diff --git a/modules-targeted.conf b/modules-targeted.conf
index 97df528..06360e6 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1735,9 +1735,16 @@ unconfined = module
 ulogd = module
 
 # Layer: services
+# Module: vdagent
+#
+# vdagent
+# 
+vdagent = module
+
+# Layer: services
 # Module: vhostmd
 #
-# vhostmd - A metrics gathering daemon
+# vhostmd - spice guest agent daemon.
 # 
 vhostmd = module
 
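Review bot: The description "spice guest agent daemon." was put on the vhostmd entry, replacing "A metrics gathering daemon", while the new vdagent entry above it carries only the bare name. The changelog in this same commit calls vdagent the spice agent daemon, so the two comment lines look swapped. Restore `# vhostmd - A metrics gathering daemon` and write `# vdagent - spice guest agent daemon.` on the new entry. Administrators use these comments to decide which modules stay enabled, so a wrong description can lead to the wrong module being kept or dropped.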
diff --git a/policy-F14.patch b/policy-F14.patch
index 4a79637..6454d83 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -2045,10 +2045,10 @@ index 7fd0900..899e234 100644
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
 diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
 new file mode 100644
-index 0000000..9bd4f45
+index 0000000..278b3a3
 --- /dev/null
 +++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,49 @@
 +
 +/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/compiz		--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2080,7 +2080,8 @@ index 0000000..9bd4f45
 +/usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/lib(64)/virtualbox/VirtualBox  --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
-+/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/real/(.*/)?realplay\.bin	    --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/secondlife-install/bin/SLPlugin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
 +/opt/real/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
@@ -12265,7 +12266,7 @@ index 0ecc786..dbf2710 100644
  userdom_dontaudit_search_user_home_dirs(webadm_t)
  
 diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..e76f7a7 100644
+index e88b95f..b8b5c15 100644
 --- a/policy/modules/roles/xguest.te
 +++ b/policy/modules/roles/xguest.te
 @@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
@@ -12326,7 +12327,7 @@ index e88b95f..e76f7a7 100644
  	')
  ')
  
-@@ -76,23 +84,90 @@ optional_policy(`
+@@ -76,23 +84,95 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12345,23 +12346,28 @@ index e88b95f..e76f7a7 100644
 +
 +optional_policy(`
 +	gnomeclock_dontaudit_dbus_chat(xguest_t)
+ ')
+ 
+ optional_policy(`
+-	mozilla_role(xguest_r, xguest_t)
++	java_role_template(xguest, xguest_r, xguest_t)
 +')
 +
 +optional_policy(`
-+	java_role_template(xguest, xguest_r, xguest_t)
++	mono_role_template(xguest, xguest_r, xguest_t)
 +')
 +
 +optional_policy(`
-+	mono_role_template(xguest, xguest_r, xguest_t)
- ')
- 
- optional_policy(`
--	mozilla_role(xguest_r, xguest_t)
 +	mozilla_run_plugin(xguest_t, xguest_r)
 +')
 +
 +optional_policy(`
 +	nsplugin_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
++	pcscd_read_pub_files(xguest_usertype)
++	pcscd_stream_connect(xguest_usertype)
  ')
  
  optional_policy(`
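Review bot: The new pcscd block grants `pcscd_read_pub_files` and `pcscd_stream_connect` to the `xguest_usertype` attribute, whereas the neighbouring blocks added in this hunk (`mozilla_run_plugin`, `nsplugin_role`) name `xguest_t`. If the attribute is intended, a one-line comment such as `# smart card access for guest sessions` (wording to be confirmed by the author) would record why the guest role needs a socket to the smart-card daemon. The changelog entry for this release does not mention the grant.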
@@ -12404,7 +12410,7 @@ index e88b95f..e76f7a7 100644
 +		corenet_tcp_connect_speech_port(xguest_usertype)
 +		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_transproxy_port(xguest_usertype)
- 	')
++	')
 +
 +	optional_policy(`
 +		telepathy_dbus_session_role(xguest_r, xguest_t)
@@ -12414,7 +12420,7 @@ index e88b95f..e76f7a7 100644
 +optional_policy(`
 +	gen_require(`
 +		type mozilla_t;
-+	')
+ 	')
 +
 +	allow xguest_t mozilla_t:process transition;
 +	role xguest_r types mozilla_t;
@@ -13281,7 +13287,7 @@ index 9e39aa5..8603d4d 100644
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..6918ff2 100644
+index c9e1a44..ef353c7 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -13305,7 +13311,7 @@ index c9e1a44..6918ff2 100644
  	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
  	files_type(httpd_$1_content_t)
  
-@@ -36,25 +32,25 @@ template(`apache_content_template',`
+@@ -36,32 +32,32 @@ template(`apache_content_template',`
  	domain_type(httpd_$1_script_t)
  	role system_r types httpd_$1_script_t;
  
@@ -13336,6 +13342,14 @@ index c9e1a44..6918ff2 100644
  
  	allow httpd_$1_script_t self:fifo_file rw_file_perms;
  	allow httpd_$1_script_t self:unix_stream_socket connectto;
+ 
+ 	allow httpd_$1_script_t httpd_t:fifo_file write;
+ 	# apache should set close-on-exec
+-	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
++	apache_dontaudit_leaks(httpd_$1_script_t)
+ 
+ 	# Allow the script process to search the cgi directory, and users directory
+ 	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
 @@ -86,7 +82,6 @@ template(`apache_content_template',`
  	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
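Review bot: Swapping the single `dontaudit ... httpd_t:unix_stream_socket { read write }` for `apache_dontaudit_leaks(httpd_$1_script_t)` silences more than the line it replaces. Per the interface body patched later in this file, every script domain built from `apache_content_template` now also stops logging denied access to httpd_t fifo files, TCP sockets and unix datagram sockets, and (new in this commit) `httpd_tmp_t:file { read write }`. Those denials are what an analyst would look for when a CGI script touches the server's descriptors or temp files, so the comment above the call should say what is hidden, e.g. `# apache should set close-on-exec; hides inherited fd and httpd_tmp_t denials (semodule -DB to see them)`. The template body continues outside the hunk.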
@@ -13799,7 +13813,7 @@ index c9e1a44..6918ff2 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1200,14 +1367,41 @@ interface(`apache_admin',`
+@@ -1200,14 +1367,43 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -13839,12 +13853,14 @@ index c9e1a44..6918ff2 100644
 +interface(`apache_dontaudit_leaks',`
 +	gen_require(`
 +		type httpd_t;
++		type httpd_tmp_t;
 +	')
 +
 +	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
 +	dontaudit $1 httpd_t:tcp_socket { read write };
 +	dontaudit $1 httpd_t:unix_dgram_socket { read write };
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
++	dontaudit $1 httpd_tmp_t:file { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
 index 08dfa0c..b9fc802 100644
@@ -16202,10 +16218,18 @@ index 7a6e5ba..d664be8 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 1a65b5e..5595c96 100644
+index 1a65b5e..e281c74 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
-@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t)
+ #
+ 
+ allow certmonger_t self:capability { kill sys_nice };
++dontaudit certmonger_t self:capability sys_tty_config;
+ allow certmonger_t self:process { getsched setsched sigkill };
+ allow certmonger_t self:fifo_file rw_file_perms;
+ allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+@@ -32,7 +33,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
  
  manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
  manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -16214,7 +16238,16 @@ index 1a65b5e..5595c96 100644
  
  manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
  manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
-@@ -58,6 +58,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -51,6 +52,8 @@ files_read_etc_files(certmonger_t)
+ files_read_usr_files(certmonger_t)
+ files_list_tmp(certmonger_t)
+ 
++auth_rw_cache(certmonger_t)
++
+ logging_send_syslog_msg(certmonger_t)
+ 
+ miscfiles_read_localization(certmonger_t)
+@@ -58,6 +61,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
  
  sysnet_dns_name_resolve(certmonger_t)
  
@@ -16231,8 +16264,11 @@ index 1a65b5e..5595c96 100644
  optional_policy(`
  	dbus_system_bus_client(certmonger_t)
  	dbus_connect_system_bus(certmonger_t)
-@@ -70,3 +80,4 @@ optional_policy(`
+@@ -68,5 +81,7 @@ optional_policy(`
+ ')
+ 
  optional_policy(`
++	pcscd_read_pub_files(certmonger_t)
  	pcscd_stream_connect(certmonger_t)
  ')
 +
@@ -18434,7 +18470,7 @@ index 305ddf4..777091a 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..b3ab30f 100644
+index 0f28095..cf33683 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -18564,6 +18600,14 @@ index 0f28095..b3ab30f 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -685,6 +703,7 @@ domain_use_interactive_fds(hplip_t)
+ files_read_etc_files(hplip_t)
+ files_read_etc_runtime_files(hplip_t)
+ files_read_usr_files(hplip_t)
++files_dontaudit_write_usr_dirs(hplip_t)
+ 
+ logging_send_syslog_msg(hplip_t)
+ 
 diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
 index c43ff4c..5bf3e60 100644
 --- a/policy/modules/services/cvs.if
@@ -21956,7 +22000,7 @@ index 6fd0b4c..b733e45 100644
 -
  ')
 diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
-index a73b7a1..01adbed 100644
+index a73b7a1..83a4f38 100644
 --- a/policy/modules/services/ksmtuned.te
 +++ b/policy/modules/services/ksmtuned.te
 @@ -9,6 +9,9 @@ type ksmtuned_t;
@@ -21980,7 +22024,7 @@ index a73b7a1..01adbed 100644
  manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
  files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
  
-@@ -31,9 +38,14 @@ kernel_read_system_state(ksmtuned_t)
+@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
  dev_rw_sysfs(ksmtuned_t)
  
  domain_read_all_domains_state(ksmtuned_t)
@@ -21994,6 +22038,8 @@ index a73b7a1..01adbed 100644
 +
 +term_use_all_terms(ksmtuned_t)
 +
++logging_send_syslog_msg(ksmtuned_t)
++
  miscfiles_read_localization(ksmtuned_t)
 diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
 index c62f23e..335fda1 100644
@@ -23822,7 +23868,7 @@ index 343cee3..2f948ad 100644
 +	')
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..7521b9e 100644
+index 64268e4..1acd149 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -23859,17 +23905,18 @@ index 64268e4..7521b9e 100644
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
  dev_read_urand(system_mail_t)
-@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t)
+@@ -82,6 +69,10 @@ init_use_script_ptys(system_mail_t)
  
  userdom_use_user_terminals(system_mail_t)
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
++userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
 +
 +logging_append_all_logs(system_mail_t)
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +82,28 @@ optional_policy(`
+@@ -92,17 +83,28 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
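Review bot: `userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)` is broader than the changelog entry "create /root/dead.letter as mail_home_t". The call carries no file name, so every regular file system_mail_t creates directly in the admin home directory is labelled mail_home_t. The optional_policy blocks visible further down reference apache, cron, clamav and nagios, so system_mail_t appears to run on behalf of many services, and the grant deserves a comment stating the intended file, e.g. `# /root/dead.letter; applies to any file created in the admin home`. What directory permissions the interface adds cannot be seen from this hunk.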
@@ -23899,7 +23946,7 @@ index 64268e4..7521b9e 100644
  	clamav_stream_connect(system_mail_t)
  	clamav_append_log(system_mail_t)
  ')
-@@ -111,6 +112,8 @@ optional_policy(`
+@@ -111,6 +113,8 @@ optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
@@ -23908,7 +23955,7 @@ index 64268e4..7521b9e 100644
  ')
  
  optional_policy(`
-@@ -124,12 +127,8 @@ optional_policy(`
+@@ -124,12 +128,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23922,7 +23969,7 @@ index 64268e4..7521b9e 100644
  ')
  
  optional_policy(`
-@@ -146,6 +145,10 @@ optional_policy(`
+@@ -146,6 +146,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23933,7 +23980,7 @@ index 64268e4..7521b9e 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,18 +161,6 @@ optional_policy(`
+@@ -158,18 +162,6 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -23952,7 +23999,7 @@ index 64268e4..7521b9e 100644
  ')
  
  optional_policy(`
-@@ -189,6 +180,10 @@ optional_policy(`
+@@ -189,6 +181,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23963,7 +24010,7 @@ index 64268e4..7521b9e 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,7 +194,7 @@ optional_policy(`
+@@ -199,7 +195,7 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -23972,7 +24019,7 @@ index 64268e4..7521b9e 100644
  		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
  	')
  
-@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +216,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -23982,7 +24029,7 @@ index 64268e4..7521b9e 100644
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -249,11 +245,16 @@ optional_policy(`
+@@ -249,11 +246,16 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -23999,7 +24046,7 @@ index 64268e4..7521b9e 100644
  domain_use_interactive_fds(user_mail_t)
  
  userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +293,44 @@ optional_policy(`
+@@ -292,3 +294,44 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -24727,7 +24774,7 @@ index 2324d9e..8069487 100644
 +	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..a074153 100644
+index 0619395..4898ef8 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -24844,7 +24891,15 @@ index 0619395..a074153 100644
  	iptables_domtrans(NetworkManager_t)
  ')
  
-@@ -263,6 +298,7 @@ optional_policy(`
+@@ -219,6 +254,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	openvpn_read_config(NetworkManager_t)
+ 	openvpn_domtrans(NetworkManager_t)
+ 	openvpn_kill(NetworkManager_t)
+ 	openvpn_signal(NetworkManager_t)
+@@ -263,6 +299,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -32299,10 +32354,10 @@ index 93fe7bf..4a15633 100644
  
  	allow $1 soundd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
-index 6b3abf9..540981f 100644
+index 6b3abf9..d445f78 100644
 --- a/policy/modules/services/spamassassin.fc
 +++ b/policy/modules/services/spamassassin.fc
-@@ -1,15 +1,26 @@
+@@ -1,15 +1,27 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 +/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -32317,6 +32372,7 @@ index 6b3abf9..540981f 100644
  /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
  
  /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/mimedefang	--	gen_context(system_u:object_r:spamd_exec_t,s0)
 +/usr/bin/mimedefang-multiplexor --	gen_context(system_u:object_r:spamd_exec_t,s0)
  
  /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
@@ -34643,6 +34699,105 @@ index 1cc80e8..c6bf70e 100644
  
  manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
  manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
+new file mode 100644
+index 0000000..bb0a79c
+--- /dev/null
++++ b/policy/modules/services/vdagent.fc
+@@ -0,0 +1,4 @@
++
++/sbin/vdagent		--	gen_context(system_u:object_r:vdagent_exec_t,s0)
++
++/var/run/spice-vdagentd(/.*)?	gen_context(system_u:object_r:vdagent_var_run_t,s0)
+diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
+new file mode 100644
+index 0000000..35020c8
+--- /dev/null
++++ b/policy/modules/services/vdagent.if
+@@ -0,0 +1,39 @@
++## <summary>The spice guest agent daemon.</summary>
++
++
++########################################
++## <summary>
++##	Execute a domain transition to run vdagent.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`vdagent_domtrans',`
++	gen_require(`
++		type vdagent_t, vdagent_exec_t;
++	')
++
++	domtrans_pattern($1, vdagent_exec_t, vdagent_t)
++')
++
++########################################
++## <summary>
++##	Connect to vdagent over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vdagent_stream_connect',`
++	gen_require(`
++		type vdagent_t, vdagent_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
++')
+diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
+new file mode 100644
+index 0000000..87d5c8c
+--- /dev/null
++++ b/policy/modules/services/vdagent.te
+@@ -0,0 +1,38 @@
++policy_module(vdagent,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type vdagent_t;
++type vdagent_exec_t;
++udev_system_domain(vdagent_t, vdagent_exec_t)
++
++type vdagent_var_run_t;
++files_pid_file(vdagent_var_run_t)
++
++permissive vdagent_t;
++
++########################################
++#
++# vdagent local policy
++#
++allow vdagent_t self:process { fork };
++
++allow vdagent_t self:fifo_file rw_fifo_file_perms;
++allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file })
++
++domain_use_interactive_fds(vdagent_t)
++
++files_read_etc_files(vdagent_t)
++
++miscfiles_read_localization(vdagent_t)
++
++userdom_use_user_ptys(vdagent_t)
 diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
 index 1f872b5..da605ba 100644
 --- a/policy/modules/services/vhostmd.if
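Review bot: `permissive vdagent_t;` in the new vdagent.te leaves the domain unenforced, so the allow rules after it only shape what gets logged and denials are recorded but not blocked. That is a reasonable way to land a first policy, but nothing in the file says it is temporary; add `# permissive while the policy is developed; remove once AVC denials are resolved` above the statement. It is also worth confirming the entry point path: vdagent.fc labels `/sbin/vdagent` while the runtime directory is `/var/run/spice-vdagentd`, and if the installed binary carries the longer name, the executable is never labelled vdagent_exec_t and the transition from udev_t does not happen.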
@@ -38483,7 +38638,7 @@ index 1c4b1e7..2997dd7 100644
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..a1069bf 100644
+index bea0ade..6f47773 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -38530,7 +38685,18 @@ index bea0ade..a1069bf 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -126,6 +137,8 @@ interface(`auth_login_pgm_domain',`
+@@ -119,6 +130,10 @@ interface(`auth_login_pgm_domain',`
+ 	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ 	kernel_rw_afs_state($1)
+ 
++	tunable_policy(`authlogin_radius',`
++		corenet_udp_bind_all_unreserved_ports($1)
++	')
++
+ 	# for fingerprint readers
+ 	dev_rw_input_dev($1)
+ 	dev_rw_generic_usb_dev($1)
+@@ -126,6 +141,8 @@ interface(`auth_login_pgm_domain',`
  	files_read_etc_files($1)
  
  	fs_list_auto_mountpoints($1)
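Review bot: With `authlogin_radius` on, `corenet_udp_bind_all_unreserved_ports($1)` lets every domain that calls `auth_login_pgm_domain` bind any unreserved UDP port, which is much wider than the boolean's description ("Allow users to login using a radius server") suggests. If the bind is only needed for the RADIUS client's source port, say so next to the rule, e.g. `# radius client binds an ephemeral UDP source port`. The `<desc>` text added in authlogin.te should also mention the bind, so an administrator enabling the boolean knows what it opens. The interface body continues outside the hunk.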
@@ -38539,7 +38705,7 @@ index bea0ade..a1069bf 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -141,6 +154,7 @@ interface(`auth_login_pgm_domain',`
+@@ -141,6 +158,7 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -38547,7 +38713,7 @@ index bea0ade..a1069bf 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -151,8 +165,39 @@ interface(`auth_login_pgm_domain',`
+@@ -151,8 +169,39 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -38589,7 +38755,7 @@ index bea0ade..a1069bf 100644
  	')
  ')
  
-@@ -365,13 +410,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -365,13 +414,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -38606,7 +38772,7 @@ index bea0ade..a1069bf 100644
  ')
  
  ########################################
-@@ -418,6 +465,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +469,7 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -38614,7 +38780,7 @@ index bea0ade..a1069bf 100644
  ')
  
  ########################################
-@@ -694,7 +742,7 @@ interface(`auth_relabel_shadow',`
+@@ -694,7 +746,7 @@ interface(`auth_relabel_shadow',`
  	')
  
  	files_search_etc($1)
@@ -38623,7 +38789,7 @@ index bea0ade..a1069bf 100644
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
  
-@@ -736,6 +784,25 @@ interface(`auth_rw_faillog',`
+@@ -736,6 +788,25 @@ interface(`auth_rw_faillog',`
  	allow $1 faillog_t:file rw_file_perms;
  ')
  
@@ -38649,7 +38815,7 @@ index bea0ade..a1069bf 100644
  #######################################
  ## <summary>
  ##	Read the last logins log.
-@@ -874,6 +941,26 @@ interface(`auth_exec_pam',`
+@@ -874,6 +945,26 @@ interface(`auth_exec_pam',`
  
  ########################################
  ## <summary>
@@ -38676,7 +38842,7 @@ index bea0ade..a1069bf 100644
  ##	Manage var auth files. Used by various other applications
  ##	and pam applets etc.
  ## </summary>
-@@ -896,6 +983,26 @@ interface(`auth_manage_var_auth',`
+@@ -896,6 +987,26 @@ interface(`auth_manage_var_auth',`
  
  ########################################
  ## <summary>
@@ -38703,7 +38869,7 @@ index bea0ade..a1069bf 100644
  ##	Read PAM PID files.
  ## </summary>
  ## <param name="domain">
-@@ -1500,6 +1607,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1611,8 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -38712,7 +38878,7 @@ index bea0ade..a1069bf 100644
  	files_list_var_lib($1)
  
  	# read /etc/nsswitch.conf
-@@ -1531,7 +1640,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1644,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -38730,10 +38896,20 @@ index bea0ade..a1069bf 100644
  
  	optional_policy(`
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..ee0fe55 100644
+index 54d122b..87ad058 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
-@@ -8,6 +8,7 @@ policy_module(authlogin, 2.2.0)
+@@ -5,9 +5,17 @@ policy_module(authlogin, 2.2.0)
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Allow users to login using a radius server
++## </p>
++## </desc>
++gen_tunable(authlogin_radius, false)
++
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
  attribute can_relabelto_shadow_passwords;
@@ -38741,7 +38917,7 @@ index 54d122b..ee0fe55 100644
  
  type auth_cache_t;
  logging_log_file(auth_cache_t)
-@@ -83,7 +84,7 @@ logging_log_file(wtmp_t)
+@@ -83,7 +91,7 @@ logging_log_file(wtmp_t)
  
  allow chkpwd_t self:capability { dac_override setuid };
  dontaudit chkpwd_t self:capability sys_tty_config;
@@ -38750,7 +38926,7 @@ index 54d122b..ee0fe55 100644
  
  allow chkpwd_t shadow_t:file read_file_perms;
  files_list_etc(chkpwd_t)
-@@ -394,3 +395,11 @@ optional_policy(`
+@@ -394,3 +402,11 @@ optional_policy(`
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
@@ -40686,7 +40862,7 @@ index 57c645b..7682697 100644
  dev_read_framebuffer(kdump_t)
  dev_read_sysfs(kdump_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 9df8c4d..b93f65a 100644
+index 9df8c4d..7a942fc 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
@@ -40697,7 +40873,15 @@ index 9df8c4d..b93f65a 100644
  
  ifdef(`distro_debian',`
  /lib32					-l	gen_context(system_u:object_r:lib_t,s0)
-@@ -129,15 +130,13 @@ ifdef(`distro_redhat',`
+@@ -90,6 +91,7 @@ ifdef(`distro_gentoo',`
+ ')
+ 
+ ifdef(`distro_redhat',`
++/opt/Adobe.*/libcurl\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/Adobe(/.*?)/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
+@@ -129,15 +131,13 @@ ifdef(`distro_redhat',`
  /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/librealvideo_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/libdmo_plugin\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40716,7 +40900,7 @@ index 9df8c4d..b93f65a 100644
  /usr/lib(64)?/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/win32/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,6 +150,7 @@ ifdef(`distro_redhat',`
+@@ -151,6 +151,7 @@ ifdef(`distro_redhat',`
  /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40724,7 +40908,7 @@ index 9df8c4d..b93f65a 100644
  /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +208,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -208,6 +209,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  
  /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40732,7 +40916,7 @@ index 9df8c4d..b93f65a 100644
  /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,6 +248,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -247,6 +249,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib(64)?/ladspa/sc3_1427\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40740,7 +40924,7 @@ index 9df8c4d..b93f65a 100644
  /usr/lib(64)?/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-@@ -302,13 +304,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -302,13 +305,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40756,7 +40940,7 @@ index 9df8c4d..b93f65a 100644
  ') dnl end distro_redhat
  
  #
-@@ -319,14 +316,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -319,14 +317,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
@@ -43978,7 +44162,7 @@ index 0291685..44fe366 100644
  /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..5b277ea 100644
+index 025348a..65971f9 100644
 --- a/policy/modules/system/udev.if
 +++ b/policy/modules/system/udev.if
 @@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -43999,6 +44183,43 @@ index 025348a..5b277ea 100644
  ')
  
  ########################################
+@@ -231,3 +231,36 @@ interface(`udev_manage_pid_files',`
+ 	files_search_var_lib($1)
+ 	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
++
++########################################
++## <summary>
++##	Create a domain for processes
++##	which can be started by udev.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Type to be used as a domain.
++##	</summary>
++## </param>
++## <param name="entry_point">
++##	<summary>
++##	Type of the program to be used as an entry point to this domain.
++##	</summary>
++## </param>
++#
++interface(`udev_system_domain',`
++	gen_require(`
++		type udev_t;
++		role system_r;
++	')
++
++	domain_type($1)
++	domain_entry_file($1, $2)
++
++	role system_r types $1;
++
++	domtrans_pattern(udev_t, $2, $1)
++
++	dontaudit $1 udev_t:unix_dgram_socket { read write };
++')
++
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
 index a054cf5..f24ab6b 100644
 --- a/policy/modules/system/udev.te
@@ -44123,10 +44344,10 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..c6e8ffe 100644
+index 416e668..20a28e7 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
-@@ -12,14 +12,13 @@
+@@ -12,27 +12,33 @@
  #
  interface(`unconfined_domain_noaudit',`
  	gen_require(`
@@ -44134,15 +44355,20 @@ index 416e668..c6e8ffe 100644
  		class dbus all_dbus_perms;
  		class nscd all_nscd_perms;
  		class passwd all_passwd_perms;
++		bool secure_mode_insmod;
  	')
  
  	# Use any Linux capability.
 -	allow $1 self:capability *;
-+	allow $1 self:capability all_capabilities;
++	allow $1 self:capability ~sys_module;
  	allow $1 self:fifo_file manage_fifo_file_perms;
  
++	if (!secure_mode_insmod) {
++		allow $1 self:capability sys_module;
++	}
++
  	# Transition to myself, to make get_ordered_context_list happy.
-@@ -27,12 +26,14 @@ interface(`unconfined_domain_noaudit',`
+ 	allow $1 self:process transition;
  
  	# Write access is for setting attributes under /proc/self/attr.
  	allow $1 self:file rw_file_perms;
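Review bot: The comment `# Use any Linux capability.` no longer matches the rule under it. `allow $1 self:capability ~sys_module;` grants everything except sys_module, and sys_module is now granted only inside `if (!secure_mode_insmod)`. Update the comment to `# Use any Linux capability except sys_module, which is granted only while secure_mode_insmod is off.` so a reader auditing unconfined domains sees the condition without reading the next block. The interface body continues outside the hunk.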
@@ -44161,7 +44387,7 @@ index 416e668..c6e8ffe 100644
  
  	kernel_unconfined($1)
  	corenet_unconfined($1)
-@@ -44,6 +45,12 @@ interface(`unconfined_domain_noaudit',`
+@@ -44,6 +50,12 @@ interface(`unconfined_domain_noaudit',`
  	fs_unconfined($1)
  	selinux_unconfined($1)
  
@@ -44174,7 +44400,7 @@ index 416e668..c6e8ffe 100644
  	tunable_policy(`allow_execheap',`
  		# Allow making the stack executable via mprotect.
  		allow $1 self:process execheap;
-@@ -69,6 +76,7 @@ interface(`unconfined_domain_noaudit',`
+@@ -69,6 +81,7 @@ interface(`unconfined_domain_noaudit',`
  	optional_policy(`
  		# Communicate via dbusd.
  		dbus_system_bus_unconfined($1)
@@ -44182,7 +44408,7 @@ index 416e668..c6e8ffe 100644
  	')
  
  	optional_policy(`
-@@ -122,6 +130,10 @@ interface(`unconfined_domain_noaudit',`
+@@ -122,6 +135,10 @@ interface(`unconfined_domain_noaudit',`
  ## </param>
  #
  interface(`unconfined_domain',`
@@ -44193,7 +44419,7 @@ index 416e668..c6e8ffe 100644
  	unconfined_domain_noaudit($1)
  
  	tunable_policy(`allow_execheap',`
-@@ -178,412 +190,3 @@ interface(`unconfined_alias_domain',`
+@@ -178,412 +195,3 @@ interface(`unconfined_alias_domain',`
  interface(`unconfined_execmem_alias_program',`
  	refpolicywarn(`$0($1) has been deprecated.')
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b3e6413..161036b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,12 @@ exit 0
 %endif
 
 %changelog
+* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-8
+- Allow NetworkManager to read openvpn_etc_t
+- Dontaudit hplip to write of /usr dirs
+- Allow system_mail_t to create /root/dead.letter as mail_home_t
+- Add vdagent policy for spice agent daemon
+
 * Thu Oct 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-7
 - Dontaudit sandbox sending sigkill to all user domains
 - Add policy for rssh_chroot_helper