diff --git a/policy-20070703.patch b/policy-20070703.patch index 7bba72a..0837497 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -2301,7 +2301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.8/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/gnome.if 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/gnome.if 2007-10-25 15:10:45.000000000 -0400 @@ -33,6 +33,51 @@ ## # @@ -3733,7 +3733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-25 10:23:02.000000000 -0400 @@ -6,6 +6,22 @@ # Declarations # @@ -3757,16 +3757,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Mark process types as domains attribute domain; -@@ -80,6 +96,8 @@ +@@ -80,6 +96,9 @@ allow domain self:lnk_file r_file_perms; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) +# Every domain gets the key ring, so we should default to no one allowed to look at it +kernel_dontaudit_search_key(domain) ++kernel_dontaudit_link_key(domain) # create child processes in the domain allow domain self:process { fork sigchld }; -@@ -134,3 +152,22 @@ +@@ -134,3 +153,22 @@ # act on all domains keys allow unconfined_domain_type domain:key *; 
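Review bot: The new `kernel_dontaudit_link_key(domain)` line in the domain.te hunk extends the blanket dontaudit on the `domain` attribute to the `link` permission, but the comment above it (`# Every domain gets the key ring, so we should default to no one allowed to look at it`) still explains only the search case. Because this suppresses the audit record for every confined domain that tries to link a key into kernel_t's keyring, the reason such attempts are expected should be on record; I would reword the comment to `# Every domain gets the key ring, so we should default to no one allowed to search or link it (dontaudit, not allow, so the ring stays protected)`. This is a dontaudit rather than an allow, so it widens no access, but it does remove visibility of those denials from the audit log, which is worth stating. The line depends on the `kernel_dontaudit_link_key` interface added to kernel.if elsewhere in this same patch, so the two hunks must land together.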
@@ -4421,7 +4422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-25 10:22:41.000000000 -0400 @@ -352,6 +352,24 @@ ######################################## @@ -4447,7 +4448,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Allow link to the kernel key ring. ## ## -@@ -1867,6 +1885,27 @@ +@@ -370,6 +388,24 @@ + + ######################################## + ## ++## dontaudit link to the kernel key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dontaudit_link_key',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ dontaudit $1 kernel_t:key link; ++') ++ ++######################################## ++## + ## Allows caller to read the ring buffer. + ## + ## +@@ -1867,6 +1903,27 @@ ######################################## ## @@ -6528,7 +6554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-10-25 10:22:16.000000000 -0400 @@ -48,9 +48,8 @@ type hplip_t; type hplip_exec_t; 
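Review bot: The summary of the new `kernel_dontaudit_link_key` interface in the kernel.if hunk reads `## dontaudit link to the kernel key ring.`, which does not follow the wording used for the sibling dontaudit interfaces in refpolicy (`Do not audit attempts to ...`); I would change it to `## Do not audit attempts to link to the kernel key ring.`. The interface body itself (`dontaudit $1 kernel_t:key link;` after a `gen_require` of `type kernel_t;`) matches the existing `kernel_link_key` pattern and is placed directly after it, which is the right spot. The rendered page appears to have dropped the XML `<summary>`/`<param>` tags from the doc block, so I cannot confirm from here that they are present in the actual patch; please check that the block validates for the interface documentation generator.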
@@ -6698,7 +6724,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -377,6 +398,14 @@ +@@ -331,6 +352,7 @@ + dev_read_sysfs(cupsd_config_t) + dev_read_urand(cupsd_config_t) + dev_read_rand(cupsd_config_t) ++dev_rw_generic_usb_dev(cupsd_config_t) + + fs_getattr_all_fs(cupsd_config_t) + fs_search_auto_mountpoints(cupsd_config_t) +@@ -377,6 +399,14 @@ ') optional_policy(` @@ -6713,7 +6747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -393,6 +422,7 @@ +@@ -393,6 +423,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -6721,7 +6755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -525,11 +555,9 @@ +@@ -525,11 +556,9 @@ allow hplip_t cupsd_etc_t:dir search; cups_stream_connect(hplip_t) @@ -6736,7 +6770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -560,7 +588,9 @@ +@@ -560,7 +589,9 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -6747,7 +6781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -587,8 +617,6 @@ +@@ -587,8 +618,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -6756,7 +6790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) ') -@@ -668,3 +696,15 @@ +@@ -668,3 +697,15 @@ optional_policy(` udev_read_db(ptal_t) ') 
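Review bot: The added `dev_rw_generic_usb_dev(cupsd_config_t)` in the cups.te hunk is the first write-capable device access for the configuration domain in that block (the surrounding `dev_read_sysfs`, `dev_read_urand` and `dev_read_rand` calls are all read-only), and it carries no comment saying which helper triggered it or whether read access would have been enough. Since this is an allow rule over every generic USB device node, I would add a one-line justification above it, e.g. `# cupsd_config_t helpers probe USB printers directly; confirm rw (not read-only) is required`, so a later reviewer can tell whether the grant can be narrowed. The same interface is already granted to `hplip_t` further down in this section, which suggests the printer-probing path, but that is an inference from the visible lines rather than something the hunk states.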
@@ -16200,8 +16234,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-22 16:43:49.000000000 -0400 -@@ -5,36 +5,51 @@ ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-25 15:22:18.000000000 -0400 +@@ -5,36 +5,52 @@ # # Declarations # @@ -16222,6 +16256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +unconfined_terminal_type(unconfined_devpts_t) +unconfined_terminal_type(unconfined_tty_device_t) ++userdom_user_home_content(unconfined,unconfined_gnome_home_t) type unconfined_exec_t; init_system_domain(unconfined_t,unconfined_exec_t) @@ -16260,7 +16295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,31 +57,29 @@ +@@ -42,31 +58,29 @@ logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -16299,7 +16334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -107,6 +120,10 @@ +@@ -107,6 +121,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -16310,7 +16345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -114,15 +131,15 @@ +@@ -114,15 +132,15 @@ ') optional_policy(` @@ -16329,7 +16364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -130,15 +147,10 @@ +@@ -130,15 +148,10 @@ ') optional_policy(` 
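Review bot: The added `userdom_user_home_content(unconfined,unconfined_gnome_home_t)` in the unconfined.te hunk sits between the `unconfined_terminal_type(...)` calls and `type unconfined_exec_t;`, while the `type unconfined_gnome_home_t;` declaration it depends on is not visible in this hunk and presumably lives further up in the same `@@ -5,36 +5,52 @@` region. For consistency with how the terminal types are declared and then immediately assigned their attribute, I would move this call to sit directly under the `unconfined_gnome_home_t` type declaration and give it a short comment such as `# gnome config files in unconfined users' home dirs get the user home content attribute`, since the spec changelog in this commit only says "Fix creation of unconfined_gnome_home_t" without saying what was broken. The inner unconfined.te hunk starts before the lines shown here, so I cannot verify the declaration from this view.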
@@ -16347,7 +16382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -155,32 +167,23 @@ +@@ -155,32 +168,23 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -16384,7 +16419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +208,22 @@ +@@ -205,11 +209,22 @@ ') optional_policy(` @@ -16409,7 +16444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -225,8 +239,21 @@ +@@ -225,8 +240,21 @@ init_dbus_chat_script(unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 07007ed..42dfb17 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 32%{?dist} +Release: 33%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -373,8 +373,14 @@ exit 0 %endif %changelog +* Thu Oct 25 2007 Dan Walsh 3.0.8-33 +- Allow cupsd_config_t to use usb_device_t +- Dontaudit use of kernel_t +- Fix creation of unconfined_gnome_home_t + * Wed Oct 24 2007 Dan Walsh 3.0.8-32 - Dontaudit mail programs looking at munin_var_lib +- Allow NetworkManager to restart/reload nscd * Tue Oct 23 2007 Dan Walsh 3.0.8-31 - Fixes for vmware