diff --git a/policy-20071130.patch b/policy-20071130.patch index 952bd75..6f38bc8 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2276,7 +2276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.3.1/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/rpm.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/rpm.te 2008-02-28 15:36:54.000000000 -0500 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -6744,7 +6744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-02-26 21:27:47.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-02-28 13:12:42.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -6784,7 +6784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -148,3 +157,27 @@ +@@ -148,3 +157,28 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) 
@@ -6812,6 +6812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + unconfined_dontaudit_rw_pipes(domain) + unconfined_sigchld(domain) +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-02-26 16:54:46.000000000 -0500 @@ -8096,7 +8097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-27 17:28:38.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-28 16:49:32.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -8192,12 +8193,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -202,12 +233,15 @@ +@@ -202,12 +233,16 @@ prelink_object_file(httpd_modules_t) ') +apache_content_template(user) +userdom_user_home_content(user,httpd_user_content_t) ++typealias httpd_user_content_t alias httpd_unconfined_content_t; + ######################################## # 
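Review bot: The added `typealias httpd_user_content_t alias httpd_unconfined_content_t;` in the `@@ -8192` hunk of apache.te merges two names whose intent reads as opposite (per-user home content vs. content with no restriction), with nothing on the line saying why, so every rule written against either name now applies to both. A one-line rationale would stop the next maintainer from treating the alias as a separate type; presumably this is label compatibility for content already marked `httpd_unconfined_content_t`, in which case `# compat alias: files labelled httpd_unconfined_content_t are governed by the user content template` states it. If it is not a compat alias, the two types should stay distinct so the unconfined-named one can be audited on its own. The surrounding `apache_content_template(user)` block continues outside the hunk.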
@@ -8209,7 +8211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +283,7 @@ +@@ -249,6 +284,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -8217,7 +8219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -289,6 +324,7 @@ +@@ -289,6 +325,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -8225,7 +8227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -315,9 +351,7 @@ +@@ -315,9 +352,7 @@ auth_use_nsswitch(httpd_t) @@ -8236,7 +8238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -335,6 +369,10 @@ +@@ -335,6 +370,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -8247,7 +8249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,25 +389,38 @@ +@@ -351,25 +390,38 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -8291,7 +8293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,6 +433,10 @@ +@@ -382,6 +434,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') 
@@ -8302,7 +8304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -399,11 +454,21 @@ +@@ -399,11 +455,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -8324,7 +8326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -437,8 +502,14 @@ +@@ -437,8 +503,14 @@ ') optional_policy(` @@ -8340,7 +8342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +521,13 @@ +@@ -450,19 +522,13 @@ ') optional_policy(` @@ -8361,7 +8363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +537,14 @@ +@@ -472,13 +538,14 @@ openca_kill(httpd_t) ') @@ -8380,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +552,7 @@ +@@ -486,6 +553,7 @@ ') optional_policy(` @@ -8388,7 +8390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +588,19 @@ +@@ -521,6 +589,19 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -8408,7 +8410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +630,24 @@ +@@ -550,18 +631,24 @@ fs_search_auto_mountpoints(httpd_php_t) 
@@ -8436,7 +8438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +671,8 @@ +@@ -585,6 +672,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -8445,7 +8447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +681,7 @@ +@@ -593,9 +682,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -8456,7 +8458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +714,7 @@ +@@ -628,6 +715,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -8464,7 +8466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +725,12 @@ +@@ -638,6 +726,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -8477,7 +8479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +748,6 @@ +@@ -655,10 +749,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -8488,7 +8490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +757,8 @@ +@@ -668,7 +758,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; 
@@ -8498,7 +8500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +772,44 @@ +@@ -682,15 +773,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -8544,7 +8546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +819,15 @@ +@@ -700,9 +820,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -8560,7 +8562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +849,46 @@ +@@ -724,3 +850,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -11280,7 +11282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.3.1/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cvs.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/cvs.te 2008-02-28 15:30:50.000000000 -0500 @@ -28,6 +28,9 @@ type cvs_var_run_t; files_pid_file(cvs_var_run_t) 
@@ -13254,7 +13256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-02-28 15:39:03.000000000 -0500 @@ -18,6 +18,9 @@ type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) @@ -13276,7 +13278,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail kernel_read_system_state(fail2ban_t) -@@ -55,6 +59,8 @@ +@@ -47,14 +51,20 @@ + + files_read_etc_files(fail2ban_t) + files_read_usr_files(fail2ban_t) ++files_list_var(fail2ban_t) ++files_search_var_lib(fail2ban_t) ++ ++fs_search_inotifyfs(fail2ban_t) + + libs_use_ld_so(fail2ban_t) + libs_use_shared_libs(fail2ban_t) + +-logging_read_generic_logs(fail2ban_t) ++logging_read_all_logs(fail2ban_t) miscfiles_read_localization(fail2ban_t) @@ -22702,7 +22717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 23:02:25.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-28 09:30:18.000000000 -0500 @@ -15,6 +15,11 @@ template(`xserver_common_domain_template',` gen_require(` 
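Review bot: Replacing `logging_read_generic_logs(fail2ban_t)` with `logging_read_all_logs(fail2ban_t)` in the `@@ -13276` fail2ban.te hunk widens read access from the generic `var_log_t` to, if I read logging.if correctly, every type carrying the `logfile` attribute, which includes logs of services fail2ban has no reason to parse. fail2ban's jails need specific services' logs, so the narrower form is to keep the generic-log interface and add the per-service ones in `optional_policy` blocks, e.g. `apache_read_log(fail2ban_t)`, as the newly added `files_search_var_lib` and `fs_search_inotifyfs` lines already do for their own areas. If the blanket grant is deliberate, a comment naming which logs motivated it (`# fail2ban filters read service logs outside var_log_t; see jail.conf logpath entries`) would let a later reviewer re-narrow it.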
@@ -23153,7 +23168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +539,360 @@ +@@ -542,25 +539,364 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -23298,6 +23313,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # everyone can get the input focus of everyone else + # this is a fundamental brokenness in the X protocol + allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab }; ++ tunable_policy(`allow_read_x_device',` ++ allow $3 { x_domain x_server_domain }:x_device read; ++ ') ++ + # everyone can grab the server + # everyone does it, it is basically a free DOS attack + allow $3 x_server_domain:x_server grab; @@ -23520,7 +23539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -593,26 +925,44 @@ +@@ -593,26 +929,44 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -23572,7 +23591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +988,77 @@ +@@ -638,10 +992,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -23652,7 +23671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -671,10 +1088,10 @@ +@@ -671,10 +1092,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -23665,7 +23684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1177,7 @@ +@@ -760,7 +1181,7 @@ type xconsole_device_t; ') 
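Review bot: The new `tunable_policy(\`allow_read_x_device',\` allow $3 { x_domain x_server_domain }:x_device read; ')` in the `@@ -23298` xserver.if hunk is gated on a boolean that the `@@ -23902` xserver.te hunk declares as `gen_tunable(allow_read_x_device,true)`, so the permissive state is the default and confinement between X clients does not cover device input until an administrator turns it off. The tunable's description says only "Allows X clients to read the x devices (keyboard/mouse)"; it should also say that the default is on and that disabling it is the hardening step, e.g. `## Enabled by default for compatibility; set to false to keep X clients from reading other clients' input devices`. The same boolean is repeated for `xserver_unconfined_type` in the `@@ -24459` xserver.te hunk, where the unconfined type already holds `*` on the related classes, so that instance may be redundant. The enclosing `xserver_common_x_domain_template`-style template starts and ends outside this hunk.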
@@ -23674,7 +23693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1277,25 @@ +@@ -860,6 +1281,25 @@ ######################################## ## @@ -23700,7 +23719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1350,7 @@ +@@ -914,6 +1354,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -23708,7 +23727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1392,24 @@ +@@ -955,6 +1396,24 @@ ######################################## ## @@ -23733,7 +23752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1420,47 @@ +@@ -965,15 +1424,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -23782,7 +23801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1610,7 @@ +@@ -1123,7 +1614,7 @@ type xdm_xserver_tmp_t; ') @@ -23791,7 +23810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1799,108 @@ +@@ -1312,3 +1803,108 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') 
@@ -23902,8 +23921,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 23:17:59.000000000 -0500 -@@ -16,21 +16,79 @@ ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-28 16:46:06.000000000 -0500 +@@ -8,6 +8,14 @@ + + ## + ##

++## Allows X clients to read the x devices (keyboard/mouse) ++##

++##
++gen_tunable(allow_read_x_device,true) ++ ++ ++## ++##

+ ## Allows clients to write to the X server shared + ## memory segments. + ##

+@@ -16,21 +24,79 @@ ## ##

@@ -23985,7 +24019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # this is not actually a device, its a pipe type xconsole_device_t; -@@ -56,6 +114,12 @@ +@@ -56,6 +122,12 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) @@ -23998,7 +24032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; -@@ -78,7 +142,31 @@ +@@ -78,7 +150,31 @@ type xserver_log_t; logging_log_file(xserver_log_t) @@ -24030,7 +24064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser init_system_domain(xdm_xserver_t,xserver_exec_t) ifdef(`enable_mcs',` -@@ -95,8 +183,9 @@ +@@ -95,8 +191,9 @@ # XDM Local policy # @@ -24042,7 +24076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -109,6 +198,8 @@ +@@ -109,6 +206,8 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -24051,7 +24085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -131,15 +222,22 @@ +@@ -131,15 +230,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -24075,7 +24109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -153,6 +251,7 @@ +@@ -153,6 +259,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; 
@@ -24083,7 +24117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) -@@ -173,6 +272,8 @@ +@@ -173,6 +280,8 @@ corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -24092,7 +24126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -184,6 +285,7 @@ +@@ -184,6 +293,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -24100,7 +24134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -196,6 +298,7 @@ +@@ -196,6 +306,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -24108,7 +24142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -208,8 +311,8 @@ +@@ -208,8 +319,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -24119,7 +24153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -226,6 +329,7 @@ +@@ -226,6 +337,7 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -24127,7 +24161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) -@@ -245,6 +349,7 @@ +@@ -245,6 +357,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) 
@@ -24135,7 +24169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,12 +361,11 @@ +@@ -256,12 +369,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -24149,7 +24183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -270,8 +374,13 @@ +@@ -270,8 +382,13 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -24163,7 +24197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -304,7 +413,11 @@ +@@ -304,7 +421,11 @@ ') optional_policy(` @@ -24176,7 +24210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +425,23 @@ +@@ -312,6 +433,23 @@ ') optional_policy(` @@ -24200,7 +24234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +452,10 @@ +@@ -322,6 +460,10 @@ ') optional_policy(` @@ -24211,7 +24245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +469,11 @@ +@@ -335,6 +477,11 @@ ') optional_policy(` 
@@ -24223,18 +24257,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +482,9 @@ +@@ -343,8 +490,8 @@ ') optional_policy(` - unconfined_domain(xdm_t) -+ unconfined_domain(xdm_xserver_t) unconfined_domtrans(xdm_t) + unconfined_signal(xdm_t) ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +520,7 @@ +@@ -380,7 +527,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -24243,7 +24276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +532,15 @@ +@@ -392,6 +539,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -24259,7 +24292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +553,17 @@ +@@ -404,9 +560,17 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -24277,7 +24310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +577,22 @@ +@@ -420,6 +584,22 @@ ') optional_policy(` @@ -24300,7 +24333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +602,125 @@ +@@ -429,47 +609,138 @@ ') optional_policy(` 
@@ -24309,30 +24342,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + rpm_dontaudit_rw_shm(xdm_xserver_t) + rpm_rw_tmpfs_files(xdm_xserver_t) +') -+ + +- ifndef(`distro_redhat',` +- allow xdm_xserver_t self:process { execheap execmem }; +- ') +optional_policy(` + unconfined_rw_shm(xdm_xserver_t) + unconfined_execmem_rw_shm(xdm_xserver_t) + unconfined_rw_tmpfs_files(xdm_xserver_t) -- ifndef(`distro_redhat',` +- ifdef(`distro_rhel4',` - allow xdm_xserver_t self:process { execheap execmem }; - ') + # xserver signals unconfined user on startx + unconfined_signal(xdm_xserver_t) + unconfined_getpgid(xdm_xserver_t) -+') - -- ifdef(`distro_rhel4',` -- allow xdm_xserver_t self:process { execheap execmem }; -- ') -+ -+tunable_policy(`allow_xserver_execmem', ` -+ allow xdm_xserver_t self:process { execheap execmem execstack }; -+') -+ -+ifndef(`distro_redhat',` -+ allow xdm_xserver_t self:process { execheap execmem }; ') -ifdef(`TODO',` @@ -24356,16 +24380,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; -+ifdef(`distro_rhel4',` -+ allow xdm_xserver_t self:process { execheap execmem }; ++ ++tunable_policy(`allow_xserver_execmem', ` ++ allow xdm_xserver_t self:process { execheap execmem execstack }; ') ++ifndef(`distro_redhat',` ++ allow xdm_xserver_t self:process { execheap execmem }; ++') ++ ++ifdef(`distro_rhel4',` ++ allow xdm_xserver_t self:process { execheap execmem }; ++') ++ +############################## # -# Wants to delete .xsession-errors file +# xauth_t Local policy - # --allow xdm_t user_home_type:file unlink; ++# +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t) + +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file) 
@@ -24412,11 +24444,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +############################## # --# Should fix exec of pam_timestamp_check is not closing xdm file descriptor +-allow xdm_t user_home_type:file unlink; +# iceauth_t Local policy # --allow pam_t xdm_t:fifo_file { getattr ioctl write }; --') dnl end TODO +-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor + +allow iceauth_t user_iceauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file) @@ -24440,7 +24471,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file) + +######################################## -+# + # +-allow pam_t xdm_t:fifo_file { getattr ioctl write }; +-') dnl end TODO +# Rules for unconfined access to this module +# + @@ -24459,6 +24492,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +allow xserver_unconfined_type { x_domain x_server_domain self }:x_resource *; +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; + ++gen_require(` ++ attribute domain; ++') ++ ++allow xserver_unconfined_type domain:x_resource *; ++allow xserver_unconfined_type domain:{ x_event x_synthetic_event } *; ++allow xserver_unconfined_type domain:x_drawable *; ++ ++ ++tunable_policy(`allow_read_x_device',` ++ allow xserver_unconfined_type { x_domain x_server_domain self }:x_device read; ++') ++ + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.3.1/policy/modules/services/zabbix.fc --- nsaserefpolicy/policy/modules/services/zabbix.fc 2007-04-11 15:52:54.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 437829b..0fac8d6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
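Review bot: The `gen_require(\` attribute domain; ')` block added mid-file in the `@@ -24459` xserver.te hunk pulls another module's attribute straight into the .te, whereas the rest of this file reaches foreign symbols through interfaces (the `domain_*` family in domain.if is the usual route); a raw require here also has to be kept in sync by hand if the attribute ever moves. The three wildcard rules it enables, `allow xserver_unconfined_type domain:x_resource *;` and the `x_event`/`x_synthetic_event` and `x_drawable` lines, are a superset of the preceding `{ x_domain x_server_domain self }` rules, so those become redundant and a comment should say which non-`x_domain` subjects (presumably unconfined user domains that never joined `x_domain`) this is for, e.g. `# unconfined X helpers: grant over all of domain, not just x_domain, because <reason>`. The stray double blank line before the `tunable_policy` block is a style nit worth collapsing while editing.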
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -388,6 +388,9 @@ exit 0 %endif %changelog +* Thu Feb 28 2008 Dan Walsh 3.3.1-7 +- + * Wed Feb 27 2008 Dan Walsh 3.3.1-6 - Prepare policy for beta release - Change some of the system domains back to unconfined