diff --git a/policy-20100106.patch b/policy-20100106.patch
index 87e0eaf..4b276a1 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -1,3 +1,14 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
+--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-08 14:42:10.000000000 +0100
+@@ -96,6 +96,7 @@
+ corenet_tcp_connect_ftp_port(abrt_t)
+ corenet_tcp_connect_all_ports(abrt_t)
++dev_getattr_all_chr_files(abrt_t)
+ dev_read_urand(abrt_t)
+ dev_rw_sysfs(abrt_t)
+ dev_dontaudit_read_memory_dev(abrt_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-06 11:05:50.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-06 15:16:37.000000000 +0100
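Review bot: `dev_getattr_all_chr_files(abrt_t)` in the abrt.te hunk grants stat access to every character device node, and neither the hunk nor the spec changelog entry says which node abrt actually touches, so a later audit cannot tell whether a narrower `dev_getattr_*` interface would do. Add a comment above the call recording the trigger, e.g. `# abrt stats device nodes while collecting crash data — TODO: name the node and narrow if a specific interface exists`. The permission is metadata-only, so the exposure is modest, but `_all_` interfaces are exactly the ones worth annotating inline.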
@@ -30,9 +41,151 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow apcupsd_t self:fifo_file rw_file_perms;
 allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
 allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-08 20:32:23.000000000 +0100
+@@ -555,6 +555,7 @@
+ logging_send_syslog_msg(cupsd_lpd_t)
+
+ miscfiles_read_localization(cupsd_lpd_t)
++miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+
+ cups_stream_connect(cupsd_lpd_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
+--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-08 14:24:25.000000000 +0100
+@@ -276,7 +276,11 @@
+ mta_manage_spool(dovecot_deliver_t)
+ ')
+
++
++
+ tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(dovecot_deliver_t)
++ fs_manage_nfs_dirs(dovecot_t)
+ fs_manage_nfs_files(dovecot_deliver_t)
+ fs_manage_nfs_symlinks(dovecot_deliver_t)
+ fs_manage_nfs_files(dovecot_t)
+@@ -284,6 +288,8 @@
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(dovecot_deliver_t)
++ fs_manage_cifs_dirs(dovecot_t)
+ fs_manage_cifs_files(dovecot_deliver_t)
+ fs_manage_cifs_symlinks(dovecot_deliver_t)
+ fs_manage_cifs_files(dovecot_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
+--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-08 16:30:32.000000000 +0100
+@@ -138,6 +138,24 @@
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+ ')
+
++#######################################
++##
++## Read and write to an fail2ban unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fail2ban_rw_stream_sockets',`
++ gen_require(`
++ type fail2ban_t;
++ ')
++
++ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
++')
++
+ ########################################
+ ##
+ ## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
+--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-08 15:00:18.000000000 +0100
+@@ -27,26 +27,59 @@
+
+ # check disk plugins
+ /usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+
+ # system plugins
+-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
+ # services plugins
+ /usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
+--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-08 15:01:28.000000000 +0100
+@@ -118,6 +118,10 @@
+ corenet_udp_sendrecv_all_ports(nagios_t)
+ corenet_tcp_connect_all_ports(nagios_t)
+
++# neede by rpcinfo
++corenet_dontaudit_tcp_bind_all_ports(nagios_t)
++corenet_dontaudit_udp_bind_all_ports(nagios_t)
++
+ dev_read_sysfs(nagios_t)
+ dev_read_urand(nagios_t)
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-06 15:41:16.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-08 20:27:51.000000000 +0100
 @@ -443,6 +443,7 @@
 optional_policy(`
@@ -41,6 +194,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
+@@ -486,7 +487,7 @@
+ ')
+
+ optional_policy(`
+- sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
++ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+ ')
+
+ optional_policy(`
 @@ -573,6 +574,8 @@
 # Postfix smtp delivery local policy
 #
@@ -79,6 +241,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow swat_t nmbd_t:process { signal signull };
 allow swat_t nmbd_exec_t:file mmap_file_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-01-08 16:31:13.000000000 +0100
+@@ -136,6 +136,8 @@
+
+ optional_policy(`
+ fail2ban_read_lib_files(sendmail_t)
++ fail2ban_rw_stream_sockets(sendmail_t)
++
+ ')
+
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-06 11:05:50.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-06 15:41:37.000000000 +0100
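Review bot: In the nagios.fc hunk, `check_breeze` and `check_dummy` are inserted under the `# system plugins` header but labelled `nagios_services_plugin_exec_t`, while every other entry in that group is `nagios_system_plugin_exec_t`; either move the two lines down to the `# services plugins` group or change their type, and say which was intended. The nagios.te comment has a typo: `# neede by rpcinfo` should read `# needed by rpcinfo`. The new `fail2ban_rw_stream_sockets` interface in fail2ban.if shows its doc block as bare `##` lines with no `<summary>` / `<param name="domain">` markup; that may be a rendering artefact of this page, but if the tags are really absent the interface will be missing from the generated interface documentation. The dovecot and cups changes in this outer hunk read fine.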
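Review bot: `sendmail_rw_unix_stream_sockets(postfix_postdrop_t)` replaces a `dontaudit` with an `allow` in the postfix.te hunk, so postdrop gains real read/write on sendmail's unix stream sockets, yet nothing in the hunk or in the spec changelog records why the previously silenced denial turned out to be a genuine need. Add a comment above the call, e.g. `# postdrop presumably inherits sendmail's socket when invoked from sendmail_t — TODO: cite the AVC that motivated this`, so the widening stays traceable. The `')` and `optional_policy(` context lines at the top of this hunk belong to blocks that start outside it.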
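Review bot: The sendmail.te hunk adds an empty `++` line between `fail2ban_rw_stream_sockets(sendmail_t)` and the closing `')`, leaving a trailing blank inside the `optional_policy` block, which the surrounding blocks do not do; drop it so the block reads `fail2ban_read_lib_files(sendmail_t)` / `fail2ban_rw_stream_sockets(sendmail_t)` / `')`. The call depends on the `fail2ban_rw_stream_sockets` interface introduced in the fail2ban.if hunk earlier in this patch, so the two must land in the same commit, as they do here. The sibling `optional_policy(` block at the end of the hunk continues outside it.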
@@ -131,9 +305,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_write_sound(virt_domain)
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
+--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-01-08 14:49:31.000000000 +0100
+@@ -65,6 +65,8 @@
+ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+ /usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
+@@ -105,6 +107,7 @@
+ /var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+ /var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+
+ /var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+@@ -116,6 +119,7 @@
+ /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+ /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-08 14:07:19.000000000 +0100
+@@ -301,6 +301,8 @@
+ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+
++allow xauth_t xserver_t:unix_stream_socket connectto;
++
+ domain_use_interactive_fds(xauth_t)
+
+ dev_rw_xserver_misc(xauth_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-06 15:08:52.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-08 20:06:50.000000000 +0100
 @@ -245,6 +245,7 @@
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
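Review bot: `/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)` in the xserver.fc hunk gives the LXDM log a different type from the neighbouring `[kw]dm\.log.*`, `Xorg.*` and `nvidia-installer\.log.*` entries, which are all `xserver_log_t`; if xdm_log_t is deliberate (plausibly, as the display manager's own log rather than the X server's), say so in the commit, otherwise align it with the `[kw]dm` line. The raw `allow xauth_t xserver_t:unix_stream_socket connectto;` in xserver.te carries no comment and the changelog line merely restates the rule; add one naming the reason, e.g. `# xauth connects to the X server socket — TODO: record the workload that needs this`. `connectto` alone does not cover writing to the socket file, so confirm xauth_t already has that on the socket's sock_file type or the connect will still be denied.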
@@ -142,3 +356,111 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -433,8 +434,13 @@
+ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-08 20:32:11.000000000 +0100
+@@ -618,3 +618,22 @@
+ manage_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+
++#######################################
++##
++## Set the attributes on a fonts cache directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`miscfiles_setattr_fonts_cache_dirs',`
++ gen_require(`
++ type fonts_cache_t;
++ ')
++
++ allow $1 fonts_cache_t:dir setattr;
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-08 16:35:49.000000000 +0100
+@@ -21,6 +21,8 @@
+ allow $1 self:capability all_capabilities;
+ allow $1 self:fifo_file manage_fifo_file_perms;
+
++ allow $1 self:socket_class_set create_socket_perms;
++
+ # Transition to myself, to make get_ordered_context_list happy.
+ allow $1 self:process transition;
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
+--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-07 16:46:35.000000000 +0100
+@@ -6,4 +6,5 @@
+ /dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+ /dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+ HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+ HOME_DIR/\.gvfs(/.*)? <>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-08 14:14:45.000000000 +0100
+@@ -248,10 +248,11 @@
+ #
+
+ allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
++allow xenconsoled_t self:process setrlimit;
+ allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+ allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+
+-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
++allow xenconsoled_t xen_devpts_t:chr_file manage_term_perms;
+
+ # pid file
+ manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+@@ -268,6 +269,7 @@
+
+ domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+
++files_read_etc_files(xenconsoled_t)
+ files_read_usr_files(xenconsoled_t)
+
+ fs_list_tmpfs(xenconsoled_t)
+@@ -286,6 +288,10 @@
+ xen_manage_log(xenconsoled_t)
+ xen_stream_connect_xenstore(xenconsoled_t)
+
++optional_policy(`
++ ptchown_domtrans(xenconsoled_t)
++')
++
+ ########################################
+ #
+ # Xen store local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-08 20:35:13.000000000 +0100
+@@ -310,7 +310,7 @@
+ #
+ define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
+ define(`rw_term_perms', `{ open rw_inherited_term_perms }')
+-
++define(`manage_term_perms',`{ create open setattr rename link unlink rw_inherited_term_perms }')
+ #
+ # Sockets
+ #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 77ed37a..f6595ee 100644
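Review bot: `/opt/Unify/SQLBase/libgptsblmsui11.so.*` in the libraries.fc hunk leaves the dot before `so` unescaped, unlike `libsybdb\.so.*` on the line above and every other textrel entry in the hunk; it should be `/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. In obj_perm_sets.spt the new `manage_term_perms` define takes the place of the blank separator before the `# Sockets` header, so re-add an empty line after it. In xen.te, switching `xen_devpts_t:chr_file` from `rw_term_perms` to `manage_term_perms` adds create/setattr/rename/link/unlink on the pty nodes, and together with the new `ptchown_domtrans(xenconsoled_t)` this deserves a one-line comment stating which xenconsoled operation creates or removes pty device nodes. The `miscfiles_setattr_fonts_cache_dirs` doc block also shows bare `##` lines without `<summary>` / `<param>` markup; verify that is only a rendering artefact of this page.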
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 67%{?dist}
+Release: 68%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -451,6 +451,15 @@ exit 0
 %endif
 %changelog
+* Fri Jan 8 2010 Miroslav Grepl 3.6.32-68
+- Fixes for xenconsoled
+- Allow xauth to connectto xserver_t unix_stream_socket
+- Add textrel_shlib_t fixes
+- Add labeling for LXDM
+- Allow cupsd_lpd_t to setattr fontconfig directory
+- Allow abrt to getattr on all character file device nodes.
+- Add labeling for the rest nagios plugins
+
 * Wed Jan 6 2010 Miroslav Grepl 3.6.32-67
 - Allow snmbd to send itself signal
 - Allow virt_domain to read /dev/random