diff --git a/policy-20071130.patch b/policy-20071130.patch
index e8061b73..14ced2c1 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -5454,8 +5454,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-28 09:20:56.000000000 +0100
-@@ -0,0 +1,179 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-29 12:28:11.000000000 +0100
+@@ -0,0 +1,183 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5587,6 +5587,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 +
 +optional_policy(`
++	unconfined_execmem_signull(nsplugin_t)
++')
++
++optional_policy(`
 +	xserver_stream_connect_xdm_xserver(nsplugin_t)
 +	xserver_xdm_rw_shm(nsplugin_t)
 +	xserver_read_xdm_tmp_files(nsplugin_t)
@@ -6817,7 +6821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 23:02:31.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-02-26 20:19:56.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-03-29 13:08:46.000000000 +0100
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -7741,7 +7745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 23:02:31.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-02-27 22:58:04.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-03-29 13:06:34.000000000 +0100
 @@ -851,9 +851,8 @@
  		type proc_t, proc_afs_t;
  	')
@@ -12733,7 +12737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 11:32:17.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-03-19 19:48:13.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-03-29 13:18:18.000000000 +0100
 @@ -9,6 +9,7 @@
  #
  # Delcarations
@@ -12811,7 +12815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  
  libs_use_ld_so(system_dbusd_t)
  libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +139,26 @@
+@@ -121,9 +139,28 @@
  ')
  
  optional_policy(`
@@ -12834,8 +12838,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +optional_policy(`
 +	gen_require(`
 +		type unconfined_dbusd_t;
++		attribute domain;
 +	')
 +	unconfined_domain(unconfined_dbusd_t)
++	allow dbusd_unconfined domain:consolekit_t:dbus send_msg;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if
@@ -13746,7 +13752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.3.1/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2008-02-26 14:17:43.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/dovecot.te	2008-02-26 14:29:22.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/dovecot.te	2008-03-29 12:22:39.000000000 +0100
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -13838,7 +13844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  files_read_usr_symlinks(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
-@@ -184,5 +205,49 @@
+@@ -184,5 +205,53 @@
  ')
  
  optional_policy(`
@@ -13876,6 +13882,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +files_read_etc_files(dovecot_deliver_t)
 +files_read_etc_runtime_files(dovecot_deliver_t)
 +
++auth_use_nsswitch(dovecot_deliver_t)
++
 +libs_use_ld_so(dovecot_deliver_t)
 +libs_use_shared_libs(dovecot_deliver_t)
 +
@@ -13885,6 +13893,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +
 +dovecot_auth_stream_connect(dovecot_deliver_t)
 +
++userdom_priveleged_home_dir_manager(dovecot_deliver_t)
++
 +optional_policy(`
 +	mta_manage_spool(dovecot_deliver_t)
  ')
@@ -23614,8 +23624,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.3.1/policy/modules/services/stunnel.if
 --- nsaserefpolicy/policy/modules/services/stunnel.if	2006-11-16 23:15:20.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/stunnel.if	2008-03-18 19:31:14.000000000 +0100
-@@ -1 +1,24 @@
++++ serefpolicy-3.3.1/policy/modules/services/stunnel.if	2008-03-29 17:44:16.000000000 +0100
+@@ -1 +1,25 @@
  ## <summary>SSL Tunneling Proxy</summary>
 +
 +########################################
@@ -23639,6 +23649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun
 +	')
 +
 +	domtrans_pattern(stunnel_t,$2,$1)
++	allow $1 stunnel_t:tcp_socket rw_socket_perms;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.3.1/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2007-12-19 11:32:17.000000000 +0100
@@ -26939,7 +26950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 14:17:43.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-12 13:37:59.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-29 13:15:04.000000000 +0100
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -27142,22 +27153,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -559,14 +622,6 @@
- ')
+@@ -554,16 +617,12 @@
+ 	dbus_read_config(initrc_t)
  
- optional_policy(`
+ 	optional_policy(`
+-		networkmanager_dbus_chat(initrc_t)
++		consolekit_dbus_chat(initrc_t)
+ 	')
+-')
+ 
+-optional_policy(`
 -	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 -	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 -	# the directory. But we do not want to allow this.
 -	# The master process of dovecot will manage this file.
 -	dovecot_dontaudit_unlink_lib_files(initrc_t)
--')
--
--optional_policy(`
- 	ftp_read_config(initrc_t)
++	optional_policy(`
++		networkmanager_dbus_chat(initrc_t)
++	')
  ')
  
