diff --git a/execmem.patch b/execmem.patch
new file mode 100644
index 0000000..82343be
--- /dev/null
+++ b/execmem.patch
@@ -0,0 +1,379 @@
+diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
+index 8d3c1d8..a7b1b65 100644
+--- a/policy/modules/admin/rpm.te
++++ b/policy/modules/admin/rpm.te
+@@ -416,14 +416,6 @@ optional_policy(`
+ 	unconfined_domain_noaudit(rpm_script_t)
+ 	unconfined_domtrans(rpm_script_t)
+ 	unconfined_execmem_domtrans(rpm_script_t)
+-
+-	optional_policy(`
+-		java_domtrans_unconfined(rpm_script_t)
+-	')
+-
+-	optional_policy(`
+-		mono_domtrans(rpm_script_t)
+-	')
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
+index 6f3570a..70c661e 100644
+--- a/policy/modules/apps/execmem.fc
++++ b/policy/modules/apps/execmem.fc
+@@ -46,3 +46,48 @@ ifdef(`distro_gentoo',`
+ /opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++#
++# /opt
++#
++/opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/MATLAB.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:execmem_exec_t,s0)
++
++#
++# /usr
++#
++/usr/Aptana[^/]*/AptanaStudio	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/fastjar	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/frysk		--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gappletviewer	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gij		--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gjarsigner	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gkeytool	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/grmic		--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/grmiregistry	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/jv-convert	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/octave-[^/]*	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/lib(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera(/.*)?/opera --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera(/.*)?/works --	gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/ibm(/.*)?/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++
++ifdef(`distro_redhat',`
++/usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++')
++/usr/bin/mono.*	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
+index e23f640..a78bec0 100644
+--- a/policy/modules/apps/execmem.if
++++ b/policy/modules/apps/execmem.if
+@@ -129,4 +129,3 @@ interface(`execmem_execmod',`
+ 
+ 	allow $1 execmem_exec_t:file execmod;
+ ')
+-
+diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
+index a7d37e2..fd8450f 100644
+--- a/policy/modules/apps/execmem.te
++++ b/policy/modules/apps/execmem.te
+@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0)
+ #
+ # Declarations
+ #
++attribute execmem_type;
+ 
+-type execmem_exec_t alias unconfined_execmem_exec_t;
++type execmem_exec_t;
++typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t };
+ application_executable_file(execmem_exec_t)
+ 
++allow execmem_type self:process { execmem execstack };
++files_execmod_tmp(execmem_type)
++execmem_execmod(execmem_type)
++
++optional_policy(`
++	gnome_read_usr_config(execmem_type)
++')
++	
++optional_policy(`
++	mozilla_execmod_user_home_files(execmem_type)
++')
++
++optional_policy(`
++	nsplugin_rw_shm(execmem_type)
++	nsplugin_rw_semaphores(execmem_type)
++')
+diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
+index d1b1280..f93103b 100644
+--- a/policy/modules/apps/mozilla.te
++++ b/policy/modules/apps/mozilla.te
+@@ -273,10 +273,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_domtrans(mozilla_t)
+-')
+-
+-optional_policy(`
+ 	lpd_domtrans_lpr(mozilla_t)
+ ')
+ 
+@@ -456,7 +452,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_exec(mozilla_plugin_t)
++	execmem_exec(mozilla_plugin_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
+index ccc15ab..9d0e298 100644
+--- a/policy/modules/apps/podsleuth.te
++++ b/policy/modules/apps/podsleuth.te
+@@ -85,5 +85,5 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_exec(podsleuth_t)
++	execmem_exec(podsleuth_t)
+ ')
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index bfabe3f..fbbce55 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -268,10 +268,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(staff_r, staff_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(staff_r, staff_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 7cd6d4f..e120bbc 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -524,10 +524,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(sysadm_r, sysadm_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(sysadm_r, sysadm_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index fcc8949..6f1425f 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -337,10 +337,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_run_unconfined(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+ 	kerberos_filetrans_named_content(unconfined_t)
