diff --git a/policy-F16.patch b/policy-F16.patch index e5be303..db283ea 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4870,10 +4870,10 @@ index 0000000..1553356 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..acb325c +index 0000000..aff461c --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,175 @@ +@@ -0,0 +1,184 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4903,6 +4903,10 @@ index 0000000..acb325c +# chrome_sandbox local policy +# +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot }; ++tunable_policy(`deny_ptrace',`',` ++ allow chrome_sandbox_t self:capability sys_ptrace; ++') ++ +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:process setsched; +allow chrome_sandbox_t self:fifo_file manage_file_perms; @@ -5049,6 +5053,11 @@ index 0000000..acb325c +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t) ++ ++optional_policy(` ++ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) ++') ++ diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te index 37475dd..6026789 100644 --- a/policy/modules/apps/cpufreqselector.te @@ -5446,10 +5455,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..c57fc1e 100644 +index f5afe78..45580b5 100644 --- a/policy/modules/apps/gnome.if 
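Review bot: The new tunable_policy block in the chrome_sandbox_t hunk (@@ -4903) grants self:capability sys_ptrace whenever deny_ptrace is off, but nothing says what the sandbox helper needs ptrace for; the empty second argument puts the rule in the else branch, which is correct for "allow unless denied" but easy to misread. A one-line comment above the block would keep a later reader from assuming it is a leftover, e.g. `# sys_ptrace is gated by deny_ptrace; needed by the sandbox helper — reason to be confirmed`. Since this extends an already broad set (sys_admin, sys_chroot, dac_override on the line above), recording the justification next to the rule matters more than usual.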
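Review bot: The dontaudit added for chrome_sandbox_nacl_t in the @@ -5049 hunk suppresses write denials on gnome home content without an inline reason, so in the .te file it is indistinguishable from a missing allow. The spec changelog in this commit explains it as leaked file descriptors or redirected output; put that next to the rule, e.g. `# leaked fds / redirected output from the session, not a real write path`. The enclosing chrome_sandbox_nacl_t policy starts before this hunk.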
+++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,862 @@ +@@ -1,44 +1,880 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -5684,6 +5693,24 @@ index f5afe78..c57fc1e 100644 + +######################################## +## ++## Dontaudit write gnome homedir content (.config) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`gnome_dontaudit_write_config_files',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ dontaudit $1 gnome_home_type:file write; ++') ++ ++######################################## ++## +## manage gnome homedir content (.config) +## +## @@ -6330,7 +6357,7 @@ index f5afe78..c57fc1e 100644 ## ## ## -@@ -46,37 +864,92 @@ interface(`gnome_role',` +@@ -46,37 +882,92 @@ interface(`gnome_role',` ## ## # @@ -6434,7 +6461,7 @@ index f5afe78..c57fc1e 100644 ## ## ## -@@ -84,37 +957,53 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +975,53 @@ template(`gnome_read_gconf_config',` ## ## # @@ -6499,7 +6526,7 @@ index f5afe78..c57fc1e 100644 ## ## ## -@@ -122,17 +1011,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1029,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -6521,7 +6548,7 @@ index f5afe78..c57fc1e 100644 ## ## ## -@@ -140,51 +1029,298 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1047,298 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -12767,7 +12794,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..cdd0dcf 100644 +index 3fae11a..ab97bec 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,7 +1,7 @@ 
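Review bot: The summary of the new interface gnome_dontaudit_write_config_files (hunk @@ -5684) says ".config", but the rule is `dontaudit $1 gnome_home_type:file write;` on the whole gnome_home_type attribute, so it covers every type carrying that attribute, presumably more than the .config directory. Either widen the summary to "Do not audit attempts to write gnome homedir content" or, if a config-specific type exists, narrow the rule to it so the name and the effect agree. The description block also appears to have lost its summary/param markup in extraction; the intended text is still readable.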
@@ -13050,18 +13077,19 @@ index 3fae11a..cdd0dcf 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +412,8 @@ ifdef(`distro_suse', ` +@@ -375,8 +412,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) ++/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +422,12 @@ ifdef(`distro_suse', ` +@@ -385,3 +423,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -41791,10 +41819,10 @@ index 9878499..8643cd3 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..a666df2 100644 +index da2127e..24e20b0 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te -@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0) +@@ -5,90 +5,148 @@ policy_module(jabber, 1.8.0) # Declarations # 
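Review bot: The new `/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0)` entry in the corecommands.fc hunk has no file-type qualifier, so it would also label a directory or symlink of that name as bin_t, unlike the `--` form used by the removed yp entries right above it. If interpreter is a regular file (the changelog does not say), write it as `/var/lib/iscan/interpreter -- gen_context(system_u:object_r:bin_t,s0)`; if it is a directory the entry is fine but a `(/.*)?` suffix would be the usual form.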
@@ -41872,45 +41900,43 @@ index da2127e..a666df2 100644 -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) -+ + +-dev_read_sysfs(jabberd_t) +-# For SSL +-dev_read_rand(jabberd_t) +corenet_tcp_bind_jabber_client_port(jabberd_router_t) +corenet_tcp_bind_jabber_router_port(jabberd_router_t) +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) -+ + +-domain_use_interactive_fds(jabberd_t) +fs_getattr_all_fs(jabberd_router_t) --dev_read_sysfs(jabberd_t) --# For SSL --dev_read_rand(jabberd_t) +-files_read_etc_files(jabberd_t) +-files_read_etc_runtime_files(jabberd_t) +miscfiles_read_generic_certs(jabberd_router_t) --domain_use_interactive_fds(jabberd_t) +-fs_getattr_all_fs(jabberd_t) +-fs_search_auto_mountpoints(jabberd_t) +optional_policy(` + kerberos_use(jabberd_router_t) +') --files_read_etc_files(jabberd_t) --files_read_etc_runtime_files(jabberd_t) +-logging_send_syslog_msg(jabberd_t) +optional_policy(` + nis_use_ypbind(jabberd_router_t) +') --fs_getattr_all_fs(jabberd_t) --fs_search_auto_mountpoints(jabberd_t) +-miscfiles_read_localization(jabberd_t) +##################################### +# +# Local policy for other jabberd components +# - --logging_send_syslog_msg(jabberd_t) ++ +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) --miscfiles_read_localization(jabberd_t) -+kernel_read_system_state(jabberd_t) - -sysnet_read_config(jabberd_t) +corenet_tcp_bind_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) 
@@ -41926,8 +41952,8 @@ index da2127e..a666df2 100644 optional_policy(` - seutil_sigchld_newrole(jabberd_t) + udev_read_db(jabberd_t) - ') - ++') ++ +###################################### +# +# Local policy for pyicq-t @@ -41942,8 +41968,6 @@ index da2127e..a666df2 100644 +files_search_spool(pyicqt_t) +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t); + -+kernel_read_system_state(pyicqt_t) -+ +corenet_tcp_bind_jabber_router_port(pyicqt_t) +corenet_tcp_connect_jabber_router_port(pyicqt_t) + @@ -41960,14 +41984,14 @@ index da2127e..a666df2 100644 +libs_use_shared_libs(pyicqt_t) + +# needed for pyicq-t-mysql - optional_policy(` -- udev_read_db(jabberd_t) ++optional_policy(` + corenet_tcp_connect_mysqld_port(pyicqt_t) ') -+ -+optional_policy(` + + optional_policy(` +- udev_read_db(jabberd_t) + sysnet_use_ldap(pyicqt_t) -+') + ') + +####################################### +# @@ -41979,6 +42003,8 @@ index da2127e..a666df2 100644 +allow jabberd_domain self:tcp_socket create_stream_socket_perms; +allow jabberd_domain self:udp_socket create_socket_perms; + ++kernel_read_system_state(jabberd_domain) ++ +corenet_all_recvfrom_unlabeled(jabberd_domain) +corenet_all_recvfrom_netlabel(jabberd_domain) +corenet_tcp_sendrecv_generic_if(jabberd_domain) @@ -47464,7 +47490,7 @@ index 2324d9e..8666a3c 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..e5fb258 100644 +index 0619395..be38b9d 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) 
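Review bot: The jabber.te hunks (@@ -41872, @@ -41926, @@ -41979) move kernel_read_system_state from jabberd_t and pyicqt_t onto the jabberd_domain attribute, which extends that permission to every domain carrying the attribute, presumably including jabberd_router_t, which the visible lines never granted it to; that widening is not mentioned in the changelog. A short comment above the attribute rule would make it deliberate, e.g. `# shared by all jabberd components (router, c2s/s2s, pyicq-t)`. The remaining changes in @@ -41872 only reorder interleaved removed and added lines of the inner patch and do not alter the resulting policy.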
@@ -47534,7 +47560,13 @@ index 0619395..e5fb258 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -100,6 +129,7 @@ dev_read_rand(NetworkManager_t) +@@ -95,11 +124,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) + corenet_rw_tun_tap_dev(NetworkManager_t) + corenet_getattr_ppp_dev(NetworkManager_t) + +-dev_read_sysfs(NetworkManager_t) ++dev_rw_sysfs(NetworkManager_t) + dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 54e97bc..2e91c7d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 68%{?dist} +Release: 69%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Dec 14 2011 Miroslav Grepl 3.10.0-69 +- Add label for /var/lib/iscan/interpreter +- Dont audit writes to leaked file descriptors or redirected output for nacl +- NetworkManager needs to write to /sys/class/net/ib*/mode + * Tue Dec 13 2011 Miroslav Grepl 3.10.0-68 - Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctly
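Review bot: Replacing dev_read_sysfs with dev_rw_sysfs in the networkmanager.te hunk grants NetworkManager_t write access to all of sysfs to satisfy one path, and the .te file does not record which one; the reason only appears in the spec changelog. Add it next to the call, `# writes /sys/class/net/ib*/mode (see 3.10.0-69 changelog)`, so the next person can judge whether a narrower rule is possible if a more specific sysfs type is ever introduced.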