diff --git a/policy-20090105.patch b/policy-20090105.patch
index a08a37e..b12e2f9 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -4262,7 +4262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  network_port(xfs, tcp,7100,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.3/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2008-10-08 21:42:58.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/kernel/devices.fc	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/devices.fc	2009-01-19 14:33:15.000000000 -0500
 @@ -1,7 +1,7 @@
  
  /dev			-d	gen_context(system_u:object_r:device_t,s0)
@@ -4350,15 +4350,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
  /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
  /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -91,6 +108,7 @@
+@@ -91,20 +108,32 @@
  
  /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
  
+-/dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 +/dev/cpu_dma_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
- /dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
++/dev/cpu.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
  /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
  
-@@ -98,13 +116,23 @@
+ /dev/dri/.+		-c	gen_context(system_u:object_r:dri_device_t,s0)
  
  /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  
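Review bot: The rewritten entry `/dev/cpu.*` is a bare prefix match, so it now also matches `/dev/cpu_dma_latency` and `/dev/cpu/mtrr`, which the neighbouring lines label `netcontrol_device_t` and `mtrr_device_t`. Those two keep their labels only because exact-path entries are expected to take precedence over the regex when file contexts are matched. Any other character node whose name starts with `cpu` would also become `cpu_device_t`. A one-line comment above the entry naming the nodes the wider pattern is meant to catch would make the intent reviewable, or the pattern could be narrowed to those nodes. `/dev/msr.*` in the next hunk is written the same way and deserves the same comment.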
@@ -4378,6 +4379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
 +/dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 +/dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  
  /dev/pts(/.*)?			<<none>>
@@ -5404,6 +5406,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.3/policy/modules/kernel/filesystem.fc
+--- nsaserefpolicy/policy/modules/kernel/filesystem.fc	2008-08-07 11:15:01.000000000 -0400
++++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.fc	2009-01-19 13:53:22.000000000 -0500
+@@ -1 +1 @@
+-# This module currently does not have any file contexts.
++/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if	2009-01-19 13:10:02.000000000 -0500
@@ -6040,7 +6048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.3/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2008-10-08 19:00:23.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc	2009-01-19 13:53:59.000000000 -0500
 @@ -36,7 +36,7 @@
  /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/ps3d.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -6050,6 +6058,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  ifdef(`distro_redhat', `
  /dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -67,6 +67,8 @@
+ /dev/md/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mapper/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ 
++/dev/device-mapper	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++
+ /dev/raw/raw[0-9]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ 
+ /dev/scramdisk/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.3/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-11-11 16:13:41.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/terminal.if	2009-01-19 13:10:02.000000000 -0500
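Review bot: The added `/dev/device-mapper` entry is a character node labelled `fixed_disk_device_t` at `mls_systemhigh`, while the device-mapper control node visible in devices.fc, `/dev/mapper/control`, gets the dedicated `lvm_control_t`. If this node is the same kind of control interface (the hunk does not say), any domain that needs it must be granted character-device access to the raw-disk type, which is broader than the control type. Either label it like the existing control node, `/dev/device-mapper	-c	gen_context(system_u:object_r:lvm_control_t,s0)`, or add a comment stating why the disk type is wanted here.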
@@ -8332,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-19 15:38:07.000000000 -0500
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -8427,15 +8444,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
  
-@@ -196,6 +242,7 @@
- userdom_user_home_content(httpd_user_script_rw_t)
+@@ -187,15 +233,22 @@
+ files_tmpfs_file(httpd_tmpfs_t)
+ 
+ apache_content_template(user)
++
+ ubac_constrained(httpd_user_script_t)
++typeattribue httpd_user_content_t, httpdcontent;
++typeattribue httpd_user_content_rw_t, httpdcontent;
++typeattribue httpd_user_content_ra_t, httpdcontent;
++typeattribue httpd_user_script_exec_t, httpdcontent;
++
+ userdom_user_home_content(httpd_user_content_t)
+ userdom_user_home_content(httpd_user_htaccess_t)
+ userdom_user_home_content(httpd_user_script_exec_t)
+-userdom_user_home_content(httpd_user_script_ra_t)
+-userdom_user_home_content(httpd_user_script_ro_t)
+-userdom_user_home_content(httpd_user_script_rw_t)
++userdom_user_home_content(httpd_user_content_ra_t)
++userdom_user_home_content(httpd_user_content_ro_t)
++userdom_user_home_content(httpd_user_content_rw_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
 +typealias httpd_user_content_t alias httpd_unconfined_content_t;
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
  typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-@@ -230,7 +277,7 @@
+@@ -230,7 +283,7 @@
  # Apache server local policy
  #
  
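Review bot: The four added statements after `ubac_constrained(httpd_user_script_t)` are spelled `typeattribue` and put a comma between the type and the attribute, so they will not parse as policy statements. The unchanged line further down shows the accepted form, `typeattribute httpd_user_script_t httpd_script_domains;`. Each should read like `typeattribute httpd_user_content_t httpdcontent;`, with the same correction for the `_rw_t`, `_ra_t` and `httpd_user_script_exec_t` lines.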
@@ -8444,7 +8479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -272,6 +319,7 @@
+@@ -272,6 +325,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -8452,7 +8487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +331,9 @@
+@@ -283,9 +337,9 @@
  
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
@@ -8465,7 +8500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,6 +349,7 @@
+@@ -301,6 +355,7 @@
  manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
  files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
  
@@ -8473,7 +8508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
-@@ -312,6 +361,7 @@
+@@ -312,6 +367,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -8481,7 +8516,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -322,6 +372,7 @@
+@@ -322,6 +378,7 @@
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -8489,7 +8524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_bind_http_port(httpd_t)
  corenet_tcp_bind_http_cache_port(httpd_t)
  corenet_sendrecv_http_server_packets(httpd_t)
-@@ -335,12 +386,12 @@
+@@ -335,12 +392,12 @@
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -8505,7 +8540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -358,6 +409,10 @@
+@@ -358,6 +415,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -8516,7 +8551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  libs_read_lib_files(httpd_t)
  
-@@ -372,18 +427,33 @@
+@@ -372,18 +433,33 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -8554,7 +8589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  ')
  
-@@ -391,20 +461,54 @@
+@@ -391,20 +467,54 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -8610,7 +8645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -415,20 +519,28 @@
+@@ -415,20 +525,28 @@
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -8643,7 +8678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -459,8 +571,13 @@
+@@ -459,8 +577,13 @@
  ')
  
  optional_policy(`
@@ -8659,7 +8694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -472,18 +589,13 @@
+@@ -472,18 +595,13 @@
  ')
  
  optional_policy(`
@@ -8679,7 +8714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -493,6 +605,12 @@
+@@ -493,6 +611,12 @@
  	openca_kill(httpd_t)
  ')
  
@@ -8692,7 +8727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
-@@ -500,6 +618,7 @@
+@@ -500,6 +624,7 @@
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		postgresql_tcp_connect(httpd_t)
@@ -8700,7 +8735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -508,6 +627,7 @@
+@@ -508,6 +633,7 @@
  ')
  
  optional_policy(`
@@ -8708,7 +8743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -535,6 +655,22 @@
+@@ -535,6 +661,22 @@
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -8731,7 +8766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Apache PHP script local policy
-@@ -564,20 +700,25 @@
+@@ -564,20 +706,25 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -8763,7 +8798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -595,23 +736,24 @@
+@@ -595,23 +742,24 @@
  append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  
@@ -8792,7 +8827,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -641,12 +783,25 @@
+@@ -624,6 +772,7 @@
+ logging_send_syslog_msg(httpd_suexec_t)
+ 
+ miscfiles_read_localization(httpd_suexec_t)
++miscfiles_read_public_files(httpd_suexec_t)
+ 
+ tunable_policy(`httpd_can_network_connect',`
+ 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+@@ -641,12 +790,25 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -8821,7 +8864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -655,6 +810,12 @@
+@@ -655,6 +817,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -8834,7 +8877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -672,15 +833,14 @@
+@@ -672,15 +840,14 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -8853,7 +8896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow httpd_sys_script_t httpd_t:tcp_socket { read write };
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +859,24 @@
+@@ -699,12 +866,24 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -8880,7 +8923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +884,35 @@
+@@ -712,6 +891,35 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -8916,7 +8959,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +925,10 @@
+@@ -724,6 +932,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -8927,7 +8970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -735,6 +940,8 @@
+@@ -735,6 +947,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -8936,7 +8979,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -762,3 +969,66 @@
+@@ -754,6 +968,9 @@
+ 
+ tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ 	allow httpd_user_script_t httpdcontent:file entrypoint;
++	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++	manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
++	manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
+ ')
+ 
+ # allow accessing files/dirs below the users home dir
+@@ -762,3 +979,66 @@
  	userdom_search_user_home_dirs(httpd_suexec_t)
  	userdom_search_user_home_dirs(httpd_user_script_t)
  ')
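Review bot: The third added rule, `manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)`, gives user CGI scripts full manage rights on the `_ra_t` type. Going by its name that type is meant for read/append content, so under `httpd_enable_cgi && httpd_unified` the append-only distinction disappears for these scripts. If that is the intended meaning of the unified boolean, a comment such as `# unified: scripts may fully manage all user content, including append-only` would record it. Otherwise an append-only pattern would keep the separation. The hunk also leaves out `httpd_user_content_rw_t`, which looks like an omission if full management was the goal.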
@@ -9811,7 +9864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.3/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/consolekit.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/consolekit.te	2009-01-19 14:46:22.000000000 -0500
 @@ -13,6 +13,9 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -9889,11 +9942,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	optional_policy(`
  		unconfined_dbus_chat(consolekit_t)
-@@ -61,6 +93,29 @@
+@@ -61,6 +93,30 @@
  ')
  
  optional_policy(`
 +	polkit_domtrans_auth(consolekit_t)
++	polkit_read_lib(consolekit_t)
 +	polkit_read_reload(consolekit_t)
 +')
 +
@@ -12187,8 +12241,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.3/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/gnomeclock.te	2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,50 @@
++++ serefpolicy-3.6.3/policy/modules/services/gnomeclock.te	2009-01-19 14:46:31.000000000 -0500
+@@ -0,0 +1,51 @@
 +policy_module(gnomeclock, 1.0.0)
 +########################################
 +#
@@ -12236,6 +12290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	polkit_domtrans_auth(gnomeclock_t)
++	polkit_read_lib(gnomeclock_t)
 +	polkit_read_reload(gnomeclock_t)
 +')
 +
@@ -12267,7 +12322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/hal.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/hal.te	2009-01-19 14:46:49.000000000 -0500
 @@ -49,6 +49,15 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -12309,12 +12364,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  userdom_dontaudit_use_unpriv_user_fds(hald_t)
  userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -277,6 +292,12 @@
+@@ -277,6 +292,13 @@
  ')
  
  optional_policy(`
 +	polkit_domtrans_auth(hald_t)
 +	polkit_domtrans_resolve(hald_t)
++	polkit_read_lib(hald_t)
 +	polkit_read_reload(hald_t)
 +')
 +
@@ -12322,7 +12378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rpc_search_nfs_state_data(hald_t)
  ')
  
-@@ -301,12 +322,16 @@
+@@ -301,12 +323,16 @@
  	virt_manage_images(hald_t)
  ')
  
@@ -12340,7 +12396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow hald_acl_t self:process { getattr signal };
  allow hald_acl_t self:fifo_file rw_fifo_file_perms;
  
-@@ -321,6 +346,7 @@
+@@ -321,6 +347,7 @@
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -12348,7 +12404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -339,6 +365,8 @@
+@@ -339,6 +366,8 @@
  
  storage_getattr_removable_dev(hald_acl_t)
  storage_setattr_removable_dev(hald_acl_t)
@@ -12357,12 +12413,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_use_nsswitch(hald_acl_t)
  
-@@ -346,12 +374,17 @@
+@@ -346,12 +375,18 @@
  
  miscfiles_read_localization(hald_acl_t)
  
 +optional_policy(`
 +	polkit_domtrans_auth(hald_acl_t)
++	polkit_read_lib(hald_acl_t)
 +	polkit_read_reload(hald_acl_t)
 +')
 +
@@ -12376,7 +12433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
  allow hald_t hald_mac_t:process signal;
-@@ -418,3 +451,49 @@
+@@ -418,3 +453,49 @@
  files_read_usr_files(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
@@ -12896,7 +12953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.3/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/mailman.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/mailman.te	2009-01-19 15:30:18.000000000 -0500
 @@ -53,10 +53,8 @@
  	apache_use_fds(mailman_cgi_t)
  	apache_dontaudit_append_log(mailman_cgi_t)
@@ -12910,7 +12967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -65,15 +63,22 @@
+@@ -65,15 +63,27 @@
  #
  
  allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@@ -12920,6 +12977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +files_search_spool(mailman_mail_t)
 +fs_rw_anon_inodefs_files(mailman_mail_t)
++fs_list_inotifyfs(mailman_mail_t)
 +
 +manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
 +manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
@@ -12933,12 +12991,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
 -	# do we really need this?
 -	allow mailman_mail_t qmail_lspawn_t:fifo_file write;
--')
 +	postfix_search_spool(mailman_mail_t)
  ')
++
++optional_policy(`
++        cron_read_pipes(mailman_mail_t)
+ ')
  
  ########################################
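Review bot: The new `optional_policy` block that calls `cron_read_pipes(mailman_mail_t)` has no comment saying why the mail wrapper needs to read cron's pipes, so a later reviewer cannot judge whether the grant is still required. A line such as `# mailman jobs started from cron inherit its pipe` would help, if that is indeed the reason. The call is also indented with eight spaces where every other block in this file section uses a tab.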
-@@ -99,11 +104,15 @@
+@@ -99,11 +109,15 @@
  # for su
  seutil_dontaudit_search_config(mailman_queue_t)
  
@@ -13813,7 +13874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.3/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/networkmanager.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/networkmanager.te	2009-01-19 14:46:55.000000000 -0500
 @@ -33,9 +33,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
@@ -13956,7 +14017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -155,23 +199,48 @@
+@@ -155,23 +199,49 @@
  ')
  
  optional_policy(`
@@ -13987,6 +14048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	polkit_domtrans_auth(NetworkManager_t)
++	polkit_read_lib(NetworkManager_t)
 +	polkit_read_reload(NetworkManager_t)
  ')
  
@@ -14007,7 +14069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -184,7 +253,9 @@
+@@ -184,7 +254,9 @@
  
  optional_policy(`
  	vpn_domtrans(NetworkManager_t)
@@ -15974,8 +16036,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:polkit_reload_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.3/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/polkit.if	2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,240 @@
++++ serefpolicy-3.6.3/policy/modules/services/polkit.if	2009-01-19 14:47:07.000000000 -0500
+@@ -0,0 +1,241 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@@ -16193,6 +16255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +template(`polkit_role',`
 +	polkit_run_auth($2, $1)
 +	polkit_run_grant($2, $1)
++	polkit_read_lib($2)
 +	polkit_read_reload($2)
 +')
 +
@@ -20250,17 +20313,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.3/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/squid.te	2009-01-19 13:10:02.000000000 -0500
-@@ -118,6 +118,8 @@
++++ serefpolicy-3.6.3/policy/modules/services/squid.te	2009-01-19 15:16:22.000000000 -0500
+@@ -118,6 +118,9 @@
  
  fs_getattr_all_fs(squid_t)
  fs_search_auto_mountpoints(squid_t)
 +#squid requires the following when run in diskd mode, the recommended setting
 +fs_rw_tmpfs_files(squid_t)
++fs_list_inotify(squid_t)
  
  selinux_dontaudit_getattr_dir(squid_t)
  
-@@ -185,8 +187,3 @@
+@@ -185,8 +188,3 @@
  optional_policy(`
  	udev_read_db(squid_t)
  ')
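Review bot: The added call `fs_list_inotify(squid_t)` does not match the interface name used for the same purpose in the mailman.te section of this patch, `fs_list_inotifyfs(mailman_mail_t)`. Unless a separate `fs_list_inotify` interface is defined somewhere outside this diff, the call will not expand and the module will fail to build. The line should most likely read `fs_list_inotifyfs(squid_t)`. The comment above it about diskd mode belongs to `fs_rw_tmpfs_files` only, so the inotify rule could use a reason of its own.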
@@ -21444,7 +21508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	display.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-19 14:47:14.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -21810,11 +21874,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +622,18 @@
+@@ -542,6 +622,19 @@
  ')
  
  optional_policy(`
 +	polkit_domtrans_auth(xdm_t)
++	polkit_read_lib(xdm_t)
 +	polkit_read_reload(xdm_t)
 +')
 +
@@ -21829,7 +21894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +642,8 @@
+@@ -550,8 +643,8 @@
  ')
  
  optional_policy(`
@@ -21839,7 +21904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -571,6 +663,10 @@
+@@ -571,6 +664,10 @@
  ')
  
  optional_policy(`
@@ -21850,7 +21915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -635,6 +731,15 @@
+@@ -635,6 +732,15 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -21866,7 +21931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Create files in /var/log with the xserver_log_t type.
  manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
  logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -682,6 +787,7 @@
+@@ -682,6 +788,7 @@
  dev_rw_input_dev(xserver_t)
  dev_rwx_zero(xserver_t)
  
@@ -21874,7 +21939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  domain_mmap_low(xserver_t)
  
  files_read_etc_files(xserver_t)
-@@ -697,6 +803,7 @@
+@@ -697,6 +804,7 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -21882,7 +21947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mls_xwin_read_to_clearance(xserver_t)
  
-@@ -806,7 +913,7 @@
+@@ -806,7 +914,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -21891,7 +21956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +937,10 @@
+@@ -830,6 +938,10 @@
  
  xserver_use_user_fonts(xserver_t)
  
@@ -21902,7 +21967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +955,14 @@
+@@ -844,11 +956,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -21918,7 +21983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -856,6 +970,11 @@
+@@ -856,6 +971,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -21930,7 +21995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Rules common to all X window domains
-@@ -972,6 +1091,37 @@
+@@ -972,6 +1092,37 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -21968,7 +22033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ifdef(`TODO',`
  tunable_policy(`allow_polyinstantiation',`
  # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1136,13 @@
+@@ -986,3 +1137,13 @@
  #
  allow xdm_t user_home_type:file unlink;
  ') dnl end TODO