+ ')
+ 
+@@ -361,13 +357,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_role_template(unconfined, unconfined_r, unconfined_t)
+-	unconfined_domain_noaudit(unconfined_mono_t)
+-	role system_r types unconfined_mono_t;
+-')
+-
+-
+-optional_policy(`
+ 	mozilla_role_plugin(unconfined_r)
+ 
+ 	tunable_policy(`unconfined_mozilla_plugin_transition', `
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index e5a8559..68013b7 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -148,10 +148,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(user_r, user_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(user_r, user_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
+index 1cd57fd..a1db79d 100644
+--- a/policy/modules/roles/xguest.te
++++ b/policy/modules/roles/xguest.te
+@@ -107,14 +107,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+-	mono_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+ 	mozilla_run_plugin(xguest_usertype, xguest_r)
+ ')
+ 
+diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
+index 1442451..add9ada 100644
+--- a/policy/modules/services/boinc.te
++++ b/policy/modules/services/boinc.te
+@@ -168,5 +168,5 @@ miscfiles_read_fonts(boinc_project_t)
+ miscfiles_read_localization(boinc_project_t)
+ 
+ optional_policy(`
+-	java_exec(boinc_project_t)
++	execmem_exec(boinc_project_t)
+ ')
+diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
+index 86ea0ba..a2c41fd 100644
+--- a/policy/modules/services/cron.te
++++ b/policy/modules/services/cron.te
+@@ -299,10 +299,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_domtrans(crond_t)
+-')
+-
+-optional_policy(`
+ 	amanda_search_var_lib(crond_t)
+ ')
+ 
+@@ -553,10 +549,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_domtrans(system_cronjob_t)
+-')
+-
+-optional_policy(`
+ 	mrtg_append_create_logs(system_cronjob_t)
+ ')
+ 
+@@ -709,11 +701,6 @@ tunable_policy(`fcron_crond',`
+ 	allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+ 
+-# need a per-role version of this:
+-#optional_policy(`
+-#	mono_domtrans(cronjob_t)
+-#')
+-
+ optional_policy(`
+ 	nis_use_ypbind(cronjob_t)
+ ')
+diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
+index 1e40c00..ae34382 100644
+--- a/policy/modules/services/hadoop.if
++++ b/policy/modules/services/hadoop.if
+@@ -127,7 +127,7 @@ template(`hadoop_domain_template',`
+ 
+ 	hadoop_exec_config(hadoop_$1_t)
+ 
+-	java_exec(hadoop_$1_t)
++	execmem_exec(hadoop_$1_t)
+ 
+ 	kerberos_use(hadoop_$1_t)
+ 
+diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
+index 3889dc9..32dc803 100644
+--- a/policy/modules/services/hadoop.te
++++ b/policy/modules/services/hadoop.te
+@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t)
+ 
+ userdom_use_inherited_user_terminals(hadoop_t)
+ 
+-java_exec(hadoop_t)
++execmem_exec(hadoop_t)
+ 
+ kerberos_use(hadoop_t)
+ 
+@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t)
+ userdom_use_inherited_user_terminals(zookeeper_t)
+ userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+ 
+-java_exec(zookeeper_t)
++execmem_exec(zookeeper_t)
+ 
+ ########################################
+ #
+@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_server_t)
+ 
+ sysnet_read_config(zookeeper_server_t)
+ 
+-java_exec(zookeeper_server_t)
++execmem_exec(zookeeper_server_t)
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 60e0e2d..d14f2d6 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -1247,10 +1247,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_rw_shm(xserver_t)
+-')
+-
+-optional_policy(`
+ 	rhgb_rw_shm(xserver_t)
+ 	rhgb_rw_tmpfs_files(xserver_t)
+ ')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 53f3bfe..20dd3a0 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1190,10 +1190,6 @@ optional_policy(`
+ 		unconfined_dontaudit_rw_pipes(daemon)
+ 	')
+ 
+-	optional_policy(`
+-		mono_domtrans(initrc_t)
+-	')
+-
+ 	# Allow SELinux aware applications to request rpm_script_t execution
+ 	rpm_transition_script(initrc_t)
+ 	
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e7a65ae..a001ce9 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', `
+ 	')
+ 
+ 	optional_policy(`
+-		java_role_template($1, $1_r, $1_t)
+-	')
+-
+-	optional_policy(`
+-		mono_role_template($1, $1_r, $1_t)
+-	')
+-
+-	optional_policy(`
+ 		mount_run_fusermount($1_t, $1_r)
+ 		mount_read_pid_files($1_t)
+ 	')
diff --git a/modules-mls.conf b/modules-mls.conf
index 9706ffb..28ac668 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -733,13 +733,6 @@ i18n_input = off
 # 
 jabber = module
 
