diff --git a/modules-minimum.conf b/modules-minimum.conf index 1f08acc..e9325ed 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1576,6 +1576,13 @@ tgtd = module # udev = base +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + # Layer: system # Module: userdomain # diff --git a/modules-targeted.conf b/modules-targeted.conf index 1f08acc..e9325ed 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1576,6 +1576,13 @@ tgtd = module # udev = base +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + # Layer: system # Module: userdomain # diff --git a/policy-20100106.patch b/policy-20100106.patch index b12534a..816aab0 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -84,6 +84,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te +--- nsaserefpolicy/policy/modules/apps/firewallgui.te 2010-01-18 18:24:22.593530742 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-02 18:41:27.873067758 +0100 +@@ -59,6 +59,10 @@ + iptables_initrc_domtrans(firewallgui_t) + + optional_policy(` ++ gnome_read_gconf_home_files(firewallgui_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(firewallgui_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100 
@@ -753,8 +767,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(dns, udp,53,s0, tcp,53,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-27 17:35:56.087613943 +0100 -@@ -103,6 +103,7 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-02 15:44:16.896067937 +0100 +@@ -83,6 +83,7 @@ + /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) + /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) +@@ -103,6 +104,7 @@ /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) @@ -762,7 +784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` -@@ -162,6 +163,8 @@ +@@ -162,6 +164,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) 
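Review bot: The new `/dev/pps.*` entry in devices.fc is looser than its neighbours: `.*` matches any node name that merely begins with `pps`, whereas the adjacent entries in this hunk use explicit digit classes (`/dev/tpm[0-9]*`). Unless non-numeric pps names exist, `/dev/pps[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)` pins the label to the kernel's pps0, pps1, … nodes. Labelling it clock_device_t also hands the node to every domain that already has clock-device access, which is presumably the intent for the time daemons but should be a deliberate choice.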
@@ -1156,6 +1178,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc +--- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-01-18 18:24:22.753540198 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2010-02-02 18:56:12.191317011 +0100 +@@ -1,4 +1,6 @@ + ++/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) ++ + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) + + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.32/policy/modules/services/chronyd.te +--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-01-18 18:24:22.755539963 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2010-02-02 18:55:49.615067744 +0100 +@@ -12,6 +12,9 @@ + type chronyd_initrc_exec_t; + init_script_file(chronyd_initrc_exec_t) + ++type chronyd_keys_t; ++files_type(chronyd_keys_t) ++ + # var/lib files + type chronyd_var_lib_t; + files_type(chronyd_var_lib_t) +@@ -30,11 +33,14 @@ + # chronyd local policy + # + +-allow chronyd_t self:capability { setuid setgid sys_time }; +-allow chronyd_t self:process { getcap setcap }; ++allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; ++allow chronyd_t self:process { getcap setcap setrlimit }; + + allow chronyd_t self:udp_socket create_socket_perms; + allow chronyd_t self:unix_dgram_socket create_socket_perms; ++allow chronyd_t self:shm create_shm_perms; ++ ++allow chronyd_t chronyd_keys_t:file read_file_perms; + + # 
chronyd var/lib files + manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) +@@ -64,4 +70,7 @@ + + miscfiles_read_localization(chronyd_t) + +-permissive chronyd_t; ++optional_policy(` ++ gpsd_rw_shm(chronyd_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-01-29 09:59:49.239614360 +0100 
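Review bot: `dac_override` joins chronyd_t's capability set in the rewritten `allow chronyd_t self:capability` line, but the hunk gives no hint of which DAC check it is needed for; the most likely trigger is the key-file read added alongside it, if /etc/chrony.keys is root-owned 0600 while the daemon runs as its own user. Because dac_override bypasses permission bits on every object the TE rules already permit, the tighter fix is to make the key file readable by chrony's user and drop the capability; if it has to stay, name the reason, e.g. `# dac_override: presumably for /etc/chrony.keys — TODO confirm against the AVC log`. The same hunk removes `permissive chronyd_t`, so any remaining denial (ipc_lock/setrlimit for memory locking is my guess) now breaks the daemon instead of being logged — the full AVC set should be re-checked in enforcing mode before this ships.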
@@ -2605,6 +2676,144 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(tgtd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te +--- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-02 19:06:55.670067778 +0100 +@@ -36,7 +36,7 @@ + kernel_read_system_state(tuned_t) + + dev_read_sysfs(tuned_t) +- ++dev_read_urand(tuned_t) + # to allow cpu tuning + dev_rw_netcontrol(tuned_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc +--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc 2010-02-02 19:00:16.333067308 +0100 +@@ -0,0 +1,6 @@ ++ ++/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) ++ ++/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) ++ ++/var/run/usbmuxd\.lock -- gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.6.32/policy/modules/services/usbmuxd.if +--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.if 2010-02-02 19:06:22.735067968 +0100 +@@ -0,0 +1,64 @@ ++## Daemon for communicating with Apple's iPod Touch and iPhone ++ ++######################################## ++## ++## Execute a domain transition to run usbmuxd. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`usbmuxd_domtrans',` ++ gen_require(` ++ type usbmuxd_t, usbmuxd_exec_t; ++ ') ++ ++ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t) ++') ++ ++####################################### ++## ++## Execute usbmuxd in the usbmuxd domain, and ++## allow the specified role the usbmuxd domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the usbmuxd domain. ++## ++## ++# ++interface(`usbmuxd_run',` ++ gen_require(` ++ type usbmuxd_t; ++ ') ++ ++ usbmuxd_domtrans($1) ++ role $2 types usbmuxd_t; ++') ++ ++##################################### ++## ++## Connect to usbmuxd over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usbmuxd_stream_connect',` ++ gen_require(` ++ type usbmuxd_t, usbmuxd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te +--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 18:58:37.916068136 +0100 +@@ -0,0 +1,44 @@ ++ ++policy_module(usbmuxd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type usbmuxd_t; ++type usbmuxd_exec_t; ++application_domain(usbmuxd_t, usbmuxd_exec_t) ++ ++type usbmuxd_var_run_t; ++files_pid_file(usbmuxd_var_run_t) ++ ++permissive usbmuxd_t; ++ ++######################################## ++# ++# usbmuxd local policy ++# ++ ++allow usbmuxd_t self:capability { kill setgid setuid }; ++allow usbmuxd_t self:process { fork signal signull }; ++ ++# Init script handling ++domain_use_interactive_fds(usbmuxd_t) ++ ++# internal communication is often done using fifo and unix sockets. 
++allow usbmuxd_t self:fifo_file rw_fifo_file_perms; ++allow usbmuxd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) ++manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) ++manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) ++files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) ++ ++files_read_etc_files(usbmuxd_t) ++ ++miscfiles_read_localization(usbmuxd_t) ++ ++auth_use_nsswitch(usbmuxd_t) ++ ++logging_send_syslog_msg(usbmuxd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100 +++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-01 17:46:33.611080298 +0100 @@ -3052,8 +3261,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-25 17:40:43.288687056 +0100 -@@ -181,6 +181,7 @@ ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-02-02 18:59:46.438067812 +0100 +@@ -155,6 +155,8 @@ + seutil_read_config(mount_t) + + userdom_use_all_users_fds(mount_t) ++userdom_read_user_home_content_symlinks(mount_t) ++userdom_read_user_home_content_files(mount_t) + userdom_manage_user_home_content_dirs(mount_t) + + ifdef(`distro_redhat',` +@@ -181,6 +183,7 @@ auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) files_mounton_non_security(mount_t) 
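Review bot: The new usbmuxd.te grants no device access at all — no `dev_*` rule for USB device nodes appears anywhere in the hunk — yet the module's own summary says the daemon talks to iPhones over USB; the `permissive usbmuxd_t;` line will turn that into AVC noise rather than a failure, so the domain is not actually confined and will break the day the permissive marker is dropped. Something like `dev_rw_generic_usb_dev(usbmuxd_t)` (plus `dev_read_sysfs(usbmuxd_t)` if it enumerates devices via sysfs) is presumably what is missing — confirm against the audit log. Smaller points: the `# Init script handling` comment sits in a domain declared with `application_domain`, not `init_daemon_domain`, so either the comment or the declaration is off; and in tuned.te the replacement of the blank line with `dev_read_urand(tuned_t)` loses the separator before the `# to allow cpu tuning` comment.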
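Review bot: The two new `userdom_read_user_home_content_*` calls for mount_t may duplicate what the file already grants: the context of the -181 hunk shows `auth_read_all_files_except_shadow(mount_t)`, which in refpolicy covers every non-security file type, user home content included, for regular files (symlinks possibly not). If that call is unconditional, `userdom_read_user_home_content_files(mount_t)` adds nothing and only `userdom_read_user_home_content_symlinks(mount_t)` is needed; if it sits under a distro or ifdef block outside the hunk, a comment saying so would keep the next reader from removing one or the other. It is also worth stating what mount needs from user home files — the `userdom_manage_user_home_content_dirs` line just below suggests home-directory mount points, but that is inferred.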
@@ -3061,11 +3279,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -260,6 +261,10 @@ +@@ -260,6 +263,14 @@ samba_read_config(mount_t) ') +optional_policy(` ++ usbmuxd_stream_connect(mount_t) ++') ++ ++optional_policy(` + vmware_exec_host(mount_t) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index 491df01..de1197d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -462,6 +462,7 @@ exit 0 - Allow rsyslogd to connect to MySQL using a unix domain stream socket - Allow apache to list inotifyfs filesystem - Add label for /dev/pps device +- Fixes for chronyd policy * Mon Feb 1 2010 Miroslav Grepl 3.6.32-80 - Allow xdm to execute octave
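Review bot: `usbmuxd_stream_connect(mount_t)` opens a new channel from the privileged mount domain to the usbmuxd socket with no comment on why mount needs it; presumably this is for FUSE-based iPhone/iPod mounts, but nothing in the hunk says so. A one-liner above the optional block, e.g. `# mount helpers for iPhone/iPod filesystems talk to usbmuxd over its socket — TODO confirm`, would document the dependency. It is also worth confirming that the caller really runs as mount_t and not as a separate mount.fuse helper domain that should receive the rule instead.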