diff --git a/authconfig-6.2.8-norestart.patch b/authconfig-6.2.8-norestart.patch
index b4adba3..0ad389e 100644
--- a/authconfig-6.2.8-norestart.patch
+++ b/authconfig-6.2.8-norestart.patch
@@ -1,6 +1,6 @@
 diff -up authconfig-6.2.8/authinfo.py.norestart authconfig-6.2.8/authinfo.py
---- authconfig-6.2.8/authinfo.py.norestart	2014-01-17 15:35:09.000000000 +0100
-+++ authconfig-6.2.8/authinfo.py	2014-01-17 15:37:45.085207188 +0100
+--- authconfig-6.2.8/authinfo.py.norestart	2014-01-17 15:42:31.512947910 +0100
++++ authconfig-6.2.8/authinfo.py	2014-01-29 14:58:17.010078820 +0100
 @@ -80,11 +80,6 @@ PATH_PWCONV = "/usr/sbin/pwconv"
  PATH_RPCBIND = "/sbin/rpcbind"
  PATH_NSCD = "/usr/sbin/nscd"
@@ -178,7 +178,7 @@ diff -up authconfig-6.2.8/authinfo.py.norestart authconfig-6.2.8/authinfo.py
  		("enableLDAP", "b"), ("enableLDAPAuth", "b"), ("enableKerberos", "b"),
  		("enableEcryptfs", "b"), ("enableSmartcard", "b"), ("forceSmartcard", "b"),
  		("enableWinbindAuth", "b"), ("enableWinbind", "b"), ("winbindKrb5", "b"), ("enableDB", "b"),
-@@ -1494,8 +1426,14 @@ class AuthInfo:
+@@ -1494,8 +1426,15 @@ class AuthInfo:
  		("enableSSSD", "b"), ("enableSSSDAuth", "b"), ("enableForceLegacy", "b"),
  		("ipav2Server", "i"), ("ipav2Domain", "i"), ("ipav2Realm", "c"),
  		("enableIPAv2", "b"), ("ipaDomainJoined", "b"), ("ipav2NoNTP", "b")]),
@@ -188,14 +188,15 @@ diff -up authconfig-6.2.8/authinfo.py.norestart authconfig-6.2.8/authinfo.py
 +	SaveGroup(self.toggleShadow, None, [("enableShadow", "b")]),
 +	SaveGroup(None, self.toggleNisService, [("enableNIS", "b")]),
 +	SaveGroup(None, self.toggleOddjobService, [("enableMkHomeDir", "b")]),
-+	SaveGroup(None, self.toggleLDAPService, [("enableLDAP", "b"), ("enableLDAPAuth", "b")]),
++	SaveGroup(None, self.toggleLDAPService, [("enableLDAP", "b"), ("enableLDAPAuth", "b"),
++		("implicitSSSD", "b"), ("implicitSSSDAuth", "b"), ("enableForceLegacy", "b")]),
 +	SaveGroup(None, self.toggleSSSDService, [("implicitSSSD", "b"), ("implicitSSSDAuth", "b"),
-+		("enableIPAv2", "b"), ("enableSSSD", "b"), ("enableSSSDAuth", "b")]),
++		("enableIPAv2", "b"), ("enableSSSD", "b"), ("enableSSSDAuth", "b"), ("enableForceLegacy", "b")]),
 +	SaveGroup(None, self.toggleWinbindService, [("enableWinbind", "b"), ("enableWinbindAuth", "b")])]
  
  	def setParam(self, attr, value, ref):
  		oldval = getattr(self, attr)
-@@ -4049,7 +3987,6 @@ class AuthInfo:
+@@ -4049,7 +3988,6 @@ class AuthInfo:
  		self.update()
  		self.prewriteUpdate()
  		self.setupBackup(PATH_CONFIG_BACKUPS + "/last")
@@ -203,7 +204,7 @@ diff -up authconfig-6.2.8/authinfo.py.norestart authconfig-6.2.8/authinfo.py
  		try:
  			ret = self.writeLibuser()
  			ret = ret and self.writeLogindefs()
-@@ -4080,6 +4017,9 @@ class AuthInfo:
+@@ -4080,6 +4018,9 @@ class AuthInfo:
  		except (OSError, IOError):
  			sys.stderr.write(str(sys.exc_info()[1]) + "\n")
  			return False
@@ -213,7 +214,7 @@ diff -up authconfig-6.2.8/authinfo.py.norestart authconfig-6.2.8/authinfo.py
  		return ret
  