-# Layer: apps
-# Module: java
-#
-# java executable
-# 
-java = module
-
 # Layer: admin
 # Module: kdump
 #
@@ -925,13 +918,6 @@ modutils = module
 # 
 mojomojo = module
 
-# Layer: apps
-# Module: mono
-#
-# mono executable
-# 
-mono = module
-
 # Layer: system
 # Module: mount
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 35bbfa6..6930073 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -844,13 +844,6 @@ i18n_input = off
 jabber = module
 
 # Layer: apps
-# Module: java
-#
-# java executable
-# 
-java = module
-
-# Layer: apps
 # Module: execmem
 #
 # execmem executable
@@ -1071,13 +1064,6 @@ mojomojo = module
 # 
 modutils = module
 
-# Layer: apps
-# Module: mono
-#
-# mono executable
-# 
-mono = module
-
 # Layer: system
 # Module: mount
 #
diff --git a/policy-F16.patch b/policy-F16.patch
index 922b4d2..29e1ca4 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -66791,7 +66791,7 @@ index 808ba93..ed84884 100644
  
  ########################################
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..c76046b 100644
+index e5836d3..eae9427 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -66834,7 +66834,17 @@ index e5836d3..c76046b 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -131,6 +139,10 @@ optional_policy(`
+@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
+ 		')
+ 	')
+ 
++	dev_dontaudit_rw_lvm_control(ldconfig_t)
++	term_dontaudit_use_unallocated_ttys(ldconfig_t)
++
+ 	optional_policy(`
+ 		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+ 	')
+@@ -131,6 +142,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66845,7 +66855,7 @@ index e5836d3..c76046b 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +153,3 @@ optional_policy(`
+@@ -141,6 +156,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b772eb9..e2bc246 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34.6%{?dist}
+Release: 36%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -214,7 +214,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
    if [ %1 -ne 1 ]; then \
-	/usr/sbin/semodule -n -s %2 -r moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+	/usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
    fi \
    /usr/sbin/semodule -B -s %2; \
 else \
@@ -240,6 +240,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %patch -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %install
 mkdir selinux_config
@@ -471,6 +472,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Oct 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-36
+- Allow logrotate setuid and setgid since logrotate is supposed to do it
+- Fixes for thumb policy by grift
+- Add new nfsd ports
+- Added fix to allow confined apps to execmod on chrome
+- Add labeling for additional vdsm directories
+- Allow Exim and Dovecot SASL
+- Add label for /var/run/nmbd
+- Add fixes to make virsh and xen working together
+- Colord executes ls
+- /var/spool/cron  is now labeled as user_cron_spool_t
+
+* Mon Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-35
+- Stop complaining about leaked file descriptors during install
+
+* Fri Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.7
+- Remove java and mono module and merge into execmem
+
+* Fri Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.6
+- Fixes for thumb policy and passwd_file_t
+
 * Fri Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.4
 - Fixes caused by the labeling of /etc/passwd
 - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
diff --git a/thumb.patch b/thumb.patch
index df9d9da..97ff409 100644
--- a/thumb.patch
+++ b/thumb.patch
@@ -6,7 +6,7 @@ index 1105ff5..620e17b 100644
  		rtkit_scheduled(unconfined_usertype)
  	')
  
-+	# Might remove later if this proves to be problematic, but would like to gather AVC's
++	# Might remove later if this proves to be problematic, but would like to gather AVCs
 +	optional_policy(`
 +		thumb_role(unconfined_r, unconfined_usertype)
 +	')