diff --git a/pam-0.99.10.0-namespace-level.patch b/pam-0.99.10.0-namespace-level.patch
new file mode 100644
index 0000000..d113397
--- /dev/null
+++ b/pam-0.99.10.0-namespace-level.patch
@@ -0,0 +1,17 @@
+diff -up Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c
+--- Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount 2008-02-13 14:52:13.000000000 +0100
++++ Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c 2008-03-20 15:29:11.000000000 +0100
+@@ -822,10 +822,11 @@ static int poly_name(const struct polydi
+ */
+ 
+ pm = polyptr->method;
+- if (pm == LEVEL || pm == USER) {
++ if (pm == LEVEL || pm == CONTEXT)
+ #ifdef WITH_SELINUX
+- if (!(idata->flags & PAMNS_CTXT_BASED_INST))
++ if (!(idata->flags & PAMNS_CTXT_BASED_INST)) {
+ #else
++ {
+ pam_syslog(idata->pamh, LOG_NOTICE,
+ "Context and level methods not available, using user method");
+ #endif
diff --git a/pam-0.99.10.0-namespace-umount.patch b/pam-0.99.10.0-namespace-umount.patch
new file mode 100644
index 0000000..a48eb89
--- /dev/null
+++ b/pam-0.99.10.0-namespace-umount.patch
@@ -0,0 +1,16 @@
+diff -up Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c
+--- Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount 2008-02-13 14:52:13.000000000 +0100
++++ Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c 2008-03-17 11:40:02.000000000 +0100
+@@ -1528,8 +1528,11 @@ static int setup_namespace(struct instan
+ */
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+ enum unmnt_op dir_unmnt = unmnt;
++ if (ns_override(pptr, idata, idata->ruid)) {
++ dir_unmnt = NO_UNMNT;
++ }
+ if (ns_override(pptr, idata, idata->uid)) {
+- if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) {
++ if (dir_unmnt == NO_UNMNT) {
+ continue;
+ } else {
+ dir_unmnt = UNMNT_ONLY;
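Review bot: The outer `if (pm == LEVEL || pm == CONTEXT)` is now unbraced, its body being a nested `if` in the WITH_SELINUX arm but a bare `{` in the other, so the brace that closes this block below the hunk belongs to a different statement depending on the build, and any later `else` would bind to a different `if` in each build. Computing the availability test into one local first (`int ctxt_unavail;`, declared with the function's other locals) keeps one brace structure for both builds, as below. Note that the pam_syslog notice remains inside the `#else` arm, so an SELinux build falls back to the user method without logging it; if that is unintended, moving the `#endif` up above the `pam_syslog` call would log the downgrade in both builds. The body of poly_name continues outside the hunk.
```c
    pm = polyptr->method;
#ifdef WITH_SELINUX
    ctxt_unavail = !(idata->flags & PAMNS_CTXT_BASED_INST);
#else
    ctxt_unavail = 1;
#endif
    if ((pm == LEVEL || pm == CONTEXT) && ctxt_unavail) {
#ifndef WITH_SELINUX
        pam_syslog(idata->pamh, LOG_NOTICE,
            "Context and level methods not available, using user method");
#endif
        /* … unchanged: fallback to the user method, continues outside the hunk … */
```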
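Review bot: The added ruid check changes the case where the real uid is exempt from this directory but the effective uid is not: `dir_unmnt` is forced to NO_UNMNT instead of inheriting `unmnt`, so, going by the enum name, an existing mount there is no longer unmounted while the directory is still set up for the effective uid, and nothing in the code says why. A comment above the new `if` would make that policy reviewable later, e.g. `/* real uid is exempt for this dir: skip the unmount even if we still instantiate it for the effective uid */`. Whether keeping the earlier mount is the intended policy cannot be judged from the hunk; the rest of the loop body in setup_namespace, including the UNMNT_ONLY handling, is outside it.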
diff --git a/pam-0.99.10.0-selinux-prev-context.patch b/pam-0.99.10.0-selinux-prev-context.patch
new file mode 100644
index 0000000..2f42e66
--- /dev/null
+++ b/pam-0.99.10.0-selinux-prev-context.patch
@@ -0,0 +1,43 @@
+diff -up Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c.prev-context Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c.prev-context 2007-06-18 12:46:48.000000000 +0200
++++ Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c 2008-03-20 17:38:41.000000000 +0100
+@@ -672,7 +672,7 @@ PAM_EXTERN int
+ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
+ int argc, const char **argv)
+ {
+- int i, debug = 0,status=0, open_session=0;
++ int i, debug = 0, status = PAM_SUCCESS, open_session = 0;
+ if (! (selinux_enabled ))
+ return PAM_SUCCESS;
+ 
+@@ -702,19 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh,
+ free(ttyn);
+ ttyn=NULL;
+ }
+- status=setexeccon(prev_user_context);
+- freecon(prev_user_context);
+- if (status) {
+- pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.",
++ if (prev_user_context) {
++ if (setexeccon(prev_user_context)) {
++ pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
+ prev_user_context);
+- if (security_getenforce() == 1)
+- return PAM_AUTH_ERR;
+- else
+- return PAM_SUCCESS;
++ if (security_getenforce() == 1)
++ status = PAM_AUTH_ERR;
++ else
++ status = PAM_SUCCESS;
++ }
++ freecon(prev_user_context);
++ prev_user_context = NULL;
+ }
+ 
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal");
+ 
+- return PAM_SUCCESS;
++ return status;
+ }
diff --git a/pam.spec b/pam.spec
index 0e3ee6e..b3f45b3 100644
--- a/pam.spec
+++ b/pam.spec
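Review bot: `if (security_getenforce() == 1)` treats every other result as permissive, including the -1 libselinux returns when the enforcing state cannot be determined, so a failed setexeccon() still ends in PAM_SUCCESS on that error path; failing closed with `if (security_getenforce() != 0) status = PAM_AUTH_ERR;` and dropping the `else status = PAM_SUCCESS;` line also stops the else from overwriting whatever `status` holds by then (the lines between the two hunks are not visible here). The debug message `"setcontext back to orginal"` is still logged when prev_user_context was NULL or setexeccon() failed, so it belongs inside the success branch. pam_sm_close_session continues between and after the hunks.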
@@ -5,7 +5,7 @@ Summary: A security tool which provides authentication for applications Name: pam Version: 0.99.10.0 -Release: 3%{?dist} +Release: 4%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # pam_rhosts_auth module is BSD with advertising @@ -30,6 +30,9 @@ Patch20: pam-0.99.10.0-unix-any-user.patch Patch21: pam-0.99.10.0-unix-audit-failed.patch Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch Patch32: pam-0.99.3.0-tally-fail-close.patch +Patch33: pam-0.99.10.0-namespace-umount.patch +Patch34: pam-0.99.10.0-namespace-level.patch +Patch35: pam-0.99.10.0-selinux-prev-context.patch %define _sbindir /sbin %define _moduledir /%{_lib}/security @@ -107,6 +110,9 @@ popd %patch21 -p1 -b .audit-failed %patch31 -p1 -b .try-first-pass %patch32 -p1 -b .fail-close +%patch33 -p1 -b .umount +%patch34 -p1 -b .level +%patch35 -p1 -b .prev-context autoreconf @@ -376,6 +382,11 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Thu Mar 20 2008 Tomas Mraz 0.99.10.0-4 +- pam_namespace: fix problem with level polyinst (#438264) +- pam_namespace: improve override checking for umount +- pam_selinux: fix syslogging a context after free() (#438338) + * Thu Feb 28 2008 Tomas Mraz 0.99.10.0-3 - update pam-redhat module tarball - update internal db4