  	def writeChanged(self, ref):
-@@ -4091,8 +4031,10 @@ class AuthInfo:
+@@ -4091,8 +4032,10 @@ class AuthInfo:
  		try:
  			for group in self.save_groups:
  				if group.attrsDiffer(self, ref):
@@ -226,7 +227,7 @@ diff -up authconfig-6.2.8/authinfo.py.norestart authconfig-6.2.8/authinfo.py
  		except (OSError, IOError):
  			sys.stderr.write(str(sys.exc_info()[1]) + "\n")
  			return False
-@@ -4326,44 +4268,93 @@ class AuthInfo:
+@@ -4326,44 +4269,93 @@ class AuthInfo:
  		cmd = PATH_IPA_CLIENT_INSTALL + " --uninstall --noac"
  		os.system(cmd)
  
diff --git a/authconfig-6.2.8-restorecon.patch b/authconfig-6.2.8-restorecon.patch
new file mode 100644
index 0000000..0ae5c9f
--- /dev/null
+++ b/authconfig-6.2.8-restorecon.patch
@@ -0,0 +1,37 @@
+diff -up authconfig-6.2.8/authinfo.py.restorecon authconfig-6.2.8/authinfo.py
+--- authconfig-6.2.8/authinfo.py.restorecon	2014-01-29 15:21:07.000000000 +0100
++++ authconfig-6.2.8/authinfo.py	2014-01-29 15:21:32.024225923 +0100
+@@ -1009,10 +1009,12 @@ class SaveGroup:
+ class SafeFile:
+ 	def __init__(self, filename, default_mode):
+ 		(base, name) = os.path.split(filename)
++		self.missing = False
+ 		self.file = tempfile.NamedTemporaryFile(dir=base, prefix=name, delete=True)
+ 		# overwrite the inode attributes and contents
+ 		if call(["/bin/cp", "-af", filename, self.file.name],
+ 			stderr=os.open('/dev/null', os.O_WRONLY)) == 1:
++			self.missing = True
+ 			# the mode was not copied, use the default
+ 			os.fchmod(self.file.fileno(), default_mode)
+ 		self.filename = filename
+@@ -1021,6 +1023,9 @@ class SafeFile:
+ 		self.file.flush()
+ 		os.fsync(self.file.fileno())
+ 		os.rename(self.file.name, self.filename)
++		if self.missing:
++			call(["/usr/sbin/restorecon", self.filename],
++				stderr=os.open('/dev/null', os.O_WRONLY))
+ 
+ 	def close(self):
+ 		# we may have renamed the temp file, need to catch OSError
+@@ -1111,7 +1116,9 @@ class FileBackup:
+ 			rv = self.safeCopy(backuppath, self.origPath)
+ 
+ 		try:
+-			os.system("restorecon '"+self.origPath+"'")
++			if rv:
++				call(["/usr/sbin/restorecon", self.origPath],
++					stderr=os.open('/dev/null', os.O_WRONLY))
+ 		except (IOError, OSError):
+ 			pass
+ 
diff --git a/authconfig.spec b/authconfig.spec
index 6a237c7..7f81342 100644
--- a/authconfig.spec
+++ b/authconfig.spec
@@ -1,7 +1,7 @@
 Summary: Command line tool for setting up authentication from network services
 Name: authconfig
 Version: 6.2.8
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 ExclusiveOS: Linux
 Group: System Environment/Base
@@ -13,6 +13,7 @@ Patch3: authconfig-6.2.8-wait-for-card.patch
 Patch4: authconfig-6.2.8-translation-updates.patch
 Patch5: authconfig-6.2.8-norestart.patch
 Patch6: authconfig-6.2.8-notraceback.patch
+Patch7: authconfig-6.2.8-restorecon.patch
 Requires: newt-python, pam >= 0.99.10.0, python, libpwquality > 0.9
 Conflicts: pam_krb5 < 1.49, samba-common < 3.0, samba-client < 3.0
 Conflicts: nss_ldap < 254, sssd < 0.99.1
@@ -47,6 +48,7 @@ authentication schemes.
 %patch4 -p1 -b .translations
 %patch5 -p1 -b .norestart
 %patch6 -p1 -b .notraceback
+%patch7 -p1 -b .restorecon
 
 %build
 %configure
@@ -129,6 +131,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_datadir}/icons/hicolor/256x256/apps/system-config-authentication.*
 
 %changelog
+* Wed Jan 29 2014 Tomáš Mráz <tmraz@redhat.com> - 6.2.8-6
+- check nslcd for restart when --enableforcelegacy is used
+- call restorecon on newly created configuration files
+
 * Mon Jan 20 2014 Tomáš Mráz <tmraz@redhat.com> - 6.2.8-5
 - fix typo enableNis