t;
++	')
++
++	dontaudit $1 initrc_t:tcp_socket { read write };
++	dontaudit $1 initrc_t:unix_dgram_socket { read write };
++	dontaudit $1 initrc_t:unix_stream_socket { read write };
++	dontaudit $1 initrc_t:shm rw_shm_perms;
++	init_dontaudit_use_script_ptys($1)
++	init_dontaudit_use_script_fds($1)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-01-19 12:51:12.218608055 +0100
 +++ serefpolicy-3.6.12/policy/modules/system/init.te	2010-01-19 12:51:30.897609022 +0100
@@ -6328,8 +6405,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ipsec_setcontext_default_spd(setkey_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2010-01-19 12:51:12.220618087 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/iptables.te	2010-01-19 12:51:30.899617658 +0100
-@@ -101,10 +101,18 @@
++++ serefpolicy-3.6.12/policy/modules/system/iptables.te	2010-02-19 17:01:13.929787818 +0100
+@@ -43,6 +43,7 @@
+ kernel_use_fds(iptables_t)
+ 
+ corenet_relabelto_all_packets(iptables_t)
++corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+ 
+ dev_read_sysfs(iptables_t)
+ 
+@@ -67,6 +68,7 @@
+ # to allow rules to be saved on reboot:
+ init_rw_script_tmp_files(iptables_t)
+ init_rw_script_stream_sockets(iptables_t)
++init_dontaudit_script_leaks(iptables_t)
+ 
+ logging_send_syslog_msg(iptables_t)
+ 
+@@ -101,10 +103,18 @@
  ')
  
  optional_policy(`
@@ -6461,7 +6554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow sulogin_t self:capability sys_tty_config;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.12/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2010-01-19 12:51:12.227608292 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/logging.fc	2010-01-19 12:51:30.903607202 +0100
++++ serefpolicy-3.6.12/policy/modules/system/logging.fc	2010-02-16 17:57:57.974848550 +0100
 @@ -50,6 +50,7 @@
  ')
  
@@ -6470,6 +6563,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
  ')
  
+@@ -62,6 +63,7 @@
+ /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ 
++/var/spool/bacula/log(/.*)?  gen_context(system_u:object_r:var_log_t,s0) 
+ /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
+ /var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-01-19 12:51:12.230617963 +0100
 +++ serefpolicy-3.6.12/policy/modules/system/logging.te	2010-01-19 12:51:30.903607202 +0100
@@ -6525,8 +6626,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Do not audit attempts to search man pages.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.12/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2010-01-19 12:51:12.236617958 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/mount.if	2010-01-19 12:51:30.907607780 +0100
-@@ -175,7 +175,9 @@
++++ serefpolicy-3.6.12/policy/modules/system/mount.if	2010-02-15 11:50:23.579325271 +0100
+@@ -16,6 +16,12 @@
+ 	')
+ 
+ 	domtrans_pattern($1,mount_exec_t,mount_t)
++
++	ifdef(`hide_broken_symptoms', `
++        dontaudit mount_t $1:unix_stream_socket { read write };
++        dontaudit mount_t $1:tcp_socket  { read write };
++        dontaudit mount_t $1:udp_socket { read write };
++    ')
+ ')
+ 
+ ########################################
+@@ -175,7 +181,9 @@
  interface(`mount_signal',`
  	gen_require(`
  		type mount_t;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 440fbac..a2fde53 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 94%{?dist}
+Release: 95%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -442,6 +442,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Feb 19 2010 Miroslav Grepl <mgrepl@redhat.com> 3.6.12-95
+- Fixes for avahi policy
+
 * Tue Jan 19 2010 Miroslav Grepl <mgrepl@redhat.com> 3.6.12-94
 - Allow hotplug to transition to brctl domain
 - Allow sendmail to read and write to an fail2ban unix stream socket