diff --git a/policy-F13.patch b/policy-F13.patch index a164e61..9590022 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2543,7 +2543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.fc +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.19/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-09-13 15:56:30.021085395 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-10-05 16:40:27.236667890 +0200 @@ -32,6 +32,7 @@ gen_require(` @@ -2562,7 +2562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ############################## # # Local Policy -@@ -73,12 +77,16 @@ +@@ -73,17 +77,23 @@ # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) @@ -2580,7 +2580,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) -@@ -134,7 +142,11 @@ + kernel_link_key($1_sudo_t) + ++ application_signal($1_sudo_t) ++ + corecmd_read_bin_symlinks($1_sudo_t) + corecmd_exec_all_executables($1_sudo_t) + +@@ -134,7 +144,11 @@ userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd 
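Review bot: `application_signal($1_sudo_t)` (third hunk on this line) lets the per-user sudo domain signal every domain that carries the application attribute, which is wider than the single child sudo relays signals to; if a narrower target is available it should be used, and either way the line needs a why-comment beside it, e.g. `# sudo forwards the signals it receives to the command it runs` (reason inferred, confirm against the denial it fixes). The change is not listed in the spec changelog of this commit. The enclosing template body starts and ends outside the hunk.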
@@ -7132,9 +7139,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-09-01 12:20:15.387083633 +0200 -@@ -0,0 +1,402 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-10-05 16:12:11.355651521 +0200 +@@ -0,0 +1,403 @@ +policy_module(sandbox,1.0.0) ++ +dbus_stub() +attribute sandbox_domain; +attribute sandbox_x_domain; @@ -7493,7 +7501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +optional_policy(` + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) -+ nsplugin_manage_rw(sandbox_web_type) ++# nsplugin_manage_rw(sandbox_web_type) +') + +optional_policy(` @@ -12626,8 +12634,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-09-09 11:07:14.850085218 +0200 -@@ -0,0 +1,687 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-10-05 17:05:35.898651111 +0200 +@@ -0,0 +1,706 @@ +## Unconfiend user role + +######################################## 
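Review bot: Commenting out `nsplugin_manage_rw(sandbox_web_type)` with a leading `#` (second hunk on this line) leaves dead policy text in sandbox.te; since the effect is to withdraw manage access of the sandboxed web domains to nsplugin rw content, delete the line, or if this is a temporary revert say so next to it (`# manage access withdrawn: <reason>`). The two remaining calls keep the optional_policy block non-empty, so nothing else in the block needs to change. This access reduction is not mentioned in the spec changelog of this commit.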
@@ -12975,6 +12983,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + dontaudit $1 unconfined_t:fifo_file rw_file_perms; +') + ++####################################### ++## ++## Do not audit attempts to read and write ++## unconfined domain netlink_route_socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_netlink_route_socket',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:netlink_route_socket { read write }; ++') ++ +######################################## +## +## Do not audit attempts to read and write @@ -13317,8 +13344,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-09-23 13:17:47.400386803 +0200 -@@ -0,0 +1,457 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-10-05 16:53:14.162651746 +0200 +@@ -0,0 +1,453 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -13485,10 +13512,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + + optional_policy(` -+ iptables_run(unconfined_usertype, unconfined_r) -+ ') -+ -+ optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) + ') + 
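Review bot: The separator above the new `unconfined_dontaudit_netlink_route_socket` interface appears one `#` shorter than the `########################################` used by the neighbouring interfaces; match the file's width. The body (`dontaudit $1 unconfined_t:netlink_route_socket { read write };`) silences rather than allows, which is the right shape for a socket the caller only inherits, but the summary should say what is being silenced and why, e.g. `## Do not audit attempts to read and write an unconfined domain netlink_route_socket (typically an inherited descriptor).` The only caller added in this commit is ifconfig_t in the sysnetwork.te hunk.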
@@ -15576,7 +15599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-09-09 13:07:21.400085528 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-10-05 16:57:44.624651594 +0200 @@ -19,11 +19,13 @@ # Declarations # @@ -16002,7 +16025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -+ smokeping_getattr_lib_files(httpd_t) ++ smokeping_read_lib_files(httpd_t) +') + +optional_policy(` @@ -18706,14 +18729,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.19/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/consolekit.if 2010-05-28 09:42:00.085610890 +0200 -@@ -55,5 +55,44 @@ ++++ serefpolicy-3.7.19/policy/modules/services/consolekit.if 2010-10-05 16:31:31.267651526 +0200 +@@ -55,5 +55,62 @@ ') read_files_pattern($1, consolekit_log_t, consolekit_log_t) + logging_search_logs($1) +') + ++####################################### ++## ++## Dontaudit attempts to read consolekit log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`consolekit_dontaudit_read_log',` ++ gen_require(` ++ type consolekit_log_t; ++ ') ++ ++ dontaudit $1 consolekit_log_t:file read_file_perms; ++') ++ +######################################## +## +## Manage consolekit log files. 
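Review bot: Widening `smokeping_getattr_lib_files(httpd_t)` to `smokeping_read_lib_files(httpd_t)` (second hunk on this line) gives the whole web-server domain read access to smokeping lib content, whereas the consumer of that data appears to be httpd_smokeping_cgi_script_t, the domain the smokeping.te hunk in this same commit extends; if the reads come from the CGI, granting them to that domain keeps httpd_t narrower. smokeping.if is not in this chunk, so confirm `smokeping_read_lib_files` is actually defined. The optional_policy block around the line is otherwise unchanged.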
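Review bot: The summary of the new `consolekit_dontaudit_read_log` interface (`## Dontaudit attempts to read consolekit log files.`) uses a different phrasing from the `## Do not audit attempts to ...` form used by the interface added in unconfineduser.if in this same commit and by the neighbouring consolekit interfaces; align it, and the separator line above it appears one `#` shorter than the surrounding `########################################`. The body `dontaudit $1 consolekit_log_t:file read_file_perms;` is limited to reads of the log type, which is fine.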
@@ -18730,8 +18771,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + ') + + manage_files_pattern($1, consolekit_log_t, consolekit_log_t) -+ files_search_pids($1) -+') + files_search_pids($1) + ') + +######################################## +## @@ -18748,9 +18789,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + type consolekit_var_run_t; + ') + - files_search_pids($1) ++ files_search_pids($1) + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) - ') ++') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.19/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-04-13 20:44:37.000000000 +0200 @@ -20635,7 +20676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi admin_pattern($1, devicekit_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.19/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-10-01 15:15:06.194599521 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-10-05 16:46:24.302651295 +0200 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -20816,7 +20857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +227,17 @@ +@@ -167,12 +227,18 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) 
@@ -20830,11 +20871,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +sysnet_read_config(devicekit_power_t) +sysnet_domtrans_ifconfig(devicekit_power_t) ++sysnet_domtrans_dhcpc(devicekit_power_t) + userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,6 +245,10 @@ +@@ -180,6 +246,10 @@ ') optional_policy(` @@ -20845,7 +20887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -190,6 +259,7 @@ +@@ -190,6 +260,7 @@ optional_policy(` networkmanager_dbus_chat(devicekit_power_t) @@ -20853,7 +20895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') optional_policy(` -@@ -203,17 +273,23 @@ +@@ -203,17 +274,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -32554,7 +32596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-09-23 13:18:50.383386842 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-10-05 16:48:57.914651451 +0200 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
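Review bot: `sysnet_domtrans_dhcpc(devicekit_power_t)` lets the power daemon enter the dhcpc_t domain and is added beside `sysnet_domtrans_ifconfig` with no note of why a power daemon needs to start a DHCP client; a bare cross-domain transition like this is hard to audit later, so add a why-comment above it, e.g. `# <reason devicekit-power must run dhclient, e.g. which resume hook triggers it>`. The spec changelog entry "Allow devicekit-power transition to dhcpc" names the rule but not the reason either.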
@@ -32606,6 +32648,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; +@@ -255,7 +264,7 @@ + manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) + manage_files_pattern(smbd_t, samba_share_t, samba_share_t) + manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) +-allow smbd_t samba_share_t:filesystem getattr; ++allow smbd_t samba_share_t:filesystem { getattr quotaget }; + + manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) + manage_files_pattern(smbd_t, samba_var_t, samba_var_t) @@ -275,6 +284,8 @@ allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; @@ -32615,7 +32666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) -@@ -306,8 +317,11 @@ +@@ -306,16 +317,21 @@ dev_read_urand(smbd_t) dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) @@ -32627,7 +32678,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) -@@ -316,6 +330,7 @@ ++fs_get_all_fs_quotas(smbd_t) + fs_list_inotifyfs(smbd_t) + auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) auth_domtrans_upd_passwd(smbd_t) @@ -32635,7 +32688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -325,6 +340,9 @@ +@@ -325,6 +341,9 @@ files_read_etc_runtime_files(smbd_t) files_read_usr_files(smbd_t) files_search_spool(smbd_t) 
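Review bot: `fs_get_all_fs_quotas(smbd_t)` (second hunk on this line) grants quota reads on every filesystem type, which already subsumes the `quotaget` added to `allow smbd_t samba_share_t:filesystem { getattr quotaget };` in the first hunk, so the two grants overlap. Keep the narrow samba_share_t rule and drop the all-fs interface unless shares genuinely sit on filesystem types smbd cannot otherwise reach, in which case the narrow rule is the redundant one; the existing context line `fs_get_xattr_fs_quotas(smbd_t)` shows the more limited grant the policy had so far. Whichever is kept, a one-line comment naming the feature that needs quota data would keep the choice auditable.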
@@ -32645,7 +32698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -337,10 +355,13 @@ +@@ -337,10 +356,13 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -32660,7 +32713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -352,19 +373,19 @@ +@@ -352,19 +374,19 @@ ') tunable_policy(`samba_domain_controller',` @@ -32686,7 +32739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') # Support Samba sharing of NFS mount points -@@ -376,6 +397,15 @@ +@@ -376,6 +398,15 @@ fs_manage_nfs_named_sockets(smbd_t) ') @@ -32702,7 +32755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -391,6 +421,11 @@ +@@ -391,6 +422,11 @@ ') optional_policy(` @@ -32714,7 +32767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb rpc_search_nfs_state_data(smbd_t) ') -@@ -405,13 +440,15 @@ +@@ -405,13 +441,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -32731,7 +32784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_read_all_files_except_shadow(nmbd_t) ') -@@ -420,8 +457,8 @@ +@@ -420,8 +458,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) 
@@ -32741,7 +32794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -518,13 +555,13 @@ +@@ -518,13 +556,13 @@ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; @@ -32759,7 +32812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -536,6 +573,8 @@ +@@ -536,6 +574,8 @@ miscfiles_read_localization(smbcontrol_t) @@ -32768,7 +32821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbmount Local policy -@@ -618,7 +657,7 @@ +@@ -618,7 +658,7 @@ # SWAT Local policy # @@ -32777,7 +32830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -626,23 +665,25 @@ +@@ -626,23 +666,25 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; @@ -32811,7 +32864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,11 +698,14 @@ +@@ -657,11 +699,14 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -32827,7 +32880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) kernel_read_network_state(swat_t) -@@ -700,6 +744,8 @@ +@@ -700,6 +745,8 @@ miscfiles_read_localization(swat_t) 
@@ -32836,7 +32889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +759,23 @@ +@@ -713,12 +760,23 @@ kerberos_use(swat_t) ') @@ -32861,7 +32914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -763,6 +820,7 @@ +@@ -763,6 +821,7 @@ kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) @@ -32869,7 +32922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_exec_bin(winbind_t) -@@ -779,6 +837,9 @@ +@@ -779,6 +838,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -32879,7 +32932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -788,7 +849,7 @@ +@@ -788,7 +850,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -32888,7 +32941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -866,6 +927,18 @@ +@@ -866,6 +928,18 @@ # optional_policy(` @@ -32907,7 +32960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +949,12 @@ +@@ -876,9 +950,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; 
@@ -33497,8 +33550,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.19/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-05-28 09:42:00.186610872 +0200 -@@ -83,6 +83,8 @@ ++++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-10-05 16:29:21.802651275 +0200 +@@ -73,6 +73,7 @@ + files_read_etc_runtime_files(fsdaemon_t) + # for config + files_read_etc_files(fsdaemon_t) ++files_read_usr_files(fsdaemon_t) + + fs_getattr_all_fs(fsdaemon_t) + fs_search_auto_mountpoints(fsdaemon_t) +@@ -83,6 +84,8 @@ storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) @@ -33509,7 +33570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.19/policy/modules/services/smokeping.te --- nsaserefpolicy/policy/modules/services/smokeping.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/smokeping.te 2010-05-28 09:42:00.187610526 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/smokeping.te 2010-10-05 16:58:22.852651336 +0200 @@ -24,6 +24,7 @@ # smokeping local policy # 
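Review bot: `files_read_usr_files(fsdaemon_t)` is appended directly under the `# for config` comment that explains `files_read_etc_files(fsdaemon_t)`, so the comment now reads as if /usr were configuration too; either move the new line below the blank line that follows, or give it its own note such as `# <what smartd reads under /usr>` (reason not visible here — confirm from the denial). The rest of the hunk is renumbering only.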
@@ -33526,6 +33587,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok logging_send_syslog_msg(smokeping_t) +@@ -65,6 +67,7 @@ + allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms; + + manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) ++ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) + + getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.19/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-09-16 16:46:09.199637062 +0200 @@ -40246,8 +40315,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-06-28 14:07:11.666276142 +0200 -@@ -76,12 +76,18 @@ ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-10-05 16:46:33.947667684 +0200 +@@ -10,6 +10,7 @@ + # + /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ++/etc/timezone -- gen_context(system_u:object_r:locale_t,s0) + /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + + ifdef(`distro_redhat',` +@@ -76,12 +77,18 @@ /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) /var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) 
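Review bot: The new `manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)` is inserted after `manage_files_pattern` for the same types, while the convention visible elsewhere in this commit (the samba.te hunk) lists `manage_dirs_pattern` before `manage_files_pattern`; reorder for consistency. More substantively, full directory management for a web-facing CGI domain is broader than the file access it already had; if the denial being fixed was only directory creation, `create_dirs_pattern` with the same arguments would be the narrower grant — confirm from the audit record.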
@@ -42401,7 +42478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-07-21 09:34:24.436135014 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-10-05 17:05:56.764651628 +0200 @@ -1,11 +1,18 @@ -policy_module(sysnetwork, 1.10.3) @@ -42530,7 +42607,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -360,3 +396,9 @@ +@@ -348,6 +384,7 @@ + + optional_policy(` + unconfined_dontaudit_rw_pipes(ifconfig_t) ++ unconfined_dontaudit_netlink_route_socket(ifconfig_t) + ') + + optional_policy(` +@@ -360,3 +397,9 @@ xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -43412,7 +43497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-09-16 15:44:29.987386896 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-10-05 16:30:49.672651409 +0200 @@ -30,8 +30,9 @@ ') @@ -44302,7 +44387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -871,45 +1007,83 @@ +@@ -871,45 +1007,89 @@ # auth_role($1_r, $1_t) 
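Review bot: `unconfined_dontaudit_netlink_route_socket(ifconfig_t)` (third hunk on this line) suppresses rather than allows ifconfig_t's use of an unconfined_t route socket, which is the right choice if this is a descriptor inherited across exec from an unconfined caller, but that rationale is not recorded; add a comment above the existing `unconfined_dontaudit_rw_pipes(ifconfig_t)` such as `# descriptors inherited from unconfined callers; not needed, so silence rather than allow` (inheritance inferred — confirm). The interface is defined in this commit's unconfineduser.if hunk, so the optional_policy dependency is satisfied. The enclosing optional_policy block is fully visible in the hunk.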
@@ -44311,6 +44396,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dev_read_sound($1_t) - dev_write_sound($1_t) ++ auth_dontaudit_read_login_records($1_usertype) ++ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -44351,6 +44438,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ consolekit_dontaudit_read_log($1_usertype) ') optional_policy(` @@ -44401,7 +44492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -944,7 +1118,7 @@ +@@ -944,7 +1124,7 @@ # # Inherit rules for ordinary users. @@ -44410,7 +44501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -953,54 +1127,77 @@ +@@ -953,54 +1133,77 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -44426,8 +44517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - ifndef(`enable_mls',` - fs_exec_noxattr($1_t) -+ storage_rw_fuse($1_t) - +- - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) @@ -44438,7 +44528,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - storage_raw_read_removable_device($1_t) - ') - ') -- ++ storage_rw_fuse($1_t) + - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` 
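Review bot: `storage_rw_fuse($1_t)` is re-inserted against the bare `$1_t` domain while every neighbouring rule in this hunk (`auth_dontaudit_read_login_records`, `dev_read_sound`, `consolekit_dontaudit_read_log`) is written against `$1_usertype`; the same mix recurs in the next hunk, where `gnomeclock_dbus_chat($1_t)` sits beside `gpm_stream_connect($1_usertype)`. If the attribute is meant to be the target for all user-type rules, change these to `$1_usertype`; if `$1_t` is deliberate, a short comment (`# $1_t only: <reason>`) would stop the next edit from "fixing" it. Both enclosing template bodies continue outside the hunks.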
@@ -44475,20 +44566,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + gpg_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` -+ gnomeclock_dbus_chat($1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ gpm_stream_connect($1_usertype) ++ gnomeclock_dbus_chat($1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) ++ gpm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + execmem_role_template($1, $1_r, $1_t) + ') + @@ -44518,7 +44609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1036,7 +1233,7 @@ +@@ -1036,7 +1239,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -44527,7 +44618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1071,6 +1268,9 @@ +@@ -1071,6 +1274,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -44537,7 +44628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1285,7 @@ +@@ -1085,6 +1291,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -44545,7 +44636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1116,10 +1317,13 @@ +@@ -1116,10 +1323,13 @@ domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -44559,7 +44650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1139,6 +1343,7 @@ +@@ -1139,6 +1349,7 @@ logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) 
@@ -44567,7 +44658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1207,6 +1412,8 @@ +@@ -1207,6 +1418,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -44576,7 +44667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1234,6 +1441,7 @@ +@@ -1234,6 +1447,7 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -44584,7 +44675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_setfiles($1, $2) optional_policy(` -@@ -1272,11 +1480,15 @@ +@@ -1272,11 +1486,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -44600,7 +44691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,6 +1599,7 @@ +@@ -1387,6 +1605,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -44608,7 +44699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1433,6 +1646,14 @@ +@@ -1433,6 +1652,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -44623,7 +44714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1448,9 +1669,11 @@ +@@ -1448,9 +1675,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -44635,7 +44726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1507,6 +1730,42 @@ +@@ -1507,6 +1736,42 @@ allow $1 user_home_dir_t:dir relabelto; ') 
@@ -44678,7 +44769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1581,6 +1840,8 @@ +@@ -1581,6 +1846,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -44687,7 +44778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1595,10 +1856,12 @@ +@@ -1595,10 +1862,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` @@ -44702,7 +44793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1641,6 +1904,24 @@ +@@ -1641,6 +1910,24 @@ ######################################## ## @@ -44727,7 +44818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1692,10 +1973,30 @@ +@@ -1692,10 +1979,30 @@ type user_home_dir_t, user_home_t; ') @@ -44758,7 +44849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Do not audit attempts to read user home files. -@@ -1708,11 +2009,14 @@ +@@ -1708,11 +2015,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -44776,7 +44867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1802,8 +2106,7 @@ +@@ -1802,8 +2112,7 @@ type user_home_dir_t, user_home_t; ') @@ -44786,7 +44877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1815,25 +2118,18 @@ +@@ -1815,24 +2124,17 @@ ## Domain allowed access. ## ## 
@@ -44804,19 +44895,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -1866,6 +2162,7 @@ +@@ -1866,6 +2168,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -44824,7 +44914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,6 +2399,25 @@ +@@ -2102,6 +2405,25 @@ ######################################## ## @@ -44850,7 +44940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to list user ## temporary directories. ## -@@ -2218,6 +2534,25 @@ +@@ -2218,6 +2540,25 @@ ######################################## ## @@ -44876,7 +44966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to manage users ## temporary files. ## -@@ -2427,13 +2762,14 @@ +@@ -2427,13 +2768,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -44892,7 +44982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2454,6 +2790,24 @@ +@@ -2454,6 +2796,24 @@ ######################################## ## @@ -44917,7 +45007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2747,6 +3101,25 @@ +@@ -2747,6 +3107,25 @@ ######################################## ## 
@@ -44943,7 +45033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2787,7 +3160,7 @@ +@@ -2787,7 +3166,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -44952,7 +45042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3176,13 @@ +@@ -2803,11 +3182,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -44968,7 +45058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3319,7 @@ +@@ -2944,7 +3325,7 @@ type user_tmp_t; ') @@ -44977,7 +45067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3356,7 @@ +@@ -2981,6 +3362,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -44985,7 +45075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3487,724 @@ +@@ -3111,3 +3493,724 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index f5758e8..7b14e27 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 63%{?dist} +Release: 64%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Tue Oct 5 2010 Miroslav Grepl 3.7.19-64 +- Allow smartd to read usr files +- Allow devicekit-power transition to dhcpc +- Add label for /etc/timezone +- Remove transition from unconfined_t to iptables_t + * Fri Oct 1 2010 Miroslav Grepl 3.7.19-63 - Allow devicekit-power domtrans to NetworkManager - Allow passwd to use the console, all ttys and all ptys