diff --git a/policy-20090105.patch b/policy-20090105.patch index 60f2104..0ad5723 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -5003,7 +5003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-04-23 08:12:34.000000000 -0400 @@ -91,6 +91,7 @@ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -5014,7 +5014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-03-05 12:28:57.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-04-14 12:49:22.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-04-23 08:12:42.000000000 -0400 @@ -188,6 +188,12 @@ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) 
@@ -6355,7 +6355,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## requiring the caller to use setexeccon(). diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-21 15:50:14.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-22 15:56:34.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; @@ -6519,7 +6519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol quota_run(sysadm_t, sysadm_r) ') -@@ -320,22 +258,10 @@ +@@ -320,19 +258,12 @@ ') optional_policy(` @@ -6531,18 +6531,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -- rpm_run(sysadm_t, sysadm_r) + rpm_run(sysadm_t, sysadm_r) -') - -optional_policy(` - rssh_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - rsync_exec(sysadm_t) ++ rpm_role_transition(sysadm_r) ') -@@ -345,10 +271,6 @@ + optional_policy(` +@@ -345,10 +276,6 @@ ') optional_policy(` @@ -6553,7 +6551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(sysadm_r) ') -@@ -358,35 +280,15 @@ +@@ -358,35 +285,15 @@ ') optional_policy(` @@ -6589,7 +6587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +296,10 @@ +@@ -394,18 +301,10 @@ ') optional_policy(` @@ -6608,7 +6606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(sysadm_t) ') -@@ -418,20 +312,12 @@ +@@ -418,20 +317,12 @@ ') optional_policy(` 
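Review bot: The `rpm_role_transition(sysadm_r)` call added next to the restored `rpm_run(sysadm_t, sysadm_r)` in the inner sysadm.te hunk only takes effect together with the `allow sysadm_r system_r;` rule that a later hunk appends to the end of the same file; rpm_role_transition is defined in rpm.if outside this hunk, and if it installs the usual `role_transition $1 rpm_exec_t system_r`, a role transition without the matching role allow would be refused at exec time. Because the two rules live in different parts of the file, a comment next to this call, e.g. `# rpm launched from sysadm_r runs in system_r; needs allow sysadm_r system_r (see end of file)`, would stop one of them being dropped without the other. The surrounding optional_policy block and the rest of the inner hunk (the `-@@ -320,22 +258,10 @@` to `+@@ -320,19 +258,12 @@` count change) are only partly visible here, so the hunk counts of the inner patch could not be checked.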
@@ -6629,7 +6627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vpn_run(sysadm_t, sysadm_r) ') -@@ -440,13 +326,5 @@ +@@ -440,13 +331,10 @@ ') optional_policy(` @@ -6643,6 +6641,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` yam_run(sysadm_t, sysadm_r) ') ++ ++domain_user_exemption_target(sysadm_t) ++allow sysadm_r system_r; ++init_script_role_transition(sysadm_r) ++role system_r types sysadm_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-15 10:01:33.000000000 -0400 @@ -9489,7 +9492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.12/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/automount.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/automount.te 2009-04-23 08:19:25.000000000 -0400 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) 
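Review bot: The four rules appended after the last optional_policy block of sysadm.te (`domain_user_exemption_target(sysadm_t)`, `allow sysadm_r system_r;`, `init_script_role_transition(sysadm_r)`, `role system_r types sysadm_t;`) are unconditional privilege expansions that the spec changelog in this commit does not mention, which only lists the rpm and fowner changes. The role allow plus `role system_r types sysadm_t` let a sysadm_t session move into system_r, and the exemption, if it behaves like refpolicy's process_user_target attribute, lets domains with a different SELinux user transition into sysadm_t; together they weaken the sysadm_r/system_r separation that confined-administrator configurations rely on. A comment above the block stating the intent, e.g. `# sysadm_r may enter system_r so rpm and init scripts run in the daemon role (3.6.12-13)`, and a matching changelog line would make this reviewable later. If the rules exist only for the rpm and init-script paths, placing them inside the corresponding optional_policy blocks would avoid granting the exemption when those modules are not loaded.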
@@ -23228,7 +23231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-20 07:48:51.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-23 07:20:35.000000000 -0400 @@ -8,19 +8,24 @@ ## @@ -23300,7 +23303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; -allow virtd_t self:process { getsched sigkill signal execmem }; -+allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; ++allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:process { getsched sigkill signal signull execmem setexec setfscreate setsched }; allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index a3daa82..2ff3b27 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,10 @@ exit 0 %endif %changelog +* Thu Apr 23 2009 Dan Walsh 3.6.12-13 +- Allow sysadm_t to run rpm directly +- libvirt needs fowner + * Wed Apr 22 2009 Dan Walsh 3.6.12-12 - Allow sshd to read var_lib symlinks for freenx
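Review bot: The virt.te hunk adds `fowner` to the `allow virtd_t self:capability { ... }` line without any comment recording which libvirtd operation needed it; the changelog entry "libvirt needs fowner" gives no more detail. fowner bypasses the owner check on chmod/utime-style operations, and on a domain that already holds chown, dac_override, mknod, setuid, setgid, sys_admin and sys_ptrace the set is close to unrestricted root, so the reason should be kept with the rule so it can be re-examined rather than accreted. A comment on the line above, e.g. `# fowner: required by libvirtd (3.6.12-13); TODO record the denied operation`, would do. The remaining spec hunks in this diff are a release bump and changelog text and need no review.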