-@@ -639,12 +694,6 @@
+ optional_policy(`
+@@ -639,12 +698,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -27170,7 +27187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -705,6 +754,9 @@
+@@ -705,6 +758,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -27180,7 +27197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -717,9 +769,11 @@
+@@ -717,9 +773,11 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -27195,7 +27212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -738,6 +792,11 @@
+@@ -738,6 +796,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -27207,7 +27224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -752,6 +811,10 @@
+@@ -752,6 +815,10 @@
  ')
  
  optional_policy(`
@@ -27218,7 +27235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -774,3 +837,4 @@
+@@ -774,3 +841,4 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29744,7 +29761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-11-16 21:30:49.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-03-04 23:26:54.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if	2008-03-29 12:26:49.000000000 +0100
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -29806,7 +29823,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  ########################################
-@@ -581,7 +587,6 @@
+@@ -372,6 +378,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Send a SIGNULL signal to the unconfined execmem domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_execmem_signull',`
++	gen_require(`
++		type unconfined_execmem_t;
++	')
++
++	allow $1 unconfined_execmem_t:process signull;
++')
++
++########################################
++## <summary>
+ ##	Send generic signals to the unconfined domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -581,7 +605,6 @@
  interface(`unconfined_dbus_connect',`
  	gen_require(`
  		type unconfined_t;
@@ -29814,7 +29856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  	')
  
  	allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,7 +594,139 @@
+@@ -589,7 +612,120 @@
  
  ########################################
  ## <summary>
@@ -29933,34 +29975,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +########################################
 +## <summary>
 +##	Allow apps to set rlimits on userdomain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`unconfined_set_rlimitnh',`
-+	gen_require(`
-+		type unconfined_t;
-+	')
-+
-+	allow $1 unconfined_t:process rlimitinh;
-+')
-+
-+########################################
-+## <summary>
-+##	Allow the specified domain to read/write to
-+##	unconfined with a unix domain stream sockets.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -597,41 +734,43 @@
+@@ -597,20 +733,18 @@
  ##	</summary>
  ## </param>
  #
 -interface(`unconfined_read_home_content_files',`
-+interface(`unconfined_rw_stream_sockets',`
++interface(`unconfined_set_rlimitnh',`
  	gen_require(`
 -		type unconfined_home_dir_t, unconfined_home_t;
 +		type unconfined_t;
@@ -29970,12 +29993,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
 -	read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
 -	read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-+	allow $1 unconfined_t:unix_stream_socket { read write };
++	allow $1 unconfined_t:process rlimitinh;
  ')
  
  ########################################
  ## <summary>
 -##	Read unconfined users temporary files.
++##	Allow the specified domain to read/write to
++##	unconfined with a unix domain stream sockets.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -618,31 +752,54 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`unconfined_read_tmp_files',`
++interface(`unconfined_rw_stream_sockets',`
+ 	gen_require(`
+-		type unconfined_tmp_t;
++		type unconfined_t;
+ 	')
+ 
+-	files_search_tmp($1)
+-	allow $1 unconfined_tmp_t:dir list_dir_perms;
+-	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+-	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
++	allow $1 unconfined_t:unix_stream_socket { read write };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write unconfined users temporary files.
 +##	Read/write unconfined tmpfs files.
  ## </summary>
 +## <desc>
@@ -29989,38 +30038,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ##	</summary>
  ## </param>
  #
--interface(`unconfined_read_tmp_files',`
+-interface(`unconfined_write_tmp_files',`
 +interface(`unconfined_rw_tmpfs_files',`
  	gen_require(`
 -		type unconfined_tmp_t;
 +		type unconfined_tmpfs_t;
- 	')
- 
--	files_search_tmp($1)
--	allow $1 unconfined_tmp_t:dir list_dir_perms;
--	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
--	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
++	')
++
 +	fs_search_tmpfs($1)
 +	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
 +	rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
 +	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
- ')
- 
- ########################################
- ## <summary>
--##	Write unconfined users temporary files.
++')
++
++########################################
++## <summary>
 +##	Get the process group of unconfined.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -639,10 +778,10 @@
- ##	</summary>
- ## </param>
- #
--interface(`unconfined_write_tmp_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`unconfined_getpgid',`
- 	gen_require(`
--		type unconfined_tmp_t;
++	gen_require(`
 +		type unconfined_t;
  	')
  
@@ -30364,7 +30406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 15:52:56.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-27 23:47:44.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-29 13:10:01.000000000 +0100
 @@ -29,9 +29,14 @@
  	')
  
@@ -30381,7 +30423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -45,66 +50,76 @@
+@@ -45,66 +50,78 @@
  	type $1_tty_device_t; 
  	term_user_tty($1_t,$1_tty_device_t)
  
@@ -30442,6 +30484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
 +	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
 +	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
++	kernel_dontaudit_list_proc($1_usertype)
  
  	# When the user domain runs ps, there will be a number of access
  	# denials when ps tries to search /proc.  Do not audit these denials.
@@ -30491,23 +30534,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	dev_dontaudit_getattr_all_blk_files($1_usertype)
 +	dev_dontaudit_getattr_all_chr_files($1_usertype)
-+
-+	auth_use_nsswitch($1_usertype)
-+
-+	libs_use_ld_so($1_usertype)
-+	libs_use_shared_libs($1_usertype)
-+	libs_exec_ld_so($1_usertype)
++	dev_getattr_mtrr_dev($1_t)
  
