diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index fc8a254..ba5e9e6 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -280,6 +280,13 @@ gen_tunable(samba_enable_home_dirs,false)
 
 ## <desc>
 ## <p>
+## Allow samba to export NFS volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_nfs,false)
+
+## <desc>
+## <p>
 ## Allow spamassassin to do DNS lookups
 ## </p>
 ## </desc>
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index b61da4c..c33b667 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@@ -134,14 +134,18 @@ level s0:c0.c255;
 # the high range of the file.  We use the high range of the process so
 # that processes can always simply run at s0.
 #
-# Only files are constrained by MCS at this stage.
+# Note that getattr on files is always permitted.
 #
 mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	( h1 dom h2 );
 
+# New filesystem object labels must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+# At this time we do not restrict "ps" type operations via MCS.  This
+# will probably change in future.
 mlsconstrain file { read }
 	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
 
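Review bot: The rewritten header comment drops the statement that only files are constrained, yet all three `mlsconstrain` statements in this hunk still name only the `file` class. Unless constraints for other classes follow below the hunk, directories and other object classes stay outside MCS enforcement, and readers relying on category separation should be told so. I would keep a line such as `# Only the file class is constrained by MCS at this stage.` next to the new getattr note. The comment on the `read` constraint could also say that the `( t2 == domain )` clause is what leaves "ps"-type reads unrestricted.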
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index dab8194..8b3c531 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.3.0)
+policy_module(amanda,1.3.1)
 
 #######################################
 #
@@ -8,7 +8,7 @@ policy_module(amanda,1.3.0)
 
 type amanda_t;
 type amanda_inetd_exec_t;
-inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+inetd_service_domain(amanda_t,amanda_inetd_exec_t)
 role system_r types amanda_t;
 
 type amanda_exec_t;
@@ -189,7 +189,7 @@ optional_policy(`
 #
 # Amanda recover local policy
 
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
@@ -229,6 +229,7 @@ corenet_udp_sendrecv_all_ports(amanda_recover_t)
 corenet_non_ipsec_sendrecv(amanda_recover_t)
 corenet_tcp_bind_all_nodes(amanda_recover_t)
 corenet_udp_bind_all_nodes(amanda_recover_t)
+corenet_tcp_bind_reserved_port(amanda_recover_t)
 corenet_tcp_connect_amanda_port(amanda_recover_t)
 
 corecmd_exec_shell(amanda_recover_t)
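Review bot: `corenet_tcp_bind_reserved_port(amanda_recover_t)` is added without a comment, while the earlier hunk in this file drops `net_bind_service` from the `self:capability` rule. The capability needed to bind below 1024 is therefore expected to come from the interface, whose body is not part of this commit; please confirm it does, otherwise the bind is denied. Because the name covers the generic reserved-port type rather than a named amanda port, record the reason at the call, e.g. `# recover client binds a reserved (<1024) TCP port; capability comes from the interface`.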
@@ -261,3 +262,7 @@ optional_policy(`
 optional_policy(`
 	nis_use_ypbind(amanda_recover_t)
 ')
+
+optional_policy(`
+	nscd_socket_use(amanda_recover_t)
+')
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
index 9ee5bd6..6c9261d 100644
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.2.1)
+policy_module(bootloader,1.2.2)
 
 ########################################
 #
@@ -88,6 +88,8 @@ dev_read_raw_memory(bootloader_t)
 fs_getattr_xattr_fs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 
+mls_file_read_up(bootloader_t)
+
 term_getattr_all_user_ttys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 
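Review bot: `mls_file_read_up(bootloader_t)` is added with no comment, and by its name it is an MLS exemption that lets bootloader_t read files above its own level. The hunk header shows the domain already has `dev_read_raw_memory`, so it is worth recording which files require the read-up, so that the exemption can be narrowed or removed later. I would add `# read-up needed for <files at higher level> - TODO name them` above the call.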
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 10941b7..2d22241 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.2)
+policy_module(usermanage,1.3.3)
 
 ########################################
 #
@@ -514,6 +514,7 @@ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_manage_staff_home_dirs(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
diff --git a/refpolicy/policy/modules/apps/java.te b/refpolicy/policy/modules/apps/java.te
index 26cca07..0c6045d 100644
--- a/refpolicy/policy/modules/apps/java.te
+++ b/refpolicy/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
 
-policy_module(java,1.1.1)
+policy_module(java,1.1.2)
 
 ########################################
 #
@@ -7,10 +7,8 @@ policy_module(java,1.1.1)
 #
 
 type java_t;
-domain_type(java_t)
-
 type java_exec_t;
-files_type(java_exec_t)
+init_system_domain(java_t,java_exec_t)
 
 ########################################
 #
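Review bot: Replacing `domain_type(java_t)` and `files_type(java_exec_t)` with `init_system_domain(java_t,java_exec_t)` changes more than the type declarations. By its name the interface presumably also lets init scripts transition into java_t when they execute java_exec_t, which widens where this domain is entered. Nothing in the hunk says which init-started service needs that. A comment above the call, e.g. `# entered from init scripts: <service> - TODO name it`, would make the intent reviewable; the rest of the java_t policy is outside this hunk.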
diff --git a/refpolicy/policy/modules/apps/mono.te b/refpolicy/policy/modules/apps/mono.te
index 1715c18..c680ffc 100644
--- a/refpolicy/policy/modules/apps/mono.te
+++ b/refpolicy/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono,1.1.1)
+policy_module(mono,1.1.2)
 
 ########################################
 #
@@ -22,6 +22,8 @@ ifdef(`targeted_policy',`
 	unconfined_domain_noaudit(mono_t)
 	role system_r types mono_t;
 
+	init_dbus_chat_script(mono_t)
+
 	optional_policy(`
 		avahi_dbus_chat(mono_t)
 	')
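Review bot: `init_dbus_chat_script(mono_t)` sits directly in the `targeted_policy` block, whereas the same call elsewhere in this commit is inside an `optional_policy` block: next to the dbus_* calls in avahi.te and next to `dbus_stub` in unconfined.te. For consistency with those two files and with the neighbouring `avahi_dbus_chat` and `hal_dbus_chat` blocks, consider wrapping it the same way. The `ifdef` block starts above the hunk, so any reason for the difference may be out of view.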
@@ -29,4 +31,8 @@ ifdef(`targeted_policy',`
 	optional_policy(`
 		hal_dbus_chat(mono_t)
 	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(mono_t)
+	')
 ')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 62ff408..5b80d1a 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2701,7 +2701,7 @@ interface(`dev_rw_xen',`
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -2720,7 +2720,7 @@ interface(`dev_manage_xen',`
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file manage_file_perms;
 ')
 
 ########################################
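Review bot: `dev_manage_xen` now grants `manage_file_perms` on `xen_device_t:chr_file`, but the directory rule above it is still `allow $1 device_t:dir r_dir_perms;`, so creating or removing the device nodes still depends on directory write access granted elsewhere. In this commit's xen.te hunk `dev_manage_xen` is called for xenconsoled_t while `dev_filetrans_xen` is called for xenstored_t, so it is not clear the two are paired for the same domain. Either state in the interface summary that callers need a separate directory grant, or narrow the file permissions to what callers actually use. The `dev_rw_xen` hunk above also widens every existing caller from read to read/write, which deserves a changelog mention; both interfaces start outside their hunks.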
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 8f6bd83..fbb684e 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.10)
+policy_module(devices,1.1.11)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 667fbd3..badc619 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -947,6 +947,24 @@ interface(`files_mounton_all_mountpoints',`
 ')
 
 ########################################
+## <summary>
+##	Get the attributes of all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir getattr;
+')
+
+########################################
 #
 # files_list_root(domain)
 #
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 09d96c5..dacfc72 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.6)
+policy_module(files,1.2.7)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index d5d03ff..570433b 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1150,6 +1150,9 @@ interface(`kernel_rw_vm_sysctls',`
 	allow $1 sysctl_t:dir r_dir_perms;
 	allow $1 sysctl_vm_t:dir list_dir_perms;
 	allow $1 sysctl_vm_t:file rw_file_perms;
+
+	# hal needs this
+	allow $1 sysctl_vm_t:dir write;
 ')
 
 ########################################
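Review bot: `allow $1 sysctl_vm_t:dir write;` is added inside `kernel_rw_vm_sysctls`, so every caller of the interface gains write on the directory even though the comment attributes the need to hal only. The `rw_file_perms` rule on the line above already covers writing existing sysctl files, so this may be answering a denial better handled by a hal-specific rule or a dontaudit; the commit does not show the AVC. At minimum expand the comment to `# hal needs this; TODO: move to a hal-only interface or dontaudit`. The interface begins above the hunk.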
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 70df6fc..0edc3d6 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.4)
+policy_module(kernel,1.3.5)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te
index adb57ea..88a6e98 100644
--- a/refpolicy/policy/modules/kernel/mcs.te
+++ b/refpolicy/policy/modules/kernel/mcs.te
@@ -32,6 +32,10 @@ type unconfined_t;
 type xdm_exec_t;
 
 ifdef(`enable_mcs',`
+# The eventual plan is to have a range_transition to s0 for the daemon by
+# default and have the daemons which need to run with all categories be
+# exceptions.  But while range_transitions have to be in the base module
+# this is not possible.
 range_transition getty_t login_exec_t s0 - s0:c0.c255;
 range_transition init_t xdm_exec_t s0 - s0:c0.c255;
 range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 876e499..7fc37cb 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.2.0)
+policy_module(avahi,1.2.1)
 
 ########################################
 #
@@ -92,6 +92,7 @@ optional_policy(`
 	dbus_system_bus_client_template(avahi,avahi_t)
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus(avahi_t)
+	init_dbus_chat_script(avahi_t)
 ')
 
 optional_policy(`
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 877926b..e8e94fc 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.4)
+policy_module(hal,1.3.5)
 
 ########################################
 #
@@ -103,6 +103,7 @@ files_getattr_default_dirs(hald_t)
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
 fs_list_auto_mountpoints(hald_t)
+files_getattr_all_mountpoints(hald_t)
 
 mls_file_read_up(hald_t)
 
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 91e99dc..497536d 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -200,6 +200,45 @@ interface(`mailman_search_data',`
 
 #######################################
 ## <summary>
+##	Allow domain to to read mailman data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_data_files',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search_dir_perms;
+	allow $1 mailman_data_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to to create mailman data files
+##	and write the directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_data_files',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir rw_dir_perms;
+	allow $1 mailman_data_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
 ##	List the contents of mailman data directories.
 ## </summary>
 ## <param name="domain">
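Review bot: Both new summaries contain the typo "Allow domain to to". The `mailman_manage_data_files` summary ("create mailman data files and write the directory") also understates the grant, which is `manage_file_perms` on the files plus `rw_dir_perms` on the directory. The summary is what policy writers read when choosing an interface, so I would write `##	Create, read, write, and delete mailman data files.` for the second and `##	Read mailman data files.` for the first.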
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 742b23f..584ee4b 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.1.1)
+policy_module(mailman,1.1.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 6c44c06..bb7a992 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
 
-policy_module(postfix,1.2.1)
+policy_module(postfix,1.2.2)
 
 ########################################
 #
@@ -175,6 +175,11 @@ mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
 
 optional_policy(`
+#	for postalias
+	mailman_manage_data_files(postfix_master_t)
+')
+
+optional_policy(`
 	mount_send_nfs_client_request(postfix_master_t)
 ')
 
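Review bot: The `#	for postalias` comment does not say why postfix_master_t needs the full `mailman_manage_data_files` grant, which per the mailman.if hunk in this commit is `manage_file_perms` on every `mailman_data_t` file. If postalias only rebuilds one database there, the comment should name it so the grant can be narrowed later, e.g. `# postalias rebuilds <alias db> under mailman_data_t - TODO name the file`. The identical comment in the postfix_local_t hunk below covers a read-only grant and could likewise say what is read.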
@@ -281,6 +286,11 @@ mta_delete_spool(postfix_local_t)
 mta_read_config(postfix_local_t)
 
 optional_policy(`
+#	for postalias
+	mailman_read_data_files(postfix_local_t)
+')
+
+optional_policy(`
 	procmail_domtrans(postfix_local_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 62e52cf..731fe26 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.1)
+policy_module(rpc,1.2.2)
 
 ########################################
 #
@@ -110,13 +110,13 @@ portmap_tcp_connect(nfsd_t)
 portmap_udp_chat(nfsd_t)
 
 tunable_policy(`nfs_export_all_rw',`
-	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_manage_all_files_except_shadow(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_read_all_files_except_shadow(nfsd_t)
 ')
 
 ########################################
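Review bot: Both tunable blocks drop `auth_read_all_dirs_except_shadow(nfsd_t)` in favour of an interface named for files, and whether `auth_read_all_files_except_shadow` and `auth_manage_all_files_except_shadow` also allow listing directories is not visible in this commit. If they grant only search on directories, exported trees could no longer be listed under `nfs_export_all_ro`. Unless that is confirmed, I would keep `auth_read_all_dirs_except_shadow(nfsd_t)` alongside the new calls. Note also that `fs_read_noxattr_fs_files(nfsd_t)` stays read-only in the `nfs_export_all_rw` branch.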
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index a38a6ea..7cacf8b 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -33,6 +33,7 @@ template(`samba_per_userdomain_template',`
 	')
 
 	tunable_policy(`samba_enable_home_dirs',`
+		userdom_manage_user_home_content_dirs($1,smbd_t)
 		userdom_manage_user_home_content_files($1,smbd_t)
 		userdom_manage_user_home_content_symlinks($1,smbd_t)
 		userdom_manage_user_home_content_sockets($1,smbd_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index c5ae85e..e836628 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.3)
+policy_module(samba,1.2.4)
 
 #################################
 #
@@ -296,6 +296,12 @@ tunable_policy(`allow_smbd_anon_write',`
 	miscfiles_manage_public_files(smbd_t)
 ') 
 
+# Support Samba sharing of NFS mount points
+tunable_policy(`samba_share_nfs',`
+	fs_manage_nfs_dirs(smbd_t)
+	fs_manage_nfs_files(smbd_t)
+')
+
 optional_policy(`
 	cups_read_rw_config(smbd_t)
 ')
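Review bot: The `samba_share_nfs` block gives smbd_t `fs_manage_nfs_dirs` and `fs_manage_nfs_files`, which by their names apply to the NFS file type as a whole. Turning the boolean on would therefore presumably cover every NFS mount on the host, not only the paths configured as shares. The tunable description in the global_tunables hunk ("Allow samba to export NFS volumes.") does not convey that scope, and administrators decide from that text. I would extend it to `## Allow samba to manage files and directories on all NFS-mounted filesystems so they can be shared.`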
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index a1b5818..17e2fdb 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.3.5)
+policy_module(unconfined,1.3.6)
 
 ########################################
 #
@@ -62,6 +62,8 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`
+		init_dbus_chat_script(unconfined_t)
+
 		dbus_stub(unconfined_t)
 
 		optional_policy(`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 475a7ce..4bdf8f0 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -3402,6 +3402,35 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete staff
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_staff_home_dirs',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t;
+		')
+
+		files_search_home($1)
+		allow $1 user_home_dir_t:dir manage_dir_perms;
+	',`
+		gen_require(`
+			type staff_home_dir_t;
+		')
+
+		files_search_home($1)
+		allow $1 staff_home_dir_t:dir manage_dir_perms;
+	')
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to append to the staff
 ##	users home directory.
 ## </summary>
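Review bot: In the `targeted_policy` branch of `userdom_manage_staff_home_dirs` the grant is on `user_home_dir_t`, not on a staff-specific type. The caller, useradd_t in this commit, therefore receives `manage_dir_perms` on that broader type, which the summary "staff home directories" does not reveal. Adding `##	In the targeted policy this covers user_home_dir_t.` to the summary would make the scope explicit. `files_search_home($1)` is also repeated in both branches and could be hoisted above the `ifdef`.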
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 00baa24..1d5ea22 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.14)
+policy_module(userdomain,1.3.15)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
index 8787fcf..08fb1b5 100644
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.0)
+policy_module(xen,1.0.1)
 
 ########################################
 #
@@ -19,6 +19,8 @@ init_daemon_domain(xend_t, xend_exec_t)
 # var/lib files
 type xend_var_lib_t;
 files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
 
 # log files
 type xend_var_log_t;
@@ -122,6 +124,7 @@ domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
 
 files_read_etc_files(xend_t)
+files_read_kernel_symbol_table(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 
@@ -208,6 +211,7 @@ kernel_read_xen_state(xenstored_t)
 dev_create_generic_dirs(xenstored_t)
 dev_manage_xen(xenconsoled_t)
 dev_filetrans_xen(xenstored_t)
+dev_rw_xen(xenstored_t)
 
 term_dontaudit_use_generic_ptys(xenstored_t)