diff --git a/policy-F15.patch b/policy-F15.patch
index bb4daba..6f8d414 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -10411,10 +10411,18 @@ index 3994e57..ee146ae 100644
 +
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 492bf76..87a6942 100644
+index 492bf76..a177011 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -292,9 +292,11 @@ interface(`term_use_console',`
+@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`term_use_console',`
+ 	gen_require(`
+@@ -292,9 +291,11 @@ interface(`term_use_console',`
  interface(`term_dontaudit_use_console',`
  	gen_require(`
  		type console_device_t;
@@ -10427,7 +10435,7 @@ index 492bf76..87a6942 100644
  ')
  
  ########################################
-@@ -334,7 +336,7 @@ interface(`term_relabel_console',`
+@@ -334,7 +335,7 @@ interface(`term_relabel_console',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -10436,7 +10444,7 @@ index 492bf76..87a6942 100644
  ')
  
  ########################################
-@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -848,7 +849,7 @@ interface(`term_dontaudit_use_all_ptys',`
  		attribute ptynode;
  	')
  
@@ -10445,7 +10453,7 @@ index 492bf76..87a6942 100644
  ')
  
  ########################################
-@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1116,7 +1117,7 @@ interface(`term_relabel_unallocated_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -10454,7 +10462,7 @@ index 492bf76..87a6942 100644
  ')
  
  ########################################
-@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1215,7 +1216,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
@@ -10463,7 +10471,7 @@ index 492bf76..87a6942 100644
  ')
  
  ########################################
-@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1231,11 +1232,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -10477,7 +10485,7 @@ index 492bf76..87a6942 100644
  ')
  
  ########################################
-@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1252,10 +1255,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -10490,7 +10498,7 @@ index 492bf76..87a6942 100644
  ')
  
  ########################################
-@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1294,7 +1299,7 @@ interface(`term_relabel_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -10499,7 +10507,7 @@ index 492bf76..87a6942 100644
  ')
  
  ########################################
-@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1352,7 +1357,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -13304,7 +13312,7 @@ index ceb2142..e31d92a 100644
  ')
  
 diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index c3a1903..ec40291 100644
+index c3a1903..b0e48c6 100644
 --- a/policy/modules/services/amavis.te
 +++ b/policy/modules/services/amavis.te
 @@ -76,7 +76,7 @@ files_search_spool(amavis_t)
@@ -13325,6 +13333,14 @@ index c3a1903..ec40291 100644
  manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
  manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
  logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
+@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t)
+ 
+ # find perl
+ corecmd_exec_bin(amavis_t)
++corecmd_exec_shell(amavis_t)
+ 
+ corenet_all_recvfrom_unlabeled(amavis_t)
+ corenet_all_recvfrom_netlabel(amavis_t)
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
 index 9e39aa5..3bfac20 100644
 --- a/policy/modules/services/apache.fc
@@ -16148,10 +16164,10 @@ index fa62787..ffd0da5 100644
  	admin_pattern($1, certmaster_etc_rw_t)
  
 diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
-index 73f03ff..dbfd0a6 100644
+index 73f03ff..d5c4c94 100644
 --- a/policy/modules/services/certmaster.te
 +++ b/policy/modules/services/certmaster.te
-@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
  
  # log files
  manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
@@ -16166,7 +16182,12 @@ index 73f03ff..dbfd0a6 100644
  
  # read meminfo
  kernel_read_system_state(certmaster_t)
-@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
+ 
+-corecmd_search_bin(certmaster_t)
+-corecmd_getattr_bin_files(certmaster_t)
++corecmd_exec_bin(certmaster_t)
+ 
+ corenet_tcp_bind_generic_node(certmaster_t)
  corenet_tcp_bind_certmaster_port(certmaster_t)
  
  files_search_etc(certmaster_t)
@@ -18940,7 +18961,7 @@ index 0a1a61b..da508f4 100644
  
  	allow $1 ddclient_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
-index 24ba98a..0910356 100644
+index 24ba98a..41559cf 100644
 --- a/policy/modules/services/ddclient.te
 +++ b/policy/modules/services/ddclient.te
 @@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
@@ -18953,13 +18974,15 @@ index 24ba98a..0910356 100644
  type ddclient_var_t;
  files_type(ddclient_var_t)
  
-@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms;
+@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms;
  allow ddclient_t self:fifo_file rw_fifo_file_perms;
  allow ddclient_t self:tcp_socket create_socket_perms;
  allow ddclient_t self:udp_socket create_socket_perms;
 +allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
  
- allow ddclient_t ddclient_etc_t:file read_file_perms;
+-allow ddclient_t ddclient_etc_t:file read_file_perms;
++read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
++setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
  
  allow ddclient_t ddclient_log_t:file manage_file_perms;
  logging_log_filetrans(ddclient_t, ddclient_log_t, file)
@@ -18970,7 +18993,7 @@ index 24ba98a..0910356 100644
  manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
  manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
  manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+@@ -74,6 +82,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
  corenet_udp_sendrecv_generic_node(ddclient_t)
  corenet_tcp_sendrecv_all_ports(ddclient_t)
  corenet_udp_sendrecv_all_ports(ddclient_t)
@@ -18979,7 +19002,7 @@ index 24ba98a..0910356 100644
  corenet_tcp_connect_all_ports(ddclient_t)
  corenet_sendrecv_all_client_packets(ddclient_t)
  
-@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t)
+@@ -89,6 +99,8 @@ files_read_usr_files(ddclient_t)
  fs_getattr_all_fs(ddclient_t)
  fs_search_auto_mountpoints(ddclient_t)
  