 -	miscfiles_read_localization($1_t)
 -	miscfiles_read_certs($1_t)
--
++	auth_use_nsswitch($1_usertype)
+ 
 -	sysnet_read_config($1_t)
++	libs_use_ld_so($1_usertype)
++	libs_use_shared_libs($1_usertype)
++	libs_exec_ld_so($1_usertype)
++
 +	miscfiles_read_localization($1_usertype)
 +	miscfiles_read_certs($1_usertype)
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -115,6 +130,10 @@
+@@ -115,6 +132,10 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -30518,7 +30561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -141,33 +160,13 @@
+@@ -141,33 +162,13 @@
  #
  template(`userdom_ro_home_template',`
  	gen_require(`
@@ -30557,7 +30600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	##############################
  	#
-@@ -175,13 +174,14 @@
+@@ -175,13 +176,14 @@
  	#
  
  	# read-only home directory
@@ -30579,7 +30622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_list_home($1_t)
  
  	tunable_policy(`use_nfs_home_dirs',`
-@@ -231,30 +231,14 @@
+@@ -231,30 +233,14 @@
  #
  template(`userdom_manage_home_template',`
  	gen_require(`
@@ -30616,7 +30659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	##############################
  	#
-@@ -262,43 +246,46 @@
+@@ -262,43 +248,46 @@
  	#
  
  	# full control of the home directory
@@ -30691,7 +30734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -316,14 +303,20 @@
+@@ -316,14 +305,20 @@
  ## <rolebase/>
  #
  template(`userdom_exec_home_template',`
@@ -30717,7 +30760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -341,11 +334,10 @@
+@@ -341,11 +336,10 @@
  ## <rolebase/>
  #
  template(`userdom_poly_home_template',`
@@ -30733,7 +30776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -369,18 +361,18 @@
+@@ -369,18 +363,18 @@
  #
  template(`userdom_manage_tmp_template',`
  	gen_require(`
@@ -30762,7 +30805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -396,7 +388,13 @@
+@@ -396,7 +390,13 @@
  ## <rolebase/>
  #
  template(`userdom_exec_tmp_template',`
@@ -30777,7 +30820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -445,12 +443,12 @@
+@@ -445,12 +445,12 @@
  	type $1_tmpfs_t, $1_file_type;
  	files_tmpfs_file($1_tmpfs_t)
  
@@ -30796,7 +30839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -510,10 +508,6 @@
+@@ -510,10 +510,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -30807,7 +30850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -531,27 +525,20 @@
+@@ -531,27 +527,20 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
@@ -30847,7 +30890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -568,30 +555,32 @@
+@@ -568,30 +557,32 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -30896,7 +30939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -622,13 +611,7 @@
+@@ -622,13 +613,7 @@
  ## <summary>
  ##	The template for allowing the user to change roles.
  ## </summary>
@@ -30911,7 +30954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	<summary>
  ##	The prefix of the user domain (e.g., user
  ##	is the prefix for user_t).
-@@ -692,183 +675,194 @@
+@@ -692,183 +677,194 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -31187,7 +31230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -895,6 +889,8 @@
+@@ -895,6 +891,8 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -31196,7 +31239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_base_user_template($1)
  
  	userdom_manage_home_template($1)
-@@ -923,70 +919,68 @@
+@@ -923,70 +921,68 @@
  
  	allow $1_t self:context contains;
  
@@ -31299,7 +31342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1020,9 +1014,6 @@
+@@ -1020,9 +1016,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -31309,7 +31352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1031,16 +1022,29 @@
+@@ -1031,16 +1024,29 @@
  	#
  
  	# privileged home directory writers
@@ -31345,7 +31388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1068,6 +1072,13 @@
+@@ -1068,6 +1074,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -31359,7 +31402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1076,14 +1087,16 @@
+@@ -1076,14 +1089,16 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -31381,7 +31424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1104,29 @@
+@@ -1091,32 +1106,29 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -31425,7 +31468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1127,10 +1137,10 @@
+@@ -1127,10 +1139,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -31440,7 +31483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1164,7 +1174,6 @@
+@@ -1164,7 +1176,6 @@
  	# Need the following rule to allow users to run vpnc
  	corenet_tcp_bind_xserver_port($1_t)
  
@@ -31448,7 +31491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1193,12 +1202,11 @@
+@@ -1193,12 +1204,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -31463,7 +31506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1207,7 +1215,27 @@
+@@ -1207,7 +1217,27 @@
  	')
  
  	optional_policy(`
@@ -31492,7 +31535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1284,8 +1312,6 @@
+@@ -1284,8 +1314,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -31501,6 +31544,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
+@@ -1307,8 +1335,6 @@
+ 
+ 	dev_getattr_generic_blk_files($1_t)
+ 	dev_getattr_generic_chr_files($1_t)
+-	# for lsof
+-	dev_getattr_mtrr_dev($1_t)
+ 	# Allow MAKEDEV to work
+ 	dev_create_all_blk_files($1_t)
+ 	dev_create_all_chr_files($1_t)
 @@ -1363,13 +1389,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3209fc3d..d9cc034f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@ exit 0
 %endif
 
 %changelog
+* Sat Mar 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-26
+- Allow initrc_t to dbus chat with consolekit.
+
 * Thu Mar 27 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-25
 - Additional access for nsplugin
 - Allow xdm setcap/getcap until pulseaudio is fixed