diff --git a/policy-20070703.patch b/policy-20070703.patch
index 8cb0b69..f7dfa86 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -2518,8 +2518,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.6/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/kernel/domain.te 2007-08-22 08:03:53.000000000 -0400
-@@ -6,6 +6,29 @@
++++ serefpolicy-3.0.6/policy/modules/kernel/domain.te 2007-08-23 09:30:52.000000000 -0400
+@@ -6,6 +6,15 @@
# Declarations
#
@@ -2530,26 +2530,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+##
+##
+gen_tunable(allow_netlabel,true)
-+
-+##
-+##
-+## Allow all domains to use ipsec labeled packets
-+##
-+##
-+gen_tunable(allow_ipsec_label,true)
+')
+
-+##
-+##
-+## Allow unlabeled packets to work on system
-+##
-+##
-+gen_tunable(allow_unlabeled_packets,true)
-+
# Mark process types as domains
attribute domain;
-@@ -134,3 +157,25 @@
+@@ -134,3 +143,22 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
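Review bot: `gen_tunable(allow_netlabel,true)` stays default-on while the declarations of `allow_ipsec_label` and `allow_unlabeled_packets` are dropped, and nothing on the new side records what now governs unlabeled traffic or labeled IPsec. The description lines for the remaining tunable appear in this view only as bare `##`, so its documented meaning cannot be checked from here. I would add a comment above the tunable along the lines of `# allow_unlabeled_packets and allow_ipsec_label were removed; <name the tunable, if any, that now gates those rules and why it defaults to true>`. A default of true on a switch that applies to all domains is a permissive starting point, so sites that depend on labeled networking need to know they must turn it off explicitly.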
@@ -2571,9 +2557,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+ kernel_tcp_recvfrom_unlabeled(domain)
+ kernel_udp_recvfrom_unlabeled(domain)
+ ')
-+ tunable_policy(`allow_ipsec_label',`
-+ ipsec_labeled(domain)
-+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
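Review bot: The conditional enclosing `kernel_tcp_recvfrom_unlabeled(domain)` and `kernel_udp_recvfrom_unlabeled(domain)` opens above this hunk and is left untouched, yet the earlier domain.te hunk removes the declaration of `allow_unlabeled_packets`. If that opener is a `tunable_policy` on the removed name, the policy would reference an undeclared tunable; only the `allow_ipsec_label` block is removed here, so the opening line should be checked in the full file. Because these rules are granted to the `domain` attribute, which marks every process type, a comment beside them naming the controlling tunable would make the guard reviewable. Dropping `ipsec_labeled(domain)` presumably means labeled IPsec access must now be granted per domain, so confirm the domains that need it still have it.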
@@ -4063,7 +4046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.6/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/bind.te 2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/bind.te 2007-08-22 17:35:04.000000000 -0400
@@ -66,7 +66,6 @@
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
@@ -4081,19 +4064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
read_files_pattern(named_t,named_zone_t,named_zone_t)
-@@ -119,6 +120,11 @@
- corenet_sendrecv_dns_client_packets(named_t)
- corenet_sendrecv_rndc_server_packets(named_t)
- corenet_sendrecv_rndc_client_packets(named_t)
-+corenet_udp_bind_all_unreserved_ports(named_t)
-+
-+#dnsmasq
-+corenet_tcp_bind_dhcpd_port(named_t)
-+corenet_udp_bind_dhcpd_port(named_t)
-
- dev_read_sysfs(named_t)
- dev_read_rand(named_t)
-@@ -175,6 +181,10 @@
+@@ -175,6 +176,10 @@
')
optional_policy(`
@@ -4104,7 +4075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
# this seems like fds that arent being
# closed. these should probably be
# dontaudits instead.
-@@ -184,14 +194,6 @@
+@@ -184,14 +189,6 @@
')
optional_policy(`
@@ -4119,7 +4090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
seutil_sigchld_newrole(named_t)
')
-@@ -232,6 +234,7 @@
+@@ -232,6 +229,7 @@
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)