@@ -23191,6 +23214,18 @@ index ae9d49f..65e6d81 100644
  
  manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
  
+diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc
+index 49e04e5..69db026 100644
+--- a/policy/modules/services/lircd.fc
++++ b/policy/modules/services/lircd.fc
+@@ -2,6 +2,7 @@
+ 
+ /etc/rc\.d/init\.d/lirc	--	gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
+ /etc/lircd\.conf	--	gen_context(system_u:object_r:lircd_etc_t,s0)
++/etc/lirc(/.*)?			gen_context(system_u:object_r:lircd_etc_t,s0)
+ 
+ /usr/sbin/lircd		--	gen_context(system_u:object_r:lircd_exec_t,s0)
+ 
 diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
 index 6a78de1..b229ba0 100644
 --- a/policy/modules/services/lircd.te
@@ -31725,6 +31760,16 @@ index 779fa44..0155ca7 100644
  
  remotelogin_domtrans(rlogind_t)
  remotelogin_signal(rlogind_t)
+diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
+index 5c70c0c..6842295 100644
+--- a/policy/modules/services/rpc.fc
++++ b/policy/modules/services/rpc.fc
+@@ -29,3 +29,5 @@
+ 
+ /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ /var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)
++
++/var/tmp/nfs_0 		 --	gen_context(system_u:object_r:gssd_tmp_t,s0)
 diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
 index cda37bb..484e552 100644
 --- a/policy/modules/services/rpc.if
@@ -40449,7 +40494,7 @@ index 9775375..41a244a 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index df3fa64..852a6ad 100644
+index df3fa64..b123b4a 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -40476,7 +40521,7 @@ index df3fa64..852a6ad 100644
  	')
  
  	typeattribute $1 daemon;
-@@ -205,6 +211,20 @@ interface(`init_daemon_domain',`
+@@ -205,6 +211,21 @@ interface(`init_daemon_domain',`
  	role system_r types $1;
  
  	domtrans_pattern(initrc_t,$2,$1)
@@ -40493,11 +40538,12 @@ index df3fa64..852a6ad 100644
 +	tunable_policy(`init_systemd',`
 +		allow init_t $1:unix_stream_socket create_stream_socket_perms;
 +		allow $1 init_t:unix_dgram_socket sendto;
++		dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };
 +	')
  
  	# daemons started from init will
  	# inherit fds from init for the console
-@@ -285,7 +305,7 @@ interface(`init_ranged_daemon_domain',`
+@@ -285,7 +306,7 @@ interface(`init_ranged_daemon_domain',`
  		type initrc_t;
  	')
  
@@ -40506,7 +40552,7 @@ index df3fa64..852a6ad 100644
  
  	ifdef(`enable_mcs',`
  		range_transition initrc_t $2:process $3;
-@@ -336,8 +356,10 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,8 +357,10 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -40517,7 +40563,7 @@ index df3fa64..852a6ad 100644
  	')
  
  	application_domain($1,$2)
-@@ -345,6 +367,19 @@ interface(`init_system_domain',`
+@@ -345,6 +368,19 @@ interface(`init_system_domain',`
  	role system_r types $1;
  
  	domtrans_pattern(initrc_t,$2,$1)
@@ -40537,7 +40583,7 @@ index df3fa64..852a6ad 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -353,6 +388,37 @@ interface(`init_system_domain',`
+@@ -353,6 +389,37 @@ interface(`init_system_domain',`
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -40575,7 +40621,7 @@ index df3fa64..852a6ad 100644
  ')
  
  ########################################
-@@ -687,19 +753,24 @@ interface(`init_telinit',`
+@@ -687,19 +754,24 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -40601,7 +40647,7 @@ index df3fa64..852a6ad 100644
  	')
  ')
  
-@@ -772,18 +843,19 @@ interface(`init_script_file_entry_type',`
+@@ -772,18 +844,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -40625,7 +40671,7 @@ index df3fa64..852a6ad 100644
  	')
  ')
  
-@@ -799,23 +871,45 @@ interface(`init_spec_domtrans_script',`
+@@ -799,23 +872,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -40675,7 +40721,7 @@ index df3fa64..852a6ad 100644
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -867,8 +961,12 @@ interface(`init_script_file_domtrans',`
+@@ -867,8 +962,12 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -40688,7 +40734,7 @@ index df3fa64..852a6ad 100644
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -1129,12 +1227,7 @@ interface(`init_read_script_state',`
+@@ -1129,12 +1228,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -40702,7 +40748,7 @@ index df3fa64..852a6ad 100644
  ')
  
  ########################################
-@@ -1374,6 +1467,27 @@ interface(`init_dbus_send_script',`
+@@ -1374,6 +1468,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -40730,7 +40776,7 @@ index df3fa64..852a6ad 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1460,6 +1574,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1460,6 +1575,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -40756,7 +40802,7 @@ index df3fa64..852a6ad 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1673,7 +1806,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1673,7 +1807,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -40765,7 +40811,7 @@ index df3fa64..852a6ad 100644
  ')
  
  ########################################
-@@ -1748,3 +1881,74 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1748,3 +1882,74 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1c1d405..0c5a81d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.9
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
 %endif
 
 %changelog
+* Mon Nov 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-4
+- Allow ddclient to fix file mode bits of ddclient conf file
+- init leaks file descriptors to daemons
+- Add labels for /etc/lirc/ and
+- Allow amavis_t to exec shell
+- Add label for gssd_tmp_t for /var/tmp/nfs_0
+
 * Thu Nov 18 2010 Dan Walsh <dwalsh@redhat.com> 3.9.9-3
 - Put back in lircd_etc_t so policy will install