diff --git a/.gitignore b/.gitignore index 5c00acd..d9cccef 100644 --- a/.gitignore +++ b/.gitignore @@ -226,3 +226,4 @@ serefpolicy* /serefpolicy-3.9.3.tgz /serefpolicy-3.9.4.tgz /serefpolicy-3.9.5.tgz +/serefpolicy-3.9.7.tgz diff --git a/policy-F14.patch b/policy-F14.patch index c9db2fc..1ed8b30 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -344,10 +344,10 @@ index a2e9cb5..cec5c56 100644 optional_policy(` apache_exec_modules(certwatch_t) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index a768511..c07eff8 100644 +index 66fee7d..6ddebdb 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te -@@ -82,10 +82,7 @@ optional_policy(` +@@ -85,10 +85,7 @@ optional_policy(` ') optional_policy(` @@ -1447,10 +1447,10 @@ index 3863241..5280124 100644 xserver_dontaudit_write_log(shutdown_t) ') diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index a0aa8c5..1b60ad8 100644 +index 8c5fa3c..1a46f56 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if -@@ -212,7 +212,7 @@ template(`su_role_template',` +@@ -210,7 +210,7 @@ template(`su_role_template',` auth_domtrans_chk_passwd($1_su_t) auth_dontaudit_read_shadow($1_su_t) @@ -1459,7 +1459,7 @@ index a0aa8c5..1b60ad8 100644 auth_rw_faillog($1_su_t) corecmd_search_bin($1_su_t) -@@ -236,6 +236,7 @@ template(`su_role_template',` +@@ -234,6 +234,7 @@ template(`su_role_template',` userdom_use_user_terminals($1_su_t) userdom_search_user_home_dirs($1_su_t) @@ -1477,7 +1477,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 5f44f1b..bb95e79 100644 +index 975af1a..30a7f38 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` 
@@ -1505,10 +1505,10 @@ index 5f44f1b..bb95e79 100644 + userdom_domtrans_user_home($1_sudo_t, $3) + userdom_domtrans_user_tmp($1_sudo_t, $3) allow $3 $1_sudo_t:fd use; - allow $3 $1_sudo_t:fifo_file rw_file_perms; + allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; allow $3 $1_sudo_t:process signal_perms; -@@ -111,12 +117,15 @@ template(`sudo_role_template',` - +@@ -113,12 +119,15 @@ template(`sudo_role_template',` + term_getattr_pty_fs($1_sudo_t) term_relabel_all_ttys($1_sudo_t) term_relabel_all_ptys($1_sudo_t) + term_getattr_pty_fs($1_sudo_t) @@ -1523,7 +1523,7 @@ index 5f44f1b..bb95e79 100644 init_rw_utmp($1_sudo_t) logging_send_audit_msgs($1_sudo_t) -@@ -133,13 +142,18 @@ template(`sudo_role_template',` +@@ -135,13 +144,18 @@ template(`sudo_role_template',` userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) @@ -1544,7 +1544,7 @@ index 5f44f1b..bb95e79 100644 fs_manage_nfs_files($1_sudo_t) ') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index c368bdc..c927b85 100644 +index 91944a8..d1c11b9 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,7 @@ attribute sudodomain; @@ -1555,14 +1555,6 @@ index c368bdc..c927b85 100644 +type sudo_db_t; +files_type(sudo_db_t) + -diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc -index 81077db..8208e86 100644 ---- a/policy/modules/admin/tmpreaper.fc -+++ b/policy/modules/admin/tmpreaper.fc -@@ -1,2 +1,3 @@ - /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) - /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) -+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te index 6a5004b..c59c3cd 100644 --- a/policy/modules/admin/tmpreaper.te 
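Review bot: The rebased sudo.if hunk appears to keep the patch's own `term_getattr_pty_fs($1_sudo_t)` addition even though the new inner header now shows upstream carrying the same call two lines earlier, so the patched sudo.if would end up with the interface invoked twice inside su_role_template/sudo_role_template. Duplicate interface calls merge harmlessly in the compiled policy, but the second line is dead weight that will confuse the next rebase, and dropping the patch's `+	term_getattr_pty_fs($1_sudo_t)` line is the cleaner result. The collapsed markers make the outer/inner sides hard to read, so please confirm against the actual patch before removing it. The enclosing sudo_role_template body starts and ends outside this hunk.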
@@ -7636,10 +7628,10 @@ index 3b2da10..7c29e17 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 8b09281..3fb8756 100644 +index 99482ca..8d34173 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if -@@ -318,6 +318,24 @@ interface(`dev_dontaudit_getattr_generic_files',` +@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',` ######################################## ## @@ -7664,7 +7656,7 @@ index 8b09281..3fb8756 100644 ## Read and write generic files in /dev. ## ## -@@ -498,6 +516,24 @@ interface(`dev_getattr_generic_chr_files',` +@@ -516,6 +534,24 @@ interface(`dev_getattr_generic_chr_files',` ######################################## ## @@ -7689,7 +7681,7 @@ index 8b09281..3fb8756 100644 ## Dontaudit getattr for generic character device files. ## ## -@@ -534,6 +570,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` +@@ -552,6 +588,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` ######################################## ## @@ -7714,7 +7706,7 @@ index 8b09281..3fb8756 100644 ## Read and write generic character device files. ## ## -@@ -552,6 +606,24 @@ interface(`dev_rw_generic_chr_files',` +@@ -570,6 +624,24 @@ interface(`dev_rw_generic_chr_files',` ######################################## ## @@ -7739,7 +7731,7 @@ index 8b09281..3fb8756 100644 ## Dontaudit attempts to read/write generic character device files. ## ## -@@ -661,6 +733,24 @@ interface(`dev_delete_generic_symlinks',` +@@ -679,6 +751,24 @@ interface(`dev_delete_generic_symlinks',` ######################################## ## @@ -7764,7 +7756,7 @@ index 8b09281..3fb8756 100644 ## Create, delete, read, and write symbolic links in device directories. ## ## -@@ -1070,6 +1160,42 @@ interface(`dev_create_all_chr_files',` +@@ -1088,6 +1178,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## 
@@ -7807,7 +7799,7 @@ index 8b09281..3fb8756 100644 ## Delete all block device files. ## ## -@@ -1332,6 +1458,24 @@ interface(`dev_getattr_autofs_dev',` +@@ -1350,6 +1476,24 @@ interface(`dev_getattr_autofs_dev',` ######################################## ## @@ -7832,7 +7824,7 @@ index 8b09281..3fb8756 100644 ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -3595,6 +3739,24 @@ interface(`dev_manage_smartcard',` +@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',` ######################################## ## @@ -7857,7 +7849,7 @@ index 8b09281..3fb8756 100644 ## Get the attributes of sysfs directories. ## ## -@@ -3737,6 +3899,24 @@ interface(`dev_rw_sysfs',` +@@ -3755,6 +3917,24 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7882,7 +7874,7 @@ index 8b09281..3fb8756 100644 ## Read from pseudo random number generator devices (e.g., /dev/urandom). ## ## -@@ -3906,6 +4086,24 @@ interface(`dev_read_usbmon_dev',` +@@ -3924,6 +4104,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## @@ -7907,7 +7899,7 @@ index 8b09281..3fb8756 100644 ## Mount a usbfs filesystem. ## ## -@@ -4216,11 +4414,10 @@ interface(`dev_write_video_dev',` +@@ -4234,11 +4432,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` @@ -7922,7 +7914,7 @@ index 8b09281..3fb8756 100644 ######################################## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index eb9c360..20c2d34 100644 +index 7047f2f..ef76289 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -102,6 +102,7 @@ dev_node(ksm_device_t) @@ -18206,7 +18198,7 @@ index e182bf4..f80e725 100644 snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 39e901a..74fa3d6 100644 +index 0d5711c..ea74262 100644 
--- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -18328,7 +18320,7 @@ index 39e901a..74fa3d6 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -479,3 +503,22 @@ interface(`dbus_unconfined',` +@@ -497,3 +521,22 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -18352,7 +18344,7 @@ index 39e901a..74fa3d6 100644 + delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) +') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index b354128..d9416fc 100644 +index 9ce6713..ea78dc1 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) @@ -38418,7 +38410,7 @@ index 9775375..b338481 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 8419a01..5865dba 100644 +index df3fa64..73dc579 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` @@ -38669,7 +38661,7 @@ index 8419a01..5865dba 100644 ') ######################################## -@@ -1356,6 +1447,27 @@ interface(`init_dbus_send_script',` +@@ -1374,6 +1465,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -38697,7 +38689,7 @@ index 8419a01..5865dba 100644 ## init scripts over dbus. ## ## -@@ -1442,6 +1554,25 @@ interface(`init_getattr_script_status_files',` +@@ -1460,6 +1572,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -38723,7 +38715,7 @@ index 8419a01..5865dba 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1655,7 +1786,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1673,7 +1804,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') 
@@ -38732,7 +38724,7 @@ index 8419a01..5865dba 100644 ') ######################################## -@@ -1730,3 +1861,74 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1748,3 +1879,74 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -38808,7 +38800,7 @@ index 8419a01..5865dba 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 698c11e..63030ba 100644 +index 8a105fd..e858520 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -46909,7 +46901,7 @@ index 22ca011..df6b5de 100644 # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index b785e35..d9b0868 100644 +index effb6c5..a903444 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -46996,13 +46988,11 @@ index b785e35..d9b0868 100644 define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') -@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') - # +@@ -306,6 +312,7 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # Use (read and write) terminals # --define(`rw_term_perms', `{ getattr open read write ioctl }') -+define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }') -+define(`rw_term_perms', `{ open rw_inherited_term_perms }') + define(`rw_term_perms', `{ getattr open read write append ioctl }') ++define(`rw_inherited_term_perms', `{ rw_term_perms -open }') # # Sockets diff --git a/selinux-policy.spec b/selinux-policy.spec index 47f2acb..5a8be2a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
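Review bot: The new `rw_inherited_term_perms` definition relies on set subtraction, `{ rw_term_perms -open }`, and I am not certain the policy compiler honours a `-perm` element inside an access-vector permission set the way it does in a type set; an explicit list (getattr, read, write, append, ioctl) says the same thing without depending on that. Keeping `open` out of the inherited set is the whole point of the macro — a domain handed a terminal descriptor can use it without being able to open terminal devices itself — and a one-line comment above the define stating that intent would keep a later edit from re-adding `open` by mistake. The hunk also drops the patch's own `rw_term_perms` definition in favour of the upstream one, which now carries `append`, so every caller of rw_term_perms in this patch gains `append`; that looks intended but is worth a line in the changelog.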
@@ -20,8 +20,8 @@ %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.6
-Release: 3%{?dist}
+Version: 3.9.7
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Oct 12 2010 Dan Walsh 3.9.7-1
+- Update to upstream
+
 * Tue Oct 12 2010 Dan Walsh 3.9.6-3
 -Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
 - dovecot-auth_t needs ipc_lock
diff --git a/sources b/sources
index d834e79..6d66d22 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-21e517616738920ab9db791eec691b00 serefpolicy-3.9.6.tgz
+04730b4c56ff60274b246bcf4576355c serefpolicy-3.9.7.tgz