diff --git a/policy-20080509.patch b/policy-20080509.patch
index e127f0c..7775d3f 100644
--- a/policy-20080509.patch
+++ b/policy-20080509.patch
@@ -1670,9 +1670,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool
+ xserver_exec_pid(vbetool_t)
+ xserver_write_pid(vbetool_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.4.2/policy/modules/admin/vpn.if
+--- nsaserefpolicy/policy/modules/admin/vpn.if 2008-06-12 23:25:08.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/vpn.if 2008-06-26 07:40:44.000000000 -0400
+@@ -48,6 +48,7 @@
+ vpn_domtrans($1)
+ role $2 types vpnc_t;
+ allow vpnc_t $3:chr_file rw_term_perms;
++ sysnet_run_ifconfig(vpnc_t, $2, $3)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.4.2/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/admin/vpn.te 2008-06-12 23:37:53.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/vpn.te 2008-06-26 07:39:30.000000000 -0400
@@ -24,7 +24,8 @@
allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
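Review bot: `++ sysnet_run_ifconfig(vpnc_t, $2, $3)` inside `vpn_run`, together with the removal of `sysnet_domtrans_ifconfig(vpnc_t)` from vpn.te in the next hunk (old line 1683), makes the vpnc_t → ifconfig_t transition exist only when some module calls `vpn_run`; interface rules are expanded at the call site, not in vpn.te. vpn.te's other entry points into vpnc_t are outside this hunk, but if vpnc_t can be entered without `vpn_run` (for example from a daemon that calls `vpn_domtrans`), that instance will run ifconfig in vpnc_t itself rather than confined in ifconfig_t, which quietly widens what vpnc_t does with its net_admin capability. Keeping `sysnet_domtrans_ifconfig(vpnc_t)` in vpn.te alongside the new `vpn_run` line would make the transition unconditional; the duplicate allow rule from `sysnet_run_ifconfig` is harmless.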
@@ -1683,6 +1694,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
+@@ -102,7 +103,6 @@
+ seutil_dontaudit_search_config(vpnc_t)
+ seutil_use_newrole_fds(vpnc_t)
+
+-sysnet_domtrans_ifconfig(vpnc_t)
+ sysnet_etc_filetrans_config(vpnc_t)
+ sysnet_manage_config(vpnc_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.4.2/policy/modules/apps/ethereal.fc
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-06-12 23:25:03.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/apps/ethereal.fc 2008-06-12 23:37:51.000000000 -0400
@@ -13994,7 +14013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.4.2/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/dbus.if 2008-06-22 20:49:35.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/dbus.if 2008-06-26 07:23:57.000000000 -0400
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -14106,8 +14125,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
')
-@@ -209,12 +229,9 @@
+@@ -207,14 +227,12 @@
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
++ attribute dbusd_unconfined;
')
-# type $1_dbusd_system_t;
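Review bot: `++ attribute dbusd_unconfined;` in the template's gen_require, and the two rewritten `send_msg` rules that use it in the next hunk (old line 14116), make every caller of `dbus_system_bus_client_template` depend on an attribute whose declaration is not visible on this page; the dbus.te declarations hunk (`@@ -9,9 +9,10 @@`, old line 14267) is cut off here, so confirm dbus.te declares `attribute dbusd_unconfined;` unconditionally, otherwise modules using the template fail to link. With the blanket `allow dbusd_unconfined domain:dbus send_msg;` dropped from dbus.te (old line 14380), a `dbusd_unconfined` domain can now exchange messages only with clients that go through this template, and those clients gain send access to every such domain in both directions. The template's summary comment sits above the hunk and should state this, e.g. `## Also allows sending to and receiving from any domain with the dbusd_unconfined attribute.`, since granting that attribute is what opens a client to an unconfined bus peer.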
@@ -14116,12 +14138,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
# SE-DBus specific permissions
-# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
- allow $2 { system_dbusd_t self }:dbus send_msg;
-+ allow $2 { system_dbusd_t $2 }:dbus send_msg;
-+ allow system_dbusd_t $2:dbus send_msg;
++ allow $2 { system_dbusd_t $2 dbusd_unconfined }:dbus send_msg;
++ allow { system_dbusd_t dbusd_unconfined } $2:dbus send_msg;
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
-@@ -223,6 +240,10 @@
+@@ -223,6 +241,10 @@
files_search_pids($2)
stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
dbus_read_config($2)
@@ -14132,7 +14154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
#######################################
-@@ -251,18 +272,16 @@
+@@ -251,18 +273,16 @@
template(`dbus_user_bus_client_template',`
gen_require(`
type $1_dbusd_t;
@@ -14153,7 +14175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
########################################
-@@ -292,6 +311,55 @@
+@@ -292,6 +312,55 @@
########################################
##
@@ -14209,7 +14231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## Read dbus configuration.
##
##
-@@ -366,3 +434,55 @@
+@@ -366,3 +435,55 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -14267,7 +14289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.4.2/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/dbus.te 2008-06-22 20:51:20.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/dbus.te 2008-06-26 07:22:31.000000000 -0400
@@ -9,9 +9,10 @@
#
# Delcarations
@@ -14349,7 +14371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
libs_use_ld_so(system_dbusd_t)
libs_use_shared_libs(system_dbusd_t)
-@@ -122,9 +140,40 @@
+@@ -122,9 +140,38 @@
')
optional_policy(`
@@ -14380,10 +14402,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+optional_policy(`
+ gen_require(`
+ type unconfined_dbusd_t;
-+ attribute domain;
+ ')
+ unconfined_domain(unconfined_dbusd_t)
-+ allow dbusd_unconfined domain:dbus send_msg;
+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
@@ -25716,7 +25736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.4.2/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/squid.te 2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/squid.te 2008-06-25 07:54:09.000000000 -0400
@@ -31,12 +31,15 @@
type squid_var_run_t;
files_pid_file(squid_var_run_t)
@@ -25730,7 +25750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
#
-allow squid_t self:capability { setgid setuid dac_override sys_resource };
-+allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
++allow squid_t self:capability { setgid killa setuid dac_override sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
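Review bot: `killa` in the new line `++allow squid_t self:capability { setgid killa setuid dac_override sys_resource };` is not a capability permission; this replaces the previously working `kill` line with one the policy compiler will reject as an unknown permission, so the whole policy build breaks on a typo. The line should read `allow squid_t self:capability { setgid kill setuid dac_override sys_resource };`. Separately, the `kill` capability lets squid_t signal processes it does not own; if the denial that motivated it only involves squid's own helper processes, the existing `self:process` permissions on the context line below may already cover it, which is worth checking before keeping the capability.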
@@ -25742,7 +25762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
corenet_tcp_bind_http_cache_port(squid_t)
corenet_udp_bind_http_cache_port(squid_t)
corenet_tcp_bind_ftp_port(squid_t)
-@@ -92,6 +96,7 @@
+@@ -92,10 +96,12 @@
corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
@@ -25750,7 +25770,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
-@@ -109,6 +114,8 @@
+ corenet_tcp_connect_http_cache_port(squid_t)
++corenet_tcp_connect_pgpkeyserver_port(squid_t)
+ corenet_sendrecv_http_client_packets(squid_t)
+ corenet_sendrecv_ftp_client_packets(squid_t)
+ corenet_sendrecv_gopher_client_packets(squid_t)
+@@ -109,6 +115,8 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
@@ -25759,7 +25784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
selinux_dontaudit_getattr_dir(squid_t)
-@@ -128,6 +135,7 @@
+@@ -128,6 +136,7 @@
files_getattr_home_dir(squid_t)
auth_use_nsswitch(squid_t)
@@ -25767,7 +25792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
libs_use_ld_so(squid_t)
libs_use_shared_libs(squid_t)
-@@ -149,11 +157,7 @@
+@@ -149,11 +158,7 @@
')
optional_policy(`
@@ -25780,7 +25805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
')
optional_policy(`
-@@ -168,7 +172,12 @@
+@@ -168,7 +173,12 @@
udev_read_db(squid_t)
')
@@ -29263,6 +29288,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.4.2/policy/modules/system/ipsec.if
+--- nsaserefpolicy/policy/modules/system/ipsec.if 2008-06-12 23:25:07.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/ipsec.if 2008-06-26 07:50:38.000000000 -0400
+@@ -150,6 +150,26 @@
+ manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
+ ')
+
++
++########################################
++##
++## write the ipsec_var_run_t files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`ipsec_write_pid',`
++ gen_require(`
++ type ipsec_var_run_t;
++ ')
++
++ files_search_pids($1)
++ write_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
++')
++
+ ########################################
+ ##
+ ## Execute racoon in the racoon domain.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.4.2/policy/modules/system/ipsec.te
+--- nsaserefpolicy/policy/modules/system/ipsec.te 2008-06-12 23:25:07.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/ipsec.te 2008-06-26 07:46:57.000000000 -0400
+@@ -69,8 +69,8 @@
+ read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+ read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+
+-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
+-allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
++manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
++manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+ files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
+
+ can_exec(ipsec_t, ipsec_mgmt_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.4.2/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/iptables.te 2008-06-12 23:37:52.000000000 -0400
@@ -32174,7 +32243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.4.2/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/sysnetwork.te 2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/sysnetwork.te 2008-06-26 07:51:07.000000000 -0400
@@ -20,6 +20,10 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
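Review bot: The new interface `ipsec_write_pid` (ipsec.if, new line 150 onward in the hunk that begins on the previous page line) is summarized as `## write the ipsec_var_run_t files.`; the summary should be capitalized like its neighbours and name what `write_files_pattern` actually grants, e.g. `## Write all files labelled ipsec_var_run_t (ipsec runtime/pid directory).`, since callers get write access to every file of that type rather than a single pid file. The insertion also leaves a doubled blank line (`++` right after the existing `+` blank) before the new header block. In ipsec.te in the same hunk, replacing `allow ipsec_t ipsec_var_run_t:file manage_file_perms;` with `manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)` also grants `rw_dir_perms` on ipsec_var_run_t directories per the refpolicy pattern definition; presumably intended, but it is a widening the commit message does not mention, and the new calls' `, ` argument spacing differs from the surrounding `files_pid_filetrans(ipsec_t,ipsec_var_run_t,...)` style.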
@@ -32317,7 +32386,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -332,6 +351,14 @@
+@@ -324,6 +343,10 @@
+ ')
+
+ optional_policy(`
++ ipsec_write_pid(ifconfig_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(ifconfig_t)
+ ')
+
+@@ -332,6 +355,14 @@
')
optional_policy(`
@@ -32448,14 +32528,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.4.2/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/unconfined.fc 2008-06-23 06:28:00.000000000 -0400
-@@ -2,15 +2,26 @@
++++ serefpolicy-3.4.2/policy/modules/system/unconfined.fc 2008-06-26 07:24:15.000000000 -0400
+@@ -2,15 +2,28 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
- /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@@ -32480,6 +32561,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++
++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.4.2/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/unconfined.if 2008-06-22 20:50:34.000000000 -0400
@@ -33212,7 +33295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.2/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/userdomain.if 2008-06-14 07:13:36.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/userdomain.if 2008-06-26 08:07:11.000000000 -0400
@@ -28,10 +28,14 @@
class context contains;
')
@@ -35304,7 +35387,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## Domain allowed access.
-@@ -4710,6 +4823,25 @@
+@@ -4666,6 +4779,8 @@
+ ')
+
+ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++ fs_dontaudit_list_nfs($2)
++ fs_dontaudit_list_cifs($2)
+ ')
+
+ ########################################
+@@ -4710,6 +4825,25 @@
########################################
##
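Review bot: The two added lines in userdomain.if, `++ fs_dontaudit_list_nfs($2)` and `++ fs_dontaudit_list_cifs($2)`, pass `$2` while the context line directly above them dontaudits `$1` (`dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;`). The interface header is above the hunk, so this cannot be confirmed here, but if it is a one-argument interface `$2` expands to nothing, the generated `dontaudit` rules have no source type, and the policy fails to build; if it is a two-argument template the subject on the preceding line and on the new lines should still agree. Unless `$2` is established as the domain, the lines should read `fs_dontaudit_list_nfs($1)` and `fs_dontaudit_list_cifs($1)`.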
@@ -35330,7 +35422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all files
## in all users home directories.
##
-@@ -4935,7 +5067,7 @@
+@@ -4935,7 +5069,7 @@
########################################
##
@@ -35339,7 +35431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5307,6 +5439,42 @@
+@@ -5307,6 +5441,42 @@
########################################
##
@@ -35382,7 +35474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys.
##
##
-@@ -5357,7 +5525,7 @@
+@@ -5357,7 +5527,7 @@
attribute userdomain;
')
@@ -35391,7 +35483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -5472,6 +5640,42 @@
+@@ -5472,6 +5642,42 @@
########################################
##
@@ -35434,7 +35526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5502,3 +5706,525 @@
+@@ -5502,3 +5708,525 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 01dc3bf..b8612b0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.4.2
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -375,6 +375,9 @@ exit 0
%endif
%changelog
+* Thu Jun 26 2008 Dan Walsh 3.4.2-8
+- Allow vpnc to run ifconfig
+
* Tue Jun 24 2008 Dan Walsh 3.4.2-7
- Allow confined users to use postgres
- Allow system_mail_t to exec other mail clients