diff --git a/xrdp.spec b/xrdp.spec
index d58ba99..03829dc 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -7,7 +7,7 @@ Summary:   Open source remote desktop protocol (RDP) server
 Name:      xrdp
 Epoch:     1
 Version:   0.9.6
-Release:   2%{?dist}
+Release:   3%{?dist}
 License:   ASL 2.0
 Group:     Applications/Internet
 URL:       http://www.xrdp.org/
@@ -23,6 +23,7 @@ Patch1:    xrdp-0.9.5-xrdp-ini.patch
 Patch2:    xrdp-0.9.4-service.patch
 Patch3:    xrdp-0.9.2-setpriv.patch
 Patch4:    xrdp-0.9.6-scripts-libexec.patch
+Patch5:    xrdp-0.9.6-script-interpreter.patch
 
 BuildRequires: gcc
 BuildRequires: libX11-devel
@@ -48,8 +49,10 @@ Requires: util-linux
 
 Requires(post): systemd
 Requires(post): systemd-sysv
+Requires(post): /sbin/ldconfig
 Requires(posttrans): openssl
 Requires(preun): systemd
+Requires(postun): /sbin/ldconfig
 Requires(posttrans): systemd
 
 
@@ -133,6 +136,7 @@ done
 /usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
 
 %post
+%{?ldconfig}
 %systemd_post xrdp.service
 
 %preun
@@ -155,11 +159,13 @@ if [ "`systemctl is-active xrdp.service`" = 'active' ]; then
     systemctl start xrdp.service >/dev/null 2>&1 || :
 fi
 
+%postun
+%{?ldconfig}
+
 %posttrans
 if [ ! -s %{_sysconfdir}/xrdp/rsakeys.ini ]; then
   (umask 377; %{_bindir}/xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini >/dev/null)
 fi
-chmod 400 %{_sysconfdir}/xrdp/rsakeys.ini
 
 if [ ! -s %{_sysconfdir}/xrdp/cert.pem ]; then
   (umask 377; openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
@@ -167,8 +173,6 @@ if [ ! -s %{_sysconfdir}/xrdp/cert.pem ]; then
     -out %{_sysconfdir}/xrdp/cert.pem \
     -config %{_sysconfdir}/xrdp/openssl.conf >/dev/null 2>&1)
 fi
-chmod 400 %{_sysconfdir}/xrdp/cert.pem
-chmod 400 %{_sysconfdir}/xrdp/key.pem
 
 %post selinux
 for selinuxvariant in %{selinux_variants}
@@ -198,12 +202,12 @@ fi
 %config(noreplace) %{_sysconfdir}/logrotate.d/xrdp
 %config(noreplace) %{_sysconfdir}/sysconfig/xrdp
 %config(noreplace) %{_sysconfdir}/xrdp/sesman.ini
+%config(noreplace) %{_sysconfdir}/xrdp/km*.ini
+%config(noreplace) %{_sysconfdir}/xrdp/openssl.conf
+%config(noreplace) %{_sysconfdir}/xrdp/xrdp_keyboard.ini
 %exclude %{_sysconfdir}/xrdp/xrdp.sh
 %exclude %ghost %{_sysconfdir}/xrdp/*.pem
 %exclude %ghost %{_sysconfdir}/xrdp/rsakeys.ini
-%{_sysconfdir}/xrdp/km*.ini
-%{_sysconfdir}/xrdp/openssl.conf
-%{_sysconfdir}/xrdp/xrdp_keyboard.ini
 %{_libexecdir}/xrdp/startwm*.sh
 %{_libexecdir}/xrdp/reconnectwm.sh
 %{_bindir}/xrdp-genkeymap
@@ -259,6 +263,12 @@ fi
 %{_datadir}/selinux/*/%{name}.pp
 
 %changelog
+* Mon Apr 23 2018 Bojan Smojver <bojan@rexurive.com> - 1:0.9.6-3
+- mark files in /etc as configs
+- run ldconfig
+- remove chmod of certs/keys
+- fix script interpreter
+
 * Sun Apr 22 2018 Bojan Smojver <bojan@rexurive.com> - 1:0.9.6-2
 - Allow oddjob-mkhomedir in SELinux policy (stolen from grishin-a)
 - Allow no new privileges transition in SELinux policy