diff --git a/policy-20070703.patch b/policy-20070703.patch
index 6f86997..f39af0d 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -16438,7 +16438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-11-06 15:55:57.000000000 -0500
@@ -145,6 +145,25 @@
########################################
@@ -16465,7 +16465,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## Send and receive messages from
## dhcpc over dbus.
##
-@@ -522,6 +541,8 @@
+@@ -493,6 +512,10 @@
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file read_file_perms;
++
++ optional_policy(`
++ avahi_stream_connect($1)
++ ')
+ ')
+
+ ########################################
+@@ -522,6 +545,8 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
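Review bot: The `optional_policy` block added at inner hunk `@@ -493,6 +512,10 @@` grants `avahi_stream_connect($1)` to every domain that calls this sysnetwork interface, and nothing in the policy text says why. The interface's name and `##` summary lie outside the hunk, so the number of callers cannot be judged from here. The neighbouring `net_conf_t` read rule suggests a general name-resolution helper, which would make this a wide grant to the avahi daemon's stream socket. Please state the reason next to the rule, for example `# mDNS host lookups go through the avahi daemon socket` if that is the motivation. The interface summary should also mention the avahi access, so callers know they receive it.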
@@ -16474,7 +16485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -556,3 +577,23 @@
+@@ -556,3 +581,23 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
')
@@ -17245,7 +17256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-02 11:09:48.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-06 16:01:20.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -18077,7 +18088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1135,11 @@
+@@ -1029,23 +1135,14 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -18087,15 +18098,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- kerberos_use($1_t)
-- ')
--
-- optional_policy(`
-- loadkeys_run($1_t,$1_r,$1_tty_device_t)
+ hal_dbus_chat($1_t)
')
+- optional_policy(`
+- loadkeys_run($1_t,$1_r,$1_tty_device_t)
+- ')
+-
+- optional_policy(`
+- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+- ')
+-
+- # Run pppd in pppd_t by default for user
++ # Run pppd in pppd_t by default for user
optional_policy(`
-@@ -1054,17 +1156,6 @@
+ ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ ')
+@@ -1054,17 +1151,6 @@
setroubleshoot_stream_connect($1_t)
')
@@ -18113,7 +18133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -1102,6 +1193,8 @@
+@@ -1102,6 +1188,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@@ -18122,7 +18142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
# Declarations
-@@ -1127,7 +1220,7 @@
+@@ -1127,7 +1215,7 @@
# $1_t local policy
#
@@ -18131,7 +18151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
-@@ -1139,7 +1232,11 @@
+@@ -1139,7 +1227,11 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -18144,7 +18164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1277,6 +1374,7 @@
+@@ -1277,6 +1369,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -18152,7 +18172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1642,9 +1740,13 @@
+@@ -1642,9 +1735,13 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -18166,7 +18186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_type($2)
')
-@@ -1894,10 +1996,46 @@
+@@ -1894,10 +1991,46 @@
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
type $1_home_dir_t, $1_home_t;
@@ -18214,7 +18234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3078,7 +3216,7 @@
+@@ -3078,7 +3211,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -18223,7 +18243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4609,11 +4747,29 @@
+@@ -4609,11 +4742,29 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -18254,7 +18274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4633,6 +4789,14 @@
+@@ -4633,6 +4784,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -18269,7 +18289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5323,7 +5487,7 @@
+@@ -5323,7 +5482,7 @@
attribute user_tmpfile;
')
@@ -18278,7 +18298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5529,6 +5693,24 @@
+@@ -5529,6 +5688,24 @@
########################################
##
@@ -18303,7 +18323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5559,3 +5741,386 @@
+@@ -5559,3 +5736,386 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -18692,7 +18712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-11-06 16:05:52.000000000 -0500
@@ -24,13 +24,6 @@
##
@@ -18812,7 +18832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
', `
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
')
-@@ -494,3 +497,7 @@
+@@ -494,3 +497,15 @@
optional_policy(`
yam_run(sysadm_t,sysadm_r,admin_terminal)
')
@@ -18820,6 +18840,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+tunable_policy(`allow_console_login', `
+ term_use_console(userdomain)
+')
++
++optional_policy(`
++ netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
++ netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
++ netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
++ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.8/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/virt.fc 2007-10-29 23:59:29.000000000 -0400
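Review bot: The new `optional_policy` block in userdomain.te hard-codes the ping and traceroute transitions for `user` and `staff` only. The block this revision removes from the userdomain.if template (inner hunk `@@ -1029,23 +1135,14 @@`) applied them to every `$1` the template was expanded for. Any other role built from that template silently loses the transitions; whether such roles exist is not visible here. A comment above the block would record the intent, e.g. `# ping/traceroute transitions are granted per role here, not in the unprivileged user template`. The same revision also removes and re-adds the `# Run pppd in pppd_t by default for user` comment, which looks like a whitespace-only change and could be dropped to keep the patch smaller.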