diff --git a/policy-F15.patch b/policy-F15.patch
index cc26057..b540d76 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -5109,10 +5109,10 @@ index 0000000..4f9cb05
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..aedbcbe
+index 0000000..ae1d09b
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,315 @@
+@@ -0,0 +1,316 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -5343,6 +5343,7 @@ index 0000000..aedbcbe
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
++dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
+
@@ -7846,7 +7847,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..93e0ee8 100644
+index 34c9d01..d858795 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -7887,7 +7888,11 @@ index 34c9d01..93e0ee8 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,6 +324,7 @@ ifdef(`distro_redhat', `
+@@ -316,9 +321,11 @@ ifdef(`distro_redhat', `
+ /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
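Review bot: The new `bin_t` entry for `/usr/share/doc/ghc/html/libraries/gen_contents_index` lies inside the `/usr/share/doc/ghc/html(/.*)?` tree that the apache.fc hunk of this same commit labels `httpd_sys_content_t`. The script keeps its executable label only because a literal path is ranked as more specific than the regex entry. A short comment in one of the two .fc files would stop a later edit from turning the literal into a pattern and silently relabelling the script as web content, for example `# gen_contents_index must stay bin_t; it overrides the ghc html tree labelled in apache.fc`.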
@@ -8003,7 +8008,7 @@ index b06df19..c0763c2 100644
##
##
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index edefaf3..e00278f 100644
+index edefaf3..7548158 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type;
@@ -8094,7 +8099,7 @@ index edefaf3..e00278f 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -125,30 +147,34 @@ network_port(iscsi, tcp,3260,s0)
+@@ -125,30 +147,35 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -8116,6 +8121,7 @@ index edefaf3..e00278f 100644
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
++network_port(movaz_ssc, tcp,5252,s0)
+network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
-network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
@@ -8133,7 +8139,7 @@ index edefaf3..e00278f 100644
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -156,12 +182,20 @@ network_port(pegasus_http, tcp,5988,s0)
+@@ -156,12 +183,20 @@ network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -8154,7 +8160,7 @@ index edefaf3..e00278f 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -176,43 +210,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -176,43 +211,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -14200,7 +14206,7 @@ index c3a1903..b0e48c6 100644
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..3bfac20 100644
+index 9e39aa5..7ba3b11 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@@ -14220,17 +14226,19 @@ index 9e39aa5..3bfac20 100644
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,8 +42,7 @@ ifdef(`distro_suse', `
+@@ -43,8 +42,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,7 +72,8 @@ ifdef(`distro_suse', `
+@@ -74,7 +74,8 @@ ifdef(`distro_suse', `
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -14240,7 +14248,7 @@ index 9e39aa5..3bfac20 100644
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -86,7 +85,6 @@ ifdef(`distro_suse', `
+@@ -86,7 +87,6 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -14248,7 +14256,7 @@ index 9e39aa5..3bfac20 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +107,22 @@ ifdef(`distro_debian', `
+@@ -109,3 +109,22 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -20208,7 +20216,7 @@ index 418a5a0..28d9e41 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..20efe4a 100644
+index f706b99..22b862e 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -20223,29 +20231,10 @@ index f706b99..20efe4a 100644
##
#
interface(`devicekit_domtrans',`
-@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',`
+@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg;
')
-+######################################
-+##
-+## Allow to write the devicekit
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_write_log',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ allow $1 devicekit_var_log_t:file { write };
-+')
-+
+#######################################
+##
+## Do not audit attempts to write the devicekit
@@ -20287,7 +20276,7 @@ index f706b99..20efe4a 100644
########################################
##
## Read devicekit PID files.
-@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',`
########################################
##
@@ -20347,7 +20336,7 @@ index f706b99..20efe4a 100644
##
##
##
-@@ -165,21 +252,22 @@ interface(`devicekit_admin',`
+@@ -165,21 +233,21 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -20375,7 +20364,6 @@ index f706b99..20efe4a 100644
- files_search_pids($1)
+ files_list_pids($1)
')
-+
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..4ecd4b7 100644
--- a/policy/modules/services/devicekit.te
@@ -24961,7 +24949,7 @@ index ed1af3c..40b5f0e 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
-index 47e3612..98801a7 100644
+index 47e3612..ece07ab 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.3.0)
@@ -25009,7 +24997,27 @@ index 47e3612..98801a7 100644
#
# It removes any existing socket (not owned by root) whilst running as root,
-@@ -52,8 +76,8 @@ mta_read_config(greylist_milter_t)
+@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
+ allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+ allow greylist_milter_t self:process { setsched getsched };
+
++allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
++
+ # It creates a pid file /var/run/milter-greylist.pid
+ files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+ kernel_read_kernel_sysctls(greylist_milter_t)
+
++corecmd_exec_bin(greylist_milter_t)
++corecmd_exec_shell(greylist_milter_t)
++
++corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
++corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
++
+ # Allow the milter to read a GeoIP database in /usr/share
+ files_read_usr_files(greylist_milter_t)
+ # The milter runs from /var/lib/milter-greylist and maintains files there
+@@ -52,8 +84,8 @@ mta_read_config(greylist_milter_t)
########################################
#
# milter-regex local policy
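Review bot: `corecmd_exec_bin(greylist_milter_t)` and `corecmd_exec_shell(greylist_milter_t)` let the milter run a shell and any `bin_t` program inside its own domain, which a few lines above holds `dac_override`, `setgid` and `setuid`. Unlike the neighbouring rules, they carry no comment saying what needs them. Please record the reason next to the grant, e.g. `# <milter-greylist feature> runs external commands via the shell`, and do the same for the `movaz_ssc` bind/connect pair and the new `tcp_socket` rule so the added network exposure is traceable. If only a single helper is executed, a transition into a dedicated domain would be tighter than exec-in-domain, though that cannot be judged from this hunk alone.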
@@ -25020,7 +25028,7 @@ index 47e3612..98801a7 100644
#
# It removes any existing socket (not owned by root) whilst running as root
-@@ -72,8 +96,8 @@ mta_read_config(regex_milter_t)
+@@ -72,8 +104,8 @@ mta_read_config(regex_milter_t)
########################################
#
# spamass-milter local policy
@@ -41253,7 +41261,7 @@ index 1c4b1e7..ffa4134 100644
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..cbd62c5 100644
+index bea0ade..a0feb45 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -41580,7 +41588,7 @@ index bea0ade..cbd62c5 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1500,28 +1692,38 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1692,36 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -41594,7 +41602,7 @@ index bea0ade..cbd62c5 100644
sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
+
-+ tunable_policy(`authlogin_use_sssd',`', `
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ files_list_var_lib($1)
+
+ miscfiles_read_generic_certs($1)
@@ -41604,61 +41612,45 @@ index bea0ade..cbd62c5 100644
optional_policy(`
- avahi_stream_connect($1)
-+ tunable_policy(`authlogin_use_sssd',`', `
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ dirsrv_stream_connect($1)
+ ')
')
optional_policy(`
- ldap_stream_connect($1)
-+ tunable_policy(`authlogin_use_sssd',`', `
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect($1)
+ ')
')
optional_policy(`
-- likewise_stream_connect_lsassd($1)
-+ tunable_policy(`authlogin_use_sssd',`', `
-+ likewise_stream_connect_lsassd($1)
-+ ')
+ likewise_stream_connect_lsassd($1)
')
+ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
optional_policy(`
kerberos_use($1)
')
-@@ -1531,13 +1733,25 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1731,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
- ')
-
- optional_policy(`
-- samba_stream_connect_winbind($1)
-- samba_read_var_files($1)
-- samba_dontaudit_write_var_files($1)
-+ tunable_policy(`authlogin_use_sssd',`', `
-+ nslcd_stream_connect($1)
-+ ')
+ ')
+
+ optional_policy(`
-+ sssd_stream_connect($1)
++ nslcd_stream_connect($1)
+ ')
+
+ optional_policy(`
-+ tunable_policy(`authlogin_use_sssd',`', `
-+ samba_stream_connect_winbind($1)
-+ samba_read_var_files($1)
-+ samba_dontaudit_write_var_files($1)
-+ ')
++ sssd_stream_connect($1)
')
- ')
+ optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..c2a3970 100644
+index 54d122b..069790d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
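Review bot: In `auth_use_nsswitch`, `dirsrv_stream_connect` and `ldap_stream_connect` are now gated on `authlogin_nsswitch_use_ldap`, while `nslcd_stream_connect($1)`, `sssd_stream_connect($1)` and `likewise_stream_connect_lsassd($1)` are granted unconditionally, and nothing says why. The existing comment only covers `nis_use_ypbind` and `kerberos_use`. A matching line such as `# nslcd, sssd and likewise sockets are not covered by authlogin_nsswitch_use_ldap` would make clear that the boolean does not switch off every LDAP-backed lookup path. The condition also moved from the else-branch of `authlogin_use_sssd` to the true-branch of the new boolean, which authlogin.te declares as false, so the direct LDAP rules are now off until an administrator enables it. The interface body starts and ends outside this hunk.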
@@ -41677,7 +41669,7 @@ index 54d122b..c2a3970 100644
+## Allow users to login using a sssd server
+##
+##
-+gen_tunable(authlogin_use_sssd, false)
++gen_tunable(authlogin_nsswitch_use_ldap, false)
+
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
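Review bot: The description above the renamed tunable still reads "Allow users to login using a sssd server", which no longer matches `authlogin_nsswitch_use_ldap`. This is the text administrators see when they list booleans, so it should say what enabling it grants, for example `## Allow domains that use nsswitch to connect to LDAP servers directly`, which fits how authlogin.if uses it in this commit. Because the old name is dropped, a value saved under `authlogin_use_sssd` presumably will not carry over to the new boolean, which the changelog entry could mention.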
@@ -42553,7 +42545,7 @@ index ed152c4..be3bb8f 100644
+ allow $1 init_t:unix_dgram_socket sendto;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 0580e7c..28fd86c 100644
+index 0580e7c..1618f9d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -43241,7 +43233,7 @@ index 0580e7c..28fd86c 100644
+userdom_inherit_append_user_tmp_files(daemon)
+userdom_dontaudit_rw_stream(daemon)
+
-+logging_append_all_logs(daemon)
++logging_inherit_append_all_logs(daemon)
+
+optional_policy(`
+ # sudo service restart causes this
@@ -44345,7 +44337,7 @@ index 571599b..17dd196 100644
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index c7cfb62..620e0a4 100644
+index c7cfb62..ee9809d 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
@@ -44416,7 +44408,7 @@ index c7cfb62..620e0a4 100644
+ attribute logfile;
+ ')
+
-+ allow $1 logfile:file { getattr append };
++ allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
@@ -44660,7 +44652,7 @@ index 58bc27f..b4f0663 100644
+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 86ef2da..a251276 100644
+index 86ef2da..0676045 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -44705,8 +44697,12 @@ index 86ef2da..a251276 100644
ccs_stream_connect(clvmd_t)
')
-@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
- allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+@@ -167,9 +179,10 @@ optional_policy(`
+ # net_admin for multipath
+ allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+ dontaudit lvm_t self:capability sys_tty_config;
+-allow lvm_t self:process { sigchld sigkill sigstop signull signal };
++allow lvm_t self:process { setfscreate sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
+allow lvm_t self:sem create_sem_perms;
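Review bot: `setfscreate` is added to `allow lvm_t self:process` with no comment, although the capability line directly above documents its unusual entry (`# net_admin for multipath`). The permission lets the process choose the label for files it creates, still subject to the create rules on the target type, so the reason is worth recording. A line such as `# setfscreate: lvm sets the context of the device nodes it creates` would match what the changelog entry in selinux-policy.spec suggests.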
@@ -46782,7 +46778,7 @@ index 8e71fb7..f1b155a 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..d8c6f24 100644
+index dfbe736..d1f6368 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
@@ -46944,12 +46940,11 @@ index dfbe736..d8c6f24 100644
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -325,8 +372,15 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +372,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
-+ devicekit_write_log(ifconfig_t)
+')
+
+optional_policy(`
@@ -46960,7 +46955,7 @@ index dfbe736..d8c6f24 100644
')
optional_policy(`
-@@ -334,6 +388,14 @@ optional_policy(`
+@@ -334,6 +387,14 @@ optional_policy(`
')
optional_policy(`
@@ -46975,7 +46970,7 @@ index dfbe736..d8c6f24 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +417,9 @@ optional_policy(`
+@@ -355,3 +416,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 99148d8..9be8f73 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.12
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
%endif
%changelog
+* Tue Dec 21 2010 Dan Walsh 3.9.12-2
+- New labels for ghc http content
+- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
+- pm-suspend now creates log file for append access so we remove devicekit_wri
+- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
+- Fixes for greylist_milter policy
+
* Tue Dec 21 2010 Miroslav Grepl 3.9.12-1
- Update to upstream
- Fixes for systemd policy