diff --git a/policy-20090105.patch b/policy-20090105.patch index 9b1a2e41..7c475595 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -3287,8 +3287,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.3/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/apps/podsleuth.te 2009-01-19 13:10:02.000000000 -0500 -@@ -11,21 +11,58 @@ ++++ serefpolicy-3.6.3/policy/modules/apps/podsleuth.te 2009-01-30 08:03:36.000000000 -0500 +@@ -11,21 +11,59 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -3326,7 +3326,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_getattr_dos_fs(podsleuth_t) +fs_read_dos_files(podsleuth_t) +fs_search_dos(podsleuth_t) -+ ++fs_getattr_tmpfs(podsleuth_t) ++fs_list_tmpfs(podsleuth_t) +fs_mount_nfs(podsleuth_t) +fs_unmount_nfs(podsleuth_t) +fs_getattr_nfs(podsleuth_t) @@ -3685,7 +3686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.3/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/apps/qemu.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/apps/qemu.te 2009-01-30 09:14:38.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -3695,7 +3696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

## Allow qemu to connect fully to the network -@@ -13,28 +15,151 @@ +@@ -13,28 +15,153 @@ ## gen_tunable(qemu_full_network, false) @@ -3799,6 +3800,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t) ++ ++userdom_search_user_home_content(qemu_t) + tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; @@ -5158,7 +5161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.3/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/domain.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/domain.te 2009-01-30 07:56:48.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -5220,7 +5223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -153,3 +170,39 @@ +@@ -153,3 +170,34 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -5234,15 +5237,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + cron_dontaudit_write_system_job_tmp_files(domain) + cron_rw_pipes(domain) +ifdef(`hide_broken_symptoms',` -+ cron_dontaudit_rw_tcp_sockets(domain) + allow domain domain:key { link search }; +') +') + -+ifdef(`hide_broken_symptoms',` -+ dbus_dontaudit_system_bus_rw_tcp_sockets(domain) -+') -+ +optional_policy(` + rpm_rw_pipes(domain) + rpm_dontaudit_use_script_fds(domain) 
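Review bot: The added `userdom_search_user_home_content(qemu_t)` in qemu.te is granted unconditionally and carries no comment explaining why an emulator domain needs to traverse user home directories. It is presumably there so qemu can reach the `HOME_DIR/VirtualMachines` paths that this same commit labels in virt.fc; if so, say it next to the rule, e.g. `# needed to reach HOME_DIR/VirtualMachines images (virt_image_t / virt_image_ro_t)`. It is worth confirming that search alone is the intended scope and that no broader home-content access follows from it elsewhere in qemu.te, most of which lies outside this hunk.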
@@ -17626,7 +17624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.3/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/postfix.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/postfix.if 2009-01-30 08:30:01.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -17647,7 +17645,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_etc($1) ') -@@ -378,7 +378,7 @@ +@@ -232,6 +232,25 @@ + + ######################################## + ##

++## Allow read/write postfix local pipes ++## TCP sockets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`postfix_rw_local_pipes',` ++ gen_require(` ++ type postfix_local_t; ++ ') ++ ++ allow $1 postfix_local_t:fifo rw_fifo_file_perms; ++') ++ ++######################################## ++## + ## Allow domain to read postfix local process state + ## + ## +@@ -378,7 +397,7 @@ ## ## # @@ -17656,7 +17680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_require(` type postfix_private_t; ') -@@ -389,6 +389,25 @@ +@@ -389,6 +408,25 @@ ######################################## ## @@ -17682,7 +17706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -418,10 +437,10 @@ +@@ -418,10 +456,10 @@ # interface(`postfix_search_spool',` gen_require(` @@ -17695,7 +17719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_spool($1) ') -@@ -437,11 +456,30 @@ +@@ -437,11 +475,30 @@ # interface(`postfix_list_spool',` gen_require(` @@ -17728,7 +17752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -456,16 +494,16 @@ +@@ -456,16 +513,16 @@ # interface(`postfix_read_spool_files',` gen_require(` @@ -17748,7 +17772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -475,11 +513,11 @@ +@@ -475,11 +532,11 @@ # interface(`postfix_manage_spool_files',` gen_require(` @@ -17762,7 +17786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -500,3 +538,23 @@ +@@ -500,3 +557,23 @@ typeattribute $1 postfix_user_domtrans; ') 
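Review bot: The new `postfix_rw_local_pipes` interface names the object class `fifo`, which is not an SELinux object class. The permission set `rw_fifo_file_perms` belongs to `fifo_file`, so the rule should read `allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;`. As written, the interface is likely to fail the policy build or grant nothing, and the `postfix_rw_local_pipes(spamc_t)` call added to spamassassin.te in a later hunk depends on it. The doc header is also a copy-paste leftover ("pipes TCP sockets", "Domain to not audit"); a summary such as `Read and write postfix local named pipes.` with the parameter described as `Domain allowed access.` would match what the rule grants.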
@@ -21420,7 +21444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.3/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/spamassassin.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/spamassassin.te 2009-01-30 08:30:30.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -21532,7 +21556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -265,31 +323,34 @@ +@@ -265,31 +323,35 @@ sysnet_read_config(spamc_t) @@ -21568,6 +21592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - nscd_socket_use(spamc_t) + postfix_domtrans_postdrop(spamc_t) + postfix_search_spool(spamc_t) ++ postfix_rw_local_pipes(spamc_t) ') optional_policy(` @@ -21579,7 +21604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -301,7 +362,7 @@ +@@ -301,7 +363,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -21588,7 +21613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -317,10 +378,13 @@ +@@ -317,10 +379,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; 
@@ -21603,7 +21628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -329,10 +393,11 @@ +@@ -329,10 +394,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -21616,7 +21641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -382,22 +447,27 @@ +@@ -382,22 +448,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -21648,7 +21673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -415,6 +485,7 @@ +@@ -415,6 +486,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -21656,7 +21681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -424,10 +495,6 @@ +@@ -424,10 +496,6 @@ ') optional_policy(` @@ -21667,7 +21692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -442,6 +509,10 @@ +@@ -442,6 +510,10 @@ optional_policy(` razor_domtrans(spamd_t) 
@@ -22363,10 +22388,80 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.3/policy/modules/services/virt.fc +--- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/virt.fc 2009-01-30 09:09:00.000000000 -0500 +@@ -8,5 +8,10 @@ + + /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) + /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_image_ro_t,s0) ++ + /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) + /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ ++HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_image_ro_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if +--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/virt.if 2009-01-30 09:13:05.000000000 -0500 +@@ -293,6 +293,41 @@ + + ######################################## + ## ++## Allow domain to manage virt image files ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`virt_read_ro_t',` ++ gen_require(` ++ type virt_image_ro_t; ++ ') ++ ++ virt_search_lib($1) ++ allow $1 virt_image_ro_t:dir list_dir_perms; ++ read_dirs_pattern($1, virt_image_ro_t, virt_image_ro_t) ++ read_files_pattern($1, virt_image_ro_t, virt_image_ro_t) ++ read_lnk_files_pattern($1, virt_image_ro_t, virt_image_ro_t) ++ rw_blk_files_pattern($1, virt_image_ro_t, virt_image_ro_t) ++ ++ tunable_policy(`virt_use_nfs',` ++ fs_read_nfs_dirs($1) ++ fs_read_nfs_files($1) ++ fs_read_nfs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` ++ fs_read_nfs_files($1) ++ fs_read_cifs_files($1) ++ fs_read_cifs_symlinks($1) ++ ') ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an virt environment + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-21 16:53:49.000000000 -0500 -@@ -53,7 +53,7 @@ ++++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-30 09:10:13.000000000 -0500 +@@ -32,6 +32,10 @@ + type virt_image_t, virt_image_type; # customizable + virt_image(virt_image_t) + ++# virt Image files ++type virt_image_ro_t; ++virt_image(virt_image_ro_t) ++ + type virt_log_t; + logging_log_file(virt_log_t) + +@@ -53,7 +57,7 @@ # virtd local policy # @@ -22375,7 +22470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow virtd_t self:process { getsched sigkill signal execmem }; allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; -@@ -96,7 +96,7 @@ +@@ -96,7 +100,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) 
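Review bot: `virt_read_ro_t` in virt.if gives write access on a type that is meant to be read-only. `rw_blk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)` lets any caller write to block devices labelled `virt_image_ro_t`, and should presumably be `read_blk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)`. In the `virt_use_samba` branch the first call is `fs_read_nfs_files($1)`, which looks like a copy-paste slip from the NFS branch and hands out NFS read access under the Samba tunable; `fs_list_cifs($1)` is the likely intent. The header says "manage virt image files" and "Domain to not audit", neither of which describes a read-only allow interface, so the summary should state read access and the parameter `Domain allowed access.`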
@@ -22384,7 +22479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -110,11 +110,13 @@ +@@ -110,11 +114,13 @@ files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) @@ -22398,7 +22493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_raw_write_removable_device(virtd_t) storage_raw_read_removable_device(virtd_t) -@@ -129,7 +131,10 @@ +@@ -129,7 +135,10 @@ logging_send_syslog_msg(virtd_t) @@ -22409,7 +22504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -173,16 +178,17 @@ +@@ -173,16 +182,17 @@ iptables_domtrans(virtd_t) ') @@ -28084,7 +28179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-28 10:48:13.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-30 09:14:16.000000000 -0500 @@ -30,8 +30,9 @@ ')