diff --git a/policy-20100106.patch b/policy-20100106.patch index e62f751..54a9dfc 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -82,6 +82,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_home_content(prelink_t) optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.6.32/policy/modules/admin/quota.te +--- nsaserefpolicy/policy/modules/admin/quota.te 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/admin/quota.te 2010-02-11 17:52:39.497458571 +0100 +@@ -39,6 +39,7 @@ + kernel_list_proc(quota_t) + kernel_read_proc_symlinks(quota_t) + kernel_read_kernel_sysctls(quota_t) ++kernel_setsched(quota_t) + + dev_read_sysfs(quota_t) + dev_getattr_all_blk_files(quota_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2010-01-18 18:24:22.565530533 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2010-02-09 10:21:28.868615982 +0100 
@@ -190,6 +201,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if +--- nsaserefpolicy/policy/modules/apps/execmem.if 2010-01-18 18:24:22.590539929 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-02-11 17:58:09.307708740 +0100 +@@ -74,6 +74,11 @@ + ') + + optional_policy(` ++ nsplugin_rw_shm($1_execmem_t) ++ nsplugin_rw_semaphores($1_execmem_t) ++ ') ++ ++ optional_policy(` + xserver_common_app($1_execmem_t) + xserver_role($2, $1_execmem_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 2010-01-18 18:24:22.593530742 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-02 18:41:27.873067758 +0100 
@@ -455,6 +481,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if +--- nsaserefpolicy/policy/modules/apps/nsplugin.if 2010-01-18 18:24:22.627530248 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2010-02-11 17:58:29.270708387 +0100 +@@ -321,3 +321,39 @@ + + allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; + ') ++ ++######################################## ++## ++## Read and write to nsplugin shared memory. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`nsplugin_rw_shm',` ++ gen_require(` ++ type nsplugin_t; ++ ') ++ ++ allow $1 nsplugin_t:shm rw_shm_perms; ++') ++ ++##################################### ++## ++## Allow read and write access to nsplugin semaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_rw_semaphores',` ++ gen_require(` ++ type nsplugin_t; ++ ') ++ ++ allow $1 nsplugin_t:sem rw_sem_perms; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100 
@@ -475,7 +544,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-01-18 18:24:22.632542198 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-02-01 17:25:51.033096867 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-02-11 17:58:33.409458697 +0100 +@@ -29,7 +29,7 @@ + ps_process_pattern($2, pulseaudio_t) + + allow pulseaudio_t $2:process { signal signull }; +- allow $2 pulseaudio_t:process { signal signull }; ++ allow $2 pulseaudio_t:process { signal signull sigkill }; + ps_process_pattern(pulseaudio_t, $2) + + allow pulseaudio_t $2:unix_stream_socket connectto; @@ -137,10 +137,10 @@ # interface(`pulseaudio_stream_connect',` 
@@ -530,7 +608,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-22 15:41:50.752727640 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-02-11 17:41:13.265459296 +0100 +@@ -29,7 +29,7 @@ + dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; + role $2 types sandbox_domain; + allow sandbox_domain $1:process sigchld; +- allow sandbox_domain $1:fifo_file rw_fifo_file_perms; ++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; + + allow $1 sandbox_x_domain:process { signal_perms transition }; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; +@@ -37,7 +37,7 @@ + role $2 types sandbox_x_domain; + role $2 types sandbox_xserver_t; + allow $1 sandbox_xserver_t:process signal_perms; +- dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms; ++ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; + dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; + allow sandbox_xserver_t $1:unix_stream_socket { read write }; @@ -45,9 +45,10 @@ allow sandbox_x_domain $1:process { sigchld signal }; allow sandbox_x_domain sandbox_x_domain:process signal; 
@@ -626,7 +722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-02-01 20:25:27.706170172 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-02-11 17:45:05.778708766 +0100 @@ -10,14 +10,15 @@ # 
@@ -733,21 +829,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t) dev_read_rand(sandbox_web_client_t) -+dev_read_sound(sandbox_web_client_t) +dev_write_sound(sandbox_web_client_t) ++dev_read_sound(sandbox_web_client_t) # Browse the web, connect to printer corenet_all_recvfrom_unlabeled(sandbox_web_client_t) -@@ -267,7 +276,7 @@ +@@ -249,14 +258,19 @@ + corenet_raw_sendrecv_all_nodes(sandbox_web_client_t) + corenet_tcp_sendrecv_http_port(sandbox_web_client_t) + corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t) ++corenet_tcp_connect_flash_port(sandbox_web_client_t) + corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t) + corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t) ++corenet_tcp_connect_streaming_port(sandbox_web_client_t) ++corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t) ++corenet_tcp_connect_speech_port(sandbox_web_client_t) + corenet_tcp_connect_http_port(sandbox_web_client_t) + corenet_tcp_connect_http_cache_port(sandbox_web_client_t) + corenet_tcp_connect_ftp_port(sandbox_web_client_t) + corenet_tcp_connect_ipp_port(sandbox_web_client_t) + corenet_tcp_connect_generic_port(sandbox_web_client_t) + corenet_tcp_connect_soundd_port(sandbox_web_client_t) ++corenet_tcp_connect_speech_port(sandbox_web_client_t) + corenet_sendrecv_http_client_packets(sandbox_web_client_t) + corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t) + corenet_sendrecv_ftp_client_packets(sandbox_web_client_t) +@@ -265,9 +279,8 @@ + # Should not need other ports + corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t) corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) - corenet_tcp_connect_speech_port(sandbox_web_client_t) +-corenet_tcp_connect_speech_port(sandbox_web_client_t) -#auth_use_nsswitch(sandbox_web_client_t) +auth_use_nsswitch(sandbox_web_client_t) dbus_system_bus_client(sandbox_web_client_t) dbus_read_config(sandbox_web_client_t) 
-@@ -279,6 +288,8 @@ +@@ -279,6 +292,8 @@ selinux_compute_user_contexts(sandbox_web_client_t) seutil_read_default_contexts(sandbox_web_client_t) @@ -756,7 +874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nsplugin_read_rw_files(sandbox_web_client_t) nsplugin_rw_exec(sandbox_web_client_t) -@@ -310,7 +321,7 @@ +@@ -310,7 +325,7 @@ corenet_tcp_connect_all_ports(sandbox_net_client_t) corenet_sendrecv_all_client_packets(sandbox_net_client_t) 
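Review bot: `corenet_tcp_connect_speech_port(sandbox_web_client_t)` now appears twice in the regenerated sandbox.te section, once after the `corenet_tcp_sendrecv_ipp_port` line and again after `corenet_tcp_connect_soundd_port`, while the original call below `# Should not need other ports` is removed. One call is enough, so the second can go. The same section adds connect access to the flash, streaming and pulseaudio ports for sandbox_web_client_t without saying why; a line such as `# media plugins: flash, streaming, pulseaudio, speech` above them would keep the sandbox's port allow-list auditable. The sandbox_web_client_t rule block starts and ends outside this hunk.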
@@ -1180,8 +1298,70 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-09 09:59:39.756615405 +0100 -@@ -3496,6 +3496,24 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-11 20:29:48.903440849 +0100 +@@ -1632,6 +1632,36 @@ + + ######################################## + ## ++## Create an object in a hugetlbfs filesystem, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++# ++interface(`fs_hugetlbfs_filetrans',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $2 hugetlbfs_t:filesystem associate; ++ filetrans_pattern($1, hugetlbfs_t, $2, $3) ++') ++ ++######################################## ++## + ## Search inotifyfs filesystem. + ## + ## +@@ -1668,6 +1698,24 @@ + + ######################################## + ## ++## Dontaudit List inotifyfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_list_inotifyfs',` ++ gen_require(` ++ type inotifyfs_t; ++ ') ++ ++ dontaudit $1 inotifyfs_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Mount an iso9660 filesystem, which + ## is usually used on CDs. + ## +@@ -3496,6 +3544,24 @@ ######################################## ## 
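Review bot: The new `fs_dontaudit_list_inotifyfs` interface describes its parameter as "Domain allowed access.", but its only rule is `dontaudit $1 inotifyfs_t:dir list_dir_perms;`, which grants nothing and only suppresses the AVC record. The parameter text should read `Domain to not audit.` and the summary `Do not audit attempts to list the inotifyfs filesystem.`. The wording matters to anyone reading the interface list to work out why a denial is missing from the audit log.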
@@ -1206,7 +1386,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write generic tmpfs files. ## ## -@@ -4297,6 +4315,26 @@ +@@ -3722,7 +3788,7 @@ + + ######################################## + ## +-## Mount a XENFS filesystem. ++## Search the XENFS filesystem. + ## + ## + ## +@@ -3730,17 +3796,17 @@ + ## + ## + # +-interface(`fs_mount_xenfs',` ++interface(`fs_search_xenfs',` + gen_require(` + type xenfs_t; + ') + +- allow $1 xenfs_t:filesystem mount; ++ allow $1 xenfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Search the XENFS filesystem. ++## Mount a XENFS filesystem. + ## + ## + ## +@@ -3748,12 +3814,12 @@ + ## + ## + # +-interface(`fs_search_xenfs',` ++interface(`fs_mount_xenfs',` + gen_require(` + type xenfs_t; + ') + +- allow $1 xenfs_t:dir search_dir_perms; ++ allow $1 xenfs_t:filesystem mount; + ') + + ######################################## +@@ -4297,6 +4363,26 @@ ######################################## ## @@ -1233,7 +1458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write files on cgroup ## file systems. ## -@@ -4409,3 +4447,23 @@ +@@ -4409,3 +4495,23 @@ write_files_pattern($1, cgroup_t, cgroup_t) ') 
@@ -1257,6 +1482,86 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-01-18 18:24:22.705531020 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2010-02-11 20:29:53.802696084 +0100 +@@ -1,5 +1,5 @@ + +-policy_module(filesystem, 1.12.0) ++policy_module(filesystem, 1.12.1) + + ######################################## + # +@@ -178,6 +178,11 @@ + + allow tmpfs_t noxattrfs:filesystem associate; + ++type xenfs_t; ++fs_noxattr_type(xenfs_t) ++files_mountpoint(xenfs_t) ++genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) ++ + ############################## + # + # Filesystems without extended attribute support +@@ -260,11 +265,6 @@ + genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) + +-type xenfs_t; +-fs_noxattr_type(xenfs_t) +-files_mountpoint(xenfs_t) +-genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) +- + ######################################## + # + # Rules for all filesystem types +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te +--- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-02-11 17:58:37.444708661 +0100 +@@ -76,20 +76,20 @@ + webadm_role_change(staff_r) + ') + +-domain_read_all_domains_state(staff_t) +-domain_getattr_all_domains(staff_t) ++domain_read_all_domains_state(staff_usertype) ++domain_getattr_all_domains(staff_usertype) + domain_obj_id_change_exemption(staff_t) + 
+-files_read_kernel_modules(staff_t) ++files_read_kernel_modules(staff_usertype) + +-kernel_read_fs_sysctls(staff_t) ++kernel_read_fs_sysctls(staff_usertype) + +-modutils_read_module_config(staff_t) +-modutils_read_module_deps(staff_t) ++modutils_read_module_config(staff_usertype) ++modutils_read_module_deps(staff_usertype) + +-miscfiles_read_hwdata(staff_t) ++miscfiles_read_hwdata(staff_usertype) + +-term_use_unallocated_ttys(staff_t) ++term_use_unallocated_ttys(staff_usertype) + + optional_policy(` + gnomeclock_dbus_chat(staff_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te +--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-01-18 18:24:22.719529727 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2010-02-11 14:08:45.869618803 +0100 +@@ -129,6 +129,10 @@ + ') + + optional_policy(` ++ daemonstools_run_start(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + dcc_run_cdcc(sysadm_t, sysadm_r) + dcc_run_client(sysadm_t, sysadm_r) + dcc_run_dbclean(sysadm_t, sysadm_r) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100 
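Review bot: Switching `domain_read_all_domains_state` and `domain_getattr_all_domains` in staff.te from staff_t to staff_usertype extends visibility of every domain's process state to all types carrying that attribute, and the hunk has no comment naming the domain that needs it. staff_usertype is not declared in the visible lines, so I am assuming it covers staff_t plus the domains derived from it. `domain_obj_id_change_exemption(staff_t)` and `gnomeclock_dbus_chat(staff_t)` stay on staff_t, which suggests the split is deliberate. A comment above the block, e.g. `# staff_usertype: <derived domain that needs these reads>`, would record the reason.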
@@ -1565,12 +1870,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow apcupsd_t self:tcp_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-01-27 17:37:31.626864275 +0100 -@@ -64,6 +64,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-02-11 20:25:58.833441037 +0100 +@@ -64,6 +64,8 @@ corenet_udp_sendrecv_all_ports(arpwatch_t) dev_read_sysfs(arpwatch_t) +dev_read_usbmon_dev(arpwatch_t) ++dev_rw_generic_usb_dev(arpwatch_t) fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) @@ -1668,8 +1974,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ccs_read_config(corosync_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-03 21:39:39.157822554 +0100 -@@ -323,6 +323,10 @@ ++++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-11 12:37:32.141868288 +0100 +@@ -268,6 +268,11 @@ + ') + + optional_policy(` ++ djbdns_search_key_tinydns(crond_t) ++ djbdns_link_key_tinydns(crond_t) ++') ++ ++optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) + ') +@@ -323,6 +328,10 @@ udev_read_db(crond_t) ') 
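Review bot: `dev_rw_generic_usb_dev(arpwatch_t)` gives a network-facing daemon read and write access to generic USB device nodes, which is broader than the `dev_read_usbmon_dev(arpwatch_t)` line directly above it suggests is needed. If the denial only comes from capture-device enumeration (an assumption, since the hunk gives no reason), a read-only or dontaudit variant would be the tighter choice. Otherwise add a comment naming the access that needs write, e.g. `# <reason arpwatch writes to USB device nodes>`. The arpwatch_t rule block starts and ends outside this hunk.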
@@ -1735,7 +2053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-10 16:28:56.322607977 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-11 12:35:57.243619172 +0100 @@ -26,6 +26,8 @@ daemontools_read_svc(djbdns_$1_t) 
@@ -1745,6 +2063,61 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow djbdns_$1_t self:tcp_socket create_stream_socket_perms; allow djbdns_$1_t self:udp_socket create_socket_perms; +@@ -50,3 +52,39 @@ + + files_search_var(djbdns_$1_t) + ') ++ ++###################################### ++## ++## Allow search the djbdns-tinydns key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`djbdns_search_key_tinydns',` ++ gen_require(` ++ type djbdns_tinydns_t; ++ ') ++ ++ allow $1 djbdns_tinydns_t:key search; ++') ++ ++###################################### ++## ++## Allow link to the djbdns-tinydns key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`djbdns_link_key_tinydns',` ++ gen_require(` ++ type djbdns_tinydn_t; ++ ') ++ ++ allow $1 djbdns_tinydn_t:key link; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.6.32/policy/modules/services/djbdns.te +--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/djbdns.te 2010-02-11 14:26:09.789868676 +0100 +@@ -42,3 +42,11 @@ + files_search_var(djbdns_axfrdns_t) + + ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) ++ ++##################################### ++# ++# Local policy for djbdns_tinydns_t ++# ++ ++init_dontaudit_use_script_fds(djbdns_tinydns_t) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-02-08 11:55:25.971336166 +0100 
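Review bot: `djbdns_link_key_tinydns` requires and allows on `djbdns_tinydn_t`, which is missing the final `s`; the sibling `djbdns_search_key_tinydns` just above it uses `djbdns_tinydns_t`. The two lines should read `type djbdns_tinydns_t;` and `allow $1 djbdns_tinydns_t:key link;`. cron.te calls both interfaces inside a single `optional_policy` block, so an unresolved type there would most likely disable the whole block or fail the build. In the first case crond_t would silently get neither the search nor the link permission.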
@@ -3954,9 +4327,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol exim_manage_spool_dirs(spamd_t) exim_manage_spool_files(spamd_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if +--- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 18:24:22.898539086 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2010-02-11 17:58:41.983708667 +0100 +@@ -393,6 +393,7 @@ + logging_send_syslog_msg($1_ssh_agent_t) + + miscfiles_read_localization($1_ssh_agent_t) ++ miscfiles_read_certs($1_ssh_agent_t) + + seutil_dontaudit_read_config($1_ssh_agent_t) + +@@ -400,6 +401,7 @@ + userdom_use_user_terminals($1_ssh_agent_t) + + # for the transition back to normal privs upon exec ++ userdom_search_user_home_content($1_ssh_agent_t) + userdom_user_home_domtrans($1_ssh_agent_t, $3) + allow $3 $1_ssh_agent_t:fd use; + allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-02-08 00:22:54.835167354 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-02-11 18:35:06.034708401 +0100 @@ -8,31 +8,6 @@ ## @@ -4000,7 +4392,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ') -@@ -365,6 +337,11 @@ +@@ -209,6 +180,7 @@ + # needs to read krb tgt + userdom_read_user_tmp_files(ssh_t) + userdom_read_user_home_content_symlinks(ssh_t) ++userdom_write_user_tmp_files(ssh_t) + + tunable_policy(`allow_ssh_keysign',` + domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) +@@ -365,6 +338,11 @@ ') optional_policy(` 
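Review bot: In ssh.if, `userdom_search_user_home_content($1_ssh_agent_t)` is inserted between the comment `# for the transition back to normal privs upon exec` and the `userdom_user_home_domtrans` line that comment describes. Moving the new call above the comment keeps it attached to the right rule. The added `miscfiles_read_certs($1_ssh_agent_t)` has no stated reason either; a short comment such as `# <why the agent reads system certificates>` would help later review. The template body starts and ends outside this hunk.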
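Review bot: `userdom_write_user_tmp_files(ssh_t)` is added under the existing comment `# needs to read krb tgt`, which now understates what the ssh client domain may do with user temporary files. Write access to user tmp content from ssh_t should have its own comment naming the file being written, e.g. `# <file ssh updates in the user's tmp directory>`. That lets a reviewer judge whether a narrower type would do. The ssh_t block continues outside this hunk.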
@@ -4012,7 +4412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_getattr_xauth(sshd_t) ') -@@ -468,49 +445,3 @@ +@@ -468,49 +446,3 @@ udev_read_db(ssh_keygen_t) ') @@ -4418,6 +4818,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # to allow cpu tuning dev_rw_netcontrol(tuned_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.6.32/policy/modules/services/ucspitcp.te +--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/ucspitcp.te 2010-02-11 14:18:05.345868624 +0100 +@@ -92,3 +92,8 @@ + daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) + daemontools_read_svc(ucspitcp_t) + ') ++ ++optional_policy(` ++ daemontools_sigchld_run(ucspitcp_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc 2010-02-02 19:00:16.333067308 +0100 @@ -4498,8 +4910,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te --- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 19:28:04.029318349 +0100 -@@ -0,0 +1,44 @@ ++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-11 18:39:18.455708622 +0100 +@@ -0,0 +1,48 @@ + +policy_module(usbmuxd,1.0.0) + 
@@ -4537,6 +4949,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) + ++kernel_read_system_state(usbmuxd_t) ++ ++dev_rw_generic_usb_dev(usbmuxd_t) ++ +files_read_etc_files(usbmuxd_t) + +miscfiles_read_localization(usbmuxd_t) @@ -4544,9 +4960,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +auth_use_nsswitch(usbmuxd_t) + +logging_send_syslog_msg(usbmuxd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if +--- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-02-11 20:29:58.819441475 +0100 +@@ -194,6 +194,7 @@ + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-01 17:46:33.611080298 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-11 20:30:04.756691338 +0100 +@@ -1,5 +1,5 @@ + +-policy_module(virt, 1.2.1) ++policy_module(virt, 1.3.0) + + ######################################## + # @@ -226,7 +226,7 @@ sysnet_domtrans_ifconfig(virtd_t) sysnet_read_config(virtd_t) 
@@ -4556,7 +4990,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_getattr_all_users(virtd_t) userdom_list_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) -@@ -370,6 +370,7 @@ +@@ -337,6 +337,7 @@ + allow svirt_t svirt_image_t:dir search_dir_perms; + manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) + manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) ++fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) + + list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) + read_files_pattern(svirt_t, virt_content_t, virt_content_t) +@@ -370,6 +371,7 @@ tunable_policy(`virt_use_fusefs',` fs_read_fusefs_files(svirt_t) @@ -4564,15 +5006,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`virt_use_nfs',` -@@ -430,6 +431,8 @@ +@@ -429,11 +431,13 @@ + corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) - dev_read_sound(virt_domain) +dev_read_rand(virt_domain) + dev_read_sound(virt_domain) +-dev_write_sound(virt_domain) +dev_read_urand(virt_domain) - dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) + dev_rw_qemu(virt_domain) ++dev_write_sound(virt_domain) + + domain_use_interactive_fds(virt_domain) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100 +++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-03 14:24:48.062145095 +0100 
@@ -4605,6 +5053,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if +--- nsaserefpolicy/policy/modules/services/xserver.if 2010-01-18 18:24:22.920530710 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2010-02-11 17:58:46.499708705 +0100 +@@ -49,7 +49,7 @@ + allow xserver_t $2:shm rw_shm_perms; + + domtrans_pattern($2, xserver_exec_t, xserver_t) +- allow xserver_t $2:process signal; ++ allow xserver_t $2:process { getpgid signal }; + + allow xserver_t $2:shm rw_shm_perms; + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 +++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-10 13:42:43.220607710 +0100 
@@ -4724,19 +5184,129 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.6.32/policy/modules/system/daemontools.if +--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/system/daemontools.if 2010-02-11 14:55:16.780616974 +0100 +@@ -71,6 +71,32 @@ + domtrans_pattern($1, svc_start_exec_t, svc_start_t) + ') + ++####################################### ++## ++## Execute svc_start in the svc_start domain, and ++## allow the specified role the svc_start domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the svc_start domain. ++## ++## ++## ++# ++interface(`daemonstools_run_start',` ++ gen_require(` ++ type svc_start_t; ++ ') ++ ++ daemontools_domtrans_start($1) ++ role $2 types svc_start_t; ++') ++ + ######################################## + ## + ## Execute in the svc_run_t domain. +@@ -127,6 +153,24 @@ + allow $1 svc_svc_t:file read_file_perms; + ') + ++####################################### ++## ++## Search svc_svc_t directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`daemontools_search_svc_dir',` ++ gen_require(` ++ type svc_svc_t; ++ ') ++ ++ allow $1 svc_svc_t:dir search_dir_perms; ++') ++ + ######################################## + ## + ## Allow a domain to create svc_svc_t files. +@@ -148,3 +192,21 @@ + allow $1 svc_svc_t:file manage_file_perms; + allow $1 svc_svc_t:lnk_file { read create }; + ') ++ ++##################################### ++## ++## Send a SIGCHLD signal to svc_run domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`daemontools_sigchld_run',` ++ gen_require(` ++ type svc_run_t; ++ ') ++ ++ allow $1 svc_run_t:process sigchld; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.6.32/policy/modules/system/daemontools.te --- nsaserefpolicy/policy/modules/system/daemontools.te 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/system/daemontools.te 2010-02-10 17:52:29.728608954 +0100 -@@ -65,6 +65,8 @@ ++++ serefpolicy-3.6.32/policy/modules/system/daemontools.te 2010-02-11 14:40:01.632617547 +0100 +@@ -39,7 +39,10 @@ + # multilog creates /service/*/log/status + manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) + ++term_write_console(svc_multilog_t) ++ + init_use_fds(svc_multilog_t) ++init_dontaudit_use_script_fds(svc_multilog_t) + + # writes to /var/log/*/* + logging_manage_generic_logs(svc_multilog_t) +@@ -53,7 +56,7 @@ + # ie. softlimit, setuidgid, envuidgid, envdir, fghack .. + # + +-allow svc_run_t self:capability { setgid setuid chown fsetid }; ++allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource}; + allow svc_run_t self:process setrlimit; + allow svc_run_t self:fifo_file rw_fifo_file_perms; + allow svc_run_t self:unix_stream_socket create_stream_socket_perms; +@@ -65,6 +68,10 @@ kernel_read_system_state(svc_run_t) +dev_read_urand(svc_run_t) + ++term_write_console(svc_run_t) ++ corecmd_exec_bin(svc_run_t) corecmd_exec_shell(svc_run_t) -@@ -93,10 +95,14 @@ +@@ -89,21 +96,36 @@ + # ie svc, svscan, supervise ... + # + +-allow svc_start_t svc_run_t:process signal; ++allow svc_start_t svc_run_t:process { signal setrlimit }; allow svc_start_t self:fifo_file rw_fifo_file_perms; allow svc_start_t self:capability kill; 
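Review bot: The new interface in daemontools.if is named `daemonstools_run_start`, with a stray `s`, while the other interfaces in the file (`daemontools_domtrans_start`, `daemontools_search_svc_dir`, `daemontools_sigchld_run`) use the module prefix `daemontools_`. It resolves only because sysadm.te calls it with the same spelling; renaming both the definition and the caller to `daemontools_run_start` keeps the prefix convention. In daemontools.te, `allow svc_start_t svc_run_t:process { signal setrlimit };` grants setrlimit across domains although svc_run_t already has `allow svc_run_t self:process setrlimit;`, and `sys_resource` is added to svc_run_t in the same hunk. A comment naming the operation that needs each of these would help the next audit of the module.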
@@ -4745,13 +5315,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(svc_start_t, svc_start_exec_t) ++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) ++ +kernel_read_kernel_sysctls(svc_start_t) +kernel_read_system_state(svc_start_t) + corecmd_exec_bin(svc_start_t) corecmd_exec_shell(svc_start_t) -@@ -105,5 +111,9 @@ ++corenet_tcp_bind_generic_node(svc_start_t) ++corenet_tcp_bind_generic_port(svc_start_t) ++ ++term_write_console(svc_start_t) ++ + files_read_etc_files(svc_start_t) + files_read_etc_runtime_files(svc_start_t) files_search_var(svc_start_t) files_search_pids(svc_start_t) @@ -5260,7 +5838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all log files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-09 15:09:42.278616082 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-11 12:06:40.363618975 +0100 @@ -101,6 +101,7 @@ kernel_read_kernel_sysctls(auditctl_t) @@ -5280,6 +5858,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postgresql_stream_connect(syslogd_t) ') +@@ -497,6 +502,10 @@ + ') + + optional_policy(` ++ daemontools_search_svc_dir(syslogd_t) ++') ++ ++optional_policy(` + udev_read_db(syslogd_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100 +++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index 7f915f3..061fd60 100644 
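Review bot: `corenet_tcp_bind_generic_port(svc_start_t)` lets the svc/svscan/supervise domain listen on any TCP port that has no specific label, and nothing in the hunk says which supervised service needs it. If the bind is actually done by a service started under svc_start_t, the permission belongs to that service's own domain and a named port type. If it must stay here, add a comment such as `# <service that binds an unlabeled port from svc_start_t>`. `mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)` in the same hunk needs the same kind of one-line reason. The svc_start_t rule block begins outside this hunk.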
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 87%{?dist} +Release: 88%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Thu Feb 11 2010 Miroslav Grepl 3.6.32-88 +- Fixes for sandbox +- Allow quota to set priority of kernel threads +- Fixes for svirt + * Wed Feb 10 2010 Miroslav Grepl 3.6.32-87 - Fixes for ipsec policy - Allow pppd to get attributes of the modem devices